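package certifer

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"

	"google.golang.org/grpc/credentials"
)

// baseTLSConfig builds the parts shared by the server and client credentials:
// a tls.Config carrying c's own certificate/key pair, and a pool holding c.CA.
// The pool is returned separately because the server installs it as ClientCAs
// while the client installs it as RootCAs.
//
// It fails when c has no CA, when the CA PEM cannot be added to the pool,
// when the private key cannot be rendered as PEM, or when the certificate and
// key do not form a valid pair.
func (c *Cert) baseTLSConfig() (*tls.Config, *x509.CertPool, error) {
	if c.CA == nil {
		return nil, nil, errors.New("security blob contains no CA")
	}
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(c.CA.CertAsPem()) {
		return nil, nil, errors.New("cannot add CA to pool")
	}
	// The KeyAsPem error used to be discarded, so a failed key export only
	// showed up later as a less specific parse error from X509KeyPair.
	tKeyPem, err := c.KeyAsPem()
	if err != nil {
		return nil, nil, fmt.Errorf("encoding private key as PEM: %w", err)
	}
	tCert, err := tls.X509KeyPair(c.CertAsPem(), tKeyPem)
	if err != nil {
		return nil, nil, fmt.Errorf("loading certificate/key pair: %w", err)
	}
	config := &tls.Config{
		Certificates: []tls.Certificate{tCert},
		// Refuse TLS 1.0/1.1 handshakes explicitly rather than relying on
		// whatever floor the gRPC credentials layer applies.
		MinVersion: tls.VersionTLS12,
	}
	return config, certPool, nil
}

// GrpcServerConfig returns gRPC transport credentials for a server that
// presents c's certificate and requires every peer to present a client
// certificate verifiable against c.CA (mutual TLS).
func (c *Cert) GrpcServerConfig() (credentials.TransportCredentials, error) {
	config, certPool, err := c.baseTLSConfig()
	if err != nil {
		return nil, err
	}
	config.ClientAuth = tls.RequireAndVerifyClientCert
	config.ClientCAs = certPool
	return credentials.NewTLS(config), nil
}

// GrpcClientConfig returns gRPC transport credentials for a client that
// presents c's certificate and only trusts servers whose chain verifies
// against c.CA; server verification is left enabled.
func (c *Cert) GrpcClientConfig() (credentials.TransportCredentials, error) {
	config, certPool, err := c.baseTLSConfig()
	if err != nil {
		return nil, err
	}
	config.RootCAs = certPool
	return credentials.NewTLS(config), nil
}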