#!/bin/sh
#
# --------------------------------------------------------------------------
# Copyright notice
# --------------------------------------------------------------------------
# Copyright: Rene Mayrhofer, Sep. 2002
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
# On Debian GNU/Linux systems, the complete text of the GNU General
# Public License can be found in `/usr/share/common-licenses/GPL'.
# --------------------------------------------------------------------------
#

# Stop at the first failing command: every step below builds on the key
# material produced by the previous one, so carrying on after an error would
# leave a half-initialised CA behind.  Note that -e does not apply to commands
# used as "if" conditions, which is why the existence checks below are tests.
set -e

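#######################################
# Register a private key file in the IPsec secrets file, idempotently.
# Appends a ": RSA <keyfile>" line unless such a line is already present, so
# re-running the setup never produces duplicate entries.
# Arguments: $1 - absolute path of the PEM private key file
#            $2 - secrets file to update (default: /etc/ipsec.secrets)
# Outputs:   appends at most one line to the secrets file
# Returns:   0 on success, non-zero if the secrets file cannot be written
#######################################
insert_private_key_filename() {
	set -- "$1" "${2:-/etc/ipsec.secrets}"
	# Create a missing secrets file owner-only up front: the append below would
	# otherwise create it under the caller's umask, and this file is where
	# private key references (and, in other setups, shared secrets) live.
	if [ ! -e "$2" ]; then
		( umask 077 && : >> "$2" )
	fi
	# -F: the key path contains '.', which as a regex would match any character
	# and could produce a false "already present".
	if ! grep -qF -- ": RSA $1" "$2"; then
		printf ': RSA %s\n' "$1" >> "$2"
	fi
}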

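# RSA modulus size, in bits, for the CA key and every host key created below.
KEYLENGTH=2048

# Subject fields answered to the interactive "openssl req" prompts, in prompt
# order.  commonname is overwritten before each of the three certificates.
countrycode="AT"
statename="Upper Austria"
localityname="Steyr"
orgname="Gibraltar"
orgunit="Gibraltar development"
commonname="Gibraltar firewall CA (created at $(date +%s))"
email="not specified"

#######################################
# Print the answers for the "openssl req" DN prompts, one per line:
# C, ST, L, O, OU, CN, emailAddress, then empty answers for the extra request
# attributes of the default config (challenge password, optional company
# name) plus one spare.  printf replaces the former "echo -e": with /bin/sh
# provided by dash, "echo -e" prints the "-e" literally, turning the country
# code into "-e AT" and making openssl reject the request.
# Globals:   countrycode statename localityname orgname orgunit commonname
#            email (read)
# Outputs:   the ten answer lines on stdout
#######################################
print_dn_answers() {
	printf '%s\n' "$countrycode" "$statename" "$localityname" "$orgname" \
		"$orgunit" "$commonname" "$email" "" "" ""
}

# ---------------------------------------------------------------------------
# Certificate authority (self-signed, 3652 days)
# ---------------------------------------------------------------------------
newCAkeyfile="/etc/ssl/private/cakey.pem"
newCAcertfile="/etc/ssl/cacert.pem"
# Only bootstrap a CA when neither file exists; if exactly one is present
# something is off, and overwriting it would invalidate already issued certs.
# NOTE(review): "openssl ca" below locates the CA key and certificate via
# [ CA_default ] in /etc/ssl/openssl.cnf; that config is expected to point at
# the two paths above - verify against the installed openssl.cnf.
if [ ! -r "$newCAkeyfile" ] && [ ! -r "$newCAcertfile" ]; then
	printf '%s' "Generating certificate authority for IPSec authentication ... "
	# umask 077 in a subshell: the unencrypted (-nodes) key is created
	# owner-only from the start instead of being world-readable until the
	# chmod below, and the script's own umask is left untouched.  The
	# signature digest is whatever default_md in openssl.cnf selects.
	print_dn_answers \
		| ( umask 077 && openssl req -new -x509 -outform PEM \
			-newkey "rsa:$KEYLENGTH" -nodes -keyout "$newCAkeyfile" \
			-keyform PEM -out "$newCAcertfile" -days 3652 \
			-config /etc/ssl/openssl.cnf >/dev/null 2>&1 )
	chmod 0600 "$newCAkeyfile"
	# The CA certificate is public but was also written under umask 077.
	chmod 0644 "$newCAcertfile"
	# Make the CA certificate known to the IPsec daemon (directory must exist).
	if [ ! -e "/etc/ipsec.d/cacerts/${newCAcertfile##*/}" ]; then
		ln -s "$newCAcertfile" /etc/ipsec.d/cacerts/
	fi
	echo "done"
fi

# ---------------------------------------------------------------------------
# IPsec host certificate, signed by the CA above
# ---------------------------------------------------------------------------
commonname="Gibraltar IPSec host certificate (created at $(date +%s))"
host=$(hostname)
newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
newcertfile="/etc/ipsec.d/certs/${host}.pem"
if [ ! -r "$newkeyfile" ] && [ ! -r "$newcertfile" ]; then
	printf '%s' "Generating new X.509 host certificate for IPSec authentication ... "
	# The request is transient; mktemp gives it an unpredictable, owner-only
	# name, so nothing pre-planted at a fixed /tmp path can be followed.
	newreqfile=$(mktemp "/tmp/${host}Req.XXXXXX")
	# Not self-signed: write a request, then have the CA sign it.  "-days" is
	# ignored by "openssl req" without -x509; the issued certificate's lifetime
	# comes from default_days in openssl.cnf (or -days on "openssl ca").
	print_dn_answers \
		| ( umask 077 && openssl req -new -outform PEM \
			-newkey "rsa:$KEYLENGTH" -nodes -keyout "$newkeyfile" \
			-keyform PEM -out "$newreqfile" -days 1500 \
			-config /etc/ssl/openssl.cnf >/dev/null 2>&1 )
	chmod 0600 "$newkeyfile"
	# Owner-only umask for this call only, so that a freshly created
	# /etc/ipsec.secrets is 0600 without clobbering the script's umask.
	( umask 077 && insert_private_key_filename "$newkeyfile" )
	# "yes" answers the sign/commit prompts of "openssl ca".
	yes | openssl ca -policy policy_anything -out "$newcertfile" \
		-config /etc/ssl/openssl.cnf -infiles "$newreqfile" >/dev/null 2>&1
	rm -f -- "$newreqfile"
	echo "done"
fi

# ---------------------------------------------------------------------------
# Mail relay (SMTP) certificate, signed by the same CA
# ---------------------------------------------------------------------------
commonname="Gibraltar mail relay certificate (created at $(date +%s))"
newkeyfile="/etc/ssl/private/emailKey.pem"
newcertfile="/etc/ssl/certs/emailCert.pem"
if [ ! -r "$newkeyfile" ] && [ ! -r "$newcertfile" ]; then
	printf '%s' "Generating new X.509 host certificate for SMTP authentication ... "
	# Same transient-request handling as for the IPsec host certificate.
	newreqfile=$(mktemp "/tmp/${host}MailReq.XXXXXX")
	print_dn_answers \
		| ( umask 077 && openssl req -new -outform PEM \
			-newkey "rsa:$KEYLENGTH" -nodes -keyout "$newkeyfile" \
			-keyform PEM -out "$newreqfile" -days 1500 \
			-config /etc/ssl/openssl.cnf >/dev/null 2>&1 )
	chmod 0600 "$newkeyfile"
	# Not an IPsec key, so it is deliberately not added to ipsec.secrets.
	yes | openssl ca -policy policy_anything -out "$newcertfile" \
		-config /etc/ssl/openssl.cnf -infiles "$newreqfile" >/dev/null 2>&1
	rm -f -- "$newreqfile"
	echo "done"
fi

exit 0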
