package at.gv.egovernment.moa.id.config;

import iaik.pki.pathvalidation.ChainingModes;
import iaik.utils.RFC2253NameParser;
import iaik.utils.RFC2253NameParserException;

import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;

import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;

import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.Schema;
import at.gv.egovernment.moa.id.auth.data.SchemaImpl;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameter;
import at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters;
import at.gv.egovernment.moa.id.config.proxy.OAConfiguration;
import at.gv.egovernment.moa.id.config.proxy.OAProxyParameter;
import at.gv.egovernment.moa.id.data.IssuerAndSerial;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.StringUtils;
import at.gv.egovernment.moa.util.XPathException;
import at.gv.egovernment.moa.util.XPathUtils;

/**
 * A class that builds configuration data from a DOM based representation.
 * 
 * @author Patrick Peck
 * @author Stefan Knirsch
 * @version $Id$
 */
public class ConfigurationBuilder {

  //
  // XPath namespace prefix shortcuts
  //
  /** an XPATH-Expression */ 
  private static final String CONF = Constants.MOA_ID_CONFIG_PREFIX + ":";
  /** an XPATH-Expression */ 
  private static final String DSIG = Constants.DSIG_PREFIX + ":";

  //
  // chaining mode constants appearing in the configuration file
  //
  /** an XPATH-Expression */ 
  private static final String CM_CHAINING = "chaining";
  /** an XPATH-Expression */ 
  private static final String CM_PKIX = "pkix";
  /** an XPATH-Expression */ 
  private static final String DEFAULT_ENCODING = "UTF-8";

  /**
   * Default online application configuration file name
   * (used when <code>/OnlineApplication/ProxyComponent@configFileURL</code> is <code>null</code>).
   */
  public static final String DEFAULT_OA_CONFIG_FILENAME = "MOAConfig.xml";

  //
  // XPath expressions to select certain parts of the configuration
  //
  /** an XPATH-Expression */ 
  private static final String ROOT = "/" + CONF + "MOA-IDConfiguration/";
  /** an XPATH-Expression */ 
  private static final String ROOTOA = "/" + CONF + "Configuration/";
  /** an XPATH-Expression */ 
  private static final String AUTH_BKU_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "BKUSelection";
  /** an XPATH-Expression */ 
  private static final String AUTH_BKUSELECT_TEMPLATE_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL";
  /** an XPATH-Expression */ 
  private static final String AUTH_TEMPLATE_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "Template/@URL";
  /** an XPATH-Expression */ 
	public static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "SecurityLayer/" + CONF + "TransformsInfo/@filename";
  /** an XPATH-Expression */ 
  private static final String AUTH_MOA_SP_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP";
  /** an XPATH-Expression */ 
  private static final String AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH =
      ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyIdentityLink/" + CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  private static final String AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH =
        ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  private static final String AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH =
   ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF  + "VerifyTransformsInfoProfileID";

  /** an XPATH-Expression */ 
  private static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "IdentityLinkSigners/" + CONF + "X509SubjectName";
 
  /** an XPATH-Expression */ 
  public static final String AUTH_VERIFY_INFOBOXES_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "VerifyInfoboxes";
 
  /** an XPATH-Expression */ 
  private static final String PROXY_AUTH_XPATH =
    ROOT + CONF + "ProxyComponent/" + CONF + "AuthComponent";

  /** an XPATH-Expression */ 
  private static final String OA_XPATH = ROOT + CONF + "OnlineApplication";
  /** an XPATH-Expression */ 
  private static final String OA_LOGIN_XPATH = ROOT + CONF + "OnlineApplication/@loginURL";
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_XPATH = CONF + "AuthComponent";
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH = CONF + "IdentificationNumber";    
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH =
    CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL";
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_TEMPLATE_XPATH =
    CONF + "Templates/" + CONF + "Template/@URL";
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH = CONF + "TransformsInfo/@filename";
  /** an XPATH-Expression */ 
  private static final String OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH = CONF + "VerifyInfoboxes";
  /** an XPATH-Expression */ 
  private static final String OA_PROXY_COMPONENT_XPATH = CONF + "ProxyComponent";
  /** an XPATH-Expression */ 
  private static final String OA_PROXY_COMPONENT_ABSOLUTE_XPATH = ROOT + CONF + "OnlineApplication/" + CONF + "ProxyComponent";
  /** an XPATH-Expression */ 
  private static final String OA_PROXY_URL_XPATH = CONF + "ProxyComponent/@configFileURL";
  /** an XPATH-Expression */ 
  private static final String OA_PROXY_SESSION_TIMEOUT_XPATH = CONF + "ProxyComponent/@sessionTimeOut";
  /** an XPATH-Expression */ 
  private static final String OA_PROXY_LOGIN_PARA_XPATH = CONF + "ProxyComponent/@loginParameterResolverImpl";
  /** an XPATH-Expression */
  private static final String OA_PROXY_LOGIN_PARA_CONF_XPATH = CONF + "ProxyComponent/@loginParameterResolverConfiguration";
	/** an XPATH-Expression */ 
  private static final String OA_PROXY_CONNECTION_BUILDER_XPATH = CONF + "ProxyComponent/@connectionBuilderImpl";
  /** an XPATH-Expression */ 
  private static final String CONNECTION_PARAMETER_URL_XPATH =
    CONF + "ConnectionParameter/@URL";
  /** an XPATH-Expression */ 
  private static final String CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH =
    CONF + "ConnectionParameter/" + CONF + "AcceptedServerCertificates";
  /** an XPATH-Expression */ 
  private static final String CONNECTION_PARAMETERN_KEYSTORE_XPATH =
    CONF + "ConnectionParameter/" + CONF + "ClientKeyStore";
  /** an XPATH-Expression */ 
  private static final String CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH =
    CONNECTION_PARAMETERN_KEYSTORE_XPATH + "/@password";
  /** an XPATH-Expression */ 
  private static final String GENERIC_CONFIGURATION_XPATH =
    ROOT + CONF + "GenericConfiguration";
  /** an XPATH-Expression */ 
  private static final String OACONF_LOGIN_TYPE_XPATH =
    ROOTOA + CONF + "LoginType";
  /** an XPATH-Expression */ 
  private static final String OACONF_BINDING_TYPE_XPATH =
    ROOTOA + CONF + "Binding";
  /** an XPATH-Expression */ 
  private static final String OACONF_PARAM_AUTH_PARAMETER_XPATH =
    ROOTOA + CONF + "ParamAuth/" + CONF + "Parameter";
  /** an XPATH-Expression */ 
  private static final String OACONF_USER_ID_XPATH =
    ROOTOA + CONF + "BasicAuth/" + CONF + "UserID";
  /** an XPATH-Expression */ 
  private static final String OACONF_PASSWORD_XPATH =
    ROOTOA + CONF + "BasicAuth/" + CONF + "Password";
  /** an XPATH-Expression */ 
  private static final String OACONF_HEADER_AUTH_HEADER_XPATH =
    ROOTOA + CONF + "HeaderAuth/" + CONF + "Header";
  /** an XPATH-Expression */ 
  private static final String CHAINING_MODES_XPATH =
    ROOT + CONF + "ChainingModes";
  /** an XPATH-Expression */ 
  private static final String CHAINING_MODES_DEFAULT_XPATH =
    CHAINING_MODES_XPATH + "/@systemDefaultMode";
  /** an XPATH-Expression */ 
  private static final String TRUST_ANCHOR_XPATH =
    ROOT + CONF + "ChainingModes/" + CONF + "TrustAnchor";
  /** an XPATH-Expression */ 
  private static final String ISSUER_XPATH = DSIG + "X509IssuerName";
  /** an XPATH-Expression */ 
  private static final String SERIAL_XPATH = DSIG + "X509SerialNumber";
  /** an XPATH-Expression */ 
  private static final String TRUSTED_CA_CERTIFICATES_XPATH =
    ROOT + CONF + "TrustedCACertificates";
  
  /** an XPATH-Expression */ 
  private static final String VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH = CONF + "DefaultTrustProfile";
  /** an XPATH-Expression */ 
  private static final String VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH = CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  private static final String VERIFY_INFOBOXES_INFOBOX_XPATH = CONF + "Infobox";
  
  

  
	/**
	 * main configuration file directory name used to configure MOA-ID 
	 */
	private String rootConfigFileDir_;
  
  /** The root element of the MOA-ID configuration */
  private Element configElem_;

  /**
   * Creates a new <code>MOAConfigurationProvider</code>.
   * 
   * @param configElem The root element of the MOA-ID configuration.
   */
  public ConfigurationBuilder(Element configElem, String rootConfigDir) {
    configElem_ = configElem;
    rootConfigFileDir_ = rootConfigDir;
  }

  /**
   * Returns the root element of the MOA-ID configuration. 
   * 
   * @return The root element of the MOA-ID configuration.
   */
  public Element getConfigElem() {
    return configElem_;
  }

  /**
   * Build a ConnectionParameter object containing all information
   * of the moa-sp element in the authentication component 
   * @return ConnectionParameter of the authentication component moa-sp element 
   */
  public ConnectionParameter buildAuthBKUConnectionParameter() {

    Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH);
    if (authBKU==null) return null;
    return buildConnectionParameter(authBKU);
  }

  /**
   * Method buildAuthBKUSelectionType.
   * 
   * Build a string with the configuration value of BKUSelectionAlternative
   * 
   * @return String
   */
  public String buildAuthBKUSelectionType() {

   Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH);
   if (authBKU==null) return null;   
   return (authBKU).getAttribute("BKUSelectionAlternative");
  }

  /**
   * Build a string array with all filenames leading
   * to the Transforms Information for the Security Layer
   * @param businessService <code>true</code> if the application is a
   *        business application, otherwise <code>false</code>
   * @return String[] of filenames to the Security Layer Transforms Information 
   *         or <code>null</code> if no transforms are included
   */
  public String[] buildTransformsInfoFileNames(Node contextNode, String xpathExpr) {
    
    List transformsInfoFileNames = new ArrayList();
    
    try {
      NodeIterator tiIter = XPathUtils.selectNodeIterator(contextNode, xpathExpr);
      
      Attr tiElem;
      while ((tiElem = (Attr) tiIter.nextNode()) != null) {
        String tiFileName = tiElem.getNodeValue();
        transformsInfoFileNames.add(tiFileName);
      }
      
      String[] result = new String[transformsInfoFileNames.size()];
      transformsInfoFileNames.toArray(result);
  
      return result;
    } catch (XPathException xpe) {
      return new String[0];
    }
  }
  
  
  /**
   * Loads the <code>transformsInfos</code> from files.
   * @throws Exception on any exception thrown
   */
  public String[] loadTransformsInfos(String[] transformsInfoFileNames) throws Exception {
    
    String[] transformsInfos = new String[transformsInfoFileNames.length];
    for (int i = 0; i < transformsInfoFileNames.length; i++) {
      String fileURL = transformsInfoFileNames[i];

      //if fileURL is relative to rootConfigFileDir make it absolute          
      fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir_);      
      String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
      transformsInfos[i] = transformsInfo;
    }
    return transformsInfos;
  }

  /**
   * Build a ConnectionParameter bean containing all information
   * of the authentication component moa-sp element 
   * @return ConnectionParameter of the authentication component moa-sp element 
   */
  public ConnectionParameter buildMoaSpConnectionParameter() {

    Element connectionParameter = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_MOA_SP_XPATH);
    if (connectionParameter==null) return null;
    return buildConnectionParameter(connectionParameter);
  }

  /**
   * Return a string with a url-reference to the VerifyIdentityLink trust 
   * profile id within the moa-sp part of the authentication component
   * @return String with a url-reference to the VerifyIdentityLink trust profile ID
   */
  public String getMoaSpIdentityLinkTrustProfileID() {
    return XPathUtils.getElementValue(
      configElem_,
      AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH,
      "");
  }
  /**
   * Return a string representation of an URL pointing to trusted CA Certificates 
   * @return String representation of an URL pointing to trusted CA Certificates 
   */
  public String getTrustedCACertificates() {
    return XPathUtils.getElementValue(
      configElem_,
      TRUSTED_CA_CERTIFICATES_XPATH,null);
  }
  
  /**
   * Return a string with a url-reference to the VerifyAuthBlock trust 
   * profile id within the moa-sp part of the authentication component
   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
   */
  public String getMoaSpAuthBlockTrustProfileID() {
    return XPathUtils.getElementValue(
      configElem_,
      AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH,
      "");
  }
  /**
   * Build a string array with references to all verify transform info 
   * IDs within the moa-sp part of the authentication component
   * @return A string array containing all urls to the 
   * verify transform info IDs
   */
  public String[] buildMoaSpAuthBlockVerifyTransformsInfoIDs() {

    List verifyTransformsInfoIDs = new ArrayList();
    NodeIterator vtIter =
      XPathUtils.selectNodeIterator(
        configElem_,
        AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH);
    Element vtElem;

    while ((vtElem = (Element) vtIter.nextNode()) != null) {

      String vtInfoIDs = DOMUtils.getText(vtElem);
      verifyTransformsInfoIDs.add(vtInfoIDs);
    }
    String[] result = new String[verifyTransformsInfoIDs.size()];
    verifyTransformsInfoIDs.toArray(result);

    return result;
  }


  /**
   * Returns a list containing all X509 Subject Names 
   * of the Identity Link Signers
   * @return a list containing the configured identity-link signer X509 subject names
   */
  public List getIdentityLink_X509SubjectNames() {

    Vector x509SubjectNameList = new Vector();
    NodeIterator x509Iter =
      XPathUtils.selectNodeIterator(
        configElem_,
        AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH);
    Element x509Elem;

    while ((x509Elem = (Element) x509Iter.nextNode()) != null) {
      String vtInfoIDs = DOMUtils.getText(x509Elem);
      x509SubjectNameList.add(vtInfoIDs);
    }
    
    // now add the default identity link signers
    String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID;
    for (int i=0; i<identityLinkSignersWithoutOID.length; i++) {
      String identityLinkSigner = identityLinkSignersWithoutOID[i];
      if (!x509SubjectNameList.contains(identityLinkSigner)) {
        x509SubjectNameList.add(identityLinkSigner);
      }
    }
   
    return x509SubjectNameList;
  }

  /**
   * Build an array of the OnlineApplication Parameters containing information 
   * about the authentication component
   * 
   * @param defaultVerifyInfoboxParameters Default parameters for verifying additional
   *                                infoboxes. Maybe <code>null</code>.
   * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
   *                                the identity link signer certificate. Needed for
   *                                checking if this ID is not used for validating other 
   *                                infoboxes.
   * 
   * @return An OAProxyParameter array containing beans
   * with all relevant information for the authentication component of the online 
   * application
   */
  public OAAuthParameter[] buildOnlineApplicationAuthParameters(
    VerifyInfoboxParameters defaultVerifyInfoboxParameters, String moaSpIdentityLinkTrustProfileID)
  throws ConfigurationException 
  {

    String bkuSelectionTemplateURL =     
    	  XPathUtils.getAttributeValue(configElem_, AUTH_BKUSELECT_TEMPLATE_XPATH, null);
    String templateURL =     
        XPathUtils.getAttributeValue(configElem_, AUTH_TEMPLATE_XPATH, null);
    
    List OA_set = new ArrayList();
    NodeList OAIter = XPathUtils.selectNodeList(configElem_, OA_XPATH);

    for (int i = 0; i < OAIter.getLength(); i++) {
      Element oAElem = (Element) OAIter.item(i);
      Element authComponent =
        (Element) XPathUtils.selectSingleNode(oAElem, OA_AUTH_COMPONENT_XPATH);

      OAAuthParameter oap = new OAAuthParameter();
      String publicURLPrefix = oAElem.getAttribute("publicURLPrefix");
      oap.setPublicURLPrefix(publicURLPrefix);
      oap.setKeyBoxIdentier(oAElem.getAttribute("keyBoxIdentifier"));
      
      // get the type of the online application
      String oaType = oAElem.getAttribute("type");
      oap.setOaType(oaType);
      String slVersion = "1.1";
      if ("businessService".equalsIgnoreCase(oaType)) {
        if (authComponent==null) {
          Logger.error("Missing \"AuthComponent\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        } 
        Element identificationNumberElem =
          (Element) XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH);
        if (identificationNumberElem==null) {
          Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        } 
        Element identificationNumberChild = DOMUtils.getElementFromNodeList(identificationNumberElem.getChildNodes());
        if (identificationNumberChild == null) {
          Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        }
        if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) {
        	oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild));
        } else {
        	// If we have business service and want to dealt with GDA, the security layer can be advised to calulate 
        	// the Health Professional Identifier HPI instead of the wbPK
            Logger.info("OA uses HPI for Identification");
        	oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI);
        }
        
        // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file
        Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2");
        slVersion = "1.2";
        
      } else {
        
        if (authComponent!=null) {
          slVersion = authComponent.getAttribute("slVersion");
        }
        
      }
      oap.setSlVersion(slVersion);
      //Check if there is an Auth-Block to read from configuration
      
      if (authComponent!=null)
      {
        oap.setProvideStammzahl(BoolUtils.valueOf(authComponent.getAttribute("provideStammzahl")));
        oap.setProvideAuthBlock(BoolUtils.valueOf(authComponent.getAttribute("provideAUTHBlock")));
        oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink")));
        oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate")));        
        oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL));
        oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL));        
        // load OA specific transforms if present
        String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH);        
        try {
          oap.setTransformsInfos(loadTransformsInfos(transformsInfoFileNames));
        } catch (Exception ex) {
          Logger.error("Error loading transforms specified for OA \"" + publicURLPrefix + "\"; using default transforms.");
        } 
        Node verifyInfoboxParamtersNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH);
        oap.setVerifyInfoboxParameters(buildVerifyInfoboxParameters(
          verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID)); 
      } 
      OA_set.add(oap);
    }
    OAAuthParameter[] result =
      new OAAuthParameter[OA_set.size()];
    OA_set.toArray(result);

    return result;

  }
  
  /**
   * Builds the URL for a BKUSelectionTemplate or a Template. The method selects
   * the uri string from the MOA ID configuration file via the given xpath expression
   * and returns either this string or the default value.
   * 
   * @param oaAUTHComponent The AuthComponent element to get the template from.
   * @param xpathExpr       The xpath expression for selecting the template uri.
   * @param defaultURL      The default template url.
   * @return                The template url. This may either the via xpath selected uri
   *                        or, if no template is specified within the online appliacation,
   *                        the default url. Both may be <code>null</code>.
   */
  private String buildTemplateURL(Element oaAAuthComponent, String xpathExpr, String defaultURL) {
    String templateURL = XPathUtils.getAttributeValue(oaAAuthComponent, xpathExpr, defaultURL);
    if (templateURL != null) {
    	templateURL = FileUtils.makeAbsoluteURL(templateURL, rootConfigFileDir_);
    }
    return templateURL;
  }

  /**
   * Build a bean containing all information about the ProxyComponent
   * @return The ConnectionParameter for the Proxy Component
   */
  public ConnectionParameter buildAuthComponentConnectionParameter() 
  {

    Element connectionParameter = (Element) XPathUtils.selectSingleNode(configElem_, PROXY_AUTH_XPATH);
    if (connectionParameter==null) return null;
    return buildConnectionParameter(connectionParameter);

  }
  /**
   * Method buildConnectionParameter: internal Method for creating a 
   * ConnectionParameter object with all data found in the incoming element
   * @param root: this Element contains the ConnectionParameter
   * @return ConnectionParameter
   */
  protected ConnectionParameter buildConnectionParameter(Element root) 
  {
    ConnectionParameter result = new ConnectionParameter();
    result.setAcceptedServerCertificates(
      XPathUtils.getElementValue(root,CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH,null));
    
    result.setAcceptedServerCertificates(FileUtils.makeAbsoluteURL(
    	result.getAcceptedServerCertificates(), rootConfigFileDir_));
      
    result.setUrl(
      XPathUtils.getAttributeValue(root, CONNECTION_PARAMETER_URL_XPATH, ""));
    result.setClientKeyStore(
      XPathUtils.getElementValue(root,CONNECTION_PARAMETERN_KEYSTORE_XPATH,null));
    
    result.setClientKeyStore(FileUtils.makeAbsoluteURL(
    	result.getClientKeyStore(), rootConfigFileDir_));
    
    result.setClientKeyStorePassword(
    	XPathUtils.getAttributeValue(root,CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH,""));
    
    if ((result.getAcceptedServerCertificates()==null)
        && (result.getUrl()=="")
        && (result.getClientKeyStore()==null)
        && (result.getClientKeyStorePassword()==""))
        return null;
    
    return result;
  }

  /**
   * Build an array of OnlineApplication Parameter Beans containing information 
   * about the proxy component
   * @return An OAProxyParameter array containing beans
   * with all relevant information for the proxy component of the online 
   * application
   */
  public OAProxyParameter[] buildOnlineApplicationProxyParameters() throws ConfigurationException{

    List oA_list = new ArrayList();
    NodeList OAIter = XPathUtils.selectNodeList(configElem_, OA_XPATH);

    for (int i = 0; i < OAIter.getLength(); i++) {
      Element oAElem = (Element) OAIter.item(i);
      OAProxyParameter oap = new OAProxyParameter();
      
      oap.setPublicURLPrefix(oAElem.getAttribute("publicURLPrefix"));
      oap.setOaType(oAElem.getAttribute("type"));
      Element proxyComponentElem = (Element) XPathUtils.selectSingleNode(oAElem,OA_PROXY_COMPONENT_XPATH);        
      if (proxyComponentElem != null) {
        oap.setConfigFileURL(XPathUtils.getAttributeValue(oAElem, OA_PROXY_URL_XPATH, null));
        oap.setConfigFileURL(FileUtils.makeAbsoluteURL(oap.getConfigFileURL(), rootConfigFileDir_));
        // default session time out: 3600 sec = 1 h
        oap.setSessionTimeOut(new Integer(XPathUtils.getAttributeValue(oAElem,OA_PROXY_SESSION_TIMEOUT_XPATH,"3600")).intValue());
        oap.setLoginParameterResolverImpl(XPathUtils.getAttributeValue(oAElem, OA_PROXY_LOGIN_PARA_XPATH, null));
        oap.setLoginParameterResolverConfiguration(XPathUtils.getAttributeValue(oAElem, OA_PROXY_LOGIN_PARA_CONF_XPATH, null));
        oap.setLoginParameterResolverConfiguration(FileUtils.makeAbsoluteURL(oap.getLoginParameterResolverConfiguration(), rootConfigFileDir_));
        oap.setConnectionBuilderImpl(XPathUtils.getAttributeValue(oAElem,OA_PROXY_CONNECTION_BUILDER_XPATH, null));
            
        ConnectionParameter conPara = buildConnectionParameter(proxyComponentElem);
        oap.setConnectionParameter(conPara);
  
        OAConfiguration oaConf = buildOAConfiguration(getOAConfigElement(oap));
        oap.setOaConfiguration(oaConf);
        
        oA_list.add(oap);
      }
    }
    OAProxyParameter[] result =
      new OAProxyParameter[oA_list.size()];
    oA_list.toArray(result);

    return result;

  }

  /**
   * Build the mapping of generic configuration properties.
   * 
   * @return a {@link Map} of generic configuration properties (a name to value
   * mapping) from the configuration.
   */
  public Map buildGenericConfiguration() {

    Map genericConfiguration = new HashMap();
    NodeIterator gcIter =
      XPathUtils.selectNodeIterator(
        configElem_,
        GENERIC_CONFIGURATION_XPATH);
    Element gcElem;

    while ((gcElem = (Element) gcIter.nextNode()) != null) {
      String gcName = gcElem.getAttribute("name");
      String gcValue = gcElem.getAttribute("value");

      genericConfiguration.put(gcName, gcValue);
    }

    return genericConfiguration;
  }
  /**
   * Method buildOAConfiguration.
   * 
   * Build an {@link OAConfiguration} Object from the given configuration DOM element
   * 
   * @param root
   * @return OAConfiguration
   * @throws ConfigurationException
   */
  public OAConfiguration buildOAConfiguration(Element root) throws ConfigurationException{

    OAConfiguration oaConfiguration = new OAConfiguration();

    //The LoginType hast to be "stateless" or "stateful" to be valid

    oaConfiguration.setLoginType(
      XPathUtils.getElementValue(root, OACONF_LOGIN_TYPE_XPATH, null));
    
    oaConfiguration.setBinding(
      XPathUtils.getElementValue(root, OACONF_BINDING_TYPE_XPATH, OAConfiguration.BINDUNG_FULL));    
      
    //Try to build the Parameter Auth Parameters
    NodeIterator paramAuthIter =
      XPathUtils.selectNodeIterator(
        root,
        OACONF_PARAM_AUTH_PARAMETER_XPATH);
    Element paramAuthElem;
    HashMap paramAuthMap = new HashMap();
    while ((paramAuthElem = (Element) paramAuthIter.nextNode()) != null) {
      String name = XPathUtils.getAttributeValue(paramAuthElem, "@Name", null);
      String value = XPathUtils.getAttributeValue(paramAuthElem, "@Value", null);
      if (paramAuthMap.containsKey(name))
        throw new ConfigurationException("config.06", new Object[]{"Doppelter Wert für Parameter per HeaderAuthentication"});
      paramAuthMap.put(name, value);
    }
    oaConfiguration.setParamAuthMapping(paramAuthMap);
    // Try to build the BasicAuthParameters
    oaConfiguration.setBasicAuthUserIDMapping(
      XPathUtils.getElementValue(root, OACONF_USER_ID_XPATH, null));
    oaConfiguration.setBasicAuthPasswordMapping(
      XPathUtils.getElementValue(root, OACONF_PASSWORD_XPATH, null));

    //Try to build the Parameter Auth Parameters
    NodeIterator headerAuthIter = XPathUtils.selectNodeIterator(root,OACONF_HEADER_AUTH_HEADER_XPATH);

    Element headerAuthElem;
    HashMap headerAuthMap = new HashMap();
    while ((headerAuthElem = (Element) headerAuthIter.nextNode()) != null) {
      String name =
        XPathUtils.getAttributeValue(headerAuthElem, "@Name", null);
      String value =
        XPathUtils.getAttributeValue(headerAuthElem, "@Value", null);
      // Contains Key (Neue Config-Exception: doppelte werte)
      if (headerAuthMap.containsKey(name))
        throw new ConfigurationException("config.06", new Object[]{"Doppelter Wert für Parameter per HeaderAuthentication"});
      headerAuthMap.put(name, value);
    }
    oaConfiguration.setHeaderAuthMapping(headerAuthMap);

    if (paramAuthMap.size() == 0) {
      if (oaConfiguration.getBasicAuthUserIDMapping() == null) {
        oaConfiguration.setAuthType(OAConfiguration.HEADER_AUTH);
      }
      else
        oaConfiguration.setAuthType(OAConfiguration.BASIC_AUTH);
    }
    else
      oaConfiguration.setAuthType(OAConfiguration.PARAM_AUTH);

    return oaConfiguration;
  }

  /**
   * Reads the configuration file of the online application, and creates a DOM tree from it.
   * If <code>/OnlineApplication/ProxyComponent@configFileURL</code> is not given, 
   * uses default configuration file location.
   * 
   * @param oap configuration data of online application, meant for use by MOA-ID-PROXY
   * @return Element DOM tree root element
   * @throws ConfigurationException on any exception thrown
   */
  private Element getOAConfigElement(OAProxyParameter oap) throws ConfigurationException
  {  
    try {
      String configFileURL = oap.getConfigFileURL();
      if (configFileURL == null) {
        // use default config file URL, when config file URL is not given
        configFileURL = oap.getConnectionParameter().getUrl();
        if (configFileURL.charAt(configFileURL.length() - 1) != '/')
          configFileURL += "/";
        configFileURL += DEFAULT_OA_CONFIG_FILENAME;
      }
      Logger.info("Loading MOA-OA configuration " + configFileURL);
      Element configElem = DOMUtils.parseXmlValidating(
        new ByteArrayInputStream(FileUtils.readURL(configFileURL)));
      return configElem;
    }
    catch (Throwable t) {
      throw new ConfigurationException("config.03", new Object[] {"OAConfiguration"} , t);
    }
  }

  /**
   * Returns the default chaining mode from the configuration.
   * 
   * @return The default chaining mode.
   */
  public String getDefaultChainingMode() {
    String defaultChaining =
      XPathUtils.getAttributeValue(
        configElem_,
        CHAINING_MODES_DEFAULT_XPATH,
        CM_CHAINING);

    return translateChainingMode(defaultChaining);

  }
  /**
   * Build the chaining modes for all configured trust anchors.
   * 
   * @return The mapping from trust anchors to chaining modes.
   */
  public Map buildChainingModes() {
    Map chainingModes = new HashMap();
    NodeIterator trustIter =
      XPathUtils.selectNodeIterator(configElem_, TRUST_ANCHOR_XPATH);
    Element trustAnchorElem;

    while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) {
      IssuerAndSerial issuerAndSerial = buildIssuerAndSerial(trustAnchorElem);
      String mode = trustAnchorElem.getAttribute("mode");

      if (issuerAndSerial != null) {
        chainingModes.put(issuerAndSerial, translateChainingMode(mode));
      }
    }

    return chainingModes;
  }
  
  /**
   * Build an <code>IssuerAndSerial</code> from the DOM representation.
   * 
   * @param root The root element (being of type <code>dsig:
   * X509IssuerSerialType</code>.
   * @return The issuer and serial number contained in the <code>root</code>
   * element or <code>null</code> if could not be built for any reason.
   */
  private IssuerAndSerial buildIssuerAndSerial(Element root) {
    String issuer = XPathUtils.getElementValue(root, ISSUER_XPATH, null);
    String serial = XPathUtils.getElementValue(root, SERIAL_XPATH, null);

    if (issuer != null && serial != null) {
      try {
        RFC2253NameParser nameParser = new RFC2253NameParser(issuer);
        Principal issuerDN = nameParser.parse();

        return new IssuerAndSerial(issuerDN, new BigInteger(serial));
      } catch (RFC2253NameParserException e) {
        warn("config.09", new Object[] { issuer, serial }, e);
        return null;
      } catch (NumberFormatException e) {
        warn("config.09", new Object[] { issuer, serial }, e);
        return null;
      }
    }
    return null;
  }

  /**
   * Translate the chaining mode from the configuration file to one used in the
   * IAIK MOA API.
   * 
   * @param chainingMode The chaining mode from the configuration.
   * @return The chaining mode as provided by the <code>ChainingModes</code>
   * interface.
   * @see iaik.pki.pathvalidation.ChainingModes
   */
  private String translateChainingMode(String chainingMode) {
    if (chainingMode.equals(CM_CHAINING)) {
      return ChainingModes.CHAIN_MODE;
    } else if (chainingMode.equals(CM_PKIX)) {
      return ChainingModes.PKIX_MODE;
    } else {
      return ChainingModes.CHAIN_MODE;
    }
  }
  
  /**
   * Builds the IdentityLinkDomainIdentifier as needed for providing it to the
   * SecurityLayer for computation of the wbPK.
   * <p>e.g.:<br>
   * input element:
   * <br>
   * <code>&lt;pr:Firmenbuchnummer Identifier="FN"&gt;000468 i&lt;/pr:Firmenbuchnummer&gt;</code>
   * <p>
   * return value: <code>urn:publicid:gv.at+wbpk+FN468i</code>
   * 
   * @param number  The element holding the identification number of the business
   *                company.
   * @return
   */
  private String buildIdentityLinkDomainIdentifier(Element number) {
    if (number == null) {
      return null;
    }
    String identificationNumber = number.getFirstChild().getNodeValue();
    String identifier = number.getAttribute("Identifier");
    // remove all blanks
    identificationNumber = StringUtils.removeBlanks(identificationNumber);
    if (number.getLocalName().equals("Firmenbuchnummer") || identifier.equalsIgnoreCase("fn")) {
      // delete zeros from the beginning of the number
      identificationNumber = StringUtils.deleteLeadingZeros(identificationNumber);
      // remove hyphens
      identificationNumber = StringUtils.removeToken(identificationNumber, "-");
    }
    StringBuffer identityLinkDomainIdentifier = new StringBuffer(Constants.URN_PREFIX_WBPK);
    identityLinkDomainIdentifier.append("+");
    if (!identificationNumber.startsWith(identifier)) {
      identityLinkDomainIdentifier.append(identifier);
    }
    identityLinkDomainIdentifier.append("+");
    identityLinkDomainIdentifier.append(identificationNumber);
    return identityLinkDomainIdentifier.toString();
  }
  
    /**
   * Builds the parameters for verifying additional infoboxes (additional to the
   * IdentityLink infobox).
   * 
   * @param verifyInfoboxesElem     The <code>VerifyInfoboxes</code> element from the 
   *                                config file. This maybe the global element or the
   *                                elment from an Online application.
   * @param defaultVerifyInfoboxParameters Default parameters to be used, if no 
   *                                <code>VerifyInfoboxes</code> element is present.
   *                                 This only applies to parameters
   *                                of an specific online application and is set to 
   *                                <code>null</code> when building the global parameters.
   * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
   *                                the identity link signer certificate. Needed for
   *                                checking if this ID is not used for validating other 
   *                                infoboxes.
   *                           
   * @return A {@link at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters VerifyInfoboxParameters}
   *         object needed for verifying additional infoboxes.
   *         
   * @throws ConfigurationException If the trust profile for validating the identity link 
   *                                signer certificate is used for validating another infobox.
   */
  public VerifyInfoboxParameters buildVerifyInfoboxParameters(
    Node verifyInfoboxesElem, 
    VerifyInfoboxParameters defaultVerifyInfoboxParameters,
    String moaSpIdentityLinkTrustProfileID)
  throws ConfigurationException
  {
    
    if ((verifyInfoboxesElem == null) && (defaultVerifyInfoboxParameters == null)) {
      return null;
    }
    Vector identifiers = new Vector(); 
    List defaultIdentifiers = null;
    Map defaultInfoboxParameters = null;
    if (defaultVerifyInfoboxParameters != null) {
      defaultIdentifiers = defaultVerifyInfoboxParameters.getIdentifiers();
      defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters();
    }
    Hashtable infoboxParameters = new Hashtable();
    if (verifyInfoboxesElem != null) {
      // get the DefaultTrustProfileID
      String defaultTrustProfileID = null;    
      Node defaultTrustProfileNode =
        XPathUtils.selectSingleNode(verifyInfoboxesElem, VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH);
      if (defaultTrustProfileNode != null) {
        Node trustProfileIDNode =
          XPathUtils.selectSingleNode(defaultTrustProfileNode, VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH);
        defaultTrustProfileID = trustProfileIDNode.getFirstChild().getNodeValue(); 
        if (defaultTrustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
          throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
        }
      }      
      // get the Infoboxes
      NodeList infoboxes = 
        XPathUtils.selectNodeList(verifyInfoboxesElem, VERIFY_INFOBOXES_INFOBOX_XPATH);        
      for (int i=0; i<infoboxes.getLength(); i++) {
        Element infoBoxElem = (Element)infoboxes.item(i);
        // get the identifier of the infobox
        String identifier = infoBoxElem.getAttribute("Identifier");
        identifiers.add(identifier);
        VerifyInfoboxParameter verifyInfoboxParameter = new VerifyInfoboxParameter(identifier);
        verifyInfoboxParameter.setFriendlyName(identifier);
        // get the attributes
        // (1) required: override global value in any case
        verifyInfoboxParameter.setRequired(BoolUtils.valueOf(
          infoBoxElem.getAttribute("required")));
        // (2) provideStammzahl: override global value in any case
        verifyInfoboxParameter.setProvideStammzahl(BoolUtils.valueOf(
          infoBoxElem.getAttribute("provideStammzahl")));
        // (3) proviedIdentityLink: override global value in any case
        verifyInfoboxParameter.setProvideIdentityLink(BoolUtils.valueOf(
          infoBoxElem.getAttribute("provideIdentityLink")));
        // set default trustprofileID
        if (defaultTrustProfileID != null) {
          verifyInfoboxParameter.setTrustProfileID(defaultTrustProfileID);
        }
        // get the parameter elements
        boolean localValidatorClass = false;
        boolean localFriendlyName = false;
        List params = DOMUtils.getChildElements(infoBoxElem);
        Iterator it = params.iterator();
        while (it.hasNext()) {
          Element paramElem = (Element)it.next();                 
          String paramName = paramElem.getLocalName();
          if (paramName.equals("FriendlyName")) {
            verifyInfoboxParameter.setFriendlyName(paramElem.getFirstChild().getNodeValue());
            localFriendlyName = true;
          } else if (paramName.equals("TrustProfileID")) {
            String trustProfileID = paramElem.getFirstChild().getNodeValue();
            if (trustProfileID != null) {
              if (trustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
                throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
              }
              verifyInfoboxParameter.setTrustProfileID(trustProfileID);
            } 
          } else if (paramName.equals("ValidatorClass")) {
            String validatorClassName = paramElem.getFirstChild().getNodeValue();
            if (validatorClassName != null) {
              verifyInfoboxParameter.setValidatorClassName(validatorClassName);
              localValidatorClass = true;
            }            
          } else if (paramName.equals("SchemaLocations")) {
            List schemaElems = DOMUtils.getChildElements(paramElem);
            List schemaLocations = new Vector(schemaElems.size());
            Iterator schemaIterator = schemaElems.iterator();
            while (schemaIterator.hasNext()) {
              Element schemaElem = (Element)schemaIterator.next();
              String namespace = schemaElem.getAttribute("namespace");
              String schemaLocation = schemaElem.getAttribute("schemaLocation");
              // avoid adding the same schema twice
              Iterator schemaLocationIterator = schemaLocations.iterator();
              boolean add = true;
              while (schemaLocationIterator.hasNext()) {                
                String existingNamespace = ((Schema)schemaLocationIterator.next()).getNamespace();
                if (namespace.equals(existingNamespace)) {
                  Logger.warn("Multiple schemas specified for namespace \"" + namespace + 
                    "\"; only using the first one.");
                  add = false;
                  break;
                }
              }
              if (add) {
                schemaLocations.add(new SchemaImpl(namespace, schemaLocation));
              }
            }
            verifyInfoboxParameter.setSchemaLocations(schemaLocations);            
          } else if (paramName.equals("ApplicationSpecificParameters")) {
            verifyInfoboxParameter.setApplicationSpecificParams(paramElem);
          }
        }        
        // use default values for those parameters not yet set by local configuration
        if (defaultInfoboxParameters != null) {
          Object defaultVerifyIP = defaultInfoboxParameters.get(identifier);
          if (defaultVerifyIP != null) {
            VerifyInfoboxParameter defaultVerifyInfoboxParameter = 
              (VerifyInfoboxParameter)defaultVerifyIP;
            // if no friendly is set, use default
            if (!localFriendlyName) {
              verifyInfoboxParameter.setFriendlyName(
                defaultVerifyInfoboxParameter.getFriendlyName());
            }
            // if no TrustProfileID is set, use default, if available
            if (verifyInfoboxParameter.getTrustProfileID() == null) {
              verifyInfoboxParameter.setTrustProfileID(
                defaultVerifyInfoboxParameter.getTrustProfileID());
            } 
            // if no local validator class is set, use default
            if (!localValidatorClass) {
              verifyInfoboxParameter.setValidatorClassName(
                defaultVerifyInfoboxParameter.getValidatorClassName());
            }
            // if no schema locations set, use default         
            if (verifyInfoboxParameter.getSchemaLocations() == null) {
              verifyInfoboxParameter.setSchemaLocations(
                defaultVerifyInfoboxParameter.getSchemaLocations());
            }
            // if no application specific parameters set, use default
            if (verifyInfoboxParameter.getApplicationSpecificParams() == null) {
              verifyInfoboxParameter.setApplicationSpecificParams(
                defaultVerifyInfoboxParameter.getApplicationSpecificParams());
            }
          }
        }
        infoboxParameters.put(identifier, verifyInfoboxParameter);
      }
      // add the infobox identifiers not present within the local configuration to the 
      // identifier list
      if (defaultIdentifiers != null) {
        Iterator identifierIterator = defaultIdentifiers.iterator();
        while (identifierIterator.hasNext()) {
          String defaultIdentifier = (String)identifierIterator.next();
          if (!identifiers.contains(defaultIdentifier)) {
            identifiers.add(defaultIdentifier);
          }
        }
      }
      return new VerifyInfoboxParameters(identifiers, infoboxParameters);
    } else {
      return new VerifyInfoboxParameters(defaultIdentifiers, infoboxParameters);
    }       
  }

  /**
   * Method warn.
   * @param messageId to identify a country-specific message
   * @param parameters for the logger
   */
  //
  // various utility methods
  //

  private static void warn(String messageId, Object[] parameters) {
    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters));
  }

  /**
   * Method warn.
   * @param messageId to identify a country-specific message
   * @param args for the logger
   * @param t as throwabl
   */
  private static void warn(String messageId, Object[] args, Throwable t) {
    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, args), t);
  } 
}