#!/bin/bash
# Copyright (c) 2010 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#

DIR="/tmp/tmp$RANDOM"
HOST=`hostname`
PWDFILE="password"
SEEDFILE="seed"
INST_DIR='/tmp/redhat/qpid'
DB_PASSWORD=""
VALID="12"
CA_PATH=""

echo ""
echo "Working in: $DIR"
echo ""

#
# ========== SETUP ============
#
# prompt user for install directory
echo ""
echo "Please specify a directory into which the created NSS database
and associated certificates will be installed."
echo ""
read -p "Enter a directory [$INST_DIR]:" ans
if [ "${#ans}" -gt 0 ]
then
  INST_DIR=$ans
fi
echo $INST_DIR

# prompt user for install directory
while [ "${#DB_PASSWORD}" -eq 0 ]; do
  echo ""
  read -sp "Enter NSS database password:" DB_PASSWORD
done
echo ""

# prompt user for existing CA.
# must contain both key & certificate
echo ""
echo "Please specify a CA.  Generated if not specified."
echo ""
read -p "Enter a path: " ans
if [ "${#ans}" -gt 0 ]
then
  CA_PATH=$ans
  echo "Using CA: $CA_PATH"
fi

# create temporary db directory
rm -rf $DIR
mkdir $DIR
cd $DIR
#
# ========== KEY SEED ===========
#
touch $SEEDFILE
i=0
while [ $i -lt 20 ]; do
  echo $RANDOM >> $SEEDFILE
  i=`expr $i + 1`
done

#
# ========== PASSWORD ===========
#

# create the password file
echo "$DB_PASSWORD" > $PWDFILE

echo ""
echo "Password file created."

#
# ========== DATABASE ============
#

# create the nss db
certutil -N -d . -f $PWDFILE

echo ""
echo "Database created."

#
# =========== CA =================
#

# create/import the CA cert
echo ""
if [ "$CA_PATH" = "" ]
then
  echo "Creating CA certificate:"
  SUBJECT="CN=redhat,O=pulp,ST=Alabama,C=US"
  certutil -S -d . -n "ca" -s $SUBJECT -t "TC,," -f $PWDFILE -z $SEEDFILE -x -v $VALID
else
  openssl pkcs12 -export -in $CA_PATH -out ca.p12 -name "ca"
  pk12util -d . -n "ca" -i ca.p12
  certutil -M -d . -n "ca" -t "TCu,Cu,Tuw"
  echo "CA certificate: $CA_PATH, imported"
fi
certutil -L -d . -n "ca" -a -o ca.crt -f $PWDFILE


echo "CA created"

#
# =========== BROKER =============
#

# create broker cert signing request
echo ""
echo "Creating BROKER certificate:"
SUBJECT="CN=$HOST,O=pulp,ST=Alabama,C=US"
certutil -R -d . -s $SUBJECT -a -o broker.req -f $PWDFILE -z $SEEDFILE

# sign the broker cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uV -m1 -a -i broker.req -f $PWDFILE -o broker.crt

# import the broker cert
certutil -A -d . -n "broker" -t ",," -a -i broker.crt

echo "Broker certificate created."

#
# =========== CLIENT =============
#

# create the nss db
mkdir client
certutil -N -d client -f $PWDFILE

# create client cert signing request
echo ""
echo "Creating CLIENT certificate:"
SUBJECT="CN=client,O=pulp,ST=Alabama,C=US"
certutil -R -d client -s $SUBJECT -a -o client.req -f $PWDFILE -z $SEEDFILE

# sign the client cert w/ CA
certutil -C -d . -c "ca" -v $VALID -uC -m2 -a -i client.req -f $PWDFILE -o client.crt

# import the client cert
certutil -A -d client -n "client" -t ",," -a -i client.crt
echo "Client certificate created."

# export client p12 bundle
pk12util -d client -n "client" -o client.p12

# using openssl, generate a key & cert using the p12.
openssl pkcs12 -in client.p12 -nodes -out client.crt

echo "Client key & certificate exported"

#
# =========== INSTALL =============
#

# clean unused artifacts
rm -f *.req
rm -f *.p12
rm -rf client

# create target directory and install files
mkdir -p $INST_DIR
mkdir -p $INST_DIR/nss
cp $DIR/*.crt $INST_DIR
cp $DIR/*.db $INST_DIR/nss
cp $DIR/$PWDFILE $INST_DIR/nss

# update perms
chmod 644 $INST_DIR/*.crt
chmod 644 $INST_DIR/nss/*

echo ""
echo "Artifacts copied to: $INST_DIR."
echo ""

#
# =========== POST =============
#

echo "Please update /etc/qpidd.conf as follows:"
echo "
....
auth=no
....
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=$INST_DIR/nss
ssl-cert-password-file=$INST_DIR/nss/password
ssl-cert-name=broker
ssl-port=5674
...
"
echo ""
echo "Please configure gofer as follows:"
echo "
...
[messaging]
url=ssl://<host>:5674
cacert=$INST_DIR/ca.crt
clientcert=$INST_DIR/client.crt
"

#
# =========== CLEANUP =============
#

cd /tmp
rm -rf $DIR

