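"""Report the validity window of the certificate stored in a PKCS#12 bundle.

Usage: <script> <pkcs12-path> <password>

Output (stdout) and exit status:
    VALID:<days> followed by a JSON line   exit 0
    EXPIRED                                exit 1
    NOT_YET_VALID                          exit 2
    ERROR:<message>                        exit 3

"VALID" only means the current time lies inside the certificate's
notBefore/notAfter window. The script does not build or verify the chain,
check revocation, or inspect key usage, so it must not be treated as a
trust decision.
"""
import sys
import datetime
import json

from cryptography import x509
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.hazmat.backends import default_backend

try:
    # Fail with an explicit message instead of a bare IndexError when the
    # caller omits an argument; the ERROR: prefix and exit code 3 are kept.
    if len(sys.argv) < 3:
        raise ValueError("usage: <script> <pkcs12-path> <password>")

    cert_path = sys.argv[1]
    # NOTE(review): the bundle password arrives on the command line, where
    # other local users can typically read it from the process listing, and
    # where it may end up in shell history or job logs. Prefer a channel that
    # is not world-readable (stdin, a protected file, a secret store) when the
    # calling side can be changed.
    password = sys.argv[2].encode()

    with open(cert_path, "rb") as f:
        p12_data = f.read()

    # The private key is decrypted as part of loading the bundle but is never
    # used or printed by this script.
    _private_key, cert, _additional_certs = pkcs12.load_key_and_certificates(
        p12_data, password, default_backend()
    )

    # A bundle may carry only a key or only CA certificates; in that case the
    # loader returns None for the certificate. Report that clearly rather than
    # surfacing an AttributeError about NoneType.
    if cert is None:
        raise ValueError("PKCS#12 bundle contains no certificate")

    now = datetime.datetime.now(datetime.timezone.utc)
    # The *_utc accessors already return timezone-aware values; replace()
    # keeps them pinned to UTC so the comparisons below are aware-vs-aware.
    not_after = cert.not_valid_after_utc.replace(tzinfo=datetime.timezone.utc)
    not_before = cert.not_valid_before_utc.replace(tzinfo=datetime.timezone.utc)

    if now > not_after:
        print("EXPIRED")
        sys.exit(1)

    if now < not_before:
        print("NOT_YET_VALID")
        sys.exit(2)

    # timedelta.days truncates: a certificate expiring in under 24 hours
    # reports 0 days remaining.
    days_until = (not_after - now).days

    result = {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "not_after": not_after.isoformat(),
        "days": days_until,
    }

    print("VALID:" + str(days_until))
    print(json.dumps(result))

except Exception as e:
    # sys.exit() raises SystemExit, which is not an Exception subclass, so the
    # EXPIRED / NOT_YET_VALID exits above are not intercepted here.
    print("ERROR:" + str(e))
    sys.exit(3)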