package cms

import (
	"bytes"
	"crypto"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"testing"

	openssl "github.com/InfiniteLoopSpace/go_S-MIME/openssl"
	pki "github.com/InfiniteLoopSpace/go_S-MIME/pki"
)

var (
	root = pki.New(pki.IsCA, pki.Subject(pkix.Name{
		CommonName: "root.example.com",
	}))

	intermediate = root.Issue(pki.IsCA, pki.Subject(pkix.Name{
		CommonName: "intermediate.example.com",
	}))

	leaf = intermediate.Issue(pki.Subject(pkix.Name{
		CommonName: "leaf.example.com",
	}))

	keyPair = tls.Certificate{
		Certificate: [][]byte{leaf.Certificate.Raw, intermediate.Certificate.Raw, root.Certificate.Raw},
		PrivateKey:  leaf.PrivateKey.(crypto.PrivateKey),
	}
)

func TestAuthEnrypt(t *testing.T) {

	cms, err := New(keyPair)
	if err != nil {
		t.Error(err)
	}

	plaintext := []byte("Hallo Welt!")

	ciphertext, err := cms.AuthEncrypt(plaintext, []*x509.Certificate{leaf.Certificate})
	if err != nil {
		t.Error(err)
	}

	plain, err := cms.AuthDecrypt(ciphertext)
	if err != nil {
		log.Fatal(err)
	}

	if !bytes.Equal(plaintext, plain) {
		t.Fatal("Encryption and decryption are not inverse")
	}
}

func TestEnryptDecrypt(t *testing.T) {

	cms, err := New(keyPair)
	if err != nil {
		t.Error(err)
	}

	plaintext := []byte("Hallo Welt!")

	ciphertext, err := cms.Encrypt(plaintext, []*x509.Certificate{leaf.Certificate})
	if err != nil {
		t.Error(err)
	}

	plain, err := cms.Decrypt(ciphertext)
	if err != nil {
		log.Fatal(err)
	}

	if !bytes.Equal(plaintext, plain) {
		t.Fatal("Encryption and decryption are not inverse")
	}
}

func TestSignVerify(t *testing.T) {
	cms, err := New(keyPair)
	if err != nil {
		t.Error(err)
	}

	cms.roots.AddCert(root.Certificate)

	msg := []byte("Hallo Welt!")

	der, err := cms.Sign(msg)
	if err != nil {
		t.Error(err)
	}

	_, err = cms.Verify(der)
	if err != nil {
		t.Error(err)
	}
}

func TestEncryptOpenSSL(t *testing.T) {
	message := []byte("Hallo Welt!")

	der, err := openssl.Encrypt(message, leaf.Certificate)
	if err != nil {
		t.Error(err)
	}

	cms, err := New(keyPair)
	plain, err := cms.Decrypt(der)
	if err != nil {
		t.Error(err)
	}

	if !bytes.Equal(message, plain) {
		t.Fatal("Encryption and decryption are not inverse")
	}
}

func TestDecryptOpenSSL(t *testing.T) {
	message := []byte("Hallo Welt!")

	cms, _ := New()
	ciphertext, err := cms.Encrypt(message, []*x509.Certificate{leaf.Certificate})
	if err != nil {
		t.Error(err)
	}

	plain, err := openssl.Decrypt(ciphertext, leaf.PrivateKey)
	if err != nil {
		t.Error(err)
	}

	if !bytes.Equal(message, plain) {
		t.Fatal("Encryption and decryption are not inverse")
	}
}

func TestSignOpenSSL(t *testing.T) {
	message := []byte("Hallo Welt")

	sig, err := openssl.SignDetached(message, leaf.Certificate, leaf.PrivateKey, intermediate.Certificate)
	if err != nil {
		t.Error(err)
	}

	cms, err := New()
	if err != nil {
		t.Error(err)
	}
	cms.roots.AddCert(root.Certificate)

	_, err = cms.Verify(sig)
	if err != nil {
		t.Error(err)
	}
}

func TestVerifyOpenSSL(t *testing.T) {
	cms, err := New(keyPair)
	if err != nil {
		t.Error(err)
	}

	cms.TimeStamp = true

	cms.roots.AddCert(root.Certificate)

	msg := []byte("Hallo Welt!")

	der, err := cms.Sign(msg)
	if err != nil {
		t.Error(err)
	}

	sig, err := openssl.Verify(der, root.Certificate)
	if err != nil {
		t.Error(err)
	}

	if !bytes.Equal(msg, sig) {
		t.Fatal("Signed message and message do not agree!")
	}
}