#!/usr/bin/env bash
# $Id: mkpem,v 1.2 2007/01/11 05:47:05 friedman Exp $

# Commentary:

# Example config.dn:
#
#     C            = US
#     ST           = California
#     L            = San Francisco
#     O            = Nocturnal Aviation, Inc.
#     CN           = hostname.domainname
#     emailAddress = georgebush@whitehouse.gov

# Code:

# Return the next emacs-style backup file name for a given file on disk,
# based on the VERSION_CONTROL environment variable.
# `t' or `numbered' means make numeric backup versions unconditionally.
# `nil' or `existing' means make them for files that have some already.
# `never' or `simple' means do not make them.
make_backup_file_name()
{
  local name=$1
  shift

  case $VERSION_CONTROL in
    never | simple ) result=$name~ ;;
    * )
      highest=$(for f in "$name".~*~ ; do echo "$f"; done \
                | sed -ne 's/~$//' -e 's/.*\.~//' -e p \
                | sort -nr \
                | head -1)
      case $highest in
        '*' | '' ) highest=0 ;;
      esac
      case $VERSION_CONTROL in
        nil | existing )
          case $highest in
            0 ) result=$name~ ;;
          esac ;;
        t | numbered | * )
          next=$(( $highest + 1 ))
          result=$name.~$next~ ;;
      esac ;;
  esac

  echo "$result"
}

mkpem()
{
  local config=$1
  local pem=$2
  shift; shift

  if [[ -f $pem ]]; then
    bck=$(make_backup_file_name "$pem")
    echo "Moving existing $pem -> $bck"
    echo
    mv "$pem" "$bck"
  fi

  {
    echo "[ req ]"
    echo RANDFILE               = /dev/urandom
    echo distinguished_name     = req_dn
    echo prompt                 = no
    echo x509_extensions        = v3_ca
    echo
    echo "[ v3_ca ]"
    echo subjectKeyIdentifier   = hash
    echo authorityKeyIdentifier = keyid:always,issuer:always
    #echo basicConstraints      = CA:true
    #echo nsCertType            = critical, sslCA, emailCA, client, server, email, objsign
    echo basicConstraints       = CA:false
    echo nsCertType             = server
    echo
    echo "[ req_dn ]"
    while read l; do echo "$l" ; done < $config
  } | openssl req \
        -config     /dev/stdin     \
        -newkey     rsa:1024       \
        -x509                      \
        -sha1                      \
        -nodes                     \
        -days       $(( 365 * 5 )) \
        -keyout     "$pem"         \
        -out        "$pem"         \
        "$@"

  { echo
    openssl x509 -in "$pem" -noout -text
  } >> "$pem"

}

main()
{
  umask 077

  case $# in
    0 ) echo $"Usage: `basename $0` configfile.dn" 1>&2
        exit 1 ;;
  esac

  config=$1
  shift
  pem=`basename $config .dn`.pem
  mkpem "$config" "$pem" "$@"
}

main "$@"

# eof