#!/bin/bash

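set -euo pipefail

# Print a diagnostic on stderr and stop with a non-zero status.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Installing into /etc/ssl/private needs root. The original exited with
# status 0 here, so a caller could not tell a refused run from a successful one.
if [[ "$UID" -ne 0 ]]; then
  die "script requires root permissions!"
fi

# Certificate material uploaded by the user, located inside the data directory
# that the occ CLI reports for the "datadirectory" system setting.
datadir=$(occ config:system:get datadirectory) || die "could not read datadirectory via occ"
user="admin"
ssldir="$datadir/$user/files/SSLCerts"
sslshortdir=$(basename -- "$ssldir")

keyfile="private_key.pem"
certfile="certificate.pem"
intermediatesfile="intermediates.pem"

key="$ssldir/$keyfile"
cert="$ssldir/$certfile"
intermediates="$ssldir/$intermediatesfile"

[[ -d "$ssldir" ]] || die "Could not find SSL directory $sslshortdir ($ssldir) for user $user!"

# PEM armour markers. For the private key both the PKCS#1 ("RSA PRIVATE KEY")
# and the PKCS#8 ("PRIVATE KEY") encodings are accepted.
rsa_key_pattern="-----BEGIN RSA PRIVATE KEY-----"
pkcs8_key_pattern="-----BEGIN PRIVATE KEY-----"
cert_pattern="-----BEGIN CERTIFICATE-----"
dhparams_pattern="-----BEGIN DH PARAMETERS-----"

# Scratch directory for the working copy of the certificate. The trap removes
# it on every exit path, including the die() calls below.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# Check key
[[ -e "$key" ]] || die "Private key $keyfile not found in Folder $sslshortdir of user $user!"
if ! grep -q -e "$rsa_key_pattern" -e "$pkcs8_key_pattern" -- "$key"; then
  # The markers above are PEM armour, so a miss means the file is NOT PEM;
  # the original message reported the opposite ("not in DER format").
  die "Private key $keyfile is not in PEM format."
fi

# Check certificate
[[ -e "$cert" ]] || die "$certfile not found in Folder $sslshortdir of user $user!"
if ! grep -q -- "$cert_pattern" "$cert"; then
  die "$certfile is not in PEM format."
fi

# Check if private key and cert match: compare the SubjectPublicKeyInfo
# derived from each side. Unlike comparing RSA moduli this also works for
# non-RSA keys that openssl pkey understands.
pub_cert=$(openssl x509 -noout -pubkey -in "$cert") || die "could not read public key from $certfile"
pub_key=$(openssl pkey -pubout -in "$key") || die "could not read $keyfile (encrypted or unsupported key?)"
if [[ "$pub_cert" != "$pub_key" ]]; then
  die "Certificate does not match private key"
fi

# Verify certificate chain against the system trust store. A bundled
# intermediates file is passed as -untrusted, so it must itself chain to a
# trusted root rather than becoming a trust anchor. The original built a
# -CAfile argument only when the intermediates file was MISSING and then
# never passed it to openssl at all.
verify_args=(-verbose -CApath /etc/ssl/certs)
if [[ -e "$intermediates" ]]; then
  verify_args+=(-untrusted "$intermediates")
fi
verify_rc=0
# stderr is captured too: that is where openssl reports the actual chain error.
verify_out=$(openssl verify "${verify_args[@]}" "$cert" 2>&1) || verify_rc=$?
# Some openssl releases exit 0 even on a failed verification, so any output
# line other than "<cert>: OK" is treated as a failure as well.
if (( verify_rc != 0 )) || grep -q -v -- ': OK' <<<"$verify_out"; then
  printf '%s\n' "Issues found while verifying the certificate chain:" "$verify_out" >&2
  exit 1
fi

# Work on a copy so the DH parameters are appended to the installed file only,
# leaving the user's upload untouched.
cp -- "$cert" "$tmpdir/"
cert="$tmpdir/$certfile"

# Protect against logjam, apache 2.4.7 style: append DH parameters when the
# user did not bundle their own. The original had the generation commented
# out and then cat'ed a file that was never created. Generating a 2048-bit
# group can take a noticeable amount of time.
if ! grep -q -- "$dhparams_pattern" "$cert"; then
  dhfile="$tmpdir/dh_2048.pem"
  openssl dhparam -out "$dhfile" 2048 || die "could not generate DH parameters"
  cat -- "$dhfile" >> "$cert"
fi

# Private key is readable by root only; certificates are world-readable.
install -m 600 -o root -- "$key" "/etc/ssl/private/appliance_$keyfile"
install -m 644 -o root -- "$cert" "/etc/ssl/certs/appliance_$certfile"
if [[ -e "$intermediates" ]]; then
  install -m 644 -o root -- "$intermediates" "/etc/ssl/certs/appliance_$intermediatesfile"
fi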
