package org.xipki.cmpclient.shell;

import java.io.File;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Date;
import java.util.Locale;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.xipki.cmpclient.CertIdOrError;
import org.xipki.cmpclient.shell.Actions;
import org.xipki.cmpclient.shell.CmpClientCompleters;
import org.xipki.security.CrlReason;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.util.Args;
import org.xipki.util.DateUtil;
import org.xipki.util.ReqRespDebug;

/* loaded from: input_file:org/xipki/cmpclient/shell/UnRevRemoveCertActions.class */
public class UnRevRemoveCertActions {

    /**
     * Shell command {@code xi:cmp-revoke}: asks the CA to revoke a single certificate that is
     * identified either by a certificate file ({@code --cert}) or by a serial number
     * ({@code --serial}).
     *
     * <p>Review notes:
     * <ul>
     *   <li>The reason is checked against {@link CrlReason#PERMITTED_CLIENT_CRLREASONS} before a
     *       request is built. This is a client-side check only; whether the CA enforces the same
     *       restriction is not visible from this class.</li>
     *   <li>The invalidity date is parsed but not range-checked here (a date in the future is
     *       passed through unchanged).</li>
     *   <li>A certificate given via {@code --cert} is parsed and handed to the client as is; this
     *       command does not call {@code checkCertificate}, so matching it to the CA is left to
     *       the client and/or the CA.</li>
     * </ul>
     */
    @Service
    @Command(scope = "xi", name = "cmp-revoke", description = "revoke certificate")
    /* loaded from: input_file:org/xipki/cmpclient/shell/UnRevRemoveCertActions$CmpRevoke.class */
    public static class CmpRevoke extends UnRevRemoveCertAction {

        // Revocation reason as typed by the operator; resolved through CrlReason.forNameOrText.
        @Option(name = "--reason", aliases = {"-r"}, required = true, description = "CRL reason")
        @Completion(Completers.ClientCrlReasonCompleter.class)
        private String reason;

        // Optional invalidity date in its textual form; blank means "not specified".
        @Option(name = "--inv-date", description = "invalidity date, UTC time of format yyyyMMddHHmmss")
        private String invalidityDateS;

        /**
         * Validates the options, sends the revocation request and reports the outcome.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if not exactly one of cert/serial is given, or the
         *         reason is not in the permitted set
         * @throws CmdFailure if the returned result carries an error
         * @throws Exception anything raised by parsing or by the client call
         */
        protected Object execute0() throws Exception {
            // Exactly one identifier is allowed: reject "both" as well as "neither".
            final boolean certMissing = this.certFile == null;
            final boolean serialMissing = getSerialNumber() == null;
            if (certMissing == serialMissing) {
                throw new IllegalCmdParamException("exactly one of cert and serial must be specified");
            }

            final CrlReason crlReason = CrlReason.forNameOrText(this.reason);
            final boolean permitted = CrlReason.PERMITTED_CLIENT_CRLREASONS.contains(crlReason);
            if (!permitted) {
                throw new IllegalCmdParamException("reason " + this.reason + " is not permitted");
            }

            final Date invalidityDate = isNotBlank(this.invalidityDateS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(this.invalidityDateS)
                    : null;

            final ReqRespDebug debug = getReqRespDebug();
            try {
                final CertIdOrError result;
                if (this.certFile == null) {
                    result = this.client.revokeCert(
                            this.caName, getSerialNumber(), crlReason.getCode(), invalidityDate, debug);
                } else {
                    result = this.client.revokeCert(
                            this.caName,
                            X509Util.parseCert(new File(this.certFile)),
                            crlReason.getCode(),
                            invalidityDate,
                            debug);
                }

                if (result.getError() != null) {
                    throw new CmdFailure("revocation failed: " + result.getError());
                }
                println("revoked certificate");
                return null;
            } finally {
                // Runs on success and on failure alike, so a failed exchange is handed over too.
                saveRequestResponse(debug);
            }
        }
    }

    /**
     * Shell command {@code xi:cmp-rm-cert}: asks the CA to remove a single certificate that is
     * identified either by a certificate file ({@code --cert}) or by a serial number
     * ({@code --serial}).
     *
     * <p>Review note: the request is sent as soon as the options validate; this class adds no
     * confirmation step, and a certificate given via {@code --cert} is not passed through
     * {@code checkCertificate} before the call.
     */
    @Service
    @Command(scope = "xi", name = "cmp-rm-cert", description = "remove certificate")
    /* loaded from: input_file:org/xipki/cmpclient/shell/UnRevRemoveCertActions$CmpRmCert.class */
    public static class CmpRmCert extends UnRevRemoveCertAction {

        /**
         * Validates the options, sends the removal request and reports the outcome.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if not exactly one of cert/serial is given
         * @throws CmdFailure if the returned result carries an error
         * @throws Exception anything raised by parsing or by the client call
         */
        protected Object execute0() throws Exception {
            // Exactly one identifier is allowed: reject "both" as well as "neither".
            final boolean certMissing = this.certFile == null;
            final boolean serialMissing = getSerialNumber() == null;
            if (certMissing == serialMissing) {
                throw new IllegalCmdParamException("exactly one of cert and serial must be specified");
            }

            final ReqRespDebug debug = getReqRespDebug();
            try {
                final CertIdOrError result;
                if (this.certFile == null) {
                    result = this.client.removeCert(this.caName, getSerialNumber(), debug);
                } else {
                    result = this.client.removeCert(
                            this.caName, X509Util.parseCert(new File(this.certFile)), debug);
                }

                if (result.getError() != null) {
                    throw new CmdFailure("removing certificate failed: " + result.getError());
                }
                println("removed certificate");
                return null;
            } finally {
                // Runs on success and on failure alike, so a failed exchange is handed over too.
                saveRequestResponse(debug);
            }
        }
    }

    /**
     * Shell command {@code xi:cmp-unrevoke}: asks the CA to release the revocation of a single
     * certificate that is identified either by a certificate file ({@code --cert}) or by a serial
     * number ({@code --serial}).
     *
     * <p>Review note: no check is made here on the reason the certificate was revoked with;
     * whether a given revocation may be released is decided outside this class. A certificate
     * given via {@code --cert} is not passed through {@code checkCertificate} before the call.
     */
    @Service
    @Command(scope = "xi", name = "cmp-unrevoke", description = "unrevoke certificate")
    /* loaded from: input_file:org/xipki/cmpclient/shell/UnRevRemoveCertActions$CmpUnrevoke.class */
    public static class CmpUnrevoke extends UnRevRemoveCertAction {

        /**
         * Validates the options, sends the unrevocation request and reports the outcome.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if not exactly one of cert/serial is given
         * @throws CmdFailure if the returned result carries an error
         * @throws Exception anything raised by parsing or by the client call
         */
        protected Object execute0() throws Exception {
            // Exactly one identifier is allowed: reject "both" as well as "neither".
            final boolean certMissing = this.certFile == null;
            final boolean serialMissing = getSerialNumber() == null;
            if (certMissing == serialMissing) {
                throw new IllegalCmdParamException("exactly one of cert and serial must be specified");
            }

            final ReqRespDebug debug = getReqRespDebug();
            try {
                final CertIdOrError result;
                if (this.certFile == null) {
                    result = this.client.unrevokeCert(this.caName, getSerialNumber(), debug);
                } else {
                    result = this.client.unrevokeCert(
                            this.caName, X509Util.parseCert(new File(this.certFile)), debug);
                }

                if (result.getError() != null) {
                    throw new CmdFailure("releasing revocation failed: " + result.getError());
                }
                println("unrevoked certificate");
                return null;
            } finally {
                // Runs on success and on failure alike, so a failed exchange is handed over too.
                saveRequestResponse(debug);
            }
        }
    }

    /* loaded from: input_file:org/xipki/cmpclient/shell/UnRevRemoveCertActions$UnRevRemoveCertAction.class */
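    /**
     * Shared options and helpers for the revoke, unrevoke and remove-certificate commands:
     * the CA name, and the target certificate given as a file or as a serial number.
     */
    public static abstract class UnRevRemoveCertAction extends Actions.ClientAction {

        @Option(name = "--ca", description = "CA name\n(required if more than one CA is configured)")
        @Completion(CmpClientCompleters.CaNameCompleter.class)
        protected String caName;

        @Option(name = "--cert", aliases = {"-c"}, description = "certificate file (either cert or serial must be specified)")
        @Completion(FileCompleter.class)
        protected String certFile;

        @Option(name = "--serial", aliases = {"-s"}, description = "serial number (either cert or serial must be specified)")
        private String serialNumberS;
        // Parsed form of serialNumberS, filled on first use by getSerialNumber().
        private BigInteger serialNumber;

        /**
         * Returns the serial number given via {@code --serial}, parsing it on first use and
         * caching the result.
         *
         * @return the parsed serial number, or {@code null} when the option is absent or blank
         */
        protected BigInteger getSerialNumber() {
            if (this.serialNumber == null && isNotBlank(this.serialNumberS)) {
                // Accepted textual formats are defined by the inherited toBigInt helper.
                this.serialNumber = toBigInt(this.serialNumberS);
            }
            return this.serialNumber;
        }

        /**
         * Checks that a certificate was issued by the given CA certificate.
         *
         * <p>Three checks are made, in this order: the certificate's issuer equals the CA's
         * subject; the authority key identifier equals the CA's subject key identifier (only
         * when both are present); and the certificate's signature verifies under the CA's public
         * key using the {@code "BC"} provider.
         *
         * <p>Scope: this is an issuer-binding check only. Validity period, revocation status and
         * the CA certificate's own constraints are not examined here, so a {@code null} result
         * must not be read as "the certificate is valid".
         *
         * <p>Side effect: a non-null {@code caName} field is replaced by its lower-case form.
         *
         * @param x509Cert the certificate to check
         * @param x509Cert2 the CA certificate it is checked against
         * @return {@code null} if all checks pass, otherwise a message describing the failure
         * @throws CertificateEncodingException declared by the signature; not thrown by the code
         *         visible in this method
         */
        protected String checkCertificate(X509Cert x509Cert, X509Cert x509Cert2) throws CertificateEncodingException {
            if (this.caName != null) {
                // Locale.ROOT keeps the folding independent of the JVM default locale (for
                // example the Turkish dotless i), so the same CA name is produced on every host.
                this.caName = this.caName.toLowerCase(Locale.ROOT);
            }
            // Presumably rejects null arguments; the labels name the two roles.
            Args.notNull(x509Cert, "cert");
            Args.notNull(x509Cert2, "caCert");
            if (!x509Cert.getIssuer().equals(x509Cert2.getSubject())) {
                return "the given certificate is not issued by the given issuer";
            }
            byte[] subjectKeyId = x509Cert2.getSubjectKeyId();
            byte[] authorityKeyId = x509Cert.getAuthorityKeyId();
            // A missing identifier on either side skips this comparison; the signature check
            // below still has to pass.
            if (subjectKeyId != null && authorityKeyId != null && !Arrays.equals(authorityKeyId, subjectKeyId)) {
                return "the given certificate is not issued by the given issuer";
            }
            try {
                x509Cert.verify(x509Cert2.getPublicKey(), "BC");
                return null;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
                return "could not verify the signature of given certificate by the issuer: " + e.getMessage();
            } catch (SignatureException e2) {
                // A bad signature is reported without the provider's detail text.
                return "could not verify the signature of given certificate by the issuer";
            }
        }
    }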
}
