#!/bin/bash

set -xe

cd $(dirname $0)

mkdir -p pki
cd pki

# Create a certificate authority that both the client side and the server side of
# the RPC protocol will use to authenticate the other side.
if [ ! -f garage-ca.key ]; then
    echo "Generating Garage CA keys..."
	openssl genpkey -algorithm ED25519 -out garage-ca.key
	openssl req -x509 -new -nodes -key garage-ca.key -sha256 -days 3650 -out garage-ca.crt -subj "/C=FR/O=Garage"
fi


# Generate a certificate that can be used either as a server certificate
# or a client certificate. This is what the RPC client and server will use
# to prove that they are authenticated by the CA.
if [ ! -f garage.crt ]; then
	echo "Generating Garage agent keys..."
	if [ ! -f garage.key ]; then
		openssl genpkey -algorithm ED25519 -out garage.key
	fi
	openssl req -new -sha256 -key garage.key -subj "/C=FR/O=Garage/CN=garage" \
		-out garage.csr
	openssl req -in garage.csr -noout -text
	openssl x509 -req -in garage.csr \
		-extensions v3_req \
		-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Garage
CN = garage

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = garage
EOF
) \
		-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
		-out garage.crt -days 365
fi

# Client-only certificate used for the CLI
if [ ! -f garage-client.crt ]; then
	echo "Generating Garage client keys..."
	if [ ! -f garage-client.key ]; then
		openssl genpkey -algorithm ED25519 -out garage-client.key
	fi
	openssl req -new -sha256 -key garage-client.key -subj "/C=FR/O=Garage" \
		-out garage-client.csr
	openssl req -in garage-client.csr -noout -text
	openssl x509 -req -in garage-client.csr \
		-extensions v3_req \
		-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Garage

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
) \
		-CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
		-out garage-client.crt -days 365
fi