#!/bin/sh

. /etc/functions.sh
# openssl invocations used below; these are intentionally word-split when
# expanded (command plus options in one variable).
OPENSSL='openssl req -new'
OPENSSLCA='openssl ca -create_serial'
OPENSSL_X509='openssl x509'

# Where the generated Root CA material ends up.
KEY_OUT='/etc/ipsec.d/private/RootCA.pem'
CA_OUT='/etc/ipsec.d/cacerts/RootCA.crt'

# Scratch files. REQ_OUT is a fixed name under /tmp: the CSR holds no secret,
# but a pre-existing file or symlink of that name would be written through —
# worth switching to mktemp if /tmp is shared with other users on the target.
REQ_OUT='/tmp/RootCAreq.pem'
CA_OUTPUT='/var/tmp_ca_output'

# Not referenced anywhere in the visible part of this file; kept for callers
# or sourced scripts that may rely on them.
SSL_CFG='/etc/ssl/openssl.cnf'
TMP_REQ_EXTENSION='/var/req_extension'
TMP_OPENSSL_CONF='/var/tmp_openssl.conf'
REQ_EXT_WORD='req_ext'
strExt=''

# Refuse to regenerate when a Root CA record already exists in uci and is not
# in the transient "Requesting" state; report that through /var/cert.json.
RootCA_status=$(uci -c /etc/config/ get certificate.RootCA.status)
if [ -n "$RootCA_status" ] && [ "$RootCA_status" != "Requesting" ]; then
  json -f /var/cert.json set ca status=duplicated
  # Top-level `return`: this only behaves as an early exit when the file is
  # sourced (`. script`); when executed directly the effect is shell-dependent
  # — confirm how the caller invokes this script.
  return 0
fi

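#######################################
# Generate a new self-signed Root CA for IPsec and record it in uci.
# Globals:   reads OPENSSL, OPENSSLCA, OPENSSL_X509, KEY_OUT, REQ_OUT, CA_OUT,
#            CA_OUTPUT; writes the uci section certificate.RootCA and the
#            "ca.status" field of /var/cert.json
# Arguments: $1 - passphrase protecting the generated CA private key
# Outputs:   openssl/uci diagnostics on stderr (not captured)
# Returns:   always 0; success ("success") or failure ("certfileinvalid") is
#            reported only through /var/cert.json
#######################################
cacert_create() {
  config_load ipsec_cer_config
  config_get organization_unit RootCA organization_unit
  config_get organization RootCA organization
  config_get location RootCA location
  config_get state RootCA state
  config_get common_name RootCA common_name
  config_get country RootCA country
  config_get e_mail RootCA e_mail
  # NOTE(review): key_size is read but never passed to openssl, so the key
  # length falls back to openssl's default — confirm whether that is intended.
  config_get key_size RootCA key_size

  # Subject DN in openssl's slash-separated form. Field values are not
  # escaped; a '/' inside any configured value would split the DN.
  subj="/C=$country/ST=$state/L=$location/O=$organization"
  subj="$subj/OU=$organization_unit/CN=$common_name/emailAddress=$e_mail"

  # Move the previous CA aside so it can be restored if generation fails,
  # then reset the database that `openssl ca` keeps under newcerts/.
  mv "$CA_OUT" "$CA_OUT.bak"
  mv "$KEY_OUT" "$KEY_OUT.bak"
  rm -f /etc/ipsec.d/newcerts/index.txt /etc/ipsec.d/newcerts/serial
  touch /etc/ipsec.d/newcerts/index.txt
  echo 01 > /etc/ipsec.d/newcerts/serial

  # Hand the passphrase to openssl through the environment instead of
  # `pass:$1` on argv, where any local process could read it via ps(1) or
  # /proc/*/cmdline. It is unset again as soon as openssl is done with it.
  CACERT_PASSPHRASE="$1"
  export CACERT_PASSPHRASE
  # shellcheck disable=SC2086 -- $OPENSSL/$OPENSSLCA carry options and rely
  # on word-splitting. The key is written inside a subshell under umask 077
  # so that a permissive umask inherited from the caller cannot leave the
  # CA private key readable by other users.
  ( umask 077 && $OPENSSL -keyout "$KEY_OUT" -out "$REQ_OUT" \
      -passout env:CACERT_PASSPHRASE -subj "$subj" )
  # shellcheck disable=SC2086
  $OPENSSLCA -out "$CA_OUT" -days 3650 -batch -keyfile "$KEY_OUT" \
    -passin env:CACERT_PASSPHRASE -selfsign -extensions v3_ca -infiles "$REQ_OUT"
  unset CACERT_PASSPHRASE

  # Summarise the new certificate; an empty summary means generation failed.
  # shellcheck disable=SC2086
  $OPENSSL_X509 -in "$CA_OUT" -noout -issuer -subject -dates > "$CA_OUTPUT"

  if [ ! -s "$CA_OUTPUT" ]; then
    # Generation failed: put the previous CA back rather than leaving the
    # system with no Root CA and only the .bak copies on disk.
    [ -e "$CA_OUT.bak" ] && mv -f "$CA_OUT.bak" "$CA_OUT"
    [ -e "$KEY_OUT.bak" ] && mv -f "$KEY_OUT.bak" "$KEY_OUT"
    json -f /var/cert.json set ca status=certfileinvalid
    return 0
  fi

  # CN of issuer/subject, and the notBefore/notAfter values (the cut offsets
  # skip the "notBefore=" / "notAfter=" prefixes that x509 -dates prints).
  issuer=$(grep issuer "$CA_OUTPUT" | sed 's/^.*CN=//; s/\/.*//')
  subject=$(grep subject "$CA_OUTPUT" | sed 's/^.*CN=//; s/\/.*//')
  from=$(grep notBefore "$CA_OUTPUT" | cut -c 11-100)
  to=$(grep notAfter "$CA_OUTPUT" | cut -c 10-100)

  status="RootCA"
  name="RootCA"

  uci set "certificate.$name=trustca"
  uci set "certificate.$name.issuer=$issuer"
  uci set "certificate.$name.subject=$subject"
  uci set "certificate.$name.from=$from"
  uci set "certificate.$name.to=$to"
  uci set "certificate.$name.status=$status"

  # Success: drop the backups and the scratch summary, persist the uci
  # record and ask the IPsec daemon to re-read its CA certificates.
  rm -f "$CA_OUT.bak" "$KEY_OUT.bak" "$CA_OUTPUT"
  json -f /var/cert.json set ca status=success
  uci commit certificate
  ipsec whack --rereadcacerts
}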

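# Entry point: $1 is the passphrase for the new CA key. The guard below keeps
# the original meaning — proceed only when $1 is non-empty and is not the name
# of an existing non-empty file — but quotes $1 so a passphrase containing
# spaces or glob characters is no longer split before the test.
# NOTE(review): testing the passphrase with -s looks like it was meant to be a
# plain non-empty check (-n); confirm with the caller before simplifying.
config_load ipsec_cer_config

if [ -n "$1" ] && [ ! -s "$1" ]; then
  cacert_create "$1"
fi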