package org.bouncycastle.est.jcajce;


import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.bouncycastle.est.ESTClientSourceProvider;
import org.bouncycastle.est.Source;
import org.bouncycastle.util.Strings;

class DefaultESTClientSourceProvider
    implements ESTClientSourceProvider
{

    private final SSLSocketFactory sslSocketFactory;
    private final JsseHostnameAuthorizer hostNameAuthorizer;
    private final int timeout;
    private final ChannelBindingProvider bindingProvider;
    private final Set<String> cipherSuites;
    private final Long absoluteLimit;
    private final boolean filterSupportedSuites;


    public DefaultESTClientSourceProvider(
        SSLSocketFactory socketFactory,
        JsseHostnameAuthorizer hostNameAuthorizer,
        int timeout, ChannelBindingProvider bindingProvider,
        Set<String> cipherSuites, Long absoluteLimit,
        boolean filterSupportedSuites)
        throws GeneralSecurityException
    {
        this.sslSocketFactory = socketFactory;
        this.hostNameAuthorizer = hostNameAuthorizer;
        this.timeout = timeout;
        this.bindingProvider = bindingProvider;
        this.cipherSuites = cipherSuites;
        this.absoluteLimit = absoluteLimit;
        this.filterSupportedSuites = filterSupportedSuites;
    }


    public Source makeSource(String host, int port)
        throws IOException
    {
        SSLSocket sock = (SSLSocket)sslSocketFactory.createSocket(host, port);
        sock.setSoTimeout(timeout);

        if (cipherSuites != null && !cipherSuites.isEmpty())
        {
            // Filter supplied list with what is actually supported.
            if (filterSupportedSuites)
            {
                HashSet<String> fs = new HashSet<String>();
                String[] supportedCipherSuites = sock.getSupportedCipherSuites();
                for (int i = 0; i != supportedCipherSuites.length; i++)
                {
                    fs.add(supportedCipherSuites[i]);
                }

                List<String> j = new ArrayList<String>();
                for (Iterator it = cipherSuites.iterator(); it.hasNext();)
                {
                    String s = (String)it.next();
                    if (fs.contains(s))
                    {
                        j.add(s);
                    }
                }

                if (j.isEmpty())
                {
                    throw new IllegalStateException("No supplied cipher suite is supported by the provider.");
                }

                sock.setEnabledCipherSuites(j.toArray(new String[j.size()]));
            }
            else
            {
                sock.setEnabledCipherSuites(cipherSuites.toArray(new String[cipherSuites.size()]));
            }
        }


        sock.startHandshake();

        if (hostNameAuthorizer != null)
        {
            if (!hostNameAuthorizer.verified(host, sock.getSession()))
            {
                throw new IOException("Host name could not be verified.");
            }
        }

        {
            String t = Strings.toLowerCase(sock.getSession().getCipherSuite());
            if (t.contains("_des_") || t.contains("_des40_") || t.contains("_3des_"))
            {
                throw new IOException("EST clients must not use DES ciphers");
            }
        }

        // check for use of null cipher and fail.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("null"))
        {
            throw new IOException("EST clients must not use NULL ciphers");
        }

        // check for use of anon cipher and fail.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("anon"))
        {
            throw new IOException("EST clients must not use anon ciphers");
        }

        // check for use of export cipher.
        if (Strings.toLowerCase(sock.getSession().getCipherSuite()).contains("export"))
        {
            throw new IOException("EST clients must not use export ciphers");
        }

        if (sock.getSession().getProtocol().equalsIgnoreCase("tlsv1"))
        {
            try
            {
                sock.close();
            }
            catch (Exception ex)
            {
                // Deliberately ignored.
            }
            throw new IOException("EST clients must not use TLSv1");
        }


        if (hostNameAuthorizer != null && !hostNameAuthorizer.verified(host, sock.getSession()))
        {
            throw new IOException("Hostname was not verified: " + host);
        }
        return new LimitedSSLSocketSource(sock, bindingProvider, absoluteLimit);
    }
}