AEngineHandler.php

<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Handler\CertificateEngine;

use OCA\Libresign\AppInfo\Application;
use OCA\Libresign\Exception\EmptyCertificateException;
use OCA\Libresign\Exception\InvalidPasswordException;
use OCA\Libresign\Exception\LibresignException;
use OCA\Libresign\Helper\ConfigureCheckHelper;
use OCA\Libresign\Helper\MagicGetterSetterTrait;
use OCA\Libresign\Service\CaIdentifierService;
use OCA\Libresign\Service\CertificatePolicyService;
use OCP\Files\AppData\IAppDataFactory;
use OCP\Files\IAppData;
use OCP\Files\SimpleFS\ISimpleFolder;
use OCP\IAppConfig;
use OCP\IConfig;
use OCP\IDateTimeFormatter;
use OCP\ITempManager;
use OCP\IURLGenerator;
use OpenSSLAsymmetricKey;
use OpenSSLCertificate;
use Psr\Log\LoggerInterface;
use ReflectionClass;

/**
 * @method IEngineHandler setPassword(string $password)
 * @method string getPassword()
 * @method IEngineHandler setCommonName(string $commonName)
 * @method string getCommonName()
 * @method IEngineHandler setHosts(array $hosts)
 * @method array getHosts()
 * @method IEngineHandler setFriendlyName(string $friendlyName)
 * @method string getFriendlyName()
 * @method IEngineHandler setCountry(string $country)
 * @method string getCountry()
 * @method IEngineHandler setState(string $state)
 * @method string getState()
 * @method IEngineHandler setLocality(string $locality)
 * @method string getLocality()
 * @method IEngineHandler setOrganization(string $organization)
 * @method string getOrganization()
 * @method IEngineHandler setOrganizationalUnit(array $organizationalUnit)
 * @method array getOrganizationalUnit()
 * @method IEngineHandler setUID(string $UID)
 * @method string getName()
 */
abstract class AEngineHandler implements IEngineHandler {
	use MagicGetterSetterTrait;
	use OrderCertificatesTrait;

	protected string $commonName = '';
	protected array $hosts = [];
	protected string $friendlyName = '';
	protected string $country = '';
	protected string $state = '';
	protected string $locality = '';
	protected string $organization = '';
	protected array $organizationalUnit = [];
	protected string $UID = '';
	private ?int $leafExpiryOverrideInDays = null;
	protected string $password = '';
	protected string $configPath = '';
	protected string $engine = '';
	protected string $certificate = '';
	protected string $currentCaId = '';
	protected IAppData $appData;

	public function __construct(
		protected IConfig $config,
		protected IAppConfig $appConfig,
		protected IAppDataFactory $appDataFactory,
		protected IDateTimeFormatter $dateTimeFormatter,
		protected ITempManager $tempManager,
		protected CertificatePolicyService $certificatePolicyService,
		protected IURLGenerator $urlGenerator,
		protected CaIdentifierService $caIdentifierService,
		protected LoggerInterface $logger,
	) {
		$this->appData = $appDataFactory->get('libresign');
	}

	protected function exportToPkcs12(
		OpenSSLCertificate|string $certificate,
		OpenSSLAsymmetricKey|OpenSSLCertificate|string $privateKey,
		array $options = [],
	): string {
		if (empty($certificate) || empty($privateKey)) {
			throw new EmptyCertificateException();
		}
		$certContent = null;
		try {
			openssl_pkcs12_export(
				$certificate,
				$certContent,
				$privateKey,
				$this->getPassword(),
				$options,
			);
			if (!$certContent) {
				throw new \Exception();
			}
		} catch (\Throwable) {
			throw new LibresignException('Error while creating certificate file', 500);
		}

		return $certContent;
	}

	#[\Override]
	public function updatePassword(string $certificate, string $currentPrivateKey, string $newPrivateKey): string {
		if (empty($certificate) || empty($currentPrivateKey) || empty($newPrivateKey)) {
			throw new EmptyCertificateException();
		}
		$certContent = $this->opensslPkcs12Read($certificate, $currentPrivateKey);
		$this->setPassword($newPrivateKey);
		$certContent = self::exportToPkcs12($certContent['cert'], $certContent['pkey']);
		return $certContent;
	}

	#[\Override]
	public function readCertificate(string $certificate, string $privateKey): array {
		if (empty($certificate) || empty($privateKey)) {
			throw new EmptyCertificateException();
		}
		$certContent = $this->opensslPkcs12Read($certificate, $privateKey);

		$return = $this->parseX509($certContent['cert']);
		if (isset($certContent['extracerts'])) {
			foreach ($certContent['extracerts'] as $extraCert) {
				$return['extracerts'][] = $this->parseX509($extraCert);
			}
			$return['extracerts'] = $this->orderCertificates($return['extracerts']);
		}
		return $return;
	}

	public function getCaId(): string {
		$caId = $this->caIdentifierService->getCaId();
		if (empty($caId)) {
			$this->appConfig->clearCache(true);
			$caId = $this->caIdentifierService->getCaId() ?: $this->caIdentifierService->generateCaId($this->getName());
		}
		return $caId;
	}

	#[\Override]
	public function parseCertificate(string $certificate): array {
		return $this->parseX509($certificate);
	}

	private function parseX509(string $x509): array {
		$parsed = openssl_x509_parse(openssl_x509_read($x509));

		$return = self::convertArrayToUtf8($parsed);

		foreach (['subject', 'issuer'] as $actor) {
			foreach ($return[$actor] as $part => $value) {
				if (is_string($value) && str_contains($value, ', ')) {
					$return[$actor][$part] = explode(', ', $value);
				} else {
					$return[$actor][$part] = $value;
				}
			}
		}

		$return['valid_from'] = $this->dateTimeFormatter->formatDateTime($parsed['validFrom_time_t']);
		$return['valid_to'] = $this->dateTimeFormatter->formatDateTime($parsed['validTo_time_t']);

		$this->addCrlValidationInfo($return, $x509);

		return $return;
	}

	private function addCrlValidationInfo(array &$certData, string $certPem): void {
		if (isset($certData['extensions']['crlDistributionPoints'])) {
			$crlDistributionPoints = $certData['extensions']['crlDistributionPoints'];

			preg_match_all('/URI:([^\s,\n]+)/', $crlDistributionPoints, $matches);
			$extractedUrls = $matches[1] ?? [];

			$certData['crl_urls'] = $extractedUrls;
			$crlDetails = $this->validateCrlFromUrlsWithDetails($extractedUrls, $certPem);
			$certData['crl_validation'] = $crlDetails['status'];
			if (!empty($crlDetails['revoked_at'])) {
				$certData['crl_revoked_at'] = $crlDetails['revoked_at'];
			}
		} else {
			$certData['crl_validation'] = 'missing';
			$certData['crl_urls'] = [];
		}
	}

	private static function convertArrayToUtf8($array) {
		foreach ($array as $key => $value) {
			if (is_array($value)) {
				$array[$key] = self::convertArrayToUtf8($value);
			} elseif (is_string($value)) {
				$array[$key] = mb_convert_encoding($value, 'UTF-8', 'UTF-8');
			}
		}
		return $array;
	}

	public function opensslPkcs12Read(string &$certificate, string $privateKey): array {
		openssl_pkcs12_read($certificate, $certContent, $privateKey);
		if (!empty($certContent)) {
			return $certContent;
		}
		/**
		 * Reference:
		 *
		 * https://github.com/php/php-src/issues/12128
		 * https://www.php.net/manual/en/function.openssl-pkcs12-read.php#128992
		 */
		$msg = openssl_error_string();
		if ($msg === 'error:0308010C:digital envelope routines::unsupported') {
			$tempPassword = $this->tempManager->getTemporaryFile();
			$tempEncriptedOriginal = $this->tempManager->getTemporaryFile();
			$tempEncriptedRepacked = $this->tempManager->getTemporaryFile();
			$tempDecrypted = $this->tempManager->getTemporaryFile();
			file_put_contents($tempPassword, $privateKey);
			file_put_contents($tempEncriptedOriginal, $certificate);
			shell_exec(<<<REPACK_COMMAND
				cat $tempPassword | openssl pkcs12 -legacy -in $tempEncriptedOriginal -nodes -out $tempDecrypted -passin stdin &&
				cat $tempPassword | openssl pkcs12 -in $tempDecrypted -export -out $tempEncriptedRepacked -passout stdin
				REPACK_COMMAND
			);
			$certificateRepacked = file_get_contents($tempEncriptedRepacked);
			openssl_pkcs12_read($certificateRepacked, $certContent, $privateKey);
			if (!empty($certContent)) {
				$certificate = $certificateRepacked;
				return $certContent;
			}
		}
		throw new InvalidPasswordException();
	}

	/**
	 * @param (int|string) $name
	 *
	 * @psalm-param array-key $name
	 */
	public function translateToLong($name): string {
		return match ($name) {
			'CN' => 'CommonName',
			'C' => 'Country',
			'ST' => 'State',
			'L' => 'Locality',
			'O' => 'Organization',
			'OU' => 'OrganizationalUnit',
			'UID' => 'UserIdentifier',
			default => '',
		};
	}

	#[\Override]
	public function setEngine(string $engine): void {
		$this->appConfig->setValueString(Application::APP_ID, 'certificate_engine', $engine);
		$this->engine = $engine;
		$this->configureIdentifyMethodsForEngine($engine);
	}

	/**
	 * Configure identification methods based on the certificate engine.
	 *
	 * When the engine is set to 'none', only the 'account' identification method
	 * is allowed. This is because:
	 * - The 'none' engine doesn't generate digital certificates
	 * - Without certificates, only basic password authentication is viable
	 * - The 'account' method ensures users authenticate with their Nextcloud credentials
	 *
	 * For other engines (openssl, cfssl, java), the identification methods remain
	 * unchanged to preserve existing configurations.
	 *
	 * @param string $engine The certificate engine name (i.e. 'none', 'openssl', 'cfssl')
	 */
	private function configureIdentifyMethodsForEngine(string $engine): void {
		if ($engine !== 'none') {
			return;
		}

		$config = [[
			'name' => 'account',
			'enabled' => true,
			'mandatory' => true,
		]];
		$this->appConfig->setValueArray(Application::APP_ID, 'identify_methods', $config);
	}

	#[\Override]
	public function getEngine(): string {
		if ($this->engine) {
			return $this->engine;
		}
		$this->engine = $this->appConfig->getValueString(Application::APP_ID, 'certificate_engine', 'openssl');
		return $this->engine;
	}

	#[\Override]
	public function populateInstance(array $rootCert): IEngineHandler {
		if (empty($rootCert)) {
			$rootCert = $this->appConfig->getValueArray(Application::APP_ID, 'rootCert');
		}
		if (!$rootCert) {
			return $this;
		}
		if (!empty($rootCert['names'])) {
			foreach ($rootCert['names'] as $id => $customName) {
				$longCustomName = $this->translateToLong($id);
				// Prevent to save a property that don't exists
				if (!property_exists($this, lcfirst($longCustomName))) {
					continue;
				}
				$this->{'set' . ucfirst($longCustomName)}($customName['value']);
			}
		}
		if (!$this->getCommonName()) {
			$this->setCommonName($rootCert['commonName']);
		}
		return $this;
	}

	#[\Override]
	public function getCurrentConfigPath(): string {
		if ($this->configPath) {
			return $this->configPath;
		}

		$customConfigPath = $this->appConfig->getValueString(Application::APP_ID, 'config_path');
		if ($customConfigPath && is_dir($customConfigPath)) {
			$this->configPath = $customConfigPath;
			return $this->configPath;
		}

		$this->configPath = $this->initializePkiConfigPath();
		if (!empty($this->configPath)) {
			$this->appConfig->setValueString(Application::APP_ID, 'config_path', $this->configPath);
		}
		return $this->configPath;
	}

	#[\Override]
	public function getConfigPathByParams(string $instanceId, int $generation): string {
		$engineName = $this->getName();

		$pkiDirName = $this->caIdentifierService->generatePkiDirectoryNameFromParams($instanceId, $generation, $engineName);
		$dataDir = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/');
		$systemInstanceId = $this->config->getSystemValue('instanceid');
		$pkiPath = $dataDir . '/appdata_' . $systemInstanceId . '/libresign/' . $pkiDirName;

		if (!is_dir($pkiPath)) {
			throw new \RuntimeException("Config path does not exist for instanceId: {$instanceId}, generation: {$generation}");
		}

		return $pkiPath;
	}

	private function initializePkiConfigPath(): string {
		$caId = $this->getCaId();
		if (empty($caId)) {
			return '';
		}
		$pkiDirName = $this->caIdentifierService->generatePkiDirectoryName($caId);
		$dataDir = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/');
		$systemInstanceId = $this->config->getSystemValue('instanceid');
		$pkiPath = $dataDir . '/appdata_' . $systemInstanceId . '/libresign/' . $pkiDirName;

		if (!is_dir($pkiPath)) {
			$this->createDirectoryWithCorrectOwnership($pkiPath);
		}

		return $pkiPath;
	}

	private function createDirectoryWithCorrectOwnership(string $path): void {
		$ownerInfo = $this->getFilesOwnerInfo();
		$fullCommand = 'mkdir -p ' . escapeshellarg($path);

		if (posix_getuid() !== $ownerInfo['uid']) {
			$fullCommand = 'runuser -u ' . $ownerInfo['name'] . ' -- ' . $fullCommand;
		}

		exec($fullCommand);
	}

	private function getFilesOwnerInfo(): array {
		$currentFile = realpath(__DIR__);
		$owner = fileowner($currentFile);
		if ($owner === false) {
			throw new \RuntimeException('Unable to get file information');
		}
		$ownerInfo = posix_getpwuid($owner);
		if ($ownerInfo === false) {
			throw new \RuntimeException('Unable to get file owner information');
		}

		return $ownerInfo;
	}

	/**
	 * @todo check a best solution to don't use reflection
	 */
	private function getInternalPathOfFolder(ISimpleFolder $node): string {
		$reflection = new \ReflectionClass($node);
		$reflectionProperty = $reflection->getProperty('folder');
		$folder = $reflectionProperty->getValue($node);
		$path = $folder->getInternalPath();
		return $path;
	}

	#[\Override]
	public function setConfigPath(string $configPath): IEngineHandler {
		if (!$configPath) {
			$this->appConfig->deleteKey(Application::APP_ID, 'config_path');
		} else {
			if (!is_dir($configPath)) {
				mkdir(
					directory: $configPath,
					recursive: true,
				);
			}
			$this->appConfig->setValueString(Application::APP_ID, 'config_path', $configPath);
		}
		$this->configPath = $configPath;
		return $this;
	}

	public function getName(): string {
		$reflect = new ReflectionClass($this);
		$className = $reflect->getShortName();
		$name = strtolower(substr($className, 0, -7));
		return $name;
	}

	protected function getNames(): array {
		$names = [
			'C' => $this->getCountry(),
			'ST' => $this->getState(),
			'L' => $this->getLocality(),
			'O' => $this->getOrganization(),
			'OU' => $this->getOrganizationalUnit(),
		];
		if ($uid = $this->getUID()) {
			$names['UID'] = $uid;
		}
		$names = array_filter($names, fn ($v) => !empty($v));
		return $names;
	}

	public function getUID(): string {
		return str_replace(' ', '+', $this->UID);
	}

	#[\Override]
	public function getLeafExpiryInDays(): int {
		if ($this->leafExpiryOverrideInDays !== null) {
			return $this->leafExpiryOverrideInDays;
		}
		$exp = $this->appConfig->getValueInt(Application::APP_ID, 'expiry_in_days', 365);
		return $exp > 0 ? $exp : 365;
	}

	#[\Override]
	public function setLeafExpiryOverrideInDays(?int $days): self {
		$this->leafExpiryOverrideInDays = ($days !== null && $days > 0) ? $days : null;
		return $this;
	}

	#[\Override]
	public function getCaExpiryInDays(): int {
		$exp = $this->appConfig->getValueInt(Application::APP_ID, 'ca_expiry_in_days', 3650); // 10 years
		return $exp > 0 ? $exp : 3650;
	}

	private function getCertificatePolicy(): array {
		$return = ['policySection' => []];
		$oid = $this->certificatePolicyService->getOid();
		$cps = $this->certificatePolicyService->getCps();
		if ($oid && $cps) {
			$return['policySection'][] = [
				'OID' => $oid,
				'CPS' => $cps,
			];
		}
		return $return;
	}

	abstract protected function getConfigureCheckResourceName(): string;

	abstract protected function getCertificateRegenerationTip(): string;

	abstract protected function getEngineSpecificChecks(): array;

	abstract protected function getSetupSuccessMessage(): string;

	abstract protected function getSetupErrorMessage(): string;

	abstract protected function getSetupErrorTip(): string;

	#[\Override]
	public function configureCheck(): array {
		$checks = $this->getEngineSpecificChecks();

		if (!$this->isSetupOk()) {
			return array_merge($checks, [
				(new ConfigureCheckHelper())
					->setErrorMessage($this->getSetupErrorMessage())
					->setResource($this->getConfigureCheckResourceName())
					->setTip($this->getSetupErrorTip())
			]);
		}

		$checks[] = (new ConfigureCheckHelper())
			->setSuccessMessage($this->getSetupSuccessMessage())
			->setResource($this->getConfigureCheckResourceName());

		$modernFeaturesCheck = $this->checkRootCertificateModernFeatures();
		if ($modernFeaturesCheck) {
			$checks[] = $modernFeaturesCheck;
		}

		$expiryCheck = $this->checkRootCertificateExpiry();
		if ($expiryCheck) {
			$checks[] = $expiryCheck;
		}

		return $checks;
	}

	protected function checkRootCertificateModernFeatures(): ?ConfigureCheckHelper {
		$configPath = $this->getCurrentConfigPath();
		$caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';

		try {
			$certContent = file_get_contents($caCertPath);
			if (!$certContent) {
				return (new ConfigureCheckHelper())
					->setErrorMessage('Failed to read root certificate file')
					->setResource($this->getConfigureCheckResourceName())
					->setTip('Check file permissions and disk space');
			}

			$x509Resource = openssl_x509_read($certContent);
			if (!$x509Resource) {
				return (new ConfigureCheckHelper())
					->setErrorMessage('Failed to parse root certificate')
					->setResource($this->getConfigureCheckResourceName())
					->setTip('Root certificate file may be corrupted or invalid');
			}

			$parsed = openssl_x509_parse($x509Resource);
			if (!$parsed) {
				return (new ConfigureCheckHelper())
					->setErrorMessage('Failed to extract root certificate information')
					->setResource($this->getConfigureCheckResourceName())
					->setTip('Root certificate may be in an unsupported format');
			}

			$criticalIssues = [];
			$minorIssues = [];

			if (isset($parsed['serialNumber'])) {
				$serialNumber = $parsed['serialNumber'];
				$serialDecimal = hexdec($serialNumber);
				if ($serialDecimal <= 1) {
					$minorIssues[] = 'Serial number is simple (zero or one)';
				}
			} else {
				$criticalIssues[] = 'Serial number is missing';
			}

			$missingExtensions = [];
			if (!isset($parsed['extensions']['subjectKeyIdentifier'])) {
				$missingExtensions[] = 'Subject Key Identifier (SKI)';
			}

			$isSelfSigned = (isset($parsed['issuer']) && isset($parsed['subject'])
							&& $parsed['issuer'] === $parsed['subject']);

			/**
			 * @todo workarround for missing AKI at certificates generated by CFSSL.
			 *
			 * CFSSL does not add Authority Key Identifier (AKI) to self-signed root certificates.
			 */
			if (!$isSelfSigned && !isset($parsed['extensions']['authorityKeyIdentifier'])) {
				$missingExtensions[] = 'Authority Key Identifier (AKI)';
			}

			if (!isset($parsed['extensions']['crlDistributionPoints'])) {
				$missingExtensions[] = 'CRL Distribution Points';
			}

			if (!empty($missingExtensions)) {
				$extensionsList = implode(', ', $missingExtensions);
				$minorIssues[] = "Missing modern extensions: {$extensionsList}";
			}

			$hasLibresignCaUuid = $this->validateLibresignCaUuidInCertificate($parsed);
			if (!$hasLibresignCaUuid) {
				$minorIssues[] = 'LibreSign CA UUID not found in Organizational Unit';
			}

			if (!empty($criticalIssues)) {
				$issuesList = implode(', ', $criticalIssues);
				return (new ConfigureCheckHelper())
					->setErrorMessage("Root certificate has critical issues: {$issuesList}")
					->setResource($this->getConfigureCheckResourceName())
					->setTip($this->getCertificateRegenerationTip());
			}

			if (!empty($minorIssues)) {
				$issuesList = implode(', ', $minorIssues);
				return (new ConfigureCheckHelper())
					->setInfoMessage("Root certificate could benefit from modern features: {$issuesList}")
					->setResource($this->getConfigureCheckResourceName())
					->setTip($this->getCertificateRegenerationTip() . ' (recommended but not required)');
			}

			return null;

		} catch (\Exception $e) {
			return (new ConfigureCheckHelper())
				->setErrorMessage('Failed to analyze root certificate: ' . $e->getMessage())
				->setResource($this->getConfigureCheckResourceName())
				->setTip('Check if the root certificate file is valid');
		}
	}

	private function validateLibresignCaUuidInCertificate(array $parsed): bool {
		if (!isset($parsed['subject']['OU'])) {
			return false;
		}

		$instanceId = $this->getLibreSignInstanceId();
		if (empty($instanceId)) {
			return false;
		}

		$organizationalUnits = $parsed['subject']['OU'];

		if (is_string($organizationalUnits)) {
			if (str_contains($organizationalUnits, ', ')) {
				$organizationalUnits = explode(', ', $organizationalUnits);
			} else {
				$organizationalUnits = [$organizationalUnits];
			}
		}

		foreach ($organizationalUnits as $ou) {
			$ou = trim($ou);
			if ($this->caIdentifierService->isValidCaId($ou, $instanceId)) {
				return true;
			}
		}

		return false;
	}

	private function getLibreSignInstanceId(): string {
		$instanceId = $this->appConfig->getValueString(Application::APP_ID, 'instance_id', '');
		if (strlen($instanceId) === 10) {
			return $instanceId;
		}
		return '';
	}

	private function calculateRemainingDays(int $validToTimestamp): int {
		$secondsPerDay = 60 * 60 * 24;
		$remainingSeconds = $validToTimestamp - time();
		return (int)ceil($remainingSeconds / $secondsPerDay);
	}

	protected function checkRootCertificateExpiry(): ?ConfigureCheckHelper {
		$configPath = $this->getCurrentConfigPath();
		$caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';

		if (!file_exists($caCertPath)) {
			return null;
		}

		$certContent = file_get_contents($caCertPath);
		if (!$certContent) {
			return null;
		}

		$x509Resource = openssl_x509_read($certContent);
		if (!$x509Resource) {
			return null;
		}

		$parsed = openssl_x509_parse($x509Resource);
		if (!$parsed) {
			return null;
		}

		$remainingDays = $this->calculateRemainingDays($parsed['validTo_time_t']);
		$leafExpiryDays = $this->getLeafExpiryInDays();

		if ($remainingDays < 0) {
			return (new ConfigureCheckHelper())
				->setErrorMessage('Root certificate has expired')
				->setResource($this->getConfigureCheckResourceName())
				->setTip($this->getCertificateRegenerationTip() . ' URGENT: Certificate is expired!');
		}

		if ($remainingDays <= 7) {
			return (new ConfigureCheckHelper())
				->setErrorMessage("Root certificate expires in {$remainingDays} days")
				->setResource($this->getConfigureCheckResourceName())
				->setTip($this->getCertificateRegenerationTip() . ' URGENT: Renew immediately!');
		}

		if ($remainingDays <= 30) {
			return (new ConfigureCheckHelper())
				->setErrorMessage("Root certificate expires in {$remainingDays} days")
				->setResource($this->getConfigureCheckResourceName())
				->setTip($this->getCertificateRegenerationTip() . ' Renewal recommended soon.');
		}

		if ($remainingDays <= $leafExpiryDays) {
			return (new ConfigureCheckHelper())
				->setInfoMessage("Root certificate expires in {$remainingDays} days (leaf validity: {$leafExpiryDays} days)")
				->setResource($this->getConfigureCheckResourceName())
				->setTip('Root certificate should be renewed to ensure it can sign CRLs for all issued leaf certificates.');
		}

		return null;
	}

	#[\Override]
	public function toArray(): array {
		$generated = $this->isSetupOk();
		$return = [
			'configPath' => $this->getConfigPathForApi($generated),
			'generated' => $generated,
			'rootCert' => [
				'commonName' => $this->getCommonName(),
				'names' => [],
			],
		];
		$return = array_merge(
			$return,
			$this->getCertificatePolicy(),
		);
		$names = $this->getNames();
		foreach ($names as $name => $value) {
			$return['rootCert']['names'][] = [
				'id' => $name,
				'value' => $this->filterNameValue($name, $value, $generated),
			];
		}
		return $return;
	}

	private function getConfigPathForApi(bool $generated): string {
		return $generated ? $this->getCurrentConfigPath() : '';
	}

	private function filterNameValue(string $name, mixed $value, bool $generated): mixed {
		if ($name === 'OU' && is_array($value)) {
			if (!$generated) {
				$value = $this->removeCaIdFromOrganizationalUnit($value);
			}
			return empty($value) ? null : implode(', ', $value);
		}
		return $value;
	}

	private function removeCaIdFromOrganizationalUnit(array $organizationalUnits): array {
		$filtered = array_filter(
			$organizationalUnits,
			fn ($item) => !str_starts_with($item, 'libresign-ca-id:')
		);
		return array_values($filtered);
	}

	protected function getCrlDistributionUrl(): string {
		$caIdParsed = $this->caIdentifierService->getCaIdParsed();
		return $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList', [
			'instanceId' => $caIdParsed['instanceId'],
			'generation' => $caIdParsed['generation'],
			'engineType' => $caIdParsed['engineType'],
		]);
	}

	private function validateCrlFromUrls(array $crlUrls, string $certPem): string {
		$details = $this->validateCrlFromUrlsWithDetails($crlUrls, $certPem);
		return $details['status'];
	}

	private function validateCrlFromUrlsWithDetails(array $crlUrls, string $certPem): array {
		if (empty($crlUrls)) {
			return ['status' => 'no_urls'];
		}

		$accessibleUrls = 0;
		foreach ($crlUrls as $crlUrl) {
			try {
				$validationResult = $this->downloadAndValidateCrlWithDetails($crlUrl, $certPem);
				if ($validationResult['status'] === 'valid') {
					return $validationResult;
				}
				if ($validationResult['status'] === 'revoked') {
					return $validationResult;
				}
				$accessibleUrls++;
			} catch (\Exception $e) {
				continue;
			}
		}

		if ($accessibleUrls === 0) {
			return ['status' => 'urls_inaccessible'];
		}

		return ['status' => 'validation_failed'];
	}

	private function downloadAndValidateCrl(string $crlUrl, string $certPem): string {
		try {
			if ($this->isLocalCrlUrl($crlUrl)) {
				$crlContent = $this->generateLocalCrl($crlUrl);
			} else {
				$crlContent = $this->downloadCrlContent($crlUrl);
			}

			if (!$crlContent) {
				throw new \Exception('Failed to get CRL content');
			}

			return $this->checkCertificateInCrl($certPem, $crlContent);

		} catch (\Exception $e) {
			return 'validation_error';
		}
	}

	private function downloadAndValidateCrlWithDetails(string $crlUrl, string $certPem): array {
		try {
			if ($this->isLocalCrlUrl($crlUrl)) {
				$crlContent = $this->generateLocalCrl($crlUrl);
			} else {
				$crlContent = $this->downloadCrlContent($crlUrl);
			}

			if (!$crlContent) {
				throw new \Exception('Failed to get CRL content');
			}

			return $this->checkCertificateInCrlWithDetails($certPem, $crlContent);

		} catch (\Exception $e) {
			return ['status' => 'validation_error'];
		}
	}

	private function isLocalCrlUrl(string $url): bool {
		$host = parse_url($url, PHP_URL_HOST);
		if (!$host) {
			return false;
		}

		$trustedDomains = $this->config->getSystemValue('trusted_domains', []);

		return in_array($host, $trustedDomains, true);
	}

	private function generateLocalCrl(string $crlUrl): ?string {
		try {
			$templateUrl = $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList', [
				'instanceId' => 'INSTANCEID',
				'generation' => 999999,
				'engineType' => 'ENGINETYPE',
			]);

			$patternUrl = str_replace('INSTANCEID', '([^/_]+)', $templateUrl);
			$patternUrl = str_replace('999999', '(\d+)', $patternUrl);
			$patternUrl = str_replace('ENGINETYPE', '([^/_]+)', $patternUrl);

			$escapedPattern = str_replace([':', '/', '.'], ['\:', '\/', '\.'], $patternUrl);

			$escapedPattern = str_replace('\/apps\/', '(?:\/index\.php)?\/apps\/', $escapedPattern);

			$pattern = '/^' . $escapedPattern . '$/';
			if (preg_match($pattern, $crlUrl, $matches)) {
				$instanceId = $matches[1];
				$generation = (int)$matches[2];
				$engineType = $matches[3];

				/** @var \OCA\Libresign\Service\Crl\CrlService */
				$crlService = \OC::$server->get(\OCA\Libresign\Service\Crl\CrlService::class);

				$crlData = $crlService->generateCrlDer($instanceId, $generation, $engineType);

				return $crlData;
			}

			$this->logger->debug('CRL URL does not match expected pattern', ['url' => $crlUrl, 'pattern' => $pattern]);
			return null;
		} catch (\Exception $e) {
			$this->logger->warning('Failed to generate local CRL: ' . $e->getMessage());
			return null;
		}
	}

	private function downloadCrlContent(string $url): ?string {
		if (!filter_var($url, FILTER_VALIDATE_URL) || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'])) {
			return null;
		}

		$context = stream_context_create([
			'http' => [
				'timeout' => 30,
				'user_agent' => 'LibreSign/1.0 CRL Validator',
				'follow_location' => 1,
				'max_redirects' => 3,
			]
		]);

		$content = @file_get_contents($url, false, $context);
		return $content !== false ? $content : null;
	}

	private function isSerialNumberInCrl(string $crlText, string $serialNumber): bool {
		$normalizedSerial = strtoupper($serialNumber);
		$normalizedSerial = ltrim($normalizedSerial, '0') ?: '0';

		return preg_match('/Serial Number: 0*' . preg_quote($normalizedSerial, '/') . '/', $crlText) === 1;
	}

	private function checkCertificateInCrl(string $certPem, string $crlContent): string {
		try {
			$certResource = openssl_x509_read($certPem);
			if (!$certResource) {
				return 'validation_error';
			}

			$certData = openssl_x509_parse($certResource);
			if (!isset($certData['serialNumber'])) {
				return 'validation_error';
			}

			return $this->checkCertificateInCrlWithDetails($certPem, $crlContent)['status'];

		} catch (\Exception $e) {
			return 'validation_error';
		}
	}

	private function checkCertificateInCrlWithDetails(string $certPem, string $crlContent): array {
		try {
			$certResource = openssl_x509_read($certPem);
			if (!$certResource) {
				return ['status' => 'validation_error'];
			}

			$certData = openssl_x509_parse($certResource);
			if (!isset($certData['serialNumber'])) {
				return ['status' => 'validation_error'];
			}

			$tempCrlFile = $this->tempManager->getTemporaryFile('.crl');
			file_put_contents($tempCrlFile, $crlContent);

			try {
				$crlTextCmd = sprintf(
					'openssl crl -in %s -inform DER -text -noout',
					escapeshellarg($tempCrlFile)
				);

				exec($crlTextCmd, $output, $exitCode);

				if ($exitCode !== 0) {
					return ['status' => 'validation_error'];
				}

				$crlText = implode("\n", $output);
				$serialCandidates = [$certData['serialNumber']];
				if (!empty($certData['serialNumberHex'])) {
					$serialCandidates[] = $certData['serialNumberHex'];
				}

				foreach ($serialCandidates as $serial) {
					if ($this->isSerialNumberInCrl($crlText, $serial)) {
						$revokedAt = $this->extractRevocationDateFromCrlText($crlText, $serialCandidates);
						return array_filter([
							'status' => 'revoked',
							'revoked_at' => $revokedAt,
						]);
					}
				}

				return ['status' => 'valid'];

			} finally {
				if (file_exists($tempCrlFile)) {
					unlink($tempCrlFile);
				}
			}

		} catch (\Exception $e) {
			return ['status' => 'validation_error'];
		}
	}

	private function extractRevocationDateFromCrlText(string $crlText, array $serialNumbers): ?string {
		foreach ($serialNumbers as $serial) {
			$normalizedSerial = strtoupper(ltrim((string)$serial, '0')) ?: '0';
			$pattern = '/Serial Number:\s*0*' . preg_quote($normalizedSerial, '/') . '\s*\R\s*Revocation Date:\s*([^\r\n]+)/i';
			if (preg_match($pattern, $crlText, $matches) !== 1) {
				continue;
			}
			$dateText = trim($matches[1]);
			try {
				$date = new \DateTimeImmutable($dateText, new \DateTimeZone('UTC'));
				return $date->setTimezone(new \DateTimeZone('UTC'))->format(\DateTimeInterface::ATOM);
			} catch (\Exception $e) {
				continue;
			}
		}
		return null;
	}

	#[\Override]
	public function generateCrlDer(array $revokedCertificates, string $instanceId, int $generation, int $crlNumber): string {
		$configPath = $this->getConfigPathByParams($instanceId, $generation);
		$issuer = $this->loadCaIssuer($configPath);
		$signedCrl = $this->createAndSignCrl($issuer, $revokedCertificates, $crlNumber);
		$crlDerData = $this->saveCrlToDer($signedCrl, $configPath);

		return $crlDerData;
	}

	private function loadCaIssuer(string $configPath): \phpseclib3\File\X509 {
		$caCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';
		$caKeyPath = $configPath . DIRECTORY_SEPARATOR . 'ca-key.pem';

		if (!file_exists($caCertPath) || !file_exists($caKeyPath)) {
			$this->logger->error('CA certificate or private key not found', ['caCertPath' => $caCertPath, 'caKeyPath' => $caKeyPath]);
			throw new \RuntimeException('CA certificate or private key not found. Run: occ libresign:configure:openssl');
		}

		$caCert = file_get_contents($caCertPath);
		$caKey = file_get_contents($caKeyPath);

		if (!$caCert || !$caKey) {
			$this->logger->error('Failed to read CA certificate or private key', ['caCertPath' => $caCertPath, 'caKeyPath' => $caKeyPath]);
			throw new \RuntimeException('Failed to read CA certificate or private key');
		}

		$issuer = new \phpseclib3\File\X509();
		$issuer->loadX509($caCert);
		$caPrivateKey = \phpseclib3\Crypt\PublicKeyLoader::load($caKey);

		if (!$caPrivateKey instanceof \phpseclib3\Crypt\Common\PrivateKey) {
			$this->logger->error('Loaded key is not a private key', ['keyType' => get_class($caPrivateKey)]);
			throw new \RuntimeException('Loaded key is not a private key');
		}

		$issuer->setPrivateKey($caPrivateKey);
		return $issuer;
	}

	private function createAndSignCrl(\phpseclib3\File\X509 $issuer, array $revokedCertificates, int $crlNumber): array {
		$utcZone = new \DateTimeZone('UTC');
		$crlToSign = new \phpseclib3\File\X509();
		$crlToSign->setSerialNumber((string)$crlNumber, 10);
		$crlToSign->setStartDate(new \DateTime('now', $utcZone));
		$crlToSign->setEndDate(new \DateTime('+7 days', $utcZone));

		$initialCrl = $crlToSign->signCRL($issuer, $crlToSign);
		if ($initialCrl === false) {
			$this->logger->error('Failed to create initial CRL structure');
			throw new \RuntimeException('Failed to create initial CRL structure');
		}

		if (!empty($revokedCertificates)) {
			$savedCrl = $crlToSign->saveCRL($initialCrl);
			if ($savedCrl === false) {
				$this->logger->error('Failed to save initial CRL structure');
				throw new \RuntimeException('Failed to save initial CRL structure');
			}

			$crlToSign->loadCRL($savedCrl);

			$dateFormat = 'D, d M Y H:i:s O';
			foreach ($revokedCertificates as $cert) {
				$serialNumber = $cert->getSerialNumber();
				$normalizedSerial = ltrim($serialNumber, '0') ?: '0';
				$crlToSign->revoke(
					new \phpseclib3\Math\BigInteger($normalizedSerial, 16),
					$cert->getRevokedAt()->format($dateFormat)
				);
			}

			$signedCrl = $crlToSign->signCRL($issuer, $crlToSign);
		} else {
			$signedCrl = $initialCrl;
		}

		if ($signedCrl === false) {
			$this->logger->error('Failed to sign CRL', ['crlNumber' => $crlNumber]);
			throw new \RuntimeException('Failed to sign CRL');
		}

		if (!isset($signedCrl['signatureAlgorithm'])) {
			$signedCrl['signatureAlgorithm'] = ['algorithm' => 'sha256WithRSAEncryption'];
		}

		return $signedCrl;
	}

	private function saveCrlToDer(array $signedCrl, string $configPath): string {
		$crlDerPath = $configPath . DIRECTORY_SEPARATOR . 'crl.der';
		$crlToSign = new \phpseclib3\File\X509();

		$crlDerData = $crlToSign->saveCRL($signedCrl, \phpseclib3\File\X509::FORMAT_DER);

		if ($crlDerData === false) {
			$this->logger->error('Failed to save CRL in DER format');
			throw new \RuntimeException('Failed to save CRL in DER format');
		}

		if (file_put_contents($crlDerPath, $crlDerData) === false) {
			$this->logger->error('Failed to write CRL DER file', ['path' => $crlDerPath]);
			throw new \RuntimeException('Failed to write CRL DER file');
		}

		return $crlDerData;
	}

	#[\Override]
	public function validateRootCertificate(): void {
		$configPath = $this->getCurrentConfigPath();
		if (empty($configPath)) {
			return;
		}

		if (!is_dir($configPath)) {
			return;
		}

		$rootCertPath = $configPath . DIRECTORY_SEPARATOR . 'ca.pem';

		if (!file_exists($rootCertPath)) {
			return;
		}

		$rootCert = file_get_contents($rootCertPath);
		if (empty($rootCert)) {
			return;
		}

		$certificate = openssl_x509_read($rootCert);
		if ($certificate === false) {
			throw new LibresignException('Invalid root certificate content');
		}
		$certInfo = openssl_x509_parse($certificate);
		if ($certInfo === false) {
			throw new LibresignException('Failed to parse root certificate');
		}

		if ($this->checkCertificateRevoked($certInfo['serialNumber'])) {
			$this->logger->error('Root certificate has been revoked', [
				'ca_id' => $this->getCaId(),
				'impact' => 'all_leaf_certificates_invalid',
			]);
			throw new LibresignException(
				'Root certificate has been revoked. Please contact the administrator to regenerate the signing certificate.',
				\OC\AppFramework\Http::STATUS_PRECONDITION_FAILED
			);
		}

		if ($certInfo['validTo_time_t'] < time()) {
			$this->logger->error('Root certificate has expired', [
				'ca_id' => $this->getCaId(),
			]);
			throw new LibresignException(
				'Root certificate has expired. Please contact the administrator to regenerate the signing certificate.',
				\OC\AppFramework\Http::STATUS_PRECONDITION_FAILED
			);
		}

		$remainingDays = $this->calculateRemainingDays($certInfo['validTo_time_t']);
		$leafExpiryDays = $this->getLeafExpiryInDays();

		if ($remainingDays <= $leafExpiryDays) {
			$this->logger->warning('Root certificate renewal needed', [
				'remaining_days' => $remainingDays,
				'leaf_expiry_days' => $leafExpiryDays,
			]);
		}
	}

	private function checkCertificateRevoked(string $serialNumber): bool {
		try {
			/** @var \OCA\Libresign\Service\Crl\CrlService */
			$crlService = \OC::$server->get(\OCA\Libresign\Service\Crl\CrlService::class);
			$status = $crlService->getCertificateStatus($serialNumber);
			return $status['status'] === 'revoked';
		} catch (\Exception $e) {
			$this->logger->warning('Failed to check root certificate revocation status', [
				'error' => $e->getMessage()
			]);
			return false;
		}
	}
}