/*
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

/**
* @author Vladimir N. Molotkov, Alexander Y. Kleymenov
* @version $Revision$
*/

package org.apache.harmony.security.x509;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.harmony.security.asn1.ASN1Implicit;
import org.apache.harmony.security.asn1.ASN1OctetString;
import org.apache.harmony.security.asn1.ASN1Sequence;
import org.apache.harmony.security.asn1.ASN1Type;
import org.apache.harmony.security.asn1.BerInputStream;

/**
 * The class encapsulates the ASN.1 DER encoding/decoding work
 * with the following structure which is a part of X.509 certificate
 * (as specified in RFC 3280 -
 *  Internet X.509 Public Key Infrastructure.
 *  Certificate and Certificate Revocation List (CRL) Profile.
 *  http://www.ietf.org/rfc/rfc3280.txt):
 *
 * <pre>
 *
 *   NameConstraints ::= SEQUENCE {
 *        permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
 *        excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
 *
 *   GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
 *
 * </pre>
 *
 * @see org.apache.harmony.security.x509.GeneralSubtree
 * @see org.apache.harmony.security.x509.GeneralName
 */
public final class NameConstraints extends ExtensionValue {
    /** the value of permittedSubtrees field of the structure */
    private final GeneralSubtrees permittedSubtrees;
    /** the value of excludedSubtrees field of the structure */
    private final GeneralSubtrees excludedSubtrees;
    /** the ASN.1 encoded form of NameConstraints */
    private byte[] encoding;

    private ArrayList<GeneralName>[] permitted_names;
    private ArrayList<GeneralName>[] excluded_names;

    /**
     * Constructs <code>NameConstrains</code> object
     */
    public NameConstraints(GeneralSubtrees permittedSubtrees,
                           GeneralSubtrees excludedSubtrees) {
        if (permittedSubtrees != null) {
            List<GeneralSubtree> ps = permittedSubtrees.getSubtrees();
            if (ps == null || ps.isEmpty()) {
                throw new IllegalArgumentException("permittedSubtrees are empty");
            }
        }
        if (excludedSubtrees != null) {
            List<GeneralSubtree> es = excludedSubtrees.getSubtrees();
            if (es == null || es.isEmpty()) {
                throw new IllegalArgumentException("excludedSubtrees are empty");
            }
        }
        this.permittedSubtrees = permittedSubtrees;
        this.excludedSubtrees = excludedSubtrees;
    }

    private NameConstraints(GeneralSubtrees permittedSubtrees,
                            GeneralSubtrees excludedSubtrees, byte[] encoding) {
        this(permittedSubtrees, excludedSubtrees);
        this.encoding = encoding;
    }

    public static NameConstraints decode(byte[] encoding) throws IOException {
        return (NameConstraints) ASN1.decode(encoding);
    }

    @Override public byte[] getEncoded() {
        if (encoding == null) {
            encoding = ASN1.encode(this);
        }
        return encoding;
    }

    /**
     * Prepare the data structure to speed up the checking process.
     */
    private void prepareNames() {
        // array of lists with permitted General Names divided by type
        permitted_names = new ArrayList[9];
        if (permittedSubtrees != null) {
            for (GeneralSubtree generalSubtree : permittedSubtrees.getSubtrees()) {
                GeneralName name = generalSubtree.getBase();
                int tag = name.getTag();
                if (permitted_names[tag] == null) {
                    permitted_names[tag] = new ArrayList<GeneralName>();
                }
                permitted_names[tag].add(name);
            }
        }
        // array of lists with excluded General Names divided by type
        excluded_names = new ArrayList[9];
        if (excludedSubtrees != null) {
            for (GeneralSubtree generalSubtree : excludedSubtrees.getSubtrees()) {
                GeneralName name = generalSubtree.getBase();
                int tag = name.getTag();
                if (excluded_names[tag] == null) {
                    excluded_names[tag] = new ArrayList<GeneralName>();
                }
                excluded_names[tag].add(name);
            }
        }
    }

    /**
     * Returns the value of certificate extension
     */
    private byte[] getExtensionValue(X509Certificate cert, String OID) {
        try {
            byte[] bytes = cert.getExtensionValue(OID);
            if (bytes == null) {
                return null;
            }
            return (byte[]) ASN1OctetString.getInstance().decode(bytes);
        } catch (IOException e) {
            return null;
        }
    }

    /**
     * Apply the name restrictions specified by this NameConstraints
     * instance to the subject distinguished name and subject alternative
     * names of specified X509Certificate. Restrictions apply only
     * if specified name form is present in the certificate.
     * The restrictions are applied according the RFC 3280
     * (see 4.2.1.11 Name Constraints), excepting that restrictions are applied
     * and to CA certificates, and to certificates which issuer and subject
     * names the same (i.e. method does not check if it CA's certificate or not,
     * or if the names differ or not. This check if it is needed should be done
     * by caller before calling this method).
     * @param   cert X.509 Certificate to be checked.
     * @return  true if the certificate is acceptable according
     *          these NameConstraints restrictions
     */
    public boolean isAcceptable(X509Certificate cert) {
        if (permitted_names == null) {
            prepareNames();
        }

        byte[] bytes = getExtensionValue(cert, "2.5.29.17");
        List<GeneralName> names;
        try {
            names = (bytes == null)
                ? new ArrayList<GeneralName>(1) // will check the subject field only
                : ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
        } catch (IOException e) {
            // the certificate is broken;
            e.printStackTrace();
            return false;
        }
        if ((excluded_names[4] != null) || (permitted_names[4] != null)) {
            try {
                names.add(new GeneralName(4,
                        cert.getSubjectX500Principal().getName()));
            } catch (IOException e) {
                // should never be happened
            }
        }
        return isAcceptable(names);
    }

    /**
     * Check if this list of names is acceptable according to this
     * NameConstraints object.
     */
    public boolean isAcceptable(List<GeneralName> names) {
        if (permitted_names == null) {
            prepareNames();
        }

        // check map: shows which types of permitted alternative names are
        // presented in the certificate
        boolean[] types_presented = new boolean[9];
        // check map: shows if permitted name of presented type is found
        // among the certificate's alternative names
        boolean[] permitted_found = new boolean[9];
        for (GeneralName name : names) {
            int type = name.getTag();
            // search the name in excluded names
            if (excluded_names[type] != null) {
                for (int i = 0; i < excluded_names[type].size(); i++) {
                    if (excluded_names[type].get(i).isAcceptable(name)) {
                        return false;
                    }
                }
            }
            // Search the name in permitted names
            // (if we already found the name of such type between the alt
            // names - we do not need to check others)
            if ((permitted_names[type] != null) && (!permitted_found[type])) {
                types_presented[type] = true;
                for (int i = 0; i < permitted_names[type].size(); i++) {
                    if (permitted_names[type].get(i).isAcceptable(name)) {
                        // found one permitted name of such type
                        permitted_found[type] = true;
                    }
                }
            }
        }
        for (int type = 0; type < 9; type++) {
            if (types_presented[type] && !permitted_found[type]) {
                return false;
            }
        }
        return true;
    }

    @Override public void dumpValue(StringBuilder sb, String prefix) {
        sb.append(prefix).append("Name Constraints: [\n");
        if (permittedSubtrees != null) {
            sb.append(prefix).append("  Permitted: [\n");
            for (GeneralSubtree generalSubtree : permittedSubtrees.getSubtrees()) {
                generalSubtree.dumpValue(sb, prefix + "    ");
            }
            sb.append(prefix).append("  ]\n");
        }
        if (excludedSubtrees != null) {
            sb.append(prefix).append("  Excluded: [\n");
            for (GeneralSubtree generalSubtree : excludedSubtrees.getSubtrees()) {
                generalSubtree.dumpValue(sb, prefix + "    ");
            }
            sb.append(prefix).append("  ]\n");
        }
        sb.append('\n').append(prefix).append("]\n");
    }

    /**
     * X.509 NameConstraints encoder/decoder.
     */
    public static final ASN1Sequence ASN1 = new ASN1Sequence(new ASN1Type[] {
            new ASN1Implicit(0, GeneralSubtrees.ASN1),
            new ASN1Implicit(1, GeneralSubtrees.ASN1) }) {
        {
            setOptional(0);
            setOptional(1);
        }

        @Override protected Object getDecodedObject(BerInputStream in) {
            Object[] values = (Object[]) in.content;
            return new NameConstraints(
                    (GeneralSubtrees) values[0],
                    (GeneralSubtrees) values[1],
                    in.getEncoded());
        }

        @Override protected void getValues(Object object, Object[] values) {
            NameConstraints nc = (NameConstraints) object;
            values[0] = nc.permittedSubtrees;
            values[1] = nc.excludedSubtrees;
        }
    };
}