#!/bin/bash
set -e

#######################################
# Build a certificate signing request under a faketime(1) clock.
# Reads <prefix>.cnf and <prefix>key.pem, writes <prefix>req.pem.
# Arguments: $1 - faketime spec (e.g. "1 week ago")
#            $2 - file-name prefix of the key/config/request
#            remaining args are passed through to `openssl req`
#            (e.g. -passin for an encrypted key)
# Returns:   exit status of the openssl invocation
#######################################
create_csr()
{
	local -r at="$1"
	local -r base="$2"
	shift 2
	faketime "$at" openssl req -new \
		-config "${base}.cnf" \
		-key "${base}key.pem" \
		-out "${base}req.pem" \
		"$@"
}

#######################################
# Create a self-signed CA certificate under a faketime(1) clock.
# Reads <prefix>caconf.cnf and <prefix>cakey.pem, writes <prefix>cacert.pem.
# Arguments: $1 - faketime spec (e.g. "1 month ago")
#            $2 - file-name prefix of the CA material
#            remaining args are passed through to `openssl req` (e.g. -days)
# Returns:   exit status of the openssl invocation
#######################################
create_ca_cert()
{
	local -r at="$1"
	local -r ca="$2"
	shift 2
	faketime "$at" openssl req -nodes -x509 \
		-config "${ca}caconf.cnf" \
		-key "${ca}cakey.pem" \
		-out "${ca}cacert.pem" \
		"$@"
}

#######################################
# Issue a certificate from a request with `openssl ca`, under a faketime(1)
# clock. Reads <ca>caconf.cnf and <name>req.pem, writes <name>cert.pem.
# -batch suppresses the interactive confirmation; -notext omits the
# human-readable dump from the output file.
# Arguments: $1 - faketime spec (e.g. "1 week ago")
#            $2 - file-name prefix of the request/certificate
#            $3 - file-name prefix of the issuing CA
#            remaining args are passed through to `openssl ca` (e.g. -days)
# Returns:   exit status of the openssl invocation
#######################################
sign_certificate()
{
	local -r at="$1"
	local -r leaf="$2"
	local -r issuer="$3"
	shift 3
	faketime "$at" openssl ca -batch \
		-config "${issuer}caconf.cnf" \
		-in "${leaf}req.pem" \
		-notext \
		-out "${leaf}cert.pem" \
		"$@"
}

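#######################################
# Revoke a certificate in the CA database and regenerate the CA's CRL,
# both under a faketime(1) clock. Reads <ca>caconf.cnf and <name>cert.pem,
# writes <ca>crl.pem.
# Arguments: $1 - faketime spec (e.g. "1 day ago")
#            $2 - file-name prefix of the certificate to revoke
#            $3 - file-name prefix of the issuing CA
#            remaining args are passed through to the revoke step
#            (e.g. -crl_reason); previously they were shifted away and
#            silently ignored, unlike the sibling helpers
# Returns:   exit status of the first failing openssl invocation under
#            set -e, else 0
#######################################
revoke_certificate()
{
	local -r at="$1"
	local -r leaf="$2"
	local -r issuer="$3"
	shift 3
	# Mark the certificate revoked in the CA's index.txt.
	faketime "$at" openssl ca -config "${issuer}caconf.cnf" -revoke "${leaf}cert.pem" "$@"
	# Publish the revocation: the CRL is only updated when regenerated.
	faketime "$at" openssl ca -config "${issuer}caconf.cnf" -gencrl -out "${issuer}crl.pem"
}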

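# Fixture inputs live in the source tree; everything generated lands in
# $destdir, which also becomes the `openssl ca` working directory below.
readonly sourcedir=test/certs
readonly transport_sourcedir=test/unittest/transport/certs
readonly destdir=debian/snakeoil-certs

# Fail fast in the current shell: a "( ...; exit 1 )" subshell only exits
# the subshell and relies on set -e to stop the script.
[[ -d "$sourcedir" ]] || { printf '%s\n' "source directory $sourcedir not found" >&2; exit 1; }
[[ -d "$transport_sourcedir" ]] || { printf '%s\n' "transport source directory $transport_sourcedir not found" >&2; exit 1; }
for tool in faketime openssl; do
	command -v "$tool" >/dev/null || { printf '%s\n' "required tool $tool not found in PATH" >&2; exit 1; }
done

# Fresh `openssl ca` database state for the main CA (serial, index.txt,
# crlnumber) and the secondary CA (*_sec variants); the *caconf.cnf files
# presumably point each CA at its own set — verify there if renaming.
mkdir -p "$destdir" "$destdir/certs" "$destdir/crl" "$destdir/certs_sec" "$destdir/crl_sec"
echo 'BAD00000' > "$destdir/serial"
echo 'BAD20000' > "$destdir/serial_sec"
touch "$destdir/index.txt" "$destdir/index_sec.txt"
# Reject a second certificate with an identical subject in the same CA.
echo "unique_subject = yes" > "$destdir/index.txt.attr"
echo "unique_subject = yes" > "$destdir/index_sec.txt.attr"
echo "00" > "$destdir/crlnumber"
echo "00" > "$destdir/crlnumber_sec"

# Stage CA/leaf configs, private keys and permission grants to sign.
cp -v "$sourcedir"/*.cnf "$sourcedir"/*key.pem "$sourcedir"/*.xml "$destdir"

# Transport CA: serial file for `openssl x509 -CAcreateserial` plus its inputs.
echo 'BAD30000' > "$destdir/ca.srl"
cp -v "$transport_sourcedir"/*.cnf "$transport_sourcedir"/*.key "$transport_sourcedir"/dh_params.pem "$destdir"

cd "$destdir" || exit 1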

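printf '%s\n' '[*] Generating CA certificates' >&2
# Two self-signed CAs, back-dated a month and valid 90 days, so the leaf
# certificates issued "1 week ago" fall inside the CA validity window.
create_ca_cert "1 month ago" main -days 90
sed -i -e 's/Main/Secondary/' seccaconf.cnf # Make CN unique
create_ca_cert "1 month ago" sec -days 90

# Leaf certificates issued by the main CA. The name prefix selects the
# fixture scenario: pwd* uses an encrypted key, expire* is issued with a
# 1-day lifetime a week in the past (already expired), revoke* ends up
# on the CRL.
for name in mainpub mainsub pwdpub expiredpub revokedpub
do
	printf '%s\n' "[*] Generating certificate $name" >&2
	csr_options=()
	if [[ "$name" =~ ^pwd ]]
	then
		# Fixed test-only passphrase; "pass:" puts it on argv, where it is
		# visible in the process list — acceptable for fixtures only.
		csr_options+=("-passin" "pass:testkey")
	fi
	create_csr "1 week ago" "$name" "${csr_options[@]}"
	valid_for=14
	if [[ "$name" =~ ^expire ]]
	then
		valid_for=1
	fi
	# Quoted (SC2086): keeps the value a single argument to openssl.
	sign_certificate "1 week ago" "$name" main -days "$valid_for"
	if [[ "$name" =~ ^revoke ]]
	then
		revoke_certificate "1 day ago" "$name" main
	fi
done
# CA certificate and its CRL concatenated into one PEM bundle.
cat maincacert.pem maincrl.pem > joinedcacertcrl.pem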

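# The grants carry a 2038 expiry; clamp it to 2037 so consumers with a
# 32-bit time_t do not overflow when parsing <not_after>.
sed -i -e 's/<not_after>2038/<not_after>2037/g' *.xml

# Sign each permission grant as S/MIME with the main CA certificate and key.
for xmlfile in *.xml
do
	# With no match the glob stays literal; skip rather than feed "*.xml"
	# to openssl.
	[[ -e "$xmlfile" ]] || continue
	smimefile="${xmlfile%.xml}.smime"
	openssl smime -sign -in "$xmlfile" -text -out "$smimefile" -signer maincacert.pem -inkey maincakey.pem
done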

# Transport CA: a self-signed root plus one leaf, issued with plain
# `openssl x509 -req` (serial from ca.srl) rather than the `openssl ca`
# database used above. The key passphrase is a fixed test-only value.
faketime "1 month ago" openssl req -nodes -x509 -config ca.cnf -key ca.key -days 90 -out ca.crt
faketime "1 week ago" openssl req -new -config fastdds.cnf -key fastdds.key -passin pass:fastddspwd -out fastdds.csr
faketime "1 week ago" openssl x509 -req -in fastdds.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 14 -out fastdds.crt

