#!/bin/sh
#
# ident "%W% %E% SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
#

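# Locate the script and derive the package layout from it.
# Bourne-sh syntax is used throughout this file (backticks, [ ], expr):
# /bin/sh on the target platform is the classic Bourne shell, so no $(...),
# $((...)) or local.  "$0" is quoted so a path containing blanks still
# resolves; SCRIPT_NAME itself is not referenced below.
SCRIPT_NAME=`basename "$0"`
SCRIPT_DIR=`dirname "$0"`

# If SCRIPT_DIR is not an absolute path name
# (i.e. it doesn't begin with a '/')
# then we try to find the absolute path name using 'pwd'.

case $SCRIPT_DIR in
/* )
	;;
 * )
	INVOKING_DIRECTORY=`/usr/bin/pwd`
	SCRIPT_DIR=$INVOKING_DIRECTORY/$SCRIPT_DIR
	;;
esac

# Package root: the script lives one level below it.
BASEDIR=$SCRIPT_DIR/..

# Root CA certificates shipped with the package; which one is trusted is
# chosen later from the -o option (prod/update -> VeriSign, test -> test CA).
VSroot_cert_file=$BASEDIR/certs/VerisignCA.cert
test_cert_file=$BASEDIR/certs/VerisignTestCA.cert

action="prod"			# default: production certificate


# Distinguished name of the VeriSign test CA, used to remove its key when
# migrating from a test to a production certificate.
testCA_DN="\"OU=FOR VERISIGN AUTHORIZED TESTING ONLY. NO ASSURANCES (C)VS1997, OU=WWW.VERISIGN.COM/REPOSITORY/TESTCPS INCORP. BY REF. LIAB. LTD., O=VERISIGN\, INC\""

# Staging directory for the certificate import.
# NOTE(review): the name is predictable (PID-based) under world-writable
# /tmp.  It must only ever be created with a plain mkdir (no -p) whose
# failure aborts the run, so that a pre-existing directory or symlink left
# there by another user is never written through.
filedir="/tmp/$$.externalcerts"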

myExit()
{
  # Abort the installation: print the (localised) exit notice to stdout,
  # like every other message in this script, and terminate with status 1.
  # Never returns.
  gettext SUNWhttp "\nExiting SSL certificate installation...\n"
  exit 1
}
 
usage()
{
  # Print the command synopsis and option summary (localised via gettext)
  # to stdout.  Does not exit; callers follow it with myExit when the
  # invocation was invalid.
  gettext SUNWhttp "usage: sslstorex -c cert_file [-o test | prod | update] [-i ip] [uid]\n"
  gettext SUNWhttp "where...\n"
  # -c is mandatory, everything else optional.
  gettext SUNWhttp "-c filepath\tthe certificate reply file from the external CA.\n"
  gettext SUNWhttp "[-o option]\tthe type of certificate:\n"
  gettext SUNWhttp "\t\t\ttest: test certificate (Free: 2 weeks validity)\n"
  gettext SUNWhttp "\t\t\tprod: production certificate (default) (1 yr validity)\n"
  gettext SUNWhttp "\t\t\tupdate: Migrate from a test cert to a production cert.\n"
  gettext SUNWhttp "[-i ip]\t\tIP address of the host the certificate is for.\n"
  gettext SUNWhttp "[uid]\t\tthe user id of web server process. (default uid = 0)\n\n"
}
 

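removeTestKey()
{
  # Remove the VeriSign test CA's key (identified by testCA_DN) from the
  # host's trusted keys; run when migrating from a test certificate to a
  # production one.
  # Reads globals: IP (host address, may be empty), testCA_DN.
  # Returns keypkg's exit status; the caller does not check it.
  # "$IP" is quoted so an empty or malformed value cannot split into extra
  # arguments for keypkg.
  if [ -z "$IP" ]; then
    /opt/SUNWut/http/ski/bin/keypkg -Rhs -t "$testCA_DN"
  else
    /opt/SUNWut/http/ski/bin/keypkg -Rhs -L "$IP" -t "$testCA_DN"
  fi
}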

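installExternal()
{
  # Install a certificate issued by an external CA for this host:
  #   1. sanity-check and skistore the CA's root certificate ($root_cert_file),
  #   2. skilogin the host key and add the root CA key to the trusted set,
  #   3. skiverify the reply ($inputfile); when that reports status 1, stage
  #      it as a plain (or -B) X509 certificate under $filedir,
  #   4. remove the previous certificates and skistore the new one.
  # Reads globals: root_cert_file, inputfile, filedir, IP (may be empty), uid.
  # Writes globals: BFLAG, DN, HOSTNAME, IP (only when it was empty).
  # Any failure ends the script through myExit; a return means success.
  #
  # NOTE(review): the SKI tools' status checks test for exactly 1, as the
  # original did; whether those tools use other non-zero codes is not known
  # from this file - confirm before tightening them to -ne 0.

  if [ ! -s "$root_cert_file" ]; then
    gettext SUNWhttp "No Root CA Certificate file found\n"
    usage
    myExit
  fi

  # Make sure root CA cert has BEGIN boundary.  Any non-zero grep status
  # (no match, or an unreadable file) counts as corrupt; testing for
  # exactly 1 treated a read error (status 2) as success.
  /usr/bin/grep "BEGIN" "$root_cert_file" >/dev/null 2>&1
  if [ $? -ne 0 ]; then
    gettext SUNWhttp "Corrupt Root CA certificate: BEGIN boundary missing\n"
    myExit
  fi

  # Make sure root CA cert has END boundary
  /usr/bin/grep "END" "$root_cert_file" >/dev/null 2>&1
  if [ $? -ne 0 ]; then
    gettext SUNWhttp "Corrupt Root CA certificate: END boundary missing\n"
    myExit
  fi

  # Skistore the root CA cert
  /opt/SUNWut/http/ski/bin/skistore -c "$root_cert_file"
  if [ $? = 1 ]; then
    gettext SUNWhttp "Failed to skistore root CA certificate\n"
    myExit
  fi

  # Skilogin the host's key
  if [ -z "$IP" ]; then
    /opt/SUNWut/http/ski/bin/skilogin -h 0 "$uid"
  else
    /opt/SUNWut/http/ski/bin/skilogin -h -L "$IP" 0 "$uid"
  fi

  # Add root CA's public key to list of trusted public keys.  Later
  # verification chains to this key, which is why root_cert_file is always
  # one of the package's own certs and never a user-supplied path.
  if [ -z "$IP" ]; then
    /opt/SUNWut/http/ski/bin/keypkg -Ah "$root_cert_file"
  else
    /opt/SUNWut/http/ski/bin/keypkg -Ah -L "$IP" "$root_cert_file"
  fi

  # Verify the certificate reply.  The status is saved immediately because
  # the import decision below depends on it.
  if [ -z "$IP" ]; then
    /opt/SUNWut/http/ski/bin/skiverify -h -i "$inputfile" -c "$filedir" > /dev/null 2>&1
  else
    /opt/SUNWut/http/ski/bin/skiverify -h -L "$IP" -i "$inputfile" -c "$filedir" > /dev/null 2>&1
  fi
  verify_status=$?

  if [ "$verify_status" = 1 ]; then
    # Check if the certificate is X509; fall back to the -B form.
    # BFLAG is assigned only after the -B probe has been checked: the
    # original set it between the probe and the test, so $? was the
    # assignment's 0 and the "not a X509 certificate" exit never fired.
    BFLAG=
    /opt/SUNWut/http/ski/bin/skicert -S "$inputfile" > /dev/null 2>&1
    if [ $? = 1 ]; then
      /opt/SUNWut/http/ski/bin/skicert -B -S "$inputfile" > /dev/null 2>&1
      if [ $? = 1 ]; then
        gettext SUNWhttp "skiverify failed and is not a X509 certificate\n"
        myExit
      fi
      BFLAG=-B
    fi

    # $filedir is a predictable name under world-writable /tmp.  Create it
    # with a plain mkdir (no -p) and abort if that fails, so the script
    # never writes through a directory or symlink that already existed.
    /usr/bin/mkdir "$filedir" && /usr/bin/mkdir "$filedir/certs"
    if [ $? -ne 0 ]; then
      gettext SUNWhttp "Failed to create temporary directory\n"
      myExit
    fi

    # Take everything after the first ':' of the Subject line rather than
    # awk's second ':'-field, so a DN that itself contains ':' (e.g. a URL
    # in an OU) is not truncated.  $BFLAG is unquoted on purpose: empty
    # means no flag.
    DN=`/opt/SUNWut/http/ski/bin/skicert $BFLAG -S "$inputfile" | /usr/bin/grep Subject: |\
     /usr/bin/sed 's/^[^:]*://'`
    if [ -z "$IP" ]; then
      HOSTNAME=`/usr/bin/hostname`
      # getent may list several addresses; only one can name the cert file.
      IP=`/usr/bin/getent hosts "$HOSTNAME" | /usr/bin/awk 'NR == 1 { print $1 }'`
    fi
    /usr/bin/cp "$inputfile" "$filedir/certs/${IP}.CERT"
    # Bourne-sh echo interprets backslash escapes; skicert DNs appear to use
    # backslash-escaped commas (cf. testCA_DN) - presumably passed through
    # intact, verify against what skistore -d expects in new_cred_list.
    echo "$IP	$DN" > "$filedir/new_cred_list"
  fi

  # remove previous certificates
  if [ -z "$IP" ]; then
    /opt/SUNWut/http/ski/bin/skicert -Rhes
  else
    /opt/SUNWut/http/ski/bin/skicert -Rhes -L "$IP"
  fi

  # store the new external certificate
  /opt/SUNWut/http/ski/bin/skistore -d "$filedir"
  if [ $? = 1 ]; then
    myExit
  fi
}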
 
# ----------------Main Routine--------------------------------------
 
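WHO=`id | sed "s/uid=[0-9]*(\([^ )]*\)).*/\1/"`

# Quoted so that empty or unexpected id(1) output fails the comparison;
# unquoted, an empty WHO made test(1) error out and the check was skipped
# instead of refusing.
if [ "$WHO" != "root" ]; then
  gettext SUNWhttp "ERROR: You must be \"root\" to run this script.\n"
  myExit
fi

# -c certificate reply file, -o test|prod|update, -i host IP address.
while getopts "c:i:o:" arg
do
  case $arg in
    c)      inputfile=$OPTARG;;
    o)      action=$OPTARG;;
    i)      IP=$OPTARG;;
    \?)     usage
            myExit;;
  esac
done

shift `expr $OPTIND - 1`

# Optional positional argument: uid of the web server process, default 0.
# The original passed $1 through expr(1), which for a lone operand just
# echoes it back, so the value is taken as given.
uid=${1:-0}

# Check for correct format of IP address.  The value is later used in file
# names and as a command argument, so only digits and dots are accepted -
# the same character class the original sed filter allowed.  The case
# pattern also rejects values containing blanks, which the unquoted test(1)
# comparison it replaces let through by erroring out.
if [ -n "$IP" ]; then
  case $IP in
    *[!0-9.]*)
      gettext SUNWhttp "ERROR: IP address is incorrectly formatted.\n"
      myExit
      ;;
  esac
fi

# Select the root CA certificate matching the requested certificate type.
if [ "$action" = "test" ]; then
  root_cert_file=$test_cert_file
elif [ "$action" = "prod" ] || [ "$action" = "update" ]; then
  root_cert_file=$VSroot_cert_file
else
  # incorrect option
  gettext SUNWhttp "Invalid certificate type option specified\n"
  usage
  myExit
fi

if [ -z "$inputfile" ]; then
  gettext SUNWhttp "ERROR: You must specify the certificate reply file from the external CA.\n"
  usage
  myExit
fi

if [ ! -s "$inputfile" ]; then
  gettext SUNWhttp "ERROR: Unable to access certificate file.\n"
  myExit
fi

# Migrating from a test certificate: drop the test CA's key first.
if [ "$action" = "update" ]; then
  removeTestKey
fi

installExternal

# Remove the staging directory installExternal may have created.
rm -rf "$filedir"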
