#!/bin/bash
#
# xy
#
# Author: Werner Fink
# Please send feedback to http://www.suse.de/feedback/
#
# Description:
#
# Creating (Self-)Signed SSL Certificates with OpenSSL
# for sendmail
#
###### -subj '/C=DE/ST=Bayern\/Germany/L=Fuerth/O=Private at Home/CN=speedy.localsite/emailAddress=werner.fink@arcor.de'

#
# Check for OpenSSL demo configuration
#
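# Abort early when the template openssl.cnf is absent: the working
# configuration used by every openssl call below is derived from it.
# (Expansions are quoted and printf is used so the message is emitted
# verbatim whatever the script is called.)
test -s /etc/ssl/openssl.cnf || { printf '%s: No OpenSSL package installed\n' "${0##*/}" >&2 ; exit 1; }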

#
# Ask sendmail about the configured CACertPath
#
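# sendmail's -d37 debug trace prints its option table; keep the CACertPath
# line and strip everything up to the last '='.  A failing pipeline (grep found
# no such line, which also covers sendmail failing outright) is fatal because
# every later step writes into that directory.
# NOTE(review): the trace format is sendmail internals, not a stable interface
# — confirm the line still reads "CACertPath=..." on the installed version.
CACertPath=$(echo /quit | sendmail -Am -bD -bt -bv -d37 | grep CACertPath) || { printf '%s: sendmail error\n' "${0##*/}" >&2 ; exit 1; }
CACertPath=${CACertPath##*=}
# Refuse an empty or non-existent path instead of cd'ing somewhere unintended
# and creating key material there.
[[ -n "${CACertPath}" && -d "${CACertPath}" ]] || { printf '%s: CACertPath does not exist\n' "${0##*/}" >&2 ; exit 1; }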

#
# Change into CACertPath; everything below is created relative to it
#
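# All certificate material is written with paths relative to CACertPath, so
# change into it once and fail loudly if that is not possible.
cd "${CACertPath}" || { printf '%s: Can not change to CACertPath\n' "${0##*/}" >&2 ; exit 1; }

#
# Set secure file mode creation mask
#
# 0066 makes every file created below 0600 and every directory 0711.  The
# private keys are generated unencrypted (-nodes), so their protection rests
# entirely on this mask and on the directory modes, not on a passphrase.
umask 0066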

#
# Get a valid copy of OpenSSL demo configuration
#
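if test ! -s openssl.cnf ; then
    # CACertPath is spliced into a sed replacement text below.  A '\', an '&'
    # or the '@' used as s-command delimiter inside the path would be
    # interpreted by sed and corrupt the generated file, so escape them first.
    sed_path=${CACertPath//\\/\\\\}
    sed_path=${sed_path//&/\\&}
    sed_path=${sed_path//@/\\@}
    # Derive the working configuration from the distribution template:
    #  - HOME/dir point at CACertPath, RANDFILE at the kernel RNG,
    #  - inside [ CA_default ] (up to the next section header) the CA
    #    certificate/key live under $dir, keys default to 4096 bits and
    #    unique_subject=no so a subject can be certified more than once
    #    (needed when a certificate is re-issued with the same name).
    # On failure the partial openssl.cnf is removed; otherwise the -s test
    # above would accept it on the next run.
    sed -r \
      -e 's@^((HOME|dir)[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\1'"${sed_path}"'\3@' \
      -e 's@^(RANDFILE[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\1/dev/urandom\2@' \
      -e '\@^[[:blank:]]*\[[[:blank:]]*CA_default[[:blank:]]*\]@,\@^[[:blank:]]*\[@ {
          s@(certificate[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\1\$dir/CA.cert.pem\2@
          s@(private_key[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\1\$dir/private/CA.key.pem\2@
          s@(default_bits[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\14096\2@
          s@^#?(unique_subject[[:blank:]]*=[[:blank:]]*)[^[:blank:]]*([[:blank:]]*#.*)?@\1no\2@
      }' /etc/ssl/openssl.cnf > openssl.cnf || \
    { rm -f openssl.cnf ; printf '%s: Can not create openssl.cnf\n' "${0##*/}" >&2 ; exit 1; }
fi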

#
# The Certificate Authorities of the smart and/or relay host, if any
#
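#######################################
# Fetch the certificate chain a mail host presents on STARTTLS and install it
# in CACertPath as <host>.pem plus the <hash>.0 link OpenSSL looks up.
# Nothing here verifies what is received: whoever answers on port 25 at fetch
# time ends up trusted, so the stored certificate has to be checked
# out-of-band (e.g. compare its fingerprint with the relay's operator) before
# relying on it.  The sed range keeps every PEM block of the chain; the first
# block, which determines the hash link, is normally the host's own
# certificate rather than its issuing CA.
# Arguments: $1 - host name as configured in SENDMAIL_RELAY/SENDMAIL_SMARTHOST
# Outputs:   diagnostics on stderr
# Returns:   0 when <host>.pem is present and non-empty, 1 otherwise
#######################################
fetch_peer_cert() {
    local host=$1 pem
    # Already fetched on an earlier run: keep the existing, possibly reviewed,
    # copy rather than replacing it with whatever the network returns today.
    [[ -s "${host}.pem" ]] && return 0
    # The value becomes a file name next to the CA material; a '/' in it would
    # write outside CACertPath.
    case "$host" in
        ''|*/*|.|..)
            printf '%s: refusing to use "%s" as certificate file name\n' "${0##*/}" "$host" >&2
            return 1 ;;
    esac
    # NOTE(review): the value is used verbatim as host:25; a sendmail-style
    # [host] or host:port spelling is not handled — confirm the sysconfig format.
    pem=$(openssl s_client -crlf -starttls smtp -connect "${host}:25" < /dev/null |
          sed -rn '\@-----BEGIN CERTIFICATE-----@,\@-----END CERTIFICATE-----@p')
    # Do not leave an empty <host>.pem (and a dangling hash link) behind when
    # the connection or the STARTTLS handshake failed.
    if [[ -z "$pem" ]]; then
        printf '%s: no certificate received from %s\n' "${0##*/}" "$host" >&2
        return 1
    fi
    printf '%s\n' "$pem" > "${host}.pem" || return 1
    ln -sf "${host}.pem" "$(openssl x509 -noout -hash -in "${host}.pem").0"
}

# A value of "no" (any case) or an empty value disables the respective host.
# A failed fetch is reported but, as before, does not abort the script.
for peer in "$SENDMAIL_RELAY" "$SENDMAIL_SMARTHOST" ; do
    [[ -n "$peer" && "${peer,,}" != no ]] || continue
    fetch_peer_cert "$peer"
done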

#
# Create CA_default's
#
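# Directories expected by the [ CA_default ] section.  They are created with
# the umask above (0711); the key files inside private/ are themselves 0600.
# NOTE(review): consider tightening private/ to 0700 — confirm nothing else
# needs to traverse it.
for dir in certs crl newcerts private ; do
    test -d "$dir" && continue
    mkdir "$dir" || { printf '%s: Can not make directory %s\n' "${0##*/}" "$dir" >&2 ; exit 1; }
done
# The serial file and the index database are needed by every 'openssl ca'
# call below, so create them regardless of whether any directory was missing
# on this run (previously they were only created alongside a new directory).
test -s serial || echo '01' >| serial
test -e index.txt || > index.txt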

#
# Create Certificate Authority (CA)
#
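# Only when neither the key nor the certificate exists; if just one of them
# is missing nothing is regenerated, so an existing CA key is never silently
# replaced (fix that by hand).
if [[ ! -s private/CA.key.pem && ! -s CA.cert.pem ]] ; then
    # Without -subj or -batch, openssl req asks for the subject fields on the
    # terminal; the commented -subj example at the top shows the scripted form.
    # -nodes: the key is stored unencrypted, protected only by file mode.
    openssl req -config "$PWD/openssl.cnf" -new -nodes -newkey rsa:4096 \
        -keyout "$PWD/private/CA.key.pem" -out CA.req.pem || \
    { printf '%s: Can not create CA request\n' "${0##*/}" >&2 ; exit 1; }
    # Self-signed with the v3_ca extensions; -batch suppresses the signing
    # prompt.  3605 days is roughly ten years.
    openssl ca  -config "$PWD/openssl.cnf" -create_serial -out CA.cert.pem \
        -days 3605 -batch -keyfile private/CA.key.pem \
        -selfsign -extensions v3_ca -infiles CA.req.pem
    ca_rv=$?
    rm -f CA.req.pem
    (( ca_rv == 0 )) || { printf '%s: Can not create CA certificate\n' "${0##*/}" >&2 ; exit 1; }
    # Hash link so OpenSSL finds the CA by subject hash in CACertPath.
    ln -sf CA.cert.pem "$(openssl x509 -noout -hash -in CA.cert.pem).0"
fi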

#
# Create our certificates
#
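#######################################
# Issue an end-entity certificate signed by the local CA.
# Arguments: $1 - base name; produces <name>.key.pem, <name>.cert.pem and the
#                 <hash>.0 link in CACertPath
# Outputs:   openssl's interactive prompts and diagnostics
# Returns:   0 on success or when both files already exist, 1 on failure
#######################################
issue_cert() {
    local name=$1 rv
    # Both artefacts present: nothing to do.  If only one of them is missing
    # nothing is regenerated either, so an existing key is never silently
    # replaced — remove both files by hand to re-issue.
    [[ ! -s "${name}.key.pem" && ! -s "${name}.cert.pem" ]] || return 0
    # Without -subj or -batch, openssl req asks for the subject on the
    # terminal (see the -subj example at the top for a scripted run).
    # -nodes: the key is stored unencrypted, protected only by file mode.
    openssl req -config "$PWD/openssl.cnf" -new -nodes -newkey rsa:4096 \
        -keyout "${name}.key.pem" -out "${name}.req.pem" || \
    { rm -f "${name}.req.pem" ; return 1; }
    # policy_anything: the subject may differ from the CA's in every field.
    # Without -batch, 'openssl ca' asks for confirmation before signing.
    # 3605 days is roughly ten years, a long lifetime for an end-entity
    # certificate; plan for rotation.
    openssl ca -config "$PWD/openssl.cnf" -policy policy_anything -out "${name}.cert.pem" \
        -days 3605 -infiles "${name}.req.pem"
    rv=$?
    rm -f "${name}.req.pem"
    (( rv == 0 )) || return 1
    ln -sf "${name}.cert.pem" "$(openssl x509 -noout -hash -in "${name}.cert.pem").0"
}

#
# Create our client certificate
#
issue_cert MYClient || { printf '%s: Can not create MYClient certificate\n' "${0##*/}" >&2 ; exit 1; }

#
# Create our server certificate
#
issue_cert MYServer || { printf '%s: Can not create MYServer certificate\n' "${0##*/}" >&2 ; exit 1; }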
