package org.xipki.cmpclient.shell;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.apache.karaf.shell.support.completers.StringsCompleter;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERGeneralizedTime;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.crmf.Controls;
import org.bouncycastle.asn1.crmf.OptionalValidity;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
import org.bouncycastle.asn1.crmf.ProofOfPossession;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.qualified.BiometricData;
import org.bouncycastle.asn1.x509.qualified.Iso4217CurrencyCode;
import org.bouncycastle.asn1.x509.qualified.MonetaryValue;
import org.bouncycastle.asn1.x509.qualified.QCStatement;
import org.bouncycastle.asn1.x509.qualified.TypeOfBiometricData;
import org.bouncycastle.cert.crmf.ProofOfPossessionSigningKeyBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.xipki.cmpclient.CmpClientException;
import org.xipki.cmpclient.EnrollCertRequest;
import org.xipki.cmpclient.EnrollCertResult;
import org.xipki.cmpclient.shell.Actions;
import org.xipki.cmpclient.shell.CmpClientCompleters;
import org.xipki.security.ConcurrentBagEntrySigner;
import org.xipki.security.ConcurrentContentSigner;
import org.xipki.security.HashAlgo;
import org.xipki.security.KeyUsage;
import org.xipki.security.ObjectIdentifiers;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.SignerConf;
import org.xipki.security.X509Cert;
import org.xipki.security.X509ExtensionType;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.ConfPairs;
import org.xipki.util.DateUtil;
import org.xipki.util.Hex;
import org.xipki.util.IoUtil;
import org.xipki.util.ObjectCreationException;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/cmpclient/shell/EnrollCertActions.class */
public class EnrollCertActions {

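    /**
     * Karaf shell command {@code xi:cmp-csr-enroll}: submits an existing PKCS#10 CSR to the CA
     * through the CMP client and stores the issued certificate.
     *
     * <p>The CSR file is only parsed in this class. Nothing here verifies the CSR signature or
     * inspects the requested subject, so any such validation must happen elsewhere.
     */
    @Service
    @Command(scope = "xi", name = "cmp-csr-enroll", description = "enroll certificate via CSR")
    public static class CmpCsrEnroll extends Actions.ClientAction {

        @Option(name = "--csr", required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String csrFile;

        @Option(name = "--profile", aliases = {"-p"}, required = true, description = "certificate profile")
        private String profile;

        @Option(name = "--not-before", description = "notBefore, UTC time of format yyyyMMddHHmmss")
        private String notBeforeS;

        @Option(name = "--not-after", description = "notAfter, UTC time of format yyyyMMddHHmmss")
        private String notAfterS;

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        private String outform = "der";

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        @Option(name = "--ca", description = "CA name\n(required if the profile is supported by more than one CA)")
        @Completion(CmpClientCompleters.CaNameCompleter.class)
        private String caName;

        /**
         * Parses the CSR, sends it to the CA and writes the returned certificate to
         * {@code --out} in the format selected by {@code --outform}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the response contains no certificate
         * @throws Exception on any parsing, transport or I/O failure
         */
        protected Object execute0() throws Exception {
            if (this.caName != null) {
                // Locale.ROOT keeps the CA-name normalisation independent of the JVM default locale.
                this.caName = this.caName.toLowerCase(Locale.ROOT);
            }
            CertificationRequest csr = X509Util.parseCsr(new File(this.csrFile));
            Date notBefore = StringUtil.isNotBlank(this.notBeforeS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(this.notBeforeS)
                    : null;
            Date notAfter = StringUtil.isNotBlank(this.notAfterS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(this.notAfterS)
                    : null;

            ReqRespDebug debug = getReqRespDebug();
            EnrollCertResult result;
            try {
                result = this.client.enrollCert(this.caName, csr, this.profile, notBefore, notAfter, debug);
            } finally {
                // Save the exchange exactly once, whether or not the call succeeded.
                saveRequestResponse(debug);
            }

            X509Cert cert = null;
            if (result != null) {
                // An empty id set is reported as "no certificate" instead of NoSuchElementException.
                Iterator<?> ids = result.getAllIds().iterator();
                if (ids.hasNext()) {
                    cert = result.getCertOrError((String) ids.next()).getCertificate();
                }
            }
            if (cert == null) {
                throw new CmdFailure("no certificate received from the server");
            }
            saveVerbose("certificate saved to file", this.outputFile, encodeCert(cert.getEncoded(), this.outform));
            return null;
        }
    }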

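    /**
     * Karaf shell command {@code xi:cmp-enroll-cagenkey}: requests a certificate whose key pair is
     * generated by the CA, then stores the returned private key and certificate chain in a
     * password-protected PKCS#12 keystore.
     *
     * <p>The private key is produced remotely and travels in the CMP response, so the written
     * PKCS#12 file and anything that records the response hold key material.
     * NOTE(review): {@code saveRequestResponse} and {@code saveVerbose} are inherited and not
     * visible here; confirm how the debug dump and the output file are protected (permissions,
     * retention).
     * NOTE(review): a value passed with {@code --password} stays in a {@code String} and may be
     * recorded in shell history; omitting the option presumably makes
     * {@code readPasswordIfNotSet} prompt for it (confirm).
     */
    @Service
    @Command(scope = "xi", name = "cmp-enroll-cagenkey", description = "enroll certificate (keypair will be generated by the CA)")
    public static class CmpEnrollCagenkey extends EnrollAction {

        @Option(name = "--cmpreq-type", description = "CMP request type (ir for Initialization Request,\nand cr for Certification Request)")
        @Completion(value = StringsCompleter.class, values = {"ir", "cr"})
        private String cmpreqType = "cr";

        @Option(name = "--cert-outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        private String certOutform = "der";

        @Option(name = "--cert-out", description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String certOutputFile;

        @Option(name = "--p12-out", required = true, description = "where to save the PKCS#12 keystore")
        @Completion(FileCompleter.class)
        private String p12OutputFile;

        @Option(name = "--password", description = "password of the PKCS#12 file")
        private String password;

        /**
         * Returns {@code null}, so the certificate template is built without a public key
         * (the CA generates the key pair).
         */
        @Override
        protected SubjectPublicKeyInfo getPublicKey() throws Exception {
            return null;
        }

        /**
         * Builds the request entry without a proof of possession.
         *
         * @param str request id supplied by the caller; not used, the entry id is fixed to "id-1"
         * @param str2 certificate profile name
         * @param certRequest CRMF request to wrap
         * @return the entry; the two trailing flags are passed as {@code true, false}
         *     (presumably "CA generates key pair" and a second switch, confirm against
         *     {@code EnrollCertRequest.Entry})
         */
        @Override
        protected EnrollCertRequest.Entry buildEnrollCertRequestEntry(String str, String str2, CertRequest certRequest) throws Exception {
            return new EnrollCertRequest.Entry("id-1", str2, certRequest, (ProofOfPossession) null, true, false);
        }

        /**
         * Enrols the certificate, optionally writes it to {@code --cert-out}, and stores key and
         * chain under alias "main" in the PKCS#12 file given by {@code --p12-out}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the response lacks the certificate or the private key, or if the
         *     key algorithm is not supported by the provider
         * @throws Exception on any transport, keystore or I/O failure
         */
        protected Object execute0() throws Exception {
            EnrollCertResult result = enroll();
            X509Cert cert = null;
            PrivateKeyInfo keyInfo = null;
            if (result != null) {
                // An empty id set falls through to the "no certificate" failure below.
                Iterator<?> ids = result.getAllIds().iterator();
                if (ids.hasNext()) {
                    EnrollCertResult.CertifiedKeyPairOrError entry = result.getCertOrError((String) ids.next());
                    cert = entry.getCertificate();
                    keyInfo = entry.getPrivateKeyInfo();
                }
            }
            if (cert == null) {
                throw new CmdFailure("no certificate received from the server");
            }
            if (keyInfo == null) {
                throw new CmdFailure("no private key received from the server");
            }
            if (StringUtil.isNotBlank(this.certOutputFile)) {
                saveVerbose("saved certificate to file", this.certOutputFile, encodeCert(cert.getEncoded(), this.certOutform));
            }

            // Chain layout: end-entity certificate first, then the CA certificates as returned.
            X509Cert[] caChain = result.getCaCertChain();
            int caCount = caChain == null ? 0 : caChain.length;
            X509Certificate[] chain = new X509Certificate[1 + caCount];
            chain[0] = cert.toJceCert();
            for (int i = 0; i < caCount; i++) {
                chain[i + 1] = caChain[i].toJceCert();
            }

            PrivateKey key = BouncyCastleProvider.getPrivateKey(keyInfo);
            if (key == null) {
                // The provider returns null when it has no converter for the key algorithm.
                throw new CmdFailure("unsupported algorithm of the private key received from the server");
            }

            char[] pwd = getPassword();
            try {
                KeyStore keyStore = KeyStore.getInstance("PKCS12");
                keyStore.load(null, pwd);
                keyStore.setKeyEntry("main", key, pwd, chain);
                ByteArrayOutputStream encoded = new ByteArrayOutputStream();
                keyStore.store(encoded, pwd);
                saveVerbose("saved key to file", this.p12OutputFile, encoded.toByteArray());
            } finally {
                // Do not leave the keystore password in memory longer than needed.
                if (pwd != null) {
                    Arrays.fill(pwd, '\0');
                }
            }
            return null;
        }

        /**
         * Maps {@code --cmpreq-type} (case-insensitive "cr" or "ir") to the CMP request type.
         *
         * @throws IllegalCmdParamException for any other value
         */
        @Override
        protected EnrollCertRequest.EnrollType getCmpReqType() throws Exception {
            if ("cr".equalsIgnoreCase(this.cmpreqType)) {
                return EnrollCertRequest.EnrollType.CERT_REQ;
            }
            if ("ir".equalsIgnoreCase(this.cmpreqType)) {
                return EnrollCertRequest.EnrollType.INIT_REQ;
            }
            throw new IllegalCmdParamException("invalid cmpreq-type " + this.cmpreqType);
        }

        /**
         * Returns the keystore password as a fresh {@code char[]} that the caller wipes after use.
         *
         * <p>The result is deliberately not copied back into the {@code password} field: a
         * {@code String} copy cannot be cleared. {@code readPasswordIfNotSet} is inherited and not
         * shown here; it presumably returns the option value or prompts (confirm).
         */
        private char[] getPassword() throws IOException {
            return readPasswordIfNotSet(this.password);
        }
    }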

    /**
     * Karaf shell command {@code xi:cmp-enroll-p11}: enrols a certificate for a key that lives in
     * a PKCS#11 token. The key is addressed by slot index plus key id and/or key label, and is
     * used through a signer created by the security factory.
     */
    @Service
    @Command(scope = "xi", name = "cmp-enroll-p11", description = "enroll certificate (PKCS#11 token)")
    public static class CmpEnrollP11 extends EnrollCertAction {

        @Option(name = "--slot", required = true, description = "slot index")
        private Integer slotIndex;

        @Option(name = "--key-id", description = "id of the private key in the PKCS#11 device\neither keyId or keyLabel must be specified")
        private String keyId;

        @Option(name = "--key-label", description = "label of the private key in the PKCS#11 device\neither keyId or keyLabel must be specified")
        private String keyLabel;

        @Option(name = "--module", description = "name of the PKCS#11 module")
        private String moduleName = "default";

        // Created on first use and reused by later calls.
        private ConcurrentContentSigner signer;

        /**
         * Returns the PKCS#11-backed signer, creating it on the first call.
         *
         * @throws ObjectCreationException if the signer cannot be created
         */
        @Override
        protected ConcurrentContentSigner getSigner() throws ObjectCreationException {
            if (this.signer != null) {
                return this.signer;
            }
            // --key-id is given as hex text and decoded to the raw identifier.
            byte[] keyIdBytes = this.keyId == null ? null : Hex.decode(this.keyId);
            SignerConf conf = getPkcs11SignerConf(
                    this.moduleName,
                    this.slotIndex,
                    this.keyLabel,
                    keyIdBytes,
                    getHashAlgo(this.hashAlgo),
                    getSignatureAlgoControl());
            this.signer = this.securityFactory.createSigner("PKCS11", conf, (X509Cert[]) null);
            return this.signer;
        }

        /**
         * Assembles the signer configuration for a PKCS#11 key.
         *
         * @param str PKCS#11 module name; omitted from the configuration when null or empty
         * @param num slot index; checked with {@code Args.notNull}
         * @param str2 key label, may be null when {@code bArr} is given
         * @param bArr key id, may be null when {@code str2} is given
         * @param hashAlgo hash algorithm; checked with {@code Args.notNull}
         * @param signatureAlgoControl signature algorithm switches passed through unchanged
         * @return configuration with parallelism fixed to 1
         * @throws IllegalArgumentException if both key id and key label are null
         */
        public static SignerConf getPkcs11SignerConf(String str, Integer num, String str2, byte[] bArr, HashAlgo hashAlgo, SignatureAlgoControl signatureAlgoControl) {
            Args.notNull(hashAlgo, "hashAlgo");
            Args.notNull(num, "slotIndex");
            boolean noKeySelector = bArr == null && str2 == null;
            if (noKeySelector) {
                throw new IllegalArgumentException("at least one of keyId and keyLabel may not be null");
            }

            ConfPairs pairs = new ConfPairs();
            pairs.putPair("parallelism", "1");
            if (str != null && !str.isEmpty()) {
                pairs.putPair("module", str);
            }
            if (num != null) {
                pairs.putPair("slot", num.toString());
            }
            if (bArr != null) {
                pairs.putPair("key-id", Hex.encode(bArr));
            }
            if (str2 != null) {
                pairs.putPair("key-label", str2);
            }
            String encodedConf = pairs.getEncoded();
            return new SignerConf(encodedConf, hashAlgo, signatureAlgoControl);
        }
    }

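    /**
     * Karaf shell command {@code xi:cmp-enroll-p12}: enrols a certificate for a key stored in a
     * PKCS#12 keystore file.
     *
     * <p>The keystore password is placed in the signer configuration string as plain text, so that
     * string must not be logged or echoed.
     * NOTE(review): a value passed with {@code --password} may be recorded in shell history;
     * omitting the option makes the command call {@code readPassword()} instead.
     */
    @Service
    @Command(scope = "xi", name = "cmp-enroll-p12", description = "enroll certificate (PKCS#12 keystore)")
    public static class CmpEnrollP12 extends EnrollCertAction {

        @Option(name = "--p12", required = true, description = "PKCS#12 keystore file")
        @Completion(FileCompleter.class)
        private String p12File;

        @Option(name = "--password", description = "password of the PKCS#12 keystore file")
        private String password;

        // Created on first use and reused by later calls.
        private ConcurrentContentSigner signer;

        /**
         * Returns the PKCS#12-backed signer, creating it on the first call.
         *
         * @throws ObjectCreationException if the password cannot be read or the signer cannot be
         *     created
         * @throws CmpClientException if the CA name cannot be resolved
         */
        @Override
        protected ConcurrentContentSigner getSigner() throws ObjectCreationException, CmpClientException {
            if (this.signer != null) {
                return this.signer;
            }
            if (this.password == null) {
                char[] entered;
                try {
                    entered = readPassword();
                } catch (IOException e) {
                    throw new ObjectCreationException("could not read password: " + e.getMessage(), e);
                }
                // ConfPairs needs a String; wipe the char[] copy so only one copy remains.
                this.password = new String(entered);
                Arrays.fill(entered, '\0');
            }

            ConfPairs pairs = new ConfPairs("password", this.password);
            pairs.putPair("parallelism", Integer.toString(1));
            pairs.putPair("keystore", "file:" + this.p12File);
            SignerConf signerConf = new SignerConf(pairs.getEncoded(), getHashAlgo(this.hashAlgo), getSignatureAlgoControl());

            // Locale.ROOT keeps the CA-name normalisation independent of the JVM default locale.
            List dhPocPeerCertificates = this.client.getDhPocPeerCertificates(getCaName().toLowerCase(Locale.ROOT));
            if (CollectionUtil.isNotEmpty(dhPocPeerCertificates)) {
                signerConf.setPeerCertificates(dhPocPeerCertificates);
            }
            this.signer = this.securityFactory.createSigner("PKCS12", signerConf, (X509Cert[]) null);
            return this.signer;
        }
    }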

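    /**
     * Common base of the CMP enrolment commands. It assembles the CRMF certificate template from
     * the command-line options (subject, validity, extensions) and sends it through the CMP
     * client.
     *
     * <p>All values placed in the template come directly from the operator's options and files;
     * this class adds every extension as non-critical and leaves policy decisions to the CA.
     */
    public static abstract class EnrollAction extends Actions.ClientAction {
        // Added to the parsed date of birth before encoding (presumably to move midnight to noon UTC).
        private static final long _12_HOURS_MS = 43200000;

        @Reference
        protected SecurityFactory securityFactory;

        @Option(name = "--subject", aliases = {"-s"}, required = true, description = "subject to be requested")
        private String subject;

        @Option(name = "--profile", aliases = {"-p"}, required = true, description = "certificate profile")
        private String profile;

        @Option(name = "--not-before", description = "notBefore, UTC time of format yyyyMMddHHmmss")
        private String notBeforeS;

        @Option(name = "--not-after", description = "notAfter, UTC time of format yyyyMMddHHmmss")
        private String notAfterS;

        @Option(name = "--ca", description = "CA name\n(required if the profile is supported by more than one CA)")
        @Completion(CmpClientCompleters.CaNameCompleter.class)
        private String caName;

        @Option(name = "--keyusage", multiValued = true, description = "keyusage")
        @Completion(Completers.KeyusageCompleter.class)
        private List<String> keyusages;

        @Option(name = "--ext-keyusage", multiValued = true, description = "extended keyusage (name or OID)")
        @Completion(Completers.ExtKeyusageCompleter.class)
        private List<String> extkeyusages;

        @Option(name = "--subject-alt-name", multiValued = true, description = "subjectAltName")
        private List<String> subjectAltNames;

        @Option(name = "--subject-info-access", multiValued = true, description = "subjectInfoAccess")
        private List<String> subjectInfoAccesses;

        @Option(name = "--qc-eu-limit", multiValued = true, description = "QC EuLimitValue of format <currency>:<amount>:<exponent>.")
        private List<String> qcEuLimits;

        @Option(name = "--biometric-type", description = "Biometric type")
        private String biometricType;

        @Option(name = "--biometric-hash", description = "Biometric hash algorithm")
        @Completion(Completers.HashAlgCompleter.class)
        private String biometricHashAlgo;

        @Option(name = "--biometric-file", description = "Biometric source data file")
        @Completion(FileCompleter.class)
        private String biometricFile;

        @Option(name = "--biometric-uri", description = "Biometric source data URI")
        private String biometricUri;

        @Option(name = "--dateOfBirth", description = "Date of birth YYYYMMdd in subject")
        private String dateOfBirth;

        @Option(name = "--postalAddress", multiValued = true, description = "postal address in subject")
        private List<String> postalAddress;

        @Option(name = "--extra-extensions-file", description = "Configuration file for extra extensions")
        @Completion(FileCompleter.class)
        private String extraExtensionsFile;

        /** Returns the public key for the template, or {@code null} to omit it. */
        protected abstract SubjectPublicKeyInfo getPublicKey() throws Exception;

        /** Wraps the CRMF request into a request entry for the given id and profile. */
        protected abstract EnrollCertRequest.Entry buildEnrollCertRequestEntry(String str, String str2, CertRequest certRequest) throws Exception;

        /** Returns the CMP request type selected by the concrete command. */
        protected abstract EnrollCertRequest.EnrollType getCmpReqType() throws Exception;

        /**
         * Returns the CA name, resolving it from the profile on first use when {@code --ca} was
         * not given.
         *
         * @throws CmpClientException if the client cannot resolve a CA for the profile
         */
        protected String getCaName() throws CmpClientException {
            if (StringUtil.isBlank(this.caName)) {
                this.caName = this.client.getCaNameForProfile(this.profile);
            }
            return this.caName;
        }

        /**
         * Builds the certificate template from the options and submits one request entry
         * ("id-1") to the CA.
         *
         * @return the result returned by the CMP client
         * @throws IllegalCmdParamException if an extended key usage is neither a known name nor a
         *     valid OID
         * @throws Exception on invalid option values, file read errors or transport failures
         */
        protected EnrollCertResult enroll() throws Exception {
            EnrollCertRequest.EnrollType cmpReqType = getCmpReqType();
            resolveExtKeyUsages();

            CertTemplateBuilder template = new CertTemplateBuilder();
            template.setSubject(buildSubject());

            SubjectPublicKeyInfo publicKey = getPublicKey();
            if (publicKey != null) {
                template.setPublicKey(publicKey);
            }

            boolean hasNotBefore = StringUtil.isNotBlank(this.notBeforeS);
            boolean hasNotAfter = StringUtil.isNotBlank(this.notAfterS);
            if (hasNotBefore || hasNotAfter) {
                Time notBefore = hasNotBefore ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(this.notBeforeS)) : null;
                Time notAfter = hasNotAfter ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(this.notAfterS)) : null;
                template.setValidity(new OptionalValidity(notBefore, notAfter));
            }

            List<Extension> extensions = buildExtensions();
            if (!extensions.isEmpty()) {
                template.setExtensions(new Extensions(extensions.toArray(new Extension[0])));
            }

            CertRequest certRequest = new CertRequest(1, template.build(), (Controls) null);
            EnrollCertRequest.Entry entry = buildEnrollCertRequestEntry("id-1", this.profile, certRequest);
            EnrollCertRequest request = new EnrollCertRequest(cmpReqType);
            request.addRequestEntry(entry);

            ReqRespDebug debug = getReqRespDebug();
            try {
                return this.client.enrollCerts(getCaName(), request, debug);
            } finally {
                // Save the exchange exactly once, whether or not the call succeeded.
                saveRequestResponse(debug);
            }
        }

        /**
         * Replaces the {@code --ext-keyusage} values by their OID text.
         *
         * <p>Each value is looked up as a usage name first and parsed as an OID otherwise. The
         * resolved OID is kept; previously the list was replaced by an empty one, so the option
         * was silently ignored and the requested certificate lacked the extension.
         */
        private void resolveExtKeyUsages() throws IllegalCmdParamException {
            if (this.extkeyusages == null) {
                return;
            }
            List<String> oids = new ArrayList<>(this.extkeyusages.size());
            for (String usage : this.extkeyusages) {
                String oid = Completers.ExtKeyusageCompleter.getIdForUsageName(usage);
                if (oid == null) {
                    try {
                        oid = new ASN1ObjectIdentifier(usage).getId();
                    } catch (Exception e) {
                        throw new IllegalCmdParamException("invalid extended key usage " + usage);
                    }
                }
                oids.add(oid);
            }
            this.extkeyusages = oids;
        }

        /** Tells whether the name has no RDN of the given attribute type. */
        private static boolean lacksRdn(X500Name name, ASN1ObjectIdentifier type) {
            RDN[] rdns = name.getRDNs(type);
            return rdns == null || rdns.length == 0;
        }

        /**
         * Parses {@code --subject} and prepends dateOfBirth / postalAddress RDNs when the options
         * are set and the subject does not already carry them.
         */
        private X500Name buildSubject() throws Exception {
            X500Name subjectDn = new X500Name(this.subject);
            List<RDN> extraRdns = new LinkedList<>();

            if (StringUtil.isNotBlank(this.dateOfBirth) && lacksRdn(subjectDn, ObjectIdentifiers.DN.dateOfBirth)) {
                Date parsed = DateUtil.parseUtcTimeyyyyMMdd(this.dateOfBirth);
                Date shifted = new Date(parsed.getTime() + _12_HOURS_MS);
                String generalizedTime = DateUtil.toUtcTimeyyyyMMddhhmmss(shifted) + "Z";
                extraRdns.add(new RDN(ObjectIdentifiers.DN.dateOfBirth, new DERGeneralizedTime(generalizedTime)));
            }

            if (CollectionUtil.isNotEmpty(this.postalAddress) && lacksRdn(subjectDn, ObjectIdentifiers.DN.postalAddress)) {
                ASN1EncodableVector lines = new ASN1EncodableVector();
                for (String line : this.postalAddress) {
                    lines.add(new DERUTF8String(line));
                }
                if (lines.size() > 0) {
                    extraRdns.add(new RDN(ObjectIdentifiers.DN.postalAddress, new DERSequence(lines)));
                }
            }

            if (extraRdns.isEmpty()) {
                return subjectDn;
            }
            // The added RDNs come first, followed by the RDNs of the given subject.
            Collections.addAll(extraRdns, subjectDn.getRDNs());
            return new X500Name(extraRdns.toArray(new RDN[0]));
        }

        /**
         * Collects the extensions requested through the options, in the order
         * subjectAltName, subjectInfoAccess, keyUsage, extendedKeyUsage, qcStatements,
         * biometricInfo, extra extensions. Every extension is marked non-critical.
         */
        private List<Extension> buildExtensions() throws Exception {
            List<Extension> extensions = new LinkedList<>();
            if (isNotEmpty(this.subjectAltNames)) {
                extensions.add(X509Util.createExtnSubjectAltName(this.subjectAltNames, false));
            }
            if (isNotEmpty(this.subjectInfoAccesses)) {
                extensions.add(X509Util.createExtnSubjectInfoAccess(this.subjectInfoAccesses, false));
            }
            if (isNotEmpty(this.keyusages)) {
                HashSet<KeyUsage> usages = new HashSet<>();
                for (String name : this.keyusages) {
                    usages.add(KeyUsage.getKeyUsage(name));
                }
                extensions.add(new Extension(Extension.keyUsage, false, X509Util.createKeyUsage(usages).getEncoded()));
            }
            if (isNotEmpty(this.extkeyusages)) {
                List<ASN1ObjectIdentifier> oids = textToAsn1ObjectIdentifers(this.extkeyusages);
                extensions.add(new Extension(Extension.extendedKeyUsage, false, X509Util.createExtendedUsage(oids).getEncoded()));
            }
            if (isNotEmpty(this.qcEuLimits)) {
                ASN1EncodableVector statements = new ASN1EncodableVector();
                for (String limit : this.qcEuLimits) {
                    statements.add(parseQcEuLimit(limit));
                }
                extensions.add(new Extension(Extension.qCStatements, false, new DERSequence(statements).getEncoded()));
            }

            boolean allBiometric = this.biometricType != null && this.biometricHashAlgo != null && this.biometricFile != null;
            boolean anyBiometric = this.biometricType != null || this.biometricHashAlgo != null || this.biometricFile != null;
            if (allBiometric) {
                extensions.add(buildBiometricInfo());
            } else if (anyBiometric) {
                throw new Exception("either all of biometric triples (type, hash algo, file) must be set or none of them should be set");
            }

            if (this.extraExtensionsFile != null) {
                // The file is operator-supplied and deserialized by fastjson into the fixed target
                // type; treat its content as trusted configuration.
                // NOTE(review): confirm the fastjson version in use keeps autoType disabled.
                X509ExtensionType.ExtensionsType extraConf = (X509ExtensionType.ExtensionsType) JSON.parseObject(
                        IoUtil.read(this.extraExtensionsFile), X509ExtensionType.ExtensionsType.class, new Feature[0]);
                extraConf.validate();
                List<X509ExtensionType> extras = extraConf.getExtensions();
                if (CollectionUtil.isNotEmpty(extras)) {
                    for (X509ExtensionType extra : extras) {
                        ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(extra.getType().getOid());
                        byte[] value = extra.getConstant().toASN1Encodable().toASN1Primitive().getEncoded("DER");
                        extensions.add(new Extension(type, false, value));
                    }
                }
            }
            return extensions;
        }

        /**
         * Parses one {@code <currency>:<amount>:<exponent>} value into a QcLimitValue statement.
         * The currency is taken as a numeric code when it parses as an integer, otherwise as an
         * alphabetic code.
         *
         * @throws Exception if a token is missing or not valid; the cause is preserved
         */
        private static QCStatement parseQcEuLimit(String text) throws Exception {
            StringTokenizer tokens = new StringTokenizer(text, ":");
            try {
                String currencyText = tokens.nextToken();
                String amountText = tokens.nextToken();
                String exponentText = tokens.nextToken();
                Iso4217CurrencyCode currency;
                try {
                    currency = new Iso4217CurrencyCode(Integer.parseInt(currencyText));
                } catch (NumberFormatException notNumeric) {
                    currency = new Iso4217CurrencyCode(currencyText);
                }
                MonetaryValue value = new MonetaryValue(currency, Integer.parseInt(amountText), Integer.parseInt(exponentText));
                return new QCStatement(ObjectIdentifiers.Extn.id_etsi_qcs_QcLimitValue, value);
            } catch (Exception e) {
                throw new Exception("invalid qc-eu-limit '" + text + "'", e);
            }
        }

        /**
         * Builds the biometricInfo extension: the content of {@code --biometric-file} is hashed
         * with {@code --biometric-hash}; only the hash and the optional source URI are placed in
         * the request.
         */
        private Extension buildBiometricInfo() throws Exception {
            TypeOfBiometricData type = StringUtil.isNumber(this.biometricType)
                    ? new TypeOfBiometricData(Integer.parseInt(this.biometricType))
                    : new TypeOfBiometricData(new ASN1ObjectIdentifier(this.biometricType));
            HashAlgo hashAlgo = getHashAlgo(this.biometricHashAlgo);
            // The decompiler emitted an invalid byte[] -> byte[][] cast here; the call takes the
            // file content as the single element of a byte[][] argument.
            byte[] hash = hashAlgo.hash(new byte[][] {IoUtil.read(this.biometricFile)});
            DERIA5String sourceUri = this.biometricUri != null ? new DERIA5String(this.biometricUri) : null;
            BiometricData data = new BiometricData(type, hashAlgo.getAlgorithmIdentifier(), new DEROctetString(hash), sourceUri);
            ASN1EncodableVector vector = new ASN1EncodableVector();
            vector.add(data);
            return new Extension(Extension.biometricInfo, false, new DERSequence(vector).getEncoded());
        }

        /**
         * Converts OID texts to object identifiers, skipping empty strings and duplicates while
         * keeping the first-seen order.
         *
         * @param list OID texts, may be {@code null}
         * @return the identifiers, or {@code null} when {@code list} is {@code null}
         */
        static List<ASN1ObjectIdentifier> textToAsn1ObjectIdentifers(List<String> list) {
            if (list == null) {
                return null;
            }
            List<ASN1ObjectIdentifier> oids = new ArrayList<>(list.size());
            for (String text : list) {
                if (text.isEmpty()) {
                    continue;
                }
                ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(text);
                if (!oids.contains(oid)) {
                    oids.add(oid);
                }
            }
            return oids;
        }
    }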

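    /**
     * Base of the enrolment commands whose key pair is held by the client. The request carries
     * the signer's public key and a proof of possession (POPO) signature computed with the
     * signer's private key.
     */
    public static abstract class EnrollCertAction extends EnrollAction {

        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        @Option(name = "--cmpreq-type", description = "CMP request type (ir for Initialization Request,\ncr for Certification Request, and ccr for Cross-Certification Request)")
        @Completion(value = StringsCompleter.class, values = {"ir", "cr", "ccr"})
        private String cmpreqType = "cr";

        @Option(name = "--hash", description = "hash algorithm name for the POPO computation")
        protected String hashAlgo = "SHA256";

        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        private String outform = "der";

        @Option(name = "--rsa-pss", description = "whether to use the RSAPSS for the POPO computation\n(only applied to RSA key)")
        private Boolean rsaPss = Boolean.FALSE;

        @Option(name = "--dsa-plain", description = "whether to use the Plain DSA for the POPO computation\n(only applied to DSA and ECDSA key)")
        private Boolean dsaPlain = Boolean.FALSE;

        @Option(name = "--gm", description = "whether to use the chinese GM algorithm for the POPO computation\n(only applied to EC key with GM curves)")
        private Boolean gm = Boolean.FALSE;

        /** Bundles the {@code --rsa-pss}, {@code --dsa-plain} and {@code --gm} switches. */
        protected SignatureAlgoControl getSignatureAlgoControl() {
            return new SignatureAlgoControl(this.rsaPss.booleanValue(), this.dsaPlain.booleanValue(), this.gm.booleanValue());
        }

        /** Returns the signer that holds the private key used for the POPO signature. */
        protected abstract ConcurrentContentSigner getSigner() throws ObjectCreationException, CmpClientException;

        /** Returns the public key taken from the signer's certificate. */
        @Override
        protected SubjectPublicKeyInfo getPublicKey() throws Exception {
            return getSigner().getCertificate().getSubjectPublicKeyInfo();
        }

        /**
         * Signs the CRMF request to produce the proof of possession and wraps both into a request
         * entry.
         *
         * @param str request id
         * @param str2 certificate profile name
         * @param certRequest CRMF request to sign
         * @return entry carrying the request and its POPO signature
         * @throws Exception if the signer is unavailable or signing fails
         */
        @Override
        protected EnrollCertRequest.Entry buildEnrollCertRequestEntry(String str, String str2, CertRequest certRequest) throws Exception {
            ConcurrentContentSigner signer = getSigner();
            ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certRequest);
            ConcurrentBagEntrySigner borrowed = signer.borrowSigner();
            POPOSigningKey popo;
            try {
                popo = popoBuilder.build((ContentSigner) borrowed.value());
            } finally {
                // Return the borrowed signer exactly once, also when signing fails.
                signer.requiteSigner(borrowed);
            }
            return new EnrollCertRequest.Entry(str, str2, certRequest, new ProofOfPossession(popo));
        }

        /**
         * Enrols the certificate and writes it to {@code --out} in the format selected by
         * {@code --outform}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the response contains no certificate
         * @throws Exception on any transport or I/O failure
         */
        protected Object execute0() throws Exception {
            EnrollCertResult result = enroll();
            X509Cert cert = null;
            if (result != null) {
                // An empty id set is reported as "no certificate" instead of NoSuchElementException.
                Iterator<?> ids = result.getAllIds().iterator();
                if (ids.hasNext()) {
                    cert = result.getCertOrError((String) ids.next()).getCertificate();
                }
            }
            if (cert == null) {
                throw new CmdFailure("no certificate received from the server");
            }
            saveVerbose("saved certificate to file", this.outputFile, encodeCert(cert.getEncoded(), this.outform));
            return null;
        }

        /**
         * Maps {@code --cmpreq-type} (case-insensitive "cr", "ir" or "ccr") to the CMP request
         * type.
         *
         * @throws IllegalCmdParamException for any other value
         */
        @Override
        protected EnrollCertRequest.EnrollType getCmpReqType() throws Exception {
            if ("cr".equalsIgnoreCase(this.cmpreqType)) {
                return EnrollCertRequest.EnrollType.CERT_REQ;
            }
            if ("ir".equalsIgnoreCase(this.cmpreqType)) {
                return EnrollCertRequest.EnrollType.INIT_REQ;
            }
            if ("ccr".equalsIgnoreCase(this.cmpreqType)) {
                return EnrollCertRequest.EnrollType.CROSS_CERT_REQ;
            }
            throw new IllegalCmdParamException("invalid cmpreq-type " + this.cmpreqType);
        }
    }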
}
