#!/bin/sh
#
# S51https-cert     Generate a self-signed HTTPS certificate if none is present.
#
# Certificate  : /etc/ssl/certs/self_web_server_cert.pem
# Private key  : /etc/ssl/private/self_web_server_key.pem
#
# Generation is skipped when a web server certificate is already present under
# /etc/ssl/certs/ using the established *_web_server_cert.pem naming convention:
# either one provisioned via setup by the gateway software, or the self-signed
# one produced by a previous run of this script.
# When a real setup is applied, S11telem-config cleanup() removes both the
# provisioned and this self-signed pair, then deploys the provisioned one.
#

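# Do not generate certificates when reboot was done during sysinit
[ -e /var/local/telem/sysinit_reboot ] && exit 0

# Make sure openssl exists
[ -f /usr/bin/openssl ] || exit 0

CERT_DIR=/etc/ssl/certs
KEY_DIR=/etc/ssl/private
CERT_FILE="${CERT_DIR}/self_web_server_cert.pem"
KEY_FILE="${KEY_DIR}/self_web_server_key.pem"

# usable_cert_present CERT_DIR SELF_CERT SELF_KEY
#   Exit status 0 when a web server certificate that must NOT be replaced is
#   installed under CERT_DIR:
#     - any provisioned *_web_server_cert.pem (a name other than SELF_CERT), or
#     - our own self-signed pair, but only when BOTH SELF_CERT and SELF_KEY
#       are non-empty.
#   A zero-size or half-missing self-signed pair is reported as absent so that
#   the caller cleans it up and regenerates it. (Previously a zero-size
#   self-signed cert made the presence check succeed, so the "remove empty
#   leftovers" step could never run and a broken pair was kept forever.)
#   Note: /bin/sh has no `local`; the helper's variables are globals.
usable_cert_present() {
	dir=$1; self_cert=$2; self_key=$3
	for cert in "${dir}"/*_web_server_cert.pem; do
		# An unmatched glob stays as the literal pattern in POSIX sh.
		[ -e "${cert}" ] || continue
		if [ "${cert}" != "${self_cert}" ]; then
			return 0	# provisioned certificate: leave it alone
		fi
		if [ -s "${self_cert}" ] && [ -s "${self_key}" ]; then
			return 0	# complete self-signed pair from an earlier run
		fi
	done
	return 1
}

# generate_self_signed_cert CERT_FILE KEY_FILE
#   Create a 2048-bit RSA key and a 10-year self-signed certificate with
#   subject /O=Martem/CN=telem-gw. Both files are written to a ".tmp" sibling
#   first and renamed into place only after openssl succeeded and produced
#   non-empty output, so an interrupted run (power loss on the gateway, an
#   openssl failure) cannot leave a truncated key or certificate at the final
#   path. Returns 0 on success, non-zero otherwise; temp files are removed on
#   failure. openssl's own diagnostics are discarded as before, so a failure is
#   only visible as the FAILED syslog line written by the caller.
#   NOTE(review): the certificate carries no subjectAltName; current browsers
#   ignore CN and will flag it as invalid for "telem-gw". Adding
#   `-addext "subjectAltName=DNS:telem-gw"` needs OpenSSL >= 1.1.1 -- confirm
#   the gateway's openssl version before enabling it.
generate_self_signed_cert() {
	cert=$1; key=$2
	cert_tmp="${cert}.tmp"; key_tmp="${key}.tmp"
	rm -f -- "${cert_tmp}" "${key_tmp}"
	if /usr/bin/openssl req -x509 -nodes \
			-newkey rsa:2048 \
			-keyout "${key_tmp}" \
			-out    "${cert_tmp}" \
			-days   3650 \
			-subj   "/O=Martem/CN=telem-gw" \
			2>/dev/null \
		&& [ -s "${key_tmp}" ] && [ -s "${cert_tmp}" ]; then
		# Key first: a certificate without its key is useless, while a key
		# without its certificate is repaired on the next run (the pair is
		# then reported as incomplete by usable_cert_present).
		mv -f -- "${key_tmp}" "${key}" && mv -f -- "${cert_tmp}" "${cert}"
		return $?
	fi
	rm -f -- "${cert_tmp}" "${key_tmp}"
	return 1
}

# Skip generation if a usable web server certificate is already present
# (covers both provisioned certs and a complete previously generated pair)
usable_cert_present "${CERT_DIR}" "${CERT_FILE}" "${KEY_FILE}" && exit 0

# Drop a zero-size / half-missing self-signed pair so it is regenerated as a
# whole; keeping one half of it would only produce a broken HTTPS setup.
if [ -e "${CERT_FILE}" ] || [ -e "${KEY_FILE}" ]; then
	echo "Removing incomplete self-signed HTTPS certificate/key..."
	rm -f -- "${CERT_FILE}" "${KEY_FILE}"
fi

# The private key must never be group/world readable.
# NOTE(review): the same umask applies to the certificate and to any directory
# mkdir creates below (0700). If the web server does not run as root, the
# certificate (0600) and a freshly created CERT_DIR may need to be made
# readable separately -- confirm against the web server's user.
umask 077

echo "Generating self-signed HTTPS certificate..."
mkdir -p "${CERT_DIR}" "${KEY_DIR}"
if generate_self_signed_cert "${CERT_FILE}" "${KEY_FILE}"; then
	logger -s -p "user.info" -t "$0" "Self-signed HTTPS certificate generated."
else
	logger -s -p "user.err"  -t "$0" "HTTPS certificate generation FAILED."
fi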

start() {
	# The certificate is produced when the script is loaded (see above);
	# there is no daemon to launch, so this is a no-op that succeeds.
	return 0
}

stop() {
	# Nothing runs in the background, so there is nothing to tear down.
	return 0
}

restart() {
	# Conventional init-script order: tear down, then bring back up.
	# Both halves are no-ops here; stop always succeeds, so start is reached.
	stop && start
}

# Init-script dispatch: the action name is the only argument.
# start/stop map directly onto the functions of the same name; reload is
# treated as restart. Anything else prints usage and fails.
action=$1
case "${action}" in
  start|stop)
	"${action}"
	;;
  restart|reload)
	restart
	;;
  *)
	echo "Usage: $0 {start|stop|restart}"
	exit 1
	;;
esac

exit $?
