/*
 * Copyright 2003 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 */


package at.gv.egovernment.moa.id.config.legacy;

import iaik.pki.pathvalidation.ChainingModes;
import iaik.utils.RFC2253NameParser;
import iaik.utils.RFC2253NameParserException;

import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;

import org.opensaml.saml2.metadata.RequestedAttribute;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.w3c.dom.traversal.NodeIterator;

import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.auth.data.Schema;
import at.gv.egovernment.moa.id.auth.data.SchemaImpl;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.legacy.OAAuthParameter;
import at.gv.egovernment.moa.id.config.legacy.VerifyInfoboxParameter;
import at.gv.egovernment.moa.id.config.legacy.VerifyInfoboxParameters;
import at.gv.egovernment.moa.id.config.legacy.CPEPS;
import at.gv.egovernment.moa.id.config.legacy.SignatureCreationParameter;
import at.gv.egovernment.moa.id.config.legacy.SignatureVerificationParameter;
import at.gv.egovernment.moa.id.data.IssuerAndSerial;
import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.BoolUtils;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.FileUtils;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
import at.gv.egovernment.moa.util.XPathException;
import at.gv.egovernment.moa.util.XPathUtils;
import eu.stork.vidp.messages.builder.STORKMessagesBuilder;
import eu.stork.vidp.messages.common.STORKConstants;
import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel;
import eu.stork.vidp.messages.stork.RequestedAttributes;
import eu.stork.vidp.messages.util.SAMLUtil;

/**
 * A class that builds configuration data from a DOM based representation.
 * 
 * @author Patrick Peck
 * @author Stefan Knirsch
 * @version $Id$
 */
public class ConfigurationBuilder {

  //
  // XPath namespace prefix shortcuts
  //
  /** an XPATH-Expression */ 
  protected static final String CONF = Constants.MOA_ID_CONFIG_PREFIX + ":";
  /** an XPATH-Expression */ 
  protected static final String DSIG = Constants.DSIG_PREFIX + ":";
  
  /** an XPATH-Expression */ 
  protected static final String STORK = Constants.STORK_PREFIX + ":";
  
  /** an XPATH-Expression */ 
  protected static final String STORKP= Constants.STORKP_PREFIX + ":";

  //
  // chaining mode constants appearing in the configuration file
  //
  /** an XPATH-Expression */ 
  protected static final String CM_CHAINING = "chaining";
  /** an XPATH-Expression */ 
  protected static final String CM_PKIX = "pkix";
  /** an XPATH-Expression */ 
  protected static final String DEFAULT_ENCODING = "UTF-8";

  //
  // XPath expressions to select certain parts of the configuration
  //
  /** an XPATH-Expression */ 
  protected static final String ROOT = "/" + CONF + "MOA-IDConfiguration/";
  
  /** an XPATH-Expression */ 
  protected static final String AUTH_BKU_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "BKUSelection";
  /** an XPATH-Expression */ 
  protected static final String AUTH_BKUSELECT_TEMPLATE_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL";
  /** an XPATH-Expression */ 
  protected static final String AUTH_TEMPLATE_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "Template/@URL";
    /** an XPATH-Expression */ 
  public static final String AUTH_TEMPLATE_ONLINEMANDATES_BKU_XPATH =
	   ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "OnlineMandates/" + CONF + "BKU";
  
  
  //protected static final String AUTH_MANDATE_TEMPLATE_XPATH =
//    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "MandateTemplate/@URL";
  /** an XPATH-Expression */ 
  protected static final String INPUT_PROCESSOR_TEMPLATE_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "Templates/" + CONF + "InputProcessorSignTemplate/@URL";
  /** an XPATH-Expression */ 
   public static final String AUTH_SECLAYER_TRANSFORMS_INFO_FILENAME_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "SecurityLayer/" + CONF + "TransformsInfo/@filename";
  /** an XPATH-Expression */ 
  protected static final String AUTH_MOA_SP_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP";
  /** an XPATH-Expression */ 
  protected static final String AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH =
      ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyIdentityLink/" + CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  protected static final String AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH =
        ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  protected static final String AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH =
   ROOT + CONF + "AuthComponent/" + CONF + "MOA-SP/" + CONF + "VerifyAuthBlock/" + CONF  + "VerifyTransformsInfoProfileID";

  /** an XPATH-Expression */ 
  protected static final String AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "IdentityLinkSigners/" + CONF + "X509SubjectName";
 
  /** an XPATH-Expression */ 
  public static final String AUTH_VERIFY_INFOBOXES_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "VerifyInfoboxes";
  
  /** an XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities";
  
  /** an XPATH-Expression */ 
  public static final String AUTH_ONLINEMANDATES_XPATH =
    ROOT + CONF + "AuthComponent/" + CONF + "OnlineMandates";
  
  
  
  /** an XPATH-Expression */ 
  protected static final String OA_XPATH = ROOT + CONF + "OnlineApplication";
  /** an XPATH-Expression */ 
  protected static final String OA_LOGIN_XPATH = ROOT + CONF + "OnlineApplication/@loginURL";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_XPATH = CONF + "AuthComponent";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH = CONF + "IdentificationNumber";    
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH =
    CONF + "Templates/" + CONF + "BKUSelectionTemplate/@URL";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_TEMPLATE_XPATH =
    CONF + "Templates/" + CONF + "Template/@URL";
  /** an XPATH-Expression */
  public static final String OA_AUTH_COMPONENT_TEMPLATE_ONLINEMANDATES_BKU_XPATH = 
	   CONF + "Templates/" + CONF + "OnlineMandates/" + CONF + "BKU";
  //protected static final String OA_AUTH_COMPONENT_MANDATE_TEMPLATE_XPATH =
    //CONF + "Templates/" + CONF + "MandateTemplate/@URL";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH = CONF + "TransformsInfo/@filename";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH = CONF + "VerifyInfoboxes";
  /** an XPATH-Expression */ 
  protected static final String OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH = CONF + "Mandates" + "/" + CONF + "Profiles";
  /** an XPATH-Expression */ 
  protected static final String CONNECTION_PARAMETER_URL_XPATH =
    CONF + "ConnectionParameter/@URL";
  /** an XPATH-Expression */ 
  protected static final String CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH =
    CONF + "ConnectionParameter/" + CONF + "AcceptedServerCertificates";
  /** an XPATH-Expression */ 
  protected static final String CONNECTION_PARAMETERN_KEYSTORE_XPATH =
    CONF + "ConnectionParameter/" + CONF + "ClientKeyStore";
  /** an XPATH-Expression */ 
  protected static final String CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH =
    CONNECTION_PARAMETERN_KEYSTORE_XPATH + "/@password";
  /** an XPATH-Expression */ 
  protected static final String GENERIC_CONFIGURATION_XPATH =
    ROOT + CONF + "GenericConfiguration";
  
  /** an XPATH-Expression */ 
  protected static final String TRUSTED_BKUS =
    ROOT + CONF + "TrustedBKUs/" + CONF + "BKUURL";

  protected static final String TRUSTED_TEMPLATEURLS =
	    ROOT + CONF + "TrustedTemplateURLs/" + CONF + "TemplateURL";

  
  /** an XPATH-Expression */ 
  protected static final String CHAINING_MODES_XPATH =
    ROOT + CONF + "ChainingModes";
  /** an XPATH-Expression */ 
  protected static final String CHAINING_MODES_DEFAULT_XPATH =
    CHAINING_MODES_XPATH + "/@systemDefaultMode";
  /** an XPATH-Expression */ 
  protected static final String TRUST_ANCHOR_XPATH =
    ROOT + CONF + "ChainingModes/" + CONF + "TrustAnchor";
  /** an XPATH-Expression */ 
  protected static final String ISSUER_XPATH = DSIG + "X509IssuerName";
  /** an XPATH-Expression */ 
  protected static final String SERIAL_XPATH = DSIG + "X509SerialNumber";
  /** an XPATH-Expression */ 
  protected static final String TRUSTED_CA_CERTIFICATES_XPATH =
    ROOT + CONF + "TrustedCACertificates";
  
  /** an XPATH-Expression */ 
  protected static final String VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH = CONF + "DefaultTrustProfile";
  /** an XPATH-Expression */ 
  protected static final String VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH = CONF + "TrustProfileID";
  /** an XPATH-Expression */ 
  protected static final String VERIFY_INFOBOXES_INFOBOX_XPATH = CONF + "Infobox";
  
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_CPEPS =
    ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities/" + CONF + "STORK/" + CONF + "C-PEPS";
  
  /** STORK Config AttributeName */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_COUNTRY_CODE = "countryCode";
  
  /** STORK Config AttributeName */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_URL = "URL";
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_CREATION_PARAMETER =
    ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities/" + CONF + "STORK/" + CONF + "SAMLSigningParameter/" +
    CONF + "SignatureCreationParameter" ;
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_REQUESTED_ATTRIBUTES =
    STORK + "RequestedAttribute";
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_VERIFICATION_PARAMETER =
    ROOT + CONF + "AuthComponent/" + CONF + "ForeignIdentities/" + CONF + "STORK/" + CONF + "SAMLSigningParameter/" +
    CONF + "SignatureVerificationParameter";
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE =    
	CONF + "KeyStore";
  
  /** STORK Config XPATH-Expression */  
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_KEYNAME =    
	  CONF + "KeyName";
  
  /** STORK Config XPATH-Expression */  
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE_PASSWORD =    
    	CONF + "KeyStore/@password";
  
  /** STORK Config XPATH-Expression */  
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_KEYNAME_PASSWORD =    
    	CONF + "KeyName/@password";
  
  /** STORK Config XPATH-Expression */ 
  public static final String AUTH_FOREIGN_IDENTITIES_STORK_TRUSTPROFILE_ID =
    	CONF + "TrustProfileID";

  /** STORK Config XPATH-Expression */ 
  public static final String OA_AUTH_COMPONENT_STORK_QAA =
    CONF + "STORK/" + STORK + "QualityAuthenticationAssuranceLevel";
  
  /** STORK Config XPATH-Expression */ 
  public static final String OA_AUTH_COMPONENT_STORK_REQUESTED_ATTRIBUTE =
    CONF + "STORK/" + STORKP + "RequestedAttributes/" + STORK + "RequestedAttribute";
    
   /**
    * main configuration file directory name used to configure MOA-ID 
    */
   protected String rootConfigFileDir_;
  
  /** The root element of the MOA-ID configuration */
  protected Element configElem_;

  /**
   * Creates a new <code>MOAConfigurationProvider</code>.
   * 
   * @param configElem The root element of the MOA-ID configuration.
   */
  public ConfigurationBuilder(Element configElem, String rootConfigDir) {
    configElem_ = configElem;
    rootConfigFileDir_ = rootConfigDir;
  }

  /**
   * Returns the root element of the MOA-ID configuration. 
   * 
   * @return The root element of the MOA-ID configuration.
   */
  public Element getConfigElem() {
    return configElem_;
  }

  /**
   * Build a ConnectionParameter object containing all information
   * of the moa-sp element in the authentication component 
   * @return ConnectionParameter of the authentication component moa-sp element 
   */
  public ConnectionParameter buildAuthBKUConnectionParameter() {

    Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH);
    if (authBKU==null) return null;
    return buildConnectionParameter(authBKU);
  }
  
  /**
   * Build a ConnectionParameter containing all information
   * of the foreignid element in the authentication component
   * @return ConnectionParameter of the authentication component foreignid element
   */
  public ConnectionParameter buildForeignIDConnectionParameter() {
     Element foreignid = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_FOREIGN_IDENTITIES_XPATH);
     if (foreignid==null) return null;
     return buildConnectionParameter(foreignid);

  }
  
  /**
   * Build a ConnectionParameter containing all information
   * of the OnlineMandates element in the authentication component
   * @return ConnectionParameter of the authentication component OnlineMandates element
   */
  public ConnectionParameter buildOnlineMandatesConnectionParameter() {
     Element onlinemandates = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_ONLINEMANDATES_XPATH);
     if (onlinemandates==null) return null;
     return buildConnectionParameter(onlinemandates);

  }

  /**
   * Method buildAuthBKUSelectionType.
   * 
   * Build a string with the configuration value of BKUSelectionAlternative
   * 
   * @return String
   */
  public String buildAuthBKUSelectionType() {

   Element authBKU = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_BKU_XPATH);
   if (authBKU==null) return null;   
   return (authBKU).getAttribute("BKUSelectionAlternative");
  }

  /**
   * Build a string array with all filenames leading
   * to the Transforms Information for the Security Layer
   * @param contextNode The node from which should be searched
   * @param xpathExpr The XPATH expression for the search
   * @return String[] of filenames to the Security Layer Transforms Information 
   *         or <code>null</code> if no transforms are included
   */
  public String[] buildTransformsInfoFileNames(Node contextNode, String xpathExpr) {
    
    List transformsInfoFileNames = new ArrayList();
    
    try {
      NodeIterator tiIter = XPathUtils.selectNodeIterator(contextNode, xpathExpr);
      
      Attr tiElem;
      while ((tiElem = (Attr) tiIter.nextNode()) != null) {
        String tiFileName = tiElem.getNodeValue();
        transformsInfoFileNames.add(tiFileName);
      }
      
      String[] result = new String[transformsInfoFileNames.size()];
      transformsInfoFileNames.toArray(result);
  
      return result;
    } catch (XPathException xpe) {
      return new String[0];
    }
  }
  
  
  /**
   * Loads the <code>transformsInfos</code> from files.
   * @throws Exception on any exception thrown
   */
  public String[] loadTransformsInfos(String[] transformsInfoFileNames) throws Exception {
    
	String[] transformsInfos;
	  
		transformsInfos = new String[transformsInfoFileNames.length];
		for (int i = 0; i < transformsInfoFileNames.length; i++) {
			
			String fileURL = transformsInfoFileNames[i];
			try {
			//	if fileURL is relative to rootConfigFileDir make it absolute          
				fileURL = FileUtils.makeAbsoluteURL(fileURL, rootConfigFileDir_);
			
				String transformsInfo = FileUtils.readURL(fileURL, DEFAULT_ENCODING);
				transformsInfos[i] = transformsInfo;
				
			} catch (IOException e) {
				Logger.info("Transformation with URL " + fileURL + " can not be loaded");
			}
		}
	
    return transformsInfos;
  }

  /**
   * Build a ConnectionParameter bean containing all information
   * of the authentication component moa-sp element 
   * @return ConnectionParameter of the authentication component moa-sp element 
   */
  public ConnectionParameter buildMoaSpConnectionParameter() {

    Element connectionParameter = (Element) XPathUtils.selectSingleNode(configElem_, AUTH_MOA_SP_XPATH);
    if (connectionParameter==null) return null;
    return buildConnectionParameter(connectionParameter);
  }

  /**
   * Return a string with a url-reference to the VerifyIdentityLink trust 
   * profile id within the moa-sp part of the authentication component
   * @return String with a url-reference to the VerifyIdentityLink trust profile ID
   */
  public String getMoaSpIdentityLinkTrustProfileID() {
    return XPathUtils.getElementValue(
      configElem_,
      AUTH_MOA_SP_VERIFY_IDENTITY_TRUST_ID_XPATH,
      "");
  }
  /**
   * Return a string representation of an URL pointing to trusted CA Certificates 
   * @return String representation of an URL pointing to trusted CA Certificates 
   */
  public String getTrustedCACertificates() {
    return XPathUtils.getElementValue(
      configElem_,
      TRUSTED_CA_CERTIFICATES_XPATH,null);
  }
  
  /**
   * Return a string with a url-reference to the VerifyAuthBlock trust 
   * profile id within the moa-sp part of the authentication component
   * @return String with a url-reference to the VerifyAuthBlock trust profile ID
   */
  public String getMoaSpAuthBlockTrustProfileID() {
    return XPathUtils.getElementValue(
      configElem_,
      AUTH_MOA_SP_VERIFY_AUTH_TRUST_ID_XPATH,
      "");
  }
  /**
   * Build a string array with references to all verify transform info 
   * IDs within the moa-sp part of the authentication component
   * @return A string array containing all urls to the 
   * verify transform info IDs
   */
  public String[] buildMoaSpAuthBlockVerifyTransformsInfoIDs() {

    List verifyTransformsInfoIDs = new ArrayList();
    NodeIterator vtIter =
      XPathUtils.selectNodeIterator(
        configElem_,
        AUTH_MOA_SP_VERIFY_AUTH_VERIFY_ID_XPATH);
    Element vtElem;

    while ((vtElem = (Element) vtIter.nextNode()) != null) {

      String vtInfoIDs = DOMUtils.getText(vtElem);
      verifyTransformsInfoIDs.add(vtInfoIDs);
    }
    String[] result = new String[verifyTransformsInfoIDs.size()];
    verifyTransformsInfoIDs.toArray(result);

    return result;
  }

  public List getTrustedBKUs() {
	  
	  List trustedBKUs = new ArrayList();
	    
	      NodeIterator bkuIter = XPathUtils.selectNodeIterator(configElem_, TRUSTED_BKUS);
	      
	      Element vtElem;

	      while ((vtElem = (Element) bkuIter.nextNode()) != null) {
		      	String bkuURL = DOMUtils.getText(vtElem);
		      	trustedBKUs.add(bkuURL);
	      }
	      
	      return trustedBKUs;
	  
  }
  
public List getTrustedTemplateURLs() {
	  
	  List trustedTemplateURLs = new ArrayList();
	    
	      NodeIterator bkuIter = XPathUtils.selectNodeIterator(configElem_, TRUSTED_TEMPLATEURLS);
	      
	      Element vtElem;

	      while ((vtElem = (Element) bkuIter.nextNode()) != null) {
		      	String bkuURL = DOMUtils.getText(vtElem);
		      	trustedTemplateURLs.add(bkuURL);
	      }
	      
	      return trustedTemplateURLs;
	  
  }

  /**
   * Returns a list containing all X509 Subject Names 
   * of the Identity Link Signers
   * @return a list containing the configured identity-link signer X509 subject names
   */
  public List getIdentityLink_X509SubjectNames() {

    Vector x509SubjectNameList = new Vector();
    NodeIterator x509Iter =
      XPathUtils.selectNodeIterator(
        configElem_,
        AUTH_IDENTITY_LINK_X509SUBJECTNAME_XPATH);
    Element x509Elem;

    while ((x509Elem = (Element) x509Iter.nextNode()) != null) {
      String vtInfoIDs = DOMUtils.getText(x509Elem);
      x509SubjectNameList.add(vtInfoIDs);
    }
    
    // now add the default identity link signers
    String[] identityLinkSignersWithoutOID = MOAIDAuthConstants.IDENTITY_LINK_SIGNERS_WITHOUT_OID;
    for (int i=0; i<identityLinkSignersWithoutOID.length; i++) {
      String identityLinkSigner = identityLinkSignersWithoutOID[i];
      if (!x509SubjectNameList.contains(identityLinkSigner)) {
        x509SubjectNameList.add(identityLinkSigner);
      }
    }
   
    return x509SubjectNameList;
  }

  /**
   * Build an array of the OnlineApplication Parameters containing information 
   * about the authentication component
   * 
   * @param defaultVerifyInfoboxParameters Default parameters for verifying additional
   *                                infoboxes. Maybe <code>null</code>.
   * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
   *                                the identity link signer certificate. Needed for
   *                                checking if this ID is not used for validating other 
   *                                infoboxes.
   * 
   * @return An OAProxyParameter array containing beans
   * with all relevant information for the authentication component of the online 
   * application
   */
  public OAAuthParameter[] buildOnlineApplicationAuthParameters(
    VerifyInfoboxParameters defaultVerifyInfoboxParameters, String moaSpIdentityLinkTrustProfileID)
  throws ConfigurationException 
  {

    String bkuSelectionTemplateURL =     
        XPathUtils.getAttributeValue(configElem_, AUTH_BKUSELECT_TEMPLATE_XPATH, null);
    String templateURL =     
    	XPathUtils.getAttributeValue(configElem_, AUTH_TEMPLATE_XPATH, null);
    String inputProcessorSignTemplateURL =     
      XPathUtils.getAttributeValue(configElem_, INPUT_PROCESSOR_TEMPLATE_XPATH, null);
    
    
    List OA_set = new ArrayList();
    NodeList OAIter = XPathUtils.selectNodeList(configElem_, OA_XPATH);

    for (int i = 0; i < OAIter.getLength(); i++) {
      Element oAElem = (Element) OAIter.item(i);
      Element authComponent =
        (Element) XPathUtils.selectSingleNode(oAElem, OA_AUTH_COMPONENT_XPATH);

      OAAuthParameter oap = new OAAuthParameter();
      String publicURLPrefix = oAElem.getAttribute("publicURLPrefix");
      oap.setPublicURLPrefix(publicURLPrefix);
      oap.setKeyBoxIdentier(oAElem.getAttribute("keyBoxIdentifier"));
      oap.setFriendlyName(oAElem.getAttribute("friendlyName"));
      String targetConfig = oAElem.getAttribute("target"); 
      String targetFriendlyNameConfig = oAElem.getAttribute("targetFriendlyName"); 
      
      // get the type of the online application
      String oaType = oAElem.getAttribute("type");
      oap.setOaType(oaType);
      String slVersion = "1.1";
      if ("businessService".equalsIgnoreCase(oaType)) {
        if (authComponent==null) {
          Logger.error("Missing \"AuthComponent\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        } 
        Element identificationNumberElem =
          (Element) XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_IDENT_NUMBER_XPATH);
        if (identificationNumberElem==null) {
          Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        } 
        Element identificationNumberChild = DOMUtils.getElementFromNodeList(identificationNumberElem.getChildNodes());
        if (identificationNumberChild == null) {
          Logger.error("Missing \"IdentificationNumber\" for OA of type \"businessService\"");
          throw new ConfigurationException("config.02", null);
        }

        if (!StringUtils.isEmpty(targetConfig)) {
        	Logger.error("Target attribute can not be set for OA of type \"businessService\"");
        	throw new ConfigurationException("config.02", null);
        }
        if (!StringUtils.isEmpty(targetFriendlyNameConfig)) {
        	Logger.error("Target friendly name attribute can not be set for OA of type \"businessService\"");
        	throw new ConfigurationException("config.02", null);
        }
        
        	
        if ("false".equalsIgnoreCase(oAElem.getAttribute("calculateHPI"))) {
         oap.setIdentityLinkDomainIdentifier(buildIdentityLinkDomainIdentifier(identificationNumberChild));
         //BZ.., setting type of IdLinkDomainIdentifier
         oap.setIdentityLinkDomainIdentifierType(identificationNumberChild.getLocalName());
         //..BZ
        } else {
         // If we have business service and want to dealt with GDA, the security layer can be advised to calulate 
         // the Health Professional Identifier HPI instead of the wbPK
            Logger.info("OA uses HPI for Identification");
         oap.setIdentityLinkDomainIdentifier(Constants.URN_PREFIX_HPI);
        }
        
        // if OA type is "businessSErvice" set slVersion to 1.2 and ignore parameter in config file
        Logger.info("OA type is \"businessService\"; setting Security Layer version to 1.2");
        slVersion = "1.2";
        
      } else {
          
    	  if (StringUtils.isEmpty(targetConfig) && !StringUtils.isEmpty(targetFriendlyNameConfig)) {
    		  Logger.error("Target friendly name attribute can not be set alone for OA of type \"businessService\"");
    		  throw new ConfigurationException("config.02", null);
    	  }
    	  oap.setTarget(targetConfig);
    	  oap.setTargetFriendlyName(targetFriendlyNameConfig);
    	  
        if (authComponent!=null) {
          slVersion = authComponent.getAttribute("slVersion");
        }
        
        
      }
      oap.setSlVersion(slVersion);
      //Check if there is an Auth-Block to read from configuration
      
      if (authComponent!=null)
      {
        oap.setProvideStammzahl(BoolUtils.valueOf(authComponent.getAttribute("provideStammzahl")));
        oap.setProvideAuthBlock(BoolUtils.valueOf(authComponent.getAttribute("provideAUTHBlock")));
        oap.setProvideIdentityLink(BoolUtils.valueOf(authComponent.getAttribute("provideIdentityLink")));
        oap.setProvideCertificate(BoolUtils.valueOf(authComponent.getAttribute("provideCertificate")));
        oap.setProvideFullMandatorData(BoolUtils.valueOf(authComponent.getAttribute("provideFullMandatorData")));
        oap.setUseUTC(BoolUtils.valueOf(authComponent.getAttribute("useUTC")));
        oap.setUseCondition(BoolUtils.valueOf(authComponent.getAttribute("useCondition")));
        oap.setConditionLength(buildConditionLength(authComponent.getAttribute("conditionLength")));        
        oap.setBkuSelectionTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_BKUSELECT_TEMPLATE_XPATH, bkuSelectionTemplateURL));
        oap.setTemplateURL(buildTemplateURL(authComponent, OA_AUTH_COMPONENT_TEMPLATE_XPATH, templateURL));        
      
//        System.out.println(publicURLPrefix);
//        System.out.println("useCondition: " + oap.getUseCondition());
//        System.out.println("conditionLength: " + oap.getConditionLength());
        
        oap.setInputProcessorSignTemplateURL(buildTemplateURL(authComponent, INPUT_PROCESSOR_TEMPLATE_XPATH, inputProcessorSignTemplateURL));        
        // load OA specific transforms if present
        String[] transformsInfoFileNames = buildTransformsInfoFileNames(authComponent, OA_AUTH_COMPONENT_TRANSFORMS_INFO_FILENAME_XPATH);        
        try {
          oap.setTransformsInfos(loadTransformsInfos(transformsInfoFileNames));
        } catch (Exception ex) {
          Logger.error("Error loading transforms specified for OA \"" + publicURLPrefix + "\"; using default transforms.");
        } 
        Node verifyInfoboxParamtersNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_VERIFY_INFOBOXES_XPATH);
        oap.setVerifyInfoboxParameters(buildVerifyInfoboxParameters(
          verifyInfoboxParamtersNode, defaultVerifyInfoboxParameters, moaSpIdentityLinkTrustProfileID));
        
        Node mandateProfilesNode = XPathUtils.selectSingleNode(authComponent, OA_AUTH_COMPONENT_MANDATES_PROFILES_XPATH);
        if (mandateProfilesNode != null) {
        	if ("businessService".equalsIgnoreCase(oaType)) {        		
        		Logger.error("No Online Mandate Modus for OA of type \"businessService\" allowed.");
                throw new ConfigurationException("config.02", null);
        	}
        	else {
        		String profiles = DOMUtils.getText(mandateProfilesNode);
        		oap.setMandateProfiles(profiles);
        	}        	
        }        
        
        //add STORK Configuration specific to OA (RequestedAttributes, QAALevel)
        //QualityAuthenticationAssuranceLevel qaaLevel = buildOaSTORKQAALevel(authComponent);
        //if (qaaLevel != null) {        	
        //	oap.setQaaLevel(qaaLevel);
        //	Logger.debug("Using non-MOA-default STORK QAALevel for this OA " + "(" + oap.getPublicURLPrefix() + "): " + qaaLevel.getValue());
        //}
        
        //RequestedAttributes additionalRequestedAttributes = buildOaSTORKRequestedAttributes(authComponent); 
       // 
        //if(!additionalRequestedAttributes.getRequestedAttributes().isEmpty()) {
        //	//we have additional STORK attributes to request for this OA         	
        //	Logger.debug("Using non-MOA-default STORK RequestedAttributes for this OA " + "(" + oap.getPublicURLPrefix() + "): ");
        //	for (RequestedAttribute addReqAttr : additionalRequestedAttributes.getRequestedAttributes()) {
        //		if (!SAMLUtil.containsAttribute(oap.getRequestedAttributes().getRequestedAttributes(),addReqAttr.getName())) {
        ///			addReqAttr.detach();
        //			oap.getRequestedAttributes().getRequestedAttributes().add(addReqAttr);
        //			Logger.debug("Requesting additional attribute: " + addReqAttr.getName() + ", isRequired: " + addReqAttr.isRequired());
        //		}
        //	}
        	
        //} else {
        //	//do nothing, only request default attributes
        //}

        
      } 
      OA_set.add(oap);
    }
    OAAuthParameter[] result =
      new OAAuthParameter[OA_set.size()];
    OA_set.toArray(result);

    return result;

  }

  /**
   * Returns the condition length as int
   * @param length the condition length as int
   * @return
   */
  private int buildConditionLength(String length) {

      if (StringUtils.isEmpty(length))
    	  return -1;
      else 
    	  return new Integer(length).intValue();
  }
  
  /**
   * Builds the URL for a BKUSelectionTemplate or a Template. The method selects
   * the uri string from the MOA ID configuration file via the given xpath expression
   * and returns either this string or the default value.
   * 
   * @param oaAuthComponent The AuthComponent element to get the template from.
   * @param xpathExpr       The xpath expression for selecting the template uri.
   * @param defaultURL      The default template url.
   * @return                The template url. This may either the via xpath selected uri
   *                        or, if no template is specified within the online appliacation,
   *                        the default url. Both may be <code>null</code>.
   */
  protected String buildTemplateURL(Element oaAuthComponent, String xpathExpr, String defaultURL) {
    String templateURL = XPathUtils.getAttributeValue(oaAuthComponent, xpathExpr, defaultURL);
    if (templateURL != null) {
      templateURL = FileUtils.makeAbsoluteURL(templateURL, rootConfigFileDir_);
    }
    return templateURL;
  }
  
  
  

  
  
  /**
   * Method buildConnectionParameter: internal Method for creating a 
   * ConnectionParameter object with all data found in the incoming element
   * @param root This Element contains the ConnectionParameter
   * @return ConnectionParameter
   */
  protected ConnectionParameter buildConnectionParameter(Element root) 
  {
    ConnectionParameter result = new ConnectionParameter();
    result.setAcceptedServerCertificates(
      XPathUtils.getElementValue(root,CONNECTION_PARAMETER_ACCEPTED_CERTS_XPATH,null));
    
    result.setAcceptedServerCertificates(FileUtils.makeAbsoluteURL(
      result.getAcceptedServerCertificates(), rootConfigFileDir_));
      
    result.setUrl(
      XPathUtils.getAttributeValue(root, CONNECTION_PARAMETER_URL_XPATH, ""));
    result.setClientKeyStore(
      XPathUtils.getElementValue(root,CONNECTION_PARAMETERN_KEYSTORE_XPATH,null));
    
    result.setClientKeyStore(FileUtils.makeAbsoluteURL(
      result.getClientKeyStore(), rootConfigFileDir_));
    
    result.setClientKeyStorePassword(
      XPathUtils.getAttributeValue(root,CONNECTION_PARAMETER_KEYSTORE_PASS_XPATH,""));
    
    if ((result.getAcceptedServerCertificates()==null)
        && (result.getUrl()=="")
        && (result.getClientKeyStore()==null)
        && (result.getClientKeyStorePassword()==""))
        return null;
    
    return result;
  }

  
  /**
   * Build the mapping of generic configuration properties.
   * 
   * @return a {@link Map} of generic configuration properties (a name to value
   * mapping) from the configuration.
   */
  public Map buildGenericConfiguration() {

    Map genericConfiguration = new HashMap();
    NodeIterator gcIter =
      XPathUtils.selectNodeIterator(
        configElem_,
        GENERIC_CONFIGURATION_XPATH);
    Element gcElem;

    while ((gcElem = (Element) gcIter.nextNode()) != null) {
      String gcName = gcElem.getAttribute("name");
      String gcValue = gcElem.getAttribute("value");

      genericConfiguration.put(gcName, gcValue);
    }

    return genericConfiguration;
  }
  

  /**
   * Returns the default chaining mode from the configuration.
   * 
   * @return The default chaining mode.
   */
  public String getDefaultChainingMode() {
    String defaultChaining =
      XPathUtils.getAttributeValue(
        configElem_,
        CHAINING_MODES_DEFAULT_XPATH,
        CM_CHAINING);

    return translateChainingMode(defaultChaining);

  }
  /**
   * Build the chaining modes for all configured trust anchors.
   * 
   * @return The mapping from trust anchors to chaining modes.
   */
  public Map buildChainingModes() {
    Map chainingModes = new HashMap();
    NodeIterator trustIter =
      XPathUtils.selectNodeIterator(configElem_, TRUST_ANCHOR_XPATH);
    Element trustAnchorElem;

    while ((trustAnchorElem = (Element) trustIter.nextNode()) != null) {
      IssuerAndSerial issuerAndSerial = buildIssuerAndSerial(trustAnchorElem);
      String mode = trustAnchorElem.getAttribute("mode");

      if (issuerAndSerial != null) {
        chainingModes.put(issuerAndSerial, translateChainingMode(mode));
      }
    }

    return chainingModes;
  }
  
  /**
   * Build an <code>IssuerAndSerial</code> from the DOM representation.
   * 
   * @param root The root element (being of type <code>dsig:
   * X509IssuerSerialType</code>.
   * @return The issuer and serial number contained in the <code>root</code>
   * element or <code>null</code> if could not be built for any reason.
   */
  protected IssuerAndSerial buildIssuerAndSerial(Element root) {
    String issuer = XPathUtils.getElementValue(root, ISSUER_XPATH, null);
    String serial = XPathUtils.getElementValue(root, SERIAL_XPATH, null);

    if (issuer != null && serial != null) {
      try {
        RFC2253NameParser nameParser = new RFC2253NameParser(issuer);
        Principal issuerDN = nameParser.parse();

        return new IssuerAndSerial(issuerDN, new BigInteger(serial));
      } catch (RFC2253NameParserException e) {
        warn("config.09", new Object[] { issuer, serial }, e);
        return null;
      } catch (NumberFormatException e) {
        warn("config.09", new Object[] { issuer, serial }, e);
        return null;
      }
    }
    return null;
  }

  /**
   * Translate the chaining mode from the configuration file to one used in the
   * IAIK MOA API.
   * 
   * @param chainingMode The chaining mode from the configuration.
   * @return The chaining mode as provided by the <code>ChainingModes</code>
   * interface.
   * @see iaik.pki.pathvalidation.ChainingModes
   */
  protected String translateChainingMode(String chainingMode) {
    if (chainingMode.equals(CM_CHAINING)) {
      return ChainingModes.CHAIN_MODE;
    } else if (chainingMode.equals(CM_PKIX)) {
      return ChainingModes.PKIX_MODE;
    } else {
      return ChainingModes.CHAIN_MODE;
    }
  }
  
  /**
   * Builds the IdentityLinkDomainIdentifier as needed for providing it to the
   * SecurityLayer for computation of the wbPK.
   * <p>e.g.:<br>
   * input element:
   * <br>
   * <code>&lt;pr:Firmenbuchnummer Identifier="FN"&gt;000468 i&lt;/pr:Firmenbuchnummer&gt;</code>
   * <p>
   * return value: <code>urn:publicid:gv.at+wbpk+FN468i</code>
   * 
   * @param number  The element holding the identification number of the business
   *                company.
   * @return The domain identifier
   */
  protected String buildIdentityLinkDomainIdentifier(Element number) {
    if (number == null) {
      return null;
    }
    String identificationNumber = number.getFirstChild().getNodeValue();
    String identifier = number.getAttribute("Identifier");
    // remove all blanks
    identificationNumber = StringUtils.removeBlanks(identificationNumber);
    if (number.getLocalName().equals("Firmenbuchnummer") || identifier.equalsIgnoreCase("fn") || identifier.equalsIgnoreCase("xfn")) {
      // delete zeros from the beginning of the number
      identificationNumber = StringUtils.deleteLeadingZeros(identificationNumber);
      // remove hyphens
      identificationNumber = StringUtils.removeToken(identificationNumber, "-");
    }
    StringBuffer identityLinkDomainIdentifier = new StringBuffer(Constants.URN_PREFIX_WBPK);
    identityLinkDomainIdentifier.append("+");
    if (!identificationNumber.startsWith(identifier)) {
      identityLinkDomainIdentifier.append(identifier);
    }
    identityLinkDomainIdentifier.append("+");
    identityLinkDomainIdentifier.append(identificationNumber);
    return identityLinkDomainIdentifier.toString();
  }
  
    /**
   * Builds the parameters for verifying additional infoboxes (additional to the
   * IdentityLink infobox).
   * 
   * @param verifyInfoboxesElem     The <code>VerifyInfoboxes</code> element from the 
   *                                config file. This maybe the global element or the
   *                                elment from an Online application.
   * @param defaultVerifyInfoboxParameters Default parameters to be used, if no 
   *                                <code>VerifyInfoboxes</code> element is present.
   *                                 This only applies to parameters
   *                                of an specific online application and is set to 
   *                                <code>null</code> when building the global parameters.
   * @param moaSpIdentityLinkTrustProfileID The ID of the trust profile used for validating
   *                                the identity link signer certificate. Needed for
   *                                checking if this ID is not used for validating other 
   *                                infoboxes.
   *                           
   * @return A {@link at.gv.egovernment.moa.id.config.auth.VerifyInfoboxParameters VerifyInfoboxParameters}
   *         object needed for verifying additional infoboxes.
   *         
   * @throws ConfigurationException If the trust profile for validating the identity link 
   *                                signer certificate is used for validating another infobox.
   */
  public VerifyInfoboxParameters buildVerifyInfoboxParameters(
    Node verifyInfoboxesElem, 
    VerifyInfoboxParameters defaultVerifyInfoboxParameters,
    String moaSpIdentityLinkTrustProfileID)
  throws ConfigurationException
  {
    
    if ((verifyInfoboxesElem == null) && (defaultVerifyInfoboxParameters == null)) {
      return null;
    }
    Vector identifiers = new Vector(); 
    List defaultIdentifiers = null;
    Map defaultInfoboxParameters = null;
    if (defaultVerifyInfoboxParameters != null) {
      defaultIdentifiers = defaultVerifyInfoboxParameters.getIdentifiers();
      defaultInfoboxParameters = defaultVerifyInfoboxParameters.getInfoboxParameters();
    }
    Hashtable infoboxParameters = new Hashtable();
    if (verifyInfoboxesElem != null) {
      // get the DefaultTrustProfileID
      String defaultTrustProfileID = null;    
      Node defaultTrustProfileNode =
        XPathUtils.selectSingleNode(verifyInfoboxesElem, VERIFY_INFOBOXES_DEFAULT_TRUST_PROFILE_XPATH);
      if (defaultTrustProfileNode != null) {
        Node trustProfileIDNode =
          XPathUtils.selectSingleNode(defaultTrustProfileNode, VERIFY_INFOBOXES_TRUST_PROFILE_ID_XPATH);
        defaultTrustProfileID = trustProfileIDNode.getFirstChild().getNodeValue(); 
        if (defaultTrustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
          throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
        }
      }      
      // get the Infoboxes
      NodeList infoboxes = 
        XPathUtils.selectNodeList(verifyInfoboxesElem, VERIFY_INFOBOXES_INFOBOX_XPATH);        
      for (int i=0; i<infoboxes.getLength(); i++) {
        Element infoBoxElem = (Element)infoboxes.item(i);
        // get the identifier of the infobox
        String identifier = infoBoxElem.getAttribute("Identifier");
        identifiers.add(identifier);
        VerifyInfoboxParameter verifyInfoboxParameter = new VerifyInfoboxParameter(identifier);
        verifyInfoboxParameter.setFriendlyName(identifier);
        // get the attributes
        // (1) required: override global value in any case
        verifyInfoboxParameter.setRequired(BoolUtils.valueOf(
          infoBoxElem.getAttribute("required")));
        // (2) provideStammzahl: override global value in any case
        verifyInfoboxParameter.setProvideStammzahl(BoolUtils.valueOf(
          infoBoxElem.getAttribute("provideStammzahl")));
        // (3) proviedIdentityLink: override global value in any case
        verifyInfoboxParameter.setProvideIdentityLink(BoolUtils.valueOf(
          infoBoxElem.getAttribute("provideIdentityLink")));
        // set default trustprofileID
        if (defaultTrustProfileID != null) {
          verifyInfoboxParameter.setTrustProfileID(defaultTrustProfileID);
        }
        // get the parameter elements
        boolean localValidatorClass = false;
        boolean localFriendlyName = false;
        List params = DOMUtils.getChildElements(infoBoxElem);
        Iterator it = params.iterator();
        while (it.hasNext()) {
          Element paramElem = (Element)it.next();                 
          String paramName = paramElem.getLocalName();
          if (paramName.equals("FriendlyName")) {
            verifyInfoboxParameter.setFriendlyName(paramElem.getFirstChild().getNodeValue());
            localFriendlyName = true;
          } else if (paramName.equals("TrustProfileID")) {
            String trustProfileID = paramElem.getFirstChild().getNodeValue();
            if (trustProfileID != null) {
              if (trustProfileID.equals(moaSpIdentityLinkTrustProfileID)) {
                throw new ConfigurationException("config.15", new Object[] {moaSpIdentityLinkTrustProfileID});
              }
              verifyInfoboxParameter.setTrustProfileID(trustProfileID);
            } 
          } else if (paramName.equals("ValidatorClass")) {
            String validatorClassName = paramElem.getFirstChild().getNodeValue();
            if (validatorClassName != null) {
              verifyInfoboxParameter.setValidatorClassName(validatorClassName);
              localValidatorClass = true;
            }            
          } else if (paramName.equals("SchemaLocations")) {
            List schemaElems = DOMUtils.getChildElements(paramElem);
            List schemaLocations = new Vector(schemaElems.size());
            Iterator schemaIterator = schemaElems.iterator();
            while (schemaIterator.hasNext()) {
              Element schemaElem = (Element)schemaIterator.next();
              String namespace = schemaElem.getAttribute("namespace");
              String schemaLocation = schemaElem.getAttribute("schemaLocation");
              // avoid adding the same schema twice
              Iterator schemaLocationIterator = schemaLocations.iterator();
              boolean add = true;
              while (schemaLocationIterator.hasNext()) {                
                String existingNamespace = ((Schema)schemaLocationIterator.next()).getNamespace();
                if (namespace.equals(existingNamespace)) {
                  Logger.warn("Multiple schemas specified for namespace \"" + namespace + 
                    "\"; only using the first one.");
                  add = false;
                  break;
                }
              }
              if (add) {
                schemaLocations.add(new SchemaImpl(namespace, schemaLocation));
              }
            }
            verifyInfoboxParameter.setSchemaLocations(schemaLocations);            
          } else if (paramName.equals("ApplicationSpecificParameters")) {
            verifyInfoboxParameter.setApplicationSpecificParams(paramElem);
          } else if (paramName.equals("ParepSpecificParameters")) {
            verifyInfoboxParameter.appendParepSpecificParams(paramElem);
          }
        }        
        // use default values for those parameters not yet set by local configuration
        if (defaultInfoboxParameters != null) {
          Object defaultVerifyIP = defaultInfoboxParameters.get(identifier);
          if (defaultVerifyIP != null) {
            VerifyInfoboxParameter defaultVerifyInfoboxParameter = 
              (VerifyInfoboxParameter)defaultVerifyIP;
            // if no friendly is set, use default
            if (!localFriendlyName) {
              verifyInfoboxParameter.setFriendlyName(
                defaultVerifyInfoboxParameter.getFriendlyName());
            }
            // if no TrustProfileID is set, use default, if available
            if (verifyInfoboxParameter.getTrustProfileID() == null) {
              verifyInfoboxParameter.setTrustProfileID(
                defaultVerifyInfoboxParameter.getTrustProfileID());
            } 
            // if no local validator class is set, use default
            if (!localValidatorClass) {
              verifyInfoboxParameter.setValidatorClassName(
                defaultVerifyInfoboxParameter.getValidatorClassName());
            }
            // if no schema locations set, use default         
            if (verifyInfoboxParameter.getSchemaLocations() == null) {
              verifyInfoboxParameter.setSchemaLocations(
                defaultVerifyInfoboxParameter.getSchemaLocations());
            }
            // if no application specific parameters set, use default
            if (verifyInfoboxParameter.getApplicationSpecificParams() == null) {
              verifyInfoboxParameter.setApplicationSpecificParams(
                defaultVerifyInfoboxParameter.getApplicationSpecificParams());
            }
          }
        }
        infoboxParameters.put(identifier, verifyInfoboxParameter);
      }
      // add the infobox identifiers not present within the local configuration to the 
      // identifier list
      if (defaultIdentifiers != null) {
        Iterator identifierIterator = defaultIdentifiers.iterator();
        while (identifierIterator.hasNext()) {
          String defaultIdentifier = (String)identifierIterator.next();
          if (!identifiers.contains(defaultIdentifier)) {
            identifiers.add(defaultIdentifier);
          }
        }
      }
      return new VerifyInfoboxParameters(identifiers, infoboxParameters);
    } else {
      return new VerifyInfoboxParameters(defaultIdentifiers, infoboxParameters);
    }       
  }
  
  /**
   * Creates a SignatureCreationParameter object from the MOA-ID configuration
   * This configuration object contains KeyStore and Key data for signature creation (STORK SAML Signature Creation).
   * 
   * @return KeyStore and Key data for signature creation (STORK SAML Signature Creation)
   */
  public SignatureCreationParameter buildSTORKSignatureCreationParameter() {
	  
	  Logger.debug("Loading STORK signature creation parameters.");
	  	  	  
	  Element signatureCreationParameterElement = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_CREATION_PARAMETER);
	  if (signatureCreationParameterElement == null) {
		  Logger.debug("No STORK signature parameters found, " + AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_CREATION_PARAMETER + "is missing.");
		  return null;
	  }
	  
	  SignatureCreationParameter signatureCreationParameter = new SignatureCreationParameter();
	  
	  Element keyStoreElement = (Element)XPathUtils.selectSingleNode(signatureCreationParameterElement, AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE);
	  if (keyStoreElement==null) {
		  Logger.error(AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE + "is missing.");
		  return null;
	  }
	     
	  Element keyNameElement = (Element)XPathUtils.selectSingleNode(signatureCreationParameterElement, AUTH_FOREIGN_IDENTITIES_STORK_KEYNAME);
	  if (keyNameElement==null) {
		  Logger.error(AUTH_FOREIGN_IDENTITIES_STORK_KEYNAME + "is missing.");
		  return null;
	  }
	     
	  String keyStorePath = DOMUtils.getText(keyStoreElement);
	  if (StringUtils.isEmpty(keyStorePath)) {
		  Logger.error("No KeyStorePath for STORK SAML Signing Certificate provided!");
		  return null;	   
	  }
	  signatureCreationParameter.setKeyStorePath(FileUtils.makeAbsoluteURL(keyStorePath, rootConfigFileDir_));
	  Logger.trace("Found KeyStorePath for STORK SAML Signing Certificate: " + keyStorePath);
	   
	  String keyStorePassword = XPathUtils.getAttributeValue(signatureCreationParameterElement, AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE_PASSWORD, "");
	  signatureCreationParameter.setKeyStorePassword(keyStorePassword);
	  
	  String keyName = DOMUtils.getText(keyNameElement);
	  if (StringUtils.isEmpty(keyName)) {
		  Logger.warn(AUTH_FOREIGN_IDENTITIES_STORK_KEYSTORE_PASSWORD + "is missing.");
		  return null;
	  }
	  signatureCreationParameter.setKeyName(keyName);
	  Logger.trace("Found KeyName for STORK SAML Signing Certificate: " + keyName);
	  
	  String keyPassword = XPathUtils.getAttributeValue(signatureCreationParameterElement, AUTH_FOREIGN_IDENTITIES_STORK_KEYNAME_PASSWORD, "");
	  signatureCreationParameter.setKeyPassword(keyPassword);
	  
	  Logger.info("STORK signature creation parameters loaded.");
	  
	  return signatureCreationParameter;	     

  }
  
  /**
   * Creates a SignatureVerificationParameter object from the MOA-ID configuration
   * This configuration object contains the TrustProfile to be used for signature verification (STORK SAML Signature Verification)
   * 
   * @return TrustProfileID for signature verification (STORK SAML Signature Verification)
   */
  public SignatureVerificationParameter buildSTORKSignatureVerificationParameter() {
	  
	  Logger.debug("Loading STORK signature verification parameters.");
	  
	  Element signatureVerificationParameterElement = (Element)XPathUtils.selectSingleNode(configElem_, AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_VERIFICATION_PARAMETER);
	  if (signatureVerificationParameterElement == null) {
		  Logger.debug("No STORK verification parameters found, " +AUTH_FOREIGN_IDENTITIES_STORK_SIGNATURE_VERIFICATION_PARAMETER + "is missing.");
		  return null;
	  }
	  
	  SignatureVerificationParameter signatureVerificationParameter = new SignatureVerificationParameter();
	  
	  String trustProfileID = XPathUtils.getElementValue(signatureVerificationParameterElement, AUTH_FOREIGN_IDENTITIES_STORK_TRUSTPROFILE_ID, null);
	  if (StringUtils.isEmpty(trustProfileID)) {
		  Logger.error(AUTH_FOREIGN_IDENTITIES_STORK_TRUSTPROFILE_ID + "is missing.");
		  return null;
	  }
	  Logger.trace("Using the following MOA-SP TrustProfile for STORK SAML signature verification: " + trustProfileID);
	  signatureVerificationParameter.setTrustProfileID(trustProfileID);
	  
	  Logger.info("STORK signature verification parameters loaded.");
	  
	  return signatureVerificationParameter;
  }
  
  /**
   * Builds a C-PEPS object from configuration
   * @param cpepsElement DOM Element of C-PEPS from configuration
   * @return C-PEPS object
   */
  public CPEPS buildSTORKCpeps(Element cpepsElement) {
	  
	  String countryCode = cpepsElement.getAttribute(AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_COUNTRY_CODE);	
      String cpepsURLString = cpepsElement.getAttribute(AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_URL);
      if (StringUtils.isEmpty(countryCode)) {
    	  Logger.error(AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_COUNTRY_CODE + "is missing.");
    	  return null;
      }
      if (StringUtils.isEmpty(cpepsURLString)) {
    	  Logger.error(AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_URL + "is missing.");
    	  return null;
      } 
      
      URL cpepsURL;
      try {
			cpepsURL = new URL(cpepsURLString);
      } catch (MalformedURLException e) {
			Logger.error("Provided CPEPS-URL (" + cpepsURLString + ") for country " + countryCode + " is not a URL", e);
			return null;
      }
      CPEPS cpeps = new CPEPS(countryCode, cpepsURL);
      Logger.debug("Adding C-PEPS for country: " + cpeps.getCountryCode() + ", URL: " + cpeps.getPepsURL());
  	      
      Element reqAttributeElement;
      NodeIterator reqAttributeIterator = XPathUtils.selectNodeIterator(cpepsElement, AUTH_FOREIGN_IDENTITIES_STORK_CPEPS_REQUESTED_ATTRIBUTES);      
      
      while ((reqAttributeElement = (Element) reqAttributeIterator.nextNode()) != null) {
		    RequestedAttribute requestedAttribute;
			try {
				requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(reqAttributeElement);
			} catch (MessageEncodingException e) {
				Logger.error("Provided RequestedAttributes for CPEPS from country " + countryCode + " is malformed.", e);
				return null;
			}
			//only add if STORK attribute is correct
			if (STORKConstants.FULL_STORK_ATTRIBUTE_SET.contains(requestedAttribute.getName())) {
				cpeps.addCountrySpecificRequestedAttribute(requestedAttribute);
				Logger.debug("Adding also country specific requested attribute for C-PEPS (" + countryCode + "): " + requestedAttribute.getName() + ", isRequired: " + requestedAttribute.isRequired());
			} else {
				Logger.warn("Skipping addition of requested STORK Attribute, attribute unknown : " + requestedAttribute.getName());
			}
		    
	  }
      
	  return cpeps;
  }
  
  /**
   * Builds the supported C-PEPS Map from configuration
   * @return Map of C-PEPS
   */
  public Map<String, CPEPS> buildSTORKcPEPSMap() {
	  
	  Logger.debug("Loading STORK C-PEPS information");
	  
	  Map<String, CPEPS> cpepsMap = new HashMap<String, CPEPS>();
	  	  	   
	  NodeIterator cpepsIterator = XPathUtils.selectNodeIterator(configElem_, AUTH_FOREIGN_IDENTITIES_STORK_CPEPS);
	  	       
	  Element cpepsElement;
	  CPEPS cpeps;

	  while ((cpepsElement = (Element) cpepsIterator.nextNode()) != null) {
		    cpeps = buildSTORKCpeps(cpepsElement);
		    if (cpeps != null) {
		    	cpepsMap.put(cpeps.getCountryCode(), cpeps);		    	
		    }
	  }
	  
	  if(!cpepsMap.isEmpty()) {
		  Logger.info("STORK C-PEPS information loaded");
	  }
	      
	  return cpepsMap;
	  
  }
  
  /**
   * Builds the required STORK QAALevel for this OA
   * @param authComponentElement DOM Element of AuthComponent (from MOA configuration)
   * @return STORK QAALevel for this OA
   */
  public QualityAuthenticationAssuranceLevel buildOaSTORKQAALevel(Element authComponentElement) {
	  Element qaaLevelElement = (Element)XPathUtils.selectSingleNode(authComponentElement, OA_AUTH_COMPONENT_STORK_QAA);
	  
	  if (qaaLevelElement == null) return null;
	  
	  try {
		QualityAuthenticationAssuranceLevel qaaLevel = (QualityAuthenticationAssuranceLevel) SAMLUtil.unmarshallMessage(qaaLevelElement);
		return qaaLevel;
	} catch (MessageEncodingException e) {
		Logger.error("Could not build STORK QAALevel, using default.");
		return null;
	}
	  
  }
  
  /**
   * Builds the Requested Attributes specific for an OA
   * @param authComponentElement DOM Element of AuthComponent (from MOA configuration)
   * @return STORK RequestedAttributes for this OA
   */
  public RequestedAttributes buildOaSTORKRequestedAttributes(Element authComponentElement) {
	  List<RequestedAttribute> reqAttributeList = new ArrayList<RequestedAttribute>();
	  
	  
	  Element reqAttributeElement;
      NodeIterator reqAttributeIterator = XPathUtils.selectNodeIterator(authComponentElement, OA_AUTH_COMPONENT_STORK_REQUESTED_ATTRIBUTE);
                  
      while ((reqAttributeElement = (Element) reqAttributeIterator.nextNode()) != null) {
		    RequestedAttribute requestedAttribute;
			try {
				requestedAttribute = (RequestedAttribute) SAMLUtil.unmarshallMessage(reqAttributeElement);
			} catch (MessageEncodingException e) {
				Logger.error("Provided RequestedAttributes Online Application is malformed.", e);
				return null;
			}
			//only add if STORK attribute is correct
			if (STORKConstants.FULL_STORK_ATTRIBUTE_SET.contains(requestedAttribute.getName())) {
				reqAttributeList.add(requestedAttribute);
			} else {
				Logger.warn("Skipping addition of requested STORK Attribute, attribute unknown : " + requestedAttribute.getName());
			}
	  }
	  
	  return STORKMessagesBuilder.buildRequestedAttributes(reqAttributeList);
  }

  /**
   * Method warn.
   * @param messageId to identify a country-specific message
   * @param parameters for the logger
   */
  //
  // various utility methods
  //

  protected static void warn(String messageId, Object[] parameters) {
    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters));
  }

  /**
   * Method warn.
   * @param messageId to identify a country-specific message
   * @param args for the logger
   * @param t as throwabl
   */
  protected static void warn(String messageId, Object[] args, Throwable t) {
    Logger.warn(MOAIDMessageProvider.getInstance().getMessage(messageId, args), t);
  } 
}