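#!/bin/sh
#
# Creates the CA, server and client certs to be used by tls_test.go
# http://www.rabbitmq.com/ssl.html
#
# Copy stdout into the const section of tls_test.go or use for RabbitMQ
#
# Layout (all under $PWD/certs):
#   ca/      CA key, cert and the `openssl ca` database (index.txt, serial)
#   server/  key.pem, req.pem, cert.pem for CN=127.0.0.1 / O=server
#   client/  key.pem, req.pem, cert.pem for CN=127.0.0.1 / O=client
#
# Abort on the first failing command or unset variable: a half-built CA
# would otherwise still print an (incomplete) const section to stdout.
set -eu

# Quoted everywhere below so a checkout path containing spaces still works.
root="$PWD/certs"

# The CA database cannot be reused safely (serial would clash); refuse to
# run on top of a previous run instead of corrupting it.
if [ -f "$root/ca/serial" ]; then
  echo >&2 "Previous installation found"
  echo >&2 "Remove $root/ca and rerun to overwrite"
  exit 1
fi

mkdir -p "$root/ca/private" "$root/ca/certs" "$root/server" "$root/client"

cd "$root/ca" || exit 1

# Only the owner may reach the CA private key directory.
chmod 700 private
touch index.txt
echo 'unique_subject = no' > index.txt.attr
echo '01' > serial

# Quoted delimiter: `$dir` must reach openssl literally, it is expanded by
# openssl's config parser, not by the shell.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = testca

[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 3650
# sha256: SHA-1 signed certificates are rejected by current TLS stacks
# (Go's crypto/x509 refuses to verify them since Go 1.18), which would make
# the generated fixtures fail the very test they are meant for.
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
# id-kp-clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ca_extensions ]
basicConstraints = CA:false
# digitalSignature is required for (EC)DHE key exchange, where the server
# signs the handshake; keyEncipherment alone only covers RSA key transport.
keyUsage = digitalSignature, keyEncipherment
# id-kp-serverAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 127.0.0.1
EOF

# Self-signed CA; key goes to ./private/cakey.pem via default_keyfile.
# -nodes: unencrypted key, acceptable for throwaway test fixtures only.
openssl req \
  -x509 \
  -nodes \
  -config openssl.cnf \
  -newkey rsa:2048 \
  -days 3650 \
  -subj "/CN=MyTestCA/" \
  -out cacert.pem \
  -outform PEM

# DER copy of the CA cert for consumers that cannot read PEM.
openssl x509 \
  -in cacert.pem \
  -out cacert.cer \
  -outform DER

openssl genrsa -out "$root/server/key.pem" 2048
openssl genrsa -out "$root/client/key.pem" 2048
# Do not rely on openssl/umask defaults for private key permissions.
chmod 600 "$root/server/key.pem" "$root/client/key.pem"

openssl req \
  -new \
  -nodes \
  -config openssl.cnf \
  -subj "/CN=127.0.0.1/O=server/" \
  -key "$root/server/key.pem" \
  -out "$root/server/req.pem" \
  -outform PEM

openssl req \
  -new \
  -nodes \
  -config openssl.cnf \
  -subj "/CN=127.0.0.1/O=client/" \
  -key "$root/client/key.pem" \
  -out "$root/client/req.pem" \
  -outform PEM

# -batch: no interactive confirmation; -notext: PEM only, no dumped text.
openssl ca \
  -config openssl.cnf \
  -in "$root/server/req.pem" \
  -out "$root/server/cert.pem" \
  -notext \
  -batch \
  -extensions server_ca_extensions

openssl ca \
  -config openssl.cnf \
  -in "$root/client/req.pem" \
  -out "$root/client/cert.pem" \
  -notext \
  -batch \
  -extensions client_ca_extensions

# Emit Go raw-string constants. The escaped backticks are literal in the
# output; $(cat ...) drops the PEM's trailing newline exactly as the
# original backtick substitution did.
cat <<END
const caCert = \`
$(cat "$root/ca/cacert.pem")
\`

const serverCert = \`
$(cat "$root/server/cert.pem")
\`

const serverKey = \`
$(cat "$root/server/key.pem")
\`

const clientCert = \`
$(cat "$root/client/cert.pem")
\`

const clientKey = \`
$(cat "$root/client/key.pem")
\`
END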