#/bin/bash

echo "This script generates the key and certificate chain for deploying"
echo "the AAOS Debugging Restriction Controller client and service"
echo
echo "WARNING: Only use this script if you are using a self-signed CA."
echo
echo "Continue (y/N)?"
read c
if [[ "$c" != "y" ]]
then
    exit -1
fi

echo "Enter the path of the CA certificate:"
read ca_cert

echo "Enter path of the CA private key:"
read ca_key

echo
echo "Enter the number of days the token signing key should be valid for:"
echo "  (press return for 365 days)"
read validity

if [[ -z "$validity" ]] ; then
  validity=365
fi
echo "Using '$validity' days"

echo
echo "Enter the hostname that identifies the token signer:"
read hostname

echo
echo "Generating the token signing key and certificate signing request ..."
echo "Please fill in the fields when requested."
date=$(date +%Y-%m-%d)
folder=$(mktemp -d)
req="$folder/token_signing-${date}.req"
key="$folder/token_signing-${date}.key"
signed="$folder/token_signing-${date}.pem"

config="
[ server ]
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $hostname
"

openssl req -nodes -newkey rsa:2048 -sha256 -keyout "${key}" -out "${req}"
echo "Signing the certificate ..."

openssl x509 -req \
    -in "$req" -out "$signed" -CA "$ca_cert" -CAkey "$ca_key" \
    -sha256 -days "$validity" -set_serial 666 \
    -extensions server -extfile <(echo "$config")

key_out="token_signing_key-$date.pem"
cert_chain_out="token_signing_certs-$date.pem"
cat "$key" > "$key_out"
cat "$signed" "$ca_cert" > "$cert_chain_out"


echo "The token signing key and certificate chain have been created."
echo "See $key_out and $cert_chain_out."
echo
echo "Verifying the certificate chain ..."
openssl verify -CAfile "$ca_cert" "$cert_chain_out"
rm -rf "$folder"