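#!/bin/sh
#
# Build a throw-away test PKI with the freshly built openssl binary: a local
# CA, a TSA certificate (timeStamping EKU) and an OCSP responder certificate
# (OCSPSigning EKU), all signed by that CA.  Everything is written below the
# relative directory "test", which is removed and recreated on every run, so
# the script must be started from a working directory where that is safe.
#
# Globals:
#   openssl_bin   path to the openssl binary under test
#   OPENSSL_CONF  exported; points at the openssl.cnf generated below
#
# The script aborts (via check_exit_status) at the first failing openssl call.

openssl_bin=../apps/openssl/.libs/openssl

# Print a dated section banner to stdout.
#   $1 - section title
section_message() {
  echo ""
  echo "#---------#---------#---------#---------#---------#---------#---------#--------"
  echo "==="
  echo "=== (Section) $1 $(date +'%Y/%m/%d %H:%M:%S')"
  echo "==="
}

# Announce a single test step on stdout.
#   $1 - step description
start_message() {
  echo ""
  echo "[TEST] $1"
}

# Report the outcome of the previous command and stop the script on failure.
#   $1 - exit status of the command just run (normally "$?")
# Exits with that status when it is non-zero; prints a success marker otherwise.
check_exit_status() {
  status=$1
  if [ "$status" -ne 0 ] ; then
    echo ":-< error occurs, exit status = [ $status ]"
    exit "$status"
  else
    echo ":-) success. "
  fi
}

#---------#---------#---------#---------#---------#---------#---------#---------
#
# create ssldir, and all files generated by this script goes under this dir.
#
ssldir="test"
if [ -d "$ssldir" ] ; then
  echo "directory [ $ssldir ] exists, this script deletes this directory ..."
  # ${ssldir:?} makes the shell abort instead of expanding to "rm -rf" of
  # nothing should the variable ever be emptied by a later edit.
  /bin/rm -rf "${ssldir:?}"
fi
mkdir -p "$ssldir"

export OPENSSL_CONF="$ssldir/openssl.cnf"
touch "$OPENSSL_CONF"

#---------#---------#---------#---------#---------#---------#---------#---------
section_message "setup local CA"

#
# prepare test openssl.cnf
#
# The heredoc is unquoted on purpose: $ca_dir / $tsa_dir are expanded now,
# while the escaped \$dir references are left for openssl's own config parser.
#
ca_dir=$ssldir/testCA
tsa_dir=$ssldir/testTSA
ocsp_dir=$ssldir/testOCSP

cat << __EOF__ > "$ssldir/openssl.cnf"
oid_section = new_oids

[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./$ca_dir
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 1
default_md = default
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Tokyo
organizationName = Organization Name
organizationName_default = TEST_DUMMY_COMPANY
commonName = Common Name

[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
dir = ./$tsa_dir
serial = \$dir/serial
crypto_device = builtin
digests = sha1, sha256, sha384, sha512
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3

[ tsa_ext ]
keyUsage = critical,nonRepudiation
extendedKeyUsage = critical,timeStamping

[ ocsp_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = OCSPSigning
__EOF__

#---------#---------#---------#---------#---------#---------#---------#---------
#
# setup test CA
#
mkdir -p "$ca_dir"
mkdir -p "$tsa_dir"
mkdir -p "$ocsp_dir"
mkdir -p "$ca_dir/certs"
mkdir -p "$ca_dir/private"
mkdir -p "$ca_dir/crl"
mkdir -p "$ca_dir/newcerts"
# private key directories are owner-only, as "openssl ca" expects
chmod 700 "$ca_dir/private"
echo "01" > "$ca_dir/serial"
touch "$ca_dir/index.txt"
touch "$ca_dir/crlnumber"
echo "01" > "$ca_dir/crlnumber"

#
# setup test TSA
#
mkdir -p "$tsa_dir/private"
chmod 700 "$tsa_dir/private"
echo "01" > "$tsa_dir/serial"
touch "$tsa_dir/index.txt"

#
# setup test OCSP
#
mkdir -p "$ocsp_dir/private"
chmod 700 "$ocsp_dir/private"

#---------#---------#---------#---------#---------#---------#---------#---------
# --- CA initiate (generate CA key and cert) ---
start_message "req ... generate CA key and self signed cert"

ca_cert=$ca_dir/ca_cert.pem
ca_key=$ca_dir/private/ca_key.pem
# Fixed, non-secret passphrase for a throw-away CA.  It is handed over on the
# command line (pass:...), so it is visible in the process list; do not reuse
# this pattern for a real key.
ca_pass=test-ca-pass
subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testCA.test_dummy.com/'

$openssl_bin req -new -x509 -newkey rsa:2048 -out "$ca_cert" -keyout "$ca_key" \
  -days 1 -passout "pass:$ca_pass" -batch -subj "$subj"
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------
# --- TSA initiate (generate TSA key and cert) ---
start_message "req ... generate TSA key and cert"

# generate CSR for TSA
tsa_csr=$tsa_dir/tsa_csr.pem
tsa_key=$tsa_dir/private/tsa_key.pem
tsa_pass=test-tsa-pass
subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testTSA.test_dummy.com/'

$openssl_bin req -new -keyout "$tsa_key" -out "$tsa_csr" \
  -passout "pass:$tsa_pass" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with TSA extensions"

# "-key" is the CA passphrase here; tsa_ext adds the timeStamping EKU
tsa_cert=$tsa_dir/tsa_cert.pem
$openssl_bin ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$tsa_csr" -out "$tsa_cert" -extensions tsa_ext
check_exit_status $?

#---------#---------#---------#---------#---------#---------#---------#---------
# --- OCSP initiate (generate OCSP key and cert) ---
start_message "req ... generate OCSP key and cert"

# generate CSR for OCSP (-nodes: the responder key is stored unencrypted)
ocsp_csr=$ocsp_dir/ocsp_csr.pem
ocsp_key=$ocsp_dir/private/ocsp_key.pem
subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=testOCSP.test_dummy.com/'

$openssl_bin req -new -keyout "$ocsp_key" -nodes -out "$ocsp_csr" -subj "$subj"
check_exit_status $?

start_message "ca ... sign by CA with OCSP extensions"

# ocsp_ext adds the OCSPSigning EKU and CA:FALSE
ocsp_cert=$ocsp_dir/ocsp_cert.pem
$openssl_bin ca -batch -cert "$ca_cert" -keyfile "$ca_key" -key "$ca_pass" \
  -in "$ocsp_csr" -out "$ocsp_cert" -extensions ocsp_ext
check_exit_status $?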