package com.fsck.k9.mail.ssl;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.commons.io.IOUtils;
import timber.log.Timber;


public class LocalKeyStore {
    private static final int KEY_STORE_FILE_VERSION = 1;

    private static String sKeyStoreLocation;

    public static void setKeyStoreLocation(String directory) {
        sKeyStoreLocation = directory;
    }

    private static class LocalKeyStoreHolder {
        static final LocalKeyStore INSTANCE = new LocalKeyStore();
    }

    public static LocalKeyStore getInstance() {
        return LocalKeyStoreHolder.INSTANCE;
    }


    private File mKeyStoreFile;
    private KeyStore mKeyStore;


    private LocalKeyStore() {
        try {
            upgradeKeyStoreFile();
            setKeyStoreFile(null);
        } catch (CertificateException e) {
            /*
             * Can happen if setKeyStoreLocation(String directory) has not been
             * called before the first call to getInstance(). Not necessarily an
             * error, presuming setKeyStoreFile(File) is called next with a
             * non-null File.
             */
            Timber.w("Local key store has not been initialized");
        }
    }

    /**
     * Reinitialize the local key store with certificates contained in
     * {@code file}
     *
     * @param file
     *            {@link File} containing locally saved certificates. May be 0
     *            length, in which case it is deleted and recreated. May be
     *            {@code null}, in which case a default file location is used.
     * @throws CertificateException
     *            Occurs if {@code file == null} and
     *            {@code setKeyStoreLocation(directory)} was not called previously.
     */
    public synchronized void setKeyStoreFile(File file) throws CertificateException {
        if (file == null) {
            file = new File(getKeyStoreFilePath(KEY_STORE_FILE_VERSION));
        }
        if (file.length() == 0) {
            /*
             * The file may be empty (e.g., if it was created with
             * File.createTempFile). We can't pass an empty file to
             * Keystore.load. Instead, we let it be created anew.
             */
            if (file.exists() && !file.delete()) {
                Timber.d("Failed to delete empty keystore file: %s", file.getAbsolutePath());
            }
        }

        FileInputStream fis = null;
        try {
            fis = new FileInputStream(file);
        } catch (FileNotFoundException e) {
            // If the file doesn't exist, that's fine, too
        }

        try {
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            store.load(fis, "".toCharArray());
            mKeyStore = store;
            mKeyStoreFile = file;
        } catch (Exception e) {
            Timber.e(e, "Failed to initialize local key store");
            // Use of the local key store is effectively disabled.
            mKeyStore = null;
            mKeyStoreFile = null;
        } finally {
            IOUtils.closeQuietly(fis);
        }
    }

    public synchronized void addCertificate(String host, int port,
            X509Certificate certificate) throws CertificateException {
        if (mKeyStore == null) {
            throw new CertificateException(
                    "Certificate not added because key store not initialized");
        }
        try {
            mKeyStore.setCertificateEntry(getCertKey(host, port), certificate);
        } catch (KeyStoreException e) {
            throw new CertificateException(
                    "Failed to add certificate to local key store", e);
        }
        writeCertificateFile();
    }

    private void writeCertificateFile() throws CertificateException {
        java.io.OutputStream keyStoreStream = null;
        try {
            keyStoreStream = new java.io.FileOutputStream(mKeyStoreFile);
            mKeyStore.store(keyStoreStream, "".toCharArray());
        } catch (FileNotFoundException e) {
            throw new CertificateException("Unable to write KeyStore: "
                    + e.getMessage());
        } catch (CertificateException e) {
            throw new CertificateException("Unable to write KeyStore: "
                    + e.getMessage());
        } catch (IOException e) {
            throw new CertificateException("Unable to write KeyStore: "
                    + e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Unable to write KeyStore: "
                    + e.getMessage());
        } catch (KeyStoreException e) {
            throw new CertificateException("Unable to write KeyStore: "
                    + e.getMessage());
        } finally {
            IOUtils.closeQuietly(keyStoreStream);
        }
    }

    public synchronized boolean isValidCertificate(Certificate certificate,
            String host, int port) {
        if (mKeyStore == null) {
            return false;
        }
        Certificate storedCert = null;
        try {
            storedCert = mKeyStore.getCertificate(getCertKey(host, port));
            return (storedCert != null && storedCert.equals(certificate));
        } catch (KeyStoreException e) {
            return false;
        }
    }

    private static String getCertKey(String host, int port) {
        return host + ":" + port;
    }

    public synchronized void deleteCertificate(String oldHost, int oldPort) {
        if (mKeyStore == null) {
            return;
        }
        try {
            mKeyStore.deleteEntry(getCertKey(oldHost, oldPort));
            writeCertificateFile();
        } catch (KeyStoreException e) {
            // Ignore: most likely there was no cert. found
        } catch (CertificateException e) {
            Timber.e(e, "Error updating the local key store file");
        }
    }

    private void upgradeKeyStoreFile() throws CertificateException {
        if (KEY_STORE_FILE_VERSION > 0) {
            // Blow away version "0" because certificate aliases have changed.
            File versionZeroFile = new File(getKeyStoreFilePath(0));
            if (versionZeroFile.exists() && !versionZeroFile.delete()) {
                Timber.d("Failed to delete old key-store file: %s", versionZeroFile.getAbsolutePath());
            }
        }
    }

    private String getKeyStoreFilePath(int version) throws CertificateException {
        if (sKeyStoreLocation == null) {
            throw new CertificateException("Local key store location has not been initialized");
        }
        if (version < 1) {
            return sKeyStoreLocation + File.separator + "KeyStore.bks";
        } else {
            return sKeyStoreLocation + File.separator + "KeyStore_v" + version + ".bks";
        }
    }
}