package org.xipki.scep.client.shell;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.apache.karaf.shell.support.completers.StringsCompleter;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.cert.X509CRLHolder;
import org.xipki.scep.client.CaCertValidator;
import org.xipki.scep.client.CaIdentifier;
import org.xipki.scep.client.EnrolmentResponse;
import org.xipki.scep.client.ScepClient;
import org.xipki.security.X509Cert;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.XiAction;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/scep/client/shell/Actions.class */
public class Actions {

    /* loaded from: input_file:org/xipki/scep/client/shell/Actions$ClientAction.class */
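    /**
     * Base class for SCEP client actions that authenticate to the server with an
     * identity (private key plus certificate) taken from a PKCS#12 keystore.
     *
     * <p>The SCEP client, the identity key and the identity certificate are
     * created lazily on first use and cached in this action instance. The CA
     * certificate passed via {@code --ca-cert} is pre-provisioned, i.e. the
     * client only trusts the CA certificate that matches that file.
     */
    public static abstract class ClientAction extends XiAction {

        @Option(name = "--url", required = true, description = "URL of the SCEP server")
        protected String url;

        @Option(name = "--ca-id", description = "CA identifier")
        protected String caId;

        @Option(name = "--ca-cert", required = true, description = "CA certificate")
        @Completion(FileCompleter.class)
        private String caCertFile;

        @Option(name = "--p12", required = true, description = "PKCS#12 keystore file")
        @Completion(FileCompleter.class)
        private String p12File;

        @Option(name = "--password", description = "password of the PKCS#12 keystore file, as plaintext or PBE-encrypted.")
        private String passwordHint;

        // Lazily initialised; see getScepClient(), getIdentityKey() and getIdentityCert().
        private ScepClient scepClient;
        private PrivateKey identityKey;
        private X509Cert identityCert;

        /**
         * Returns the SCEP client for {@code --url}/{@code --ca-id}, creating it on the first call.
         *
         * @return the cached client
         * @throws CertificateException if the {@code --ca-cert} file cannot be parsed
         * @throws IOException if the {@code --ca-cert} file cannot be read
         */
        protected ScepClient getScepClient() throws CertificateException, IOException {
            if (this.scepClient == null) {
                X509Cert caCert = X509Util.parseCert(new File(this.caCertFile));
                CaIdentifier caIdentifier = new CaIdentifier(this.url, this.caId);
                // Pin the CA certificate: only the pre-provisioned one is accepted.
                this.scepClient = new ScepClient(caIdentifier,
                        new CaCertValidator.PreprovisionedCaCertValidator(caCert));
            }
            return this.scepClient;
        }

        /**
         * Returns the private key of the identity stored in {@code --p12}, loading the keystore on
         * the first call.
         *
         * @return the identity's private key
         * @throws Exception if the keystore cannot be read or contains no key entry
         */
        protected PrivateKey getIdentityKey() throws Exception {
            if (this.identityKey == null) {
                readIdentity();
            }
            return this.identityKey;
        }

        /**
         * Returns the certificate of the identity stored in {@code --p12}, loading the keystore on
         * the first call.
         *
         * @return the identity's certificate
         * @throws Exception if the keystore cannot be read or contains no key entry
         */
        protected X509Cert getIdentityCert() throws Exception {
            if (this.identityCert == null) {
                readIdentity();
            }
            return this.identityCert;
        }

        /**
         * Loads the PKCS#12 keystore and caches the private key and certificate of its first key
         * entry in {@link #identityKey} and {@link #identityCert}.
         *
         * @throws CmdFailure if the keystore contains no key entry
         * @throws Exception if the keystore cannot be read or opened with the given password
         */
        private void readIdentity() throws Exception {
            // Prompts for the password when --password was not given.
            char[] password = readPasswordIfNotSet("Enter the keystore password", this.passwordHint);
            // NOTE(review): the password array is not wiped after use; whether it may be
            // cleared here depends on readPasswordIfNotSet returning a fresh copy - confirm
            // before adding an Arrays.fill.
            KeyStore keyStore = KeyUtil.getInKeyStore("PKCS12");
            try (InputStream in = Files.newInputStream(Paths.get(this.p12File))) {
                keyStore.load(in, password);
            }

            String keyAlias = firstKeyEntryAlias(keyStore);
            if (keyAlias == null) {
                throw new CmdFailure("no key entry is contained in the keystore");
            }
            // Key first, then certificate: if the certificate lookup fails the next
            // getIdentityCert() call re-reads the keystore.
            this.identityKey = (PrivateKey) keyStore.getKey(keyAlias, password);
            this.identityCert = new X509Cert((X509Certificate) keyStore.getCertificate(keyAlias));
        }

        /**
         * Returns the alias of the first key entry in the keystore, or {@code null} if there is none.
         *
         * @param keyStore a loaded keystore
         * @return the alias of the first key entry, or {@code null}
         * @throws KeyStoreException if the keystore has not been initialised
         */
        private static String firstKeyEntryAlias(KeyStore keyStore) throws KeyStoreException {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (keyStore.isKeyEntry(alias)) {
                    return alias;
                }
            }
            return null;
        }
    }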

    @Service
    @Command(scope = "xi", name = "scep-cacert", description = "get CA certificate")
    public static class ScepCacert extends XiAction {

        @Option(name = "--url", required = true, description = "URL of the SCEP server")
        private String url;

        @Option(name = "--ca-id", description = "CA identifier")
        private String caId;

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the CA certificate")
        @Completion(FileCompleter.class)
        protected String outFile;

        /**
         * Downloads the CA certificate from the SCEP server and writes it to {@code --out}.
         *
         * <p>This is the bootstrap step, so the client is built with a validator that accepts
         * every CA certificate: nothing about the downloaded certificate is authenticated by
         * this command. Its fingerprint has to be compared with a trusted out-of-band source
         * before the saved file is used as {@code --ca-cert} by the other actions.
         *
         * @return always {@code null}
         * @throws CmdFailure if the server returned no CA certificate
         * @throws Exception if the client cannot be initialised or the file cannot be written
         */
        protected Object execute0() throws Exception {
            // Accept-all validator: there is no CA certificate to check against yet.
            CaCertValidator acceptAll = new CaCertValidator() {
                @Override
                public boolean isTrusted(X509Cert cert) {
                    return true;
                }
            };
            CaIdentifier caIdentifier = new CaIdentifier(this.url, this.caId);
            ScepClient client = new ScepClient(caIdentifier, acceptAll);
            client.init();

            X509Cert caCert = client.getCaCert();
            if (caCert == null) {
                throw new CmdFailure("received no CA certficate from server");
            }
            saveVerbose("saved certificate to file", this.outFile,
                    encodeCert(caCert.getEncoded(), this.outform));
            return null;
        }
    }

    @Service
    @Command(scope = "xi", name = "scep-certpoll", description = "poll certificate")
    public static class ScepCertpoll extends ClientAction {

        @Option(name = "--csr", required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String csrFile;

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Polls the server for the certificate requested by the CSR in {@code --csr} and writes
         * the first returned certificate to {@code --out}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the server answered 'failure' or 'pending', or returned no certificate
         * @throws Exception if the CSR, the identity or the CA certificate cannot be read
         */
        protected Object execute0() throws Exception {
            CertificationRequest csr = X509Util.parseCsr(new File(this.csrFile));
            ScepClient client = getScepClient();
            // The poll is addressed to the issuer, i.e. the subject of the pinned CA certificate.
            EnrolmentResponse response = client.scepCertPoll(getIdentityKey(), getIdentityCert(), csr,
                    client.getAuthorityCertStore().getCaCert().getSubject());

            if (response.isFailure()) {
                throw new CmdFailure("server returned 'failure'");
            } else if (response.isPending()) {
                throw new CmdFailure("server returned 'pending'");
            }

            List<?> certs = response.getCertificates();
            if (certs == null || certs.isEmpty()) {
                throw new CmdFailure("received no certficate from server");
            }
            X509Cert issued = (X509Cert) certs.get(0);
            saveVerbose("saved certificate to file", this.outputFile,
                    encodeCert(issued.getEncoded(), this.outform));
            return null;
        }
    }

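    @Service
    @Command(scope = "xi", name = "scep-enroll", description = "enroll certificate")
    public static class ScepEnroll extends ClientAction {

        @Option(name = "--csr", required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String csrFile;

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        @Option(name = "--method", description = "method to enroll the certificate.")
        @Completion(value = StringsCompleter.class, values = {"pkcs", "renewal"})
        private String method;

        /**
         * Enrols the CSR in {@code --csr} with the SCEP server and writes the first returned
         * certificate to {@code --out}.
         *
         * <p>{@code --method} selects the request type: {@code pkcs} sends a PKCSReq,
         * {@code renewal} sends a RenewalReq; when it is blank the client's generic
         * {@code scepEnrol} is used. The value is matched case-insensitively.
         *
         * @return always {@code null}
         * @throws CmdFailure if {@code --method} is unknown, the server answered 'failure' or
         *         'pending', or the response carries no certificate
         * @throws Exception if the CSR, the identity or the CA certificate cannot be read
         */
        protected Object execute0() throws Exception {
            ScepClient client = getScepClient();
            CertificationRequest csr = X509Util.parseCsr(new File(this.csrFile));
            PrivateKey key = getIdentityKey();
            X509Cert cert = getIdentityCert();

            EnrolmentResponse response;
            if (StringUtil.isBlank(this.method)) {
                response = client.scepEnrol(csr, key, cert);
            } else if ("pkcs".equalsIgnoreCase(this.method)) {
                response = client.scepPkcsReq(csr, key, cert);
            } else if ("renewal".equalsIgnoreCase(this.method)) {
                response = client.scepRenewalReq(csr, key, cert);
            } else {
                throw new CmdFailure("invalid enroll method");
            }

            if (response.isFailure()) {
                throw new CmdFailure("server returned 'failure'");
            }
            if (response.isPending()) {
                throw new CmdFailure("server returned 'pending'");
            }
            // A non-failure, non-pending response may still carry no certificate; fail with a
            // clear message instead of an IndexOutOfBoundsException on get(0).
            List<?> certs = response.getCertificates();
            if (certs == null || certs.isEmpty()) {
                throw new CmdFailure("received no certificate from server");
            }
            X509Cert issued = (X509Cert) certs.get(0);
            saveVerbose("saved enrolled certificate to file", this.outputFile,
                    encodeCert(issued.getEncoded(), this.outform));
            return null;
        }
    }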

    @Service
    @Command(scope = "xi", name = "scep-get-cert", description = "download certificate")
    public static class ScepGetCert extends ClientAction {

        @Option(name = "--serial", aliases = {"-s"}, required = true, description = "serial number")
        private String serialNumber;

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Downloads the certificate with serial number {@code --serial} issued by the pinned CA
         * and writes the first returned certificate to {@code --out}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the server returned no certificate
         * @throws Exception if the serial number, the identity or the CA certificate cannot be read
         */
        protected Object execute0() throws Exception {
            ScepClient client = getScepClient();
            BigInteger serial = toBigInt(this.serialNumber);
            // Issuer name is taken from the pinned CA certificate, not from user input.
            List<?> certs = client.scepGetCert(getIdentityKey(), getIdentityCert(),
                    client.getAuthorityCertStore().getCaCert().getSubject(), serial);
            if (certs == null || certs.isEmpty()) {
                throw new CmdFailure("received no certficate from server");
            }
            X509Cert downloaded = (X509Cert) certs.get(0);
            saveVerbose("saved certificate to file", new File(this.outputFile),
                    encodeCert(downloaded.getEncoded(), this.outform));
            return null;
        }
    }

    @Service
    @Command(scope = "xi", name = "scep-get-crl", description = "download CRL")
    public static class ScepGetCrl extends ClientAction {

        @Option(name = "--cert", aliases = {"-c"}, required = true, description = "certificate file")
        @Completion(FileCompleter.class)
        private String certFile;

        @Option(name = "--outform", description = "output format of the CRL")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the CRL")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Downloads the CRL for the certificate in {@code --cert} (identified by its issuer and
         * serial number) and writes it to {@code --out}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the server returned no CRL
         * @throws Exception if the certificate file, the identity or the CA certificate cannot be read
         */
        protected Object execute0() throws Exception {
            X509Cert subjectCert = X509Util.parseCert(new File(this.certFile));
            X509CRLHolder crl = getScepClient().scepGetCrl(getIdentityKey(), getIdentityCert(),
                    subjectCert.getIssuer(), subjectCert.getSerialNumber());
            if (crl == null) {
                throw new CmdFailure("received no CRL from server");
            }
            byte[] encodedCrl = crl.getEncoded();
            saveVerbose("saved CRL to file", this.outputFile, encodeCrl(encodedCrl, this.outform));
            return null;
        }
    }
}
