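#! /bin/sh
# Copyright (c) 2004 Trimble Navigation Limited
# $Id: makeSSLCert,v 1.6 2004/07/26 21:32:58 tom Exp $
# $Source: /home/CVS/fireballTop/fireballFS/root/usr/local/fireball/makeSSLCert,v $

########################################################################
#
# makeSSLCert
#
# Script to create the certificate and ssl keys needed by the
# HTTPS service provided by Apache's modSSL.
# Called at power up time from "frontpanel_task" just prior to
# starting the httpd (Apache) program.  Can also be called as needed
# during normal operation to regenerate the cert/keys.  This would be
# needed when the contents of the certificate needed to change, as
# would be the case if the user wanted to change the system identity
# encoded in the certificate.
#
# Environment:
#   FB_SSL_KEY_BITS   RSA modulus size of the generated key.  Defaults
#                     to 2048.  (Earlier revisions hard-coded 512, which
#                     is factorable with modest resources and is refused
#                     by current OpenSSL builds and TLS clients.)
#
# Exit status: 0 when both the private key and the certificate exist and
# are non-empty afterwards, 1 otherwise.  Diagnostics go to syslog under
# the tag "makeSSLCert".
#
# Written for POSIX sh.  Earlier revisions used bash-only "[[ ]]" and
# "$(<file)" under a /bin/sh shebang, which is a syntax error on
# dash/ash; plain "[ ]" and cat are used instead.
########################################################################


PATH="$PATH:/usr/local/bin:/usr/bin:/usr/local/fireball:/usr/local/ssl/bin"
export PATH

# Treat use of an unset variable as an error: a mistyped path variable
# would otherwise silently expand to "" and operate on the wrong file.
set -u

# All generated files live under one directory; name each path once.
SSL_DIR=/etc/sysconfig/ssl
KEY_FILE=$SSL_DIR/fb_priv.key
CERT_FILE=$SSL_DIR/fb_cert.crt
CONF_FILE=/etc/sysconfig/sslCert.conf
DEFAULT_CONF=/usr/local/fireball/defaults/sysconfig/sslCert.conf
HTTPD_PID_FILE=/var/run/httpd.pid
KEY_BITS=${FB_SSL_KEY_BITS:-2048}

# log MESSAGE...
# Record a diagnostic in the syslog under this script's tag.
log() {
    logger -t makeSSLCert -- "$*"
}


# Make sure the directory /etc/sysconfig/ssl exists.
# If not, create it.  Mode 0755 is deliberate: httpd must be able to
# read the certificate.  The private key gets its own 0600 mode below.
if [ ! -d "$SSL_DIR" ]; then
    mkdir -p -m 755 "$SSL_DIR" || log "cannot create directory $SSL_DIR"
fi


# Make sure the sslCert.conf configuration file exists.
# If not, initialize the file from fireball/defaults/sysconfig
# and delete old cert & key so that they will be recreated from the
# fresh configuration.  "rm -f": the key and cert may legitimately be
# absent already, and that must not produce an error.
if [ ! -f "$CONF_FILE" ]; then
    cp -- "$DEFAULT_CONF" "$CONF_FILE" || log "cannot install default $CONF_FILE"
    rm -f -- "$KEY_FILE" "$CERT_FILE"
fi


# If either the private key or the certificate is missing (or empty),
# regenerate both of them.
if [ ! -s "$KEY_FILE" ] || [ ! -s "$CERT_FILE" ]; then

    serialNum=$(warranty -s)     # Fetch serial number.
                                 # Returns "Serial_number: 1234567890"
    serialNum=${serialNum#* }    # Drop all but the number itself.

    # Define the location where openssl will save its random number
    # seed.  Unclear what this is used for, but openssl will make a
    # file and complain if it can't.  By default it would put the seed
    # in ./.rnd (in current working directory, wherever that is when
    # this script is run) and that is probably not writeable.  Setting
    # this environment variable forces the location.
    RANDFILE=$SSL_DIR/rnd
    export RANDFILE

    # Assemble the openssl argument list in the positional parameters
    # (POSIX sh has no arrays).  -set_serial is passed only when
    # "warranty" actually produced a value: an empty -set_serial makes
    # openssl fail outright, whereas without the option it chooses its
    # own serial and the device still ends up with a usable certificate.
    set -- req -new -x509 -days 10000 \
        -newkey "rsa:$KEY_BITS" -nodes -keyout "$KEY_FILE" \
        -config "$CONF_FILE" -out "$CERT_FILE"
    if [ -n "$serialNum" ]; then
        set -- "$@" -set_serial "$serialNum"
    else
        log "warranty -s returned no serial number; letting openssl choose one"
    fi

    # Make the private key & certificate.
    # The umask is set inside the command substitution's subshell, so
    # the key file is never world-readable, not even briefly, and the
    # caller's umask is left untouched.  Stdout & stderr are captured.
    result=$(umask 077; openssl "$@" 2>&1)
    rc=$?

    # Save stdout & stderr -- and the exit status, which the previous
    # revision discarded -- to the syslog just in case there was a
    # problem.
    log "openssl exit status $rc: $result"

    # Explicit modes regardless of what openssl did: key private to the
    # owner, certificate readable by httpd.
    [ -f "$KEY_FILE" ] && chmod 0600 "$KEY_FILE"
    [ -f "$CERT_FILE" ] && chmod 0644 "$CERT_FILE"

    # Kill httpd if it was running (as detected by the presence of
    # the PID file).
    # This causes Apache to reload new certificate.
    # The PID is checked to be a plain decimal number first: a stale or
    # corrupt PID file must not turn into "kill" with an arbitrary
    # argument (e.g. a negative number signals a whole process group).
    if [ -s "$HTTPD_PID_FILE" ]; then
        httpdPid=$(cat "$HTTPD_PID_FILE")
        case "$httpdPid" in
            ''|*[!0-9]*)
                log "ignoring malformed $HTTPD_PID_FILE: $httpdPid" ;;
            *)
                kill "$httpdPid" || log "could not signal httpd pid $httpdPid" ;;
        esac
    fi

fi

if [ -s "$KEY_FILE" ] && [ -s "$CERT_FILE" ]; then
    exit 0    # Indicate success
else
    # Diagnostics belong on stderr and in the syslog, not on stdout.
    echo "Unable to create SSL Key & Certificate" >&2
    log "Unable to create SSL Key & Certificate"
    exit 1    # Indicate failure
fi


# End of script makeSSLCert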
