#!/bin/bash
# generate_certificate.sh — Create a self-signed X.509 certificate for
# open62541 OPC UA applications.  Outputs DER-encoded certificate and
# private-key files suitable for the demo programs in this project.
#
# Arguments:
#   $1  certs_dir  — output directory for generated files (created if missing)
#   $2  name       — identity name (e.g. "ServerLDS", "ClientFindServers")
#   $3  uri        — (optional) application URI; defaults to urn:bobink.<name>
#
# Produces:
#   <certs_dir>/<name>_cert.der   — DER-encoded X.509 certificate
#   <certs_dir>/<name>_cert.pem   — PEM-encoded X.509 certificate
#   <certs_dir>/<name>_key.der    — DER-encoded RSA private key

set -euo pipefail # Fail fast; no unset vars; catch pipe failures.

if [ $# -lt 2 ] || [ $# -gt 3 ]; then
  echo "Usage: generate_certificate.sh <certs_dir> <name> [uri]" >&2
  exit 1
fi

certs_dir="$1"
name="$2"
cn="${name}@localhost"
uri="${3:-urn:bobink.${name}}"

mkdir -p "$certs_dir"

cnf="$certs_dir/${name}.cnf"
cat >"$cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions = v3_ext
prompt = no

[req_dn]
C  = FR
O  = Bobink
CN = ${cn}

[v3_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, URI:${uri}
EOF

openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
  -days 365 \
  -config "$cnf" \
  -keyout "$certs_dir/${name}_key.pem" \
  -out "$certs_dir/${name}_cert.pem" \
  2>/dev/null

openssl x509 -in "$certs_dir/${name}_cert.pem" -outform der \
  -out "$certs_dir/${name}_cert.der"
openssl rsa -in "$certs_dir/${name}_key.pem" -outform der \
  -out "$certs_dir/${name}_key.der" 2>/dev/null

rm -f "$certs_dir/${name}_key.pem" "$cnf"

echo "Generated certificate '$name' (CN=$cn, URI=$uri):"
echo "  $certs_dir/${name}_cert.der"
echo "  $certs_dir/${name}_cert.pem"
echo "  $certs_dir/${name}_key.der"