package org.xipki.ocsp.qa.shell;

import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.xipki.common.qa.ValidationIssue;
import org.xipki.common.qa.ValidationResult;
import org.xipki.common.util.ParamUtil;
import org.xipki.console.karaf.CmdFailure;
import org.xipki.console.karaf.completer.HashAlgCompleter;
import org.xipki.console.karaf.completer.SigAlgCompleter;
import org.xipki.ocsp.client.shell.BaseOcspStatusCommandSupport;
import org.xipki.ocsp.qa.Occurrence;
import org.xipki.ocsp.qa.OcspCertStatus;
import org.xipki.ocsp.qa.OcspError;
import org.xipki.ocsp.qa.OcspQa;
import org.xipki.ocsp.qa.OcspResponseOption;
import org.xipki.ocsp.qa.shell.completer.CertStatusCompleter;
import org.xipki.ocsp.qa.shell.completer.OccurrenceCompleter;
import org.xipki.ocsp.qa.shell.completer.OcspErrorCompleter;
import org.xipki.security.IssuerHash;
import org.xipki.security.SecurityFactory;
import org.xipki.security.util.AlgorithmUtil;

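/**
 * Karaf shell command {@code xipki-qa:ocsp-status}: requests certificate status and compares
 * the OCSP response against expectations given on the command line.
 *
 * <p>Exactly one of {@code --exp-error} and {@code --exp-status} must be supplied. The
 * remaining {@code --exp-*} options tighten the check; the three occurrence options default
 * to {@code optional}, and {@code --exp-sig-alg} / {@code --exp-certhash-alg} default to unset.
 *
 * <p>NOTE(review): with the defaults, nothing in this class requires a nonce, a nextUpdate or
 * a particular signature algorithm. A QA run meant to confirm replay protection or to catch a
 * weak responder signature algorithm presumably has to pass those options explicitly - confirm
 * against {@code OcspQa}.
 */
@Service
@Command(scope = "xipki-qa", name = "ocsp-status", description = "request certificate status (QA)")
/* loaded from: input_file:org/xipki/ocsp/qa/shell/OcspQaStatusCmd.class */
public class OcspQaStatusCmd extends BaseOcspStatusCommandSupport {

    @Option(name = "--exp-error", description = "expected error")
    @Completion(OcspErrorCompleter.class)
    private String errorText;

    // One entry per requested serial number, in the same order as the serial numbers.
    @Option(name = "--exp-status", multiValued = true, description = "expected status\n(multi-valued)")
    @Completion(CertStatusCompleter.class)
    private List<String> statusTexts;

    // Left null when not given; it is then handed to OcspResponseOption as null.
    // NOTE(review): presumably null disables the signature-algorithm check - confirm in OcspQa.
    @Option(name = "--exp-sig-alg", description = "expected signature algorithm")
    @Completion(SigAlgCompleter.class)
    private String sigAlg;

    // The value is resolved with AlgorithmUtil.getHashAlg(), so this is the hash algorithm
    // expected for certHash, not its occurrence (that is --exp-certhash).
    @Option(name = "--exp-certhash-alg", description = "expected certhash algorithm")
    @Completion(HashAlgCompleter.class)
    private String certhashAlg;

    @Reference
    private SecurityFactory securityFactory;

    // Created on first use in processResponse().
    private OcspQa ocspQa;

    // Parsed forms of the options above, filled in by checkParameters().
    private OcspError expectedOcspError;
    private Map<BigInteger, OcspCertStatus> expectedStatuses;
    private Occurrence expectedNextUpdateOccurrence;
    private Occurrence expectedCerthashOccurrence;
    private Occurrence expectedNonceOccurrence;

    @Option(name = "--exp-nextupdate", description = "occurrence of nextUpdate")
    @Completion(OccurrenceCompleter.class)
    private String nextUpdateOccurrenceText = Occurrence.optional.name();

    @Option(name = "--exp-certhash", description = "occurrence of certHash")
    @Completion(OccurrenceCompleter.class)
    private String certhashOccurrenceText = Occurrence.optional.name();

    @Option(name = "--exp-nonce", description = "occurrence of nonce")
    @Completion(OccurrenceCompleter.class)
    private String nonceOccurrenceText = Occurrence.optional.name();

    /**
     * Validates the {@code --exp-*} options and converts them into the typed expectations
     * used by {@link #processResponse}.
     *
     * @param x509Certificate not used by this method
     * @param list serial numbers being queried; must not be empty
     * @param map not used by this method
     * @throws IllegalArgumentException if neither or both of {@code --exp-error} and
     *     {@code --exp-status} are set, or if the number of expected statuses differs from the
     *     number of serial numbers
     * @throws Exception whatever the {@code forName} lookups or {@code ParamUtil} raise for
     *     unknown or empty values
     */
    protected void checkParameters(X509Certificate x509Certificate, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception {
        ParamUtil.requireNonEmpty("serialNumbers", list);

        boolean errorExpected = isNotBlank(this.errorText);
        boolean statusExpected = isNotEmpty(this.statusTexts);
        if (!errorExpected && !statusExpected) {
            throw new IllegalArgumentException("neither expError nor expStatus is set, this is not permitted");
        }
        if (errorExpected && statusExpected) {
            throw new IllegalArgumentException("both expError and expStatus are set, this is not permitted");
        }

        // Assign both fields on every call so that an expectation from an earlier call on
        // the same instance can never be carried into this check.
        this.expectedOcspError = errorExpected ? OcspError.forName(this.errorText) : null;
        this.expectedStatuses = null;

        if (statusExpected) {
            int size = list.size();
            if (this.statusTexts.size() != size) {
                throw new IllegalArgumentException("number of expStatus is invalid: " + this.statusTexts.size() + ", it should be " + size);
            }
            // Expected statuses are matched to serial numbers by position.
            Map<BigInteger, OcspCertStatus> statuses = new HashMap<>();
            for (int i = 0; i < size; i++) {
                statuses.put(list.get(i), OcspCertStatus.forName(this.statusTexts.get(i)));
            }
            this.expectedStatuses = statuses;
        }

        this.expectedCerthashOccurrence = Occurrence.forName(this.certhashOccurrenceText);
        this.expectedNextUpdateOccurrence = Occurrence.forName(this.nextUpdateOccurrenceText);
        this.expectedNonceOccurrence = Occurrence.forName(this.nonceOccurrenceText);
    }

    /**
     * Checks the OCSP response against the expectations prepared by {@link #checkParameters}
     * and prints a one-line verdict, followed by every validation issue in verbose mode.
     *
     * @param oCSPResp response to check
     * @param x509Certificate certificate registered as the expected response issuer
     * @param issuerHash passed through to {@code OcspQa.checkOcsp}
     * @param list serial numbers that were queried
     * @param map passed through to {@code OcspQa.checkOcsp}
     * @return always {@code null}; a failed check is reported by exception
     * @throws CmdFailure if at least one validation issue failed
     * @throws Exception whatever the algorithm lookup or the checker raises
     */
    protected Object processResponse(OCSPResp oCSPResp, X509Certificate x509Certificate, IssuerHash issuerHash, List<BigInteger> list, Map<BigInteger, byte[]> map) throws Exception {
        OcspResponseOption ocspResponseOption = new OcspResponseOption();
        ocspResponseOption.setNextUpdateOccurrence(this.expectedNextUpdateOccurrence);
        ocspResponseOption.setCerthashOccurrence(this.expectedCerthashOccurrence);
        ocspResponseOption.setNonceOccurrence(this.expectedNonceOccurrence);
        ocspResponseOption.setRespIssuer(x509Certificate);
        ocspResponseOption.setSignatureAlgName(this.sigAlg);
        if (isNotBlank(this.certhashAlg)) {
            ocspResponseOption.setCerthashAlgId(AlgorithmUtil.getHashAlg(this.certhashAlg));
        }

        if (this.ocspQa == null) {
            this.ocspQa = new OcspQa(this.securityFactory);
        }
        ValidationResult checkOcsp = this.ocspQa.checkOcsp(oCSPResp, issuerHash, list, map, this.expectedOcspError, this.expectedStatuses, ocspResponseOption);
        boolean allSuccessful = checkOcsp.isAllSuccessful();

        StringBuilder sb = new StringBuilder(50);
        sb.append("OCSP response is ").append(allSuccessful ? "valid" : "invalid");
        // Null-safe: an unset verbose flag is treated as "not verbose" instead of raising an
        // exception before the verdict is printed.
        if (Boolean.TRUE.equals(this.verbose)) {
            for (ValidationIssue validationIssue : checkOcsp.validationIssues()) {
                sb.append("\n");
                format(validationIssue, "    ", sb);
            }
        }
        println(sb.toString());

        if (!allSuccessful) {
            // Fail the command so that a scripted QA run stops on an invalid response.
            throw new CmdFailure("OCSP response is invalid");
        }
        return null;
    }

    /**
     * Appends one validation issue as {@code <prefix><code>, <description>, failed|successful}
     * plus the failure message when there is one.
     */
    private static void format(ValidationIssue validationIssue, String str, StringBuilder sb) {
        sb.append(str)
            .append(validationIssue.code())
            .append(", ").append(validationIssue.description())
            .append(", ").append(validationIssue.isFailed() ? "failed" : "successful");
        String failureMessage = validationIssue.failureMessage();
        if (failureMessage != null) {
            sb.append(", ").append(failureMessage);
        }
    }
}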
