package org.eparapher.core.crypto.cert;
   
   import java.io.ByteArrayInputStream;
   import java.io.ByteArrayOutputStream;
   import java.io.File;
   import java.io.FileWriter;
   import java.io.IOException;
   import java.io.UnsupportedEncodingException;
   import java.math.BigInteger;
  import java.security.GeneralSecurityException;
  import java.security.InvalidAlgorithmParameterException;
  import java.security.InvalidKeyException;
  import java.security.KeyPair;
  import java.security.KeyPairGenerator;
  import java.security.KeyStore;
  import java.security.KeyStoreException;
  import java.security.NoSuchAlgorithmException;
  import java.security.NoSuchProviderException;
  import java.security.Principal;
  import java.security.PrivateKey;
  import java.security.PublicKey;
  import java.security.SecureRandom;
  import java.security.Signature;
  import java.security.SignatureException;
  import java.security.cert.CertPath;
  import java.security.cert.CertPathBuilder;
  import java.security.cert.CertPathBuilderException;
  import java.security.cert.CertPathValidator;
  import java.security.cert.CertPathValidatorException;
  import java.security.cert.CertPathValidatorResult;
  import java.security.cert.CertSelector;
  import java.security.cert.CertStore;
  import java.security.cert.Certificate;
  import java.security.cert.CertificateEncodingException;
  import java.security.cert.CertificateException;
  import java.security.cert.CertificateFactory;
  import java.security.cert.CertificateParsingException;
  import java.security.cert.CollectionCertStoreParameters;
  import java.security.cert.PKIXBuilderParameters;
  import java.security.cert.PKIXCertPathValidatorResult;
  import java.security.cert.PKIXParameters;
  import java.security.cert.X509CRL;
  import java.security.cert.X509CertSelector;
  import java.security.cert.X509Certificate;
  import java.util.ArrayList;
  import java.util.Arrays;
  import java.util.Collection;
  import java.util.Collections;
  import java.util.Date;
  import java.util.Enumeration;
  import java.util.HashMap;
  import java.util.Hashtable;
  import java.util.LinkedList;
  import java.util.List;
  import java.util.Map;
  import java.util.Vector;
  import java.util.regex.Matcher;
  import java.util.regex.Pattern;
  
  import org.apache.log4j.Level;
  import org.apache.log4j.Logger;
  import org.bouncycastle.asn1.ASN1Encodable;
  import org.bouncycastle.asn1.ASN1InputStream;
  import org.bouncycastle.asn1.ASN1Sequence;
  import org.bouncycastle.asn1.DEREncodable;
  import org.bouncycastle.asn1.DERObjectIdentifier;
  import org.bouncycastle.asn1.DEROutputStream;
  import org.bouncycastle.asn1.DERSequence;
  import org.bouncycastle.asn1.DERTaggedObject;
  import org.bouncycastle.asn1.DERUTF8String;
  import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
  import org.bouncycastle.asn1.x509.DistributionPoint;
  import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
  import org.bouncycastle.asn1.x509.GeneralName;
  import org.bouncycastle.asn1.x509.GeneralNames;
  import org.bouncycastle.asn1.x509.KeyPurposeId;
  import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
  import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
  import org.bouncycastle.asn1.x509.X509Extensions;
  import org.bouncycastle.asn1.x509.X509Name;
  import org.bouncycastle.cms.CMSSignedGenerator;
  import org.bouncycastle.jce.ECNamedCurveTable;
  import org.bouncycastle.jce.PKCS10CertificationRequest;
  import org.bouncycastle.jce.X509KeyUsage;
  import org.bouncycastle.jce.spec.ECParameterSpec;
  import org.bouncycastle.openssl.PEMWriter;
  import org.bouncycastle.x509.X509V3CertificateGenerator;
  import org.eparapher.core.EParapherManager;
  import org.eparapher.core.crypto.EPCryptoProviderManager;
  import org.eparapher.core.crypto.EPKeystoreManager;
  import org.eparapher.core.tools.JVMSettings;
  
  public class CertificateManager {
  	
  	private static Logger log = Logger.getLogger(CertificateManager.class);
  	
  	private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
  
  	    /**
 	     * Returns the identities of the remote server as defined in the specified certificate. The
 	     * identities are defined in the subjectDN of the certificate and it can also be defined in
 	     * the subjectAltName extensions of type "xmpp". When the extension is being used then the
 	     * identities defined in the extension are going to be returned. Otherwise, the value stored in
 	     * the subjectDN is returned.
 	     *
 	     * @param x509Certificate the certificate the holds the identities of the remote server.
 	     * @return the identities of the remote server as defined in the specified certificate.
 	     */
 	    public static List<String> getPeerIdentities(X509Certificate x509Certificate) {
 	        // Look the identity in the subjectAltName extension if available
 	        List<String> names = getSubjectAlternativeNames(x509Certificate);
 	        if (names.isEmpty()) {
 	            String name = x509Certificate.getSubjectDN().getName();
 	            Matcher matcher = cnPattern.matcher(name);
 	            if (matcher.find()) {
 	                name = matcher.group(2);
 	            }
 	            // Create an array with the unique identity
 	            names = new ArrayList<String>();
 	            names.add(name);
 	        }
 	        return names;
 	    }
 
 	    /**
 	     * Returns the JID representation of an XMPP entity contained as a SubjectAltName extension
 	     * in the certificate. If none was found then return <tt>null</tt>.
 	     *
 	     * @param certificate the certificate presented by the remote entity.
 	     * @return the JID representation of an XMPP entity contained as a SubjectAltName extension
 	     *         in the certificate. If none was found then return <tt>null</tt>.
 	     */
 	    private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
 	        List<String> identities = new ArrayList<String>();
 	        try {
 	            Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
 	            // Check that the certificate includes the SubjectAltName extension
 	            if (altNames == null) {
 	                return Collections.emptyList();
 	            }
 	            // Use the type OtherName to search for the certified server name
 	            for (List<?> item : altNames) {
 	                Integer type = (Integer) item.get(0);
 	                if (type == 0) {
 	                    // Type OtherName found so return the associated value
 	                    try {
 	                        // Value is encoded using ASN.1 so decode it to get the server's identity
 	                        ASN1InputStream decoder = new ASN1InputStream((byte[]) item.toArray()[1]);
 	                        DEREncodable encoded = decoder.readObject();
 	                        encoded = ((DERSequence) encoded).getObjectAt(1);
 	                        encoded = ((DERTaggedObject) encoded).getObject();
 	                        encoded = ((DERTaggedObject) encoded).getObject();
 	                        String identity = ((DERUTF8String) encoded).getString();
 	                        // Add the decoded server name to the list of identities
 	                        identities.add(identity);
 	                    }
 	                    catch (UnsupportedEncodingException e) {
 	                    	log.error("Error decoding subjectAltName",e);
 	                    }
 	                    catch (IOException e) {
 	                    	log.error("Error decoding subjectAltName",e);
 	                    }
 	                    catch (Exception e) {
 	                        log.error("Error decoding subjectAltName",e);
 	                    }
 	                }
 	                // Other types are not good for XMPP so ignore them
 	                log.info("SubjectAltName of invalid type found: " + certificate);
 	            }
 	        }
 	        catch (CertificateParsingException e) {
 	            log.error("Error parsing SubjectAltName in certificate: ",e);
 	        }
 	        return identities;
 	    }
 		public static boolean isValidKeyUsageForEncryption(X509Certificate cert) {
 			boolean[] keyUsage = cert.getKeyUsage();
 			return keyUsage[CertificateInfo.KEYENCIPHERMENT];
 		}
 
 		public static boolean isValidKeyUsageForNonRepudiation(X509Certificate cert) {
 			boolean[] keyUsage = cert.getKeyUsage();
 			return keyUsage[CertificateInfo.NONREPUDIATION];
 		}
 
 		public static boolean isValidKeyUsageForSignature(X509Certificate cert) {
 			boolean[] keyUsage = cert.getKeyUsage();
 			return keyUsage[CertificateInfo.DIGITALSIGNATURE];
 		}
 	    /**
 	     * Returns true if an RSA certificate was found in the specified keystore for the specified domain.
 	     *
 	     * @param ksKeys the keystore that contains the certificates.
 	     * @param domain domain of the server signed by the certificate.
 	     * @return true if an RSA certificate was found in the specified keystore for the specified domain.
 	     * @throws KeyStoreException
 	     */
 	    public static boolean isRSACertificate(KeyStore ksKeys, String domain) throws KeyStoreException {
 	        return isCertificate(ksKeys, domain, "RSA");
 	    }
 
 	    /**
 	     * Returns true if an DSA certificate was found in the specified keystore for the specified domain.
 	     *
 	     * @param ksKeys the keystore that contains the certificates.
 	     * @param domain domain of the server signed by the certificate.
 	     * @return true if an DSA certificate was found in the specified keystore for the specified domain.
 	     * @throws KeyStoreException
 	     */
 	    public static boolean isDSACertificate(KeyStore ksKeys, String domain) throws KeyStoreException {
 	        return isCertificate(ksKeys, domain, "DSA");
 	    }
 
 	    /**
 	     * Returns true if the specified certificate is using the DSA algorithm. The DSA algorithm is not
 	     * good for encryption but only for authentication. On the other hand, the RSA algorithm is good
 	     * for encryption and authentication.
 	     *
 	     * @param certificate the certificate to analyze.
 	     * @return true if the specified certificate is using the DSA algorithm.
 	     * @throws KeyStoreException
 	     */
 	    public static boolean isDSACertificate(X509Certificate certificate) throws KeyStoreException {
 	        return certificate.getPublicKey().getAlgorithm().equals("DSA");
 	    }
 
 	    /**
 	     * Returns true if the specified certificate is using the Elliptic Curve (EC) algorithm. This algorithm is
 	     * good for signature operations.
 	     *
 	     * @param certificate the certificate to analyze.
 	     * @return true if the specified certificate is using the DSA algorithm.
 	     * @throws KeyStoreException
 	     */
 	    public static boolean isECCertificate(X509Certificate certificate) throws KeyStoreException {
 	        return (certificate.getPublicKey().getAlgorithm().equals("EC") || 
 	        		certificate.getPublicKey().getAlgorithm().equals("GOST")) ;
 	    }
 	    
 	    /**
 	     * Returns true if a certificate with the specifed configuration was found in the key store.
 	     *
 	     * @param ksKeys the keystore to use for searching the certificate.
 	     * @param domain the domain present in the subjectAltName.
 	     * @param algorithm the DSA or RSA algorithm used by the certificate.
 	     * @return true if a certificate with the specifed configuration was found in the key store.
 	     * @throws KeyStoreException
 	     */
 	    private static boolean isCertificate(KeyStore ksKeys, String domain, String algorithm) throws KeyStoreException {
 	        for (Enumeration<String> aliases = ksKeys.aliases(); aliases.hasMoreElements();) {
 	            X509Certificate certificate = (X509Certificate) ksKeys.getCertificate(aliases.nextElement());
 	            for (String identity : getPeerIdentities(certificate)) {
 	                if (identity.endsWith(domain) && certificate.getPublicKey().getAlgorithm().equals(algorithm)) {
 	                    return true;
 	                }
 	            }
 	        }
 	        return false;
 	    }
 
 	    /**
 	     * Creates and returns the content of a new singing request for the specified certificate. Signing
 	     * requests are required by Certificate Authorities as part of their signing process. The signing request
 	     * contains information about the certificate issuer, subject DN, subject alternative names and public key.
 	     * Private keys are not included. After the Certificate Authority verified and signed the certificate a new
 	     * certificate is going to be returned. Use {@link #installReply(java.security.KeyStore, java.security.KeyStore, String, String, java.io.InputStream, boolean, boolean)}
 	     * to import the CA reply.
 	     *
 	     * @param cert the certificate to create a signing request.
 	     * @param privKey the private key of the certificate.
 	     * @return the content of a new singing request for the specified certificate.
 	     * @throws Exception
 	     */
 	    public static String createSigningRequest(X509Certificate cert, PrivateKey privKey) throws Exception {
 	        StringBuilder sb = new StringBuilder();
 
 	        String subject = cert.getSubjectDN().getName();
 	        X509Name xname = new X509Name(subject);
 
 	        PublicKey pubKey = cert.getPublicKey();
 
 	        String signatureAlgorithm = cert.getSigAlgName();
 
 	        PKCS10CertificationRequest csr =
 	                new PKCS10CertificationRequest(signatureAlgorithm, xname, pubKey, null, privKey);
 
 	        ByteArrayOutputStream baos = new ByteArrayOutputStream();
 	        DEROutputStream deros = new DEROutputStream(baos);
 	        deros.writeObject(csr.getDERObject());
 	        String sTmp = new String(org.bouncycastle.util.encoders.Base64.encode(baos.toByteArray()));
 
 	        // Header
 	        sb.append(X509Util.BEGIN_CERT_REQ + "\n");
 
 	        // Add signing request content (base 64 encoded)
 	        for (int iCnt = 0; iCnt < sTmp.length(); iCnt += X509Util.CERT_REQ_LINE_LENGTH) {
 	            int iLineLength;
 
 	            if ((iCnt + X509Util.CERT_REQ_LINE_LENGTH) > sTmp.length()) {
 	                iLineLength = sTmp.length() - iCnt;
 	            } else {
 	                iLineLength = X509Util.CERT_REQ_LINE_LENGTH;
 	            }
 
 	            sb.append(sTmp.substring(iCnt, iCnt + iLineLength)).append("\n");
 	        }
 
 	        // Footer
 	        sb.append(X509Util.END_CERT_REQ + "\n");
 	        return sb.toString();
 	    }
 
 	    /**
 	     * Create a PKSC10 certification signing request using the Bouncycastle provider.<br>
 	     * Save the CSR in a file.
 	     * 
 	     * @param params 
 	     * @return the filename that contains the CSR
 	     * @throws SignatureException 
 	     * @throws NoSuchProviderException 
 	     * @throws NoSuchAlgorithmException 
 	     * @throws InvalidKeyException 
 	     * @throws IOException 
 	     */
 	  public static String createSigningRequest( NewCertParams params, KeyPair keypair ) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException {
 
 			//Extract info
 			PrivateKey privateKey = keypair.getPrivate();
 			PublicKey  publicKey  = keypair.getPublic();
 			X509Name subject = new X509Name(params.getSubjectDN());
 			
 			//Generate the CSR			
 			//TODO : Manage Subject Alternative Name.
 			//http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation
 			PKCS10CertificationRequest certificateRequest = new PKCS10CertificationRequest( params.getCertSigAlg(), subject, publicKey, null, privateKey);
 			
 			//Save it to a file
 			String csrFile = JVMSettings.getEParapherCSRDirectory() + File.separator + params.getAlias() + ".pem";
 
 			PEMWriter pem = new PEMWriter(new FileWriter( csrFile ));
 			pem.writeObject(certificateRequest);
 			pem.close();
 
 			return csrFile;
 	  }
 	  
 	  public static X509Certificate[] generateNewCertificate( NewCertParams params, KeyPair keypair ) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException, NoSuchProviderException {
 
 			PrivateKey privateKey = keypair.getPrivate();
 			PublicKey publicKey = keypair.getPublic();
 			
 			X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
 
 			X509Name subject = new X509Name(params.getSubjectDN());
 
 			//TODO : sign with another alias key/cert
 			if (params.isSelfCertSigned() || params.isCSR())
 				certGen.setIssuerDN(subject);
 			//else ...
 			
 			certGen.setSubjectDN(subject);
 			certGen.setPublicKey(publicKey);
 			certGen.setSignatureAlgorithm(params.getCertSigAlg());
 			certGen.setNotBefore(params.getValidFrom());
 			certGen.setNotAfter(params.getValidUntil());
 			
 			//Generate random serial number
 			certGen.setSerialNumber(generateRandomSerial());
 			
 			// Setting KeyUsage
 			int keyusage = X509KeyUsage.digitalSignature + X509KeyUsage.nonRepudiation;
 			X509KeyUsage ku = new X509KeyUsage(keyusage);
 			certGen.addExtension(X509Extensions.KeyUsage.getId(), false, ku);
 			
 			// Setting Extended KeyUsage (any)
 			Vector<KeyPurposeId> extkeyusage = new Vector<KeyPurposeId>();
 			extkeyusage.add(KeyPurposeId.anyExtendedKeyUsage);
 			//extkeyusage.add(KeyPurposeId.id_kp_clientAuth);
 			//extkeyusage.add(KeyPurposeId.id_kp_emailProtection);
 			//extkeyusage.add(KeyPurposeId.id_kp_ipsecUser);
 			ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth);
 			certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, extendedKeyUsage);
 
 			// Setting Subject Alternative Name
 			if (!params.getSubaltnameEMail().equals("") 
 					 || !params.getSubaltnameDNSName().equals("")
 					 || !params.getSubaltnameOtherName().equals("")) {
 				GeneralNames subjectAltName = null;
 				ASN1Encodable[] asn1san;
 				GeneralName email=null,othername=null,dnsname=null;
 				int nbsubaltname = 0;
 				
 				if (!params.getSubaltnameEMail().equals("")) {
 					email = new GeneralName(GeneralName.rfc822Name, params.getSubaltnameEMail());
 					nbsubaltname++;
 				}
 				if (!params.getSubaltnameDNSName().equals("")) {
 					dnsname = new GeneralName(GeneralName.dNSName, params.getSubaltnameDNSName());
 					nbsubaltname++;
 				}
 				if (!params.getSubaltnameOtherName().equals("")) {
 					ASN1Encodable[] othernameasn1 = new ASN1Encodable[]{ new DERObjectIdentifier("1.3.6.1.5.5.7.8.5"),
 							             								 new DERTaggedObject(true, 0, new DERUTF8String(params.getSubaltnameOtherName())) };
 					DERSequence othernameSequence = new DERSequence( othernameasn1 );
 			        othername = new GeneralName(GeneralName.otherName, othernameSequence);
 					nbsubaltname++;
 				}
 				
 				asn1san= new ASN1Encodable[nbsubaltname];
 				nbsubaltname = 0;
 				if (email!=null)
 					asn1san[nbsubaltname++] = email;
 				if (dnsname!=null)
 					asn1san[nbsubaltname++] = dnsname;
 				if (othername!=null)
 					asn1san[nbsubaltname++] = othername;
 				
 				subjectAltName = new GeneralNames( new DERSequence(asn1san));
 				certGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
 			}
 			
 			// Subject and Authority key identifier is always non-critical
 			//  and MUST be present for certificates to verify in Mozilla.
 			SubjectKeyIdentifier ski;
 			AuthorityKeyIdentifier aki;
 			
 			ASN1Sequence spki_asn1 = (ASN1Sequence) new ASN1InputStream( new ByteArrayInputStream(publicKey.getEncoded())).readObject();
 			SubjectPublicKeyInfo spki = new	SubjectPublicKeyInfo( spki_asn1);
 			ski = new SubjectKeyIdentifier(spki);
 			ASN1Sequence ac_spki_asn1 = (ASN1Sequence) new ASN1InputStream(new	ByteArrayInputStream(publicKey.getEncoded())).readObject();
 			SubjectPublicKeyInfo apki = new	SubjectPublicKeyInfo(ac_spki_asn1);
 			aki = new AuthorityKeyIdentifier(apki);
 
 			certGen.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false, ski);
 			certGen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(),	false, aki);
 			
 			//Load Private key
 			X509Certificate[] userCertChain = new X509Certificate[1];
 			PrivateKey certsigningpk = privateKey;
 			String currentalias = EPKeystoreManager.getInstance().getUserkeystore().getDefaultAlias();
 			
 			//Generate CSR
 			if (!params.isSelfCertSigned() && !params.isCSR()) {
 				EPKeystoreManager.getInstance().getUserkeystore().setDefaultAlias(params.getIssueralias());
 				if (!EPKeystoreManager.getInstance().getUserkeystore().loadPrivateKey()) {
 					log.error("Need private key access to generate new certificate from " + params.getIssueralias());
 					return null;
 				}
 				certsigningpk = EPKeystoreManager.getInstance().getUserkeystore().getPrivateKey();
 
 				X509Certificate[] issuerCertChain = EPKeystoreManager.getInstance().getUserkeystore().getX509CertificateChain();
 				userCertChain = new X509Certificate[issuerCertChain.length+1];
 			}
 
 			//Generate Certificate
 			/*
 			if ( EPKeystoreManager.isPKCS11Used() ) {
 				String userKSProv = EPKeystoreManager.getInstance().getUserkeystore().getProviderName();
 				
 				String testData = "Test for sigggg";
 				Signature sig = Signature.getInstance("SHA1withRSA", userKSProv);
 			    sig.initSign( certsigningpk );
 			    sig.update(testData.getBytes());
 			    byte[] signedData = sig.sign();
 			    log.debug("Signed data : " + signedData );
 			    //sig.initVerify();
 			    //sig.update(testData.getBytes());
 
 				
 				userCertChain[userCertChain.length-1] = certGen.generate(certsigningpk, userKSProv);
 			} else*/
 				userCertChain[userCertChain.length-1] = certGen.generate(certsigningpk, "BC");
 
 			if (!params.isSelfCertSigned()) {
 				EPKeystoreManager.getInstance().getUserkeystore().setDefaultAlias(currentalias);
 			}
 			
 			return userCertChain;
 	  }
 
 	  public static boolean validateCertChain( X509Certificate[] certificate, boolean trustCACerts) throws Exception {
 		  try {
 	            // Generate cert path
 	            List certList = Arrays.asList(certificate);
 	            CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
 	            CertPath path = factory.generateCertPath(certList);
 
 	            // Use the certificates in the keystore as TrustAnchors
 	            // TODO : Build trustanchors from trustestore and, if configured, from userkeystore.
 	            PKIXParameters param = new PKIXParameters(EPKeystoreManager.getInstance().getTrustStore().getKeystore());
 
 	            // Do not check a revocation list
 	            //TODO : check CRL here
 	            param.setRevocationEnabled(false);
 
 	            // Verify the trust path using the above settings            
 	            CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX", "BC");
 	            CertPathValidatorResult cpvResult = certPathValidator.validate(path, param);
 
 	            return true;
 	        } catch (NoSuchAlgorithmException ex) {
 	        	log.error("error while validating a Certificate Chain",ex);
 	            //throw new WSSecurityException(WSSecurityException.FAILURE, "certpath", new Object[]{ex.getMessage()}, (Throwable) ex);
 	        } catch (CertificateException ex) {
 	        	log.error("error while validating a Certificate Chain",ex);
 	            //throw new WSSecurityException(WSSecurityException.FAILURE, "certpath", new Object[]{ex.getMessage()}, (Throwable) ex);
 	        } catch (InvalidAlgorithmParameterException ex) {
 	        	log.error("error while validating a Certificate Chain",ex);
 	            //throw new WSSecurityException(WSSecurityException.FAILURE, "certpath", new Object[]{ex.getMessage()}, (Throwable) ex);
 	        } catch (KeyStoreException ex) {
 	        	log.error("error while validating a Certificate Chain",ex);
 	            //throw new WSSecurityException(WSSecurityException.FAILURE, "certpath", new Object[]{ex.getMessage()}, (Throwable) ex);
 	        } catch (CertPathValidatorException ex) {
 	        	log.error("error while validating a Certificate Chain",ex);
 	            //throw new WSSecurityException(WSSecurityException.FAILURE, "certpath", new Object[]{ex.getMessage()}, (Throwable) ex);
 	        }
 	        return false;
 	  }
 	  public static List<X509Certificate> establishCertChain( X509Certificate certificate, boolean trustCACerts)
 	            throws Exception {
 	    	
 	    	KeyStore keyStore   = EPKeystoreManager.getInstance().getUserkeystore().getKeystore();
 	    	KeyStore trustStore = EPKeystoreManager.getInstance().getTrustStore().getKeystore();
 			  
 	        Map<Principal, List<X509Certificate>> knownCerts = new Hashtable<Principal, List<X509Certificate>>();
 	        if ( keyStore!=null && keyStore.size() > 0) {
 	            knownCerts.putAll(getCertsByIssuer(keyStore));
 	        }
 	        
 	        if (trustCACerts && trustStore.size() > 0) {
 	            knownCerts.putAll(getCertsByIssuer(trustStore));
 	        }
 
 	        LinkedList<X509Certificate> answer = new LinkedList<X509Certificate>();
 	        if (buildChain(certificate, answer, knownCerts)) {
 	            return answer;
 	        } else {
 	            throw new Exception("Failed to establish chain from reply");
 	        }
 	    }
 
 
 	    /**
 	     * Builds the certificate chain of the specified certificate based on the known list of certificates
 	     * that were issued by their respective Principals. Returns true if the entire chain of all certificates
 	     * was successfully built.
 	     *
 	     * @param certificate certificate to build its chain.
 	     * @param answer      the certificate chain for the corresponding certificate.
 	     * @param knownCerts  list of known certificates grouped by their issues (i.e. Principals).
 	     * @return true if the entire chain of all certificates was successfully built.
 	     */
 	    private static boolean buildChain(X509Certificate certificate, LinkedList<X509Certificate> answer,
 	                                      Map<Principal, List<X509Certificate>> knownCerts) {
 	        Principal subject = certificate.getSubjectDN();
 	        Principal issuer = certificate.getIssuerDN();
 	        // Check if the certificate is a root certificate (i.e. was issued by the same Principal that
 	        // is present in the subject)
 	        if (subject.equals(issuer)) {
 	            answer.addFirst(certificate);
 	            return true;
 	        }
 	        // Get the list of known certificates of the certificate's issuer
 	        List<X509Certificate> issuerCerts = knownCerts.get(issuer);
 	        if (issuerCerts == null || issuerCerts.isEmpty()) {
 	            // No certificates were found so building of chain failed
 	            return false;
 	        }
 	        for (X509Certificate issuerCert : issuerCerts) {
 	            PublicKey publickey = issuerCert.getPublicKey();
 	            try {
 	                // Verify the certificate with the specified public key
 	                certificate.verify(publickey);
 	                // Certificate was verified successfully so build chain of issuer's certificate
 	                if (!buildChain(issuerCert, answer, knownCerts)) {
 	                    return false;
 	                }
 	            }
 	            catch (Exception exception) {
 	                // Failed to verify certificate
 	                return false;
 	            }
 	        }
 	        answer.addFirst(certificate);
 	        return true;
 	    }
 
 	    /**
 	     * Returns a Map where the key holds the certificate issuers and values the certificates of each issuer.
 	     *
 	     * @param ks the keystore to get its certs per issuer.
 	     * @return a map with the certificates per issuer.
 	     * @throws Exception
 	     */
 	    private static Map<Principal, List<X509Certificate>> getCertsByIssuer(KeyStore ks)
 	            throws Exception {
 	        Map<Principal, List<X509Certificate>> answer = new HashMap<Principal, List<X509Certificate>>();
 	        Enumeration<String> aliases = ks.aliases();
 	        while (aliases.hasMoreElements()) {
 	            String alias = aliases.nextElement();
 	            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
 	            cert = X509Util.getBCCertificate(cert);
 	            if (cert != null) {
 	                Principal subjectDN = cert.getSubjectDN();
 	                List<X509Certificate> vec = answer.get(subjectDN);
 	                if (vec == null) {
 	                    vec = new ArrayList<X509Certificate>();
 	                    vec.add(cert);
 	                }
 	                else {
 	                    if (!vec.contains(cert)) {
 	                        vec.add(cert);
 	                    }
 	                }
 	                answer.put(subjectDN, vec);
 	            }
 	        }
 	        return answer;
 	    }
 
 	    /**
 	     * Validates chain in certification reply, and returns the ordered
 	     * elements of the chain (with user certificate first, and root
 	     * certificate last in the array).
 	     *
 	     * @param alias the alias name
 	     * @param userCert the user certificate of the alias
 	     * @param replyCerts the chain provided in the reply
 	     */
 	    private static List<X509Certificate> validateReply(KeyStore keyStore, KeyStore trustStore, String alias,
 	                                                             X509Certificate userCert, List<X509Certificate> replyCerts,
 	                                                             boolean trustCACerts, boolean verifyRoot)
 	            throws Exception {
 	        // order the certs in the reply (bottom-up).
 	        int i;
 	        PublicKey userPubKey = userCert.getPublicKey();
 	        for (i = 0; i < replyCerts.size(); i++) {
 	            if (userPubKey.equals(replyCerts.get(i).getPublicKey())) {
 	                break;
 	            }
 	        }
 	        if (i == replyCerts.size()) {
 	            throw new Exception(
 	                    "Certificate reply does not contain public key for <alias>: " + alias);
 	        }
 
 	        X509Certificate tmpCert = replyCerts.get(0);
 	        replyCerts.set(0, replyCerts.get(i));
 	        replyCerts.set(i, tmpCert);
 	        Principal issuer = replyCerts.get(0).getIssuerDN();
 
 	        for (i = 1; i < replyCerts.size() - 1; i++) {
 	            // find a cert in the reply whose "subject" is the same as the
 	            // given "issuer"
 	            int j;
 	            for (j = i; j < replyCerts.size(); j++) {
 	                Principal subject = replyCerts.get(j).getSubjectDN();
 	                if (subject.equals(issuer)) {
 	                    tmpCert = replyCerts.get(i);
 	                    replyCerts.set(i, replyCerts.get(j));
 	                    replyCerts.set(j, tmpCert);
 	                    issuer = replyCerts.get(i).getIssuerDN();
 	                    break;
 	                }
 	            }
 	            if (j == replyCerts.size()) {
 	                throw new Exception("Incomplete certificate chain in reply");
 	            }
 	        }
 
 	        // now verify each cert in the ordered chain
 	        for (i = 0; i < replyCerts.size() - 1; i++) {
 	            PublicKey pubKey = replyCerts.get(i + 1).getPublicKey();
 	            try {
 	                replyCerts.get(i).verify(pubKey);
 	            }
 	            catch (Exception e) {
 	                throw new Exception(
 	                        "Certificate chain in reply does not verify: " + e.getMessage());
 	            }
 	        }
 
 	        if (!verifyRoot) {
 	            return replyCerts;
 	        }
 
 	        // do we trust the (root) cert at the top?
 	        X509Certificate topCert = replyCerts.get(replyCerts.size() - 1);
 	        boolean foundInKeyStore = keyStore.getCertificateAlias(topCert) != null;
 	        boolean foundInCAStore = trustCACerts && (trustStore.getCertificateAlias(topCert) != null);
 	        if (!foundInKeyStore && !foundInCAStore) {
 	            boolean verified = false;
 	            X509Certificate rootCert = null;
 	            if (trustCACerts) {
 	                for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
 	                    String name = aliases.nextElement();
 	                    rootCert = (X509Certificate) trustStore.getCertificate(name);
 	                    if (rootCert != null) {
 	                        try {
 	                            topCert.verify(rootCert.getPublicKey());
 	                            verified = true;
 	                            break;
 	                        }
 	                        catch (Exception e) {
 	                            // Ignore
 	                        }
 	                    }
 	                }
 	            }
 	            if (!verified) {
 	                return null;
 	            }
 	            else {
 	                // Check if the cert is a self-signed cert
 	                if (!topCert.getSubjectDN().equals(topCert.getIssuerDN())) {
 	                    // append the (self-signed) root CA cert to the chain
 	                    replyCerts.add(rootCert);
 	                }
 	            }
 	        }
 
 	        return replyCerts;
 	    }
 
 	    /**
 	     * Creates an X509 version3 certificate.
 	     *
 	     * @param kp           KeyPair that keeps the public and private keys for the new certificate.
 	     * @param months       time to live
 	     * @param issuerDN     Issuer string e.g "O=Grid,OU=OGSA,CN=ACME"
 	     * @param subjectDN    Subject string e.g "O=Grid,OU=OGSA,CN=John Doe"
 	     * @param domain       Domain of the server.
 	     * @param signAlgoritm Signature algorithm. This can be either a name or an OID.
 	     * @return X509 V3 Certificate
 	     * @throws GeneralSecurityException
 	     * @throws IOException
 	     */
 	    public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int months, String issuerDN,
 	                                                                        String subjectDN, String domain,
 	                                                                        String signAlgoritm)
 	            throws GeneralSecurityException, IOException {
 	        PublicKey pubKey = kp.getPublic();
 	        PrivateKey privKey = kp.getPrivate();
 
 	        byte[] serno = new byte[8];
 	        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
 	        random.setSeed((new Date().getTime()));
 	        random.nextBytes(serno);
 	        BigInteger serial = (new java.math.BigInteger(serno)).abs();
 
 	        X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
 	        certGenerator.reset();
 
 	        certGenerator.setSerialNumber(serial);
 	        certGenerator.setIssuerDN(new X509Name(issuerDN));
 	        certGenerator.setNotBefore(new Date(System.currentTimeMillis()));
 	        certGenerator.setNotAfter(
 	                new Date(System.currentTimeMillis() + months * (1000L * 60 * 60 * 24 * 30)));
 	        certGenerator.setSubjectDN(new X509Name(subjectDN));
 	        certGenerator.setPublicKey(pubKey);
 	        certGenerator.setSignatureAlgorithm(signAlgoritm);
 
 	        // Generate the subject alternative name
 	        boolean critical = subjectDN == null || "".equals(subjectDN.trim());
 	        DERSequence othernameSequence = new DERSequence(new ASN1Encodable[]{
 	                new DERObjectIdentifier("1.3.6.1.5.5.7.8.5"), new DERTaggedObject(true, 0, new DERUTF8String(domain))});
 	        GeneralName othernameGN = new GeneralName(GeneralName.otherName, othernameSequence);
 	        GeneralNames subjectAltNames = new GeneralNames(new DERSequence(new ASN1Encodable[]{othernameGN}));
 	        // Add subject alternative name extension
 	        certGenerator.addExtension(X509Extensions.SubjectAlternativeName, critical, subjectAltNames);
 
 	        X509Certificate cert =
 	                certGenerator.generateX509Certificate(privKey, "BC", new SecureRandom());
 	        cert.checkValidity(new Date());
 	        cert.verify(pubKey);
 
 	        return cert;
 	    }
 	    
 	    public static X509CRL getCRLFromCertCDP(X509Certificate certificate)
 	    		throws CertificateParsingException {
 	    	DistributionPoint[] dps = X509Util.getCrlDistributionPoint(certificate);
 	    	X509CRL latestCRL = null;
 	    	for (int i = 0; i < dps.length; i++) {
 	    		  DistributionPoint dp = dps[i];
 	    		  X509CRL crl = null;
 	    		  crl = X509Util.loadCRLFromDP(dp);
 	    		  if (latestCRL==null) {
 	    			  latestCRL = crl;
 	    		  } else if (crl !=null) {
 	    			  if (latestCRL.getNextUpdate().before(crl.getNextUpdate()))
 	    				  latestCRL = crl;
 	    		  }
 			}
 			return latestCRL;
 	    }
 
 	    public static KeyPair generateKeyPair(NewCertParams params) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException  {
 			if (params.getKeypairAlg().equals("ECDSA"))
 				return CertificateManager.generateECKeyPair( params.getEcDSASpecName() );
 			else
 				return CertificateManager.generateKeyPair( params.getKeypairAlg(), params.getKeypairSize() );
 	    }
 	    /**
 	     * Returns a new public & private key with the specified algorithm (e.g. DSA, RSA, etc.).
 	     *
 	     * @param algorithm DSA, RSA, etc.
 	     * @param keysize   the keysize. This is an algorithm-specific metric, such as modulus
 	     *                  length, specified in number of bits.
 	     * @return a new public & private key with the specified algorithm (e.g. DSA, RSA, etc.).
 	     * @throws NoSuchAlgorithmException 
 	     * @throws NoSuchProviderException 
 	     * @throws GeneralSecurityException
 	     */
 	    public static KeyPair generateKeyPair(String algorithm, int keysize, String provider) throws NoSuchAlgorithmException, NoSuchProviderException  {
 	        KeyPairGenerator generator;
 	        if (provider == null) {
 	            generator = KeyPairGenerator.getInstance(algorithm);
 	        } else {
 	            generator = KeyPairGenerator.getInstance(algorithm, provider);
 	        }
 	        generator.initialize(keysize, new SecureRandom());
 	        return generator.generateKeyPair();
 	    }
 	    
 	    public static KeyPair generateKeyPair(String algorithm, int keysize) throws NoSuchAlgorithmException, NoSuchProviderException  {
 			//Select the Security Provider that will be used
 	    	//Strange : don't use SunMSCAPI Provider : setkey will failed!....
 			String prov=null;
 	    	if ( EPKeystoreManager.isPKCS11Used() )
 					prov = EPCryptoProviderManager.getDefaultProviderName();//getUserkeystore().getProviderName();
 			else	prov = EPCryptoProviderManager.getDefaultProviderName();
 
 	        return generateKeyPair( algorithm, keysize, prov );
 	    }
 	    public static KeyPair generateECKeyPair(String ecspecs) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException   {
 
 		    ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(ecspecs);
 
 		    KeyPairGenerator generator = KeyPairGenerator.getInstance("ECDSA", "BC");
 
 			generator.initialize(ecSpec, new SecureRandom());
 
 	        return generator.generateKeyPair();
 	    }
 	    /** Generate Random Serial Number
 	     * if it's windows and Java 1.6 min, then use CAPI (Windows-PRNG)
 	     * Otherwise, use SHA1PRNG.
 	     * 
 	     * @return
 	     */
 	    private static BigInteger generateRandomSerial() throws NoSuchAlgorithmException {
 	        byte[] serno = new byte[8];
 	        SecureRandom random;
 			try {
 				if (JVMSettings.isJava16Min() && JVMSettings.isWindowsOS())
 					random = SecureRandom.getInstance("Windows-PRNG");
 				else 
 					random = SecureRandom.getInstance("SHA1PRNG");
 			} catch (NoSuchAlgorithmException e) {
 				String msg = "Error while generating a random serial number : " + e.getMessage();
 				EParapherManager.getInstance().getUI().errorMessage(msg,e);
 				log.error(msg, e);
 				return null;
 			}
 	        random.setSeed( System.currentTimeMillis() );
 	        random.nextBytes(serno);
 			return new BigInteger(serno).abs();
 	    }
 		/**
 		 * Check the certificate with CA certificate.
 		 *
 		 * @param certificate cert to verify
 		 * @param caCertPath collection of X509Certificate
 		 * @return true if verified OK, false if not
 		 */
 		public static boolean verify(X509Certificate certificate, Collection<X509Certificate[]> caCertPath)
 					throws Exception {
 			try {
 				// Create CertPath
 				ArrayList<X509Certificate> certlist = new ArrayList<X509Certificate>();
 				certlist.add(certificate);
 				
 				// Add other certs...
 				CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
 				java.security.cert.CertPath cp = cf.generateCertPath(certlist);
 
 				// Create TrustAnchor. Since BouncyCastle provider is used, we assume
 				//  certificate already in correct order
 				X509Certificate[] cac = (X509Certificate[]) caCertPath.toArray(new X509Certificate[] {});
 				java.security.cert.TrustAnchor anchor = new java.security.cert.TrustAnchor(cac[0], null);
 				// Set the PKIX parameters
 				java.security.cert.PKIXParameters params = new java.security.cert.PKIXParameters(java.util.Collections.singleton(anchor));
 				params.setRevocationEnabled(true);
 				params.setDate( new Date() );
 				
 				CertPathValidator cpv = CertPathValidator.getInstance("PKIX", "BC");
 				PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
 				log.info("Certificate verify result: " + result.toString());
 			} catch (java.security.cert.CertPathValidatorException cpve) {
 				throw new Exception("Invalid certificate or certificate not issued by specified CA: " + cpve.getMessage());
 			} catch (Exception e) {
 				throw new Exception("Error checking certificate chain: " + e.getMessage());
 			}
 			return true;
 		}
 		
 		public static X509Certificate[] buildChain(X509Certificate[] certs) {
 	        try {
 	        	if (Logger.getRootLogger().getLevel().toInt()<=Level.DEBUG_INT)
 	        		System.setProperty("java.security.debug","certpath");
 	            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX","BC");
 	            X509CertSelector targetConstraints = new X509CertSelector();
 
 	            KeyStore trustedKS = EPKeystoreManager.getInstance().getTrustStore().getKeystore();
 	            if (trustedKS == null) {
 	                log.warn("trusted KeyStore is null");
 	                return null;
 	            }
 
 	            PKIXBuilderParameters params = new PKIXBuilderParameters( trustedKS, targetConstraints);
 	            
 	            //Build the certificate
 	            ArrayList<X509Certificate> certsList = new ArrayList<X509Certificate>();
 	            for (int i=0; i < certs.length; i++) {
 	                certsList.add(certs[i]);
 	            }
 	            CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(certsList);
 	            CertStore store = CertStore.getInstance("Collection", ccsp);
 	            params.addCertStore(store);
 	            params.setRevocationEnabled(false);
 	            
 	            CertPath certPath = certPathBuilder.build(params).getCertPath();
 	            log.info("Cert Path building OK : " + certPath);
 	            List<Certificate> trustedChain = (List<Certificate>) certPath.getCertificates();
 	            
 	            Certificate[] cerchain = (Certificate[]) trustedChain.toArray(new Certificate[] {} );
 	            
 	            System.setProperty("java.security.debug","false");
 	            return X509Util.convertCertChaintoX509( cerchain );
 	        } catch (NoSuchAlgorithmException e) {
 	            log.error(e.getLocalizedMessage(),e);
 	        } catch (KeyStoreException e) {
 	            log.error(e.getLocalizedMessage(),e);
 	        } catch (CertPathBuilderException e) {
 	            //if (log.getLevel().toInt()<=Level.DEBUG_INT)
 	            	 log.debug(e.getLocalizedMessage(),e);
 	            //else
 	            	 log.warn(e.getLocalizedMessage());
 	        } catch (InvalidAlgorithmParameterException e) {
 	            log.error(e.getLocalizedMessage(),e);
 	        } catch (NoSuchProviderException e) {
 	            log.error(e.getLocalizedMessage(),e);
 			}
             System.setProperty("java.security.debug","false");
 	        return null;
 		}
 }