package org.xipki.security.shell;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.StringTokenizer;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.qualified.BiometricData;
import org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode;
import org.bouncycastle.asn1.x509.qualified.MonetaryValue;
import org.bouncycastle.asn1.x509.qualified.QCStatement;
import org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.xipki.security.BadInputException;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.HashAlgo;
import org.xipki.security.KeyUsage;
import org.xipki.security.NoIdleSignerException;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.X509Cert;
import org.xipki.security.X509ExtensionType;
import org.xipki.security.XiSecurityException;
import org.xipki.security.shell.SecurityCompleters;
import org.xipki.security.util.KeyUtil;
import org.xipki.security.util.X509Util;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.shell.XiAction;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.CompareUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.Hex;
import org.xipki.util.IoUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/security/shell/Actions.class */
public class Actions {

    /* loaded from: input_file:org/xipki/security/shell/Actions$BaseCsrGenAction.class */
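    /**
     * Common part of the CSR generating shell actions: collects the requested extensions and
     * attributes from the command line options, builds the PKCS#10 request with the signer
     * supplied by {@link #getSigner()} and writes it to {@code --out}.
     */
    public static abstract class BaseCsrGenAction extends SecurityAction {
        // Added to the parsed (midnight) dateOfBirth so the encoded GeneralizedTime is noon UTC of that day;
        // presumably this keeps the calendar date stable when the value is viewed in other time zones.
        private static final long _12_HOURS_MS = 43200000;

        @Option(name = "--subject-alt-name", aliases = {"--san"}, multiValued = true, description = "subjectAltName, in the form of [tagNo]value or [tagText]value. Valid tagNo/tagText/value:\n '0'/'othername'/OID=[DirectoryStringChoice:]value,\n    valid DirectoryStringChoices are printableString and utf8String,\n    default to utf8Sring '1'/'email'/text,\n '2'/'dns'/text,\n '4'/'dirName'/X500 name e.g. CN=abc,\n '5'/'edi'/key=value,\n '6'/'uri'/text,\n '7'/'ip'/IP address,\n '8'/'rid'/OID")
        protected List<String> subjectAltNames;

        @Option(name = "--subject-info-access", aliases = {"--sia"}, multiValued = true, description = "subjectInfoAccess")
        protected List<String> subjectInfoAccesses;

        @Option(name = "--peer-cert", description = "Peer certificate file, only for the Diffie-Hellman keys")
        @Completion(FileCompleter.class)
        private String peerCertFile;

        @Option(name = "--peer-certs", description = "Peer certificates file (A PEM file containing certificates, only for the Diffie-Hellman keys")
        @Completion(FileCompleter.class)
        private String peerCertsFile;

        @Option(name = "--subject", aliases = {"-s"}, description = "subject in the CSR, if not set, use the subject in the signer's certificate ")
        private String subject;

        @Option(name = "--dateOfBirth", description = "Date of birth YYYYMMdd in subject")
        private String dateOfBirth;

        @Option(name = "--postalAddress", multiValued = true, description = "postal address in subject")
        private List<String> postalAddress;

        @Option(name = "--outform", description = "output format of the CSR")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String outputFilename;

        @Option(name = "--challenge-password", aliases = {"-c"}, description = "challenge password")
        private String challengePassword;

        @Option(name = "--keyusage", multiValued = true, description = "keyusage")
        @Completion(Completers.KeyusageCompleter.class)
        private List<String> keyusages;

        @Option(name = "--ext-keyusage", multiValued = true, description = "extended keyusage (name or OID)")
        @Completion(Completers.ExtKeyusageCompleter.class)
        private List<String> extkeyusages;

        @Option(name = "--qc-eu-limit", multiValued = true, description = "QC EuLimitValue of format <currency>:<amount>:<exponent>")
        private List<String> qcEuLimits;

        @Option(name = "--biometric-type", description = "Biometric type")
        private String biometricType;

        @Option(name = "--biometric-hash", description = "Biometric hash algorithm")
        @Completion(Completers.HashAlgCompleter.class)
        private String biometricHashAlgo;

        @Option(name = "--biometric-file", description = "Biometric source data file (only its hash is embedded)")
        private String biometricFile;

        @Option(name = "--biometric-uri", description = "Biometric sourcedata URI")
        @Completion(FileCompleter.class)
        private String biometricUri;

        @Option(name = "--extra-extensions-file", description = "Configuration file for extra extensions")
        @Completion(FileCompleter.class)
        private String extraExtensionsFile;

        /** Supplies the signer that proves possession of the key (and optionally carries the subject and public key). */
        protected abstract ConcurrentContentSigner getSigner() throws Exception;

        /**
         * Loads the peer certificate(s) given for Diffie-Hellman keys.
         *
         * @return all {@code CERTIFICATE} blocks of the {@code --peer-certs} PEM file if that option
         *         is set, otherwise the single certificate of {@code --peer-cert}, otherwise
         *         {@code null}; an empty PEM file also yields {@code null}
         * @throws CertificateException if a certificate cannot be parsed
         * @throws IOException if a file cannot be read
         */
        public List<X509Cert> getPeerCertificates() throws CertificateException, IOException {
            if (StringUtil.isNotBlank(this.peerCertsFile)) {
                List<X509Cert> certs = new LinkedList<>();
                try (PemReader pemReader = new PemReader(new InputStreamReader(
                        new FileInputStream(this.peerCertsFile), StandardCharsets.UTF_8))) {
                    PemObject pemObject;
                    while ((pemObject = pemReader.readPemObject()) != null) {
                        // other PEM block types in the same file (keys, CRLs, ...) are skipped
                        if ("CERTIFICATE".equals(pemObject.getType())) {
                            certs.add(X509Util.parseCert(pemObject.getContent()));
                        }
                    }
                }
                return certs.isEmpty() ? null : certs;
            }

            if (StringUtil.isNotBlank(this.peerCertFile)) {
                return Collections.singletonList(
                        X509Util.parseCert(Paths.get(this.peerCertFile).toFile()));
            }
            return null;
        }

        /**
         * Builds the CSR and saves it to {@code --out}.
         *
         * @return always {@code null}; the result is the written file
         * @throws Exception on invalid options, signer errors or I/O errors
         */
        protected Object execute0() throws Exception {
            normalizeExtKeyUsages();

            List<Extension> extensions = buildExtensions();
            ConcurrentContentSigner signer = getSigner();

            // PKCS#9 attributes of the request: extensionRequest and (optionally) challengePassword
            Map<ASN1ObjectIdentifier, ASN1Encodable> attributes = new HashMap<>();
            if (CollectionUtil.isNotEmpty(extensions)) {
                attributes.put(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                        new Extensions(extensions.toArray(new Extension[0])));
            }
            if (StringUtil.isNotBlank(this.challengePassword)) {
                attributes.put(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
                        new DERPrintableString(this.challengePassword));
            }

            // the public key is taken from the signer's certificate when it has one, else from the signer itself
            X509Cert signerCert = signer.getCertificate();
            SubjectPublicKeyInfo publicKeyInfo = signerCert != null
                    ? Certificate.getInstance(signerCert.getEncoded()).getSubjectPublicKeyInfo()
                    : KeyUtil.createSubjectPublicKeyInfo(signer.getPublicKey());

            X500Name subjectDn = resolveSubject(signerCert);
            PKCS10CertificationRequest csr = generateRequest(signer, publicKeyInfo, subjectDn, attributes);
            saveVerbose("saved CSR to file", this.outputFilename, encodeCsr(csr.getEncoded(), this.outform));
            return null;
        }

        /**
         * Resolves every {@code --ext-keyusage} value (usage name or dotted OID) to its OID text and
         * replaces {@link #extkeyusages} with the resolved list.
         *
         * @throws IllegalCmdParamException if a value is neither a known usage name nor a valid OID
         */
        private void normalizeExtKeyUsages() throws IllegalCmdParamException {
            if (this.extkeyusages == null) {
                return;
            }
            List<String> oids = new ArrayList<>(this.extkeyusages.size());
            for (String usage : this.extkeyusages) {
                String oid = Completers.ExtKeyusageCompleter.getIdForUsageName(usage);
                if (oid == null) {
                    try {
                        oid = new ASN1ObjectIdentifier(usage).getId();
                    } catch (Exception ex) {
                        throw new IllegalCmdParamException("invalid extended key usage " + usage);
                    }
                }
                // the resolved OID must actually be collected; otherwise the list stays empty and
                // the extendedKeyUsage extension is silently dropped from the CSR
                oids.add(oid);
            }
            this.extkeyusages = oids;
        }

        /**
         * Collects the extensions requested on the command line plus {@link #getAdditionalExtensions()}.
         * All extensions are added as non-critical.
         *
         * @return the extensions in option order (possibly empty)
         * @throws Exception if an option value is malformed or a file cannot be read
         */
        private List<Extension> buildExtensions() throws Exception {
            List<Extension> extensions = new LinkedList<>();

            if (!isEmpty(this.subjectAltNames)) {
                ASN1OctetString value = X509Util.createExtnSubjectAltName(this.subjectAltNames, false).getExtnValue();
                if (value != null) {
                    extensions.add(new Extension(Extension.subjectAlternativeName, false, value));
                }
            }

            if (!isEmpty(this.subjectInfoAccesses)) {
                ASN1OctetString value = X509Util.createExtnSubjectInfoAccess(this.subjectInfoAccesses, false).getExtnValue();
                if (value != null) {
                    extensions.add(new Extension(Extension.subjectInfoAccess, false, value));
                }
            }

            if (isNotEmpty(this.keyusages)) {
                HashSet<KeyUsage> usages = new HashSet<>();
                for (String name : this.keyusages) {
                    usages.add(KeyUsage.getKeyUsage(name));
                }
                extensions.add(new Extension(Extension.keyUsage, false, X509Util.createKeyUsage(usages).getEncoded()));
            }

            if (isNotEmpty(this.extkeyusages)) {
                extensions.add(new Extension(Extension.extendedKeyUsage, false,
                        X509Util.createExtendedUsage(textToAsn1ObjectIdentifers(this.extkeyusages)).getEncoded()));
            }

            if (isNotEmpty(this.qcEuLimits)) {
                ASN1EncodableVector statements = new ASN1EncodableVector();
                for (String limit : this.qcEuLimits) {
                    statements.add(parseQcEuLimit(limit));
                }
                extensions.add(new Extension(Extension.qCStatements, false, new DERSequence(statements).getEncoded()));
            }

            boolean anyBiometric = this.biometricType != null || this.biometricHashAlgo != null || this.biometricFile != null;
            boolean allBiometric = this.biometricType != null && this.biometricHashAlgo != null && this.biometricFile != null;
            if (allBiometric) {
                extensions.add(buildBiometricInfo());
            } else if (anyBiometric) {
                throw new Exception("either all of biometric triples (type, hash algo, file) must be set or none of them should be set");
            }

            if (this.extraExtensionsFile != null) {
                // the JSON file is an operator-supplied configuration named on the command line
                X509ExtensionType.ExtensionsType extra = (X509ExtensionType.ExtensionsType) JSON.parseObject(
                        IoUtil.read(this.extraExtensionsFile), X509ExtensionType.ExtensionsType.class, new Feature[0]);
                extra.validate();
                List<X509ExtensionType> extraTypes = extra.getExtensions();
                if (CollectionUtil.isNotEmpty(extraTypes)) {
                    for (X509ExtensionType extraType : extraTypes) {
                        extensions.add(new Extension(new ASN1ObjectIdentifier(extraType.getType().getOid()), false,
                                extraType.getConstant().toASN1Encodable().toASN1Primitive().getEncoded("DER")));
                    }
                }
            }

            extensions.addAll(getAdditionalExtensions());
            return extensions;
        }

        /**
         * Parses one {@code --qc-eu-limit} value of the form {@code currency:amount:exponent} into an
         * ETSI QcLimitValue statement. The currency may be a numeric or an alphabetic ISO 4217 code.
         *
         * @throws Exception if the value does not have three tokens or amount/exponent are not integers
         */
        private static QCStatement parseQcEuLimit(String text) throws Exception {
            try {
                StringTokenizer tokens = new StringTokenizer(text, ":");
                String currencyText = tokens.nextToken();
                int amount = Integer.parseInt(tokens.nextToken());
                int exponent = Integer.parseInt(tokens.nextToken());

                Iso4217CurrencyCode currency;
                try {
                    currency = new Iso4217CurrencyCode(Integer.parseInt(currencyText));
                } catch (NumberFormatException ex) {
                    // not numeric: treat it as the alphabetic currency code
                    currency = new Iso4217CurrencyCode(currencyText);
                }
                return new QCStatement(ObjectIdentifiers.Extn.id_etsi_qcs_QcLimitValue,
                        new MonetaryValue(currency, amount, exponent));
            } catch (Exception ex) {
                throw new Exception("invalid qc-eu-limit '" + text + "'", ex);
            }
        }

        /**
         * Builds the biometricInfo extension from {@code --biometric-type}, {@code --biometric-hash},
         * {@code --biometric-file} and the optional {@code --biometric-uri}. Only the digest of the
         * file content is embedded, not the content itself.
         */
        private Extension buildBiometricInfo() throws Exception {
            // the type is either a predefined numeric code or an OID
            TypeOfBiometricData type = StringUtil.isNumber(this.biometricType)
                    ? new TypeOfBiometricData(Integer.parseInt(this.biometricType))
                    : new TypeOfBiometricData(new ASN1ObjectIdentifier(this.biometricType));
            HashAlgo hashAlgo = HashAlgo.getInstance(this.biometricHashAlgo);
            byte[] digest = MessageDigest.getInstance(hashAlgo.getJceName()).digest(IoUtil.read(this.biometricFile));
            BiometricData data = new BiometricData(type, hashAlgo.getAlgorithmIdentifier(), new DEROctetString(digest),
                    this.biometricUri == null ? null : new DERIA5String(this.biometricUri));

            ASN1EncodableVector vector = new ASN1EncodableVector();
            vector.add(data);
            return new Extension(Extension.biometricInfo, false, new DERSequence(vector).getEncoded());
        }

        /**
         * Determines the subject DN of the request.
         *
         * <p>With {@code --subject} the given DN is used, optionally prefixed with dateOfBirth and
         * postalAddress RDNs when those options are set and the DN does not already contain them.
         * Without {@code --subject} the signer certificate's subject is used, in which case
         * dateOfBirth and postalAddress must not be given.
         *
         * @param signerCert the signer's certificate, may be {@code null}
         * @throws IllegalCmdParamException if the options are inconsistent or no subject is available
         */
        private X500Name resolveSubject(X509Cert signerCert) throws Exception {
            if (this.subject == null) {
                if (StringUtil.isNotBlank(this.dateOfBirth)) {
                    throw new IllegalCmdParamException("dateOfBirth cannot be set if subject is not set");
                }
                if (CollectionUtil.isNotEmpty(this.postalAddress)) {
                    throw new IllegalCmdParamException("postalAddress cannot be set if subject is not set");
                }
                if (signerCert == null) {
                    throw new IllegalCmdParamException("subject must be set");
                }
                return signerCert.getSubject();
            }

            X500Name dn = getSubject(this.subject);
            List<RDN> extraRdns = new LinkedList<>();

            if (StringUtil.isNotBlank(this.dateOfBirth) && !hasRdn(dn, ObjectIdentifiers.DN.dateOfBirth)) {
                Date noonUtc = new Date(DateUtil.parseUtcTimeyyyyMMdd(this.dateOfBirth).getTime() + _12_HOURS_MS);
                extraRdns.add(new RDN(ObjectIdentifiers.DN.dateOfBirth,
                        new DERGeneralizedTime(DateUtil.toUtcTimeyyyyMMddhhmmss(noonUtc) + "Z")));
            }

            if (CollectionUtil.isNotEmpty(this.postalAddress) && !hasRdn(dn, ObjectIdentifiers.DN.postalAddress)) {
                ASN1EncodableVector lines = new ASN1EncodableVector();
                for (String line : this.postalAddress) {
                    lines.add(new DERUTF8String(line));
                }
                if (lines.size() > 0) {
                    extraRdns.add(new RDN(ObjectIdentifiers.DN.postalAddress, new DERSequence(lines)));
                }
            }

            if (extraRdns.isEmpty()) {
                return dn;
            }
            // the generated RDNs precede the user-supplied ones
            Collections.addAll(extraRdns, dn.getRDNs());
            return new X500Name(extraRdns.toArray(new RDN[0]));
        }

        /** Whether {@code dn} already carries at least one RDN of the given attribute type. */
        private static boolean hasRdn(X500Name dn, ASN1ObjectIdentifier type) {
            RDN[] rdns = dn.getRDNs(type);
            return rdns != null && rdns.length > 0;
        }

        /**
         * Parses the subject text; subclasses may override to apply their own DN syntax.
         *
         * @param str the subject text, must not be blank
         */
        protected X500Name getSubject(String str) {
            return new X500Name(Args.notBlank(str, "subjectText"));
        }

        /** Extension types a subclass requires; none by default. */
        protected List<String> getAdditionalNeedExtensionTypes() {
            return Collections.emptyList();
        }

        /** Extension types a subclass would like to have; none by default. */
        protected List<String> getAdditionalWantExtensionTypes() {
            return Collections.emptyList();
        }

        /** Extensions a subclass adds to the request beyond the command line options; none by default. */
        protected List<Extension> getAdditionalExtensions() throws BadInputException {
            return Collections.emptyList();
        }

        /**
         * Converts OID texts to {@link ASN1ObjectIdentifier}s, skipping empty strings and duplicates
         * while keeping the first-seen order.
         *
         * @return the OIDs, or {@code null} if {@code oidTexts} is {@code null}
         */
        private static List<ASN1ObjectIdentifier> textToAsn1ObjectIdentifers(List<String> oidTexts) {
            if (oidTexts == null) {
                return null;
            }
            List<ASN1ObjectIdentifier> oids = new ArrayList<>(oidTexts.size());
            for (String text : oidTexts) {
                if (text.isEmpty()) {
                    continue;
                }
                ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(text);
                if (!oids.contains(oid)) {
                    oids.add(oid);
                }
            }
            return oids;
        }

        /**
         * Builds and signs the PKCS#10 request.
         *
         * @param signer pool of content signers; one is borrowed for the signature and always returned
         * @param publicKeyInfo public key to certify
         * @param subjectDn subject of the request
         * @param attributes PKCS#9 attributes to add, may be {@code null} or empty
         * @throws XiSecurityException if no idle signer is available
         */
        private PKCS10CertificationRequest generateRequest(ConcurrentContentSigner signer,
                SubjectPublicKeyInfo publicKeyInfo, X500Name subjectDn,
                Map<ASN1ObjectIdentifier, ASN1Encodable> attributes) throws XiSecurityException {
            Args.notNull(signer, "signer");
            Args.notNull(publicKeyInfo, "subjectPublicKeyInfo");
            Args.notNull(subjectDn, "subjectDn");

            PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(subjectDn, publicKeyInfo);
            if (CollectionUtil.isNotEmpty(attributes)) {
                for (Map.Entry<ASN1ObjectIdentifier, ASN1Encodable> attribute : attributes.entrySet()) {
                    builder.addAttribute(attribute.getKey(), attribute.getValue());
                }
            }

            ConcurrentBagEntrySigner borrowed;
            try {
                borrowed = signer.borrowSigner();
            } catch (NoIdleSignerException ex) {
                throw new XiSecurityException(ex.getMessage(), ex);
            }
            try {
                return builder.build((ContentSigner) borrowed.value());
            } finally {
                // hand the signer back to the pool on every path, including failures
                signer.requiteSigner(borrowed);
            }
        }
    }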

    @Service
    @Command(scope = "xi", name = "cert-info", description = "print certificate information")
    /* loaded from: input_file:org/xipki/security/shell/Actions$CertInfo.class */
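    /**
     * Prints a single property of a certificate. Exactly one value is returned: the first of the
     * print flags that is set, in the order serial, subject, issuer, notBefore, notAfter, fingerprint.
     */
    public static class CertInfo extends SecurityAction {

        @Option(name = "--in", description = "certificate file")
        @Completion(FileCompleter.class)
        private String inFile;

        @Option(name = "--serial", description = "print serial number")
        private Boolean serial;

        @Option(name = "--subject", description = "print subject")
        private Boolean subject;

        @Option(name = "--issuer", description = "print issuer")
        private Boolean issuer;

        @Option(name = "--not-before", description = "print notBefore")
        private Boolean notBefore;

        @Option(name = "--not-after", description = "print notAfter")
        private Boolean notAfter;

        @Option(name = "--fingerprint", description = "print fingerprint in hex")
        private Boolean fingerprint;

        @Option(name = "--hex", aliases = {"-h"}, description = "print hex number")
        private Boolean hex = Boolean.FALSE;

        @Option(name = "--hash", description = "hash algorithm name")
        @Completion(Completers.HashAlgCompleter.class)
        protected String hashAlgo = "SHA256";

        /**
         * Parses the certificate in {@code --in} and returns the requested property.
         *
         * @return the property as a string, or {@code null} when no print flag is set
         * @throws Exception if the file cannot be read or parsed
         */
        protected Object execute0() throws Exception {
            X509Cert cert = X509Util.parseCert(IoUtil.read(this.inFile));
            if (isSet(this.serial)) {
                return getNumber(cert.getSerialNumber());
            }
            if (isSet(this.subject)) {
                return cert.getSubject().toString();
            }
            if (isSet(this.issuer)) {
                return cert.getIssuer().toString();
            }
            if (isSet(this.notBefore)) {
                return toUtcTimeyyyyMMddhhmmssZ(cert.getNotBefore());
            }
            if (isSet(this.notAfter)) {
                return toUtcTimeyyyyMMddhhmmssZ(cert.getNotAfter());
            }
            if (isSet(this.fingerprint)) {
                // the fingerprint is the hash over the complete DER encoding of the certificate
                return HashAlgo.getInstance(this.hashAlgo).hexHash(cert.getEncoded());
            }
            return null;
        }

        /** Treats an unset (null) option flag as false. */
        private static boolean isSet(Boolean flag) {
            return flag != null && flag.booleanValue();
        }

        /**
         * Formats a number decimally, or with a {@code 0x} prefix in hexadecimal when {@code --hex} is set.
         * Negative short/int/long values are rendered as their two's-complement hex digits.
         */
        private String getNumber(Number number) {
            if (!isSet(this.hex)) {
                return number.toString();
            }
            if (number instanceof Byte) {
                return "0x" + Hex.encode(new byte[]{number.byteValue()});
            }
            if (number instanceof Short) {
                return "0x" + Integer.toHexString(number.shortValue());
            }
            if (number instanceof Integer) {
                return "0x" + Integer.toHexString(number.intValue());
            }
            if (number instanceof Long) {
                return "0x" + Long.toHexString(number.longValue());
            }
            if (number instanceof BigInteger) {
                return "0x" + ((BigInteger) number).toString(16);
            }
            return number.toString();
        }
    }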

    @Service
    @Command(scope = "xi", name = "convert-keystore", description = "Convert keystore")
    /* loaded from: input_file:org/xipki/security/shell/Actions$ConvertKeystore.class */
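    /**
     * Copies every entry of one keystore into a freshly created keystore of another type and
     * writes the result to {@code --out}. Key entries are re-protected with the destination password.
     */
    public static class ConvertKeystore extends SecurityAction {

        @Option(name = "--in", required = true, description = "source keystore file")
        @Completion(FileCompleter.class)
        private String inFile;

        @Option(name = "--intype", required = true, description = "type of the source keystore")
        @Completion(SecurityCompleters.KeystoreTypeCompleter.class)
        private String inType;

        @Option(name = "--inpwd", description = "password of the source keystore")
        private String inPwd;

        @Option(name = "--out", required = true, description = "destination keystore file")
        @Completion(FileCompleter.class)
        private String outFile;

        @Option(name = "--outtype", required = true, description = "type of the destination keystore")
        @Completion(SecurityCompleters.KeystoreTypeCompleter.class)
        private String outType;

        @Option(name = "--outpwd", description = "password of the destination keystore")
        private String outPwd;

        /**
         * Performs the conversion.
         *
         * @return always {@code null}; the result is the written file
         * @throws IllegalCmdParamException if source and destination are the same file
         * @throws Exception on keystore or I/O errors
         */
        protected Object execute0() throws Exception {
            File source = new File(IoUtil.expandFilepath(this.inFile));
            File destination = new File(IoUtil.expandFilepath(this.outFile));
            // presumably a plain File equality check, i.e. lexical paths rather than canonical ones
            if (CompareUtil.equalsObject(source, destination)) {
                throw new IllegalCmdParamException("in and out cannot be the same");
            }

            KeyStore sourceKs = KeyStore.getInstance(this.inType);
            KeyStore destinationKs = KeyStore.getInstance(this.outType);
            destinationKs.load(null);

            char[] sourcePwd = readPasswordIfNotSet("password of the source keystore", this.inPwd);
            try (InputStream in = Files.newInputStream(source.toPath())) {
                sourceKs.load(in, sourcePwd);
            }

            char[] destinationPwd = readPasswordIfNotSet("password of the destination keystore", this.outPwd);
            Enumeration<String> aliases = sourceKs.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (sourceKs.isKeyEntry(alias)) {
                    // the keystore passwords double as the per-entry key passwords on both sides
                    destinationKs.setKeyEntry(alias, sourceKs.getKey(alias, sourcePwd), destinationPwd,
                            sourceKs.getCertificateChain(alias));
                } else {
                    destinationKs.setCertificateEntry(alias, sourceKs.getCertificate(alias));
                }
            }

            ByteArrayOutputStream encoded = new ByteArrayOutputStream(4096);
            destinationKs.store(encoded, destinationPwd);
            saveVerbose("saved destination keystore to file", destination, encoded.toByteArray());
            return null;
        }
    }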

    @Service
    @Command(scope = "xi", name = "crl-info", description = "print CRL information")
    /* loaded from: input_file:org/xipki/security/shell/Actions$CrlInfo.class */
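    /**
     * Prints a single property of a CRL. Exactly one value is returned: the first of the print
     * flags that is set, in the order crlNumber, issuer, thisUpdate, nextUpdate.
     */
    public static class CrlInfo extends SecurityAction {

        @Option(name = "--in", description = "CRL file")
        @Completion(FileCompleter.class)
        private String inFile;

        @Option(name = "--hex", aliases = {"-h"}, description = "print hex number")
        private Boolean hex = Boolean.FALSE;

        @Option(name = "--crlnumber", description = "print CRL number")
        private Boolean crlNumber;

        @Option(name = "--issuer", description = "print issuer")
        private Boolean issuer;

        @Option(name = "--this-update", description = "print thisUpdate")
        private Boolean thisUpdate;

        @Option(name = "--next-update", description = "print nextUpdate")
        private Boolean nextUpdate;

        /**
         * Parses the CRL in {@code --in} (PEM or DER) and returns the requested property.
         *
         * @return the property as a string; the literal {@code "null"} when the CRL has no
         *         CRL number or no nextUpdate; {@code null} when no print flag is set
         * @throws Exception if the file cannot be read or parsed
         */
        protected Object execute0() throws Exception {
            CertificateList crl = CertificateList.getInstance(X509Util.toDerEncoded(IoUtil.read(this.inFile)));
            if (isSet(this.crlNumber)) {
                // a CRL without an extensions block (e.g. version 1) has no CRL number at all
                Extensions extensions = crl.getTBSCertList().getExtensions();
                ASN1Encodable value = extensions == null ? null : extensions.getExtensionParsedValue(Extension.cRLNumber);
                return value == null ? "null" : getNumber(ASN1Integer.getInstance(value).getPositiveValue());
            }
            if (isSet(this.issuer)) {
                return crl.getIssuer().toString();
            }
            if (isSet(this.thisUpdate)) {
                return toUtcTimeyyyyMMddhhmmssZ(crl.getThisUpdate().getDate());
            }
            if (isSet(this.nextUpdate)) {
                return crl.getNextUpdate() == null ? "null" : toUtcTimeyyyyMMddhhmmssZ(crl.getNextUpdate().getDate());
            }
            return null;
        }

        /** Treats an unset (null) option flag as false. */
        private static boolean isSet(Boolean flag) {
            return flag != null && flag.booleanValue();
        }

        /**
         * Formats a number decimally, or with a {@code 0X} prefix in hexadecimal when {@code --hex} is set.
         * Negative short/int/long values are rendered as their two's-complement hex digits.
         */
        private String getNumber(Number number) {
            if (!isSet(this.hex)) {
                return number.toString();
            }
            if (number instanceof Byte) {
                return "0X" + Hex.encode(new byte[]{number.byteValue()});
            }
            if (number instanceof Short) {
                return "0X" + Integer.toHexString(number.shortValue());
            }
            if (number instanceof Integer) {
                return "0X" + Integer.toHexString(number.intValue());
            }
            if (number instanceof Long) {
                return "0X" + Long.toHexString(number.longValue());
            }
            if (number instanceof BigInteger) {
                return "0X" + ((BigInteger) number).toString(16);
            }
            return number.toString();
        }
    }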

    /* loaded from: input_file:org/xipki/security/shell/Actions$CsrGenAction.class */
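    /**
     * CSR generation with a configurable hash algorithm and signature-scheme switches used for the
     * proof of possession.
     */
    public static abstract class CsrGenAction extends BaseCsrGenAction {

        @Option(name = "--hash", description = "hash algorithm name (will be ignored in some keys, e.g. edwards curve based keys)")
        @Completion(Completers.HashAlgCompleter.class)
        protected String hashAlgo = "SHA256";

        @Option(name = "--rsa-pss", description = "whether to use the RSAPSS for the POPO computation\n(only applied to RSA key)")
        private Boolean rsaPss = Boolean.FALSE;

        @Option(name = "--dsa-plain", description = "whether to use the Plain DSA for the POPO computation")
        private Boolean dsaPlain = Boolean.FALSE;

        @Option(name = "--gm", description = "whether to use the chinese GM algorithm for the POPO computation\n(only applied to EC key with GM curves)")
        private Boolean gm = Boolean.FALSE;

        /**
         * Returns the signature-scheme switches and, as a side effect, normalizes {@link #hashAlgo}:
         * surrounding whitespace and hyphens are removed and the name is upper-cased
         * (e.g. {@code " sha-256 "} becomes {@code "SHA256"}).
         */
        public SignatureAlgoControl getSignatureAlgoControl() {
            // Locale.ROOT keeps the upper-casing independent of the JVM default locale
            // (in a Turkish locale a plain toUpperCase() would turn "i" into a dotted capital I)
            this.hashAlgo = this.hashAlgo.trim().toUpperCase(Locale.ROOT).replace("-", "");
            return new SignatureAlgoControl(this.rsaPss.booleanValue(), this.dsaPlain.booleanValue(), this.gm.booleanValue());
        }
    }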

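    @Service
    @Command(scope = "xi", name = "import-cert", description = "import certificates to a keystore")
    /* loaded from: input_file:org/xipki/security/shell/Actions$ImportCert.class */
    /**
     * xi:import-cert — adds one or more certificate files to a keystore as
     * <em>trusted certificate entries</em>, creating the keystore if the file does
     * not exist yet.
     *
     * <p>Security note: no chain building, signature or validity check is performed on
     * the imported certificates; everything passed via --cert becomes a trust anchor
     * of the resulting keystore. Only import certificates you have verified out of band.
     */
    public static class ImportCert extends SecurityAction {

        @Option(name = "--keystore", required = true, description = "keystore file")
        @Completion(FileCompleter.class)
        private String ksFile;

        @Option(name = "--type", required = true, description = "type of the keystore")
        @Completion(SecurityCompleters.KeystoreTypeCompleter.class)
        private String ksType;

        // NOTE(security): a password given on the command line is visible in shell history
        // and process listings; omitting it lets readPasswordIfNotSet prompt interactively.
        @Option(name = "--password", description = "password of the keystore")
        private String ksPwd;

        @Option(name = "--cert", aliases = {"-c"}, required = true, multiValued = true, description = "certificate files")
        @Completion(FileCompleter.class)
        private List<String> certFiles;

        /**
         * Loads (or creates) the keystore, adds each certificate under an alias derived
         * from its subject CN — suffixed with "-2", "-3", ... when that alias is already
         * taken — and writes the keystore back to the same file.
         *
         * @return always {@code null}
         * @throws Exception on keystore, certificate-parsing or I/O failure
         */
        protected Object execute0() throws Exception {
            File keystoreFile = new File(IoUtil.expandFilepath(this.ksFile));
            KeyStore keystore = KeyStore.getInstance(this.ksType);
            char[] password = readPasswordIfNotSet(this.ksPwd);

            // Aliases already present in the keystore; used to keep new aliases unique.
            HashSet<String> knownAliases = new HashSet<>(10);
            if (keystoreFile.exists()) {
                // try-with-resources replaces the hand-written close/rethrow of the original
                try (InputStream in = Files.newInputStream(keystoreFile.toPath())) {
                    keystore.load(in, password);
                }
                Enumeration<String> aliases = keystore.aliases();
                while (aliases.hasMoreElements()) {
                    knownAliases.add(aliases.nextElement());
                }
            } else {
                // no file yet: initialise an empty keystore of the requested type
                keystore.load(null);
            }

            for (String certFile : this.certFiles) {
                // expandFilepath for consistency with --keystore (the original expanded only
                // the keystore path, so "~/cert.pem" worked for one option but not the other)
                X509Cert cert = X509Util.parseCert(new File(IoUtil.expandFilepath(certFile)));
                String commonName = X509Util.getCommonName(cert.getSubject());
                // NOTE(review): if getCommonName returns null for a subject without CN, the
                // alias becomes null and setCertificateEntry's behaviour depends on the
                // KeyStore implementation — confirm whether a fallback alias is wanted.
                String alias = commonName;
                int suffix = 2;
                while (knownAliases.contains(alias)) {
                    alias = commonName + "-" + suffix;
                    suffix++;
                }
                // Trusted-certificate entry: the certificate is stored as-is, unvalidated.
                keystore.setCertificateEntry(alias, cert.toJceCert());
                knownAliases.add(alias);
            }

            ByteArrayOutputStream buffer = new ByteArrayOutputStream(4096);
            keystore.store(buffer, password);
            saveVerbose("saved keystore to file", keystoreFile, buffer.toByteArray());
            return null;
        }
    }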

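    @Service
    @Command(scope = "xi", name = "keystore-convert", description = "convert the keystore format")
    /* loaded from: input_file:org/xipki/security/shell/Actions$KeystoreConvert.class */
    /**
     * xi:keystore-convert — copies every key and certificate entry of a source
     * keystore into a newly created keystore of another type and/or provider.
     *
     * <p>Security note: all --*-pass/--*-keypass values given on the command line are
     * visible in shell history and process listings; leave them out to be prompted
     * interactively. Private keys are decrypted into memory during the copy.
     */
    public static class KeystoreConvert extends SecurityAction {

        @Option(name = "--in-type", required = true, description = "type of source keystore")
        private String inType;

        @Option(name = "--in", required = true, description = "file of source keystore")
        @Completion(FileCompleter.class)
        private String inFile;

        @Option(name = "--in-provider", description = "Security provider of source keystore")
        private String inProvider;

        @Option(name = "--in-pass", description = "password of source keystore")
        private String inPass;

        @Option(name = "--in-keypass", valueToShowInHelp = "keystore password", description = "password for the keys of source keystore")
        private String inKeyPass;

        @Option(name = "--out-type", required = true, description = "type of target keystore")
        private String outType;

        @Option(name = "--out-provider", description = "Security provider of target keystore")
        private String outProvider;

        @Option(name = "--out", required = true, description = "file of target keystore")
        @Completion(FileCompleter.class)
        private String outFile;

        @Option(name = "--out-pass", description = "password of target keystore")
        private String outPass;

        @Option(name = "--out-keypass", valueToShowInHelp = "keystore password", description = "password for the keys of target keystore")
        private String outKeyPass;

        @Option(name = "--in-keypass-diff", description = "whether the password for the keys differs from that of source keystore\nwill be ignored if --in-keypass is set")
        private Boolean inKeyPassDiff = Boolean.FALSE;

        @Option(name = "--out-keypass-diff", description = "whether the password for the keys differs from that of target keystore\nwill be ignored if --out-keypass is set")
        private Boolean outKeyPassDiff = Boolean.FALSE;

        /**
         * Performs the conversion.
         *
         * <p>Password resolution follows the option help: the keystore passwords come from
         * --in-pass/--out-pass or an interactive prompt; key passwords are only resolved
         * when the source contains at least one key entry and default to the respective
         * keystore password unless --*-keypass or --*-keypass-diff says otherwise.
         *
         * <p>Fixes over the previous version of this method:
         * <ul>
         *   <li>the target keystore was instantiated with {@code inProvider}, so
         *       --out-provider was silently ignored; it now uses {@code outProvider};</li>
         *   <li>one variable held both the source and the target key password, so keys were
         *       read from the source with the <em>target</em> key password and written with a
         *       {@code null} password; source and target key passwords are now separate and
         *       each is used where it belongs;</li>
         *   <li>the default for the target key password was the <em>source</em> keystore
         *       password; per the option help it is now the target keystore password;</li>
         *   <li>the source keystore stream was never closed.</li>
         * </ul>
         *
         * @return always {@code null}
         * @throws Exception on keystore, provider or I/O failure
         */
        protected Object execute0() throws Exception {
            KeyStore srcKs = StringUtil.isBlank(this.inProvider)
                ? KeyStore.getInstance(this.inType)
                : KeyStore.getInstance(this.inType, this.inProvider);

            char[] inPwd = this.inPass != null
                ? this.inPass.toCharArray()
                : readPassword("Enter the password of the source keystore");

            // expandFilepath for consistency with xi:import-cert's --keystore handling
            try (InputStream in = Files.newInputStream(Paths.get(IoUtil.expandFilepath(this.inFile)))) {
                srcKs.load(in, inPwd);
            }

            // Key passwords are only needed (and only prompted for) if there is a key entry.
            boolean hasKeyEntry = false;
            Enumeration<String> aliases = srcKs.aliases();
            while (aliases.hasMoreElements()) {
                if (srcKs.isKeyEntry(aliases.nextElement())) {
                    hasKeyEntry = true;
                    break;
                }
            }

            char[] inKeyPwd = null;
            if (hasKeyEntry) {
                if (this.inKeyPass != null) {
                    inKeyPwd = this.inKeyPass.toCharArray();
                } else if (this.inKeyPassDiff.booleanValue()) {
                    inKeyPwd = readPassword("Enter the password for keys of the source keystore");
                } else {
                    inKeyPwd = inPwd;
                }
            }

            char[] outPwd = this.outPass != null
                ? this.outPass.toCharArray()
                : readPassword("Enter the password of the target keystore");

            char[] outKeyPwd = null;
            if (hasKeyEntry) {
                if (this.outKeyPass != null) {
                    outKeyPwd = this.outKeyPass.toCharArray();
                } else if (this.outKeyPassDiff.booleanValue()) {
                    outKeyPwd = readPassword("Enter the password for keys of the target keystore");
                } else {
                    // default is the TARGET keystore password (help text: "keystore password")
                    outKeyPwd = outPwd;
                }
            }

            // --out-provider, not --in-provider, selects the target implementation
            KeyStore destKs = StringUtil.isBlank(this.outProvider)
                ? KeyStore.getInstance(this.outType)
                : KeyStore.getInstance(this.outType, this.outProvider);
            destKs.load(null, outPwd);

            aliases = srcKs.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (srcKs.isKeyEntry(alias)) {
                    // read with the source key password, protect with the target key password
                    destKs.setKeyEntry(alias, srcKs.getKey(alias, inKeyPwd), outKeyPwd,
                        srcKs.getCertificateChain(alias));
                } else if (srcKs.isCertificateEntry(alias)) {
                    destKs.setCertificateEntry(alias, srcKs.getCertificate(alias));
                } else {
                    println("entry " + alias + " is neither key nor certificate, ignore it");
                }
            }

            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            destKs.store(buffer, outPwd);
            saveVerbose("converted keystore to", this.outFile, buffer.toByteArray());
            return null;
        }
    }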

    /* loaded from: input_file:org/xipki/security/shell/Actions$SecurityAction.class */
    /**
     * Common base of the xi:* security commands: receives the SecurityFactory
     * service by injection and provides a small timestamp-formatting helper.
     */
    public static abstract class SecurityAction extends XiAction {

        @Reference
        protected SecurityFactory securityFactory;

        /**
         * Formats {@code date} through {@code DateUtil.toUtcTimeyyyyMMddhhmmss} and
         * appends a literal 'Z' to mark the value as UTC.
         *
         * @param date the instant to format
         * @return the formatted UTC timestamp with trailing 'Z'
         */
        protected String toUtcTimeyyyyMMddhhmmssZ(Date date) {
            final String utcDigits = DateUtil.toUtcTimeyyyyMMddhhmmss(date);
            return utcDigits + "Z";
        }
    }

    /**
     * xi:validate-csr — validates a CSR file. Optionally takes the peer's keystore,
     * from which (per the fragment the decompiler recovered, see below) a key and its
     * X509 certificate are wrapped into a {@code DHSigStaticKeyCertPair}; presumably
     * this is for CSRs whose proof-of-possession is a static-DH signature — TODO confirm
     * against the original sources.
     *
     * <p>NOTE(review): the body of {@code execute0} below is NOT the real implementation.
     * The decompiler failed on it and emitted a placeholder that throws
     * {@code UnsupportedOperationException}; do not treat this listing as the command's
     * behaviour. Refer to the upstream xipki sources for the actual validation logic.
     */
    @Service
    @Command(scope = "xi", name = "validate-csr", description = "validate CSR")
    /* loaded from: input_file:org/xipki/security/shell/Actions$ValidateCsr.class */
    public static class ValidateCsr extends SecurityAction {

        @Option(name = "--csr", required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String csrFile;

        @Option(name = "--keystore", description = "peer's keystore file")
        @Completion(FileCompleter.class)
        private String peerKeystoreFile;

        @Option(name = "--keystore-type", description = "type of the keystore")
        @Completion(SecurityCompleters.KeystoreTypeCompleter.class)
        private String keystoreType = "PKCS12";

        // NOTE(security): a password given on the command line is visible in shell history
        // and process listings; prefer the interactive prompt if the command offers one.
        @Option(name = "--keystore-password", description = "password of the keystore")
        private String keystorePassword;

        /* JADX WARN: Code restructure failed: missing block: B:33:0x00d6, code lost:
        
            r8 = new org.xipki.security.DHSigStaticKeyCertPair(r0, new org.xipki.security.X509Cert((java.security.cert.X509Certificate) r0.getCertificate(r0)));
         */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        /**
         * Decompiler placeholder — the original method (433 bytecode instructions) was not
         * recovered. Only the fragment quoted in the JADX warning above is known: a
         * DHSigStaticKeyCertPair is built from a key and the certificate read from the
         * peer keystore.
         *
         * @throws UnsupportedOperationException always, in this decompiled listing
         */
        protected java.lang.Object execute0() throws java.lang.Exception {
            /*
                Method dump skipped, instructions count: 433
                To view this dump add '--comments-level debug' option
            */
            // placeholder emitted by the decompiler, not application logic
            throw new UnsupportedOperationException("Method not decompiled: org.xipki.security.shell.Actions.ValidateCsr.execute0():java.lang.Object");
        }
    }
}
