// tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
//              manager, WARC/geminispace browser
// Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, version 3 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package tofuproxy

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"sync"
	"time"
)

type X509Keypair struct {
	cert *x509.Certificate
	prv  crypto.PrivateKey
}

var (
	hostCerts  = make(map[string]*X509Keypair)
	hostCertsM sync.Mutex
	Serial     *big.Int
	X509Algo   string
)

func init() {
	max := big.NewInt(0)
	max = max.SetBit(max, 128, 1)
	var err error
	Serial, err = rand.Int(rand.Reader, max)
	if err != nil {
		panic(err)
	}
}

func NewKeypair(ai string) (pub, prv any) {
	switch ai {
	case "ecdsa":
		prvEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			log.Fatalln(err)
		}
		prv = prvEcdsa
		pub = prvEcdsa.Public()
	case "eddsa":
		var err error
		pub, prv, err = ed25519.GenerateKey(rand.Reader)
		if err != nil {
			log.Fatalln(err)
		}
	default:
		log.Fatalln("unknown algorithm specified")
	}
	return
}

func newX509Keypair(
	host string,
	caCert *x509.Certificate,
	caPrv crypto.PrivateKey,
) *X509Keypair {
	pub, prv := NewKeypair(X509Algo)
	notBefore := time.Now()
	notAfter := notBefore.Add(24 * time.Hour)
	Serial = Serial.Add(Serial, big.NewInt(1))
	template := x509.Certificate{
		SerialNumber: Serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	certRaw, err := x509.CreateCertificate(
		rand.Reader, &template, caCert, pub, caPrv,
	)
	if err != nil {
		log.Fatalln(err)
	}
	cert, err := x509.ParseCertificate(certRaw)
	if err != nil {
		log.Fatalln(err)
	}
	return &X509Keypair{cert, prv}
}