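#!/bin/sh
# Issue a client or server certificate from the local VPN CA kept under
# $HOME/VPNCA, or print information about a certificate that already exists.
#
# Usage: $0 create|createserver|info|showcert|showkey <subject name>
#
# For create/createserver the CA key passphrase is read as one line from
# stdin.  Exit status: 0 ok, 1 usage error or invalid command, 2 lock held,
# 3 wrong CA passphrase, 4 key/request generation or signing failed.
action=$1
name=$2
days=1825
# The lock is a directory: mkdir(2) either creates it or fails atomically,
# so there is no check-then-create window between two concurrent runs and a
# symlink planted at this path in /tmp cannot be followed.
lockfile=/tmp/packagemanager-gencert.lock

if [ -z "$name" ] || [ -z "$action" ]
then
	printf 'Usage: %s create|createserver|info|showcert|showkey <subject name>\n' "$0" >&2
	exit 1
fi

# The subject name is used both as a file name component below the CA
# directory and as the CN value of the request subject.  Refuse names that
# could escape the directory, inject extra DN fields (both use '/') or be
# mistaken for an option by the tools invoked.
case $name in
	*/*|-*|.*)
		printf 'error: invalid subject name %s\n' "$name" >&2
		exit 1
		;;
esac

# Keys and requests written below must not be world-readable.
umask 027

: "${HOME:?HOME must be set}"
email=mail@example.com
dir=$HOME/VPNCA
conf=$dir/openssl.cnf
c=DE
st=NRW
l=Stadt
o=Firma
subject="/C=$c/ST=$st/L=$l/O=$o/CN=$name/emailAddress=$email"
cert_id=$name

# Read-only actions need neither the lock nor the CA passphrase.  Their exit
# status is that of the underlying command, so a missing certificate is
# reported instead of being masked by an unconditional 0.
case $action in
	info)
		openssl x509 -in "$dir/certsbyname/$cert_id.pem" -subject -serial -dates -fingerprint -noout
		exit $?
		;;
	showkey)
		cat "$dir/keys/$cert_id.key"
		exit $?
		;;
	showcert)
		# openssl ca stores a text dump above the PEM block; print only the PEM part.
		sed -n -e '/-----BEGIN CERTIFICATE-----/,$ p' "$dir/certsbyname/$cert_id.pem"
		exit $?
		;;
	create|createserver)
		;;
	*)
		printf 'invalid command %s\n' "$action" >&2
		exit 1
		;;
esac

# Take the lock before reading the passphrase or touching any CA state, and
# release it on every exit path from here on (success, signing failure, or
# a signal).  A stale lock left by an older run is reported the same way.
if ! mkdir "$lockfile" 2>/dev/null
then
	echo 'error: lockfile exists, exiting.' >&2
	exit 2
fi
trap 'rmdir "$lockfile" 2>/dev/null' EXIT

# The CA passphrase arrives on stdin.  IFS= keeps surrounding whitespace and
# -r keeps backslashes, so the passphrase reaches openssl unmodified.
IFS= read -r capassword

if ! serial=$(cat "$dir/serial")
then
	echo 'error: cannot read CA serial' >&2
	exit 4
fi

keyfile=$dir/keys/$cert_id.key
reqfile=$dir/req/$cert_id.req
newcert=$dir/newcerts/$serial:$cert_id.pem
namecert=$dir/certsbyname/$cert_id.pem

# Check the passphrase before generating anything, so a typo leaves no stray
# key or request behind.  printf rather than echo: a passphrase starting
# with '-' or containing backslashes would otherwise be altered.
if ! printf '%s\n' "$capassword" | openssl rsa -in "$dir/cakey.pem" -passin stdin -noout
then
	echo 'error: wrong ca password' >&2
	exit 3
fi

# Extension section of openssl.cnf selects client vs. server usage.
if [ "$action" = "createserver" ]
then
	ext=v3_server
else
	ext=v3_client
fi

if ! openssl req -new -config "$conf" -nodes -keyout "$keyfile" -out "$reqfile" -subj "$subject"
then
	rm -f "$keyfile" "$reqfile"
	echo 'error: failed to create key and request' >&2
	exit 4
fi

if printf '%s\n' "$capassword" | openssl ca -config "$conf" -passin stdin -batch -days "$days" -in "$reqfile" -out "$newcert" -extensions "$ext"
then
	# A certificate already stored under the same name is replaced; the
	# serial-prefixed copy in newcerts/ remains as the permanent record.
	# cp --backup=numbered "$newcert" "$namecert"
	cp "$newcert" "$namecert"
	# Certificates are public; only the key stays group/other-restricted.
	chmod a+r "$namecert"
	echo success
	exit 0
else
	# Signing failed: discard the unsigned key and request so that a retry
	# does not reuse them.
	rm -f "$keyfile" "$reqfile"
	echo 'error: failed to sign certificate' >&2
	exit 4
fi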
