#!/bin/bash
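# Usage guard. The message goes to stderr so it never ends up in a captured
# stdout, and the status is 1 like every other failure in this script
# (`exit -1` is not a valid exit status; bash reported it as 255).
(($#)) || { echo "Syntax: $0 <channel#> | CA" >&2; exit 1; }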

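# Create the private CA key pair and self-signed certificate ($ca.key /
# $ca.crt) from scratch and upload the certificate. Destructive: every
# *.crt and *.bks in the current directory is removed first, so the operator
# has to confirm interactively. Reads global: ca. Needs CA.ext (extensions
# for the self-signed certificate) in the current directory.
ca() {
    # Refuse before anything is deleted rather than after openssl fails
    # on the missing extension file.
    [[ -e CA.ext ]] || { echo "CA.ext not found in current dir"; exit 1; }
    local answer
    read -r -p "Really to discard existing credentials? y|[N]" answer
    # Only a reply starting with y/Y continues; empty means the default "N".
    [[ ${answer:0:1} == [Yy] ]] || exit 1
    rm -f -- *.crt
    rm -f -- *.bks
    local who=$ca
    set -e
    # create CA keys -----------------------------------------------------------
    echo "creating $who keys..."
    # umask 077 in a subshell: the private key is never created world-readable,
    # not even for the instant before the chmod below, and the caller's umask
    # is left untouched.
    ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
    chmod 600 "$who.key"
    # selfsign CA public key ---------------------------------------------------
    echo "selfsigning $who public key..."
    # 128-bit random serial instead of $RANDOM (15 bits): X.509 requires serial
    # numbers to be unique per issuer, and every certificate this script signs
    # draws its serial from the same source.
    openssl x509 -req -in "$who.req" -signkey "$who.key" -days 9999 \
        -set_serial "0x$(openssl rand -hex 16)" -sha512 -extfile CA.ext -out "$who.crt"
    # upload CA public key -----------------------------------------------------
    echo "uploading $who public key..."
    up "$who.crt"
    echo "$ca successfully created and uploaded."
}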
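# Build one Java keystore for the current channel: trust the CA, generate the
# client key pair inside the store, have the CA sign its CSR, install the
# resulting chain under the key alias and add the server certificate.
# Arguments:
#   $1   - store description used in progress messages ("android"/"default java")
#   $2   - capitalised description for the closing banner
#   $3   - keystore file name ($who.bks / $who.jks)
#   $4.. - keytool options that select the store (-keystore, -storetype, ...)
# Reads (dynamically scoped from channel): who, ca, p. Runs under the
# caller's `set -e`, so any failing keytool/openssl call aborts the script.
_channel_store() {
    local kind=$1 title=$2 file=$3
    shift 3
    local store=("$@")
    # The password reaches keytool through the environment (-storepass:env /
    # -keypass:env), so it is not part of a command line visible in `ps`.
    echo "importing $ca public key into $kind key store..."
    PASS=$p keytool -import -noprompt -alias "$ca" -file "$ca.crt" "${store[@]}"
    echo "creating $who $kind client keys..."
    PASS=$p keytool -genkey -alias "$who" -keysize 2048 -keyalg RSA -dname "CN=$who" -validity 9999 -keypass:env PASS "${store[@]}"
    PASS=$p keytool -certreq -alias "$who" -file "$who.req" "${store[@]}"
    echo "signing $who $kind client public key..."
    # 128-bit random serial: $RANDOM gives only 15 bits, so two clients of the
    # same CA would sooner or later share a serial, which X.509 forbids.
    openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 \
        -set_serial "0x$(openssl rand -hex 16)" -sha512 -out "$who.crt"
    # Append the CA certificate so the imported reply is the full chain
    # (client certificate followed by its issuer).
    cat "$ca.crt" >> "$who.crt"
    echo "importing $who client public key into $kind key store..."
    PASS=$p keytool -import -alias "$who" -file "$who.crt" "${store[@]}"
    rm -f -- "$who.req" "$who.crt"
    echo "importing server public key into $kind client key store..."
    PASS=$p keytool -import -noprompt -alias srv -file srv.crt "${store[@]}"
    # The store now holds the client's private key; keep it owner-only, the
    # same way this script treats the PEM bundles it writes.
    chmod 600 "$file"
    printf '*-----\n* %s client keystore %s successfully created.\n*-----\n' "$title" "$file"
}
# Produce all client credentials for channel $chan: an Android (BKS-V1)
# keystore, a plain JKS keystore and an OpenSSL PEM bundle, each holding a
# fresh CA-signed client certificate plus the CA and server certificates.
# Reads globals: ca, chan, jar. Requires $ca.key, $ca.crt and srv.crt.
# Honours KEYSTORE_PASS for the store/key password (default unchanged).
channel() {
    [[ -e $ca.crt && -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
    # Both keystores import srv.crt; fail before creating anything if it is gone.
    [[ -e srv.crt ]] || { echo "server certificate srv.crt not available."; exit 1; }
    local who=$chan
    # keytool option sets are arrays so no option value is ever word-split.
    local bouncy_store=(-keystore "$who.bks" -storetype bks-v1
                        -provider org.bouncycastle.jce.provider.BouncyCastleProvider
                        -providerpath "$jar" -storepass:env PASS)
    local default_store=(-keystore "$who.jks" -storepass:env PASS)
    # Store/key password. The historical fixed value stays the default because
    # the consumers of these stores expect it; set KEYSTORE_PASS to override.
    # NOTE(review): a password written into this script adds no protection
    # beyond the files' 0600 mode - treat the keystores as secret files.
    local p=${KEYSTORE_PASS:-heslo}
    set -e
    rm -f -- "$chan.pem" "$chan.bks" "$chan.jks"
    _channel_store android Android "$who.bks" "${bouncy_store[@]}"
    _channel_store "default java" "Default java" "$who.jks" "${default_store[@]}"
    # create openssl client keys -----------------------------------------------
    echo "creating $who openssl client keys..."
    # umask 077 in a subshell: the private key and the PEM bundle that contains
    # it are never created world-readable, and the caller's umask is untouched.
    ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
    # sign openssl client public key -------------------------------------------
    echo "signing $who openssl client public key..."
    openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 \
        -set_serial "0x$(openssl rand -hex 16)" -sha512 -out "$who.crt"
    ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
    chmod 600 "$who.pem"
    rm -f -- "$who.key" "$who.req" "$who.crt"
    printf '*-----\n* Client keys %s.pem successfully created.\n*-----\n' "$who"
}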
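# Create the server key pair and CA-signed certificate, bundle them into
# srv.pem (private key first, then certificate) and upload the bundle.
# srv.crt is deliberately left in place: channel() imports it into every
# client keystore. Reads global: ca. Requires $ca.key / $ca.crt.
srv() {
    set -e
    local who=srv
    [[ -e $ca.crt && -e $ca.key ]] || { echo "$ca keys not available."; exit 1; }
    rm -f -- "$who.pem" "$who.crt" "$who.key"
    # create server keys -------------------------------------------------------
    echo "creating $who server keys..."
    # umask 077 in a subshell: the private key and the PEM bundle that contains
    # it are never created world-readable, and the caller's umask is untouched.
    ( umask 077; openssl req -new -nodes -out "$who.req" -keyout "$who.key" -subj "/CN=$who" -newkey rsa:2048 -sha512 )
    # sign server public key ---------------------------------------------------
    echo "signing $who server public key..."
    # 128-bit random serial instead of $RANDOM (15 bits): serials must be
    # unique per issuer, and clients and server share this CA.
    openssl x509 -req -in "$who.req" -CAkey "$ca.key" -CA "$ca.crt" -days 9999 \
        -set_serial "0x$(openssl rand -hex 16)" -sha512 -out "$who.crt"
    ( umask 077; cat "$who.key" "$who.crt" > "$who.pem" )
    chmod 600 "$who.pem"
    rm -f -- "$who.key" "$who.req"
    # upload server keys -------------------------------------------------------
    echo "uploading $who server keys..."
    # srv.pem carries the server's private key: whatever transport up() ends
    # up using must preserve the 0600 mode and deliver only to the server host.
    up "$who.pem"
    printf '*-----\n* Server keys %s.pem successfully created and uploaded.\n*-----\n' "$who"
}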
# Publish artifact $1 (the CA certificate from ca(), or srv.pem from srv()).
# Currently a stub that only prints a marker; the commented scp is the
# intended transport. When it is enabled, keep `-p` (srv.pem must stay
# 0600 because it contains the server private key) and restrict the
# destination directory to the server operator.
up() {
    # scp -p "$1" hh@hal.hh.cz:/L/dejsem/ssl/
    printf '%s\n' "--->DUMMY UPLOAD<---"
}

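# Common name of the private CA; also the base name of its key/cert files.
ca=dejCA
# bcprov 149+ provides the special "BKS-V1" KeyStore type for backward
# compatibility (the BKS format that the Android client expects).
jar=bcprov-jdk15on-150.jar
[[ -e $jar ]] || { echo "Bouncy Castle $jar not found in current dir"; exit 1; }
if [[ $1 == CA ]]; then
    ca
    srv
else
    # Accept decimal digits only. With a bare `declare -i n=10#$1` a
    # non-numeric argument makes the assignment fail with just a warning,
    # leaves n empty and the branch carries on (it can end up as channel 00).
    [[ $1 =~ ^[0-9]+$ ]] || { echo "needed 0 <= channel# < 100"; exit 1; }
    # 10# forces base 10 so a leading zero ("08") is not read as octal.
    declare -i n=10#$1
    if (( n > 99 || n < 0 )); then
        echo "needed 0 <= channel# < 100"
        exit 1
    fi
    chan=$(printf %02d "$n")
    channel
fi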
