#!/bin/ksh
#
# ident "@(#)sslclauth	3.5 02/04/15 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
#
# setup the host to trust specific client ID signers to enable
# client authentication via SSL.
#

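# Mode flags set by -e / -d in the main routine.
enable=false
disable=false

# Quoted so an install path containing whitespace does not get word-split.
SCRIPT_NAME=$(basename "$0")
SCRIPT_DIR=$(dirname "$0")

# If SCRIPT_DIR is not an absolute path name
# (i.e. it doesn't begin with a '/')
# then we try to find the absolute path name using 'pwd'.
# /usr/bin/pwd is invoked by its full path so the result does not depend
# on the caller's PATH.

case $SCRIPT_DIR in
/* )
	;;
 * )
	INVOKING_DIRECTORY=$(/usr/bin/pwd)
	SCRIPT_DIR=$INVOKING_DIRECTORY/$SCRIPT_DIR
	;;
esac

# Install root, one level above the directory holding this script.
# The CA files below are read relative to it, so the contents of that
# certs/ directory decide which signers can be registered as trusted.
BASEDIR=$SCRIPT_DIR/..

# CA certificates that addSigner passes to keypkg, keyed by <Signer>.
Class1CAcert=$BASEDIR/certs/VerisignClass1CA.cert
Class2CAcert=$BASEDIR/certs/VerisignClass2CA.cert
Class3CAcert=$BASEDIR/certs/VerisignClass3CA.cert

# Subject DNs of the same CAs, used by removeSigner (keypkg -t) to select
# the entry to delete.  The embedded double quotes and the backslash before
# the comma are literal parts of the value handed to keypkg.
Class1DN="\"OU=CLASS 1 PUBLIC PRIMARY CERTIFICATION AUTHORITY, O=VERISIGN\, INC., C=US\""

Class2DN="\"OU=CLASS 2 PUBLIC PRIMARY CERTIFICATION AUTHORITY, O=VERISIGN\, INC., C=US\""

Class3DN="\"OU=CLASS 3 PUBLIC PRIMARY CERTIFICATION AUTHORITY, O=VERISIGN\, INC., C=US\""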

myExit() {
  # Print the abort notice through the SUNWhttp catalog and terminate the
  # whole script with status 1.  Never returns to the caller.
  gettext SUNWhttp "\nExiting SSL client authentication setup ...\n"
  exit 1
}

usage() {
  # Write the command synopsis to stdout, one catalog lookup per line.
  # Every line is its own message in the SUNWhttp catalog, so the calls
  # are kept separate.  Does not exit; the caller decides that.
  typeset catalog=SUNWhttp
  gettext "$catalog" "usage: sslclauth <-e | -d> [-i <IP address>] <Signer>\n"
  gettext "$catalog" "where...\n"
  gettext "$catalog" "-e\t\t\tenables Clients with IDs signed by the Signer to\n"
  gettext "$catalog" "\t\t\taccess your protected site\n"
  gettext "$catalog" "-d\t\t\tdisables Clients with IDs signed by the Signer to\n"
  gettext "$catalog" "\t\t\taccess your protected site\n"
  gettext "$catalog" "[-i <IP address>]\tIP address of the SSL enabled host\n"
  gettext "$catalog" "<Signer> is one of:\n"
  gettext "$catalog" "\t\t\tClass1: Verisign's Class 1 CA\n"
  gettext "$catalog" "\t\t\tClass2: Verisign's Class 2 CA\n"
  gettext "$catalog" "\t\t\tClass3: Verisign's Class 3 CA\n\n"
}

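addSigner()
{
  # Register the selected CA certificate as a trusted client-ID signer
  # (keypkg -Ah), either for the whole host or, when -i was given, for the
  # address in $IPaddr.
  # Globals read: cert_file, Signer, IPaddr.
  # Exits through myExit when the certificate file is missing or empty;
  # otherwise returns keypkg's exit status.
  if [ ! -s "$cert_file" ]; then
    gettext SUNWhttp "Unable to open CA file : $Signer\n"
    myExit
  fi

  # Both expansions are quoted so a path or address is always passed to
  # keypkg as exactly one argument.
  if [ -z "$IPaddr" ]; then
    /opt/SUNWut/http/ski/bin/keypkg -Ah "$cert_file"
  else
    /opt/SUNWut/http/ski/bin/keypkg -Ah -L "$IPaddr" "$cert_file"
  fi
}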

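removeSigner()
{
  # Remove the trusted client-ID signer whose subject DN is $CADN
  # (keypkg -Rh -t), either for the whole host or, when -i was given, for
  # the address in $IPaddr.
  # Globals read: CADN, IPaddr.
  # Returns keypkg's exit status.
  # $IPaddr is quoted so it reaches keypkg as a single argument.
  if [ -z "$IPaddr" ]; then
    /opt/SUNWut/http/ski/bin/keypkg -Rh -t "$CADN"
  else
    /opt/SUNWut/http/ski/bin/keypkg -Rh -L "$IPaddr" -t "$CADN"
  fi
}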

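# ----------------Main Routine--------------------------------------

# Invoking user, taken from the "uid=N(name)" field of id(1).
WHO=$(id | sed "s/uid=[0-9]*(\([^ )]*\)).*/\1/")

# Quoted: an empty WHO would otherwise make the test a syntax error.
if [ "$WHO" != "root" ]; then
  gettext SUNWhttp "ERROR: You must be \"root\" to run this script.\n"
  # NOTE(review): the abort is left commented out, so a non-root run only
  # prints this error and carries on to keypkg.  Confirm whether that is
  # intended before restoring myExit here.
#  myExit
fi

# Start from a clean value so an IPaddr inherited from the environment
# cannot stand in for -i.
IPaddr=
while getopts "edi:" arg
do
  case $arg in
    e)  enable=true;;
    d)  disable=true;;
    i)  IPaddr="$OPTARG";;
    \?) usage
        myExit;;
  esac
done

# Screen the -i value: only digits and dots are accepted.  This is a
# character check rather than a full dotted-quad validation, but it does
# guarantee the value can never be read by keypkg as an option or as a
# second argument.
if [ -n "$IPaddr" ]; then
  case $IPaddr in
    *[!0-9.]*)
      gettext SUNWhttp "ERROR: IP address is incorrectly formatted.\n"
      myExit
      ;;
  esac
fi

shift $((OPTIND - 1))
Signer=${1-}

if [ -z "$Signer" ]; then
  usage
  myExit
fi

# Exactly one of -e / -d is required (usage: <-e | -d>).  Giving both is
# ambiguous; giving neither would otherwise fall through to removeSigner.
if [ "$enable" = true ] && [ "$disable" = true ]; then
  usage
  myExit
fi
if [ "$enable" != true ] && [ "$disable" != true ]; then
  usage
  myExit
fi

# Map <Signer> to the certificate file (for -e) and subject DN (for -d).
case $Signer in
  Class1)
    cert_file=$Class1CAcert
    CADN=$Class1DN
    ;;
  Class2)
    cert_file=$Class2CAcert
    CADN=$Class2DN
    ;;
  Class3)
    cert_file=$Class3CAcert
    CADN=$Class3DN
    ;;
  *)
    # invalid Signer
    gettext SUNWhttp "Invalid Signer specified\n"
    usage
    myExit
    ;;
esac

if [ "$enable" = true ]; then
  addSigner
else
  removeSigner
fi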
