/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying * information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Portions Copyright 2006 Sun Microsystems, Inc.
 */
package org.opends.server.loggers;

import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.RandomAccessFile;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;

import org.opends.server.core.DirectoryServer;

import static org.opends.server.loggers.Debug.*;

/**
 * This class implements a post rotation action that signs
 * the file.
 */
public class SignatureAction implements PostRotationAction
{
  /**
   * The fully-qualified name of this class for debugging purposes.
   */
  private static final String CLASS_NAME =
    "org.opends.server.loggers.SignatureAction";

  private static final String delimiter = "---------";
  private File originalFile;
  private String signatureAlgorithm = "SHA1withRSA";
  private String digestAlgorithm = "SHA";
  private String alias = null;

  /**
   * Create the signature action based on the log file name,
   * and the certificate alias to use for signing.
   *
   * @param origFile    The source file name to sign.
   * @param alias       The certificate alias to use for signing.
   */
  public SignatureAction(String origFile, String alias)
  {
    this.originalFile = new File(origFile);
    this.alias = alias;
  }

  /**
   * Create the signature action based on the log file name,
   * the signature algorithm, the digest algorithm, and the certificate alias
   * to use for signing.
   *
   * @param origFile    The source file name to sign.
   * @param sigAlg      The signature algorithm to use.
   * @param digestAlg   The MD5 digest algorithm to use.
   * @param alias       The certificate alias to use for signing.
   */
  public SignatureAction(String origFile, String sigAlg, String digestAlg,
                         String alias)
  {
    this.originalFile = new File(origFile);
    this.signatureAlgorithm = sigAlg;
    this.digestAlgorithm = digestAlg;
    this.alias = alias;
  }

  /**
   * The signature action that is executed. Returns true if the
   * action succeeded and false otherwise.
   *
   * @return  <CODE>true</CODE> if the signature was generated successfully, or
   *          <CODE>false</CODE> if not.
   */
  public boolean execute()
  {
    FileInputStream fis = null;
    boolean inputStreamOpen = false;
    try
    {
      KeyManager[] keyMgrs =
           DirectoryServer.getKeyManagerProvider().getKeyManagers();
      if(keyMgrs.length == 0)
      {
        // No keys available.
        // FIXME - Log in error log.
        System.err.println("No private key available to sign with.");
        return false;
      }
      X509KeyManager mgr = (X509KeyManager) keyMgrs[0];
      PrivateKey priv = mgr.getPrivateKey(alias);

      Signature sig = Signature.getInstance(signatureAlgorithm);
      sig.initSign(priv);

      MessageDigest md = MessageDigest.getInstance(digestAlgorithm);
      md.reset();

      fis = new FileInputStream(originalFile);
      inputStreamOpen = true;
      BufferedInputStream bufin = new BufferedInputStream(fis);
      byte[] buffer = new byte[1024];
      int len;
      while (bufin.available() != 0)
      {
        len = bufin.read(buffer);
        md.update(buffer, 0, len);
      }
      bufin.close();

      // Create a hash of the log file contents.
      byte[] hash = md.digest();
      // printBytes(hash);
      sig.update(hash);

      // Sign the hash.
      byte[] realSig = sig.sign();
      // printBytes(realSig);

      // Append the signature to the end of the file.
      RandomAccessFile raf = new RandomAccessFile(originalFile, "rw");
      raf.seek(raf.length());
      raf.write(delimiter.getBytes());
      raf.write("\n".getBytes());
      raf.write(realSig);

      return true;
    } catch(Exception ioe)
    {
      assert debugException(CLASS_NAME, "execute", ioe);
      if(inputStreamOpen)
      {
        try
        {
          fis.close();
        } catch(Exception fe)
        {
                assert debugException(CLASS_NAME, "execute", fe);
          // Cannot do much. Ignore.
        }
      }
      return false;
    }
  }


  /**
   * Verify the signature int the log file. Returns true if the
   * the signature is valid and false otherwise.
   *
   * @return  <CODE>true</CODE> if the signature is valid, or <CODE>false</CODE>
   *          if not.
   */
  public boolean verify()
  {
    RandomAccessFile inFile = null;
    boolean inputStreamOpen = false;
    try
    {
      KeyManager[] keyMgrs =
           DirectoryServer.getKeyManagerProvider().getKeyManagers();

      if(keyMgrs.length == 0)
      {
        // No keys available.
        // FIXME - Log in error log.
        System.err.println("No public key available to verify signature with.");
        return false;
      }

      X509KeyManager mgr = (X509KeyManager) keyMgrs[0];
      X509Certificate[] certChain = mgr.getCertificateChain(alias);

      if(certChain == null || certChain.length == 0)
      {
        System.err.println("Cannot find the public key for the signature.");
        return false;
      }

      PublicKey pubKey = certChain[0].getPublicKey();

      Signature sig = Signature.getInstance(signatureAlgorithm);
      sig.initVerify(pubKey);

      MessageDigest md = MessageDigest.getInstance(digestAlgorithm);
      md.reset();

      inFile = new RandomAccessFile(originalFile, "r");
      inputStreamOpen = true;
      String line = null;
      while ((line = inFile.readLine()) != null)
      {
        if(line.equals(delimiter))
        {
          break;
        }
        // int len = line.length();
        // md.update(line.getBytes(), 0, len);
        byte[] b = (line + "\n").getBytes();
        md.update(b);
      }

      // Read signature
      byte[] sigToVerify = new byte[128];
      int val = inFile.read(sigToVerify, 0, 128);
      // printBytes(sigToVerify);

      // Create a hash of the log file contents.
      byte[] hash = md.digest();
      // printBytes(hash);
      sig.update(hash);


      // Verify the hash.
      boolean verifies = sig.verify(sigToVerify);

      return verifies;
    } catch(Exception ioe)
    {
      assert debugException(CLASS_NAME, "execute", ioe);
      if(inputStreamOpen)
      {
        try
        {
          inFile.close();
        } catch(Exception fe)
        {
                assert debugException(CLASS_NAME, "execute", fe);
          // Cannot do much. Ignore.
        }
      }
      return false;
    }
  }



  /**
   * Prints a representation of the contents of the provided byte array to
   * standard output.
   *
   * @param  bArray  The array containing the data to be printed.
   */
  private void printBytes(byte[] bArray)
  {
    for(int i = 0; i < bArray.length; i++)
    {
      System.out.print(Integer.toHexString((int)bArray[i]));
    }
    System.out.println("");
  }


}