/*
 * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
 * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
 * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
 * compliance with the Licence. You may obtain a copy of the Licence at:
 * https://joinup.ec.europa.eu/news/understanding-eupl-v12
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence
 * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the Licence for the specific language governing permissions and limitations under
 * the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text file for details on the
 * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
 * works that you distribute must include a readable copy of the "NOTICE" text file.
*/

package at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize;

import java.util.Arrays;
import java.util.Collections;

import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.encryption.support.EncryptionConstants;
import org.opensaml.xmlsec.encryption.support.RSAOAEPParameters;
import org.opensaml.xmlsec.impl.BasicDecryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicEncryptionConfiguration;
import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
import org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration;
import org.opensaml.xmlsec.signature.support.SignatureConstants;

/**
 * EAAF specific OpenSAML2 security configuration.
 *
 * @author tlenz
 *
 */
public class EaafDefaultSecurityConfigurationBootstrap
    extends DefaultSecurityConfigurationBootstrap {

  /**
   * Set EAAF specific encryption configuration to OpenSAML 3.x.
   *
   * @return
   */
  public static BasicEncryptionConfiguration buildEaafEncryptionConfiguration() {
    final BasicEncryptionConfiguration config = new BasicEncryptionConfiguration();

    config.setExcludedAlgorithms(Arrays.asList(
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_TRIPLEDES,
        EncryptionConstants.ALGO_ID_KEYWRAP_TRIPLEDES));

    config.setDataEncryptionAlgorithms(Arrays.asList(
        // The order of these is significant.
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256,

        // register GCM algorithms
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128_GCM,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES192_GCM,
        EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM));

    config.setKeyTransportEncryptionAlgorithms(Arrays.asList(
        // The order of the RSA algos is significant.
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP,
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP11,

        // The order of these is not significant.
        // These aren't really "preferences" per se. They just need to be registered
        // so that they can be used if a credential with a key of that type and size is
        // seen.
        EncryptionConstants.ALGO_ID_KEYWRAP_AES128,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES192,
        EncryptionConstants.ALGO_ID_KEYWRAP_AES256));

    config.setRSAOAEPParameters(new RSAOAEPParameters(
        SignatureConstants.ALGO_ID_DIGEST_SHA1,
        EncryptionConstants.ALGO_ID_MGF1_SHA1,
        null));

    config.setDataKeyInfoGeneratorManager(buildDataEncryptionKeyInfoGeneratorManager());
    config.setKeyTransportKeyInfoGeneratorManager(buildKeyTransportEncryptionKeyInfoGeneratorManager());

    return config;
  }

  /**
   * Set EAAF specific decryption configuration to OpenSAML 3.x.
   *
   * @return
   */
  public static BasicDecryptionConfiguration buildEaaftDecryptionConfiguration() {
    final BasicDecryptionConfiguration config = new BasicDecryptionConfiguration();

    config.setExcludedAlgorithms(Collections.singletonList(
        EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15));

    config.setEncryptedKeyResolver(buildBasicEncryptedKeyResolver());

    return config;
  }

  /**
   * Set EAAF specific signature-creation configuration to OpenSAML 3.x.
   *
   * @return
   */
  public static BasicSignatureSigningConfiguration buildEaafSignatureSigningConfiguration() {
    final BasicSignatureSigningConfiguration config = new BasicSignatureSigningConfiguration();

    config.setExcludedAlgorithms(Arrays.asList(
        SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
        SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
        SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
        SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
        SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
        SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
        SignatureConstants.ALGO_ID_DIGEST_SHA1));

    config.setSignatureAlgorithms(Arrays.asList(
        // The order within each key group is significant.
        // The order of the key groups themselves is not significant.

        // RSA
        SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256,
        SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384,
        SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512,

        // ECDSA
        SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA256,
        SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA384,
        SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA512

    // HMAC (all symmetric keys)
    // SignatureConstants.ALGO_ID_MAC_HMAC_SHA256,
    // SignatureConstants.ALGO_ID_MAC_HMAC_SHA384,
    // SignatureConstants.ALGO_ID_MAC_HMAC_SHA512,
    // SignatureConstants.ALGO_ID_MAC_HMAC_SHA1
    ));

    config.setSignatureReferenceDigestMethods(Arrays.asList(
        // The order of these is significant.
        SignatureConstants.ALGO_ID_DIGEST_SHA256,
        SignatureConstants.ALGO_ID_DIGEST_SHA384,
        SignatureConstants.ALGO_ID_DIGEST_SHA512));

    config.setSignatureCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    config.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());

    return config;
  }

  /**
   * Set EAAF specific signature-verification configuration to OpenSAML 3.x.
   *
   * @return
   */
  public static BasicSignatureValidationConfiguration buildEaafSignatureValidationConfiguration() {
    final BasicSignatureValidationConfiguration config = new BasicSignatureValidationConfiguration();

    config.setExcludedAlgorithms(Arrays.asList(
        SignatureConstants.ALGO_ID_DIGEST_NOT_RECOMMENDED_MD5,
        SignatureConstants.ALGO_ID_SIGNATURE_NOT_RECOMMENDED_RSA_MD5,
        SignatureConstants.ALGO_ID_MAC_HMAC_NOT_RECOMMENDED_MD5,
        SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1,
        SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1,
        SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1,
        SignatureConstants.ALGO_ID_DIGEST_SHA1));

    return config;
  }
}