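package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.annotation.Nonnull;

import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.lang.JoseException;

import com.fasterxml.jackson.databind.JsonNode;

/**
 * JOSE (JWS / JWE) helper operations for the SL2.0 authentication module.
 *
 * <p>Covers three concerns: creating JWS signatures over outgoing payloads,
 * verifying signed SL2.0 messages against a set of trusted certificates, and
 * decrypting JWE tokens used for SL2.0 end-to-end encryption.
 */
public interface IJoseTools {

  /**
   * Create a JWS signature.
   *
   * <p>This method adds the certificate chain into the JOSE header.
   *
   * @param payLoad Payload to sign
   * @return Signed payload in serialized form
   * @throws SlCommandoBuildException In case of a signature creation error
   */
  String createSignature(String payLoad) throws SlCommandoBuildException;

  /**
   * Create a JWS signature.
   *
   * @param payLoad Payload to sign
   * @param addFullCertChain If true the full certificate chain will be added,
   *        otherwise only the X509CertSha256Fingerprint is added into the JOSE header
   * @return Signed payload in serialized form
   * @throws SlCommandoBuildException In case of a signature creation error
   */
  String createSignature(String payLoad, boolean addFullCertChain)
      throws SlCommandoBuildException;

  /**
   * Validates a signed SL2.0 message.
   *
   * <p>NOTE(review): the trust anchors and algorithm constraints applied by this
   * overload are chosen by the implementation and are not visible in this
   * interface; confirm them against the implementing class.
   *
   * @param serializedContent Serialized JWS signature
   * @return Verification-result DAO
   * @throws SL20Exception In case of a signature validation error
   */
  @Nonnull
  VerificationResult validateSignature(@Nonnull String serializedContent)
      throws SL20Exception;

  /**
   * Validate a JWS signature against an explicit list of trusted certificates.
   *
   * <p>Certificates carried inside the JOSE header (see {@link #createSignature(String, boolean)})
   * are supplied by the signer; implementations are expected to treat only
   * {@code trustedCerts} as trust anchors. (Review note: confirm in the implementation.)
   *
   * @param serializedContent JWS in serialized form
   * @param trustedCerts trusted X509 certificates
   * @param constraints constraints on the JWS algorithms accepted during verification
   * @return Signature-verification result
   * @throws JoseException In case of a signature verification error
   * @throws IOException In case of a general IO error
   */
  @Nonnull
  VerificationResult validateSignature(@Nonnull String serializedContent,
      @Nonnull List<X509Certificate> trustedCerts, @Nonnull AlgorithmConstraints constraints)
      throws JoseException, IOException;

  /**
   * Validate a JWS signature against the certificates held in a trust store.
   *
   * @param serializedContent JWS in serialized form
   * @param trustStore KeyStore with trusted X509 certificates
   * @param algconstraints constraints on the JWS algorithms accepted during verification
   * @return Signature-verification result
   * @throws JoseException In case of a signature verification error
   * @throws IOException In case of a general IO error
   * @throws KeyStoreException In case of a TrustStore error
   */
  @Nonnull
  VerificationResult validateSignature(@Nonnull String serializedContent,
      @Nonnull KeyStore trustStore, @Nonnull AlgorithmConstraints algconstraints)
      throws JoseException, IOException, KeyStoreException;

  /**
   * Get the encryption certificate for SL2.0 End-to-End encryption.
   *
   * @return Encryption certificate for SL2.0 End-to-End encryption
   */
  X509Certificate getEncryptionCertificate();

  /**
   * Decrypt a serialized JWE token.
   *
   * @param compactSerialization Serialized JWE token
   * @return Decrypted payload
   * @throws SL20Exception In case of a decryption error
   */
  JsonNode decryptPayload(String compactSerialization) throws SL20Exception;

}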