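#!/usr/bin/env bash
# $Id: mkpem,v 1.4 2011/02/13 22:53:44 friedman Exp $

# Commentary:

# Generate a self-signed server certificate and its private key as a single
# PEM file, using the distinguished-name entries from a config file.
#
# Example config.dn for an SSL server certificate:
#
#   C  = US
#   ST = California
#   L  = San Francisco
#   O  = Nocturnal Aviation, Inc.
#   CN = hostname.domainname
#
# Order is least significant to most significant!
# Usually you want to list C first and CN last.
#
# Environment (all optional):
#   VERSION_CONTROL  backup naming scheme for an existing output file;
#                    see make_backup_file_name below
#   MKPEM_KEY        argument to `openssl req -newkey' (default rsa:2048)
#   MKPEM_DIGEST     signature digest (default sha256)
#   MKPEM_DAYS       certificate validity in days (default 3650)

# Code:

set -eu

#######################################
# Print the next emacs-style backup file name for a file on disk,
# chosen by the VERSION_CONTROL environment variable:
#   `t' or `numbered'    always make numbered backups (name.~N~)
#   `nil' or `existing'  numbered if numbered backups already exist,
#                        otherwise a simple backup (name~)
#   `never' or `simple'  always a simple backup (name~)
# Any other value, or unset, behaves like `numbered'.
# Arguments: $1 - file name
# Outputs:   backup file name on stdout
#######################################
make_backup_file_name() {
  local name=$1
  local highest next result

  case ${VERSION_CONTROL-} in
    never | simple )
      result=$name~
      ;;
    * )
      # Highest existing numbered backup.  An unmatched glob expands to the
      # literal pattern, which sed reduces to '*'; the regex check below
      # treats that (and any non-numeric suffix) as "no numbered backups".
      highest=$(for f in "$name".~*~; do printf '%s\n' "$f"; done \
                  | sed -ne 's/~$//' -e 's/.*\.~//' -e p \
                  | sort -nr \
                  | head -n 1)
      [[ $highest =~ ^[0-9]+$ ]] || highest=0
      next=$(( highest + 1 ))

      case ${VERSION_CONTROL-} in
        nil | existing )
          # Only continue a numbered series that already exists.  The
          # original left result unset here when highest was non-zero,
          # printing an empty name.
          if (( highest == 0 )); then
            result=$name~
          else
            result=$name.~$next~
          fi
          ;;
        * )
          result=$name.~$next~
          ;;
      esac
      ;;
  esac

  printf '%s\n' "$result"
}

#######################################
# Generate a self-signed certificate and private key into one PEM file,
# followed by a human-readable text dump of the certificate.
# An existing output file is first moved to an emacs-style backup name.
# The private key is written unencrypted (-nodes); the caller's umask
# controls the file mode.
# Arguments: $1 - config file holding the [ req_dn ] entries
#            $2 - output PEM path
#            any further arguments are passed through to `openssl req'
#            (e.g. -addext to add a subjectAltName)
# Globals:   MKPEM_KEY, MKPEM_DIGEST, MKPEM_DAYS (optional overrides)
# Returns:   non-zero if the backup move or openssl fails
#######################################
mkpem() {
  local config=$1
  local pem=$2
  shift 2
  local bck
  local key=${MKPEM_KEY:-rsa:2048}
  local digest=${MKPEM_DIGEST:-sha256}
  local days=${MKPEM_DAYS:-3650}

  if [[ -f $pem ]]; then
    bck=$(make_backup_file_name "$pem")
    printf 'Moving existing %s -> %s\n' "$pem" "$bck"
    # The original only echoed this mv, so the existing file was
    # overwritten by openssl below despite the message.
    mv -- "$pem" "$bck" || return
  fi

  # The whole openssl config is assembled on stdin, so no temp file is
  # needed.  Critical extensions mean the cert should be rejected when used
  # for purposes other than those indicated in the extension.
  # NOTE(review): keyUsage of keyEncipherment alone covers RSA key
  # transport; ECDHE cipher suites and TLS 1.3 also require
  # digitalSignature.  No subjectAltName is set either, and modern clients
  # ignore CN for host matching -- pass `-addext subjectAltName=DNS:...'
  # through the extra arguments if needed.
  {
    cat <<'EOF'
[ req ]
RANDFILE = /dev/urandom
prompt = no
x509_extensions = v3_ca
distinguished_name = req_dn

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
#basicConstraints = critical, CA:true, pathlen:0
basicConstraints = critical, CA:false
#keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
keyUsage = critical, keyEncipherment
#extendedKeyUsage = critical, serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, msSGC, nsSGC
extendedKeyUsage = critical, serverAuth
# Don't use nsCertType; deprecated.
#nsCertType = critical, sslCA, emailCA, client, server, email, objsign
#nsCertType = critical, server
#subjectAltName = email:foo@company.com, email:bar@company.com
#subjectAltName = DNS:foo.company.com, DNS:bar.company.com

[ req_dn ]
EOF
    cat -- "$config"
  } | openssl req \
        -config /dev/stdin \
        -newkey "$key" \
        -x509 \
        "-$digest" \
        -nodes \
        -days "$days" \
        -keyout "$pem" \
        -out "$pem" \
        "$@" || return

  # Append the decoded certificate; openssl ignores text outside the PEM
  # markers when the file is read back.
  {
    echo
    openssl x509 -in "$pem" -noout -text
  } >> "$pem"
}

#######################################
# Entry point: mkpem configfile.dn [openssl req options...]
# Writes configfile.pem next to the current directory, owner-readable only.
#######################################
main() {
  # The private key lands in the output file; keep it owner-only.
  umask 077

  if (( $# == 0 )); then
    printf 'Usage: %s configfile.dn\n' "${0##*/}" >&2
    exit 1
  fi

  local config=$1
  shift
  local pem
  pem=$(basename -- "$config" .dn).pem

  mkpem "$config" "$pem" "$@"
}

main "$@"

# eof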