package tls

import (
	"b612.me/starlog"
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"github.com/spf13/cobra"
	"os"
	"path/filepath"
	"strings"
	"time"
)

var hideDetail bool
var dump string

func init() {
	Cmd.Flags().BoolVarP(&hideDetail, "hide-detail", "H", false, "隐藏证书详细信息")
	Cmd.Flags().StringVarP(&dump, "dump", "d", "", "将证书保存到文件")
}

var Cmd = &cobra.Command{
	Use:   "tls",
	Short: "查看TLS证书信息",
	Long:  "查看TLS证书信息",
	Run: func(cmd *cobra.Command, args []string) {
		for _, target := range args {
			showTls(target, !hideDetail, dump)
		}
	},
}

func showTls(target string, showDetail bool, dumpPath string) {
	if !strings.Contains(target, ":") {
		target += ":443"
	}
	starlog.Infof("正在连接服务器: %s\n", target)
	conn, err := tls.Dial("tcp", target, &tls.Config{
		InsecureSkipVerify: true,
	})
	if err != nil {
		starlog.Errorln("failed to connect: " + err.Error())
		return
	}
	defer conn.Close()
	starlog.Infoln("连接成功，正在获取证书信息")
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		starlog.Errorln("no certificate found")
		return
	}
	starlog.Infof("证书获取成功，证书链上共有%d个证书\n", len(certs))
	state := conn.ConnectionState()

	switch state.Version {
	case tls.VersionSSL30:
		starlog.Infoln("当前TLS版本: SSL 3.0")
	case tls.VersionTLS10:
		starlog.Infoln("当前TLS版本: TLS 1.0")
	case tls.VersionTLS11:
		starlog.Infoln("当前TLS版本: TLS 1.1")
	case tls.VersionTLS12:
		starlog.Infoln("当前TLS版本: TLS 1.2")
	case tls.VersionTLS13:
		starlog.Infoln("当前TLS版本: TLS 1.3")
	}
	switch state.CipherSuite {
	case tls.TLS_RSA_WITH_RC4_128_SHA:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_RC4_128_SHA")
	case tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_3DES_EDE_CBC_SHA")
	case tls.TLS_RSA_WITH_AES_128_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_CBC_SHA")
	case tls.TLS_RSA_WITH_AES_256_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_256_CBC_SHA")
	case tls.TLS_RSA_WITH_AES_128_CBC_SHA256:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_CBC_SHA256")
	case tls.TLS_RSA_WITH_AES_128_GCM_SHA256:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_128_GCM_SHA256")
	case tls.TLS_RSA_WITH_AES_256_GCM_SHA384:
		starlog.Infoln("当前加密套件: TLS_RSA_WITH_AES_256_GCM_SHA384")
	case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA")
	case tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
	case tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA")
	case tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_RC4_128_SHA")
	case tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")
	case tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")
	case tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
	case tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")
	case tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
	case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
	case tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
	case tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
	case tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
	case tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
		starlog.Infoln("当前加密套件: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305")
	case tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
		starlog.Infoln("当前加密套件: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305")
	case tls.TLS_AES_128_GCM_SHA256:
		starlog.Infoln("当前加密套件: TLS_AES_128_GCM_SHA256")
	case tls.TLS_AES_256_GCM_SHA384:
		starlog.Infoln("当前加密套件: TLS_AES_256_GCM_SHA384")
	case tls.TLS_CHACHA20_POLY1305_SHA256:
		starlog.Infoln("当前加密套件: TLS_CHACHA20_POLY1305_SHA256")
	default:
		starlog.Infoln("当前加密套件：", state.CipherSuite)
	}
	starlog.Infoln("服务器名称:", state.ServerName)

	if showDetail {
		for _, c := range certs {
			if c.IsCA {
				continue
			}
			fmt.Printf("----------\n证书基础信息: %+v\n", c.Subject)
			fmt.Printf("证书颁发者: %+v\n", c.Issuer)
			fmt.Printf("证书生效时间: %+v 距今：%.1f天\n", c.NotBefore.In(time.Local), time.Since(c.NotBefore).Hours()/24)
			fmt.Printf("证书过期时间: %+v 剩余：%.1f天\n", c.NotAfter.In(time.Local), c.NotAfter.Sub(time.Now()).Hours()/24)
			fmt.Printf("证书序列号: %s\n", c.SerialNumber.Text(16))
			fmt.Printf("证书签名算法: %s\n", c.SignatureAlgorithm)
			fmt.Printf("证书公钥算法: %s\n", c.PublicKeyAlgorithm)
			switch pub := c.PublicKey.(type) {
			case *rsa.PublicKey:
				fmt.Printf("RSA公钥位数: %d\n", pub.Size()*8) // RSA公钥的位数
			case *ecdsa.PublicKey:
				fmt.Printf("ECDSA Curve位数: %d\n", pub.Curve.Params().BitSize) // ECDSA公钥的位数
			}
			if len(c.DNSNames) != 0 {
				fmt.Printf("可选使用的DNS: %s\n", strings.Join(c.DNSNames, ", "))
			}
			if len(c.IPAddresses) != 0 {
				ipAddr := ""
				for _, ip := range c.IPAddresses {
					ipAddr += ip.String() + ", "
				}
				ipAddr = ipAddr[:len(ipAddr)-2]
				fmt.Printf("可选使用的IP: %s\n", ipAddr)
			}
			if len(c.EmailAddresses) != 0 {
				fmt.Printf("可选使用的Email: %s\n", strings.Join(c.EmailAddresses, ", "))
			}
			if len(c.URIs) != 0 {
				fmt.Printf("可选使用的URI: %v\n", c.URIs)
			}
			if len(c.PermittedDNSDomains) != 0 {
				fmt.Printf("批准使用的DNS: %s\n", strings.Join(c.PermittedDNSDomains, ", "))
			}
			if len(c.PermittedIPRanges) != 0 {
				ipRange := ""
				for _, ip := range c.PermittedIPRanges {
					ipRange += ip.String() + ", "
				}
				ipRange = ipRange[:len(ipRange)-2]
				fmt.Printf("批准使用的IP: %s\n", ipRange)
			}
			if len(c.PermittedEmailAddresses) != 0 {
				fmt.Printf("批准使用的Email: %s\n", strings.Join(c.PermittedEmailAddresses, ", "))
			}
			if len(c.PermittedURIDomains) != 0 {
				fmt.Printf("批准使用的URI: %s\n", strings.Join(c.PermittedURIDomains, ", "))
			}
			fmt.Printf("证书密钥用途: %s\n", strings.Join(KeyUsageToString(c.KeyUsage), ", "))
			extKeyUsage := []string{}
			for _, v := range c.ExtKeyUsage {
				switch v {
				case x509.ExtKeyUsageAny:
					extKeyUsage = append(extKeyUsage, "任何用途")
				case x509.ExtKeyUsageServerAuth:
					extKeyUsage = append(extKeyUsage, "服务器认证")
				case x509.ExtKeyUsageClientAuth:
					extKeyUsage = append(extKeyUsage, "客户端认证")
				case x509.ExtKeyUsageCodeSigning:
					extKeyUsage = append(extKeyUsage, "代码签名")
				case x509.ExtKeyUsageEmailProtection:
					extKeyUsage = append(extKeyUsage, "电子邮件保护")
				case x509.ExtKeyUsageIPSECEndSystem:
					extKeyUsage = append(extKeyUsage, "IPSEC终端系统")
				case x509.ExtKeyUsageIPSECTunnel:
					extKeyUsage = append(extKeyUsage, "IPSEC隧道")
				case x509.ExtKeyUsageIPSECUser:
					extKeyUsage = append(extKeyUsage, "IPSEC用户")
				case x509.ExtKeyUsageTimeStamping:
					extKeyUsage = append(extKeyUsage, "时间戳")
				case x509.ExtKeyUsageOCSPSigning:
					extKeyUsage = append(extKeyUsage, "OCSP签名")
				case x509.ExtKeyUsageMicrosoftServerGatedCrypto:
					extKeyUsage = append(extKeyUsage, "Microsoft服务器门控加密")
				case x509.ExtKeyUsageNetscapeServerGatedCrypto:
					extKeyUsage = append(extKeyUsage, "Netscape服务器门控加密")
				case x509.ExtKeyUsageMicrosoftCommercialCodeSigning:
					extKeyUsage = append(extKeyUsage, "Microsoft商业代码签名")
				case x509.ExtKeyUsageMicrosoftKernelCodeSigning:
					extKeyUsage = append(extKeyUsage, "Microsoft内核代码签名")
				default:
					extKeyUsage = append(extKeyUsage, fmt.Sprintf("未知用途(%d)", v))
				}
			}
			fmt.Printf("证书扩展密钥用途: %s\n", strings.Join(extKeyUsage, ", "))
			fmt.Printf("证书版本: %d\n----------\n", c.Version)
			//fmt.Printf("证书扩展信息: %+v\n\n----------", c.Extensions)
		}
		if dumpPath != "" {
			var data []byte
			var name string
			for _, c := range certs {
				if name == "" {
					name = c.Subject.CommonName + ".crt"
				}
				certBlock := &pem.Block{
					Type:  "CERTIFICATE",
					Bytes: c.Raw,
				}
				data = append(data, pem.EncodeToMemory(certBlock)...)
			}
			err = os.WriteFile(filepath.Join(dumpPath, name), data, 0644)
			if err != nil {
				starlog.Errorln("failed to write file: " + err.Error())
				return
			}
			starlog.Infoln("dumped to " + filepath.Join(dumpPath, name))
		}
	}
}

func KeyUsageToString(ku x509.KeyUsage) []string {
	usages := []string{}
	flags := []struct {
		Flag x509.KeyUsage
		Name string
	}{
		{x509.KeyUsageDigitalSignature, "数字签名"},
		{x509.KeyUsageContentCommitment, "内容承诺"},
		{x509.KeyUsageKeyEncipherment, "密钥加密"},
		{x509.KeyUsageDataEncipherment, "数据加密"},
		{x509.KeyUsageKeyAgreement, "密钥协商"},
		{x509.KeyUsageCertSign, "证书签名"},
		{x509.KeyUsageCRLSign, "CRL签名"},
		{x509.KeyUsageEncipherOnly, "仅加密"},
		{x509.KeyUsageDecipherOnly, "仅解密"},
	}

	for _, flag := range flags {
		if ku&flag.Flag != 0 {
			usages = append(usages, flag.Name)
		}
	}

	return usages
}