<#
.SYNOPSIS
Use the Cloudflare API to check DKIM key lengths and alert on 1024-bit ones
#>
param(
    # Zone name exactly as it appears in the Cloudflare account (e.g. example.com).
    [Parameter(Mandatory = $true)]
    [string]$Domain,

    # Cloudflare API token. Only read access to zones and DNS records is exercised by this
    # script, so a read-only token is enough. Note that a value passed on the command line is
    # visible in shell history and process listings; sourcing it from an environment variable
    # at the call site avoids that.
    [Parameter(Mandatory = $true)]
    [string]$CloudflareApiToken
)
# Common headers for every Cloudflare call; the token is only ever sent in the Authorization header.
$headers = @{
    Authorization  = ('Bearer {0}' -f $CloudflareApiToken)
    'Content-Type' = 'application/json'
}
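# 1. Get Zone ID
# The zone name is URL-encoded before it is embedded in the query string so a value containing
# '&', '#' or '?' cannot add or alter query parameters. Cloudflare's "name" filter is an exact
# match, so the first (and only) result is the zone itself.
$zoneQuery = [uri]::EscapeDataString($Domain.Trim())
$zone = (Invoke-RestMethod "https://api.cloudflare.com/client/v4/zones?name=$zoneQuery" -Headers $headers -Method Get).result | Select-Object -First 1
if (-not $zone) { Write-Error "Domain not found in your Cloudflare account."; exit 1 }
$zoneId = $zone.id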
# 2. Get all DNS records (the list endpoint is paginated; keep fetching until the last page)
$allRecords = @()
$page = 0
$totalPages = 1
while ($page -lt $totalPages) {
    $page++
    $listUri = "https://api.cloudflare.com/client/v4/zones/$zoneId/dns_records?per_page=1000&page=$page"
    $resp = Invoke-RestMethod $listUri -Headers $headers -Method Get
    $allRecords += $resp.result
    # result_info.total_pages comes back with every page; a missing value ends the loop.
    $totalPages = $resp.result_info.total_pages
}
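# 3. Find DKIM records: "<selector>._domainkey.<domain>", published directly (TXT) or delegated (CNAME).
# The pattern requires a label in front of "._domainkey." so the bare "_domainkey.<domain>" name and
# unrelated names that merely contain the substring are not reported as keys. @(...) guarantees an
# array so .Count is well-defined whether zero, one or many records match.
$dkimRecords = @($allRecords |
    Where-Object { $_.name -like '*._domainkey.*' -and $_.type -in 'TXT', 'CNAME' } |
    Sort-Object name)
if ($dkimRecords.Count -eq 0) { Write-Host "No DKIM records found." -ForegroundColor Yellow; exit 0 }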
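# 4. Exact modulus bit length of an RSA DKIM key.
#    Takes the raw TXT content (quotes and whitespace tolerated) and returns the modulus length in
#    bits, or $null when the record holds no parseable RSA key: non-RSA "k=", empty/revoked "p=",
#    bad base64, or DER that is not an RSA SubjectPublicKeyInfo / RSAPublicKey.

# Decode one DER tag/length header at $pos. Returns an object with Tag, Length and Start (offset of
# the content), or $null when the header or its content would run past the end of the buffer.
function Read-DerTlv {
    param([byte[]]$b, [int]$pos)
    if ($pos + 2 -gt $b.Length) { return $null }
    $tag = [int]$b[$pos]
    $lenByte = [int]$b[$pos + 1]
    $p = $pos + 2
    if ($lenByte -lt 0x80) {
        $len = [long]$lenByte
    } else {
        # Long form: the low 7 bits give the number of length bytes that follow.
        $n = $lenByte - 0x80
        if ($n -lt 1 -or $n -gt 4 -or $p + $n -gt $b.Length) { return $null }
        $len = [long]0
        for ($j = 0; $j -lt $n; $j++) { $len = ($len -shl 8) + [int]$b[$p + $j] }
        $p += $n
    }
    if ($p + $len -gt $b.Length) { return $null }
    return [pscustomobject]@{ Tag = $tag; Length = [int]$len; Start = $p }
}

function Get-ExactDKIMBits {
    param([string]$txt)
    # Cloudflare hands back TXT content as one or more quoted strings, and long DKIM records are
    # routinely split across strings, so quotes and whitespace are stripped before tag parsing.
    $txt = $txt -replace '"', '' -replace '\s+', ''
    if (-not $txt) { return $null }
    # Only RSA keys carry DER; an ed25519 "p=" is a raw 32-byte key and must not be walked as ASN.1.
    if ($txt -match '(^|;)k=([^;]+)' -and $matches[2] -ne 'rsa') { return $null }
    if ($txt -notmatch '(^|;)p=([A-Za-z0-9+/=]+)') { return $null }
    try {
        $bytes = [Convert]::FromBase64String($matches[2])
    } catch {
        return $null   # not base64: nothing to measure
    }
    # Walk the structure instead of scanning for the first 0x02 byte: a linear scan mistakes a
    # length byte for the INTEGER tag (e.g. the 0x02 in the outer "30 82 02 22" header of a
    # 4096-bit SubjectPublicKeyInfo) and reports a meaningless size.
    #   SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    #   RSAPublicKey         ::= SEQUENCE { INTEGER modulus, INTEGER publicExponent }
    $rsaEncryptionOid = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01)
    $outer = Read-DerTlv $bytes 0
    if (-not $outer -or $outer.Tag -ne 0x30) { return $null }
    $first = Read-DerTlv $bytes $outer.Start
    if (-not $first) { return $null }
    if ($first.Tag -eq 0x30) {
        # SPKI form: confirm the algorithm really is rsaEncryption, then step into the BIT STRING.
        if ($first.Length -lt $rsaEncryptionOid.Length) { return $null }
        for ($k = 0; $k -lt $rsaEncryptionOid.Length; $k++) {
            if ($bytes[$first.Start + $k] -ne $rsaEncryptionOid[$k]) { return $null }
        }
        $bitString = Read-DerTlv $bytes ($first.Start + $first.Length)
        if (-not $bitString -or $bitString.Tag -ne 0x03 -or $bitString.Length -lt 1) { return $null }
        $rsaPub = Read-DerTlv $bytes ($bitString.Start + 1)   # +1 skips the unused-bits byte
        if (-not $rsaPub -or $rsaPub.Tag -ne 0x30) { return $null }
        $modulus = Read-DerTlv $bytes $rsaPub.Start
    } else {
        # Bare RSAPublicKey (published by some providers): the first child is already the modulus.
        $modulus = $first
    }
    if (-not $modulus -or $modulus.Tag -ne 0x02 -or $modulus.Length -lt 1) { return $null }
    $start = $modulus.Start
    $len = $modulus.Length
    if ($bytes[$start] -eq 0x00) { $start++; $len-- }   # DER sign byte, not part of the modulus
    if ($len -le 0) { return $null }
    # Exact width: whole bytes below the top byte plus the top byte's own bit count. Standard RSA
    # moduli have their top bit set, so this equals 8 * byte length for them.
    $top = [int]$bytes[$start]
    $topBits = 0
    while ($top -gt 0) { $topBits++; $top = $top -shr 1 }
    return ($len - 1) * 8 + $topBits
}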
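# 5. Process records
# Anything below 2048 bits is classed as weak. RFC 8301 makes 1024-bit the smallest key a
# verifier must accept and recommends 2048, so a 512- or 768-bit key must not land in the
# "secure" bucket just because it is not exactly 1024 bits.
$weak1024 = @()    # "<selector> (<bits>-bit)" entries for RSA moduli under 2048 bits (name kept for compatibility)
$strong = 0        # keys of 2048 bits or more
$skipped = 0       # records with no RSA key to measure: non-RSA key, empty/revoked p=, CNAME that did not resolve
foreach ($rec in $dkimRecords) {
    # "<selector>._domainkey.<domain>" -> last label before _domainkey (a dotted selector is shown by its last label)
    $selector = ($rec.name -split '\._domainkey')[0] -split '\.' | Select-Object -Last 1
    Write-Host "$($rec.name) (selector: $selector)" -ForegroundColor White
    if ($rec.type -eq 'TXT') {
        $txtValue = $rec.content
    } else {
        # Delegated DKIM: follow the CNAME to the provider's TXT. A public resolver is queried on
        # purpose so the key measured is the one external verifiers see, not an internal view.
        Write-Host " CNAME -> $($rec.content)" -ForegroundColor Cyan
        $txtValue = ''
        $answers = Resolve-DnsName $rec.content -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
        # The answer set carries the CNAME chain plus the TXT records. Each TXT record is joined on
        # its own and the first DKIM-looking one is used, so unrelated TXT records at the target
        # are not concatenated into the key material.
        foreach ($ans in @($answers | Where-Object { $_.Type -eq 'TXT' })) {
            $candidate = ($ans.Strings -join '')
            if ($candidate -match 'p=') { $txtValue = $candidate; break }
        }
    }
    # Non-RSA keys (e.g. k=ed25519) are not DER-encoded, so their length is not measured here.
    $normalized = $txtValue -replace '"', '' -replace '\s+', ''
    if ($normalized -match '(^|;)k=([^;]+)' -and $matches[2] -ne 'rsa') {
        Write-Host " Key type '$($matches[2])' is not RSA; length check skipped" -ForegroundColor Cyan
        $skipped++
    } else {
        $bits = Get-ExactDKIMBits $txtValue
        if ($bits) {
            if ($bits -lt 2048) {
                Write-Host " Key size: $bits-bit" -ForegroundColor Yellow
                $weak1024 += "$selector ($bits-bit)"
            } else {
                Write-Host " Key size: $bits-bit" -ForegroundColor Green
                $strong++
            }
        } else {
            Write-Host " No valid DKIM key found" -ForegroundColor Red
            $skipped++
        }
    }
    Write-Host ""
}
# 6. Final report
$rule = "=============================================="
Write-Host $rule -ForegroundColor Magenta
Write-Host "DKIM KEY REPORT - $Domain" -ForegroundColor Magenta
Write-Host $rule -ForegroundColor Magenta
Write-Host "Keys under 2048 bits (weak - upgrade required) : $($weak1024.Count)" -ForegroundColor Yellow
Write-Host "2048-bit+ keys (secure) : $strong" -ForegroundColor Green
if ($skipped -gt 0) { Write-Host "Records with no RSA key to measure : $skipped" -ForegroundColor Cyan }
Write-Host $rule -ForegroundColor Magenta
if ($weak1024.Count -gt 0) {
    Write-Host "`nWEAK selectors (under 2048 bits) that need upgrading:" -ForegroundColor Red
    $weak1024 | Sort-Object -Unique | ForEach-Object { Write-Host " - $_" -ForegroundColor Yellow }
    Write-Host "`nAction: Contact your email providers and request 2048-bit key rotation." -ForegroundColor Red
} elseif ($strong -gt 0) {
    Write-Host "`nPERFECT! All DKIM keys are 2048-bit or stronger." -ForegroundColor Green
} else {
    # Every record was skipped: nothing was measured, so no "all good" claim is made.
    Write-Host "`nNo RSA DKIM keys could be measured." -ForegroundColor Yellow
}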