#!/usr/bin/env bash
set -euo pipefail

if ! command -v docker >/dev/null 2>&1; then
    echo "[gost-validate] docker is required but not found on PATH" >&2
    exit 1
fi

ROOT_DIR="$(git rev-parse --show-toplevel)"
TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
LOG_ROOT="${OPENSSL_GOST_LOG_DIR:-${ROOT_DIR}/logs/openssl_gost_validation_${TIMESTAMP}}"
IMAGE="${OPENSSL_GOST_IMAGE:-rnix/openssl-gost:latest}"
MOUNT_PATH="${LOG_ROOT}"

UNAME_OUT="$(uname -s || true)"
case "${UNAME_OUT}" in
    MINGW*|MSYS*|CYGWIN*)
        if command -v wslpath >/dev/null 2>&1; then
            # Docker Desktop on Windows prefers Windows-style mount paths.
            MOUNT_PATH="$(wslpath -m "${LOG_ROOT}")"
        fi
        ;;
    *)
        MOUNT_PATH="${LOG_ROOT}"
        ;;
esac

mkdir -p "${LOG_ROOT}"

cat >"${LOG_ROOT}/message.txt" <<'EOF'
StellaOps OpenSSL GOST validation message (md_gost12_256)
EOF

echo "[gost-validate] Using image ${IMAGE}"
docker pull "${IMAGE}" >/dev/null

CONTAINER_SCRIPT_PATH="${LOG_ROOT}/container-script.sh"

cat > "${CONTAINER_SCRIPT_PATH}" <<'CONTAINER_SCRIPT'
set -eu

MESSAGE="/out/message.txt"

openssl version -a > /out/openssl-version.txt
openssl engine -c > /out/engine-list.txt

openssl genpkey -engine gost -algorithm gost2012_256 -pkeyopt paramset:A -out /tmp/gost.key.pem >/dev/null
openssl pkey -engine gost -in /tmp/gost.key.pem -pubout -out /out/gost.pub.pem >/dev/null

DIGEST_LINE="$(openssl dgst -engine gost -md_gost12_256 "${MESSAGE}")"
echo "${DIGEST_LINE}" > /out/digest.txt
DIGEST="$(printf "%s" "${DIGEST_LINE}" | awk -F'= ' '{print $2}')"

openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature1.bin "${MESSAGE}"
openssl dgst -engine gost -md_gost12_256 -sign /tmp/gost.key.pem -out /tmp/signature2.bin "${MESSAGE}"

openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature1.bin "${MESSAGE}" > /out/verify1.txt
openssl dgst -engine gost -md_gost12_256 -verify /out/gost.pub.pem -signature /tmp/signature2.bin "${MESSAGE}" > /out/verify2.txt

SIG1_SHA="$(sha256sum /tmp/signature1.bin | awk '{print $1}')"
SIG2_SHA="$(sha256sum /tmp/signature2.bin | awk '{print $1}')"
MSG_SHA="$(sha256sum "${MESSAGE}" | awk '{print $1}')"

cp /tmp/signature1.bin /out/signature1.bin
cp /tmp/signature2.bin /out/signature2.bin

DETERMINISTIC_BOOL=false
DETERMINISTIC_LABEL="no"
if [ "${SIG1_SHA}" = "${SIG2_SHA}" ]; then
  DETERMINISTIC_BOOL=true
  DETERMINISTIC_LABEL="yes"
fi

cat > /out/summary.txt <<SUMMARY
OpenSSL GOST validation (Linux engine)
Image: ${VALIDATION_IMAGE:-unknown}
Digest algorithm: md_gost12_256
Message SHA256: ${MSG_SHA}
Digest: ${DIGEST}
Signature1 SHA256: ${SIG1_SHA}
Signature2 SHA256: ${SIG2_SHA}
Signatures deterministic: ${DETERMINISTIC_LABEL}
SUMMARY

cat > /out/summary.json <<SUMMARYJSON
{
  "image": "${VALIDATION_IMAGE:-unknown}",
  "digest_algorithm": "md_gost12_256",
  "message_sha256": "${MSG_SHA}",
  "digest": "${DIGEST}",
  "signature1_sha256": "${SIG1_SHA}",
  "signature2_sha256": "${SIG2_SHA}",
  "signatures_deterministic": ${DETERMINISTIC_BOOL}
}
SUMMARYJSON

CONTAINER_SCRIPT

docker run --rm \
    -e VALIDATION_IMAGE="${IMAGE}" \
    -v "${MOUNT_PATH}:/out" \
    "${IMAGE}" /bin/sh "/out/$(basename "${CONTAINER_SCRIPT_PATH}")"

rm -f "${CONTAINER_SCRIPT_PATH}"

echo "[gost-validate] Artifacts written to ${LOG_ROOT}"
echo "[gost-validate] Summary:"
cat "${LOG_ROOT}/summary.txt"