#!/bin/sh

. /etc/functions.sh
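# Import an uploaded trusted CA (optionally with its private key) into the
# "certificate" uci config and the /etc/ipsec.d/ directories.
#
# Arguments:
#   $1 - original filename of the upload; the part before the first '.'
#        becomes the uci section name and the on-disk certificate name
#   $2 - upload type: "0" CA certificate only, "1" PKCS#12 bundle,
#        "2" PEM certificate plus PEM private key
#   $3 - password for the PKCS#12 bundle / encrypted private key (types 1, 2)
#
# The uploader stages the files in $TEMP_CA (and $TEMP_KEY for type 2).
# Results are reported with `json set uploadca status=...` (presumably
# provided by /etc/functions.sh, sourced above).
# NOTE(review): the early exits use `return`, so this file is presumably
# sourced (`.`) by its caller rather than executed; when run directly the
# `return`s would not stop the script — confirm how it is invoked.
OPENSSL_X509="openssl x509"
TEMP_CA="/var/tmp_trust_ca.pem"
CA_OUTPUT="/var/tmp_ca_output"
MAX_CNT=32
TEMP_CERT="/var/certificate_tmp"
TEMP_KEY="/var/certificate_tmp_key"
TEMP_CERT_PKCS12="/var/certificate_tmp_pkcs12.pem"

# $1 comes from the upload form: quote it so it is not word-split or
# globbed, then keep only the part before the first '.'.
name=$(printf '%s\n' "$1" | cut -d. -f1)

# The name ends up in uci section names and in file paths under
# /etc/ipsec.d/, so reject anything outside [A-Za-z0-9_] (uci section names
# are limited to alphanumerics and '_' anyway).  This blocks path traversal
# through "/" or ".." in the uploaded filename.  Reported as cafileinvalid
# because no dedicated status value exists for a rejected name.
case "$name" in
	''|*[!A-Za-z0-9_]*)
		echo "Invalid certificate name"
		json set uploadca status=cafileinvalid
		return 0;
		;;
esac

# An existing entry that is not merely in "Requesting" state is not overwritten.
ca_status=$(uci -c /etc/config/ get "certificate.$name.status")
if [ -n "$ca_status" ] && [ "$ca_status" != "Requesting" ]; then
	json set uploadca status=duplicated
	return 0;
fi

if [ "$2" = "1" ]; then
	echo "CA Upload PKCS12" > /dev/console
	upload_pass="$3"
	# Probe with a deliberately wrong password ("test_" prefix): a genuine
	# PKCS#12 file answers "invalid password", anything else is not PKCS#12.
	# The output is kept in a variable instead of a fixed file in /tmp, and
	# the password goes through the environment (env:) rather than argv so
	# it is not visible in `ps`.
	pkcs12_check=$(PKCS12_PROBE_PASS="test_$upload_pass" \
		openssl pkcs12 -in "$TEMP_CA" -info -nodes -password env:PKCS12_PROBE_PASS 2>&1)
	printf '%s\n' "$pkcs12_check" | grep -q "invalid password" || {
		echo "Please upload PKCS12 file"
		json set uploadca status=cafileinvalid
		return 0;
	}
	# Unpack the bundle (-nodes: key written unencrypted) with the real password.
	UPLOAD_PASS="$upload_pass" \
		openssl pkcs12 -in "$TEMP_CA" -out "$TEMP_CERT_PKCS12" -nodes -password env:UPLOAD_PASS
	# No/empty output means the password did not unlock the bundle.
	[ -s "$TEMP_CERT_PKCS12" ] || {
		echo "Invalid Password"
		json set uploadca status=passwordinvalid
		return 0;
	}
	# Split the bundle into key and certificate; the certificate replaces
	# the uploaded bundle in $TEMP_CA for the common path below.
	rm -f "$TEMP_CA"
	openssl rsa -in "$TEMP_CERT_PKCS12" -out "$TEMP_KEY"
	openssl x509 -in "$TEMP_CERT_PKCS12" -out "$TEMP_CA"
elif [ "$2" = "2" ]; then
	echo "CA Upload Certificate and Private Key" > /dev/console
	upload_pass="$3"
	# grep -q also fails when the file is missing, which is treated as invalid.
	grep -q "BEGIN CERTIFICATE" "$TEMP_CA" || {
		echo "Invalid certificate."
		json set uploadca status=cafileinvalid
		return 0;
	}
	# Decrypt the uploaded key in place; the checks below inspect the result.
	# Password passed via env: instead of argv (see the PKCS#12 branch).
	UPLOAD_PASS="$upload_pass" \
		openssl rsa -inform PEM -outform PEM -in "$TEMP_KEY" -out "$TEMP_KEY" -passin env:UPLOAD_PASS
	grep -q "BEGIN RSA PRIVATE KEY" "$TEMP_KEY" || {
		echo "Invalid private key."
		json set uploadca status=keyfileinvalid
		return 0;
	}
	# A key still marked ENCRYPTED was not unlocked by the given password.
	grep -q "ENCRYPTED" "$TEMP_KEY" && {
		echo "Invalid Password"
		json set uploadca status=passwordinvalid
		return 0;
	}
fi

# Parse issuer, subject and validity; a file openssl cannot parse yields
# empty output, which is caught right after.
# shellcheck disable=SC2086 -- OPENSSL_X509 intentionally holds two words
$OPENSSL_X509 -in "$TEMP_CA" -noout -issuer -subject -dates > "$CA_OUTPUT"

if [ ! -s "$CA_OUTPUT" ]; then
	echo "CA file is invalid"
	json set uploadca status=cafileinvalid
	return 0;
fi

# Keep only the CN component of issuer and subject.
# NOTE(review): this relies on the legacy "/C=..../CN=..." one-line name
# format; newer openssl prints "CN = ..., ..." — confirm the shipped version.
issuer=$(grep issuer "$CA_OUTPUT" | sed -e 's/^.*CN=//' -e 's/\/.*//')
subject=$(grep subject "$CA_OUTPUT" | sed -e 's/^.*CN=//' -e 's/\/.*//')
# Strip the "notBefore=" / "notAfter=" prefixes printed by openssl.
from=$(grep notBefore "$CA_OUTPUT")
from=${from#notBefore=}
to=$(grep notAfter "$CA_OUTPUT")
to=${to#notAfter=}

# A self-signed certificate (issuer == subject) uploaded with a key is
# recorded as the RootCA; a bare CA upload (type "0") is always "OK".
if [ "$issuer" = "$subject" ] && [ "$2" != "0" ]; then
	status="RootCA"
else
	status="OK"
fi

# Count existing trustca sections; one is subtracted, presumably for the
# RootCA entry that the limit excludes (see the message below).
num=$(uci show certificate | grep -c trustca)
num=$((num - 1))
if [ "$num" -ge "$MAX_CNT" ]; then
	echo "The max entries of TRUST CA exclude ROOTCA is $MAX_CNT"
	json set uploadca status=entryexceed
	return 0;
fi

uci set "certificate.$name=trustca"
uci set "certificate.$name.issuer=$issuer"
uci set "certificate.$name.subject=$subject"
uci set "certificate.$name.from=$from"
uci set "certificate.$name.to=$to"
uci set "certificate.$name.status=$status"
uci set "certificate.$name.upload_type=$2"
uci commit certificate

# Install the files before asking the IKE daemon to reread its CA
# directory; rereading first would miss the certificate just imported.
cp "$TEMP_CA" "/etc/ipsec.d/cacerts/$name.crt"
if [ "$2" = "1" ] || [ "$2" = "2" ]; then
	cp "$TEMP_KEY" "/etc/ipsec.d/private/$name.pem"
fi

ipsec whack --rereadcacerts
echo "Import Success"
json set uploadca status=importsuccess

# Remove the staging files.  $TEMP_CERT_PKCS12 contains the unencrypted
# key and certificate (-nodes), so it must not be left behind.
# NOTE(review): $TEMP_KEY (plaintext private key) is still left in /var;
# remove it here too unless something downstream reads it — confirm.
rm -f "$TEMP_CA"
rm -f "$CA_OUTPUT"
rm -f "$TEMP_CERT_PKCS12"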
