#compdef sigillum

# AUTOMATICALLY GENERATED by `shtab`


_shtab_sigillum_commands() {
  local _commands=(
    "config:"
    "decrypt:Decrypt a .enc (symmetric) or .p7e (CMS EnvelopedData) file."
    "detect:"
    "encrypt:Encrypt the input file. Default\: symmetric AES-256 with password."
    "extract:Extract the original document carried inside a CAdES enveloping signature. Fails on detached signatures."
    "gui:"
    "sign:Sign the input file. The format is derived from the extension."
    "timestamp:Timestamp any file via RFC 3161."
    "tsl-import:"
    "tsl-list:"
    "verify:Verify a .pdf, .p7m, .xml, .tsr or .tsd file."
  )
  _describe 'sigillum commands' _commands
}

_shtab_sigillum_config_commands() {
  local _commands=(
    "set:"
    "show:"
  )
  _describe 'sigillum config commands' _commands
}

_shtab_sigillum_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "(- : *)"{-V,--version}"[show program\'s version number and exit]"
)

_shtab_sigillum_config_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
)

_shtab_sigillum_config_set_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "--cert[use this PKCS\#12 file as the device]:cert:"
  "--lib[path to the token\'s PKCS\#11 module]:lib:"
  "--cert-id[composite id of the certificate on the token]:cert_id:"
  "--tsa[TSA URL]:tsa:"
  "--tsa-user[TSA username]:tsa_user:"
  "--tsa-password[TSA password]:tsa_password:"
  "--image[logo for the visible signature]:image:"
  "--position[corner preset for the visible signature]:position:(bottom-right bottom-left top-right top-left)"
  "--country[primary eIDAS country (e.g. IT, DE). Empty string clears it (fall back to \$LANG).]:country:"
  "--active-countries[comma-separated list of country codes to include in the verification trust store. Empty string falls back to the primary country.]:active_countries:"
  "*--add-driver[add a directory (recursively scanned), glob, or file to the PKCS\#11 autodetect search list. Tried before the built-in paths. Repeatable.]:add_driver:"
  "*--remove-driver[remove a previously added entry. Repeatable.]:remove_driver:"
)

_shtab_sigillum_config_show_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "--json[JSON output]"
)

_shtab_sigillum_decrypt_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  {-o,--output}"[output plaintext file]:output:"
  "--cert[PKCS\#12 (.p12\/.pfx) or PEM file to use]:cert:"
  "--lib[path to the token\'s PKCS\#11 (.so) module]:lib:"
  "--cert-id[composite id of the certificate on the token (see \`sigillum detect\`)]:cert_id:"
  ":encrypted file:"
)

_shtab_sigillum_detect_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "--json[JSON output]"
)

_shtab_sigillum_encrypt_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  {-o,--output}"[output encrypted file]:output:"
  "--mode[symmetric (password) or asymmetric (certificate)]:mode:(sym asym)"
  "--algo[symmetric algorithm (default\: AES-256)]:algo:(AES-256 AES-128 3DES Blowfish)"
  "--recipient[recipient certificate (.p12\/.pem file)\; if omitted, encrypts to the configured cert]:recipient:"
  "--cert[PKCS\#12 (.p12\/.pfx) or PEM file to use]:cert:"
  "--lib[path to the token\'s PKCS\#11 (.so) module]:lib:"
  "--cert-id[composite id of the certificate on the token (see \`sigillum detect\`)]:cert_id:"
  ":plaintext file:"
)

_shtab_sigillum_extract_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  {-o,--output}"[output file (default\: strip the .p7m suffix)]:output:"
  "--shallow[extract only one CMS layer instead of recursing into nested .p7m wrappers]"
  ":.p7m file to extract:"
)

_shtab_sigillum_gui_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "(-)*:arguments passed to GtkApplication:"
)

_shtab_sigillum_sign_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  {-o,--output}"[output file (default\: derived from input)]:output:"
  "--level[signature level (default\: B)]:level:(B T LT)"
  "--visible[PAdES\: add a graphical appearance]"
  "--page[page for the visible signature (0\=first, -1\=last)]:page:"
  "--position[corner preset for the visible signature]:position:(bottom-right bottom-left top-right top-left)"
  "--box[explicit rectangle in PDF points\: x1,y1,x2,y2]:box:"
  "--image[PNG\/JPG logo for the visible signature]:image:"
  "--reason[reason for the signature (PAdES)]:reason:"
  "--location[location of the signing (PAdES)]:location:"
  "--contact[signer\'s contact (PAdES)]:contact:"
  "--cert[PKCS\#12 (.p12\/.pfx) or PEM file to use]:cert:"
  "--lib[path to the token\'s PKCS\#11 (.so) module]:lib:"
  "--cert-id[composite id of the certificate on the token (see \`sigillum detect\`)]:cert_id:"
  "--tsa[TSA URL (overrides settings)]:tsa:"
  "--tsa-user[HTTP Basic username for the TSA]:tsa_user:"
  "--tsa-password[HTTP Basic password for the TSA (alt\: \$SIGILLUM_TSA_PASSWORD)]:tsa_password:"
  ":file to sign:"
)

_shtab_sigillum_timestamp_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  {-o,--output}"[output file (default\: \<input\>.tsr\/.tsd)]:output:"
  "--format[output format (default\: tsd)]:format:(tsr tsd)"
  "--tsa[TSA URL (overrides settings)]:tsa:"
  "--tsa-user[HTTP Basic username for the TSA]:tsa_user:"
  "--tsa-password[HTTP Basic password for the TSA (alt\: \$SIGILLUM_TSA_PASSWORD)]:tsa_password:"
  ":file to timestamp:"
)

_shtab_sigillum_tsl_import_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "--country[ISO country code (e.g. IT, DE, FR). Defaults to the primary country derived from settings or \$LANG.]:country:"
)

_shtab_sigillum_tsl_list_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
)

_shtab_sigillum_verify_options=(
  "(- : *)"{-h,--help}"[show this help message and exit]"
  "--original[original file (required for .tsr and detached CAdES)]:original:"
  "*--trusted[PEM with extra CAs for the signer chain (repeatable)]:trusted:"
  "*--tsa-trusted[PEM with extra CAs for the TSA chain (repeatable)]:tsa_trusted:"
  "--json[machine-readable JSON output]"
  ":signed\/timestamped file:"
)


_shtab_sigillum() {
  local context state line curcontext="$curcontext" one_or_more='(-)*' remainder='(*)'

  if ((${_shtab_sigillum_options[(I)${(q)one_or_more}*]} + ${_shtab_sigillum_options[(I)${(q)remainder}*]} == 0)); then  # noqa: E501
    _shtab_sigillum_options+=(': :_shtab_sigillum_commands' '*::: :->sigillum')
  fi
  _arguments -C -s $_shtab_sigillum_options

  case $state in
    sigillum)
      words=($line[1] "${words[@]}")
      (( CURRENT += 1 ))
      curcontext="${curcontext%:*:*}:_shtab_sigillum-$line[1]:"
      case $line[1] in
        config) _shtab_sigillum_config ;;
        decrypt) _arguments -C -s $_shtab_sigillum_decrypt_options ;;
        detect) _arguments -C -s $_shtab_sigillum_detect_options ;;
        encrypt) _arguments -C -s $_shtab_sigillum_encrypt_options ;;
        extract) _arguments -C -s $_shtab_sigillum_extract_options ;;
        gui) _arguments -C -s $_shtab_sigillum_gui_options ;;
        sign) _arguments -C -s $_shtab_sigillum_sign_options ;;
        timestamp) _arguments -C -s $_shtab_sigillum_timestamp_options ;;
        tsl-import) _arguments -C -s $_shtab_sigillum_tsl_import_options ;;
        tsl-list) _arguments -C -s $_shtab_sigillum_tsl_list_options ;;
        verify) _arguments -C -s $_shtab_sigillum_verify_options ;;
      esac
  esac
}

_shtab_sigillum_config() {
  local context state line curcontext="$curcontext" one_or_more='(-)*' remainder='(*)'

  if ((${_shtab_sigillum_config_options[(I)${(q)one_or_more}*]} + ${_shtab_sigillum_config_options[(I)${(q)remainder}*]} == 0)); then  # noqa: E501
    _shtab_sigillum_config_options+=(': :_shtab_sigillum_config_commands' '*::: :->config')
  fi
  _arguments -C -s $_shtab_sigillum_config_options

  case $state in
    config)
      words=($line[1] "${words[@]}")
      (( CURRENT += 1 ))
      curcontext="${curcontext%:*:*}:_shtab_sigillum_config-$line[1]:"
      case $line[1] in
        set) _arguments -C -s $_shtab_sigillum_config_set_options ;;
        show) _arguments -C -s $_shtab_sigillum_config_show_options ;;
      esac
  esac
}



typeset -A opt_args

if [[ $zsh_eval_context[-1] == eval ]]; then
  # eval/source/. command, register function for later
  compdef _shtab_sigillum -N sigillum
else
  # autoload from fpath, call function directly
  _shtab_sigillum "$@"
fi

