package keygen

import (
	"b612.me/starcrypto"
	"b612.me/staros"
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

type KeyGen struct {
	Type      string
	Encrypt   string
	Bits      int
	Outfolder string
	Prefix    string
	Force     bool
	//
	Country            string
	Locality           string
	Organization       string
	OrganizationalUnit string
	CommonName         string
	StartDate          time.Time
	EndDate            time.Time
}

func (k *KeyGen) Gen() error {
	if !k.Force && staros.Exists(filepath.Join(k.Outfolder, k.Prefix+".crt")) {
		return errors.New("crt file exists")
	}
	if !k.Force && staros.Exists(filepath.Join(k.Outfolder, k.Prefix)) {
		return errors.New("key file exists")
	}
	if !k.Force && staros.Exists(filepath.Join(k.Outfolder, k.Prefix+".pub")) {
		return errors.New("ssh pub file exists")
	}
	if !k.Force && staros.Exists(filepath.Join(k.Outfolder, k.Prefix+".key.pub")) {
		return errors.New("pub file exists")
	}
	var sshPubByte, keyPubByte, keyPrivByte, Crt []byte

	var priv, pub any
	var err error
	switch strings.ToLower(k.Type) {
	case "rsa":
		priv, pub, err = starcrypto.GenerateRsaKey(k.Bits)
		if err != nil {
			return err
		}
	case "ecdsa", "ecdh":
		var cr elliptic.Curve
		switch k.Bits {
		case 224:
			cr = elliptic.P224()
		case 256:
			cr = elliptic.P256()
		case 384:
			cr = elliptic.P384()
		case 521:
			cr = elliptic.P521()
		default:
			return errors.New("invalid bits,should be 224,256,384,521")
		}
		priv, pub, err = starcrypto.GenerateEcdsaKey(cr)
		if err != nil {
			return err
		}
	case "ed25519":
		pub, priv, err = ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return err
		}
	default:
		return errors.New("invalid key type,only support rsa,ecdsa")
	}
	sshPubByte, err = starcrypto.EncodeSSHPublicKey(pub)
	if err != nil {
		return err
	}
	keyPubByte, err = starcrypto.EncodePublicKey(pub)
	if err != nil {
		return err
	}
	keyPrivByte, err = starcrypto.EncodePrivateKey(priv, k.Encrypt)
	if err != nil {
		return err
	}
	_, Crt, err = k.GenerateCert(priv)
	if err != nil {
		return err
	}
	err = os.WriteFile(filepath.Join(k.Outfolder, k.Prefix+".crt"), Crt, 0644)
	if err != nil {
		return err
	}
	err = os.WriteFile(filepath.Join(k.Outfolder, k.Prefix), keyPrivByte, 0644)
	if err != nil {
		return err
	}
	err = os.WriteFile(filepath.Join(k.Outfolder, k.Prefix+".pub"), sshPubByte, 0644)
	if err != nil {
		return err
	}
	err = os.WriteFile(filepath.Join(k.Outfolder, k.Prefix+".key.pub"), keyPubByte, 0644)
	if err != nil {
		return err
	}
	return nil
}

func (k *KeyGen) GenerateCert(priv crypto.PrivateKey) ([]byte, []byte, error) {
	//csr,pub
	tmpByte := make([]byte, 64)
	io.ReadFull(rand.Reader, tmpByte)
	hexStr := starcrypto.String(tmpByte)
	data, _ := hex.DecodeString(hexStr)
	num := new(big.Int).SetBytes(data)
	var country, locality, organization, organizationalUnit []string
	if k.Country != "" {
		country = []string{k.Country}
	}
	if k.Locality != "" {
		locality = []string{k.Locality}
	}
	if k.Organization != "" {
		organization = []string{k.Organization}
	}
	if k.OrganizationalUnit != "" {
		organizationalUnit = []string{k.OrganizationalUnit}

	}
	var rootCsr = &x509.Certificate{
		Version:      3,
		SerialNumber: num,
		Subject: pkix.Name{
			Country:            country,
			Locality:           locality,
			Organization:       organization,
			OrganizationalUnit: organizationalUnit,
			CommonName:         k.CommonName,
		},
		NotBefore:             k.StartDate,
		NotAfter:              k.EndDate,
		BasicConstraintsValid: true,
		IsCA:                  false,
		MaxPathLenZero:        false,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageDigitalSignature,
	}
	var cert []byte
	var err error
	switch priv.(type) {
	case *rsa.PrivateKey:
		cert, err = MakeCert(priv.(*rsa.PrivateKey), rootCsr, rootCsr, priv.(*rsa.PrivateKey).Public())
		if err != nil {
			return nil, nil, err
		}
	case *ecdsa.PrivateKey:
		cert, err = MakeCert(priv.(*ecdsa.PrivateKey), rootCsr, rootCsr, priv.(*ecdsa.PrivateKey).Public())
	case ed25519.PrivateKey:
		cert, err = MakeCert(priv.(ed25519.PrivateKey), rootCsr, rootCsr, priv.(ed25519.PrivateKey).Public())
	default:
		return nil, nil, errors.New("invalid private key type:" + fmt.Sprintf("%T", priv))
	}

	csrPem := pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE REQUEST",
		Bytes: rootCsr.Raw,
	})
	return csrPem, cert, nil
}

func MakeCert(caKey any, caCrt *x509.Certificate, csr *x509.Certificate, pub any) ([]byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, csr, caCrt, pub, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	certBlock := &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: cert.Raw,
	}
	pemData := pem.EncodeToMemory(certBlock)
	return pemData, nil
}