KEY_PASSPHRASE = None
LOADED_KEY     = None

import os
import RNS
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import load_pem_private_key

from cryptography import __version__ as cryptography_version_str
try:
    cryptography_major_version = int(cryptography_version_str.split(".")[0])
except:
    RNS.log(f"Could not determine PyCA/cryptography version: {e}", RNS.LOG_ERROR)
    RNS.log(f"Assuming recent version with automatic backend selection", RNS.LOG_ERROR)

def get_key(key_path, force_reload=False):
    KEY_PATH = key_path
    key = None
    if LOADED_KEY != None and not force_reload:
        return LOADED_KEY
    elif os.path.isfile(KEY_PATH):
        with open(KEY_PATH, "rb") as f:
            key = load_pem_private_key(f.read(), KEY_PASSPHRASE)
    else:
        if cryptography_major_version > 3:
            key = ec.generate_private_key(curve=ec.SECP256R1())
        else:
            from cryptography.hazmat.backends import default_backend
            key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend())

        if KEY_PASSPHRASE == None:
            key_encryption = serialization.NoEncryption()
        else:
            key_encryption = serialization.BestAvailableEncryption(KEY_PASSPHRASE)

        with open(KEY_PATH, "wb") as f:
            f.write(key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.PKCS8,
                encryption_algorithm=key_encryption))

    return key

def gen_cert(cert_path, key):
    CERT_PATH = cert_path
    cert_attrs = [x509.NameAttribute(NameOID.COUNTRY_NAME, "NA"),
                  x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "None"),
                  x509.NameAttribute(NameOID.LOCALITY_NAME, "Earth"),
                  x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Sideband"),
                  x509.NameAttribute(NameOID.COMMON_NAME, "Sideband Repository")]

    issuer  = x509.Name(cert_attrs)
    subject = issuer

    cb = x509.CertificateBuilder()
    cb = cb.subject_name(subject)
    cb = cb.issuer_name(issuer)
    cb = cb.public_key(key.public_key())
    cb = cb.serial_number(x509.random_serial_number())
    cb = cb.not_valid_before(datetime.datetime.now(datetime.timezone.utc)+datetime.timedelta(days=-14))
    cb = cb.not_valid_after(datetime.datetime.now(datetime.timezone.utc)+datetime.timedelta(days=3652))
    cb = cb.add_extension(x509.SubjectAlternativeName([x509.DNSName("localhost")]), critical=False)
    if cryptography_major_version > 3:
        cert = cb.sign(key, hashes.SHA256())
    else:
        from cryptography.hazmat.backends import default_backend
        cert = cb.sign(key, hashes.SHA256(), backend=default_backend())

    with open(CERT_PATH, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))

def ensure_certificate(key_path, cert_path):
    gen_cert(cert_path, get_key(key_path))
    return cert_path