"""SSL context factory for I2P connections.

Creates ssl.SSLContext instances with appropriate settings for I2P use:
TLS 1.2+ minimum, optional hostname verification toggle.

Ported from net.i2p.util.I2PSSLSocketFactory.
"""

from __future__ import annotations

import ssl


def create_ssl_context(
    trust_store: str | None = None,
    verify_hostname: bool = True,
) -> ssl.SSLContext:
    """Create an SSL context for I2P use.

    Args:
        trust_store: Path to CA certificate file. If None, uses system CAs.
        verify_hostname: Whether to verify hostnames. Disable for .i2p.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if trust_store:
        ctx.load_verify_locations(trust_store)
    else:
        ctx.load_default_certs()

    if not verify_hostname:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    return ctx