#!/bin/sh

# config_load / config_get / config_foreach come from the system helper
# library; nothing below works without it.
. /etc/functions.sh

# Command prefix for generating a key and a request in one openssl call.
# It is expanded unquoted on purpose so that it splits into command + args.
OPENSSL="openssl req -newkey"

# Upper bound on "usercertificate" entries in the certificate UCI config.
MAX_CNT=256

# Scratch files. NOTE(review): these are fixed, predictable paths under /var
# and the private key passes through KEY_OUT; mktemp-based names would be
# preferable if /var is writable by anyone other than the owner of this script.
KEY_OUT="/var/tmp_key_file.pem"
REQ_OUT="/var/newreq.pem"
TMP_OPENSSL_CONF="/var/tmp_openssl.conf"
TMP_REQ_EXTENSION="/var/req_extension"

# System OpenSSL config, and the name of the request-extension section that
# is appended to a private copy of it when a subjectAltName is requested.
SSL_CFG="/etc/ssl/openssl.cnf"
REQ_EXT_WORD="req_ext"

# Extra openssl arguments ("-reqexts req_ext" or empty); set per request.
strExt=""

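#######################################
# Build the "csubject" summary stored in UCI from the subject fields that
# config_get has already placed in the shell environment (country, state,
# location, organization, organization_unit, common_name, e_mail).
# Empty fields are skipped. The first component keeps a leading space so
# that the stored value has the same shape as before.
# Outputs:   the summary on stdout
#######################################
_cert_csubject() {
	local summary=""
	[ -n "$country" ] && summary=" /C=$country"
	[ -n "$state" ] && summary="$summary/ST=$state"
	[ -n "$location" ] && summary="$summary/L=$location"
	[ -n "$organization" ] && summary="$summary/O=$organization"
	[ -n "$organization_unit" ] && summary="$summary/OU=$organization_unit"
	[ -n "$common_name" ] && summary="$summary/CN=$common_name"
	[ -n "$e_mail" ] && summary="$summary/emailAddress=$e_mail"
	printf '%s\n' "$summary"
}

#######################################
# Generate an RSA key and certificate request for one ipsec_cer_config
# section, install them under /etc/ipsec.d, register the entry in the
# "certificate" UCI config and optionally hand it to /sbin/signcert.
# Globals:   OPENSSL KEY_OUT REQ_OUT SSL_CFG TMP_REQ_EXTENSION
#            TMP_OPENSSL_CONF REQ_EXT_WORD MAX_CNT (read); strExt (written)
# Arguments: $1 - ipsec_cer_config section name
# Outputs:   progress via `json -f /var/cert.json set newcert status=...`
# Returns:   99 if the section is not flagged new=1, if MAX_CNT entries
#            already exist, or if no request file was produced; 1 if the
#            key/request could not be installed; otherwise 0 (or the exit
#            status of signcert when selfsign=enable)
#######################################
cert_create() {
	local section="$1"
	local cursub num ssl_cfg_path

	config_load ipsec_cer_config
	config_get new "$section" new

	# Sections not flagged new=1 are skipped with the same code (99) that
	# signals a failure below, so config_foreach callers cannot tell them apart.
	if [ "$new" != "1" ]; then
		return 99
	fi

	# Enforce the entry limit before any key material is generated, so a
	# rejected request leaves nothing behind in /var or /etc/ipsec.d.
	num=$(uci show certificate | grep -c usercertificate)
	if [ "$num" -ge "$MAX_CNT" ]; then
		json -f /var/cert.json set newcert status=maxcertexceed
		return 99
	fi

	config_get id_type "$section" id_type
	config_get id_value "$section" id_value
	config_get organization_unit "$section" organization_unit
	config_get organization "$section" organization
	config_get location "$section" location
	config_get state "$section" state
	config_get common_name "$section" common_name
	config_get country "$section" country
	config_get e_mail "$section" e_mail
	config_get key_size "$section" key_size
	config_get selfsign "$section" selfsign

	# A subjectAltName request extension is appended to a private copy of the
	# system OpenSSL config; id_type "none" means no extension at all.
	# NOTE(review): id_value and the subject fields are written verbatim into
	# that config and into -subj, so a value containing a newline or '/'
	# changes the request; validate them where the UCI values are set.
	if [ "$id_type" = "domainname" ]; then
		printf '[ %s ]\nsubjectAltName=@alt_names\n[ alt_names ]\nDNS.1    = %s\n' \
			"$REQ_EXT_WORD" "$id_value" > "$TMP_REQ_EXTENSION"
		cat "$SSL_CFG" "$TMP_REQ_EXTENSION" > "$TMP_OPENSSL_CONF"
		ssl_cfg_path="$TMP_OPENSSL_CONF"
		strExt="-reqexts $REQ_EXT_WORD"
	elif [ "$id_type" != "none" ]; then
		printf '[ %s ]\nsubjectAltName=%s:%s\n' \
			"$REQ_EXT_WORD" "$id_type" "$id_value" > "$TMP_REQ_EXTENSION"
		cat "$SSL_CFG" "$TMP_REQ_EXTENSION" > "$TMP_OPENSSL_CONF"
		ssl_cfg_path="$TMP_OPENSSL_CONF"
		strExt="-reqexts $REQ_EXT_WORD"
	else
		ssl_cfg_path="$SSL_CFG"
		# strExt is global: reset it so a -reqexts from an earlier section
		# processed by config_foreach does not leak into this one.
		strExt=""
	fi

	# Start from a clean slate: a stale request file from an earlier run would
	# otherwise satisfy the existence check below. The key file is pre-created
	# with owner-only permissions; openssl truncates and reuses it, so the
	# private key is never world-readable while it sits in /var.
	rm -f "$KEY_OUT" "$REQ_OUT"
	( umask 077; : > "$KEY_OUT" )

	# NOTE(review): the key passphrase is derived from the section name and
	# passed on the command line, where it is visible in the process list. It
	# is kept unchanged here because other tooling presumably decrypts the key
	# with the same value — confirm before changing the scheme.
	# $OPENSSL and $strExt are intentionally unquoted: they hold argument lists.
	# shellcheck disable=SC2086
	$OPENSSL "rsa:$key_size" -keyout "$KEY_OUT" -out "$REQ_OUT" \
		-passout "pass:X509_Password_$section" -config "$ssl_cfg_path" \
		-subj "/C=$country/ST=$state/L=$location/O=$organization/OU=$organization_unit/CN=$common_name/emailAddress=$e_mail" \
		$strExt

	# An empty request file is as unusable as a missing one.
	if [ ! -s "$REQ_OUT" ]; then
		json -f /var/cert.json set newcert status=reqfileinvalid
		rm -f "$KEY_OUT" "$REQ_OUT"
		if [ "$ssl_cfg_path" != "$SSL_CFG" ]; then
			rm -f "$TMP_OPENSSL_CONF" "$TMP_REQ_EXTENSION"
		fi
		return 99
	fi

	json -f /var/cert.json set newcert status=success

	# The merged config was only needed for the openssl run above.
	if [ "$ssl_cfg_path" != "$SSL_CFG" ]; then
		rm -f "$TMP_OPENSSL_CONF" "$TMP_REQ_EXTENSION"
	fi

	cursub=$(_cert_csubject)

	# Install key and request; on failure nothing is registered in UCI and the
	# scratch copies are removed so no key material is left behind.
	if ! cp "$KEY_OUT" "/etc/ipsec.d/private/private_key_$section.pem" ||
	   ! cp "$REQ_OUT" "/etc/ipsec.d/certs/$section.pem"; then
		rm -f "$KEY_OUT" "$REQ_OUT"
		return 1
	fi
	rm -f "$KEY_OUT" "$REQ_OUT"

	uci set "certificate.$section=usercertificate"
	uci set "certificate.$section.issuer="
	uci set "certificate.$section.csubject=$cursub"
	uci set "certificate.$section.subject=$common_name"
	uci set "certificate.$section.from="
	uci set "certificate.$section.to="
	uci set "certificate.$section.status=Requesting"

	# Clear the new flag so a later config_foreach run does not redo this section.
	uci set "ipsec_cer_config.$section.new=0"
	uci commit ipsec_cer_config

	if [ "$selfsign" = "enable" ]; then
		config_get pass "$section" pass
		# Quoted so a password containing spaces reaches signcert as one
		# argument; it is nonetheless exposed in the process list as argv.
		/sbin/signcert "$section" "$pass" 1
	fi
}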

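# Entry point. With a section name as $1, that section is created (after being
# flagged new=1); without an argument every ipsec_cer_config section is visited.
config_load ipsec_cer_config

ret=0
if [ -n "$1" ]; then
	profile="$1"
	uci set "ipsec_cer_config.$profile=certificate-config"
	uci set "ipsec_cer_config.$profile.new=1"
	cert_create "$profile"
	ret=$?
else
	# cert_create returns 99 both for "not new" and for real failures, so the
	# per-section results cannot be aggregated here; whatever was set is committed.
	config_foreach cert_create
fi

# NOTE: a top-level 'return' only works when this file is sourced; what a
# shell does with it when the script is executed directly depends on the shell.
if [ "$ret" = "99" ]; then
	return 99
else
	uci commit certificate
fi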