#!/bin/bash

. sbs/exec/config/allg
. $(dirname $BASH_SOURCE)/config/functions

mkdir -p $certcadir   2>&1 >/dev/null
mkdir -p $certkeydir  2>&1 >/dev/null
mkdir -p $certcertdir 2>&1 >/dev/null
mkdir -p $certcsrdir  2>&1 >/dev/null
mkdir -p $certextdir  2>&1 >/dev/null

chown -R root:$daemongroup $certcadir
chown -R root:root         $certkeydir
chown -R root:$daemongroup $certcertdir
chown -R root:$daemongroup $certcsrdir
chown -R root:$daemongroup $certextdir

chmod 770 $certcadir
chmod 770 $certkeydir
chmod 770 $certcertdir
chmod 770 $certcsrdir
chmod 770 $certextdir

setfacl -R -m   u:$daemongroup:rwx $certkeydir
setfacl    -m d:u:$daemongroup:rwx $certkeydir

if [[ "$vakeyInput" != "" && "$vacaInput" == "" || "$vakeyInput" == "" && "$vacaInput" != "" ]]; then
    echo "#mne_lang#Bitte Schlüssel und Zertifikat hochladen#" >&2
    exit 1;
fi

if [ "$vakeyInput" != "" ]; then
  if [ "$(echo "$vakeyInput" | base64 --decode | awk '/-----BEGIN.*KEY-----/ { print 1 }')" != "1" ]; then
    echo "#mne_lang#Datei ist kein Schlüssel#" >&2
  fi

  if [ "$(echo "$vacaInput" | base64 --decode | awk '/-----BEGIN CERTIFICATE-----/ { print 1 }')" != "1" ]; then
    echo "#mne_lang#Datei ist kein Zertifikat#" >&2
  fi
    
  echo "$vakeyInput" | base64 --decode > $certcadir/ca.keynew
  check_capasswd "$vapasswdInput" $certcadir/ca.keynew
  mv $certcadir/ca.keynew $certcadir/ca.key
  echo "$vacaInput" | base64 --decode > $certcadir/ca.crt
  vaoverwriteInput=0
fi

if [ ! -f "$certcadir/ca.key" ] || [ ! -f "$certcadir/ca.crt" ] || [ "$vaoverwriteInput" = "1" ]; then
    echo "#mne_lang#Erstelle CA Zertifikat#" >&2
    echo $vapasswdInput | openssl genrsa -des3 -passout stdin -out $certcadir/ca.key 4096   >&$logfile 2>&$logfile
    echo $vapasswdInput | openssl req -new -sha256 -x509 -days 3650 -passin stdin -key $certcadir/ca.key -out $certcadir/ca.crt -config $(dirname $BASH_SOURCE)/openssl.conf -extensions v3_ca -subj "/CN=$vaorgInput CA/C=$vacountryInput/ST=$vastateInput/L=$vacityInput/O=$vaorgInput/OU=$vaorgunitInput/emailAddress=$vaemailInput" >&$logfile 2>&1
fi

chmod 660 $certcadir/ca.key
chmod 664 $certcadir/ca.crt

if [ ! -f $certkeydir/$(hostname).key ]; then
  echo "#mne_lang#Erstelle Rechner Schlüssel#" >&2
  cert_mkkey "$(hostname)"
  cert_mkcsr "$(hostname)" "$(hostname)" "$(hostname --all-fqdns | sed -e 's/ *$//' -e "s/  */\n/g" | sort -u | awk '{ printf("%s%s", space, $0); space=" "  }')"
fi

check_capasswd "$vapasswdInput"
cert_mkcrt "$(hostname)" "$vapasswdInput"

mne_error_ignore=1
rm /usr/local/share/ca-certificates/mne_sbsca_$(hostname).crt >&$logfile 2>&1
mne_error_ignore=
ln -s $certcadir/ca.crt /usr/local/share/ca-certificates/mne_sbsca_$(hostname).crt
update-ca-certificates >&$logfile 2>&1

exit 0
