#!python3
# dlitz 2025-2026

import tempfile
import os

from cryptography import x509
from cryptography.hazmat.primitives.hashes import SHA256
from cryptography.hazmat.primitives.serialization import (
    BestAvailableEncryption,
    KeySerializationEncryption,
    PrivateFormat,
    load_pem_private_key,
    load_pem_public_key,
    pkcs12,
)

from .cert_util import split_certs
from .routeros_ssh import RouterOS_SSH
from .ssl_util import SSLUtil


class MTCertPusher:

    temporary_directory = "/dev/shm"

    def __init__(self, ssl_util: SSLUtil, ros_ssh: RouterOS_SSH):
        self.ssl_util = ssl_util
        self.ros = ros_ssh
        self.tempdir = tempfile.TemporaryDirectory(dir=self.temporary_directory)

    def __del__(self):
        self.close()

    def close(self):
        try:
            tempdir = self.tempdir
        except AttributeError:
            pass
        else:
            self.tempdir.cleanup()
            del self.tempdir

    def generate_random_pkcs12_passphrase(self):
        return os.urandom(64).hex()

    def install_key_and_certificates(
        self, key: str, cert: str, chain: str | None = None
    ):
        private_key_obj = load_pem_private_key(key.encode())
        cert_obj = x509.load_pem_x509_certificate(cert.encode())
        if cert_obj.public_key() != private_key_obj.public_key():
            raise ValueError("certificate does not match private key")

        passphrase = self.generate_random_pkcs12_passphrase()
        p12 = self.ssl_util.create_pkcs12_from_key_and_certificates(key=key, cert=cert, passphrase=passphrase)