/*
 *
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 * 
 *   http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */
using System.IO;
using System.Net;
using log4net;
using Apache.Qpid.Client.Qms;
using Org.Mentalis.Security.Ssl;
using MCertificate = Org.Mentalis.Security.Certificates.Certificate;
using MCertificateChain = Org.Mentalis.Security.Certificates.CertificateChain;

namespace Apache.Qpid.Client.Transport.Socket.Blocking
{
   /// <summary>
   /// Implements a TLS v1.0 connection using the Mentalis.org library
   /// </summary>
   /// <remarks>
   /// It would've been easier to implement this at the StreamFilter
   /// level, but unfortunately the Mentalis library doesn't support
   /// a passthrough SSL stream class and is tied directly
   /// to socket-like classes.
   /// </remarks>
   class SslSocketConnector : ISocketConnector
   {
      private static ILog _logger = LogManager.GetLogger(typeof(SslSocketConnector));
      private MyTcpClient _tcpClient;

      public string LocalEndpoint
      {
         get { return _tcpClient.LocalEndpoint.ToString(); }
      }

      public Stream Connect(IBrokerInfo broker)
      {
         MCertificate cert = GetClientCert(broker);
         SecurityOptions options = new SecurityOptions(
            SecureProtocol.Tls1, cert, ConnectionEnd.Client
            );
         if ( broker.SslOptions != null 
            && broker.SslOptions.IgnoreValidationErrors )
         {
            _logger.Warn("Ignoring any certificate validation errors during SSL handshake...");
            options.VerificationType = CredentialVerification.None;
         }

         _tcpClient = new MyTcpClient(broker.Host, broker.Port, options);
         return _tcpClient.GetStream();
      }

      public void Dispose()
      {
         if ( _tcpClient != null )
         {
            _tcpClient.Close();
            _tcpClient = null;
         }
      }

      private static MCertificate GetClientCert(IBrokerInfo broker)
      {
         // if a client certificate is configured, 
         // use that to enable mutual authentication
         MCertificate cert = null;
         if ( broker.SslOptions != null 
            && broker.SslOptions.ClientCertificate != null )
         {
            cert = MCertificate.CreateFromX509Certificate(
               broker.SslOptions.ClientCertificate
               );
            _logger.DebugFormat("Using Client Certificate for SSL '{0}'", cert.ToString(true));
         }
         return cert;
      }

      class MyTcpClient : SecureTcpClient
      {
         public MyTcpClient(string host, int port, SecurityOptions options)
            : base(host, port, options)
         {
         }

         public EndPoint LocalEndpoint
         {
            get { return Client.LocalEndPoint; }
         }

      }

   }
}