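#!/usr/bin/env bash
# generate_certificate.sh — Create a self-signed X.509 certificate for
# open62541 OPC UA applications. Outputs DER-encoded certificate and
# private-key files suitable for the demo programs in this project.
#
# Arguments:
#   $1 certs_dir — output directory for generated files (created if missing)
#   $2 name      — identity name (e.g. "ServerLDS", "Client")
#   $3 uri       — (optional) application URI; defaults to
#                  urn:localhost:bobink:<name>
#
# Options:
#   -p <passphrase> — encrypt the private key with the given passphrase
#
# Produces:
#   <certs_dir>/<name>_cert.der — DER-encoded X.509 certificate
#   <certs_dir>/<name>_cert.pem — PEM-encoded X.509 certificate
#   <certs_dir>/<name>_key.der  — DER-encoded RSA private key
#   <certs_dir>/<name>_key.pem  — PEM-encoded RSA private key
#   <certs_dir>/<name>.cnf      — OpenSSL config (intermediate, kept for reference)
#
# Security notes:
#   * A value given with -p is part of this script's own command line and is
#     therefore visible in process listings and shell history. The script
#     forwards it to openssl through the environment rather than argv so that
#     it is not repeated on every child command line.
#   * Generated files are created owner-only (umask 077) because the
#     directory holds private keys.

set -euo pipefail # Fail fast; no unset vars; catch pipe failures.

usage() {
  echo "Usage: generate_certificate.sh [-p passphrase] <certs_dir> <name> [uri]" >&2
  exit 1
}

die() {
  printf 'generate_certificate.sh: %s\n' "$*" >&2
  exit 1
}

passphrase=""
while getopts "p:" opt; do
  case "$opt" in
    p) passphrase="$OPTARG" ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

if [ $# -lt 2 ] || [ $# -gt 3 ]; then
  usage
fi

certs_dir="$1"
name="$2"
cn="${name}@localhost"
uri="${3:-urn:localhost:bobink:${name}}"

# name becomes part of every output path and, with uri, is written into the
# OpenSSL config: refuse values that would escape certs_dir or inject extra
# config lines.
if [[ -z "$name" || "$name" == */* || "$name" == *$'\n'* || "$name" == *$'\r'* ]]; then
  die "name must be non-empty and must not contain '/' or line breaks"
fi
if [[ "$uri" == *$'\n'* || "$uri" == *$'\r'* ]]; then
  die "uri must not contain line breaks"
fi

mkdir -p "$certs_dir"

# Everything created from here on (config, keys, certificates) is owner-only.
umask 077

cnf="$certs_dir/${name}.cnf"
cert_pem="$certs_dir/${name}_cert.pem"
cert_der="$certs_dir/${name}_cert.der"
key_pem="$certs_dir/${name}_key.pem"
key_der="$certs_dir/${name}_key.der"

# NOTE(review): the body of this here-document and the key/certificate
# generation command that follows it were not legible in the reviewed copy of
# the script. They are reconstructed from what the rest of the script requires
# (a config at $cnf, a CN of $cn, an application URI of $uri, an RSA key at
# $key_pem and a self-signed certificate at $cert_pem). The key size, digest,
# validity period and extension list are constructed defaults — confirm them
# against the project's original before relying on this.
cat >"$cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions = v3_ext
prompt = no

[req_dn]
CN = ${cn}

[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = URI:${uri}, DNS:localhost
EOF

req_args=(
  req -x509 -newkey rsa:2048 -sha256 -days 365
  -config "$cnf"
  -keyout "$key_pem"
  -out "$cert_pem"
)
if [ -n "$passphrase" ]; then
  # env: keeps the passphrase off the openssl command line.
  req_args+=(-passout env:GENCERT_PASSPHRASE)
else
  req_args+=(-nodes)
fi

# stderr is discarded because openssl writes key-generation progress there;
# a failure is still reported explicitly instead of exiting silently.
GENCERT_PASSPHRASE="$passphrase" openssl "${req_args[@]}" 2>/dev/null ||
  die "openssl req failed while generating key and certificate for '$name'"

openssl x509 -in "$cert_pem" -outform der -out "$cert_der" ||
  die "could not convert certificate to DER"

if [ -n "$passphrase" ]; then
  # Encrypted PEM key -> encrypted PKCS#8 DER key, same passphrase on both
  # sides, supplied through the environment rather than "pass:..." on argv.
  GENCERT_PASSPHRASE="$passphrase" openssl pkcs8 -topk8 \
    -in "$key_pem" -outform der -out "$key_der" \
    -passin env:GENCERT_PASSPHRASE -passout env:GENCERT_PASSPHRASE ||
    die "could not convert encrypted private key to DER"
else
  # openssl rsa prints a status line on stderr; silence it but keep the error.
  openssl rsa -in "$key_pem" -outform der -out "$key_der" 2>/dev/null ||
    die "could not convert private key to DER"
fi

echo "Generated certificate '$name' (CN=$cn, URI=$uri):"
echo " $cert_der"
echo " $cert_pem"
echo " $key_der"
echo " $key_pem"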