/* ======================================================================
   Parts Copyright 2006 University of Leeds, Oxford University, University of the Highlands and Islands.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

====================================================================== */

package org.bodington.server.realm;


import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;
import java.math.BigInteger;
import java.util.Date;

import org.apache.log4j.Logger;

import javax.security.auth.x500.X500Principal;
import sun.security.util.*;
import sun.security.x509.*;

import org.bodington.util.Base64Decoder;

/**
 *
 * @author  jrm
 */
public class X509CertificateBuilder
{
    
    private static Logger log = Logger.getLogger(X509CertificateBuilder.class);
    
    String ca_keystore_path;
    CertificateFactory certificate_factory = null;
    X509Certificate x509certificate_local_ca=null;
    String subject_name_local_ca=null;
    PrivateKey private_key_local_ca=null;
    
    Base64Decoder base64decoder = new Base64Decoder();
    
    /** Creates a new instance of X509CertificateBuilder */
    public X509CertificateBuilder( String ca_keystore_path )
    {
        this.ca_keystore_path = ca_keystore_path;
    }
    
    public void init()
    {
        // needs to load CA signing certificate
        InputStream ksStream;
        try
        {
            log.debug( "Keystore: " + ca_keystore_path );
            File ksfile = new File( ca_keystore_path );
            if ( ksfile.exists() && ksfile.length() == 0L )
                return;
            ksStream = new FileInputStream( ksfile );
            log.debug( "Opened keystore." );
        }
        catch(FileNotFoundException filenotfoundexception)
        {
            // silently return - no certificates to load
            return;
        }
        try
        {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load( ksStream, "notverysecret".toCharArray() );
            ksStream.close();

            log.debug( "Loaded keystore." );
            
            String s = "local_ca";
            if(keyStore.containsAlias(s))
            {
                log.debug( "Keystore has local_ca." );
                x509certificate_local_ca = (X509Certificate)keyStore.getCertificate(s);
                if( x509certificate_local_ca == null )
                    throw new IllegalArgumentException( "Can't find local ca certificate." );
                private_key_local_ca = (PrivateKey)keyStore.getKey(s, "notverysecret".toCharArray() );
                subject_name_local_ca = x509certificate_local_ca.getSubjectX500Principal().getName();
                log.debug( "subject_name_local_ca=" + subject_name_local_ca );
            }

            certificate_factory = CertificateFactory.getInstance("X509");
            return;
        }
        catch ( java.security.GeneralSecurityException se )
        {se.printStackTrace();}
        catch ( IOException ioe )
        {ioe.printStackTrace();}
        
        throw new IllegalArgumentException( "Technical problem reading key store." );
    }
    
    private X500Signer getSigner()
        throws InvalidKeyException, NoSuchAlgorithmException, IOException
    {
        java.security.Principal p = x509certificate_local_ca.getSubjectDN();
        X500Name x500name = new X500Name( p.getName() );
        Signature signature = Signature.getInstance("SHA1WithDSA");
        signature.initSign( private_key_local_ca );
        return new X500Signer( signature, x500name );
    }

    
    
    private X509Certificate createClientCertificate( X500Name x500name, long l, int serial, PublicKey public_key )
        throws GeneralSecurityException, IOException
    {
        X509CertImpl x509certimpl;
        X500Signer x500signer = getSigner();
        Date date = new Date();
        Date date1 = new Date();
        date1.setTime(date1.getTime() + l * 1000L);
        CertificateValidity certificatevalidity = new CertificateValidity(date, date1);
        X509CertInfo x509certinfo = new X509CertInfo();
        x509certinfo.set("version", new CertificateVersion(0));
        x509certinfo.set("serialNumber", new CertificateSerialNumber(serial));
        AlgorithmId algorithmid = x500signer.getAlgorithmId();
        x509certinfo.set("algorithmID", new CertificateAlgorithmId(algorithmid));
        x509certinfo.set("subject", new CertificateSubjectName(x500name));
        x509certinfo.set("key", new CertificateX509Key(public_key));
        x509certinfo.set("validity", certificatevalidity);
        x509certinfo.set("issuer", new CertificateIssuerName(x500signer.getSigner()));
        x509certimpl = new X509CertImpl(x509certinfo);
        x509certimpl.sign( private_key_local_ca, "SHA1WithDSA" );
        return x509certimpl;
    }
    
    public X509Certificate createClientCertificate( String name, long l, int serial, String enc_pub_key )
        throws GeneralSecurityException, IOException
    {
        X500Name x500_name = new X500Name( "cn=" + name );
        
        /*
        byte[] encoded_key = base64decoder.decodeBuffer( enc_pub_key );
        X509EncodedKeySpec public_key_spec = new X509EncodedKeySpec( encoded_key );
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        PublicKey public_key = keyFactory.generatePublic( public_key_spec );
        */

        byte[] der_keychal = base64decoder.decodeBuffer( enc_pub_key );
        PublicKey public_key = getVerifiedKey( "fixed_challenge", der_keychal );
        
        return createClientCertificate( x500_name, l, serial, public_key );
    }
    
    
    /*
     * Parse and verify the SignedPublicKeyAndChallenge data as
     * produced by KEYGEN ... return the key.
     */
    private PublicKey getVerifiedKey( String challenge, byte[] der_keychal )
    throws SignatureException, IOException,
	InvalidKeyException, NoSuchAlgorithmException
    {
	//
	// SignedPublicKeyAndChallenge ::= SEQUENCE {
	//	publicKeyAndChallenge	PublicKeyAndChallenge,
	//	signatureAlgorithm	AlgorithmIdentifier,
	//	signature		BIT STRING
	// }
	//
	DerInputStream	in = new DerInputStream( der_keychal );
	DerValue	spkac [] = in.getSequence( 3 );
	AlgorithmId	sigAlg;
	byte		sigBits [];

	if (spkac.length != 3)
	    throw new SignatureException( "invalid SPKAC" );

	sigAlg = AlgorithmId.parse( spkac[1] );
	sigBits = spkac[2].getBitString();


	//
	// PublicKeyAndChallenge ::= SEQUENCE {
	//	spki			SubjectPublicKeyInfo,
	//	challenge		IA5STRING
	// }
	//
	DerValue	pkac [];
	PublicKey		retval;

	// in = spkac [0].toDerInputStream ();
	in = new DerInputStream( spkac[0].toByteArray() );
	pkac = in.getSequence( 2 );

	if ( pkac.length != 2 )
	    throw new SignatureException ("invalid PKAC");
	if ( !challenge.equals( pkac[1].getIA5String() ) )
	    throw new SignatureException ("bad challenge in PKAC");

	retval = X509Key.parse( pkac [0] );

	//
	// Verify the signature .. shows the response was generated
	// by someone who knew the associated private key
	//
	Signature sig = Signature.getInstance( sigAlg.getName () );

	sig.initVerify (retval);
	sig.update (spkac [0].toByteArray ());
	if ( sig.verify (sigBits) )
	    return retval;
	else
	    throw new SignatureException ("bad SPKAC Signature");
    }

    
    
}