/***
   verify.c 

   to verify attribute credential to see if the issuer is valid,
   validity time is still within range and signature is valid
   if attrcert is supplied, it will do signature verification, if
   both attrcert and cert are of the same, then a self-signing
   signature verification is done implicitly
***/

#include "creddy_internal.h"

extern certificate_t *abac_attribute_cert_from_file(char *filename);

void verify_main(options_t *opts) {
    certificate_t *subject_cert = NULL;

    if (opts->cert == NULL)
        usage(opts);

    abac_id_t *issuer = abac_id_from_file(opts->cert);
    if (issuer == NULL)
        errx(1, "Can't load issuer cert from %s", opts->cert);
    certificate_t *cert = abac_id_cert(issuer); 

    if (opts->attrcert != NULL) {
        subject_cert = abac_attribute_cert_from_file(opts->attrcert);
        if(subject_cert == NULL)
           errx(1, "Can't load attribute cert from %s", opts->cert);
    }

    int good = 0;
    if(subject_cert == NULL ) {
        if (cert->get_validity(cert, NULL, NULL, NULL)) {
            puts("certificates valid");
            good=1;
        } else puts("certificate not valid now");
        } else {
/** XXX 5.0.1 
            if (subject_cert->issued_by(subject_cert, cert, NULL)) {
*/
            if (subject_cert->issued_by(subject_cert, cert)) {
                if (subject_cert->get_validity(subject_cert, NULL, NULL, NULL)) {
                    if (cert->get_validity(cert, NULL, NULL, NULL)) {
                        puts("signature good, certificates valid");
                        good = 1;
                    } else puts("signature good, issuer cert not valid now");
                } else puts("signature good, cert not valid now");
            } else puts("signature invalid");
    }

    if (subject_cert != NULL)
        DESTROY_IF(subject_cert);
    abac_id_free(issuer);

    exit(good ? 0 : 1);
}