#!/bin/sh

DIR_ETC=./etc/

HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
HOST_CONFIG_ROOT=${DIR_ETC}public/host/
USER_CONFIG_ROOT=${DIR_ETC}public/user/

# public key file
PUBKEY=$1
# certificate type: user/host
TYPE=$2
# config name
NAME=$3
# certificate validity duration
VALIDITY=$4
# principals for user cert
PRINCIPALS=$5
# certificate options
OPTS=$6

check_pubkey()
{
	if [ ! -f $PUBKEY ]; then
		echo "missing public key: $PUBKEY" >&2
		exit 2
	fi
}

check_ca_key()
{
	CA_PRIV=$1
	if [ ! -f $CA_PRIV ]; then
		echo "missing private CA key: $CA_PRIV" >&2
		exit 2
	fi
}

check_config()
{
	CONFIG_DIR=$1
	if [ ! -d $CONFIG_DIR ]; then
		echo "missing config: $CONFIG_DIR" >&2
		exit 3
	fi
}

user_cert()
{
	check_ca_key $USER_CA_PRIV
	USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
	check_config $USER_CONFIG
	if [ -z "$PRINCIPALS" ]; then
		echo "missing principals" >&2
		exit 4
	fi
	if [ -z "$VALIDITY" ]; then
		echo "missing validity duration" >&2
		exit 4
	fi
  if ls $USER_CONFIG/*-cert.pub 2>/dev/null > /dev/null ; then
    SERIAL=$(( $( ls $USER_CONFIG/*-cert.pub | wc -l ) + 1 ))
  else
    SERIAL=1
  fi
  TS=$( date '+%Y%m%d%H%M.%S' )
  CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
  USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
  # copy key
  cp -f "$PUBKEY" "$USER_PUB_KEY"

  echo "Generate user certificate"
  echo "  key: $PUBKEY"
  echo "  serial: $SERIAL"
  echo "  ID: $CERT_ID"
  echo "  principals: $PRINCIPALS"
  echo "  validity: $VALIDITY"

	ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" -O "$OPTS" -V "$VALIDITY" -z "$SERIAL" "$USER_PUB_KEY"
  # TODO copy cert
  # TODO displqy certificate
}

host_cert()
{
	check_ca_key $HOST_CA_PRIV
	HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
	check_config $HOST_CONFIG
}

check_pubkey
case $TYPE in
	"user")
		user_cert
		;;
	"host")
		host_cert
		;;
	*)
		echo "unknown certificate type" >&2
		exit 1
		;;
esac