#!/bin/sh -e

# TODO:
# - parameterize hard-coded values
# - do not create security domain
# - support existing subsystem user

echo "################################################################################"

if [ -f /certs/server.p12 ]
then
    echo "INFO: Importing system certs and keys"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        pkcs12-import \
        --pkcs12 /certs/server.p12 \
        --password Secret.123
fi

if [ -f /certs/admin.p12 ]
then
    echo "INFO: Importing admin cert and key"

    pki pkcs12-import \
        --pkcs12 /certs/admin.p12 \
        --password Secret.123
fi

echo "################################################################################"

# check if CA signing cert exists
rc=0
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    ca_signing > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating CA signing cert"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-request \
        --subject "CN=CA Signing Certificate" \
        --ext /usr/share/pki/server/certs/ca_signing.conf \
        --csr /certs/ca_signing.csr

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-issue \
        --csr /certs/ca_signing.csr \
        --ext /usr/share/pki/server/certs/ca_signing.conf \
        --months-valid 12 \
        --cert /certs/ca_signing.crt

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-import \
        --cert /certs/ca_signing.crt \
        --trust CT,C,C \
        ca_signing
fi

echo "INFO: CA signing cert:"
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    ca_signing

echo "################################################################################"

# check if OCSP signing cert exists
rc=0
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    ocsp_signing > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating OCSP signing cert"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-request \
        --subject "CN=OCSP Signing Certificate" \
        --ext /usr/share/pki/server/certs/ocsp_signing.conf \
        --csr /certs/ocsp_signing.csr

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-issue \
        --issuer ca_signing \
        --csr /certs/ocsp_signing.csr \
        --ext /usr/share/pki/server/certs/ocsp_signing.conf \
        --cert /certs/ocsp_signing.crt

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-import \
        --cert /certs/ocsp_signing.crt \
        ocsp_signing
fi

echo "INFO: OCSP signing cert:"
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    ocsp_signing

echo "################################################################################"

# check if audit signing cert exists
rc=0
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    audit_signing > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating audit signing cert"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-request \
        --subject "CN=Audit Signing Certificate" \
        --ext /usr/share/pki/server/certs/audit_signing.conf \
        --csr /certs/audit_signing.csr

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-issue \
        --issuer ca_signing \
        --csr /certs/audit_signing.csr \
        --ext /usr/share/pki/server/certs/audit_signing.conf \
        --cert /certs/audit_signing.crt

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-import \
        --cert /certs/audit_signing.crt \
        --trust ,,P \
        audit_signing
fi

echo "INFO: Audit signing cert:"
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    audit_signing

echo "################################################################################"

# check if subsystem cert exists
rc=0
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    subsystem > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating subsystem cert"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-request \
        --subject "CN=Subsystem Certificate" \
        --csr /certs/subsystem.csr

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-issue \
        --issuer ca_signing \
        --csr /certs/subsystem.csr \
        --ext /usr/share/pki/server/certs/subsystem.conf \
        --cert /certs/subsystem.crt

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-import \
        --cert /certs/subsystem.crt \
        subsystem
fi

echo "INFO: Subsystem cert:"
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    subsystem

echo "################################################################################"

# check if SSL server cert exists
rc=0
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    sslserver > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating SSL server cert:"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-request \
        --subject "CN=$HOSTNAME" \
        --ext /usr/share/pki/server/certs/sslserver.conf \
        --csr /certs/sslserver.csr

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-issue \
        --issuer ca_signing \
        --csr /certs/sslserver.csr \
        --ext /usr/share/pki/server/certs/sslserver.conf \
        --cert /certs/sslserver.crt

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-import \
        --cert /certs/sslserver.crt \
        sslserver
fi

echo "INFO: SSL server cert:"
pki \
    -d /etc/pki/pki-tomcat/alias \
    nss-cert-show \
    sslserver

echo "################################################################################"

# check if admin cert exists
rc=0
pki nss-cert-show admin > /dev/null 2>&1 || rc=$?

if [ $rc -ne 0 ]
then
    echo "INFO: Creating admin cert"

    pki nss-cert-request \
        --subject "CN=Administrator" \
        --ext /usr/share/pki/server/certs/admin.conf \
        --csr /certs/admin.csr

    pki nss-cert-issue \
        --issuer ca_signing \
        --csr /certs/admin.csr \
        --ext /usr/share/pki/server/certs/admin.conf \
        --cert /certs/admin.crt

    pki nss-cert-import \
        --cert /certs/admin.crt \
        admin
fi

echo "INFO: Admin cert:"
pki nss-cert-show admin

echo "################################################################################"

if [ ! -f /certs/admin.p12 ]
then
    echo "INFO: Exporting admin cert and key"

    pki pkcs12-export \
        --pkcs12 /certs/admin.p12 \
        --password Secret.123 \
        admin
fi

if [ ! -f /certs/ca_signing.crt ]
then
    echo "INFO: Exporting CA signing cert"

    pki \
        -d /etc/pki/pki-tomcat/alias \
        nss-cert-export \
        --output-file /certs/ca_signing.crt \
        ca_signing
fi

if [ ! -f /certs/admin.crt ]
then
    echo "INFO: Exporting admin cert"

    pki nss-cert-export \
        --output-file /certs/admin.crt \
        admin
fi

echo "################################################################################"
echo "INFO: Creating PKI CA"

# Create CA with existing certs and keys, with existing database,
# with existing database user, with RSNv3, without security manager,
# and without systemd service.
pkispawn \
    -f /usr/share/pki/server/examples/installation/ca.cfg \
    -s CA \
    -D pki_ds_hostname=ds.example.com \
    -D pki_ds_ldap_port=3389 \
    -D pki_ds_setup=False \
    -D pki_share_db=True \
    -D pki_request_id_generator=random \
    -D pki_cert_id_generator=random \
    -D pki_existing=True \
    -D pki_import_system_certs=False \
    -D pki_ca_signing_nickname=ca_signing \
    -D pki_ca_signing_csr_path=/certs/ca_signing.csr \
    -D pki_ocsp_signing_nickname=ocsp_signing \
    -D pki_ocsp_signing_csr_path=/certs/ocsp_signing.csr \
    -D pki_audit_signing_nickname=audit_signing \
    -D pki_audit_signing_csr_path=/certs/audit_signing.csr \
    -D pki_subsystem_nickname=subsystem \
    -D pki_subsystem_csr_path=/certs/subsystem.csr \
    -D pki_sslserver_nickname=sslserver \
    -D pki_sslserver_csr_path=/certs/sslserver.csr \
    -D pki_admin_setup=False \
    -D pki_security_domain_setup=False \
    -D pki_security_manager=False \
    -D pki_systemd_service_create=False \
    -v

echo "################################################################################"
echo "INFO: Starting PKI CA"

pki-server run --as-current-user
