package tls

import (
	"bytes"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"

	CN "github.com/Dreamacro/clash/common/net"

	xtls "github.com/xtls/go"
)

var tlsCertificates = make([]tls.Certificate, 0)

var mutex sync.RWMutex
var errNotMacth error = errors.New("certificate fingerprints do not match")

func AddCertificate(privateKey, certificate string) error {
	mutex.Lock()
	defer mutex.Unlock()
	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
		return err
	} else {
		tlsCertificates = append(tlsCertificates, cert)
	}
	return nil
}

func GetCertificates() []tls.Certificate {
	mutex.RLock()
	defer mutex.RUnlock()
	return tlsCertificates
}

func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		// ssl pining
		for i := range rawCerts {
			rawCert := rawCerts[i]
			cert, err := x509.ParseCertificate(rawCert)
			if err == nil {
				hash := sha256.Sum256(cert.Raw)
				if bytes.Equal(fingerprint[:], hash[:]) {
					return nil
				}
			}
		}
		return errNotMacth
	}
}

func convertFingerprint(fingerprint string) (*[32]byte, error) {
	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
	fpByte, err := hex.DecodeString(fingerprint)
	if err != nil {
		return nil, err
	}

	if len(fpByte) != 32 {
		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
	}
	return (*[32]byte)(fpByte), nil
}

func GetDefaultTLSConfig() *tls.Config {
	return GetGlobalTLSConfig(nil)
}

// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		tlsConfig = GetGlobalTLSConfig(tlsConfig)
		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
		tlsConfig.InsecureSkipVerify = true
		return tlsConfig, nil
	}
}

func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
	if tlsConfig == nil {
		return &tls.Config{
			Certificates: tlsCertificates,
		}
	}
	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
	return tlsConfig
}

// GetSpecifiedFingerprintXTLSConfig specified fingerprint
func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
		return nil, err
	} else {
		tlsConfig=GetGlobalXTLSConfig(tlsConfig)
			tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
			tlsConfig.InsecureSkipVerify = true
			return tlsConfig, nil
	}
}

func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
	for _, cert := range tlsCertificates {
		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
		for _, ssa := range cert.SupportedSignatureAlgorithms {
			tlsSsa := xtls.SignatureScheme(ssa)
			tlsSsaList = append(tlsSsaList, tlsSsa)
		}
		xtlsCert := xtls.Certificate{
			Certificate:                  cert.Certificate,
			PrivateKey:                   cert.PrivateKey,
			OCSPStaple:                   cert.OCSPStaple,
			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
			Leaf:                         cert.Leaf,
			SupportedSignatureAlgorithms: tlsSsaList,
		}
		xtlsCerts = append(xtlsCerts, xtlsCert)
	}
	if tlsConfig == nil {
		return &xtls.Config{
			Certificates: xtlsCerts,
		}
	}

	tlsConfig.Certificates = xtlsCerts
	return tlsConfig
}