#! /bin/ksh
#
# Generate the agent password, private key and self-signed certificate
#
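#
# Usage: $0 [-p password] [-d security_dir]
#
# All tool paths and file locations come from ${EXEC_DIR}/.env (sourced below):
#   JAVA, CLASSPATH, GEN_PASS_CLASS, GEN_SEED_CLASS, KEYTOOL, CERTUTIL,
#   AGENT_PASS_FILE, AGENT_KEYSTORE, AGENT_TRUSTSTORE, AGENT_TRUST_PASS,
#   AGENT_PRIV_ALIAS, STORETYPE, ALGO, KEYSIZE, SIGALGO, DNAME, CA_DNAME,
#   VALIDITY, VALIDITY_MONTH, MFWK_TMP_SEED, TMP_OUT
#   (and SECURITY_DIR unless overridden with -d).
#
# Exit status: 0 on success, 1 on any failed step (tool output is left in
# ${TMP_OUT} for diagnosis), 2 on a usage error.
#
EXEC_DIR=$(dirname -- "$0")

# NON RANDOM PASSWORD FOR DEBUGGING PURPOSES ONLY
# MUST BE REMOVED IN FINAL VERSION
# The literal "null" is the sentinel meaning "generate a random password".
PASSWORD="null"

while getopts p:d: c
do
    case "$c" in
      p) PASSWORD=$OPTARG;;
      d) SECURITY_DIR=$OPTARG;;
      *) echo "Usage: $0 [-p password] [-d security_dir]" >&2; exit 2;;
    esac
done

. "${EXEC_DIR}/.env"

#######################################
# Report a failed step and stop.
# Arguments: $1 - message
# Globals:   TMP_OUT (read) - captured tool output, echoed after the message
#                             and deliberately left on disk for post-mortem
#######################################
fail() {
  printf '%s\n' "$1" >&2
  [ -f "${TMP_OUT}" ] && cat "${TMP_OUT}" >&2
  exit 1
}

# Sanity check: -d / .env must point at an existing directory
if [ ! -d "${SECURITY_DIR}" ]
then
  echo "Error: security dir $SECURITY_DIR does not exist." >&2
  exit 1
fi

#######################################
# Remove intermediate files on every exit path, success or failure:
# the certutil seed (secret material) and the exported CSR/certificates,
# which are re-created on each run anyway.
# Globals: MFWK_TMP_SEED, SECURITY_DIR (read)
#######################################
cleanup() {
  rm -f -- "${MFWK_TMP_SEED}" \
           "${SECURITY_DIR}/certreq.agent" \
           "${SECURITY_DIR}/cert.agent" \
           "${SECURITY_DIR}/nss/cert.ca"
}
trap cleanup EXIT

# Remove any previously installed files.
# ${SECURITY_DIR:?} aborts rather than expanding to "/nss/..." if the
# variable is somehow empty.
rm -f -- "${AGENT_PASS_FILE}" "${AGENT_KEYSTORE}" "${AGENT_TRUSTSTORE}"
rm -f -- "${SECURITY_DIR:?}/nss/cert.ca" \
         "${SECURITY_DIR}"/nss/cert*.db \
         "${SECURITY_DIR}"/nss/key*.db \
         "${SECURITY_DIR}/nss/secmod.db" \
         "${SECURITY_DIR}/certreq.agent" \
         "${SECURITY_DIR}/cert.agent"

# The directory already exists (checked above); only normalise its mode
chmod 755 "${SECURITY_DIR}"

# Save current umask value so the keystores are created under the caller's policy
curr_umask=$(umask)

# Generate (or write) the agent password.
# umask 0377 makes the file owner-read-only (mode 0400) from the moment it exists.
umask 0377
if [ "$PASSWORD" = "null" ]
then
  "${JAVA}" -cp "${CLASSPATH}" "${GEN_PASS_CLASS}" > "${AGENT_PASS_FILE}" 2>"${TMP_OUT}" \
    || fail "Error: cannot generate agent password:"
else
  # printf, not echo: a password such as "-n" or one containing backslashes
  # must be written verbatim
  printf '%s\n' "$PASSWORD" > "${AGENT_PASS_FILE}"
fi

# Generate a random seed for certutil (mode 0600 via umask 077).
# stderr is captured so that a failure report shows this step's output,
# not whatever the previous step left in ${TMP_OUT}.
umask 077
"${JAVA}" -cp "${CLASSPATH}" "${GEN_SEED_CLASS}" 24 > "${MFWK_TMP_SEED}" 2>"${TMP_OUT}" \
  || fail "Error: cannot generate random seed"

# set back previous umask
umask "$curr_umask"

# Generate the agent private key and the self-signed certificate.
# keytool reads the store password (and its confirmation) from stdin, so the
# password never appears on the command line / in ps output.
# NOTE(review): the keystore itself is created under the caller's umask; its
# private key is protected by the agent password only. Confirm that the
# deployment's umask is restrictive enough for this file.
cat "${AGENT_PASS_FILE}" "${AGENT_PASS_FILE}" | "${KEYTOOL}" -genkey \
        -alias "${AGENT_PRIV_ALIAS}" \
        -keyalg "$ALGO" \
        -keysize "$KEYSIZE" \
        -sigalg "$SIGALGO" \
        -keystore "${AGENT_KEYSTORE}" \
        -storetype "${STORETYPE}" \
        -dname "$DNAME" \
        -validity "$VALIDITY" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot generate agent private key."

# Local certificate authority creation
mkdir -p "${SECURITY_DIR}/nss"
chmod 755 "${SECURITY_DIR}/nss"

# Create new certificate and key databases (password taken from the file via -f)
"${CERTUTIL}" -N \
            -d "${SECURITY_DIR}/nss" \
            -f "${AGENT_PASS_FILE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot generate CA db files"

# create self-signed certificate for the MFWK CA
"${CERTUTIL}" -S \
            -n mfwk_ca \
            -k rsa \
            -s "${CA_DNAME}" \
            -x \
            -v "${VALIDITY_MONTH}" \
            -t "uCT,uCT,uCT" \
            -z "${MFWK_TMP_SEED}" \
            -d "${SECURITY_DIR}/nss" \
            -f "${AGENT_PASS_FILE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot generate CA self-signed certificate"

# export MFWK CA self-signed certificate to a file
"${CERTUTIL}" -L \
            -n mfwk_ca \
            -a \
            -o "${SECURITY_DIR}/nss/cert.ca" \
            -d "${SECURITY_DIR}/nss" \
            -f "${AGENT_PASS_FILE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot export CA self-signed certificate"

# Sign the agent certificate with the MFWK CA certificate
# Create the certificate signing request for the agent
cat "${AGENT_PASS_FILE}" "${AGENT_PASS_FILE}" | "${KEYTOOL}" -certreq \
        -alias "$AGENT_PRIV_ALIAS" \
        -sigalg "$SIGALGO" \
        -file "${SECURITY_DIR}/certreq.agent" \
        -keystore "${AGENT_KEYSTORE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot generate agent certificate signing request."

# Sign the agent certificate with the CA
"${CERTUTIL}" -C \
            -i "${SECURITY_DIR}/certreq.agent" \
            -c mfwk_ca \
            -v "$VALIDITY_MONTH" \
            -a \
            -o "${SECURITY_DIR}/cert.agent" \
            -d "${SECURITY_DIR}/nss" \
            -f "${AGENT_PASS_FILE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot sign agent certificate with CA."

# Import CA certificate in agent's keystore
cat "${AGENT_PASS_FILE}" "${AGENT_PASS_FILE}" | "${KEYTOOL}" -import \
        -noprompt \
        -alias mfwk_ca \
        -file "${SECURITY_DIR}/nss/cert.ca" \
        -keystore "${AGENT_KEYSTORE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot import CA self-signed certificate into agent's keystore"

# Import CA certificate in common truststore.
# The truststore was removed above, so keytool creates it and asks for the
# new store password plus confirmation; both are fed on stdin, matching the
# keystore commands, instead of passing -storepass on the command line where
# it would be visible to every local user via ps.
printf '%s\n%s\n' "${AGENT_TRUST_PASS}" "${AGENT_TRUST_PASS}" | "${KEYTOOL}" -import \
        -noprompt \
        -alias mfwk_ca \
        -file "${SECURITY_DIR}/nss/cert.ca" \
        -keystore "${AGENT_TRUSTSTORE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot import CA self-signed certificate into agent's truststore"

# Import certificate reply (the CA-signed agent certificate) under the key alias
cat "${AGENT_PASS_FILE}" "${AGENT_PASS_FILE}" | "${KEYTOOL}" -import \
        -alias "${AGENT_PRIV_ALIAS}" \
        -file "${SECURITY_DIR}/cert.agent" \
        -keystore "${AGENT_KEYSTORE}" > "${TMP_OUT}" 2>&1 \
  || fail "Error: cannot import agent certificate into agent's keystore"

# Intermediate files (seed, CSR, exported certificates) are removed by the
# EXIT trap. Remove the output file as everything is ok.
rm -f -- "${TMP_OUT}"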
