/*

* Copyright (c) 2008-2009 Nokia Corporation and/or its subsidiary(-ies).

* All rights reserved.

* This component and the accompanying materials are made available

* under the terms of "Eclipse Public License v1.0"

* which accompanies this distribution, and is available

* at the URL "http://www.eclipse.org/legal/epl-v10.html".

*

* Initial Contributors:

* Nokia Corporation - initial contribution.

*

* Contributors:

*

* Description:   IKEv2 specifig certificate reading related stuff

*

*/

#include <x500dn.h>

#include <x509cert.h>

#include <asn1dec.h>

#include "ikev2pkiservice.h"

#include "utlcrypto.h"

#include "ikecert.h"

#include "ikecaelem.h"

#include "ikecalist.h"

#include "ikedebug.h"

#include "ikepolparser.h"

#include "ikev2const.h"

#include "ikecertconst.h"

//

// CIkePkiService Class

//

_LIT8(KEmptyString, "");

const TInt KDefaultCertificateBufferSize = 2048;

//

//  Certificate field indicators for GetCertificateFieldDERL()

//

#ifdef _DEBUG

#define SET_ACTIVE DEBUG_LOG2(_L("CIkeV2PkiService::SetActive (0x%x) %d\n"), this, __LINE__);\

                   SetActive()

#else

#define SET_ACTIVE SetActive()

#endif 

EXPORT_C CIkeV2PkiService* CIkeV2PkiService::NewL(MIkeV2PkiServiceObserver& aObserver, MIkeDebug& aDebug)

    {     

    CIkeV2PkiService* self = new (ELeave) CIkeV2PkiService(aObserver, aDebug);

    CleanupStack::PushL(self);

    self->ConstructL();

    CleanupStack::Pop(self);

    return self;

    }

CIkeV2PkiService::CIkeV2PkiService(MIkeV2PkiServiceObserver& aObserver, MIkeDebug& aDebug)

    :CActive(EPriorityStandard),  

    iObserver(aObserver),

    iDebug(aDebug),

    iState(EPkiServiceIdle),     

    iCertPtr(NULL, 0)

    {

    CActiveScheduler::Add(this);

    }

void CIkeV2PkiService::ConstructL()

    {    

    User::LeaveIfError(iPkiService.Connect());

    iTrustedCAList   = new (ELeave) CIkeCaList(2);

    iReadCertificate = HBufC8::NewL(KDefaultCertificateBufferSize);

    iCertPtr.Set(iReadCertificate->Des());

    //The code assumes that these are not NULL.

    //Reallocated, when needed

    iSubjName = HBufC8::NewL(2);      

    iRfc822Name = HBufC8::NewL(2);              

    }

EXPORT_C CIkeV2PkiService::~CIkeV2PkiService()

    {

	Cancel();

    delete iUserCertificate;

    delete i1Certificate;

    delete i2Certificate;

    delete i2CertificateName;

	delete iTrustedCAList;

    iCasTrustedByPeer.Reset();

    iCasTrustedByPeer.Close();

	delete iCaName;

	delete iReadCertificate;

	delete iSubjName;

	delete iRfc822Name;

	iPkiService.Close();	

    }

void CIkeV2PkiService::DoCancel()

    {

    iPkiService.CancelPendingOperation();    

    iState = EPkiServiceIdle;

    delete iCaName;

    iCaName = NULL;

    __ASSERT_DEBUG(iReadCertificate != NULL, User::Invariant());

    iReadCertificate->Des().Zero();

    __ASSERT_DEBUG(iSubjName != NULL, User::Invariant());

    iSubjName->Des().Zero();

    __ASSERT_DEBUG(iRfc822Name != NULL, User::Invariant());

    iRfc822Name->Des().Zero();

    iCasTrustedByPeer.Reset();    

    delete iIkeDataCAList;		

    iIkeDataCAList = NULL;

    iTrustedCAList->ResetAndDestroy();

    }

TInt CIkeV2PkiService::RunError(TInt /*aError*/)

    {    

    //Currently RunL may leave.

    //But we seem to ignore the possible leave.

	return KErrNone; 

    }

EXPORT_C void CIkeV2PkiService::ReadTrustedUserCertificateL()

    {    

    __ASSERT_ALWAYS(!IsActive(), User::Invariant());

    __ASSERT_ALWAYS(iTrustedCAList != NULL, User::Invariant());    

    __ASSERT_ALWAYS(iIkeData->iOwnCert.iOwnCertExists, User::Invariant());

    iCasTrustedByPeer.Reset();

	for (TInt i = 0; i < iTrustedCAList->Count(); ++i)

	    {		    

        CIkeCaElem* caElem = (*iTrustedCAList)[i];

        User::LeaveIfError(iCasTrustedByPeer.Append(caElem));

	    }

    iState = EReadingCertificate;

    if (iTrustedCAList->Count() > 0)

        {

        CIkeCaElem* CaElem = iCasTrustedByPeer[0];	                   

        HBufC8* caName = IkeCert::GetCertificateFieldDERL(CaElem->Certificate(), KSubjectName);

        if (caName == NULL)

            {

            User::Leave(KErrArgument);

            }

        delete iCaName;

        iCaName = caName;

        ReadUserCertificateL(*iCaName, EFalse);

        }

    else

        {

        //No CA's found.

        //We can't read anything

        User::Leave(KErrNotFound);

        }

    }

EXPORT_C TInt CIkeV2PkiService::Ikev2SignatureL(const TDesC8& aTrustedAuthority, 

                                                const TOwnCertInfo& aOwnCertInfo, 

                                                const TDesC8& aMsgOctets, 

                                                TDes8& aSignature, TUint8 aAuthMeth)

    {

    __ASSERT_ALWAYS(!IsActive(), User::Invariant());	

	TPKIKeyAlgorithm keyAlgorithm = EPKIRSA;	

    TInt length = aOwnCertInfo.iSubjectDnSuffix.Length();

    if ( length )

        {

        delete iSubjName;

        iSubjName = NULL;

        iSubjName = HBufC8::NewL(length);  	   			 

        iSubjName->Des().Copy(aOwnCertInfo.iSubjectDnSuffix);		

        }

    else 

        {

        iSubjName->Des().Zero();

        } 

    length = aOwnCertInfo.iRfc822NameFqdn.Length();

    if ( length )

        {

        delete iRfc822Name;

        iRfc822Name = NULL;

        iRfc822Name = HBufC8::NewL(length);  	   			 

        iRfc822Name->Des().Copy(aOwnCertInfo.iRfc822NameFqdn);        	 

        }

    else

        {

        iRfc822Name->Des().Zero();

        }

	//

	// Build PKCS1v15 format signature (ASN1 encoded) for RSA and SHA1 for DSA

	//

	CUtlMessageDigest* digest = TUtlCrypto::MakeMessageDigesterL(TUtlCrypto::EUtlMessageDigestSha1);

	CleanupStack::PushL(digest);

	HBufC8* asn1EncodedHash =NULL;

	HBufC8* DSSHash = NULL;

	switch( aAuthMeth )

		{

			case RSA_DIGITAL_SIGN:

				asn1EncodedHash = IkeCert::BuildPkcs1v15HashL(digest->Final(aMsgOctets));

				User::LeaveIfNull(asn1EncodedHash);

	    		CleanupStack::PopAndDestroy(digest);

    			CleanupStack::PushL(asn1EncodedHash);

    			User::LeaveIfError(iPkiService.Sign(aTrustedAuthority, *iSubjName, *iRfc822Name, 

		                                    		EX509DigitalSignature, aOwnCertInfo.iPrivateKeyLength, 

	                                    			keyAlgorithm, *asn1EncodedHash, aSignature));

   				CleanupStack::PopAndDestroy(asn1EncodedHash);

   				DEBUG_LOG(_L("Signing Auth data using RSA key."));

   				break;

			case DSS_DIGITAL_SIGN:

				DSSHash = HBufC8::New(20);

				DSSHash->Des().Append(digest->Final(aMsgOctets));

				CleanupStack::PopAndDestroy(digest);

    			CleanupStack::PushL(DSSHash);

				User::LeaveIfError(iPkiService.Sign(aTrustedAuthority, *iSubjName, *iRfc822Name, 

		                                    EX509DigitalSignature, aOwnCertInfo.iPrivateKeyLength, 

	                                    	keyAlgorithm, *DSSHash, aSignature));

   				CleanupStack::PopAndDestroy(DSSHash);

   				DEBUG_LOG(_L("Signing Auth data using DSA key."));

   				break;

   			default:

   				DEBUG_LOG1(_L("Authentication method %d not supported when using digital signatures."), aAuthMeth);

   				User::Leave(KErrNotSupported);

   				break;			

		}

	return aSignature.Length();

    }	 

EXPORT_C const CIkeCaList& CIkeV2PkiService::CaList() const

    {

    return *iTrustedCAList;

    }

EXPORT_C const TDesC8& CIkeV2PkiService::UserCertificateData() const 

    {    

    if (iUserCertificate != NULL)

        {

        return *iUserCertificate;

        }

    else

        {

        return KEmptyString;

        }

    }

EXPORT_C const TDesC8& CIkeV2PkiService::I2CertificateData() const 

    {    

    if (i2Certificate != NULL)

        {

        return *i2Certificate;

        }

    else

        {

        return KEmptyString;

        }

    }

EXPORT_C const TDesC8& CIkeV2PkiService::I1CertificateData() const 

    {    

    if (i1Certificate != NULL)

        {

        return *i1Certificate;

        }

    else

        {

        return KEmptyString;

        }

    }

EXPORT_C const TDesC8& CIkeV2PkiService::TrustedCaName() const

    {

    if ( i2CertificateName != NULL )

        {

        return *i2CertificateName;

        }

    if (iCaName != NULL)

        {

        return *iCaName;

        }

    else

        {

        return KEmptyString;

        }

    }               				

void CIkeV2PkiService::ReadUserCertificateL(const TDesC8& aTrustedAuthority, TBool aGetCACert)

    {

    __ASSERT_DEBUG(iReadCertificate != NULL, User::Invariant());

   //

   // Read certificate from PKI store using pkiserviceapi

   //  

	TPKIKeyAlgorithm keyAlgorithm = EPKIRSA; 

	TPKICertificateOwnerType ownerType; 	

	TUint keySize = 0;

	 if ( aGetCACert )

	    {

	        ownerType = EPKICACertificate;

	        //Init CA cert ident data.

	        //aTrustedAuthority (issuer) checking for CA certs is not supported.

	        //__ASSERT_ALWAYS(aTrustedAuthority.Length() == 0, User::Invariant());

	        if ( aTrustedAuthority.Length() == 0 )

	            {

	            delete iSubjName;

	            iSubjName = NULL;

	            iSubjName = iCaName->AllocL();

	            iRfc822Name->Des().Zero();

	            } 

	     }

	 else

	     {

	     ownerType = EPKIUserCertificate;	    

	     TInt length = iIkeData->iOwnCert.iSubjectDnSuffix.Length();

	     if ( length )

	         {

	         delete iSubjName;

	         iSubjName = NULL;

	         iSubjName = HBufC8::NewL(length);  	   			 

	         iSubjName->Des().Copy(iIkeData->iOwnCert.iSubjectDnSuffix);		

	         }

	     else 

	         {

	         iSubjName->Des().Zero();

	         } 

	     length = iIkeData->iOwnCert.iRfc822NameFqdn.Length();

	     if ( length )

	         {

	         delete iRfc822Name;

	         iRfc822Name = NULL;

	         iRfc822Name = HBufC8::NewL(length);  	   			 

	         iRfc822Name->Des().Copy(iIkeData->iOwnCert.iRfc822NameFqdn);        	 

	         }

	     else

	         {

	         iRfc822Name->Des().Zero();

	         }

	     keySize = iIkeData->iOwnCert.iPrivateKeyLength;

	     }

	iPkiService.ReadCertificateL(aTrustedAuthority,

	                              *iSubjName, *iRfc822Name,

			                      ownerType, keySize,

			                      keyAlgorithm, iCertPtr,

			                      &iResArray, iStatus);

    SET_ACTIVE;

    }	 

void CIkeV2PkiService::CIkeV2PkiServiceApplUidArrayCleanup(TAny* any)

    {

    RArray<TUid>* applUidList = reinterpret_cast<RArray<TUid>*>(any);

    applUidList->Reset();

    applUidList->Close();

    delete applUidList;    

    }

void CIkeV2PkiService::RunL()

    {   

    DEBUG_LOG1(_L("CIkeV2PkiService::RunL: Status %d"), iStatus.Int());

	//

	// A PKI service operation completed. Take actions according to

	// iOperation code

	//

    TInt err = KErrNone;

	TInt status = iStatus.Int();				

    iPkiService.Finalize(iResArray);

    iResArray = NULL;

	switch ( iState )

	    {

		case EBuildingCaList:

            TRAP(err, BuildingCaListRunL());

            break;				

		case EReadingCertificate:

		    TRAP(err, ReadUserCertificateRunL());

			break;

		case EReadingCertificateChain:

		    TRAP(err, ReadCertificateChainRunL());

		    break;

		default:

		    DEBUG_LOG(_L("RunL called in unknown state"));

		    User::Invariant();

			break;

	    }	

	if ( err != KErrNone )

	    {	

	    DEBUG_LOG(_L("Operation completed. Signalling observer."));

        SignalObserverL(err);

	    }   

    }

void CIkeV2PkiService::ReadUserCertificateRunL()

    {        

	//

	// A Certificate has been read PKI store.

	// Build X509 certificate object from certificate data

	//

	switch(iStatus.Int())

	    {

	    case KErrNone:	        

	        iUserCertificate = iReadCertificate->AllocL();

	        iReadCertificate->Des().Zero();

	        SignalObserverL(KErrNone);            

	        break;

	    case KPKIErrBufferTooShort:

		    {	

            //

            // Allocate a new buffer for ASN1 coded certificate read from PKI store

            // Buffer size is now asked from pkiserviceapi 

            //            

            TInt realCertSize;        

            User::LeaveIfError(iPkiService.GetRequiredBufferSize(realCertSize));

            delete iReadCertificate;

            iReadCertificate = NULL;

            iReadCertificate = HBufC8::NewL(realCertSize);

            iCertPtr.Set(iReadCertificate->Des());

            ReadUserCertificateL(*iCaName, EFalse);

		    }

	        break;

	    case KPKIErrNotFound:

	        {	            

            //

            // Get next user certificate from PKI store using either Key

            // identifier or CA name as read argument

            //                                    

            iCasTrustedByPeer.Remove(0);

            if ( iCasTrustedByPeer.Count() > 0 )

                {

                CIkeCaElem* CaElem = iCasTrustedByPeer[0];	                                   

                HBufC8* caName = IkeCert::GetCertificateFieldDERL(CaElem->Certificate(), KSubjectName);

                if (caName == NULL)

                    {

                    User::Leave(KErrArgument);

                    }

                delete iCaName;

                iCaName = caName;

                caName=NULL;

                delete caName;

                ReadUserCertificateL(*iCaName, EFalse);

                }	   

            else

                {

                User::Leave(KErrNotFound);

                }

	        }

            break;

	    case KErrNotFound:

	        ReadCertificateChainL();

	        break;

        default:

            User::Leave(iStatus.Int());

            break;            

	    }

    }    

void CIkeV2PkiService::BuildingCaListRunL()

    {       

    switch(iStatus.Int())

        {

        case KErrNone:

            {                        

            iIkeDataCAList->Delete(0);     

    	    ASSERT(iReadCertificate);

    		HBufC8* caCert = iReadCertificate; // Link CA buffer to CIkeCaElem

    		CleanupStack::PushL(caCert);		

    		iReadCertificate = NULL;    		

    		iReadCertificate = HBufC8::NewL(KDefaultCertificateBufferSize);

    		iCertPtr.Set(iReadCertificate->Des());

     		CIkeCaElem* caElem = CIkeCaElem::NewL(caCert);