#include <stdlib.h>
#include <stdio.h>
#include "asn1.h"
#include "str.h"
#include "textcode.h"

struct x509signature {
  struct string oid;	/* you are not expected to actually decode this */
  size_t oididx;	/* if this is (size_t)-1, then the parser did not know the OID.
			   Otherwise it's the index into oid2string.  oid2string[oididx].id
			   should be something like X509_ALG_SHA1RSA (see asn1.h) */
  struct string bitstring;	/* In this string, the length is in bits, not bytes! */
	/* If the length is not a multiple of 8, then the unused bits are missing in the last byte.
	 * The parser already validated that the last byte is padded with 0 bits */
};

struct x509cert {
  enum { v1=0, v1988=0, v2=1, v3=2, v1996=2 } version;
  size_t serial;
  struct x509signature algid;
  struct string issuer;		/* this is the raw asn.1 structure, a SET of "[{op}]" in scan_asn1generic terms */
  time_t notbefore, notafter;
  struct string subject;	/* this is the raw asn.1 structure, a SET of "[{op}]" in scan_asn1generic terms */
  struct x509signature sig;
};

void printasn1(const char* buf,const char* max);

static int findindn(struct string* dn,enum x509_oid id,struct string* dest) {
  size_t i;
  const char* c=dn->s;
  const char* max=dn->s+dn->l;
  for (;;) {
    struct string oid;
    size_t l=scan_asn1generic(c,max,"[{op}]",&oid,dest);
    if (l) {
      i=lookupoid(oid.s,oid.l);
      if (i!=(size_t)-1) {	// recognized the oid!
	if (oid2string[i].id==id)
	  return 1;
      }
      c+=l;
    } else break;
  }
  return 0;
}

size_t scan_certificate(const char* cert,size_t l, struct x509cert* C) {
  char* c=0,* x;
  /* if it's base64 encoded, decode first */
  if (l > 27+25+2 && str_start(cert,"-----BEGIN CERTIFICATE-----"))
certfound:
  {
    size_t cur,used;
    /* "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----" and newlines */
    c=malloc((l-27-25-2)/4*3);
    if (!c) return 0;
    x=c;
    for (cur=27; cur+26<l;) {
      size_t next;
      if (cert[cur]=='\r') ++cur;	/* skip line ending */
      if (cert[cur]=='\n') ++cur;
      next=scan_base64(cert+cur,x,&used);
      if (next==0) break;
      cur+=next;
      x+=used;
    }
    if (!str_start(cert+cur,"-----END CERTIFICATE-----")) {
      free(c);
      return 0;
    }
    cert=c;
    l=x-c;
  } else {
    /* Maybe it has text in front of the BEGIN CERTIFICATE line */
    size_t i,a=1;
    for (i=0; i+27+25+2<l; ++i) {
      if (cert[i]!='\n' && cert[i]!='\r' && (cert[i]<' ' || cert[i]>'~')) {
	a=0;
	break;
      }
      if (str_start(cert+i,"-----BEGIN CERTIFICATE-----")) {
	cert+=i;
	l-=i;
	goto certfound;
      }
    }
    if (a)	/* if we end up here, it was ascii but did not contain a certificate.  fail. */
      return 0;
  }
  /* if we end up here, we decoded some base64 data or we found some
   * binary data.  See if it looks like x.509 at all.  If it does, it
   * starts with a SEQUENCE_OF, which encodes as '0'. */
  if (*cert!='0') {
parseerror:
    free(c);
    return 0;
  }

  /* now for the heavy lifting */
  {
    unsigned long tagforversion;	// must be 0
    unsigned long version;
    struct string oidalg,algparams,pubkeyalg,extensions,oidsig,sigrest,sigdata;
    size_t i;
    if (scan_asn1generic(cert,cert+l,"{{ci]i{o!}{!}{uu}{!}{!}!}{o!}b}",
			 &tagforversion,
			 &version,
			 &C->serial,
			 &oidalg, &algparams,
			 &C->issuer,
			 &C->notbefore, &C->notafter,
			 &C->subject,
			 &pubkeyalg,
			 &extensions,
			 &oidsig, &sigrest, &sigdata)) {

      if (version==0)
	printf("X.509 certificate\n");
      else if (version==1)
	printf("X.509v2 certificate\n");
      else if (version==2)
	printf("X.509v3 certificate\n");
      else
	printf("unsupported version %ld (must be 0, 1 or 2)\n",version);

      printf("serial number %lu\n",C->serial);

      printf("issuer: ");
      {
	struct string s;
	if (findindn(&C->issuer,X509_ATTR_COUNTRY,&s))
	  printf("C=%.*s ",(int)s.l,s.s);
	if (findindn(&C->issuer,X509_ATTR_ORG,&s))
	  printf("O=%.*s ",(int)s.l,s.s);
	if (findindn(&C->issuer,X509_ATTR_COMMONNAME,&s))
	  printf("CN=%.*s ",(int)s.l,s.s);
      }
      printf("\n");

      {
	char a[100],b[100];
	a[fmt_httpdate(a,C->notbefore)]=0;
	b[fmt_httpdate(b,C->notafter)]=0;
	printf("valid not before %s and not after %s\n",a,b);
      }

      printf("subject: ");
      {
	struct string s;
	if (findindn(&C->issuer,X509_ATTR_COUNTRY,&s))
	  printf("C=%.*s ",(int)s.l,s.s);
	if (findindn(&C->issuer,X509_ATTR_ORG,&s))
	  printf("O=%.*s ",(int)s.l,s.s);
	if (findindn(&C->issuer,X509_ATTR_COMMONNAME,&s))
	  printf("CN=%.*s ",(int)s.l,s.s);
      }
      printf("\n");

      i=lookupoid(oidalg.s,oidalg.l);
      if (i!=(size_t)-1)
	printf("signature algorithm %s\n",oid2string[i].name);
      else {
	unsigned long temp[100];
	size_t len=100;
	if (scan_asn1rawoid(oidalg.s,oidalg.s+oidalg.l,temp,&len)) {
	  printf("Unknown signature algorithm (oid ");
	  for (i=0; i<len; ++i)
	    printf("%lu%s",temp[i],i+1<len?".":")\n");
	} else
	  printf("I don't know the algorithm and I can't parse/print the OID\n");
      }

      /* pubkeyalg is a SubjectPublicKeyInfo:
	 SubjectPublicKeyInfo ::=        SEQUENCE{
		 algorithm               AlgorithmIdentifier,
		 subjectPublicKey        BIT STRING}

	 AlgorithmIdentifier ::= SEQUENCE{
		 algorithm       OBJECT IDENTIFIER,
		 parameters      ANY DEFINED BY algorithm OPTIONAL}
       */

      {
	struct string pubkeyoid, pubkeyparams, bits;
	if (scan_asn1generic(pubkeyalg.s,pubkeyalg.s+pubkeyalg.l,"{o!}b",&pubkeyoid,&pubkeyparams,&bits)) {

	  i=lookupoid(pubkeyoid.s,pubkeyoid.l);
	  if (i!=(size_t)-1) {
	    printf("public key algorithm %s\n",oid2string[i].name);
	    if (oid2string[i].id==X509_ALG_RSA) {
	      size_t* modulus,* publicExponent;
	      size_t allocsize=bits.l/(8*sizeof(modulus[0]))+2;
	      modulus=malloc(allocsize);
	      publicExponent=malloc(allocsize);
	      if (!modulus || !publicExponent)
		printf("malloc for RSA bignums failed!\n");
	      else {
		if (scan_asn1generic(bits.s,bits.s+bits.l/8,"{II}",modulus,publicExponent)) {
		  if (publicExponent[0]==1)
		    printf("public exponent %lu\n",publicExponent[1]);
		  else
		    printf("public exponent is larger than a word?!\n");
		  printf("modulus: ");
		  for (i=1; i<=modulus[0]; ++i) {
		    size_t j,k;
		    for (j=0, k=modulus[i]; j<sizeof(modulus[0]); ++j) {
		      printf("%02lx:",(k>>((sizeof(modulus[0])*8)-(j+1)*8))&0xff);
		    }
		    if ((i-1)%4==3 || i==modulus[0]) printf("\n");
		  }
		} else
		  printf("bignum scanning failed!\n");
	      }
	      /* for RSA, bits is actually another sequence with two integers, modulus and publicExponent */
	      printf("pubkeyparams len %lu, bits len %lu\n",pubkeyparams.l,bits.l);
	    }
	  } else {
	    unsigned long temp[100];
	    size_t len=100;
	    if (scan_asn1rawoid(pubkeyoid.s,pubkeyoid.s+pubkeyoid.l,temp,&len)) {
	      printf("Unknown public key algorithm (oid ");
	      for (i=0; i<len; ++i)
		printf("%lu%s",temp[i],i+1<len?".":")\n");
	    } else
	      printf("I don't know the public key algorithm and I can't parse/print the OID\n");
	  }

	} else
	  printf("could not parse public key part!\n");
      }

    }
  }

//  printasn1(cert,cert+l);

}

#include "mmap.h"
#include <stdio.h>

#include "printasn1.c"

int main(int argc,char* argv[]) {
  char* buf;
  size_t l,n;
  struct x509cert c;

  buf=mmap_read(argc>1?argv[1]:"test.pem",&l);
  if (!buf) { puts("test.pem not found"); return 1; }

  n=scan_certificate(buf,l,&c);
}