#! /bin/sh
#
#
# Copyright 2000-2007 Double Precision, Inc.  See COPYING for
# distribution information.
#
# This is a short script to q`uickly generate a self-signed X.509 key for
# STARTTLS.  Normally this script would get called by an automatic
# package installation routine.

CERTNAME=$(basename $0 | sed -e 's/^mk//;s/cert$//')

PEMFILE="$1"
if [ -z "$PEMFILE" ]; then
	PEMFILE=/etc/courier/$CERTNAME.pem
fi

KEYFILE="$PEMFILE.key"
CERTFILE="$PEMFILE.cert"
RANDFILE="$PEMFILE.rand"

if test "gnutls" = "openssl"
then
	test -x /usr/bin/openssl || exit 0
else
	test -x /usr/bin/certtool || exit 0
fi

if test -f "$PEMFILE"
then
	echo "$PEMFILE already exists."
	exit 1
fi

cleanup() {
	rm -f "$PEMFILE"
	rm -f "$KEYFILE"
	rm -f "$CERTFILE"
	rm -f "$RANDFILE"
	exit 1
}

cd /etc/courier
umask 077
BITS="$BITS"
set -e

install -b -m 600 -o "courier" /dev/null "$PEMFILE"

if test "gnutls" = "openssl"
then
	dd if=/dev/urandom of="$RANDFILE" count=1 2>/dev/null
	/usr/bin/openssl req -new -x509 -days 365 -nodes \
		  -config "/etc/courier/$CERTNAME.cnf" -out "$PEMFILE" -keyout "$PEMFILE" || cleanup
	/usr/bin/openssl dhparam -2 -rand "$RANDFILE" 512 >>"$PEMFILE" || cleanup
	/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in "$PEMFILE" || cleanup
	rm -f "$RANDFILE"
else
	if test "$BITS" = ""
	then
		BITS="high"
	fi

	install -b -m 600 -o "courier" /dev/null "$KEYFILE"
	install -v -m 600 -o "courier" /dev/null "$CERTFILE"

	/usr/bin/certtool --generate-privkey --sec-param=$BITS --outfile "$KEYFILE"
	/usr/bin/certtool --generate-self-signed --load-privkey "$KEYFILE" --outfile "$CERTFILE" --template "/etc/courier/$CERTNAME.cnf"

	cat "$KEYFILE" "$CERTFILE" > "$PEMFILE"
	rm -f "$KEYFILE" "$CERTFILE"
fi
