/*******************************************************************************
 * Copyright 2014 Federal Chancellery Austria
 * MOA-ID has been developed in a cooperation between BRZ, the Federal
 * Chancellery Austria - ICT staff unit, and Graz University of Technology.
 *
 * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
 * the European Commission - subsequent versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
 * http://www.osor.eu/eupl/
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the Licence is distributed on an "AS IS" basis,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and
 * limitations under the Licence.
 *
 * This product combines work with different licenses. See the "NOTICE" text
 * file for details on the various modules and licenses.
 * The "NOTICE" text file is part of the distribution. Any derivative works
 * that you distribute must include a readable copy of the "NOTICE" text file.
 *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.pvp2x.signer;

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;

import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;

import at.gv.egovernment.moa.id.opemsaml.MOAKeyStoreX509CredentialAdapter;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.KeyStoreUtils;
import at.gv.egovernment.moa.util.MiscUtil;

public abstract class AbstractCredentialProvider {
	
	private KeyStore keyStore = null;
	
	/**
	 * Get a friendlyName for this keyStore implementation
	 * This friendlyName is used for logging
	 * 
	 * @return keyStore friendlyName
	 */
	public abstract String getFriendlyName();
	
	/**
	 * Get KeyStore
	 * 
	 * @return URL to the keyStore
	 */
	public abstract String getKeyStoreFilePath();
	
	/**
	 * Get keyStore password
	 * 
	 * @return Password of the keyStore
	 */
	public abstract String getKeyStorePassword();
	
	/**
	 * Get alias of key for metadata signing
	 * 
	 * @return key alias
	 */
	public abstract String getMetadataKeyAlias();
	
	/**
	 * Get password of key for metadata signing
	 * 
	 * @return key password
	 */
	public abstract String getMetadataKeyPassword();
	
	/**
	 * Get alias of key for request/response signing
	 * 
	 * @return key alias
	 */
	public abstract String getSignatureKeyAlias();
	
	/**
	 * Get password of key for request/response signing
	 * 
	 * @return key password
	 */
	public abstract String getSignatureKeyPassword();
	
	/**
	 * Get alias of key for IDP response encryption
	 * 
	 * @return key alias
	 */
	public abstract String getEncryptionKeyAlias();
	
	/**
	 * Get password of key for IDP response encryption
	 * 
	 * @return key password
	 */
	public abstract String getEncryptionKeyPassword();
	
	
	public X509Credential getIDPMetaDataSigningCredential()
			throws CredentialsNotAvailableException {
		try {
			
			if (keyStore == null)
				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), 
						getKeyStorePassword());

			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
					keyStore, getMetadataKeyAlias(), getMetadataKeyPassword().toCharArray());

			credentials.setUsageType(UsageType.SIGNING);
			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
				Logger.error(getFriendlyName() + " Metadata Signing credentials is not found or contains no PrivateKey.");
				throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: "
						+ getMetadataKeyAlias() + ") is not found or contains no PrivateKey."});
				
			}
			return credentials;
		} catch (Exception e) {
			Logger.error("Failed to generate " + getFriendlyName() + " Metadata Signing credentials");
			e.printStackTrace();
			throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e);
		}
	}

	public X509Credential getIDPAssertionSigningCredential()
			throws CredentialsNotAvailableException {
		try {
			if (keyStore == null)
				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), 
						getKeyStorePassword());

			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
					keyStore, getSignatureKeyAlias(), getSignatureKeyPassword().toCharArray());
			
			credentials.setUsageType(UsageType.SIGNING);
			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
				Logger.error(getFriendlyName() + " Assertion Signing credentials is not found or contains no PrivateKey.");
				throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Signing credentials (Alias: "
						+ getSignatureKeyAlias() + ") is not found or contains no PrivateKey."});
				
			}
			
			return (X509Credential) credentials;
		} catch (Exception e) {
			Logger.error("Failed to generate " + getFriendlyName() + " Assertion Signing credentials");
			e.printStackTrace();
			throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e);
		}
	}
	
	public X509Credential getIDPAssertionEncryptionCredential()
			throws CredentialsNotAvailableException {
		try {
			if (keyStore == null)
				keyStore = KeyStoreUtils.loadKeyStore(getKeyStoreFilePath(), 
						getKeyStorePassword());

			//if no encryption key is configured return null
			if (MiscUtil.isEmpty(getEncryptionKeyAlias()))
				return null;
			
			MOAKeyStoreX509CredentialAdapter credentials = new MOAKeyStoreX509CredentialAdapter(
					keyStore, getEncryptionKeyAlias(), getEncryptionKeyPassword().toCharArray());
			
			credentials.setUsageType(UsageType.ENCRYPTION);
			
			if (credentials.getPrivateKey() == null && credentials.getSecretKey() == null) {
				Logger.error(getFriendlyName() + " Assertion Encryption credentials is not found or contains no PrivateKey.");
				throw new CredentialsNotAvailableException("config.27", new Object[]{getFriendlyName() + " Assertion Encryption credentials (Alias: "
						+ getEncryptionKeyAlias() + ") is not found or contains no PrivateKey."});
				
			}
			
			return (X509Credential) credentials;
			
		} catch (Exception e) {
			Logger.error("Failed to generate " + getFriendlyName() + " Assertion Encryption credentials");
			e.printStackTrace();
			throw new CredentialsNotAvailableException("config.27", new Object[]{e.getMessage()}, e);
		}
	}
	
	public static Signature getIDPSignature(Credential credentials) {		
		PrivateKey privatekey = credentials.getPrivateKey();		
		Signature signer = SAML2Utils.createSAMLObject(Signature.class);
		
		if (privatekey instanceof RSAPrivateKey) {
			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
			
		} else if (privatekey instanceof ECPrivateKey) {
			signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);

		} else {
			Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential.");
			
			
		}

		signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);		
		signer.setSigningCredential(credentials);
		return signer;
		
	}
}