#!/usr/bin/python3
#
# Univention SSL
#  checks validity of the local SSL certificate
#
# SPDX-FileCopyrightText: 2006-2026 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

import datetime

from cryptography import x509

from univention.config_registry import ConfigRegistry


_CRYPT_HAS_UTC = hasattr(x509.Certificate, 'not_valid_after_utc')  # > Debian bookworm
_bc = ConfigRegistry()
_bc.load()


def get_validity_date(certFile):
    """returns the validity date fo the locale SSL certificate or None on failure"""
    try:
        with open(certFile, 'rb') as fd:
            cert = x509.load_pem_x509_certificate(fd.read())
        if _CRYPT_HAS_UTC:
            return cert.not_valid_after_utc
        return cert.not_valid_after.replace(tzinfo=datetime.UTC)
    except Exception:
        return None


def get_validity_days(certFile):
    """
    returns the validity of the local SSL certificate in days. If the
    validity could not be determined 0 is returned
    """
    after = get_validity_date(certFile)
    if after:
        return int(after.timestamp()) // 60 // 60 // 24

    return 0


if __name__ == '__main__':
    fqdn = '.'.join([_bc['hostname'], _bc['domainname']])
    caExpiry = False

    days = get_validity_days('/etc/univention/ssl/%s/cert.pem' % fqdn)
    days_ca = get_validity_days('/etc/univention/ssl/ucsCA/CAcert.pem')

    if days and days != _bc.get('ssl/validity/host', -1):
        _bc['ssl/validity/host'] = str(days)
        _bc.save()

    if days_ca and days_ca != _bc.get('ssl/validity/root', -1):
        _bc['ssl/validity/root'] = str(days_ca)
        _bc.save()
