#!/bin/ksh
#
# ident	"@(#)certtool.sh	1.1	05/08/18 SMI"
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#######################################
# Print the help text for this wrapper to stdout.
# Globals:   none written; reads $0 for the program name
# Arguments: none
# Outputs:   the help text, one blank line before and after
# Returns:   0
#######################################
usage() {
cat <<EOF

**           SMC Certificate Tool          **

This is a wrapper over Java Keytool Utillity used to manage
SMC's Keystore required for SSL communication.

Please consult JDK Security Tool Documentation for more info
on KeyTool.

"$(basename "$0")" accepts a subset of the options in KeyTool. The
following options are restricted:

    "-keystore" "-storetype" "-storepass" "-keypass"
    "-alias" "-provider"

In addition only the following operations are supported

-import -file <cert.file>
        Imports a trusted certificate/certificate chain into SMC's
        keystore. This is typically used to import a certificate
        reply received from a CA as the result of submitting a
        Certificate Signing Request

-list <-rfc | -v>
        Prints the contents of SMC Server's keystore. If the -v
        option is specified, the certificate is printed in
        human-readable format. If the -rfc option is specified
        certificate contents are printed using the printable
        encoding format

-genkey [-keyalg <alg>] [-keysize <number>] [-validity <no of days>]
        Generates a key pair (a public key and associated private key).
        Wraps the public key into an X.509 v1 self-signed certificate,
        which is stored as a single-element certificate chain.

        This entry is subsequently used by the SMC Server in all SSL
        communications.  -keyalg defaults to RSA, -keysize defaults to
        1024 and -validity defaults to 365.

-certreq -file <output certreq file>
        Generates a Certificate Signing Request (CSR), using the PKCS#10
        format.
        A CSR is intended to be sent to a certificate authority (CA).
        The CA will authenticate the certificate requestor and will
        return a certificate or certificate chain, used to replace the
        existing self-signed certificate chain (generated via -genkey
        as above) in the keystore.

EOF
}

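#######################################
# Fixed locations and credentials used for every keytool invocation.
#######################################
PROPDIR=/var/sadm/smc/properties
KEYSTORE=$PROPDIR/.server
KEYTOOL=/usr/bin/keytool
ALIAS=smcserverkey
# The keystore and key passwords are fixed, well-known values and are handed
# to keytool on its command line, so they show up in ps(1) output for the
# lifetime of every keytool run.  The permissions on $KEYSTORE are the real
# protection, which is why -genkey below creates the file under umask 077.
# NOTE(review): later keytool releases accept -storepass:env/-storepass:file
# (and the -keypass equivalents); confirm the installed JDK supports them
# before switching to them.
KEYPASS=passphrase
STOREPASS=passphrase
PROG=$(basename "$0")

#######################################
# Refuse any argument that mentions an option this wrapper sets itself.
# Each argument is inspected on its own (no echo | egrep pipeline, so echo's
# escape handling cannot alter what is matched).  The test is deliberately a
# substring match, as it always was: it may falsely reject a harmless value
# such as a -file path containing "alias", but it never lets a reserved
# option through.
#######################################
for arg in "$@"
do
	case "$arg" in
	*keystore*|*storetype*|*storepass*|*keypass*|*alias*|*provider*)
		echo ""
		echo "The options \"-keystore\",\"-storetype\",\"-storepass\",\"-keypass\""
		echo "            \"-alias\",\"-provider\""
		echo "must not be specified"
		echo ""
		exit 1
		;;
	esac
done

# The properties directory must exist before keytool can create or open the
# keystore inside it.  Creating it normally needs root.
if [[ ! -d "$PROPDIR" ]]
then
	mkdir -p "$PROPDIR" || {
		echo ""
		echo "Unable to create SMC Server's properties directory."
		echo "You should run this script as root."
		echo ""
		exit 1
	}
fi

# Every operation except -genkey (which creates the keystore) and the no-argument
# help case requires an existing keystore.
case "$1" in
-genkey|"")
	;;
*)
	if [[ ! -f "$KEYSTORE" ]]
	then
		echo ""
		echo "SMC Server's Keystore does not exist. Please initialize via"
		echo "$PROG -genkey"
		echo ""
		echo "Execute $PROG without options for more help"
		echo ""
		exit 1
	fi
	;;
esac

# rc carries keytool's exit status out of the script so callers can detect a
# failed import/list/genkey/certreq; the trailing blank line used to hide it.
rc=0
case "$1" in
-import)
	$KEYTOOL "$@" -alias "$ALIAS" -trustcacerts -v -keystore "$KEYSTORE" -keypass "$KEYPASS" -storepass "$STOREPASS"
	rc=$?
	;;

-list)
	$KEYTOOL "$@" -alias "$ALIAS" -keystore "$KEYSTORE" -keypass "$KEYPASS" -storepass "$STOREPASS"
	rc=$?
	;;

-genkey)
	if [[ ! -w "$PROPDIR" ]]
	then
		echo ""
		echo "SMC Server properties directory is not writable."
		echo "You should run this script as root."
		echo ""
		exit 1
	fi

	# Supply the documented defaults for any key parameter the caller left
	# out.  "$*" is tested in the shell instead of being piped through grep,
	# so the argument list is no longer echoed to stdout as a side effect.
	# NOTE(review): 1024-bit RSA is below current guidance (2048 or more); the
	# default is kept because usage() documents it -- pass -keysize explicitly.
	ALGOPTS=
	case "$*" in *keyalg*) ;; *) ALGOPTS="-keyalg RSA" ;; esac
	case "$*" in *keysize*) ;; *) ALGOPTS="$ALGOPTS -keysize 1024" ;; esac
	case "$*" in *validity*) ;; *) ALGOPTS="$ALGOPTS -validity 365" ;; esac

	# The original passed the never-assigned $CMDLINE here, so the defaults
	# computed into ALGOPTS were silently dropped and keytool's own defaults
	# applied instead.  The subshell's umask makes keytool create the keystore
	# owner-only from the start instead of leaving a window before chmod.
	# shellcheck disable=SC2086 -- ALGOPTS is a deliberately word-split option list
	( umask 077; $KEYTOOL "$@" -alias "$ALIAS" $ALGOPTS -keystore "$KEYSTORE" -keypass "$KEYPASS" -storepass "$STOREPASS" -v )
	rc=$?
	# 600 rather than 700: the keystore is data and is never executed.
	[[ -f "$KEYSTORE" ]] && chmod 600 "$KEYSTORE"
	;;

-certreq)
	# $CMDLINE was never assigned in the original; it is dropped here.
	$KEYTOOL "$@" -alias "$ALIAS" -keystore "$KEYSTORE" -keypass "$KEYPASS" -storepass "$STOREPASS" -v
	rc=$?
	;;

*)
	usage
	;;
esac
echo ""
exit $rc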
