#!/bin/sh

set -ue
PATH="/usr/bin:/bin"
export PATH

BASEDIR="$(dirname -- "$0")"
OU="InterIMAP test suite"
cd "$BASEDIR"

OPENSSL_CONF="./openssl.cnf"
export OPENSSL_CONF

cadir="$(mktemp --tmpdir --directory)"
trap 'rm -rf -- "$cadir"' EXIT INT TERM
genpkey() {
    local key="$1"
    shift
    openssl genpkey -out "$key" "$@" 2>&1
}

# generate CA (we intentionally throw away the private key and serial
# file to avoid reuse)
genpkey "$cadir/ca.key" -algorithm RSA
openssl req -new -x509 -rand /dev/urandom \
    -subj "/OU=$OU/CN=Fake Root CA" \
    -addext subjectKeyIdentifier="hash" \
    -addext authorityKeyIdentifier="keyid:always,issuer" \
    -addext basicConstraints="critical,CA:TRUE" \
    -key "$cadir/ca.key" -out ./ca.crt

SERIAL=1
new() {
    local key="$1" cn="$2"
    openssl req -new -rand /dev/urandom -key "$key" \
        -subj "/OU=$OU/CN=$cn" ${3+-addext subjectAltName="$3"} \
        -out "$cadir/new.csr"
	cat >"$cadir/new-ext.cnf" <<-EOF
		basicConstraints = critical, CA:FALSE
		keyUsage = critical, digitalSignature, keyEncipherment
		extendedKeyUsage = critical, serverAuth
	EOF
    if [ -n "${3+x}" ]; then
        printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf"
    fi
    openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
        -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf" 2>&1
}

genpkey ./dovecot.rsa.key -algorithm RSA
new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt

genpkey ./dovecot.ecdsa.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt

genpkey ./dovecot.rsa2.key -algorithm RSA
new ./dovecot.rsa2.key "imap.example.net" "DNS:imap.example.net,DNS:localhost" >./dovecot.rsa2.crt