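use pki_types::CertificateDer;
use schannel::cert_context::ValidUses;
use schannel::cert_store::CertStore;

use super::CertificateResult;

/// Loads trust anchors from the current user's Windows "ROOT" certificate store.
///
/// A certificate is returned only if its permitted uses cover TLS server
/// authentication (see `usable_for_rustls`) and the platform reports it as
/// within its validity period at the time of the call. No other validation
/// (chain building, revocation, key strength) is performed here.
///
/// Failures are recorded on the returned `CertificateResult` through
/// `os_error` rather than panicking:
/// - if the store cannot be opened, the result carries that error and no
///   certificates;
/// - if a certificate's permitted uses or validity cannot be queried, that
///   certificate is skipped (fail closed: it is not trusted) and the error is
///   recorded, while the remaining certificates are still processed.
pub fn load_native_certs() -> CertificateResult {
    let mut result = CertificateResult::default();

    let current_user_store = match CertStore::open_current_user("ROOT") {
        Ok(store) => store,
        Err(err) => {
            result.os_error(err.into(), "failed to open current user certificate store");
            return result;
        }
    };

    for cert in current_user_store.certs() {
        // A certificate whose usage restrictions cannot be read must not be
        // treated as a trust anchor; skip it instead of aborting the process.
        let uses = match cert.valid_uses() {
            Ok(uses) => uses,
            Err(err) => {
                result.os_error(err.into(), "failed to read certificate valid uses");
                continue;
            }
        };

        if !usable_for_rustls(uses) {
            continue;
        }

        match cert.is_time_valid() {
            Ok(true) => {
                result
                    .certs
                    .push(CertificateDer::from(cert.to_der().to_vec()));
            }
            // Expired or not-yet-valid roots are dropped silently, as before.
            Ok(false) => {}
            Err(err) => {
                result.os_error(err.into(), "failed to check certificate validity period");
            }
        }
    }

    result
}

/// Returns `true` when `uses` permits the certificate to anchor TLS server
/// authentication: either it is valid for all uses, or its list of usage
/// OIDs contains `PKIX_SERVER_AUTH`.
fn usable_for_rustls(uses: ValidUses) -> bool {
    match uses {
        ValidUses::All => true,
        ValidUses::Oids(oids) => oids.iter().any(|oid| oid == PKIX_SERVER_AUTH),
    }
}

/// Dotted-decimal OID of the PKIX extended key usage id-kp-serverAuth.
static PKIX_SERVER_AUTH: &str = "1.3.6.1.5.5.7.3.1";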