#include <chrono>
#include <iostream>
#include <optional>
#include <stdint.h>
#include <string>
#include <vector>

#include "json.hpp"

#include "expiring_signature.h"
#include "receiver.h"
#include "sender.h"
#include "signing_key.h"
#include "sodium_helpers.h"
#include "string_helpers.h"
#include "time_helpers.h"

using namespace std;
using nlohmann::json;
using namespace BareMinimumCrypto;

string get_passphrase_from_user () {
	// In prod this would NOT be hard-coded.
	return "Correct Horse Battery Staple";
}

int happy_path () {
	// We generate a root key and keep it somewhere safe
	// (offline, hopefully)
	
	// Passphrases are mandatory for root keys, and BMC also generates
	// a salt to maximize entropy.
	const auto passphrase = get_passphrase_from_user ();
	vector <uint8_t> seed;
	seed.resize (crypto_sign_SEEDBYTES);
	
	vector <uint8_t> salt;
	salt.resize (crypto_pwhash_SALTBYTES);
	randombytes_buf (salt.data (), salt.size ());
	
	if (crypto_pwhash (
		seed.data (), seed.size (), 
		passphrase.data (), passphrase.size (), 
		salt.data (),
		crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE,
		crypto_pwhash_ALG_DEFAULT
	) != 0) {
		return 1;
	}
	
	vector <uint8_t> pk;
	pk.resize (crypto_sign_PUBLICKEYBYTES);
	vector <uint8_t> sk;
	sk.resize (crypto_sign_SECRETKEYBYTES);
	
	if (crypto_sign_seed_keypair (pk.data (), sk.data (), seed.data ()) != 0) {
		return 1;
	}
	
	cerr << "Passphrased root pub key " << base64_encode (pk) << endl;
	
	SigningKey root_key;
	cerr << "Root pub key " << base64_encode (root_key.pubkey ()) << endl;
	
	if (test_time () != 0) {
		return 1;
	}
	
	const auto now = Instant::now ();
	
	// The sender generates a key
	SigningKey sender_key;
	cerr << "Sender key " << base64_encode (sender_key.pubkey ()) << endl;
	
	// The root signs the sender key
	const ExpiringSignature sender_cert = std::move (*root_key.sign_key (sender_key, now));
	
	const auto sender = std::move (*Sender::create (sender_key, sender_cert));
	
	// The sender signs some important data
	const auto important_data = copy_to_bytes ("Nikolai, Anna, Ivan, Mikhail, Ivan, Nikolai, Anna. 7 4 1 4 3 5 7 4");
	const auto signed_data = std::move (*sender.sign (important_data));
	
	// The receiver verifies the data by the root public key,
	// even though the receiver has never seen the sender-key.
	
	auto verified_opt = Receiver::verify_cert_and_data (root_key.pubkey (), signed_data);
	if (! verified_opt) {
		cerr << "Receiver couldn't verify cert and data" << endl;
		return 1;
	}
	const auto verified = std::move (*verified_opt);
	
	if (verified != important_data) {
		cerr << "Verified payload did not match expected payload" << endl;
		return 1;
	}
	
	return 0;
}

int main () {
	if (test_base64 () != 0) {
		return 1;
	}
	
	if (happy_path () != 0) {
		return 1;
	}
	
	cerr << "All good." << endl;
	return 0;
}