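#!/bin/sh
# Sign an SSH user or host certificate with the local CA keys.
#
# Usage: sign.sh TYPE NAME [PRINCIPALS] [VALIDITY] [OPTS]
#   TYPE        "user" or "host" -- selects the CA key and the config root
#   NAME        certificate subject; names a directory under the config root
#   PRINCIPALS  required for user certs (intended for ssh-keygen -n)
#   VALIDITY    required for user certs (intended for ssh-keygen -V)
#   OPTS        extra certificate options (intended for ssh-keygen -O);
#               currently read but not used
#
# Exit status: 1 unknown type, 2 missing CA private key,
#              3 missing config directory, 4 missing or invalid argument.
#
# All paths are relative to the working directory (DIR_ETC=./etc/), so the
# script must be run from the directory that contains etc/.

set -u

DIR_ETC=./etc/
HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
HOST_CONFIG_ROOT=${DIR_ETC}public/host/
USER_CONFIG_ROOT=${DIR_ETC}public/user/

# Positional parameters default to empty so that `set -u` does not abort
# before the explicit "missing ..." checks below can report them.
TYPE=${1-}
NAME=${2-}
PRINCIPALS=${3-}
VALIDITY=${4-}
# shellcheck disable=SC2034  # reserved for the ssh-keygen -O option(s)
OPTS=${5-}

# Abort with exit 2 unless the CA private key $1 exists as a regular file.
check_ca_key() {
  if [ ! -f "$1" ]; then
    printf '%s\n' "missing private CA key: $1" >&2
    exit 2
  fi
}

# Abort with exit 3 unless the per-name config directory $1 exists.
check_config() {
  if [ ! -d "$1" ]; then
    printf '%s\n' "missing config: $1" >&2
    exit 3
  fi
}

# Abort with exit 4 unless $1 is a single, non-empty path component.
# NAME is concatenated onto the config root: an empty value would silently
# select the root directory itself, and a value containing "/" (or "..")
# would resolve outside the config root.
check_name() {
  case $1 in
    ''|.|..|*/*)
      printf '%s\n' "missing or invalid name: $1" >&2
      exit 4
      ;;
  esac
}

# Validate the inputs for a user certificate, then sign it.
user_cert() {
  printf '%s\n' "user certificate"
  check_ca_key "$USER_CA_PRIV"
  check_name "$NAME"
  USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
  check_config "$USER_CONFIG"
  if [ -z "$PRINCIPALS" ]; then
    printf '%s\n' "missing principals" >&2
    exit 4
  fi
  if [ -z "$VALIDITY" ]; then
    printf '%s\n' "missing validity duration" >&2
    exit 4
  fi
  # ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
  #   [-n principals] [-O option] [-V validity_interval]
  #   [-z serial_number] file ...
  # TODO: placeholder -- the call below is not yet wired to the parameters
  # above (CA key, NAME, PRINCIPALS, VALIDITY, OPTS) and the public key
  # file to sign has not been located under $USER_CONFIG.
  ssh-keygen
}

# Validate the inputs for a host certificate. Signing is not implemented yet.
host_cert() {
  printf '%s\n' "host certificate"
  check_ca_key "$HOST_CA_PRIV"
  check_name "$NAME"
  HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
  check_config "$HOST_CONFIG"
  # TODO: host signing (ssh-keygen -h -s "$HOST_CA_PRIV" ...) not implemented.
}

case $TYPE in
  user) user_cert ;;
  host) host_cert ;;
  *)
    printf '%s\n' "unknown certificate type" >&2
    exit 1
    ;;
esac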