#!/usr/bin/ruby

require 'net/http'
require 'json'
require 'base64'
require 'jwt'


def request_nonce( uri: )
  http = Net::HTTP.new( uri.hostname, 443 )
  http.use_ssl = true
  http.set_debug_output($stdout)
  res = http.head( uri.path )
  res['Replay-Nonce']
end

def request_newAccount( uri:, data: )
  http = Net::HTTP.new( uri.hostname, 443 )
  http.use_ssl = true
  http.set_debug_output($stdout)
  headers = { 'Content-Type': 'application/jose+json' }
  http.post( uri.path, data, headers )
end



ecdsa_key = OpenSSL::PKey::EC.generate('prime256v1')
params = optional_parameters = { kid: 'foobar', use: 'sig', alg: 'ES256' }
jwk_key = JWT::JWK.new( ecdsa_key, params )
puts "private jwk_key"
puts jwk_key.export( include_private: true )
puts "public jwk_key"
puts jwk_key.export


acme_directory_uri = URI('https://acme-staging-v02.api.letsencrypt.org/directory')
acme_directory_uri.freeze

acme_directory_json = Net::HTTP.get(acme_directory_uri)
acme_directory = JSON.parse(acme_directory_json)

newAccount_uri = URI( acme_directory['newAccount'] )
newNonce_uri = URI( acme_directory['newNonce'] )


nonce = request_nonce( :uri => newNonce_uri )
puts "nonce"
puts nonce


stub_account_for_new_account = {
  contact: [
    "mailto:sysadmin@henk.geekmail.org"
  ],
  termsOfServiceAgreed: true,
  onlyReturnExisting: true
}

stub_account_for_new_account_json = JSON.generate(stub_account_for_new_account)
puts "stub_account_for_new_account_json"
puts stub_account_for_new_account_json
# stub_account_for_new_account_base64 = Base64.urlsafe_encode64(stub_account_for_new_account_json, padding: false)


protected_request_header = {
  alg: 'ES256',
  nonce: nonce,
  url: newAccount_uri,
  jwk: jwk_key.export
}

protected_request_header_json = JSON.generate( protected_request_header )
puts "protected_request_header_json"
puts protected_request_header_json
# protected_request_header_base64 = Base64.urlsafe_encode64( protected_request_header_json, padding: false )


# newAccount_header_with_payload = JSON.generate( {
#   :protected => protected_request_header_base64,
#   :payload => stub_account_for_new_account_base64,
# }
                                              # )

# #signing_key requires jwt somewhat newer than in debian stable (2.5.0)
stub_account_for_new_account_signature = JWT.encode( stub_account_for_new_account_json, jwk_key.signing_key, 'ES256', protected_request_header )
puts "stub_account_for_new_account_signature"
puts stub_account_for_new_account_signature


# newAccount_request_body = {
#   :protected => protected_request_header_base64,
#   :payload => stub_account_for_new_account_base64,
#   :signature => stub_account_for_new_account_signature
# }


# newAccount_request_body_json = JSON.generate( newAccount_request_body )
# puts "newAccount_request_body_json"
# puts newAccount_request_body_json

# puts request_newAccount( :uri => newAccount_uri, :data => newAccount_request_body_json )
puts request_newAccount( :uri => newAccount_uri, :data => stub_account_for_new_account_signature )