/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.cxf.xkms.x509.validator;

import java.io.File;
import java.io.InputStream;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.apache.cxf.helpers.FileUtils;
import org.apache.cxf.xkms.handlers.Applications;
import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
import org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest {
    private static final String PATH_TO_RESOURCES = "/trustedAuthorityValidator/";
    private final X509Certificate certificateRoot;
    private final X509Certificate certificateWss40Rev;
    private final X509Certificate certificateWss40;
    private final X509CRL crl;
    private FileCertificateRepo certificateRepo;

    public TrustedAuthorityValidatorCRLTest() throws CertificateException, CRLException {
        certificateRoot = readCertificate("wss40CA.cer");
        certificateWss40Rev = readCertificate("wss40rev.cer");
        certificateWss40 = readCertificate("wss40.cer");
        crl = readCRL("wss40CACRL.cer");
    }

    @Before
    public void setUpCertificateRepo() throws CertificateException {
        File storageDir = new File("target/teststore_trusted_authority_validator");
        FileUtils.removeDir(storageDir);
        storageDir.mkdirs();
        certificateRepo = new FileCertificateRepo("target/teststore_trusted_authority_validator");

        UseKeyWithType rootKey = new UseKeyWithType();
        rootKey.setApplication(Applications.PKIX.getUri());
        String subjectDN = certificateRoot.getSubjectX500Principal().getName();
        rootKey.setIdentifier(subjectDN);
        certificateRepo.saveTrustedCACertificate(certificateRoot, rootKey);

        UseKeyWithType aliceKey = new UseKeyWithType();
        aliceKey.setApplication(Applications.PKIX.getUri());
        subjectDN = certificateWss40Rev.getSubjectX500Principal().getName();
        aliceKey.setIdentifier(subjectDN);
        certificateRepo.saveCACertificate(certificateWss40Rev, aliceKey);

        UseKeyWithType bobKey = new UseKeyWithType();
        bobKey.setApplication(Applications.PKIX.getUri());
        subjectDN = certificateWss40.getSubjectX500Principal().getName();
        bobKey.setIdentifier(subjectDN);
        certificateRepo.saveCACertificate(certificateWss40, bobKey);

        UseKeyWithType crlKey = new UseKeyWithType();
        crlKey.setApplication(Applications.PKIX.getUri());
        crlKey.setIdentifier(crl.getIssuerX500Principal().getName());
        certificateRepo.saveCRL(crl, crlKey);
    }

    @Test
    public void testIsCertChainValid() throws CertificateException {
        TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo);
        Assert.assertTrue("Root should be valid",
                          validator.isCertificateChainValid(Arrays.asList(certificateRoot)));
        Assert.assertTrue("wss40rev should not be valid",
                          !validator.isCertificateChainValid(Arrays.asList(certificateWss40Rev)));
        Assert.assertTrue("wss40 should be valid",
                          validator.isCertificateChainValid(Arrays.asList(certificateWss40)));
    }

    private static X509Certificate readCertificate(String path) throws CertificateException {
        InputStream inputStream = TrustedAuthorityValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES
                                                                                          + path);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate)cf.generateCertificate(inputStream);
    }

    private static X509CRL readCRL(String path) throws CertificateException, CRLException {
        InputStream inputStream = TrustedAuthorityValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES
                                                                                          + path);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509CRL)cf.generateCRL(inputStream);
    }

}