package routes

import (
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"

	"github.com/gin-gonic/gin"
)

// GetCertificateInfo handler
func GetCertificateInfo(c *gin.Context) {
	query := c.Query("q")
	resp, err := tls.Dial("tcp", query+":443", &tls.Config{})
	if err != nil {
		fmt.Println(err)
		c.JSON(http.StatusBadRequest, gin.H{
			"status":  false,
			"message": "Could not establish connection with server.",
		})
		return
	}
	cipherSuite := tls.CipherSuiteName(resp.ConnectionState().CipherSuite)
	v := resp.ConnectionState().Version
	var tlsVersion string
	if v == tls.VersionSSL30 {
		tlsVersion = "SSLv3"
	} else if v == tls.VersionTLS10 {
		tlsVersion = "TLSv1"
	} else if v == tls.VersionTLS11 {
		tlsVersion = "TLSv1.1"
	} else if v == tls.VersionTLS12 {
		tlsVersion = "TLSv1.2"
	} else if v == tls.VersionTLS13 {
		tlsVersion = "TLSv1.3"
	} else {
		tlsVersion = "unknown"
	}
	certificate := resp.ConnectionState().PeerCertificates[0]

	var validationType string
	for _, value := range certificate.PolicyIdentifiers {
		if value.String() == "2.23.140.1.1" {
			validationType = "EV"
		} else if value.String() == "2.23.140.1.2.2" {
			validationType = "OV"
		} else if value.String() == "2.23.140.1.2.1" {
			validationType = "DV"
		}
	}

	keyUsages := []int{}
	keyUsagesText := []string{}
	extendedKeyUsages := []int{}
	extendedKeyUsagesText := []string{}
	for _, value := range certificate.ExtKeyUsage {
		switch value {
		case 0:
			// All Usages
			extendedKeyUsages = append(extendedKeyUsages, 0)
			extendedKeyUsagesText = append(extendedKeyUsagesText, "Any/All Usages")
			break
		case 1:
			// TLS Web Server Authentication
			extendedKeyUsages = append(extendedKeyUsages, 1)
			extendedKeyUsagesText = append(extendedKeyUsagesText, "TLS Web Server Authentication")
			break
		case 2:
			// TLS Web Client Authentication
			extendedKeyUsages = append(extendedKeyUsages, 2)
			extendedKeyUsagesText = append(extendedKeyUsagesText, "TLS Web Client Authentication")
			break
		case 3:
			// Code Signing
			extendedKeyUsages = append(extendedKeyUsages, 3)
			extendedKeyUsagesText = append(extendedKeyUsagesText, "Code Signing")
			break
		case 4:
			// Email Protection
			extendedKeyUsages = append(extendedKeyUsages, 4)
			extendedKeyUsagesText = append(extendedKeyUsagesText, "Email Protection (S/MIME)")
		default:
			break
		}
	}

	if certificate.KeyUsage & x509.KeyUsageCRLSign != 0 {
		keyUsages = append(keyUsages, 0)
		keyUsagesText = append(keyUsagesText, "CRL Signing")
	}
	if certificate.KeyUsage & x509.KeyUsageCertSign != 0 {
		keyUsages = append(keyUsages, 1)
		keyUsagesText = append(keyUsagesText, "Certificate Signing")
	}
	if certificate.KeyUsage & x509.KeyUsageContentCommitment != 0 {
		keyUsages = append(keyUsages, 3)
		keyUsagesText = append(keyUsagesText, "Content Commitment")
	}
	if certificate.KeyUsage & x509.KeyUsageDataEncipherment != 0 {
		keyUsages = append(keyUsages, 4)
		keyUsagesText = append(keyUsagesText, "Data Encipherment")
	}
	if certificate.KeyUsage & x509.KeyUsageDecipherOnly != 0 {
		keyUsages = append(keyUsages, 5)
		keyUsagesText = append(keyUsagesText, "Decipher Only")
	}
	if certificate.KeyUsage & x509.KeyUsageDigitalSignature != 0 {
		keyUsages = append(keyUsages, 5)
		keyUsagesText = append(keyUsagesText, "Digital Signature")
	}
	if certificate.KeyUsage & x509.KeyUsageEncipherOnly != 0 {
		keyUsages = append(keyUsages, 6)
		keyUsagesText = append(keyUsagesText, "Encipher Only")
	}
	if certificate.KeyUsage & x509.KeyUsageKeyAgreement != 0 {
		keyUsages = append(keyUsages, 7)
		keyUsagesText = append(keyUsagesText, "Key Agreement")
	}
	if certificate.KeyUsage & x509.KeyUsageKeyEncipherment != 0 {
		keyUsages = append(keyUsages, 8)
		keyUsagesText = append(keyUsagesText, "Key Encipherment")
	}

	sum := sha1.Sum(certificate.Raw)

	c.JSON(http.StatusOK, gin.H{
		"status": true,
		"subject": gin.H{
			"commonName":         certificate.Subject.CommonName,
			"organization":       certificate.Subject.Organization,
			"organizationalUnit": certificate.Subject.OrganizationalUnit,
			"locality":           certificate.Subject.Locality,
			"country":            certificate.Subject.Country,
		},
		"issuer": gin.H{
			"commonName":         certificate.Issuer.CommonName,
			"organization":       certificate.Issuer.Organization,
			"organizationalUnit": certificate.Issuer.OrganizationalUnit,
			"locality":           certificate.Issuer.Locality,
			"country":            certificate.Issuer.Country,
		},
		"validationType":     validationType,
		"signatureAlgorithm": certificate.SignatureAlgorithm.String(),
		"publicKeyAlgorithm": certificate.PublicKeyAlgorithm.String(),
		"serialNumber":       certificate.SerialNumber.Int64(),
		"notAfter":           certificate.NotAfter,
		"keyUsage": keyUsages,
		"keyUsageAsText": keyUsagesText,
		"extendedKeyUsage":   extendedKeyUsages,
		"extendedKeyUsageAsText": extendedKeyUsagesText,
		"san":                certificate.DNSNames,
		"fingerprint":        hex.EncodeToString(sum[:]),
		"connection": gin.H{
			"tlsVersion": tlsVersion,
			"cipherSuite": cipherSuite,
		},
	})
}