/* ======================================================================
The Bodington System Software License, Version 1.0
  
Copyright (c) 2001 The University of Leeds.  All rights reserved.
  
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

1.  Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.

2.  Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

3.  The end-user documentation included with the redistribution, if any,
must include the following acknowledgement:  "This product includes
software developed by the University of Leeds
(http://www.bodington.org/)."  Alternately, this acknowledgement may
appear in the software itself, if and wherever such third-party
acknowledgements normally appear.

4.  The names "Bodington", "Nathan Bodington", "Bodington System",
"Bodington Open Source Project", and "The University of Leeds" must not be
used to endorse or promote products derived from this software without
prior written permission. For written permission, please contact
d.gardner@leeds.ac.uk.

5.  The name "Bodington" may not appear in the name of products derived
from this software without prior written permission of the University of
Leeds.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO,  TITLE,  THE IMPLIED WARRANTIES 
OF QUALITY  AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO 
EVENT SHALL THE UNIVERSITY OF LEEDS OR ITS CONTRIBUTORS BE LIABLE FOR 
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE.
=========================================================

This software was originally created by the University of Leeds and may contain voluntary 
contributions from others.  For more information on the Bodington Open Source Project, please 
see http://bodington.org/

====================================================================== */

package org.bodington.server.realm;


import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.*;
import java.math.BigInteger;
import java.util.Date;

import org.apache.log4j.Logger;

import javax.security.auth.x500.X500Principal;
import sun.security.util.*;
import sun.security.x509.*;

import org.bodington.util.Base64Decoder;

/**
 *
 * @author  jrm
 */
public class X509CertificateBuilder
{
    
    private static Logger log = Logger.getLogger(X509CertificateBuilder.class);
    
    String ca_keystore_path;
    CertificateFactory certificate_factory = null;
    X509Certificate x509certificate_local_ca=null;
    String subject_name_local_ca=null;
    PrivateKey private_key_local_ca=null;
    
    Base64Decoder base64decoder = new Base64Decoder();
    
    /** Creates a new instance of X509CertificateBuilder */
    public X509CertificateBuilder( String ca_keystore_path )
    {
        this.ca_keystore_path = ca_keystore_path;
    }
    
    public void init()
    {
        // needs to load CA signing certificate
        InputStream ksStream;
        try
        {
            log.debug( "Keystore: " + ca_keystore_path );
            File ksfile = new File( ca_keystore_path );
            if ( ksfile.exists() && ksfile.length() == 0L )
                return;
            ksStream = new FileInputStream( ksfile );
            log.debug( "Opened keystore." );
        }
        catch(FileNotFoundException filenotfoundexception)
        {
            // silently return - no certificates to load
            return;
        }
        try
        {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load( ksStream, "notverysecret".toCharArray() );
            ksStream.close();

            log.debug( "Loaded keystore." );
            
            String s = "local_ca";
            if(keyStore.containsAlias(s))
            {
                log.debug( "Keystore has local_ca." );
                x509certificate_local_ca = (X509Certificate)keyStore.getCertificate(s);
                if( x509certificate_local_ca == null )
                    throw new IllegalArgumentException( "Can't find local ca certificate." );
                private_key_local_ca = (PrivateKey)keyStore.getKey(s, "notverysecret".toCharArray() );
                subject_name_local_ca = x509certificate_local_ca.getSubjectX500Principal().getName();
                log.debug( "subject_name_local_ca=" + subject_name_local_ca );
            }

            certificate_factory = CertificateFactory.getInstance("X509");
            return;
        }
        catch ( java.security.GeneralSecurityException se )
        {se.printStackTrace();}
        catch ( IOException ioe )
        {ioe.printStackTrace();}
        
        throw new IllegalArgumentException( "Technical problem reading key store." );
    }
    
    private X500Signer getSigner()
        throws InvalidKeyException, NoSuchAlgorithmException, IOException
    {
        java.security.Principal p = x509certificate_local_ca.getSubjectDN();
        X500Name x500name = new X500Name( p.getName() );
        Signature signature = Signature.getInstance("SHA1WithDSA");
        signature.initSign( private_key_local_ca );
        return new X500Signer( signature, x500name );
    }

    
    
    private X509Certificate createClientCertificate( X500Name x500name, long l, int serial, PublicKey public_key )
        throws GeneralSecurityException, IOException
    {
        X509CertImpl x509certimpl;
        X500Signer x500signer = getSigner();
        Date date = new Date();
        Date date1 = new Date();
        date1.setTime(date1.getTime() + l * 1000L);
        CertificateValidity certificatevalidity = new CertificateValidity(date, date1);
        X509CertInfo x509certinfo = new X509CertInfo();
        x509certinfo.set("version", new CertificateVersion(0));
        x509certinfo.set("serialNumber", new CertificateSerialNumber(serial));
        AlgorithmId algorithmid = x500signer.getAlgorithmId();
        x509certinfo.set("algorithmID", new CertificateAlgorithmId(algorithmid));
        x509certinfo.set("subject", new CertificateSubjectName(x500name));
        x509certinfo.set("key", new CertificateX509Key(public_key));
        x509certinfo.set("validity", certificatevalidity);
        x509certinfo.set("issuer", new CertificateIssuerName(x500signer.getSigner()));
        x509certimpl = new X509CertImpl(x509certinfo);
        x509certimpl.sign( private_key_local_ca, "SHA1WithDSA" );
        return x509certimpl;
    }
    
    public X509Certificate createClientCertificate( String name, long l, int serial, String enc_pub_key )
        throws GeneralSecurityException, IOException
    {
        X500Name x500_name = new X500Name( "cn=" + name );
        
        /*
        byte[] encoded_key = base64decoder.decodeBuffer( enc_pub_key );
        X509EncodedKeySpec public_key_spec = new X509EncodedKeySpec( encoded_key );
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        PublicKey public_key = keyFactory.generatePublic( public_key_spec );
        */

        byte[] der_keychal = base64decoder.decodeBuffer( enc_pub_key );
        PublicKey public_key = getVerifiedKey( "fixed_challenge", der_keychal );
        
        return createClientCertificate( x500_name, l, serial, public_key );
    }
    
    
    /*
     * Parse and verify the SignedPublicKeyAndChallenge data as
     * produced by KEYGEN ... return the key.
     */
    private PublicKey getVerifiedKey( String challenge, byte[] der_keychal )
    throws SignatureException, IOException,
	InvalidKeyException, NoSuchAlgorithmException
    {
	//
	// SignedPublicKeyAndChallenge ::= SEQUENCE {
	//	publicKeyAndChallenge	PublicKeyAndChallenge,
	//	signatureAlgorithm	AlgorithmIdentifier,
	//	signature		BIT STRING
	// }
	//
	DerInputStream	in = new DerInputStream( der_keychal );
	DerValue	spkac [] = in.getSequence( 3 );
	AlgorithmId	sigAlg;
	byte		sigBits [];

	if (spkac.length != 3)
	    throw new SignatureException( "invalid SPKAC" );

	sigAlg = AlgorithmId.parse( spkac[1] );
	sigBits = spkac[2].getBitString();


	//
	// PublicKeyAndChallenge ::= SEQUENCE {
	//	spki			SubjectPublicKeyInfo,
	//	challenge		IA5STRING
	// }
	//
	DerValue	pkac [];
	PublicKey		retval;

	// in = spkac [0].toDerInputStream ();
	in = new DerInputStream( spkac[0].toByteArray() );
	pkac = in.getSequence( 2 );

	if ( pkac.length != 2 )
	    throw new SignatureException ("invalid PKAC");
	if ( !challenge.equals( pkac[1].getIA5String() ) )
	    throw new SignatureException ("bad challenge in PKAC");

	retval = X509Key.parse( pkac [0] );

	//
	// Verify the signature .. shows the response was generated
	// by someone who knew the associated private key
	//
	Signature sig = Signature.getInstance( sigAlg.getName () );

	sig.initVerify (retval);
	sig.update (spkac [0].toByteArray ());
	if ( sig.verify (sigBits) )
	    return retval;
	else
	    throw new SignatureException ("bad SPKAC Signature");
    }

    
    
}