package tlsutil

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"time"

	"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
)

// TLSConfig returns a *tls.Config and a flag indicating whether to use TLS.
// If cfg.TLSMode is "none", returns (nil, false, nil) for plain HTTP.
// If cfg.TLSMode is "selfsigned" or "provided", returns a TLS config and true.
func TLSConfig(cfg config.Config) (*tls.Config, bool, error) {
	if cfg.TLSMode == "none" {
		return nil, false, nil
	}

	var cert tls.Certificate
	var err error

	if cfg.TLSCert != "" && cfg.TLSKey != "" {
		cert, err = tls.LoadX509KeyPair(cfg.TLSCert, cfg.TLSKey)
	} else {
		cert, err = selfSigned()
	}
	if err != nil {
		return nil, false, err
	}

	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		// NIST SP 800-52 Rev. 2 conformant cipher allowlist for TLS 1.2.
		// (TLS 1.3 ciphers are not operator-selectable in Go's stdlib —
		// the runtime picks from a fixed set of AEAD suites; that's fine
		// because all of them meet the federal bar.) Order matters when
		// preferServerCipherSuites was respected by clients; modern Go
		// uses the runtime's own preference, but the explicit list still
		// drops every weak suite a client might offer.
		// AES-128-GCM is listed before AES-256-GCM because hardware
		// AES-NI makes the 128-bit suite measurably faster with no
		// security-margin compromise (NIST allows both).
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		// NIST SP 800-52 Rev. 2 § 3.3.2: X25519, P-256, P-384.
		// X25519 first — fastest modern curve, no known weaknesses;
		// the NIST P-curves follow for clients that don't support it.
		CurvePreferences: []tls.CurveID{
			tls.X25519,
			tls.CurveP256,
			tls.CurveP384,
		},
	}, true, nil
}

// selfSigned generates an in-memory ECDSA P-256 self-signed certificate
// valid for 10 years. The certificate is never written to disk.
func selfSigned() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}

	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}

	template := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:   "zddc-server",
			Organization: []string{"ZDDC"},
		},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback},
		DNSNames:              []string{"localhost"},
	}

	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}

	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return tls.Certificate{}, err
	}

	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: privDER})

	return tls.X509KeyPair(certPEM, keyPEM)
}