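#!/bin/sh
#
# domtool-addcert USERNAME [-unsafe]
#
# Generate a 4096-bit RSA key for USERNAME, build a CSR for it, have the
# domtool CA sign it, and install the result as
#   <keys dir>/USERNAME/key.pem   (private key, 0700 dir / 0600 file)
#   <certs dir>/USERNAME.pem      (signed certificate)
# Paths come from `domtool-config -path cert {keys,certs,ca}`; the CSR's
# CN is USERNAME and its email is USERNAME@`domtool-config -domain`.
#
# "-unsafe" as the second argument skips the chown of the key directory
# to USERNAME (for server principals that have no local account).
#
# NOTE(review): an existing key.pem / USERNAME.pem is overwritten without
# prompting, i.e. re-running this script re-keys the principal.
set -eu

die() { printf '%s\n' "$*" >&2; exit 1; }

USER="${1:-}"
if [ -z "$USER" ]; then
    echo Usage: domtool-addcert USERNAME
    exit 1
fi
# USERNAME becomes a path component below (keys/<USERNAME>, <USERNAME>.pem),
# so refuse anything that could escape those directories or be parsed as
# an option: empty, leading "." or "-", a "/" anywhere, or characters
# outside [A-Za-z0-9._-].
case "$USER" in
    .*|-*|*/*|*[!A-Za-z0-9._-]*)
        die "Invalid USERNAME: $USER" ;;
esac

umask 077 # Nothing this script creates on a local fs should be group/world readable

# Private work dir with an unpredictable name; always removed on exit,
# including error exits, so no intermediate material lingers in /tmp.
WORKDIR=
cleanup() {
    if [ -n "$WORKDIR" ]; then
        rm -rf -- "$WORKDIR"
    fi
}
trap cleanup EXIT
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/domtool-keyreq.XXXXXX") || die "Cannot create work dir"
chmod 700 "$WORKDIR"

KEYDIR=$(domtool-config -path cert keys)/$USER
KEYFILE=$KEYDIR/key.pem
CERTFILE=$(domtool-config -path cert certs)/$USER.pem
CADIR=$(domtool-config -path cert ca)
CACONF=$CADIR/domtool-openssl.conf
NEWREQ=$WORKDIR/.newreq.pem
KEYIN=$WORKDIR/.keyin
NEWCERT=$WORKDIR/.cert

mkdir "$KEYDIR" || echo Key directory already exists.
openssl genrsa -out "$KEYFILE" 4096
# chown -R domtool.nogroup $KEYDIR
# chmod for non-afs systems (umask already makes these private; be explicit)
chmod 700 "$KEYDIR"
chmod 600 "$KEYFILE"

if [ "${2:-}" != '-unsafe' ]; then
    if [ -z "$(getent passwd "$USER")" ]; then
        echo "$USER does not exist. This must be a server principal."
    else
        # ':' is the portable owner/group separator ('.' is a GNU legacy form)
        chown -R "$USER:nogroup" "$KEYDIR"
    fi
fi
# AFS ACL for the key dir; 'fs' failing just means this is not an AFS path
# or the name is not an AFS user.
fs sa "$KEYDIR" "$USER" read || echo This must be a server principal.

# Scripted answers for the interactive `openssl req` prompts: C, ST, L, O, OU
# left at "." (blank), CN = USERNAME, emailAddress = USERNAME@domain, then
# the two optional challenge/company prompts left empty.
{
    echo "."
    echo "."
    echo "."
    echo "."
    echo "."
    echo "$USER"
    # fixme: domtool-config -domain
    echo "$USER@$(domtool-config -domain)"
    echo ""
    echo ""
} >"$KEYIN"
# (-days is meaningless for a CSR and is ignored by openssl; the validity
# period comes from the CA config when the request is signed.)
openssl req -new -key "$KEYFILE" -out "$NEWREQ" <"$KEYIN"
rm -- "$KEYIN"

ROOTCMD=""
# Insecure CA is OK for development, and if the CA is in afs it is
# assumed the script is being run with sufficient
# permissions. Otherwise, become root to use the ca private key.
if [ ! -r "$CACONF" ]; then
    ROOTCMD=sudo
fi
# Only the CSR is handed to the CA; the private key never leaves KEYDIR
# (it is not needed for signing and should not be copied into the work
# dir or read by root).
$ROOTCMD openssl ca -batch -config "$CACONF" -out "$NEWCERT" -infiles "$NEWREQ"
$ROOTCMD chown "$(whoami)" "$NEWCERT"
mv -- "$NEWCERT" "$CERTFILE"
rm -- "$NEWREQ"
# work dir removed by the EXIT trap
#chown domtool.nogroup $CERTFILE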