<%@page import="javax.naming.InitialContext"%>
<%@page import="java.security.KeyStore"%>
<%@page import="java.lang.reflect.Method"%>
<%@page import="java.security.cert.Certificate"%>
<%@page import="iaik.x509.X509Certificate"%>
<%@page import="iaik.asn1.structures.Name"%>
<%@page import="iaik.asn1.structures.GeneralNames"%>
<%@page import="iaik.asn1.structures.GeneralName"%>
<%@page import="iaik.utils.Util" %> 
<%@page import="iaik.asn1.DerCoder"%> 
<%@page import="iaik.asn1.ObjectID"%>
<%@page import="com.sap.engine.services.configuration.appconfiguration.*"%>
<%@page import="java.util.Properties"%>
<%@page import="java.util.Enumeration"%>
<%@page import="com.sap.tc.logging.Location"%>
<%@page import="com.sap.tc.logging.Severity"%>
<%@page import="com.sap.security.api.*"%>
<%@page import="com.sap.security.api.logon.*"%>


<%@page import="com.sap.engine.frame.core.configuration.*"%>
<%!
    static Location LOCATION =Location.getLocation("com.sap.security.core.server.tcsra.genreq");
 
%> 
<%    
LOCATION.debugT("entering genreq.jsp"); 

String oldservice = request.getParameter("OLDSERVICE");
if (oldservice==null)
	oldservice="/";
session.setAttribute("OLDSERVICE", oldservice);

String signurl = "/enrollapp/signreq.jsp";
String cn = null;
String userName = null;
String  remoteUser= request.getRemoteUser() ;
LOCATION.debugT("genreq.jsp called by remoteUser=" + remoteUser);

String j_username= request.getParameter("j_username");

String userEmail=null;
String enc_email = null;
String userAlias=null;


//we use UME to get EMail and Alias
IUser user = UMFactory.getAuthenticator().getLoggedInUser();


if (user ==null || remoteUser==null ) {
	// this can happens only if /enrollap/genreq.jsp was called directly
	// we don't want to support this case
	LOCATION.debugT("direct access to enrollapp/genreq.jsp not allowed");  
	response.sendRedirect("/");
	return;
}



userEmail = user.getEmail();
IUserAccount[] accounts = user.getUserAccounts();
if (accounts != null && accounts.length > 0)
{
   String[] aliases = accounts[0].getAttribute(IPrincipal.DEFAULT_NAMESPACE,  ILoginConstants.LOGON_ALIAS);
   if (aliases != null && aliases.length > 0)
   {
      userAlias = aliases[0];
   }
} 

LOCATION.debugT("user info: " + "alias=" + userAlias+", userEmail=" + userEmail + ", j_username=" +j_username); 

//TODO: We need AUTHORITY CHECK HERE !!!!




if ( userEmail!=null ) {
	GeneralNames generalNames = new GeneralNames();
	generalNames.addName(new GeneralName( GeneralName.rfc822Name , userEmail));
	enc_email= new String(Util.Base64Encode(DerCoder.encode ( generalNames.toASN1Object() )));
}

String raKeystoreViewName ="DEFAULT";
String raKeystoreViewEntryName ="j2ee-ra";
String raname=null;
String errorMessage = null;
String errmsg_1 = "Internal error. Please contact your system administrator !" ;

boolean useEMAILasSUBJAltName = true;
boolean useAliasAsCN = true;

// we need RA Name here 
// we read app property  tcs.myRAName first, if it was not changed 
// we determine the name from RA dist. name without common name part


try {
	InitialContext ctx = new InitialContext();

	//get ApplicationConfigHandlerFactory instance from JNDI
	ApplicationConfigHandlerFactory appCfgHdlFctry =   
	      (ApplicationConfigHandlerFactory)ctx.lookup("ApplicationConfiguration");
	if (appCfgHdlFctry != null) {
		 
		Properties props = appCfgHdlFctry.getApplicationProperties();
		
		if ( props !=null ) {
			raname = props.getProperty ("tcsra.myRAName");
			raKeystoreViewName= props.getProperty ("tcsra.RAKeystoreView");
			raKeystoreViewEntryName= props.getProperty ("tcsra.RASigningKey");
			errmsg_1 = props.getProperty ("tcsra.genreq_errmsg_1");
			useEMAILasSUBJAltName = Boolean.valueOf(props.getProperty ("tcsra.useEMAILasSUBJAltName")).booleanValue();
			useAliasAsCN = Boolean.valueOf(props.getProperty ("tcsra.useAliasAsCN")).booleanValue();
		
		}
	}
} catch (Exception e) {
	
	LOCATION.traceThrowableT(Severity.DEBUG, "Problem with ApplicationConfigHandlerFactory", e);
	//we continue with default values ..	
}




if (userAlias!= null &&  useAliasAsCN)
	cn = userAlias;
else 
	cn = remoteUser ;
cn = cn.toUpperCase();
	
LOCATION.debugT("CN set to:" + cn);	

try {
		InitialContext ctx = new InitialContext();
	    	final Object kManager = ctx.lookup("keystore");
	    	Class cl = kManager.getClass();
			
		final Method method = cl.getMethod("getKeystore", new Class[] { String.class });
		KeyStore rakeystore = (KeyStore)method.invoke( kManager, new Object[] { raKeystoreViewName} ) ;
		Certificate [] chain = rakeystore.getCertificateChain(raKeystoreViewEntryName);
		if (chain == null)
			LOCATION.infoT("no RA certificate found with parameters View : " +raKeystoreViewName +" Entry: " +raKeystoreViewEntryName );
		//it will fail with NullpointerException here if no RA Cert found			
		X509Certificate      cert0= (X509Certificate) chain[0];
		if ( raname == null || "".equals(raname.trim()) || 	"put_your_RA_name_here".equals(raname)) {
			Name  name =(Name) cert0.getSubjectDN(); 
		
			name.removeRDN(ObjectID.commonName);
			raname= name.toString();
		}
		
		session.setAttribute("rakey",rakeystore.getKey(raKeystoreViewEntryName, null));
		session.setAttribute("racert",cert0);
		
		 
} catch (Exception e) {
	
	LOCATION.traceThrowableT(Severity.DEBUG, "internal error", e);
	errorMessage = errmsg_1;
}

String userdn = "CN="+cn+"," + raname;
//we put the userdn to the session for the next step !
session.setAttribute("tcs.j2ee-ra.userdn",userdn);
if (userEmail!=null && useEMAILasSUBJAltName)
	session.setAttribute("tcs.j2ee-ra.userEmail", userEmail);
 	

%>

<% if (errorMessage!=null) { %>
<html>	<head>
<script language="JavaScript">
  function display( ) {
	alert("<%=errorMessage%>");
	self.navigate("<%=oldservice.replaceAll("\"", "\\\\\"")%>");
	}
</script>	
</head>
<body onload="display()">
</body>
</html>

<% return ;} %>


<% if (request.getHeader("User-Agent").indexOf("MSIE")!=-1 ) { %>


<html> 
  <head>
  <title>Certificate Request MSIE</title>
  <META HTTP-EQUIV="Cache-Control" CONTENT="no cache">
  <META HTTP-EQUIV="Pragma" CONTENT="no cache">
  <META HTTP-EQUIV="Expires" CONTENT="0">

<OBJECT id=g_objClassFactory CLASSID="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"></OBJECT>

<!--  Code for CertificatRequest starts here -->
<script language="JavaScript">
var weAreOnVista  = 0;
function CheckVista()
{
  // alert(navigator.userAgent)
  if (navigator.userAgent.indexOf("NT") >= 0 && navigator.userAgent.substr(navigator.userAgent.indexOf("NT")+3, 1) >5	)
  {
    weAreOnVista = 1
     
  }
  else
  {
    weAreOnVista = 0   
  }
}

CheckVista();





function reverseDN( arg ) {
   if ( arg.indexOf(",") ==-1) {
      return arg;
   } else {
	  var i = arg.indexOf(",");
  	  return reverseDN(arg.substring(i+1, arg.length))+ ","+ arg.substring(0,i);
	}
}

function CERT_REQ()

{
   var subject_name = document.forms["FORM"].subject.value;
   var CERT_REQ = "";   
   if (weAreOnVista ==0) {
   	CERT_REQ = doEnroll(reverseDN(subject_name));   	
   } else {
   	CERT_REQ = CREATE_REQ_Vista(subject_name);   	
   }
   
   if ( CERT_REQ.length> 0 ) {
   	CERT_REQ=CERT_REQ.replace(/\n/g,"");
   	CERT_REQ=CERT_REQ.replace(/\r/g,"");
   
      	document.forms["FORM"].certrequest.value=CERT_REQ;
  	document.forms["FORM"].submit();
   }
  else {
 	self.navigate("<%=oldservice.replaceAll("\"", "\\\\\"")%>");
  }
}

 function doEnroll(arg) {
     
      var enroll = new ActiveXObject("CEnroll.CEnroll.2");
   
      enroll.KeySpec = 1;
      enroll.GenKeyFlags = 0x11;
    <% if (enc_email!=null  && useEMAILasSUBJAltName) { %>

      enroll.addExtensionToRequest(0, "2.5.29.17", "<%= enc_email %>");
    <% } %>
	

      var certReq ="";
      try {
	certReq = enroll.createRequest(1, arg, "");
      
      	certReq = certReq.replace(/\n/g, "").replace(/\r/g, "");
      } catch(err) {

      }
     
 
     return certReq;
    }


</SCRIPT>

<SCRIPT language="VBScript">

function CREATE_REQ_Vista(subject_name)
   On Error Resume Next 
   const contextUser = 1
   const XCN_AT_KEYEXCHANGE = 1
   const XCN_CRYPT_STRING_BASE64 = 1
   const SUBJ_ALT_NAME_OID = "2.5.29.17"
   dim objPrivateKey
   set objPrivateKey = g_objClassFactory.CreateObject("X509Enrollment.CX509PrivateKey")
   objPrivateKey.Length = 1024
   objPrivateKey.keySpec = XCN_AT_KEYEXCHANGE
   ' objPrivateKey.keySpec = 0
   ' default value of objPrivateKey.ExportPolicy is 0 (not exportable)
   ' default value of objPrivateKey.KeyProtection is 0 (no protection)
   dim objRequest
   set objRequest = g_objClassFactory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10")
   call objRequest.InitializeFromPrivateKey(contextUser, objPrivateKey, "")	
   dim objDN
   set objDN= g_objClassFactory.CreateObject("X509Enrollment.CX500DistinguishedName")
   call objDn.Encode(subject_name)    	
   objRequest.subject = objDn
   
  
   <% if (enc_email!=null  && useEMAILasSUBJAltName) { %>
    
	dim objID 
	set objID = g_objClassFactory.CreateObject("X509Enrollment.CObjectId")
	 	
	call objID.InitializeFromValue(SUBJ_ALT_NAME_OID)
        dim objExt 
       	set objExt = g_objClassFactory.CreateObject("X509Enrollment.CX509Extension")
      
        call objExt.Initialize(objID,XCN_CRYPT_STRING_BASE64,"<%= enc_email %>")
     
        call objRequest.X509Extensions.add(objExt)
             
     	
       
    <% } %>
   
  
   
  
   dim objEnroll
   set objEnroll = g_objClassFactory.CreateObject("X509Enrollment.CX509Enrollment")
   objEnroll.InitializeFromRequest(objRequest)
   dim pkcs10
   pkcs10 = objEnroll.CreateRequest(XCN_CRYPT_STRING_BASE64)
   CREATE_REQ_Vista = pkcs10
   if ( Err.Number <> 0 ) then
      MsgBox("Error in call to CreateRequest (Vista) " & Err.description)
      err.clear
       CREATE_REQ_Vista=""
   end if	
end function

</SCRIPT>
<!--  Code for CertificatRequest ends here -->

</head>

<body onload=CERT_REQ()>

  
 <FORM METHOD="post" NAME="FORM" ACTION="<%= signurl%>">
 	   <INPUT TYPE="hidden" NAME="subject" value="<%= userdn%>">
	   <INPUT TYPE="hidden" NAME="certrequest" maxlen=8000>	  
	   
</FORM>     	
</BODY>
</HTML>

<% } else { %>
<html>
  <head>
  <title>Certificate Request NETSCAPE</title>

</head>

<body onload=document.forms["FORM"].submit()>

 Creating certificate request (Netscape)...     
 <FORM METHOD="POST" NAME="FORM" ACTION="<%= signurl%>">

	  <KEYGEN TYPE= hidden NAME="certrequest" >
	   	   
	   <BR> <BR><INPUT TYPE=submit value="Click here to start">
	   
	   </FORM>     
</BODY>
</HTML>



      
<% } %>