package net.maritimeconnectivity.pki;

import java.io.Console;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import java.util.OptionalInt;
import net.maritimeconnectivity.pki.pkcs11.P11PKIConfiguration;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/maritimeconnectivity/pki/Main.class */
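/**
 * Command line front end ("mcp-pki") for the PKI library.
 *
 * <p>Exactly one operation is run per invocation, selected in this order: initialise a root CA,
 * generate the root CRL, create a sub CA, verify a certificate, print a certificate. The first
 * three have a keystore-file variant and a PKCS#11 (HSM) variant chosen by the {@code pkcs11}
 * flag. When no operation is selected the usage text is printed.
 *
 * <p>Security note: keystore, truststore and key passwords, and optionally the HSM PINs, are taken
 * from command-line arguments. Arguments are commonly visible to other local users through process
 * listings and are often retained in shell history, so run CA operations from a dedicated,
 * access-controlled account and prefer the interactive PIN prompt where this class offers one
 * (sub CA creation with PKCS#11).
 */
public class Main {
    private static final Logger log = LoggerFactory.getLogger(Main.class);
    private static final String HELP = "help";
    private static final String INIT = "init";
    private static final String TRUSTSTORE = "truststore-path";
    private static final String TRUSTSTORE_PASSWORD = "truststore-password";
    private static final String ROOT_KEYSTORE = "root-keystore-path";
    private static final String ROOT_KEYSTORE_PASSWORD = "root-keystore-password";
    private static final String ROOT_KEY_PASSWORD = "root-key-password";
    private static final String CRL_ENDPOINT = "crl-endpoint";
    private static final String X500_NAME = "x500-name";
    private static final String GENERATE_ROOT_CRL = "generate-root-crl";
    private static final String ROOT_CRL_PATH = "root-crl-path";
    private static final String REVOKED_SUBCA_FILE = "revoked-subca-file";
    private static final String CREATE_SUBCA = "create-subca";
    private static final String SUBCA_KEYSTORE = "subca-keystore";
    private static final String SUBCA_KEYSTORE_PASSWORD = "subca-keystore-password";
    private static final String SUBCA_KEY_PASSWORD = "subca-key-password";
    private static final String VERIFY_CERTIFICATE = "verify-certificate";
    private static final String PRINT_OUT_CERTIFICATE = "print-certificate";
    private static final String ROOT_CA_ALIAS = "root-ca-alias";
    private static final String NO_ROOT_CA_ALIAS_REQUIRED = "";
    private static final String VALIDITY_PERIOD = "validity-period";
    private static final String PKCS11 = "pkcs11";
    private static final String PKCS11_CONFIG = "pkcs11-conf";
    private static final String PKCS11_PIN = "pkcs11-pin";
    private static final String PKCS11_ROOT_CONFIG = "pkcs11-root-conf";
    private static final String PKCS11_ROOT_PIN = "pkcs11-root-pin";
    private static final String PKCS11_SUB_CONFIG = "pkcs11-sub-conf";
    private static final String PKCS11_SUB_PIN = "pkcs11-sub-pin";

    // Required parameters per operation. Each list is used both for the help text and for the
    // runtime check, so the two cannot drift apart.
    private static final String[] INIT_REQUIRED = {
        TRUSTSTORE, TRUSTSTORE_PASSWORD, ROOT_KEYSTORE, ROOT_KEYSTORE_PASSWORD, ROOT_KEY_PASSWORD,
        X500_NAME, CRL_ENDPOINT, ROOT_CA_ALIAS, VALIDITY_PERIOD
    };
    private static final String[] INIT_PKCS11_REQUIRED = {
        TRUSTSTORE, TRUSTSTORE_PASSWORD, X500_NAME, CRL_ENDPOINT, ROOT_CA_ALIAS, PKCS11_CONFIG,
        VALIDITY_PERIOD
    };
    private static final String[] ROOT_CRL_REQUIRED = {
        ROOT_KEYSTORE, ROOT_KEYSTORE_PASSWORD, ROOT_KEY_PASSWORD, ROOT_CRL_PATH, REVOKED_SUBCA_FILE,
        ROOT_CA_ALIAS
    };
    private static final String[] ROOT_CRL_PKCS11_REQUIRED = {
        ROOT_CRL_PATH, REVOKED_SUBCA_FILE, ROOT_CA_ALIAS, PKCS11_CONFIG
    };
    private static final String[] SUBCA_REQUIRED = {
        ROOT_KEYSTORE, ROOT_KEYSTORE_PASSWORD, ROOT_KEY_PASSWORD, TRUSTSTORE, TRUSTSTORE_PASSWORD,
        SUBCA_KEYSTORE, SUBCA_KEYSTORE_PASSWORD, SUBCA_KEY_PASSWORD, X500_NAME, ROOT_CA_ALIAS,
        VALIDITY_PERIOD
    };
    private static final String[] SUBCA_PKCS11_REQUIRED = {
        TRUSTSTORE, TRUSTSTORE_PASSWORD, X500_NAME, ROOT_CA_ALIAS, PKCS11_ROOT_CONFIG,
        PKCS11_SUB_CONFIG, VALIDITY_PERIOD
    };
    private static final String[] VERIFY_REQUIRED = {TRUSTSTORE, TRUSTSTORE_PASSWORD};

    /**
     * Builds the set of command-line options understood by the tool.
     *
     * @return the option definitions used for parsing and for the usage text
     */
    private Options setupOptions() {
        Options options = new Options();
        options.addOption("h", HELP, false, "Show this help message");
        options.addOption("i", INIT, false, "Initialize PKI - creates root CA. Requires the parameters: " + String.join(", ", INIT_REQUIRED));
        options.addOption("t", TRUSTSTORE, true, "Output truststore path.");
        options.addOption("tp", TRUSTSTORE_PASSWORD, true, "Truststore password");
        options.addOption("rk", ROOT_KEYSTORE, true, "Output keystore path.");
        options.addOption("rkp", ROOT_KEYSTORE_PASSWORD, true, "Keystore password.");
        options.addOption("kp", ROOT_KEY_PASSWORD, true, "Key password.");
        // The description was a copy of the key-password text; this option carries the X.500 name.
        options.addOption("xn", X500_NAME, true, "X.500 name of the CA certificate.");
        options.addOption("crl", CRL_ENDPOINT, true, "CRL endpoint");
        options.addOption("rt", ROOT_CA_ALIAS, true, "Root CA alias");
        options.addOption("vp", VALIDITY_PERIOD, true, "Validity period in year");
        options.addOption("grc", GENERATE_ROOT_CRL, false, "Generate CRL for root CA. Requires the parameters: " + String.join(", ", ROOT_CRL_REQUIRED));
        options.addOption("rcp", ROOT_CRL_PATH, true, "Root CRL path output path");
        options.addOption("rsf", REVOKED_SUBCA_FILE, true, "CSV file containing a semi-colon separated list (serialnumber;reason;date) of revoked sub-CAs.");
        options.addOption("csca", CREATE_SUBCA, false, "Create sub CA. Requires the parameters: " + String.join(", ", SUBCA_REQUIRED));
        options.addOption("sk", SUBCA_KEYSTORE, true, "Sub CA keystore path.");
        options.addOption("skp", SUBCA_KEYSTORE_PASSWORD, true, "Sub CA keystore password.");
        options.addOption("sp", SUBCA_KEY_PASSWORD, true, "Sub CA key password.");
        options.addOption("vc", VERIFY_CERTIFICATE, true, "Verify a certificate. Requires a path to a certificate in PEM format and the parameters: " + String.join(", ", VERIFY_REQUIRED));
        options.addOption("pc", PRINT_OUT_CERTIFICATE, true, "Print out a certificate in human readable text");
        options.addOption("p11", PKCS11, false, "Use PKCS#11 to interact with an HSM.");
        options.addOption("p11c", PKCS11_CONFIG, true, "Path to a PKCS#11 config file.");
        options.addOption("pin", PKCS11_PIN, true, "PIN for HSM slot. If not given when using a HSM, it will be requested on runtime.");
        options.addOption("p11r", PKCS11_ROOT_CONFIG, true, "Path to a PKCS#11 config file for root CA.");
        options.addOption("pinr", PKCS11_ROOT_PIN, true, "PIN for root CA HSM slot. If not given when using a HSM, it will be requested on runtime.");
        options.addOption("p11s", PKCS11_SUB_CONFIG, true, "Path to a PKCS#11 config for intermediate CA.");
        options.addOption("pins", PKCS11_SUB_PIN, true, "PIN for intermediate CA HSM slot. If not given when using a HSM, it will be requested on runtime.");
        return options;
    }

    /**
     * Checks that every required option is present and logs the full requirement list otherwise.
     *
     * @param commandLine the parsed command line
     * @param errorPrefix text placed before the comma-separated parameter list in the error
     * @param required the option names that must all be present
     * @return {@code true} when all required options were given
     */
    private static boolean hasRequiredOptions(CommandLine commandLine, String errorPrefix, String... required) {
        for (String option : required) {
            if (!commandLine.hasOption(option)) {
                log.error(errorPrefix + String.join(", ", required));
                return false;
            }
        }
        return true;
    }

    /**
     * Parses the validity period option as an integer.
     *
     * <p>Only the number format is checked here; the accepted range is left to {@code CAHandler}.
     *
     * @param commandLine the parsed command line
     * @return the validity period, or empty (after logging an error) when it is not an integer
     */
    private static OptionalInt parseValidityPeriod(CommandLine commandLine) {
        String raw = commandLine.getOptionValue(VALIDITY_PERIOD);
        try {
            return OptionalInt.of(Integer.parseInt(raw));
        } catch (NumberFormatException e) {
            log.error("The parameter " + VALIDITY_PERIOD + " must be an integer, got: " + raw);
            return OptionalInt.empty();
        }
    }

    /**
     * Obtains an HSM slot PIN from the command line or, failing that, from an interactive prompt.
     *
     * @param commandLine the parsed command line
     * @param pinOption name of the option that may carry the PIN
     * @param console the system console, or {@code null} when the process has none
     * @param prompt text shown when the PIN has to be typed in
     * @return the PIN, or {@code null} (after logging an error) when none could be obtained
     */
    private static char[] readPin(CommandLine commandLine, String pinOption, Console console, String prompt) {
        if (commandLine.hasOption(pinOption)) {
            return commandLine.getOptionValue(pinOption).toCharArray();
        }
        if (console == null) {
            // System.console() is null when stdin/stdout are redirected (cron, CI, pipes).
            log.error("No interactive console is available to prompt for the PIN and the parameter " + pinOption + " was not given.");
            return null;
        }
        // readPassword disables echo; the prompt goes to the console rather than to the log.
        char[] pin = console.readPassword("%s", prompt);
        if (pin == null) {
            log.error("No PIN was entered for the parameter " + pinOption + ".");
        }
        return pin;
    }

    /**
     * Creates a root CA backed by keystore files.
     *
     * @param commandLine the parsed command line
     */
    private void initCA(CommandLine commandLine) {
        if (!hasRequiredOptions(commandLine, "The init requires the parameters: ", INIT_REQUIRED)) {
            return;
        }
        // Validate the number before any keystore object is created.
        OptionalInt validityPeriod = parseValidityPeriod(commandLine);
        if (!validityPeriod.isPresent()) {
            return;
        }
        PKIConfiguration pkiConfiguration = new PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS));
        pkiConfiguration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        pkiConfiguration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        pkiConfiguration.setRootCaKeystorePath(commandLine.getOptionValue(ROOT_KEYSTORE));
        pkiConfiguration.setRootCaKeystorePassword(commandLine.getOptionValue(ROOT_KEYSTORE_PASSWORD));
        pkiConfiguration.setRootCaKeyPassword(commandLine.getOptionValue(ROOT_KEY_PASSWORD));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(pkiConfiguration)), pkiConfiguration);
        caHandler.initRootCA(commandLine.getOptionValue(X500_NAME), commandLine.getOptionValue(CRL_ENDPOINT), commandLine.getOptionValue(ROOT_CA_ALIAS), validityPeriod.getAsInt());
    }

    /**
     * Creates a root CA whose key lives in an HSM reached through PKCS#11.
     *
     * @param commandLine the parsed command line
     */
    private void initCAPKCS11(CommandLine commandLine) {
        if (!hasRequiredOptions(commandLine, "The init with PKCS#11 requires the parameters: ", INIT_PKCS11_REQUIRED)) {
            return;
        }
        OptionalInt validityPeriod = parseValidityPeriod(commandLine);
        if (!validityPeriod.isPresent()) {
            return;
        }
        // NOTE(review): the PIN is null when pkcs11-pin is absent; the option help says it is then
        // requested at runtime, presumably inside P11PKIConfiguration - confirm.
        P11PKIConfiguration p11Configuration = new P11PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS), commandLine.getOptionValue(PKCS11_CONFIG), commandLine.getOptionValue(PKCS11_PIN));
        p11Configuration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        p11Configuration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(p11Configuration)), p11Configuration);
        caHandler.initRootCAPKCS11(commandLine.getOptionValue(X500_NAME), commandLine.getOptionValue(CRL_ENDPOINT), commandLine.getOptionValue(ROOT_CA_ALIAS), validityPeriod.getAsInt());
    }

    /**
     * Generates the root CA's CRL from the revoked sub CA file, using keystore files.
     *
     * @param commandLine the parsed command line
     */
    private void genRootCRL(CommandLine commandLine) {
        if (!hasRequiredOptions(commandLine, "Generating the root CRL requires the parameters: ", ROOT_CRL_REQUIRED)) {
            return;
        }
        PKIConfiguration pkiConfiguration = new PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS));
        pkiConfiguration.setRootCaKeystorePath(commandLine.getOptionValue(ROOT_KEYSTORE));
        pkiConfiguration.setRootCaKeystorePassword(commandLine.getOptionValue(ROOT_KEYSTORE_PASSWORD));
        pkiConfiguration.setRootCaKeyPassword(commandLine.getOptionValue(ROOT_KEY_PASSWORD));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(pkiConfiguration)), pkiConfiguration);
        caHandler.generateRootCRL(commandLine.getOptionValue(ROOT_CRL_PATH), commandLine.getOptionValue(REVOKED_SUBCA_FILE), commandLine.getOptionValue(ROOT_CA_ALIAS));
    }

    /**
     * Generates the root CA's CRL with the signing key held in an HSM reached through PKCS#11.
     *
     * @param commandLine the parsed command line
     */
    private void genRootCRLPKCS11(CommandLine commandLine) {
        // The message previously said "root CA"; this operation produces the root CRL.
        if (!hasRequiredOptions(commandLine, "Generating the root CRL with PKCS#11 requires the parameters: ", ROOT_CRL_PKCS11_REQUIRED)) {
            return;
        }
        P11PKIConfiguration p11Configuration = new P11PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS), commandLine.getOptionValue(PKCS11_CONFIG), commandLine.getOptionValue(PKCS11_PIN));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(p11Configuration)), p11Configuration);
        caHandler.generateRootCRLP11(commandLine.getOptionValue(ROOT_CRL_PATH), commandLine.getOptionValue(REVOKED_SUBCA_FILE), commandLine.getOptionValue(ROOT_CA_ALIAS));
    }

    /**
     * Creates a sub CA signed by the root CA, both backed by keystore files.
     *
     * @param commandLine the parsed command line
     */
    private void createSubCA(CommandLine commandLine) {
        if (!hasRequiredOptions(commandLine, "Creating a sub CA requires the parameters: ", SUBCA_REQUIRED)) {
            return;
        }
        OptionalInt validityPeriod = parseValidityPeriod(commandLine);
        if (!validityPeriod.isPresent()) {
            return;
        }
        PKIConfiguration pkiConfiguration = new PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS));
        pkiConfiguration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        pkiConfiguration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        pkiConfiguration.setRootCaKeystorePath(commandLine.getOptionValue(ROOT_KEYSTORE));
        pkiConfiguration.setRootCaKeystorePassword(commandLine.getOptionValue(ROOT_KEYSTORE_PASSWORD));
        pkiConfiguration.setRootCaKeyPassword(commandLine.getOptionValue(ROOT_KEY_PASSWORD));
        pkiConfiguration.setSubCaKeystorePath(commandLine.getOptionValue(SUBCA_KEYSTORE));
        pkiConfiguration.setSubCaKeystorePassword(commandLine.getOptionValue(SUBCA_KEYSTORE_PASSWORD));
        pkiConfiguration.setSubCaKeyPassword(commandLine.getOptionValue(SUBCA_KEY_PASSWORD));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(pkiConfiguration)), pkiConfiguration);
        caHandler.createSubCa(commandLine.getOptionValue(X500_NAME), commandLine.getOptionValue(ROOT_CA_ALIAS), validityPeriod.getAsInt());
    }

    /**
     * Creates a sub CA with both the root and the sub CA keys held in HSM slots (PKCS#11).
     *
     * <p>Each PIN is taken from its option when given and is otherwise read from the console
     * without echo. The operation is abandoned when a PIN cannot be obtained.
     *
     * @param commandLine the parsed command line
     */
    private void createSubCAPKCS11(CommandLine commandLine) {
        // The original logged the missing parameters but carried on; stop here instead of
        // failing later on a null option value.
        if (!hasRequiredOptions(commandLine, "Creating a sub CA requires the parameters: ", SUBCA_PKCS11_REQUIRED)) {
            return;
        }
        OptionalInt validityPeriod = parseValidityPeriod(commandLine);
        if (!validityPeriod.isPresent()) {
            return;
        }
        Console console = System.console();
        char[] rootPin = readPin(commandLine, PKCS11_ROOT_PIN, console, "Please input root CA HSM slot PIN: ");
        if (rootPin == null) {
            return;
        }
        char[] subPin = readPin(commandLine, PKCS11_SUB_PIN, console, "Please input sub CA HSM slot PIN: ");
        if (subPin == null) {
            return;
        }
        if (console != null) {
            console.flush();
        }
        // NOTE(review): the PIN arrays are handed to P11PKIConfiguration and not wiped here,
        // because it is not visible whether the configuration copies them - confirm and zero
        // them once the HSM session no longer needs them.
        P11PKIConfiguration rootConfiguration = new P11PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS), commandLine.getOptionValue(PKCS11_ROOT_CONFIG), rootPin);
        rootConfiguration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        rootConfiguration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        P11PKIConfiguration subConfiguration = new P11PKIConfiguration(commandLine.getOptionValue(ROOT_CA_ALIAS), commandLine.getOptionValue(PKCS11_SUB_CONFIG), subPin);
        subConfiguration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        subConfiguration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(rootConfiguration)), rootConfiguration);
        caHandler.createSubCAPKCS11(commandLine.getOptionValue(X500_NAME), commandLine.getOptionValue(ROOT_CA_ALIAS), subConfiguration, validityPeriod.getAsInt());
    }

    /**
     * Verifies the certificate chain of a PEM certificate against the configured truststore and
     * logs the outcome, followed by the certificate's identity when the chain is valid.
     *
     * @param commandLine the parsed command line; the certificate path is the value of the
     *     {@code verify-certificate} option
     */
    public void verifyCertificate(CommandLine commandLine) {
        if (!hasRequiredOptions(commandLine, "Verifying a certificate requires the parameters: ", VERIFY_REQUIRED)) {
            return;
        }
        PKIConfiguration pkiConfiguration = new PKIConfiguration(NO_ROOT_CA_ALIAS_REQUIRED);
        pkiConfiguration.setTruststorePath(commandLine.getOptionValue(TRUSTSTORE));
        pkiConfiguration.setTruststorePassword(commandLine.getOptionValue(TRUSTSTORE_PASSWORD));
        String certificatePath = commandLine.getOptionValue(VERIFY_CERTIFICATE);

        X509Certificate certificate;
        try {
            certificate = getCertificate(certificatePath);
        } catch (IOException e) {
            log.error("Could not load certificate from " + certificatePath);
            return;
        }
        if (certificate == null) {
            log.error("Could not load certificate, is it in valid PEM format?");
            return;
        }
        try {
            CertificateHandler.verifyCertificateChain(certificate, new KeystoreHandler(pkiConfiguration).getTrustStore());
            log.info("Certificate is valid!");
            log.info(CertificateHandler.getIdentityFromCert(certificate).toString());
        } catch (Exception e) {
            // Any failure while checking the chain is reported as "not valid" rather than
            // propagated, so a verification error can never be mistaken for success.
            log.error("Certificate is not valid!\n" + e);
        }
    }

    /**
     * Reads a PEM file and converts it to a certificate.
     *
     * @param str path of the PEM file
     * @return the parsed certificate; may be {@code null} when the content is not valid PEM
     *     (callers in this class check for that)
     * @throws IOException if the file cannot be read
     */
    public X509Certificate getCertificate(String str) throws IOException {
        // PEM is ASCII text; decode with a fixed charset instead of the platform default.
        String pem = new String(Files.readAllBytes(Paths.get(str)), StandardCharsets.UTF_8);
        return CertificateHandler.getCertFromPem(pem);
    }

    /**
     * Parses the arguments and runs the first selected operation.
     *
     * @param strArr the raw command-line arguments
     */
    public static void main(String[] strArr) {
        Main main = new Main();
        Options options = main.setupOptions();
        CommandLine parsed;
        try {
            parsed = new DefaultParser().parse(options, strArr);
        } catch (ParseException e) {
            log.error("Parsing failed. Reason: " + e.getMessage());
            return;
        }

        boolean usePkcs11 = parsed.hasOption(PKCS11);
        if (parsed.hasOption(INIT)) {
            if (usePkcs11) {
                main.initCAPKCS11(parsed);
            } else {
                main.initCA(parsed);
            }
        } else if (parsed.hasOption(GENERATE_ROOT_CRL)) {
            if (usePkcs11) {
                main.genRootCRLPKCS11(parsed);
            } else {
                main.genRootCRL(parsed);
            }
        } else if (parsed.hasOption(CREATE_SUBCA)) {
            if (usePkcs11) {
                main.createSubCAPKCS11(parsed);
            } else {
                main.createSubCA(parsed);
            }
        } else if (parsed.hasOption(VERIFY_CERTIFICATE)) {
            main.verifyCertificate(parsed);
        } else if (parsed.hasOption(PRINT_OUT_CERTIFICATE)) {
            try {
                X509Certificate certificate = main.getCertificate(parsed.getOptionValue(PRINT_OUT_CERTIFICATE));
                if (certificate == null) {
                    // Same outcome verifyCertificate reports for unparsable PEM input.
                    log.error("Could not load certificate, is it in valid PEM format?");
                    return;
                }
                log.info(CertificateHandler.getIdentityFromCert(certificate).toString());
            } catch (IOException e) {
                log.error("Parsing of certificate failed. Reason: " + e.getMessage());
            }
        } else {
            new HelpFormatter().printHelp("mcp-pki", options);
        }
    }
}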
