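package handlers

import (
	"crypto/x509"
	"encoding/pem"
	"testing"

	"codit/internal/models"
)

// newTestCA generates a throwaway root CA via generateRootCA and returns it
// both as the models.PKICA the handlers consume and as the parsed
// *x509.Certificate the tests use to verify signatures.
func newTestCA(t *testing.T) (models.PKICA, *x509.Certificate) {
	t.Helper()

	certPEM, keyPEM, err := generateRootCA("test-ca", 365)
	if err != nil {
		t.Fatalf("generate root ca: %v", err)
	}
	caCert := mustParseCertPEM(t, certPEM)
	ca := models.PKICA{
		ID:      "ca1",
		Name:    "test-ca",
		CertPEM: certPEM,
		KeyPEM:  keyPEM,
	}
	return ca, caCert
}

// mustParseCertPEM decodes the first PEM block of certPEM and parses it as an
// X.509 certificate, failing the test on any error.
func mustParseCertPEM(t *testing.T, certPEM string) *x509.Certificate {
	t.Helper()

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		t.Fatalf("decode cert pem: nil block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		t.Fatalf("parse certificate: %v", err)
	}
	return cert
}

// TestBuildCRLPEMIncludesOddLengthHexSerials checks that buildCRLPEM accepts
// odd-length hex serials ("5") as well as even-length ones ("0a"), leaves
// non-revoked certs out, and emits a CRL that actually verifies against the
// issuing CA (ParseRevocationList alone does not check the signature).
func TestBuildCRLPEMIncludesOddLengthHexSerials(t *testing.T) {
	ca, caCert := newTestCA(t)

	certs := []models.PKICert{
		{SerialHex: "5", Status: "revoked", RevokedAt: 1700000000},
		{SerialHex: "0a", Status: "revoked", RevokedAt: 1700000100},
		// NOTE(review): the expected count below pins that a revoked cert
		// whose serial is not valid hex is silently dropped from the CRL.
		// That is fail-open: relying parties never learn of the revocation.
		// If buildCRLPEM is changed to return an error instead, update the
		// count assertion accordingly.
		{SerialHex: "zz", Status: "revoked", RevokedAt: 1700000200},
		{SerialHex: "b", Status: "active", RevokedAt: 1700000300},
	}

	crlPEM, err := buildCRLPEM(ca, certs)
	if err != nil {
		t.Fatalf("build crl: %v", err)
	}
	block, _ := pem.Decode([]byte(crlPEM))
	if block == nil {
		t.Fatalf("decode crl pem: nil block")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		t.Fatalf("parse revocation list: %v", err)
	}
	// A CRL that does not chain to the CA is worthless to relying parties.
	// This also fails if the CA cert carries a KeyUsage without CRLSign,
	// which RFC 5280 verifiers would likewise reject.
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		t.Fatalf("crl signature does not verify against ca: %v", err)
	}

	entries := crl.RevokedCertificateEntries
	if len(entries) != 2 {
		t.Fatalf("unexpected revoked entry count: got=%d want=2", len(entries))
	}
	// Entries are expected in input order; comparing via Text(16) makes
	// "0a" and "a" agree.
	wantSerials := []string{"5", "a"}
	for i, want := range wantSerials {
		if got := entries[i].SerialNumber.Text(16); got != want {
			t.Fatalf("unexpected serial at index %d: got=%s want=%s", i, got, want)
		}
	}
}

// TestIssueCertFromCAUsesValidSeconds checks that the validity argument to
// issueCertFromCA is interpreted as seconds (not hours or days) and that the
// issued certificate is actually signed by the CA it was requested from.
func TestIssueCertFromCAUsesValidSeconds(t *testing.T) {
	ca, caCert := newTestCA(t)

	const wantSeconds = 3600
	issuedPEM, _, _, _, err := issueCertFromCA(ca, 123,
		"server.example.com", []string{"server.example.com"}, []string{"127.0.0.1"}, wantSeconds, false)
	if err != nil {
		t.Fatalf("issue cert: %v", err)
	}
	cert := mustParseCertPEM(t, issuedPEM)

	// Parsing does not verify the signature; make sure the leaf chains to
	// the CA whose key was supplied.
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		t.Fatalf("issued cert does not verify against ca: %v", err)
	}

	// X.509 validity times carry whole seconds, so allow ±1s for truncation.
	validity := int64(cert.NotAfter.Sub(cert.NotBefore).Seconds())
	if validity < wantSeconds-1 || validity > wantSeconds+1 {
		t.Fatalf("unexpected validity seconds: got=%d want~=%d", validity, wantSeconds)
	}
}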