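#!/bin/bash
#
# Create a one-day, passwordless PKCS#12 proxy credential for the current
# user at /tmp/pkcs12up_u<uid>, signed with the user's own X.509 key.
#
# Steps:
#   1. Make sure ~/.subversion exists (svn creates it on first run).
#   2. Extract ~/.globus/usercert.pem and ~/.globus/userkey.pem from
#      ~/.globus/usercred.p12 when they are missing or older than it.
#   3. Generate a fresh proxy key pair, sign it with the user key as a
#      proxy certificate (proxyCertInfo extension), and export proxy
#      certificate + proxy key + user certificate as PKCS#12.
#
# Security notes:
#   * The resulting PKCS#12 file holds an UNENCRYPTED private key with an
#     empty export password; file permissions (umask 0077) and the one-day
#     lifetime are its only protection.
#   * All intermediate files live in a private mktemp directory that is
#     removed on every exit path, so the unencrypted proxy key is not left
#     behind in /tmp when a step fails.
#   * The output path is predictable, so the bundle is built privately and
#     renamed into place rather than written through whatever already
#     exists at that path.
#
# Exit status: 0 on success, 1 on any failure.

pkcs12file="${HOME}/.globus/usercred.p12"
x509certfile="${HOME}/.globus/usercert.pem"
x509keyfile="${HOME}/.globus/userkey.pem"
OPENSSL=/usr/bin/openssl

# Running svn once creates ${HOME}/.subversion if it does not exist yet.
if [[ ! -d "${HOME}/.subversion" ]]; then
  svn --version &> /dev/null
fi

#
# Certificate: (re)create usercert.pem from the PKCS#12 file when needed.
#
if [[ ! -e "${x509certfile}" || "${pkcs12file}" -nt "${x509certfile}" ]]; then
  if [[ ! -e "${x509certfile}" ]]; then
    echo "x509 certificate file ${x509certfile} not found"
  else
    echo "pkcs12 file newer than x509 certificate file"
  fi

  if [[ -e "${pkcs12file}" ]]; then
    echo "trying to make x509 certificate file from ${pkcs12file}"
    echo "press CTR-C to abort"
    echo "you will be asked for your certificate password"
    if ! "${OPENSSL}" pkcs12 -in "${pkcs12file}" -nokeys -clcerts \
      -out "${x509certfile}"; then
      echo "error making ${x509certfile}"
      exit 1
    fi
    echo "${x509certfile} created"
    echo
  else
    echo "please move/copy this file into ${x509certfile}"
    echo "If you have a pkcs12 certificate file (cert.p12 or usercred.p12 etc)"
    echo "the ${x509certfile} file can be made with the command:"
    echo "openssl pkcs12 -in usercred.p12 -nokeys -clcerts -out usercert.pem"
    echo "(for a pkcs12 file called usercred.p12) then place usercert.pem in ~/.globus"
    exit 1
  fi
fi

#
# Key file: (re)create userkey.pem from the PKCS#12 file when needed.
#
if [[ ! -e "${x509keyfile}" || "${pkcs12file}" -nt "${x509keyfile}" ]]; then
  if [[ ! -e "${x509keyfile}" ]]; then
    echo "x509 key file ${x509keyfile} not found"
  else
    echo "pkcs12 file newer than x509 key file"
  fi

  if [[ -e "${pkcs12file}" ]]; then
    echo "trying to make x509 key file from ${pkcs12file}"
    echo "press CTR-C to abort"
    echo "you will be asked for your certificate password then a"
    echo "password for the new keyfile, please choose a strong password"

    # Tighten an existing key file first: openssl truncates and reuses it,
    # keeping whatever mode it already had.
    if [[ -e "${x509keyfile}" ]]; then
      chmod 0600 "${x509keyfile}"
    fi
    # Create the key under a restrictive umask so it is never readable by
    # others, not even between creation and the chmod below.
    (
      umask 0077
      "${OPENSSL}" pkcs12 -in "${pkcs12file}" -nocerts -out "${x509keyfile}"
    )
    res=$?
    if [[ -e "${x509keyfile}" ]]; then
      chmod 0600 "${x509keyfile}"
    fi
    if [[ "${res}" != "0" ]]; then
      echo "error making ${x509keyfile}"
      exit 1
    fi
    echo "${x509keyfile} created"
    echo
  else
    echo "please move/copy this file into ~/.globus/userkey.pem"
    echo "If you have a pkcs12 certificate file (cert.p12 or usercred.p12 etc)"
    echo "please do: (for a pkcs12 file called usercred.p12)"
    echo "openssl pkcs12 -in usercred.p12 -nocerts -out userkey.pem"
    echo "and place userkey.pem in ~/.globus"
    echo "NOTE: userkey.pem must only be readable/writeable by the user and should have a strong password"
    echo "use: 'chmod 0600 userkey.pem' to do this."
    exit 1
  fi
fi

#
# Proxy credential.
#
umask 0077
uid=$(id -u)
proxypkcs12="/tmp/pkcs12up_u${uid}"

# Private scratch directory (mode 0700); removed on every exit path because
# it holds the unencrypted proxy key.
workdir=
cleanup() {
  if [[ -n "${workdir}" && -d "${workdir}" ]]; then
    rm -rf -- "${workdir}"
  fi
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

# Every failure in the proxy steps ends with the same message and status.
fail_proxy() {
  echo "error creating pkcs12 proxy"
  exit 1
}

workdir=$(mktemp -d "/tmp/svnproxy.${uid}.XXXXXX") || fail_proxy
proxycsr="${workdir}/csr"
proxykey="${workdir}/key"
proxycert="${workdir}/cert"
proxypem="${workdir}/pem"
certext="${workdir}/ext"
staged="${workdir}/pkcs12"

# OpenSSL request configuration plus the proxy-certificate extension section.
# The key size and digest were 512-bit RSA and MD5; both are too weak to rely
# on and are rejected by current OpenSSL security levels, so the proxy now
# uses 2048-bit RSA with SHA-256.
cat << '__EOF__' > "${certext}" || fail_proxy
[ req ]
default_bits = 2048
default_keyfile = proxykey.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = sha256

[ req_distinguished_name ]
countryName = Country Name \"C\" (2 letter code)
countryName_default =
localityName = Locality Name \"L\" (eg, city)
localityName_default =
organizationName = Organization Name \"O\" (eg, company)
organizationName_default =
organizationalUnitName = Organizational Unit Name \"OU\" (eg, section)
organizationalUnitName_default =
0.commonName = Common Name \"CN\" (eg, YOUR name)
0.commonName_default =
emailAddress = Email Address
emailAddress_default =
1.commonName = Common Name \"CN\" (unique 8 digit number)
1.commonName_default =

[ v3_proxy ]
proxyCertInfo=critical,language:id-ppl-inheritAll
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
__EOF__

# The proxy subject is the user's subject with one extra CN appended, so the
# subject must be in the slash-separated /C=.../CN=... form.
subject=$("${OPENSSL}" x509 -in "${x509certfile}" -noout -subject \
  | sed -e "s/^subject= *//")
if [[ "${subject}" != /* ]]; then
  echo "could not read a /C=.../CN=... style subject from ${x509certfile}"
  fail_proxy
fi

# New, unencrypted proxy key pair and its signing request.
"${OPENSSL}" req -config "${certext}" -new -out "${proxycsr}" \
  -keyout "${proxykey}" -sha256 -nodes \
  -subj "${subject}/CN=svn12345" || fail_proxy

# Sign the request with the user's key (prompts for the key password).
# NOTE(review): the serial number and the appended CN are fixed values, so
# every proxy issued from one certificate shares them - confirm that the
# consuming server accepts this.
"${OPENSSL}" x509 -req -extfile "${certext}" -extensions v3_proxy -sha256 \
  -set_serial 11223344 -in "${proxycsr}" -days 1 \
  -CA "${x509certfile}" -CAkey "${x509keyfile}" \
  -out "${proxycert}" || fail_proxy

# Bundle: proxy certificate, proxy key, then the user certificate as chain.
cat "${proxycert}" "${proxykey}" "${x509certfile}" > "${proxypem}" || fail_proxy

# Export with an empty password so the client can use it without prompting.
"${OPENSSL}" pkcs12 -export -nodes -in "${proxypem}" -passout pass: \
  -out "${staged}" || fail_proxy

# Install by rename: this replaces whatever entry sits at the predictable
# path (including a symlink) instead of writing through it, and it fails in
# a sticky /tmp when the entry belongs to another user. A directory at the
# target (directly or via symlink) would make mv move the file into it, so
# refuse that case; the check is best-effort, not race-free.
if [[ -d "${proxypkcs12}" ]]; then
  echo "${proxypkcs12} is a directory, refusing to write the proxy there"
  fail_proxy
fi
mv -f -- "${staged}" "${proxypkcs12}" || fail_proxy

echo "pkcs12 proxy created"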