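package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"os"
	"time"
)

// File locations and the listen address. Paths are relative to the working
// directory, exactly as the server has always resolved them.
const (
	serverCertPath = "certs/server.pem"
	serverKeyPath  = "certs/server.key"
	clientCAPath   = "certs/root.pem"
	listenAddr     = ":8080"
)

// main serves "/" over TLS 1.3 on listenAddr and requires every client to
// present a certificate that verifies against the CA in clientCAPath.
// Setup failures are reported on stderr and end the process with exit
// status 1, so a supervisor can distinguish a failed start from a clean one
// (previously every failure path returned with status 0).
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", handle_default)

	tlsConf, err := buildTLSConfig()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	sv := &http.Server{
		Addr:      listenAddr,
		Handler:   mux,
		TLSConfig: tlsConf,
		// Bound every phase of a connection so a slow or idle peer cannot
		// hold a handler goroutine and a file descriptor indefinitely;
		// the server previously had no timeouts at all.
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       120 * time.Second,
	}

	fmt.Println("starting...")
	// Empty paths: the certificate comes from TLSConfig.Certificates.
	// Nothing here calls Shutdown, so ListenAndServeTLS only returns on
	// failure and its return value is always an error worth a non-zero exit.
	err = sv.ListenAndServeTLS("", "")
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}

// buildTLSConfig loads the server key pair and the client CA pool and
// returns a config that accepts only TLS 1.3 with mutual authentication.
// Each error names the step that failed (same wording as the original
// messages) and wraps the underlying cause where there is one.
func buildTLSConfig() (*tls.Config, error) {
	serverCert, err := tls.LoadX509KeyPair(serverCertPath, serverKeyPath)
	if err != nil {
		return nil, fmt.Errorf("cert load error: %w", err)
	}

	rootRaw, err := os.ReadFile(clientCAPath)
	if err != nil {
		return nil, fmt.Errorf("root cert read error: %w", err)
	}

	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootRaw) {
		// AppendCertsFromPEM reports false when no certificate could be
		// parsed from the file; there is no underlying error to wrap.
		return nil, errors.New("add pem not ok")
	}

	return &tls.Config{
		// TLS 1.3 only. Its cipher suites are fixed by the library, so no
		// CipherSuites list applies; PreferServerCipherSuites is a deprecated
		// no-op and is intentionally not set.
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{serverCert},
		// RequireAndVerifyClientCert both demands a client certificate and
		// checks it against ClientCAs; RequireAnyClientCert would accept a
		// certificate without verifying it.
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}, nil
}

// handle_default answers every request routed to "/" with a fixed greeting
// and an implicit 200 status. The request is not inspected.
func handle_default(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintln(w, "hello.")
}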