#!/usr/bin/env python3

import argparse
import base64
import http.server
import json
import pathlib
import ssl
import subprocess
import urllib.parse

import lxml
import signxml

version = '2.2.13.38'
identifier = 'f8e5f470-bcff-4c50-8fd6-ccfa2fea12d6'

# XML templates for detached signatures
detached_digest = '''\
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>\
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>\
<ds:Reference URI="{reference}">\
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>\
<ds:DigestValue>{digest}</ds:DigestValue>\
</ds:Reference>\
</ds:SignedInfo>'''

detached_response = '''\
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\
<ds:SignedInfo>\
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>\
<ds:Reference URI="{reference}">\
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
<ds:DigestValue>{digest}</ds:DigestValue>\
</ds:Reference>\
</ds:SignedInfo>\
<ds:SignatureValue>{signature}</ds:SignatureValue>\
<ds:KeyInfo>\
<ds:X509Data><ds:X509Certificate>{certificate}</ds:X509Certificate></ds:X509Data>\
</ds:KeyInfo>\
</ds:Signature>'''

def sign(data, key, cert):
    if 'SIG_TYPE_DETACHED' in data['options']:
        # might be possible to use signxml for detached signatures also
        reference, digest = data['URIId'][0].split(',')
        signature = subprocess.run(
            ['openssl', 'dgst', '-sha1', '-sign', key], capture_output=True,
            input=detached_digest.format(reference=reference, digest=digest).encode()
        ).stdout
        return detached_response.format(
            reference=reference, digest=digest,
            signature=base64.b64encode(signature).decode(),
            certificate=open(cert).read() # strip header and footer
                .split('-----BEGIN CERTIFICATE-----', 1)[1]
                .split('-----END CERTIFICATE-----', 1)[0])
    else:
        original = lxml.etree.fromstring(data['bytes'][0].removeprefix('XML:').encode())
        signed = signxml.XMLSigner().sign(original, key=open(key).read(), cert=open(cert).read())
        return lxml.etree.tostring(signed, encoding='unicode')

class Handler(http.server.BaseHTTPRequestHandler):
    def reply(self, data):
        self.send_response(200)
        self.send_header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept')
        self.send_header('Access-Control-Allow-Methods', 'POST,GET,OPTIONS')
        self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Private-Network', 'true')
        self.end_headers()
        self.wfile.write(json.dumps(data).encode())

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        match url.path:
            case '/version':
                self.reply({'identifier': identifier, 'version': version})

    def do_POST(self):
        url = urllib.parse.urlparse(self.path)
        match url.path:
            case '/updateLicense':
                self.reply({'error': 1, 'errorMessage': 'OK'})
            case '/signXML':
                length = int(self.headers['content-length'])
                data = json.loads(self.rfile.read(length).decode())
                print(f'{self.headers.get("origin", "unknown")} wants to sign:\n{data}\nConfirm?', end=' ')
                if input() in ('y', 'yes'):
                    signed = sign(data, key=self.server.user_key, cert=self.server.user_cert)
                    self.reply({
                        'error': 1,
                        'errorMessage': '',
                        'filename': '',
                        'result': '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>' + signed,
                        'signatures': [],
                        'timestamps': []
                    })
                else:
                    self.reply({'error': -1, 'errorMessage': 'aborted'})

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Fake the proXSign® application.')
    parser.add_argument('-k', '--user-key', type=pathlib.Path, required=True, help='key file')
    parser.add_argument('-c', '--user-cert', type=pathlib.Path, required=True, help='certificate file')
    parser.add_argument('-K', '--app-key', type=pathlib.Path, required=True, help='app key file')
    parser.add_argument('-C', '--app-cert', type=pathlib.Path, required=True, help='app certificate file')
    parser.add_argument('-p', '--port', type=int, default=14972, help='port to listen on')
    args = parser.parse_args()

    tls_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tls_context.check_hostname = False
    tls_context.load_cert_chain(keyfile=args.app_key, certfile=args.app_cert)

    httpd = http.server.HTTPServer(('localhost', args.port), Handler)
    httpd.user_key = args.user_key
    httpd.user_cert = args.user_cert
    httpd.socket = tls_context.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()