package org.xipki.security.shell;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.EdECConstants;
import org.xipki.security.HashAlgo;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.XiSecurityException;
import org.xipki.security.pkcs12.KeypairWithCert;
import org.xipki.security.pkcs12.KeystoreGenerationParameters;
import org.xipki.security.pkcs12.P12KeyGenerationResult;
import org.xipki.security.pkcs12.P12KeyGenerator;
import org.xipki.security.shell.Actions;
import org.xipki.security.shell.SecurityCompleters;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.util.Args;
import org.xipki.util.ConfPairs;
import org.xipki.util.IoUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.PemEncoder;

/* loaded from: input_file:org/xipki/security/shell/P12Actions.class */
public class P12Actions {

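    /**
     * {@code xi:csr-p12}: generates a CSR signed with the private key held in the
     * PKCS#12 keystore named by {@code --p12}, protected by {@code --password}.
     *
     * <p>Security note: once read, the keystore password is cached in a
     * {@link String} field (see {@link #getPassword()}) and is also serialised into
     * the {@link ConfPairs} passed to the signer factory. Strings cannot be
     * zeroised, so the secret remains in heap memory for the life of the action.
     */
    @Service
    @Command(scope = "xi", name = "csr-p12", description = "generate CSR with PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$CsrP12.class */
    public static class CsrP12 extends Actions.CsrGenAction {

        @Option(name = "--p12", required = true, description = "PKCS#12 keystore file")
        @Completion(FileCompleter.class)
        private String p12File;

        @Option(name = "--password", description = "password of the PKCS#12 keystore file")
        private String password;

        /**
         * Returns the keystore password, prompting through
         * {@code readPasswordIfNotSet} when {@code --password} was not supplied,
         * and caches the answer in {@link #password} so later calls do not prompt again.
         *
         * @return the password characters; {@code null} only if
         *         {@code readPasswordIfNotSet} itself returns {@code null}
         * @throws IOException if the interactive prompt fails
         */
        private char[] getPassword() throws IOException {
            char[] pwd = readPasswordIfNotSet(this.password);
            if (pwd != null) {
                this.password = new String(pwd);
            }
            return pwd;
        }

        /**
         * Loads the PKCS#12 keystore at {@code --p12} (after {@code expandFilepath})
         * with the keystore password.
         *
         * @return the loaded keystore
         * @throws IOException if the file cannot be read or the password is wrong
         * @throws KeyStoreException if no PKCS#12 keystore implementation is available
         * @throws NoSuchAlgorithmException if the keystore's integrity algorithm is unsupported
         * @throws CertificateException if a certificate in the keystore cannot be parsed
         */
        public KeyStore getKeyStore() throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
            try (InputStream in = Files.newInputStream(Paths.get(expandFilepath(this.p12File)))) {
                KeyStore keyStore = KeyUtil.getKeyStore("PKCS12");
                keyStore.load(in, getPassword());
                return keyStore;
            }
        }

        /**
         * Builds a single-threaded PKCS#12 content signer over the keystore for the
         * requested hash algorithm and signature controls.
         *
         * @param signatureAlgoControl signature algorithm controls; must not be {@code null}
         * @return the signer
         * @throws ObjectCreationException if the password cannot be read, the peer
         *         certificates cannot be loaded, or the signer cannot be created
         */
        @Override // org.xipki.security.shell.Actions.CsrGenAction
        protected ConcurrentContentSigner getSigner(SignatureAlgoControl signatureAlgoControl) throws ObjectCreationException {
            Args.notNull(signatureAlgoControl, "signatureAlgoControl");
            try {
                // Assumed non-null here (readPasswordIfNotSet prompts when unset);
                // a null would surface as an NPE — TODO confirm against the base class.
                ConfPairs conf = new ConfPairs("password", new String(getPassword()));
                conf.putPair("parallelism", Integer.toString(1));
                // Resolve the path the same way getKeyStore() does so that both
                // code paths open the same file.
                conf.putPair("keystore", "file:" + expandFilepath(this.p12File));
                SignerConf signerConf = new SignerConf(conf.getEncoded(), HashAlgo.getNonNullInstance(this.hashAlgo), signatureAlgoControl);
                try {
                    signerConf.setPeerCertificates(getPeerCertificates());
                    return this.securityFactory.createSigner("PKCS12", signerConf, (X509Cert[]) null);
                } catch (IOException | CertificateException ex) {
                    throw new ObjectCreationException("error getting peer certificates", ex);
                }
            } catch (IOException ex) {
                throw new ObjectCreationException("could not read password: " + ex.getMessage(), ex);
            }
        }
    }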

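    /**
     * {@code xi:dsa-p12}: generates a DSA key pair and stores it, together with a
     * self-signed certificate for {@code --subject}, in a password-protected
     * PKCS#12 keystore.
     *
     * <p>{@code --plen} must be a positive multiple of 1024. When {@code --qlen} is
     * omitted it is derived from the prime length: 160 for p &le; 1024, 224 for
     * p &le; 2048 and 256 above that, i.e. the (L, N) pairs of FIPS 186-4.
     * A 1024-bit prime is still accepted for legacy interoperability; it gives
     * roughly 80-bit security and should not be chosen for new keys.
     */
    @Service
    @Command(scope = "xi", name = "dsa-p12", description = "generate DSA keypair in PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$DsaP12.class */
    public static class DsaP12 extends P12KeyGenAction {

        @Option(name = "--subject", aliases = {"-s"}, description = "subject of the self-signed certificate")
        private String subject;

        @Option(name = "--plen", description = "bit length of the prime")
        private Integer plen = 2048;

        @Option(name = "--qlen", description = "bit length of the sub-prime")
        private Integer qlen;

        /**
         * Validates the parameter sizes, fills in a default sub-prime length if
         * needed, generates the key pair and writes the keystore to {@code --out}.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if {@code --plen} is not a positive multiple of 1024
         * @throws Exception on key generation or I/O failure
         */
        protected Object execute0() throws Exception {
            int p = this.plen.intValue();
            // 0 and negative multiples also satisfy "% 1024 == 0"; reject them explicitly.
            if (p <= 0 || p % 1024 != 0) {
                throw new IllegalCmdParamException("plen must be a positive multiple of 1024: " + this.plen);
            }
            if (this.qlen == null) {
                this.qlen = defaultQlen(p);
            }
            saveKey(new P12KeyGenerator().generateDSAKeypair(p, this.qlen.intValue(), getKeyGenParameters(), this.subject));
            return null;
        }

        /** Sub-prime length paired with a prime of {@code plen} bits. */
        private static int defaultQlen(int plen) {
            if (plen <= 1024) {
                return 160;
            }
            if (plen <= 2048) {
                return 224;
            }
            return 256;
        }
    }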

    /**
     * {@code xi:ec-p12}: generates an EC key pair on {@code --curve} (name or OID,
     * default {@code secp256r1}) and stores it with a self-signed certificate in a
     * password-protected PKCS#12 keystore. Curves known to {@link EdECConstants}
     * (Edwards / Montgomery curves) are routed to the EdEC generator; every other
     * name is resolved through {@link AlgorithmUtil#getCurveOidForCurveNameOrOid}.
     */
    @Service
    @Command(scope = "xi", name = "ec-p12", description = "generate EC keypair in PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$EcP12.class */
    public static class EcP12 extends P12KeyGenAction {

        @Option(name = "--subject", aliases = {"-s"}, description = "subject of the self-signed certificate")
        protected String subject;

        @Option(name = "--curve", description = "EC curve name or OID")
        @Completion(Completers.ECCurveNameCompleter.class)
        private String curveName = "secp256r1";

        /**
         * Generates the key pair for the selected curve and saves the keystore.
         *
         * @return always {@code null}
         * @throws Exception on an unknown curve, key generation or I/O failure
         */
        protected Object execute0() throws Exception {
            P12KeyGenerator generator = new P12KeyGenerator();
            KeystoreGenerationParameters params = getKeyGenParameters();
            ASN1ObjectIdentifier edCurve = EdECConstants.getCurveOid(this.curveName);
            P12KeyGenerationResult result;
            if (edCurve == null) {
                ASN1ObjectIdentifier curve = AlgorithmUtil.getCurveOidForCurveNameOrOid(this.curveName);
                result = generator.generateECKeypair(curve, params, this.subject);
            } else {
                result = generator.generateEdECKeypair(edCurve, params, this.subject);
            }
            saveKey(result);
            return null;
        }
    }

    /**
     * {@code xi:export-cert-p12}: writes the certificate attached to the first key
     * entry of the PKCS#12 keystore to {@code --out}, DER or PEM encoded per
     * {@code --outform}. If the keystore holds several key entries, whichever
     * {@link KeyStore#aliases()} yields first is used.
     */
    @Service
    @Command(scope = "xi", name = "export-cert-p12", description = "export certificate from PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$ExportCertP12.class */
    public static class ExportCertP12 extends P12SecurityAction {

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outFile;

        /**
         * Locates the first key entry and saves its certificate.
         *
         * @return always {@code null}
         * @throws CmdFailure if the keystore has no key entry
         * @throws Exception on keystore or I/O failure
         */
        protected Object execute0() throws Exception {
            KeyStore keyStore = getKeyStore();
            String alias = firstKeyAlias(keyStore);
            if (alias == null) {
                throw new CmdFailure("could not find private key");
            }
            X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
            saveVerbose("saved certificate to file", this.outFile, encodeCert(cert.getEncoded(), this.outform));
            return null;
        }

        /** Alias of the first key entry in iteration order, or {@code null} if none. */
        private static String firstKeyAlias(KeyStore keyStore) throws KeyStoreException {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (keyStore.isKeyEntry(alias)) {
                    return alias;
                }
            }
            return null;
        }
    }

    /**
     * Base for the key-generation actions: holds the {@code --out} target and the
     * keystore {@code --password}, and builds the generation parameters (password
     * plus the factory's key RNG, when one is configured).
     *
     * <p>Security note: once read, the password is cached in a {@link String}
     * field, which cannot be zeroised, so it stays in heap memory for the life of
     * the action.
     */
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$P12KeyGenAction.class */
    public static abstract class P12KeyGenAction extends Actions.SecurityAction {

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the key")
        @Completion(FileCompleter.class)
        protected String keyOutFile;

        @Option(name = "--password", description = "password of the keystore file")
        protected String password;

        /**
         * Writes the generated keystore bytes to {@code --out}.
         *
         * @param p12KeyGenerationResult generation result; must not be {@code null}
         * @throws IOException if the file cannot be written
         */
        protected void saveKey(P12KeyGenerationResult p12KeyGenerationResult) throws IOException {
            Args.notNull(p12KeyGenerationResult, "keyGenerationResult");
            byte[] keystoreBytes = p12KeyGenerationResult.keystore();
            saveVerbose("saved PKCS#12 keystore to file", this.keyOutFile, keystoreBytes);
        }

        /**
         * Builds keystore generation parameters from the password and, if the
         * security factory provides one, its dedicated key-generation RNG.
         *
         * @return the parameters
         * @throws IOException if the password prompt fails
         */
        protected KeystoreGenerationParameters getKeyGenParameters() throws IOException {
            KeystoreGenerationParameters params = new KeystoreGenerationParameters(getPassword());
            SecureRandom keyRng = this.securityFactory.getRandom4Key();
            if (keyRng == null) {
                return params;
            }
            params.setRandom(keyRng);
            return params;
        }

        /**
         * Returns the keystore password, prompting when {@code --password} was not
         * given, and caches it in {@link #password}.
         */
        private char[] getPassword() throws IOException {
            char[] pwd = readPasswordIfNotSet(this.password);
            if (pwd == null) {
                return null;
            }
            this.password = new String(pwd);
            return pwd;
        }
    }

    /**
     * Base for actions that operate on an existing PKCS#12 keystore given by
     * {@code --p12} and {@code --password}.
     *
     * <p>Security note: once read, the password is cached in a {@link String}
     * field, which cannot be zeroised, so it stays in heap memory for the life of
     * the action.
     */
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$P12SecurityAction.class */
    public static abstract class P12SecurityAction extends Actions.SecurityAction {

        @Option(name = "--p12", required = true, description = "PKCS#12 keystore file")
        @Completion(FileCompleter.class)
        protected String p12File;

        @Option(name = "--password", description = "password of the PKCS#12 file")
        protected String password;

        /**
         * Returns the keystore password, prompting when {@code --password} was not
         * given, and caches it in {@link #password}.
         *
         * @return the password characters, or {@code null} if
         *         {@code readPasswordIfNotSet} returns {@code null}
         * @throws IOException if the prompt fails
         */
        protected char[] getPassword() throws IOException {
            char[] pwd = readPasswordIfNotSet(this.password);
            if (pwd == null) {
                return null;
            }
            this.password = new String(pwd);
            return pwd;
        }

        /**
         * Loads the keystore at {@code --p12} (after {@code expandFilepath}) with
         * the keystore password.
         *
         * @return the loaded keystore
         * @throws IOException if the file cannot be read or the password is wrong
         * @throws NoSuchAlgorithmException if the integrity algorithm is unsupported
         * @throws CertificateException if a contained certificate cannot be parsed
         * @throws KeyStoreException if no PKCS#12 implementation is available
         * @throws NoSuchProviderException if the configured provider is missing
         */
        protected KeyStore getKeyStore() throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, NoSuchProviderException {
            try (InputStream in = Files.newInputStream(Paths.get(expandFilepath(this.p12File)))) {
                KeyStore ks = KeyUtil.getKeyStore("PKCS12");
                ks.load(in, getPassword());
                return ks;
            }
        }
    }

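    /**
     * {@code xi:pkcs12}: splits a PKCS#12 keystore into a PEM private key
     * ({@code --key-out}) and a PEM certificate ({@code --cert-out}), in the
     * manner of the {@code openssl pkcs12} command. The same password is used for
     * the keystore and for the key entry; only element 0 of the stored certificate
     * chain is exported.
     *
     * <p>Security note: the key is written <em>unencrypted</em>
     * ({@code PemLabel.PRIVATE_KEY} over {@code getKey().getEncoded()}). Nothing
     * here restricts the output file's permissions — that is left to
     * {@code IoUtil.save} and the process umask — so the caller must protect the
     * key file and the directory it lands in.
     */
    @Service
    @Command(scope = "xi", name = "pkcs12", description = "export PKCS#12 key store, like the 'openssl pkcs12' command")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$Pkcs12.class */
    public static class Pkcs12 extends P12SecurityAction {

        @Option(name = "--key-out", required = true, description = "where to save the key")
        @Completion(FileCompleter.class)
        private String keyOutFile;

        @Option(name = "--cert-out", required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String certOutFile;

        /**
         * Reads the key pair and certificate from the keystore and writes both PEM files.
         *
         * @return always {@code null}
         * @throws Exception on keystore, encoding or I/O failure
         */
        protected Object execute0() throws Exception {
            char[] password = getPassword();
            KeypairWithCert keypair;
            // Resolve the path exactly as getKeyStore() does, instead of opening
            // the raw option value, so "~" and relative forms behave identically.
            try (InputStream in = Files.newInputStream(Paths.get(expandFilepath(this.p12File)))) {
                keypair = KeypairWithCert.fromKeystore("PKCS12", in, password, (String) null, password, (X509Cert) null);
            }
            byte[] keyPem = PemEncoder.encode(keypair.getKey().getEncoded(), PemEncoder.PemLabel.PRIVATE_KEY);
            byte[] certPem = PemEncoder.encode(keypair.getCertificateChain()[0].getEncoded(), PemEncoder.PemLabel.CERTIFICATE);
            IoUtil.save(this.keyOutFile, keyPem);
            IoUtil.save(this.certOutFile, certPem);
            return null;
        }
    }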

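    /**
     * {@code xi:rsa-p12}: generates an RSA key pair of {@code --key-size} bits with
     * public exponent {@code -e} (default {@code 0x10001}) and stores it, with a
     * self-signed certificate for {@code --subject}, in a password-protected
     * PKCS#12 keystore.
     *
     * <p>{@code --key-size} must be a positive multiple of 1024. 1024-bit moduli are
     * still accepted for legacy interoperability but are below current minimums;
     * prefer 2048 or more for new keys.
     */
    @Service
    @Command(scope = "xi", name = "rsa-p12", description = "generate RSA keypair in PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$RsaP12.class */
    public static class RsaP12 extends P12KeyGenAction {

        @Option(name = "--subject", aliases = {"-s"}, description = "subject of the self-signed certificate")
        private String subject;

        @Option(name = "--key-size", description = "keysize in bit")
        private Integer keysize = 2048;

        @Option(name = "-e", description = "public exponent")
        private String publicExponent = "0x10001";

        /**
         * Validates the key size, generates the key pair and saves the keystore.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if {@code --key-size} is not a positive multiple of 1024
         * @throws Exception on key generation or I/O failure
         */
        protected Object execute0() throws Exception {
            int bits = this.keysize.intValue();
            // 0 and negative multiples also satisfy "% 1024 == 0"; reject them explicitly.
            if (bits <= 0 || bits % 1024 != 0) {
                throw new IllegalCmdParamException("keysize must be a positive multiple of 1024: " + this.keysize);
            }
            saveKey(new P12KeyGenerator().generateRSAKeypair(bits, toBigInt(this.publicExponent), getKeyGenParameters(), this.subject));
            return null;
        }
    }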

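    /**
     * {@code xi:secretkey-p12}: generates a symmetric key of {@code --key-type}
     * ({@code AES}, {@code DES3} or {@code GENERIC}) and {@code --key-size} bits and
     * stores it in a password-protected JCEKS keystore (not PKCS#12, despite the
     * command name). {@code DES3} (Triple-DES) is a legacy algorithm kept for
     * interoperability; prefer {@code AES} for new keys.
     */
    @Service
    @Command(scope = "xi", name = "secretkey-p12", description = "generate secret key in JCEKS (not PKCS#12) keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$SecretkeyP12.class */
    public static class SecretkeyP12 extends P12KeyGenAction {

        @Option(name = "--key-type", required = true, description = "keytype, current only AES, DES3 and GENERIC are supported")
        @Completion(SecurityCompleters.SecretKeyTypeCompleter.class)
        private String keyType;

        @Option(name = "--key-size", required = true, description = "keysize in bit")
        private Integer keysize;

        /**
         * Validates the parameters, generates the key and saves the keystore.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if the key type is unsupported or the size is not positive
         * @throws Exception on key generation or I/O failure
         */
        protected Object execute0() throws Exception {
            // equalsIgnoreCase is locale-independent, but the later toUpperCase was
            // not: under a Turkish default locale "generic" became "GENERİC" and
            // would have been rejected downstream. Normalise with Locale.ROOT.
            String type = this.keyType == null ? null : this.keyType.toUpperCase(Locale.ROOT);
            if (!"AES".equals(type) && !"DES3".equals(type) && !"GENERIC".equals(type)) {
                throw new IllegalCmdParamException("invalid keyType " + this.keyType);
            }
            if (this.keysize == null || this.keysize.intValue() <= 0) {
                throw new IllegalCmdParamException("keysize must be positive: " + this.keysize);
            }
            saveKey(new P12KeyGenerator().generateSecretKey(type, this.keysize.intValue(), getKeyGenParameters()));
            return null;
        }
    }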

    /**
     * {@code xi:sm2-p12}: generates an SM2 key pair on curve {@code sm2p256v1} and
     * stores it, with a self-signed certificate for {@code --subject}, in a
     * password-protected PKCS#12 keystore. Equivalent to {@code xi:ec-p12} with the
     * curve fixed to {@link GMObjectIdentifiers#sm2p256v1}.
     */
    @Service
    @Command(scope = "xi", name = "sm2-p12", description = "generate SM2 (curve sm2p256v1) keypair in PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$Sm2P12.class */
    public static class Sm2P12 extends P12KeyGenAction {

        @Option(name = "--subject", aliases = {"-s"}, description = "subject of the self-signed certificate")
        protected String subject;

        /**
         * Generates the SM2 key pair and saves the keystore.
         *
         * @return always {@code null}
         * @throws Exception on key generation or I/O failure
         */
        protected Object execute0() throws Exception {
            P12KeyGenerator generator = new P12KeyGenerator();
            KeystoreGenerationParameters params = getKeyGenParameters();
            P12KeyGenerationResult result = generator.generateECKeypair(GMObjectIdentifiers.sm2p256v1, params, this.subject);
            saveKey(result);
            return null;
        }
    }

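    /**
     * {@code xi:update-cert-p12}: replaces the certificate chain of the first key
     * entry in a PKCS#12 keystore with {@code --cert}, chained through any
     * {@code --ca-cert} files, after checking that the certificate belongs to the
     * stored private key.
     *
     * <p>The keystore is rewritten through a temporary file in the same directory
     * that is then moved over the original (atomically where the filesystem allows),
     * so a failure inside {@code KeyStore.store} cannot leave a truncated keystore —
     * and possibly the only copy of the private key — behind. On POSIX the
     * temporary file is created owner-only readable and the result keeps that mode,
     * whatever the original file's mode was.
     */
    @Service
    @Command(scope = "xi", name = "update-cert-p12", description = "update certificate in PKCS#12 keystore")
    /* loaded from: input_file:org/xipki/security/shell/P12Actions$UpdateCertP12.class */
    public static class UpdateCertP12 extends P12SecurityAction {

        @Option(name = "--cert", required = true, description = "certificate file")
        @Completion(FileCompleter.class)
        private String certFile;

        @Option(name = "--ca-cert", multiValued = true, description = "CA Certificate file")
        @Completion(FileCompleter.class)
        private Set<String> caCertFiles;

        /**
         * Loads the keystore, verifies the new certificate against the stored key,
         * rebuilds the chain and writes the keystore back.
         *
         * @return always {@code null}
         * @throws XiSecurityException if no key entry exists or the certificate does not match the key
         * @throws Exception on keystore, certificate-path or I/O failure
         */
        protected Object execute0() throws Exception {
            KeyStore keyStore = getKeyStore();
            char[] password = getPassword();
            X509Cert newCert = X509Util.parseCert(new File(this.certFile));
            // Fail before touching the keystore if the certificate is not ours.
            assertMatch(keyStore, newCert, password);

            String alias = firstKeyAlias(keyStore);
            if (alias == null) {
                throw new XiSecurityException("could not find private key");
            }
            Key key = keyStore.getKey(alias, password);

            Set<X509Cert> caCerts = new HashSet<>();
            if (isNotEmpty(this.caCertFiles)) {
                for (String caCertFile : this.caCertFiles) {
                    caCerts.add(X509Util.parseCert(new File(caCertFile)));
                }
            }
            X509Cert[] chain = X509Util.buildCertPath(newCert, caCerts);
            Certificate[] jceChain = new Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) {
                jceChain[i] = chain[i].toJceCert();
            }
            keyStore.setKeyEntry(alias, key, password, jceChain);

            storeAtomically(keyStore, password);
            println("updated certificate");
            return null;
        }

        /** Alias of the first key entry in iteration order, or {@code null} if none. */
        private static String firstKeyAlias(KeyStore keyStore) throws KeyStoreException {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (keyStore.isKeyEntry(alias)) {
                    return alias;
                }
            }
            return null;
        }

        /**
         * Serialises {@code keyStore} to a fresh temporary file beside the target
         * ({@code --p12}, resolved with {@code expandFilepath} exactly as it was
         * read) and moves it into place, so the original is replaced only by a
         * completely written keystore.
         */
        private void storeAtomically(KeyStore keyStore, char[] password) throws Exception {
            Path target = Paths.get(expandFilepath(this.p12File)).toAbsolutePath();
            Path dir = target.getParent();
            Path tmp = Files.createTempFile(dir, target.getFileName().toString(), ".tmp");
            try {
                try (OutputStream out = Files.newOutputStream(tmp)) {
                    keyStore.store(out, password);
                }
                try {
                    Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                } catch (AtomicMoveNotSupportedException ex) {
                    // Best effort on filesystems without atomic rename-over.
                    Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING);
                }
            } finally {
                // No-op after a successful move; removes the partial file on failure.
                Files.deleteIfExists(tmp);
            }
        }

        /**
         * Ensures {@code cert}'s public key corresponds to the private key in the
         * keystore. X25519/X448 keys cannot sign, so their public keys are compared
         * byte-for-byte; for every other algorithm a PKCS#12 signer is built with
         * {@code cert}, relying on the signer factory to reject a certificate that
         * does not match the key (not verified here).
         *
         * @throws XiSecurityException if an X25519/X448 public key differs
         * @throws Exception if the signer cannot be created
         */
        private void assertMatch(KeyStore keyStore, X509Cert cert, char[] password) throws Exception {
            String algo = cert.getPublicKey().getAlgorithm();
            if ("X25519".equalsIgnoreCase(algo) || "X448".equalsIgnoreCase(algo)) {
                byte[] storedPub = KeypairWithCert.fromKeystore(keyStore, (String) null, password, (X509Cert[]) null).getPublicKey().getEncoded();
                if (!Arrays.equals(storedPub, cert.getPublicKey().getEncoded())) {
                    throw new XiSecurityException("the certificate and private key do not match");
                }
                return;
            }
            ConfPairs conf = new ConfPairs("keystore", "file:" + expandFilepath(this.p12File));
            if (password != null) {
                conf.putPair("password", new String(password));
            }
            this.securityFactory.createSigner("PKCS12", new SignerConf(conf.getEncoded(), HashAlgo.SHA256, (SignatureAlgoControl) null), cert);
        }
    }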
}
