require 'puppet/ssl/openssl_loader'

##
# SSL is a private module with class methods that help work with x.509
# subjects and errors.
#
# @api private
module Puppet::Util::SSL

  @@dn_parsers = nil
  @@no_name = nil

  # Given a DN string, parse it into an OpenSSL certificate subject.  This
  # method will flexibly handle both OpenSSL and RFC2253 formats, as given by
  # nginx and Apache, respectively.
  #
  # @param [String] dn the x.509 Distinguished Name (DN) string.
  #
  # @return [OpenSSL::X509::Name] the certificate subject
  def self.subject_from_dn(dn)
    if is_possibly_valid_dn?(dn)
      parsers = @@dn_parsers ||= [
            OpenSSL::X509::Name.method(:parse_rfc2253),
            OpenSSL::X509::Name.method(:parse_openssl)
        ]
      parsers.each do |parser|
        begin
          return parser.call(dn)
        rescue OpenSSL::X509::NameError
        end
      end
    end

    @@no_name ||= OpenSSL::X509::Name.new
  end

  ##
  # cn_from_subject extracts the CN from the given OpenSSL certificate
  # subject.
  #
  # @api private
  #
  # @param [OpenSSL::X509::Name] subject the subject to extract the CN field from
  #
  # @return [String, nil] the CN, or nil if not found
  def self.cn_from_subject(subject)
    if subject.respond_to? :to_a
      (subject.to_a.assoc('CN') || [])[1]
    end
  end

  def self.is_possibly_valid_dn?(dn)
    dn =~ /=/
  end

  ##
  # Extract and format meaningful error messages from OpenSSL::OpenSSLErrors
  # and a Validator. Re-raises the error if unknown.
  #
  # @api private
  #
  # @param [OpenSSL::OpenSSLError] error An error thrown during creating a
  #   connection
  # @param [Puppet::SSL::DefaultValidator] verifier A Validator who may have
  #   invalidated the connection
  # @param [String] host The DNS name of the other end of the SSL connection
  #
  # @raises [Puppet::Error, OpenSSL::OpenSSLError]
  def self.handle_connection_error(error, verifier, host)
    # can be nil
    peer_cert = verifier.peer_certs.last

    if error.message.include? "certificate verify failed"
      msg = error.message
      msg << ": [" + verifier.verify_errors.join('; ') + "]"
      raise Puppet::Error, msg, error.backtrace
    elsif peer_cert && !OpenSSL::SSL.verify_certificate_identity(peer_cert, host)
      raise Puppet::SSL::CertMismatchError.new(peer_cert, host)
    else
      raise error
    end
  end
end