#! /bin/bash
# Copyright (C) 2008, 2009, 2011 Red Hat, Inc.  All rights reserved.
#
# This copyrighted material is made available to anyone wishing to use, modify,
# copy, or redistribute it subject to the terms and conditions of the GNU
# General Public License v.2.  This program is distributed in the hope that it
# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.  You should have
# received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
# Floor, Boston, MA 02110-1301, USA.  Any Red Hat trademarks that are
# incorporated in the source code or documentation are not subject to the GNU
# General Public License and may only be used or replicated with the express
# permission of Red Hat, Inc.
#
# Red Hat Author: Miloslav Trmac <mitr@redhat.com>

mkdir -p ~/.sigul
cd ~/.sigul
if [ ! -f cert8.db ]; then
    echo ----------------------------------------
    echo 'Creating a NSS database.'
    echo ' Choose a NSS database password, which will be necessary to use the '
    echo ' sigul client.'
    echo ----------------------------------------
    certutil -d . -N
elif certutil -d . -L -n sigul-client-cert &> /dev/null; then
    echo ----------------------------------------
    echo 'You already have a sigul-client-cert certificate configured.'
    echo
    echo 'This script will not automatically replace it.  If you want to do so,'
    echo 'run the following command manually to remove the existing'
    echo 'certificate:'
    echo '    certutil -d ~/.sigul -D -n sigul-client-cert'
    echo 'Then rerun sigul_setup_client to import a new certificate.'
    echo ----------------------------------------
    exit 1
fi

nss_password_file=''
if [ -f client.conf ]; then
    sed -n 's/^[ \t]*nss-password:[ \t]*\(.*\)$/\1/p' client.conf > nss-password
    if [ -s nss-password ]; then
	trap 'shred -u nss-password' 0
	nss_password_file=nss-password
	echo ----------------------------------------
	echo 'Using NSS database password from ~/.sigul/client.conf'
	echo ----------------------------------------
    else
	rm nss-password
    fi
fi

echo ----------------------------------------
echo 'Importing CA certificate'
echo ----------------------------------------
certutil ${nss_password_file:+-f} $nss_password_file -d . \
    -A -n fedora-ca -t TC,, -a < ~/.fedora-server-ca.cert

echo ----------------------------------------
echo 'Importing user certificate.'
echo ' Choose an "export password".  You will only need to remember it until'
echo ' this script finishes.'
echo ----------------------------------------
openssl pkcs12 -export -out client.pem -in ~/.fedora.cert \
    -name sigul-client-cert
echo ----------------------------------------
if [ -z "$nss_password_file" ]; then
    echo ' When prompted for '\''Password or Pin for "NSS Certificate DB",'
    echo ' enter the NSS database password.'
    echo
fi
echo ' When prompted for "password for PKCS12 file", enter the "export'
echo ' password".'
echo ----------------------------------------
pk12util ${nss_password_file:+-k} $nss_password_file -d . -i client.pem
shred -u client.pem

if [ -f client.conf ]; then
    echo ----------------------------------------
    echo '~/.sigul/client.conf exists, not replacing it.'
    if [ -z "$nss_password_file" ]; then
	echo 'Edit [nss] nss-password if necessary.'
    fi
    echo ----------------------------------------
else
    echo ----------------------------------------
    echo -n 'Enter the NSS database password again: '
    stty -echo
    read -r nss_pw
    stty echo
    echo
    echo ----------------------------------------
    cat > client.conf <<EOF
[nss]
nss-password: $nss_pw
EOF
fi

echo 'Done.'
