//go:build integration

package integration

import (
	"crypto/x509"
	"encoding/pem"
	"os"
	"testing"

	"github.com/eggsampler/acme/v3"

	"github.com/letsencrypt/boulder/test"
)

// TestFermat ensures that a certificate public key which can be factored using
// less than 100 rounds of Fermat's Algorithm is rejected.
func TestFermat(t *testing.T) {
	t.Parallel()

	// Create a client and complete an HTTP-01 challenge for a fake domain.
	c, err := makeClient()
	test.AssertNotError(t, err, "creating acme client")

	domain := random_domain()

	order, err := c.Client.NewOrder(
		c.Account, []acme.Identifier{{Type: "dns", Value: domain}})
	test.AssertNotError(t, err, "creating new order")
	test.AssertEquals(t, len(order.Authorizations), 1)

	authUrl := order.Authorizations[0]

	auth, err := c.Client.FetchAuthorization(c.Account, authUrl)
	test.AssertNotError(t, err, "fetching authorization")

	chal, ok := auth.ChallengeMap[acme.ChallengeTypeHTTP01]
	test.Assert(t, ok, "getting HTTP-01 challenge")

	_, err = testSrvClient.AddHTTP01Response(chal.Token, chal.KeyAuthorization)
	test.AssertNotError(t, err, "")
	defer func() {
		_, err = testSrvClient.RemoveHTTP01Response(chal.Token)
		test.AssertNotError(t, err, "")
	}()

	chal, err = c.Client.UpdateChallenge(c.Account, chal)
	test.AssertNotError(t, err, "updating HTTP-01 challenge")

	// Load the Fermat-weak CSR that we'll submit for finalize. This CSR was
	// generated using test/integration/testdata/fermat_csr.go, has prime factors
	// that differ by only 2^516 + 254, and can be factored in 42 rounds.
	csrPem, err := os.ReadFile("test/integration/testdata/fermat_csr.pem")
	test.AssertNotError(t, err, "reading CSR PEM from disk")

	csrDer, _ := pem.Decode(csrPem)
	if csrDer == nil {
		t.Fatal("failed to decode CSR PEM")
	}

	csr, err := x509.ParseCertificateRequest(csrDer.Bytes)
	test.AssertNotError(t, err, "parsing CSR")

	// Finalizing the order should fail as we reject the public key.
	_, err = c.Client.FinalizeOrder(c.Account, order, csr)
	test.AssertError(t, err, "finalizing order")
	test.AssertContains(t, err.Error(), "urn:ietf:params:acme:error:badCSR")
	test.AssertContains(t, err.Error(), "key generated with factors too close together")
}