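#!/usr/bin/env python3
"""
Script to generate test certificates for VeriFactu API testing.
Each certificate has a DIFFERENT password for testing purposes.

The certificates are self-signed and their passphrases are hard-coded in this
file, so the generated .p12 files are test fixtures only and carry no trust:
do not reuse the keys or passphrases as real signing or client credentials.
"""
import datetime
import json
import os

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Fixture name -> PKCS#12 passphrase. Deliberately distinct per certificate so
# a test that opens a file with the wrong passphrase fails.
PASSWORDS = {
    "valid_365days": "password365",
    "valid_60days": "password60",
    "expired": "password_expired",
    "expiring_soon": "password_expiring",
    "not_yet_valid": "password_future",
}

# Certificates are written to a "certs" directory next to this script.
base_dir = os.path.join(os.path.dirname(__file__), "certs")
os.makedirs(base_dir, exist_ok=True)


def generate_cert(output_path, password, days_offset, test_name):
    """Write a self-signed test certificate and its key as a PKCS#12 file.

    A fresh 2048-bit RSA key is generated on every call, so re-running the
    script replaces each fixture with a different key and serial number.

    Args:
        output_path: Destination of the .p12 file (overwritten if present).
        password: Passphrase protecting the PKCS#12 container.
        days_offset: Sequence whose first two items are day offsets relative
            to the current UTC time, giving notBefore and notAfter. Negative
            values lie in the past.
        test_name: Used as the certificate common name (subject and issuer)
            and as the PKCS#12 friendly name.

    Returns:
        The password that was passed in.
    """
    start_days = days_offset[0]
    end_days = days_offset[1]

    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend(),
    )

    # Self-signed: the same name is used as subject and issuer.
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, test_name),
    ])

    # Timezone-aware replacement for the deprecated datetime.utcnow().
    now = datetime.datetime.now(datetime.timezone.utc)
    not_valid_before = now + datetime.timedelta(days=start_days)
    not_valid_after = now + datetime.timedelta(days=end_days)

    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_valid_before)
        .not_valid_after(not_valid_after)
    )
    cert = builder.sign(private_key, hashes.SHA256(), default_backend())

    # NOTE(review): BestAvailableEncryption leaves the concrete PKCS#12
    # encryption scheme to the installed cryptography library, so it can
    # differ between environments. Check this first if a consumer of the
    # fixtures cannot open a file with the correct passphrase.
    p12_data = pkcs12.serialize_key_and_certificates(
        name=test_name.encode(),
        key=private_key,
        cert=cert,
        cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(
            password.encode()
        ),
    )

    # The file holds the private key and is created with the process's
    # default permissions.
    with open(output_path, "wb") as f:
        f.write(p12_data)

    # The passphrase is echoed on purpose: these are fixture credentials.
    print(f"[OK] Generated: {os.path.basename(output_path)}")
    print(f" Password: {password}")
    print(f" Days valid: {end_days - start_days}")
    return password


print("=" * 60)
print("Generating Certificates with UNIQUE passwords")
print("=" * 60)
print()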
# One row per fixture: (PASSWORDS key, also the file stem;
# (notBefore, notAfter) day offsets from now; certificate common name).
cert_specs = (
    ("valid_365days", (0, 365), "Valid 365 days"),
    ("valid_60days", (0, 60), "Valid 60 days"),
    ("expired", (-20, -5), "Expired"),
    ("expiring_soon", (0, 15), "Expiring Soon"),
    ("not_yet_valid", (30, 395), "Not Yet Valid"),
)
for stem, window, common_name in cert_specs:
    generate_cert(
        os.path.join(base_dir, stem + ".p12"),
        PASSWORDS[stem],
        window,
        common_name,
    )
    print()

rule = "=" * 60
print(rule)
print("Password Reference:")
print(rule)
for fixture, passphrase in PASSWORDS.items():
    print(f" {fixture}: {passphrase}")
print()

# NOTE(review): this path is relative to the current working directory, while
# the certificates go under base_dir, so the two can end up in different
# places. The file stores every fixture passphrase in plaintext.
with open("test_passwords.json", "w") as out:
    json.dump(PASSWORDS, out, indent=2)
print("Saved: test_passwords.json")