#!/bin/sh
#
# Bootstrap script should be run only once. If there are already certificates
# generated, skip the execution.
#
cd `dirname $0`
if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
  exit 0
fi

#
#  This is a wrapper script to create default certificates when the
#  server starts via systemd. It should also ensure that the
#  permissions and owners are correct for the generated files. Once
# the certificates have been created, this file should be deleted.
#
#  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
#
umask 027
cd `dirname $0`

if [ ! -e random ]; then
  ln -sf /dev/urandom random
fi

make -h > /dev/null 2>&1

#
#  If we have a working "make", then use it.  Otherwise, run the commands
#  manually.
#
if [ "$?" = "0" ]; then
  make all
  ret=$?
  chown root:radiusd dh ca.* client.* server.*
  chmod 640 dh ca.* client.* server.*
  exit $ret
fi

#
#  The following commands were created by running "make -n", and edited
#  to remove the trailing backslash, and to add "exit 1" after the commands.
#
#  Don't edit the following text.  Instead, edit the Makefile, and
#  re-generate these commands.
#
if [ ! -e dh ]; then
  cp rfc3526-group-18-8192.dhparam dh
fi

if [ ! -e server.key ]; then
  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
  chmod g+r server.key
fi

if [ ! -e ca.key ]; then
  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
fi

if [ ! -e index.txt ]; then
  touch index.txt
fi

if [ ! -e serial ]; then
  echo '01' > serial
fi

if [ ! -e server.crt ]; then
  openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
fi

if [ ! -e server.p12 ]; then
  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
  chmod g+r server.p12
fi

if [ ! -e server.pem ]; then
  openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
  openssl verify -CAfile ca.pem server.pem || exit 1
  chmod g+r server.pem
fi

if [ ! -e ca.der ]; then
  openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi

if [ ! -e client.key ]; then
  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
  chmod g+r client.key
fi

if [ ! -e client.crt ]; then
  openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi

chown root:radiusd dh ca.* client.* server.*
chmod 640 dh ca.* client.* server.*
