#! /bin/sh
#
#
# Copyright 2000-2007 Double Precision, Inc.  See COPYING for
# distribution information.
#
# This is a short script to q`uickly generate a self-signed X.509 key for
# ESMTP STARTTLS.  Normally this script would get called by an automatic
# package installation routine.

CERTNAME=$(basename $0 | sed -e 's/^mk//;s/cert$//')

PEMFILE="$1"

if [ -z "$PEMFILE" ]; then
	PEMFILE=/etc/courier/$CERTNAME.pem
fi

if test "gnutls" = "openssl"
then
	test -x /usr/bin/openssl || exit 0
else
	test -x /usr/bin/certtool || exit 0
fi

if test -f "$PEMFILE"
then
	echo "$PEMFILE already exists."
	exit 1
fi

cleanup() {
	rm -f "$PEMFILE".rand
	rm -f "$PEMFILE"
	rm -f "$PEMFILE".key
	rm -f "$PEMFILE".cert
	exit 1
}

cd /etc/courier
umask 077
BITS="$BITS"
set -e

install -b -m 600 -o "courier" /dev/null "$PEMFILE"

if test "gnutls" = "openssl"
then
	dd if=/dev/urandom of="$PEMFILE".rand count=1 2>/dev/null
	/usr/bin/openssl req -new -x509 -days 365 -nodes \
	          -config "/etc/courier/$CERTNAME.cnf" -out "$PEMFILE" -keyout "$PEMFILE" || cleanup
	/usr/bin/openssl dhparam -2 -rand "$PEMFILE".rand 512 >>"$PEMFILE" || cleanup
	/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in "$PEMFILE" || cleanup
	rm -f "$PEMFILE".rand
else
	if test "$BITS" = ""
	then
		BITS="high"
	fi

	install -b -m 600 -o "courier" /dev/null "$PEMFILE".key
	install -v -m 600 -o "courier" /dev/null "$PEMFILE".cert

	/usr/bin/certtool --generate-privkey --sec-param=$BITS --outfile "$PEMFILE".key || cleanup
	/usr/bin/certtool --generate-self-signed --load-privkey "$PEMFILE".key --outfile "$PEMFILE".cert --template "/etc/courier/$CERTNAME.cnf" || cleanup

	cat "$PEMFILE".key "$PEMFILE".cert >"$PEMFILE"
	rm -f "$PEMFILE".key "$PEMFILE".cert
fi
