#!/bin/sh

set -e

if [ -z "$4" ]; then
    echo "Usage: $0 <confdir> <fqdn> <email> <org>"
    echo
    echo "      confdir is ignored"
    echo "      fqdn    is the fully qualified name of the web server"
    echo "      email   address that will appear in the certificate"
    echo "      org     is the organization name"
    exit 2
fi


# Get/set all parameters.
#
CONFDIR="$1"
FQDN="$2"
WEBMASTER="$3"
DOMAIN="$4"

SSLDIR=/etc/ssl
SSLCRTDIR=${SSLDIR}/certs
SSLKEYDIR=${SSLDIR}/private
A2CNDIR=$(dirname $0)
KEYS=


# Create temporary files.
#
TMPFILE=`tempfile -d /var/tmp -p apache2-cn`
TMPFILE2=`tempfile -d /var/tmp -p apache2-cn`


# Set trap for deleting all temp files.
#
trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;


export RANDFILE=/dev/urandom
cd ${SSLDIR}


# Generate CA
#
if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then

    (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
    KEYS="${KEYS}
 - ${SSLKEYDIR}/apache2-ca.key"
fi

if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then

    cat <<EOF > $TMPFILE
[ req ]
default_bits           = 2048
default_keyfile        = apache2-ca.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no

[ req_distinguished_name ]
C                      = HR
O                      = $DOMAIN
CN                     = $FQDN CA
emailAddress           = $WEBMASTER

[ req_attributes ]

EOF

    openssl req -sha256 -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr
fi

if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then

    cat >$TMPFILE <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
basicConstraints = CA:true,pathlen:0
nsComment        = "CARNet apache2-cn package generated custom CA certificate"
nsCertType       = sslCA
EOT

    openssl x509 -sha256 -extfile $TMPFILE -days 3651 -signkey ${SSLKEYDIR}/apache2-ca.key \
	    -in ${SSLKEYDIR}/apache2-ca.csr -req -out ${SSLCRTDIR}/apache2-ca.pem

    KEYS="${KEYS}
 - ${SSLCRTDIR}/apache2-ca.pem"
fi

mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2-ca.pem`
mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2-ca.key`

if [ "$mod1" != "$mod2" ]; then
    echo "Moduli for CA keys don't match."
    exit 1
fi

cd ${SSLCRTDIR}
ln -sf apache2-ca.pem $(openssl x509 -sha256 -hash -noout -in apache2-ca.pem)


# Generate server certificate
#
(umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2.key 2048)

echo 01 > "$TMPFILE2"
sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
  <  $A2CNDIR/templates/openssl.cnf > "$TMPFILE"

openssl req -sha256 -config "$TMPFILE" -new -nodes \
	-key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr
openssl x509 -sha256 -extfile "$TMPFILE" -days 3650 \
	-CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \
	-in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem

mod1=`openssl x509 -sha256 -noout -modulus -in ${SSLCRTDIR}/apache2.pem`
mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key`

if [ "$mod1" != "$mod2" ]; then
    echo "Moduli for server keys don't match."
    exit 1
fi

KEYS="${KEYS}
 - ${SSLCRTDIR}/apache2.pem"
KEYS="${KEYS}
 - ${SSLKEYDIR}/apache2.key"

cd ${SSLCRTDIR}
ln -sf apache2.pem $(openssl x509 -sha256 -hash -noout -in apache2.pem)


# Fix file access permissions.
#
chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key


# Cleanup
#
rm -f $TMPFILE $TMPFILE2


echo "Successfully generated server key pairs:"
echo "$KEYS"
echo