#!/bin/sh

set -ue
PATH="/usr/bin:/bin"
export PATH

BASEDIR="$(dirname -- "$0")"
OU="InterIMAP test suite"
cd "$BASEDIR"

cadir="$(mktemp --tmpdir --directory)"
trap 'rm -rf -- "$cadir"' EXIT INT TERM

# generate CA (we intentionally throw away the private key and serial
# file to avoid reuse)
openssl genpkey -algorithm RSA -out "$cadir/ca.key"
openssl req -new -x509 -rand /dev/urandom -subj "/OU=$OU/CN=Fake Root CA" -key "$cadir/ca.key" -out ./ca.crt

SERIAL=1
new() {
    local key="$1" cn="$2"
    openssl req -new -rand /dev/urandom -key "$key" \
        -subj "/OU=$OU/CN=$cn" ${3+-addext subjectAltName="$3"} \
        -out "$cadir/new.csr"
	cat >"$cadir/new-ext.cnf" <<-EOF
		basicConstraints = critical, CA:FALSE
		keyUsage = critical, digitalSignature, keyEncipherment
		extendedKeyUsage = critical, serverAuth
	EOF
    if [ -n "${3+x}" ]; then
        printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf"
    fi
    openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
        -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf"
}

openssl genpkey -algorithm RSA -out ./dovecot.rsa.key
new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out ./dovecot.ecdsa.key
new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt

openssl genpkey -algorithm RSA -out ./dovecot.rsa2.key
new ./dovecot.rsa2.key "imap.example.net" "DNS:imap.example.net,DNS:localhost" >./dovecot.rsa2.crt