/*

  * Copyright (c) 2011 Henry Story (bblfish.net)

  * under the MIT licence defined

  *    http://www.opensource.org/licenses/mit-license.html

  *

  * Permission is hereby granted, free of charge, to any person obtaining a copy of

  * this software and associated documentation files (the "Software"), to deal in the

  * Software without restriction, including without limitation the rights to use, copy,

  * modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,

  * and to permit persons to whom the Software is furnished to do so, subject to the

  * following conditions:

  *

  * The above copyright notice and this permission notice shall be included in all

  * copies or substantial portions of the Software.

  *

  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,

  * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

  * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT

  * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION

  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE

  * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

  */

 package org.w3.readwriteweb.auth

 import javax.servlet.http.HttpServletRequest

 import unfiltered.netty.ReceivedMessage

 import java.util.Date

 import java.math.BigInteger

 import java.net.URL

 import unfiltered.request.{UserAgent, HttpRequest}

 import java.security.cert.{X509Certificate, Certificate}

 import java.security._

 import interfaces.RSAPublicKey

 import unfiltered.util.IO

 import sun.security.x509._

 import org.w3.readwriteweb.util.trySome

 import actors.threadpool.TimeUnit

 import com.google.common.cache.{CacheLoader, CacheBuilder, Cache}

 object X509CertSigner {

   def apply(

       keyStoreLoc: URL,

       keyStoreType: String,

       password: String,

       alias: String): X509CertSigner = {

     val keystore = KeyStore.getInstance(keyStoreType)

     IO.use(keyStoreLoc.openStream()) { in =>

       keystore.load(in, password.toCharArray)

     }

     val privateKey = keystore.getKey(alias, password.toCharArray).asInstanceOf[PrivateKey]

     val certificate = keystore.getCertificate(alias).asInstanceOf[X509Certificate]

     //one could verify that indeed this is the private key corresponding to the public key in the cert.

     new X509CertSigner(certificate, privateKey)

   }

 }

 class X509CertSigner(

     val signingCert: X509Certificate,

     signingKey: PrivateKey ) {

   val WebID_DN="""O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority"""

   val sigAlg = signingKey.getAlgorithm match {

     case "RSA" =>  "SHA1withRSA"

     case "DSA" =>  "SHA1withDSA"

     //else will throw a case exception

   }

   /**

    * Adapted from http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html

    * The libraries used here are sun gpled code. This is much lighter to use than bouncycastle. All VMs that already

    * have these classes don't need to download the code. It should be easy in scala to create a build that can decide

    * if these need to be added to the classpath. I think the code just looks better than bouncycastle too.

    *

    * WARNING THIS IS   in construction

    *

    * Look in detail at http://www.ietf.org/rfc/rfc2459.txt

    *

    * Create a self-signed X.509 Certificate

    * @param subjectDN the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"

    * @param subjectKey the public key for the subject

    * @param days how many days from now the Certificate is valid for

    * @param webId a WebID to place in the Subject Alternative Name field of the Cert to be generated

    */

   def generate(

       subjectDN: String,

       subjectKey: RSAPublicKey,

       days: Int,

       webId: URL): X509Certificate = {   //todo: the algorithm should be deduced from private key in part

     var info = new X509CertInfo

     val from = new Date(System.currentTimeMillis()-10*1000*60) //start 10 minutes ago, to avoid network trouble

     val to = new Date(from.getTime + days*24*60*60*1000) 

     val interval = new CertificateValidity(from, to)

     val serialNumber = new BigInteger(64, new SecureRandom)

     val subjectXN = new X500Name(subjectDN)

     val issuerXN = new X500Name(signingCert.getSubjectDN.toString)

     info.set(X509CertInfo.VALIDITY, interval)

     info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber))

     info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subjectXN))

     info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuerXN))

     info.set(X509CertInfo.KEY, new CertificateX509Key(subjectKey))

     info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3))

     //

     //extensions

     //

     val extensions = new CertificateExtensions

     val san =

       new SubjectAlternativeNameExtension(

           true,

           new GeneralNames().add(

               new GeneralName(new URIName(webId.toExternalForm))))

     extensions.set(san.getName, san)

     val basicCstrExt = new BasicConstraintsExtension(false,1)

     extensions.set(basicCstrExt.getName,basicCstrExt)

     {

       import KeyUsageExtension._

       val keyUsage = new KeyUsageExtension

       val usages =

         List(DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, KEY_AGREEMENT)

       usages foreach { usage => keyUsage.set(usage, true) }

       extensions.set(keyUsage.getName,keyUsage)

     }

     {

       import NetscapeCertTypeExtension._

       val netscapeExt = new NetscapeCertTypeExtension

       List(SSL_CLIENT, S_MIME) foreach { ext => netscapeExt.set(ext, true) }

       extensions.set(

         netscapeExt.getName,

         new NetscapeCertTypeExtension(false, netscapeExt.getValue))

     }

     val subjectKeyExt =

       new SubjectKeyIdentifierExtension(new KeyIdentifier(subjectKey).getIdentifier)

     extensions.set(subjectKeyExt.getName, subjectKeyExt)

     info.set(X509CertInfo.EXTENSIONS, extensions)

     val algo = signingCert.getPublicKey.getAlgorithm match {

       case "DSA" => new AlgorithmId(AlgorithmId.sha1WithDSA_oid )

       case "RSA" => new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid)

       case _ => sys.error("Don't know how to sign with this type of key")  

     }

     info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo))

     // Sign the cert to identify the algorithm that's used.

     val tmpCert = new X509CertImpl(info)

     tmpCert.sign(signingKey, algo.getName)

     //update the algorithm and re-sign

     val sigAlgo = tmpCert.get(X509CertImpl.SIG_ALG).asInstanceOf[AlgorithmId]

     info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, sigAlgo)

     val cert = new X509CertImpl(info)

     cert.sign(signingKey,algo.getName)

     cert.verify(signingCert.getPublicKey)

     return cert

   }

   val clonesig : Signature =  sig

   def sig: Signature = {

     if (clonesig != null && clonesig.isInstanceOf[Cloneable]) clonesig.clone().asInstanceOf[Signature]

     else {

       val signature = Signature.getInstance(sigAlg)

       signature.initSign(signingKey)

       signature

     }

   }

   def sign(string: String): Array[Byte] = {

       val signature = sig

       signature.update(string.getBytes("UTF-8"))

       signature.sign

   }

 }

 object Certs {

   def unapplySeq[T](r: HttpRequest[T])(implicit m: Manifest[T], fetch: Boolean=true): Option[IndexedSeq[Certificate]] = {

     if (m <:< manifest[HttpServletRequest])

       unapplyServletRequest(r.asInstanceOf[HttpRequest[HttpServletRequest]])

     else if (m <:< manifest[ReceivedMessage])

       unapplyReceivedMessage(r.asInstanceOf[HttpRequest[ReceivedMessage]],fetch)

     else

       None //todo: should  throw an exception here?

   }

   //todo: should perhaps pass back error messages, which they could in the case of netty

   private def unapplyServletRequest[T <: HttpServletRequest](r: HttpRequest[T]): Option[IndexedSeq[Certificate]] =

     r.underlying.getAttribute("javax.servlet.request.X509Certificate") match {

       case certs: Array[Certificate] => Some(certs)

       case _ => None

     }

   private def unapplyReceivedMessage[T <: ReceivedMessage](r: HttpRequest[T], fetch: Boolean): Option[IndexedSeq[Certificate]] = {

     import org.jboss.netty.handler.ssl.SslHandler

     val sslh = r.underlying.context.getPipeline.get(classOf[SslHandler])

     trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq) orElse {

       if (!fetch) None

       else {

         sslh.setEnableRenegotiation(true)

         r match {

           case UserAgent(agent) if needAuth(agent) => sslh.getEngine.setNeedClientAuth(true)

           case _ => sslh.getEngine.setWantClientAuth(true)

         }

         val future = sslh.handshake()

         future.await(30000) //that's certainly way too long.

         if (future.isDone && future.isSuccess)

           trySome(sslh.getEngine.getSession.getPeerCertificates.toIndexedSeq)

         else

           None

       }

     }

   }

  /**

   *  Some agents do not send client certificates unless required. This is a problem for them, as it ends up breaking the

   *  connection for those agents if the client does not have a certificate...

   *

   *  It would be useful if this could be updated by server from time to  time from a file on the internet,

   *  so that changes to browsers could update server behavior

   *

   */

   def needAuth(agent: String): Boolean =

     (agent contains "Java")  | (agent contains "AppleWebKit")  |  (agent contains "Opera")

 }