#!/usr/bin/env python3
"""
Diia encodeData decryption using IIT EUSignCP Python library.
Called from PHP diia-handler.php when the euspe PHP extension is not available.

Usage:  python3 diia-decrypt.py <base64_encoded_encodeData>
Output: JSON to stdout — {"success": true, "data": {...}}
                    OR  {"success": false, "error": "..."}

Requires:
  - public/iit_modules/eusign.py
  - public/iit_modules/modules/64/_EUSignCP.so  (IIT Linux x86_64 .so)
  - IIT_PATH env var (optional, defaults to iit_modules/ next to this script)
"""

import sys
import os
import json
import base64

# ── IIT library paths ─────────────────────────────────────────────────────
_SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
IIT_PATH    = os.environ.get('IIT_PATH', os.path.join(_SCRIPT_DIR, 'iit_modules'))
IIT_MODULES = os.path.join(IIT_PATH, 'modules', '64')

sys.path.insert(0, IIT_MODULES)   # EUSignCP.py + _EUSignCP.so
sys.path.insert(0, IIT_PATH)      # eusign.py

# ── Argument ──────────────────────────────────────────────────────────────
if len(sys.argv) < 2:
    print(json.dumps({'success': False, 'error': 'No data argument provided'}))
    sys.exit(1)

encode_data_b64 = sys.argv[1]

# ── Base64 decode ─────────────────────────────────────────────────────────
try:
    raw_data = base64.b64decode(encode_data_b64)
except Exception as e:
    print(json.dumps({'success': False, 'error': f'Base64 decode failed: {e}'}))
    sys.exit(1)

# ── Check for plain JSON (test env may send unencrypted data) ─────────────
try:
    plain = json.loads(raw_data)
    print(json.dumps({'success': True, 'data': plain}))
    sys.exit(0)
except (json.JSONDecodeError, UnicodeDecodeError):
    pass

# ── Import IIT library ────────────────────────────────────────────────────
try:
    from eusign import EUSign
except ImportError as e:
    print(json.dumps({'success': False, 'error': f'Cannot import EUSign: {e}. Check LD_LIBRARY_PATH and IIT_PATH.'}))
    sys.exit(1)

# ── Paths ─────────────────────────────────────────────────────────────────
script_dir = os.path.dirname(os.path.abspath(__file__))
config_dir = os.path.join(script_dir, '..', 'config')

# Use project private key if exists, else fall back to IIT test Key-6.dat
pkey_file = os.environ.get('IIT_PKEY_FILE', '')
if not pkey_file or not os.path.exists(pkey_file):
    pkey_file = os.path.join(config_dir, 'diia_private_key.dat')
if not os.path.exists(pkey_file):
    pkey_file = os.path.join(IIT_PATH, 'pkey', 'Key-6.dat')

pkey_password = os.environ.get('IIT_PKEY_PASSWORD', '12345677')
pkey_issuer   = os.environ.get('IIT_PKEY_ISSUER', 'Тестовий ЦСК АТ "ІІТ"')

# CA settings — use IIT_PATH so paths work on any server
cas_file      = os.environ.get('IIT_CAS_FILE',      os.path.join(IIT_PATH, 'settings',     'CAs.Test.json'))
ca_certs_file = os.environ.get('IIT_CA_CERTS_FILE', os.path.join(IIT_PATH, 'certificates', 'CACertificates.Test.p7b'))

# ── Decrypt ───────────────────────────────────────────────────────────────
try:
    eu_sign = EUSign()
    eu_sign.initialize(
        cas_file, ca_certs_file,
        pkey_file, '', '', pkey_password,
        None, pkey_issuer
    )

    verified_data, _p_info, _p_sign_info = eu_sign.unprotect_data(None, 0, raw_data)
    result_bytes = verified_data[0]

    try:
        result = json.loads(result_bytes.decode('utf-8'))
        print(json.dumps({'success': True, 'data': result}))
    except Exception as e:
        preview = result_bytes[:300].decode('utf-8', errors='replace')
        print(json.dumps({'success': False, 'error': f'Decrypted data is not valid JSON: {preview}'}))

except Exception as e:
    print(json.dumps({'success': False, 'error': str(e)}))
    sys.exit(1)