#!/bin/bash

# generate new ca certificate, roll over the old one(s)

set -e

key_dir='#ETCDIR#/simple-pki/keys'

if [ -r '#ETCDIR#/simple-pki/ca.conf' ]; then
  . '#ETCDIR#/simple-pki/ca.conf'
fi

if [ -f "${key_dir}/${ca_name}.key.new" ] \
&& [ -f "${key_dir}/${ca_name}.crt.new" ]; then
  if [ "$(stat -c%Y "${key_dir}/${ca_name}.key.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
  || [ ! -f "${key_dir}/${ca_name}.key" ] \
  || [ "$(stat -c%Y "${key_dir}/${ca_name}.crt.new")" -lt "$(($(date +%s)-60*60*24*30))" ] \
  || [ ! -f "${key_dir}/${ca_name}.crt" ]; then
    mv "${key_dir}/${host_key_file}.key"{.new,}
    mv "${key_dir}/${host_key_file}.crt"{.new,}
  fi
fi

if [ ! -f "${key_dir}/${ca_name}.key.new" ] \
|| [ ! -f "${key_dir}/${ca_name}.crt.new" ]; then
  openssl req -x509 -new \
    -newkey rsa:4096 -sha256 \
    -keyout "${key_dir}/${ca_name}.key.new" \
    -out "${key_dir}/${ca_name}.crt.new" \
    -days 365 -nodes \
    -subj "${ca_subject}"'/CN=Certification Authority' \
    -addext 'subjectKeyIdentifier = hash' \
    -addext 'authorityKeyIdentifier = keyid:always, issuer' \
    -addext 'basicConstraints       = critical, CA:true' \
    -addext 'keyUsage               = keyCertSign, cRLSign'
done

rsync --ignore-missing-args \
  "${key_dir}/${ca_name}.crt"{.new,} \
  "${remote_host}:${remote_dir}/"

(
  cd "${key_dir}"
  printf '%s %s\n' "$(
    date -u --iso-8601=seconds -d@$(stat -c%Y "${ca_name}.key") \
    | cut -d+ -f1
  )" "$(
    sha512sum "${ca_name}.key" \
    | sed 's/\s\+/ /'
  )"
) \
| ssh "${remote_host}" '
  cd "'"${remote_dir}"'"
  while read -r time sum file; do
    rm -f ????-??-??T??\:??\:??".${file}"
    mv "${file}" "${time}.${file}"
    sed -i '"'"'
      / [^.]\+\.'"'"'"${file//./\.}"'"'"'$/d
    '"'"' sha512sums
    printf '"'"'%s  %s\n'"'"' "${sum}" "${time}.${file}" \
    >> sha512sums
  done
'