/*
 *  Embedded Linux library
 *
 *  Copyright (C) 2018  Intel Corporation. All rights reserved.
 *
 *  This library is free software; you can redistribute it and/or
 *  modify it under the terms of the GNU Lesser General Public
 *  License as published by the Free Software Foundation; either
 *  version 2.1 of the License, or (at your option) any later version.
 *
 *  This library is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 *  Lesser General Public License for more details.
 *
 *  You should have received a copy of the GNU Lesser General Public
 *  License along with this library; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdio.h>
#include <errno.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

#include <ell/ell.h>
#include "ell/tls-private.h"

static int load_cert_chain(const char *file, struct l_certchain **certchain)
{
	int fd;
	struct stat st;
	char *data;
	int err;

	fd = open(file, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Could not open %s: %s\n",
						file, strerror(errno));
		return -errno;
	}

	if (fstat(fd, &st) < 0) {
		err = -errno;
		fprintf(stderr, "Could not stat %s: %s\n",
						file, strerror(errno));
		goto close_file;
	}

	if (st.st_size == 0) {
		err = -EINVAL;
		fprintf(stderr, "Certificate file %s is empty!\n", file);
		goto close_file;
	}

	data = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
	if (data == MAP_FAILED) {
		err = -errno;
		fprintf(stderr, "Could not mmap %s: %s\n",
						file, strerror(errno));
		goto close_file;
	}

	err = tls_parse_certificate_list(data, st.st_size, certchain);
	if (err < 0)
		fprintf(stderr, "Could not parse certificate list: %s\n",
						strerror(-err));

	munmap(data, st.st_size);

close_file:
	close(fd);
	return err;
}

static void usage(const char *bin)
{
	printf("%s - TLS certificate chain verification utility\n\n", bin);

	printf("Usage: %s [options] <ca_cert file> <raw certificates file>\n"
		"  <ca_cert file> - local CA Certificate to validate against\n"
		"  <raw certificates file> - Certificates obtained from PCAP\n"
		"  --help\n\n", bin);
}

int main(int argc, char *argv[])
{
	int status = EXIT_FAILURE;
	struct l_certchain *certchain;
	struct l_queue *ca_certs;
	int err;
	const char *error_str;

	if (argc != 3) {
		usage(argv[0]);
		return -1;
	}

	l_log_set_stderr();

	err = load_cert_chain(argv[2], &certchain);
	if (err < 0)
		goto done;

	if (!certchain) {
		status = EXIT_SUCCESS;
		fprintf(stdout, "Certchain is empty, nothing to do\n");
		goto done;
	}

	ca_certs = l_pem_load_certificate_list(argv[1]);
	if (!ca_certs) {
		fprintf(stderr, "Unable to load CA certifiates\n");
		goto free_certchain;
	}

	if (!l_certchain_verify(certchain, ca_certs, &error_str)) {
		fprintf(stderr, "Verification failed: %s\n", error_str);
		goto free_cacert;
	}

	fprintf(stdout, "Verification succeeded\n");
	status = EXIT_SUCCESS;

free_cacert:
	l_queue_destroy(ca_certs, (l_queue_destroy_func_t) l_cert_free);
free_certchain:
	l_certchain_free(certchain);
done:
	return status;
}