#!/usr/bin/env python3
# ==========================================================================
#     _   _ _ ____            ____          _____
#    | | | (_)  _ \ ___ _ __ / ___|___  _ _|_   _| __ __ _  ___ ___ _ __
#    | |_| | | |_) / _ \ '__| |   / _ \| '_ \| || '__/ _` |/ __/ _ \ '__|
#    |  _  | |  __/  __/ |  | |__| (_) | | | | || | | (_| | (_|  __/ |
#    |_| |_|_|_|   \___|_|   \____\___/|_| |_|_||_|  \__,_|\___\___|_|
#
#       ---  High-Performance Connectivity Tracer (HiPerConTracer)  ---
#                 https://www.nntb.no/~dreibh/hipercontracer/
# ==========================================================================
#
# High-Performance Connectivity Tracer (HiPerConTracer)
# Copyright (C) 2015-2025 by Thomas Dreibholz
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Contact: dreibh@simula.no

import ipaddress
import netifaces
import socket
import sys

from CertificateHelper import *


# ###### Main program #######################################################

# ====== Handle command-line parameters =====================================
if len(sys.argv) < 3:
   sys.stderr.write('Usage: ' + sys.argv[0] + ' ssl_directory server [subjectAltName]\n')
   sys.exit(1)
mainDirectory = sys.argv[1]
serverName    = sys.argv[2]
if len(sys.argv) > 3:
   subjectAltName = sys.argv[3]
else:
   # ====== Prepare subjectAltName: current hostname+all addresses ==========
   subjectAltName = 'DNS:' + serverName

   # ------ Add FQDN of current hostname ------------------------------------
   fqdn = socket.getfqdn()
   if ((fqdn != serverName) and (fqdn != 'localhost')):
      subjectAltName = subjectAltName + ',DNS:' + fqdn

   # ------ Add all IP addresses --------------------------------------------
   interfaces = netifaces.interfaces()
   for family in [ netifaces.AF_INET, netifaces.AF_INET6 ]:
      localAddresses = set()
      for interface in interfaces:
         interfaceAddresses = netifaces.ifaddresses(interface).get(family)
         if interfaceAddresses:
            for interfaceAddress in interfaceAddresses:
               address = ipaddress.ip_address(interfaceAddress['addr'])
               if (not address.is_link_local) and (not address.is_loopback):
                  localAddresses.add(address)

      for localAddress in sorted(localAddresses):
         subjectAltName = subjectAltName + ',IP:' + str(localAddress)

print(subjectAltName)



# ====== Create CA hierarchy, if not existing ===============================

# ===========================================================================
# Hierarchy to be created:
# TestLevel1
#    - TestLevel2
#       - TestIntermediate
#          - TestLeaf
#             - Servers ...
#          - TestCA
#             - TestUserCA
#                - Users ...
#             - TestServerCA
#                - Servers ...
# ===========================================================================


# ====== Create Test CAs ====================================================
caKeyLength       = DefaultCAKeyLength
certKeyLength     = DefaultCertKeyLength
globalCRLFileName = "TestGlobal.crl"

# Create Test Root Level-1 CA certificate (self-signed):
TestLevel1 = CA(mainDirectory, 'TestLevel1',
                parentCA  = None,
                subject   = '/CN=Test Level-1 CA Certificate/C=NO/ST=Oslo/L=Oslo/O=Simula Research Laboratory',
                certType  = CRT_RootCA,
                keyLength = caKeyLength, globalCRLFileName = globalCRLFileName)

# Create Test Root Level-2 CA certificate (signed by Test Root Level-1):
TestLevel2 = CA(mainDirectory, 'TestLevel2',
                parentCA  = TestLevel1,
                subject   = '/CN=Test Level-2 CA Certificate/C=NO/ST=Oslo/L=Oslo/O=Simula Research Laboratory',
                certType  = CRT_IntermediateCA,
                keyLength = caKeyLength, globalCRLFileName = globalCRLFileName)

# Create Test Intermediate CA certificate (signed by Test Root Level-2):
TestIntermediate = CA(mainDirectory, 'TestIntermediate',
                      parentCA  = TestLevel2,
                      subject   = '/CN=*/C=NO/ST=Oslo/L=Oslo/O=Simula Metropolitan Centre for Digital Engineering',
                      certType  = CRT_IntermediateCA,
                      keyLength = caKeyLength, globalCRLFileName = globalCRLFileName)

# Create Test Leaf CA certificate (signed by Test Intermediate):
TestLeaf = CA(mainDirectory, 'TestLeaf',
              parentCA  = TestIntermediate,
              subject   = '/CN=*/C=NO/ST=Oslo/L=Oslo/O=Simula Metropolitan Centre for Digital Engineering/OU=SMIL Lab',
              certType  = CRT_LeafCA,
              keyLength = caKeyLength, globalCRLFileName = globalCRLFileName)


# ====== Create Test Servers ================================================
subject = '/C=NO/ST=Oslo/L=Oslo/O=Simula Metropolitan Centre for Digital Engineering/OU=SMIL Lab'
servers = {}
for server in [ serverName, 'revoked' ]:
   servers[server] = Certificate(mainDirectory, server, TestLeaf, subject, subjectAltName,
                                 keyLength = certKeyLength)
servers['revoked'].revoke()


# ====== Create Test Users ==================================================
users = {}
for user in [ 'root', 'maintainer', 'importer', 'researcher', 'revoked' ] :
   users[user] = Certificate(mainDirectory, user + '@' + serverName, TestLeaf, subject, '', CRT_User,
                             keyLength = certKeyLength)
users['revoked'].revoke()


# ====== Finally, force regeneration of the CRL to ensure it is up-to-date ==
TestLevel1.generateCRL()
