package tools

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

func SSL() *ssl {
	return &ssl{}
}

type (
	ssl struct {
	}
	sslcert struct {
		privateKey *rsa.PrivateKey
		Template   x509.Certificate
	}
)

func (t *ssl) Cert(cn string) (res *sslcert) {
	res = &sslcert{}
	var err error
	
	res.privateKey, err = rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		log.Write([]byte(fmt.Sprintf("failed to generate private key: %w", err)))
		return
	}

	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		log.Write([]byte(fmt.Sprintf("failed to generate serial number: %w", err)))
		return
	}

	res.Template = x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			// Organization: []string{org},
			CommonName: cn, // Essential for browsers/clients to trust the cert
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(365 * 24 * time.Hour), // Valid for 1 year

		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // Mark as a CA to sign other certs if needed

		DNSNames: []string{cn},
	}

	return
}

func (res *sslcert) WriteCSR(file string) error {
	csrTemplate := x509.CertificateRequest{
		Subject:  res.Template.Subject,
		DNSNames: res.Template.DNSNames,
	}

	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, res.privateKey)
	if err != nil {
		return fmt.Errorf("Failed to create certificate request: %v", err)
	}

	csrPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "CERTIFICATE REQUEST",
		Bytes: csrBytes,
	})

	return os.WriteFile(file, csrPEM, 0644)
}

func (res *sslcert) WritePEMs(key, crt string) error {
	certBytes, err := x509.CreateCertificate(rand.Reader, &res.Template, &res.Template, res.privateKey.PublicKey, res.privateKey)
	if err != nil {
		return fmt.Errorf("failed to create certificate: %w", err)
	}

	certPEM := new(bytes.Buffer)
	pem.Encode(certPEM, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes})

	keyPEM := new(bytes.Buffer)
	pem.Encode(keyPEM, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(res.privateKey)})

	if err := os.WriteFile(crt, certPEM.Bytes(), 0644); err != nil {
		return fmt.Errorf("failed to write cert.pem: %w", err)
	}
	if err := os.WriteFile(key, keyPEM.Bytes(), 0600); err != nil {
		return fmt.Errorf("failed to write key.pem: %w", err)
	}

	return nil
}