/*

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.IOException;

import java.net.URI;

import java.net.URISyntaxException;

import java.security.AccessController;

import java.security.cert.X509Certificate;

import sun.security.provider.certpath.CertId;

import sun.security.provider.certpath.OCSP;

import sun.security.provider.certpath.OCSPResponse;

import sun.security.provider.certpath.ResponderId;

import sun.security.util.Cache;

import sun.security.x509.PKIXExtensions;

import sun.security.x509.SerialNumber;

final class StatusResponseManager {

    private static final int DEFAULT_CORE_THREADS = 8;

    private static final int DEFAULT_CACHE_SIZE = 256;

    private final ScheduledThreadPoolExecutor threadMgr;

    private final Cache<CertId, ResponseCacheEntry> responseCache;

    private final URI defaultResponder;

    private final boolean respOverride;

    private final int cacheCapacity;

    private final int cacheLifetime;

    private final boolean ignoreExtensions;

    /**

     * Create a StatusResponseManager with default parameters.

     */

    StatusResponseManager() {

        int cap = AccessController.doPrivileged(

                new GetIntegerAction("jdk.tls.stapling.cacheSize",

                    DEFAULT_CACHE_SIZE));

        cacheCapacity = cap > 0 ? cap : 0;

        int life = AccessController.doPrivileged(

                new GetIntegerAction("jdk.tls.stapling.cacheLifetime",

                    DEFAULT_CACHE_LIFETIME));

        cacheLifetime = life > 0 ? life : 0;

        String uriStr = GetPropertyAction

                .privilegedGetProperty("jdk.tls.stapling.responderURI");

        URI tmpURI;

        try {

            tmpURI = ((uriStr != null && !uriStr.isEmpty()) ?

                    new URI(uriStr) : null);

        } catch (URISyntaxException urise) {

            tmpURI = null;

        }

        defaultResponder = tmpURI;

        respOverride = AccessController.doPrivileged(

                new GetBooleanAction("jdk.tls.stapling.responderOverride"));

        ignoreExtensions = AccessController.doPrivileged(

                new GetBooleanAction("jdk.tls.stapling.ignoreExtensions"));

        threadMgr = new ScheduledThreadPoolExecutor(DEFAULT_CORE_THREADS,

                new ThreadFactory() {

            @Override

            public Thread newThread(Runnable r) {

                Thread t = Executors.defaultThreadFactory().newThread(r);

                t.setDaemon(true);

                return t;

            }

        }, new ThreadPoolExecutor.DiscardPolicy());

        threadMgr.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);

        threadMgr.setKeepAliveTime(5000, TimeUnit.MILLISECONDS);

        threadMgr.allowCoreThreadTimeOut(true);

    }

    /**

     * Get the current cache lifetime setting

     *

     * @return the current cache lifetime value

     */

    int getCacheLifetime() {

        return cacheLifetime;

    }

    /**

     * Get the current maximum cache size.

     *

     * @return the current maximum cache size

     */

    int getCacheCapacity() {

        return cacheCapacity;

    }

    /**

     * Get the default OCSP responder URI, if previously set.

     *

     * @return the current default OCSP responder URI, or {@code null} if

     *      it has not been set.

     */

    URI getDefaultResponder() {

        return defaultResponder;

    }

    /**

     * Get the URI override setting

     *

     * @return {@code true} if URI override has been set, {@code false}

     * otherwise.

     */

    boolean getURIOverride() {

        return respOverride;

    }

    /**

     * Get the ignore extensions setting.

     *

     * @return {@code true} if the {@code StatusResponseManager} will not

     */

    boolean getIgnoreExtensions() {

        return ignoreExtensions;

    }

    /**

     * Clear the status response cache

     */

    void clear() {

        responseCache.clear();

    }

    /**

     * Returns the number of currently valid objects in the response cache.

     *

     * @return the number of valid objects in the response cache.

     */

    int size() {

        return responseCache.size();

    }

    /**

     * This method takes into account not only the AIA extension from a

     * certificate to be checked, but also any default URI and possible

     * override settings for the response manager.

     *

     * @param cert the subject to get the responder URI from

     *

     *

     * @throws NullPointerException if {@code cert} is {@code null}.

     */

    URI getURI(X509Certificate cert) {

        Objects.requireNonNull(cert);

        if (cert.getExtensionValue(

                PKIXExtensions.OCSPNoCheck_Id.toString()) != null) {

            return null;

        } else if (defaultResponder != null && respOverride) {

            return defaultResponder;

        } else {

            URI certURI = OCSP.getResponderURI(cert);

            return (certURI != null ? certURI : defaultResponder);

        }

    }

    /**

     * Shutdown the thread pool

     */

    void shutdown() {

        threadMgr.shutdown();

    }

    /**

     * Get a list of responses for a chain of certificates.

     *

     * @param type the type of request being made of the

     *      {@code StatusResponseManager}

     * @param delay the number of time units to delay before returning

     *      responses.

     * @param unit the unit of time applied to the {@code delay} parameter

     *

     * @return an unmodifiable {@code Map} containing the certificate and

     *      its usually

     *

     */

            TimeUnit unit) {

        Map<X509Certificate, byte[]> responseMap = new HashMap<>();

        List<OCSPFetchCall> requestList = new ArrayList<>();

                chain.length);

        // It is assumed that the caller has ordered the certs in the chain

        // in the proper order (each certificate is issued by the next entry

        // in the provided chain).

        if (chain.length < 2) {

            return Collections.emptyMap();

        }

            try {

                // For type OCSP, we only check the end-entity certificate

                OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;

                CertId cid = new CertId(chain[1],

                        new SerialNumber(chain[0].getSerialNumber()));

                ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq);

                if (cacheEntry != null) {

                    responseMap.put(chain[0], cacheEntry.ocspBytes);

                } else {

                    StatusInfo sInfo = new StatusInfo(chain[0], cid);

                    requestList.add(new OCSPFetchCall(sInfo, ocspReq));

                }

            } catch (IOException exc) {

            }

            // For type OCSP_MULTI, we check every cert in the chain that

            OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;

            int ctr;

            for (ctr = 0; ctr < chain.length - 1; ctr++) {

                try {

                    CertId cid = new CertId(chain[ctr + 1],

                    if (cacheEntry != null) {

                        responseMap.put(chain[ctr], cacheEntry.ocspBytes);

                    } else {

                        StatusInfo sInfo = new StatusInfo(chain[ctr], cid);

                        requestList.add(new OCSPFetchCall(sInfo, ocspReq));

                    }

                } catch (IOException exc) {

                }

            }

        } else {

        }

        // If we were able to create one or more Fetches, go and run all

        // of them in separate threads.  For all the threads that completed

        if (!requestList.isEmpty()) {

            try {

                // Set a bunch of threads to go do the fetching

                List<Future<StatusInfo>> resultList =

                        threadMgr.invokeAll(requestList, delay, unit);

                // Go through the Futures and from any non-cancelled task,

                // get the bytes and attach them to the responseMap.

                for (Future<StatusInfo> task : resultList) {

                        }

                    }

                }

            } catch (InterruptedException | ExecutionException exc) {

                // Not sure what else to do here

            }

        }

        return Collections.unmodifiableMap(responseMap);

    }

    /**

     * Check the cache for a given {@code CertId}.

     *

     * @param cid the CertId of the response to look up

     * @param ocspRequest the OCSP request structure sent by the client

     *      in the TLS status_request[_v2] hello extension.

     *

     * @return the {@code ResponseCacheEntry} for a specific CertId, or

     *      {@code null} if it is not found or a nonce extension has been

     *      requested by the caller.

     */

    private ResponseCacheEntry getFromCache(CertId cid,

            OCSPStatusRequest ocspRequest) {

        // Determine if the nonce extension is present in the request.  If

        // so, then do not attempt to retrieve the response from the cache.

                return null;

            }

        }

        ResponseCacheEntry respEntry = responseCache.get(cid);

        // If the response entry has a nextUpdate and it has expired

        // before the cache expiration, purge it from the cache

        // and do not return it as a cache hit.

        if (respEntry != null && respEntry.nextUpdate != null &&

                respEntry.nextUpdate.before(new Date())) {

            respEntry = null;

        }

        return respEntry;

    }

    @Override

    public String toString() {

        StringBuilder sb = new StringBuilder("StatusResponseManager: ");

        sb.append("Core threads: ").append(threadMgr.getCorePoolSize());

        sb.append(", Cache timeout: ");

        if (cacheLifetime > 0) {

            sb.append(cacheLifetime).append(" seconds");

        } else {

            sb.append(" indefinite");

        }

        sb.append(", Cache MaxSize: ");

        if (cacheCapacity > 0) {

            sb.append(cacheCapacity).append(" items");

        } else {

            sb.append(" unbounded");

        }

        sb.append(", Default URI: ");

        if (defaultResponder != null) {

            sb.append(defaultResponder);

        } else {

            sb.append("NONE");

        }

        return sb.toString();

    }

    /**

     * Inner class used to group request and response data.

     */

    class StatusInfo {

        final X509Certificate cert;

        final CertId cid;

        final URI responder;

        ResponseCacheEntry responseData;

        /**

         * Create a StatusInfo object from certificate data.

         *

         * @param subjectCert the certificate to be checked for revocation

         * @param issuerCert the issuer of the {@code subjectCert}

         *

         */

        StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert)

                throws IOException {

            this(subjectCert, new CertId(issuerCert,

                    new SerialNumber(subjectCert.getSerialNumber())));

        }

        /**

         * Create a StatusInfo object from an existing subject certificate

         * and its corresponding CertId.

         *

         * @param subjectCert the certificate to be checked for revocation

         * @param cid the CertId for {@code subjectCert}

         */

        StatusInfo(X509Certificate subjectCert, CertId certId) {

            cert = subjectCert;

            cid = certId;

            responder = getURI(cert);

            responseData = null;

        }

        /**

         * Copy constructor (used primarily for rescheduling).

         * This will do a member-wise copy with the exception of the

         * responseData and extensions fields, which should not persist

         * in a rescheduled fetch.

         *

         * @param orig the original {@code StatusInfo}

         */

        StatusInfo(StatusInfo orig) {

            this.cert = orig.cert;

            this.cid = orig.cid;

            this.responder = orig.responder;

            this.responseData = null;

        }

        /**

         * Return a String representation of the {@code StatusInfo}

         *

         * @return a {@code String} representation of this object

         */

        @Override