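#!/usr/bin/env bash
# Sign a certificate signing request (CSR) with the UCS CA.
#
# Usage: ./sign-cert.sh REQ_FILE HOSTNAME [DAYS]
#
# Steps: copy the CSR (plus an extension config built locally) to the UCS
# server, sign it there with the UCS CA, download the result as
# HOSTNAME-cert.pem into the current directory, and remove the scratch files
# on both sides. Signing runs as UCS_USER (root) over ssh and reads the CA key
# password from the UCS password file on the server.
#
# The Subject Alternative Names are copied from the CSR as-is, so the CSR
# author decides which names end up in the certificate; review the
# "Found SANs" line before handing the certificate out.
set -euo pipefail

# Configuration
readonly UCS_SERVER="10.0.0.21"
readonly UCS_USER="root"
readonly DEFAULT_DAYS=3650
# Locations on the UCS server (fixed by the UCS installation).
readonly UCS_CA_CERT="/etc/univention/ssl/ucsCA/CAcert.pem"
readonly UCS_CA_KEY="/etc/univention/ssl/ucsCA/private/CAkey.pem"
readonly UCS_CA_PASS_FILE="/etc/univention/ssl/password"

# Scratch locations, filled in once created; cleanup() checks them.
LOCAL_TMP=""
REMOTE_DIR=""

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  {
    echo "Usage: $0 REQ_FILE HOSTNAME [days]"
    echo ""
    echo "Example: $0 webui.req myserver 3650"
    echo ""
    echo "The script will:"
    echo " 1. Copy the CSR to UCS server"
    echo " 2. Sign it with the UCS CA (preserving extensions)"
    echo " 3. Download the signed certificate to current directory"
  } >&2
  exit 1
}

#######################################
# Remove local and remote scratch files. Runs on every exit path (trap), so
# the CSR and extension config do not linger on the CA host after a failure.
# Globals: LOCAL_TMP, REMOTE_DIR, UCS_USER, UCS_SERVER (read)
#######################################
cleanup() {
  if [[ -n "$REMOTE_DIR" ]]; then
    # Best effort: a failed cleanup must not mask the real exit status.
    ssh "${UCS_USER}@${UCS_SERVER}" "rm -rf -- '${REMOTE_DIR}'" || true
  fi
  if [[ -n "$LOCAL_TMP" ]]; then
    rm -rf -- "$LOCAL_TMP"
  fi
}
trap cleanup EXIT

# Check arguments
if [[ $# -lt 2 ]]; then
  usage
fi

REQ_FILE="$1"
CERT_HOST="$2"
DAYS="${3:-$DEFAULT_DAYS}"

# Both values are interpolated into file names and into the command string
# sent over ssh, so they are restricted to a safe character set before use.
[[ "$CERT_HOST" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] \
  || die "Hostname '$CERT_HOST' may only contain letters, digits, '.', '_' and '-'"
[[ "$DAYS" =~ ^[1-9][0-9]*$ ]] \
  || die "Days '$DAYS' must be a positive integer"

# Validate req file exists
[[ -f "$REQ_FILE" ]] || die "Certificate request file '$REQ_FILE' not found!"

# Get absolute path of req file
REQ_FILE=$(realpath "$REQ_FILE")
OUTPUT_FILE="${CERT_HOST}-cert.pem"

echo "=========================================="
echo "UCS Certificate Signing Script"
echo "=========================================="
echo "Request file: $REQ_FILE"
echo "Hostname: $CERT_HOST"
echo "Valid days: $DAYS"
echo "Output file: $OUTPUT_FILE"
echo "=========================================="
echo ""

# Extract SAN from CSR and fix format
echo "[1/4] Extracting Subject Alternative Names from CSR..."
# openssl prints "IP Address:" in text output but expects "IP:" in config.
# With pipefail a CSR without SANs makes grep fail; the || yields "".
SAN_ENTRIES=$(openssl req -in "$REQ_FILE" -noout -text \
  | grep -A 1 "Subject Alternative Name" \
  | tail -1 \
  | sed -e 's/^ *//' -e 's/IP Address:/IP:/g' || echo "")
if [[ -z "$SAN_ENTRIES" ]]; then
  echo "Warning: No Subject Alternative Names found in CSR"
  SAN_CONFIG=""
else
  # The SAN list is requester-controlled and is written into an OpenSSL
  # config file, where '$' expands variables, '#' starts a comment and
  # quotes/backslashes change parsing. Refuse such input instead of escaping.
  if [[ "$SAN_ENTRIES" == *[\$\`\"\'\\#]* ]]; then
    die "CSR Subject Alternative Names contain unsupported characters: $SAN_ENTRIES"
  fi
  echo "Found SANs: $SAN_ENTRIES"
  SAN_CONFIG="subjectAltName = $SAN_ENTRIES"
fi

# Step 2: Copy CSR and extension config to UCS server
echo "[2/4] Copying CSR to UCS server..."
LOCAL_TMP=$(mktemp -d) || die "mktemp failed"
# The extension config is assembled locally so the SAN text never travels
# through a remote shell command line.
{
  echo "keyUsage = digitalSignature, keyEncipherment"
  echo "extendedKeyUsage = serverAuth"
  if [[ -n "$SAN_CONFIG" ]]; then
    echo "$SAN_CONFIG"
  fi
} > "${LOCAL_TMP}/ext.cnf"
cp -- "$REQ_FILE" "${LOCAL_TMP}/${CERT_HOST}.csr"

# Use an unpredictable per-run directory on the server instead of fixed
# /tmp/HOSTNAME.* names, which another local user could pre-create.
REMOTE_DIR=$(ssh "${UCS_USER}@${UCS_SERVER}" "mktemp -d /tmp/sign-cert.XXXXXX") \
  || die "Failed to create scratch directory on UCS server"
# The path is interpolated into later remote commands; accept only the shape
# that mktemp was asked to produce.
[[ "$REMOTE_DIR" =~ ^/tmp/sign-cert\.[A-Za-z0-9]+$ ]] \
  || die "Unexpected scratch directory name from UCS server: $REMOTE_DIR"

scp "${LOCAL_TMP}/${CERT_HOST}.csr" "${LOCAL_TMP}/ext.cnf" \
  "${UCS_USER}@${UCS_SERVER}:${REMOTE_DIR}/" \
  || die "Failed to copy CSR to UCS server"

# Step 3: Sign using x509 command with CA password
echo "[3/4] Signing certificate on UCS server..."
# CERT_HOST, DAYS and REMOTE_DIR were validated above; the backslash-newlines
# are removed locally, so the remote shell receives a single command line.
ssh "${UCS_USER}@${UCS_SERVER}" "set -e; cd '${REMOTE_DIR}' && \
  openssl x509 -req \
    -in '${CERT_HOST}.csr' \
    -CA '${UCS_CA_CERT}' \
    -CAkey '${UCS_CA_KEY}' \
    -CAcreateserial \
    -out '${CERT_HOST}-cert.pem' \
    -days '${DAYS}' \
    -sha256 \
    -extfile ext.cnf \
    -passin 'file:${UCS_CA_PASS_FILE}'" \
  || die "Failed to sign certificate"

# Step 4: Download signed certificate
echo "[4/4] Downloading signed certificate..."
scp "${UCS_USER}@${UCS_SERVER}:${REMOTE_DIR}/${CERT_HOST}-cert.pem" "$OUTPUT_FILE" \
  || die "Failed to download signed certificate"

# Remote and local scratch files are removed by the EXIT trap.

echo ""
echo "=========================================="
echo "✓ Certificate signed successfully!"
echo "=========================================="
echo "Certificate saved to: $OUTPUT_FILE"
echo ""
echo "Certificate details:"
openssl x509 -in "$OUTPUT_FILE" -noout -subject -issuer -dates
echo ""
echo "Subject Alternative Names:"
# pipefail makes the "(none)" fallback reachable when grep finds nothing.
openssl x509 -in "$OUTPUT_FILE" -noout -text \
  | grep -A 2 "Subject Alternative Name" | tail -2 || echo " (none)"
echo ""
echo "Extended Key Usage:"
openssl x509 -in "$OUTPUT_FILE" -noout -text \
  | grep -A 1 "Extended Key Usage" | tail -1 || echo " (none)"
echo "=========================================="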