/*******************************************************************************
 *******************************************************************************/
package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;

import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xml.security.credential.BasicKeyInfoGeneratorFactory;
import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorManager;
import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.SignatureConstants;

/**
 * @author tlenz
 *
 */
public class EAAFDefaultSecurityConfigurationBootstrap extends
		DefaultSecurityConfigurationBootstrap {
	
	public static BasicSecurityConfiguration buildDefaultConfig() {
		BasicSecurityConfiguration config = new BasicSecurityConfiguration();

		populateSignatureParams(config);
		populateEncryptionParams(config);
		populateKeyInfoCredentialResolverParams(config);
		populateKeyInfoGeneratorManager(config);
		populateKeyParams(config);

		return config;
	}

	protected static void populateKeyInfoGeneratorManager(
			BasicSecurityConfiguration config) {
		NamedKeyInfoGeneratorManager namedManager = new NamedKeyInfoGeneratorManager();
		config.setKeyInfoGeneratorManager(namedManager);

		namedManager.setUseDefaultManager(true);
		KeyInfoGeneratorManager defaultManager = namedManager
				.getDefaultManager();

		BasicKeyInfoGeneratorFactory basicFactory = new BasicKeyInfoGeneratorFactory();
		basicFactory.setEmitPublicKeyValue(true);

		X509KeyInfoGeneratorFactory x509Factory = new X509KeyInfoGeneratorFactory();
		x509Factory.setEmitEntityCertificate(true);

		defaultManager.registerFactory(basicFactory);
		defaultManager.registerFactory(x509Factory);
	}
	
	protected static void populateSignatureParams(
			BasicSecurityConfiguration config) {
		
		//use SHA256 instead of SHA1
		config.registerSignatureAlgorithmURI("RSA",
				SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
	
		config.registerSignatureAlgorithmURI("DSA",
				"http://www.w3.org/2000/09/xmldsig#dsa-sha1");
		
		//use SHA256 instead of SHA1
		config.registerSignatureAlgorithmURI("EC",
				SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256);

		//use SHA256 instead of SHA1
		config.registerSignatureAlgorithmURI("AES",
				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);
		
		
		config.registerSignatureAlgorithmURI("DESede",
				SignatureConstants.ALGO_ID_MAC_HMAC_SHA256);

		config.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#");
		config.setSignatureHMACOutputLength(null);
		
		//use SHA256 instead of SHA1
		config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
	}

	protected static void populateEncryptionParams(
			BasicSecurityConfiguration config) {
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128),
				"http://www.w3.org/2001/04/xmlenc#aes128-cbc");
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192),
				"http://www.w3.org/2001/04/xmlenc#aes192-cbc");
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256),
				"http://www.w3.org/2001/04/xmlenc#aes256-cbc");
		
		//support GCM mode
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(128), 
				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM);
		
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(192), 
				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM);
		
		config.registerDataEncryptionAlgorithmURI("AES", Integer.valueOf(256), 
				EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM);
		
		
		config.registerDataEncryptionAlgorithmURI("DESede",
				Integer.valueOf(168),
				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
		config.registerDataEncryptionAlgorithmURI("DESede",
				Integer.valueOf(192),
				"http://www.w3.org/2001/04/xmlenc#tripledes-cbc");

		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null, "AES",
				"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
		
		config.registerKeyTransportEncryptionAlgorithmURI("RSA", null,
				"DESede", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");

		config.registerKeyTransportEncryptionAlgorithmURI("AES",
				Integer.valueOf(128), null,
				"http://www.w3.org/2001/04/xmlenc#kw-aes128");
		config.registerKeyTransportEncryptionAlgorithmURI("AES",
				Integer.valueOf(192), null,
				"http://www.w3.org/2001/04/xmlenc#kw-aes192");
		config.registerKeyTransportEncryptionAlgorithmURI("AES",
				Integer.valueOf(256), null,
				"http://www.w3.org/2001/04/xmlenc#kw-aes256");
		config.registerKeyTransportEncryptionAlgorithmURI("DESede",
				Integer.valueOf(168), null,
				"http://www.w3.org/2001/04/xmlenc#kw-tripledes");
		config.registerKeyTransportEncryptionAlgorithmURI("DESede",
				Integer.valueOf(192), null,
				"http://www.w3.org/2001/04/xmlenc#kw-tripledes");

		config.setAutoGeneratedDataEncryptionKeyAlgorithmURI("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
	}
}