#!/bin/bash
set -e

CERT_DIR="/certs"
CA_KEY="$CERT_DIR/ca.key"
CA_CERT="$CERT_DIR/ca.crt"
SERVER_KEY="$CERT_DIR/server.key"
SERVER_CSR="$CERT_DIR/server.csr"
SERVER_CERT="$CERT_DIR/server.crt"

# Defaults
CERT_COUNTRY="${CERT_COUNTRY:-DE}"
CERT_STATE="${CERT_STATE:-Bavaria}"
CERT_CITY="${CERT_CITY:-Munich}"
CERT_ORG="${CERT_ORG:-MyOrganization}"
CERT_OU="${CERT_OU:-IT}"
CERT_CN="${CERT_CN:-proxy.local}"
CERT_DAYS="${CERT_DAYS:-36500}"

# Skip if certs already exist
if [ -f "$CA_CERT" ] && [ -f "$SERVER_CERT" ] && [ -f "$SERVER_KEY" ]; then
    echo "Certificates already exist. Skipping generation."
    echo "Delete files in $CERT_DIR to regenerate."
    exit 0
fi

echo "=== Generating CA (Certificate Authority) ==="
openssl genrsa -out "$CA_KEY" 4096

openssl req -new -x509 -days "$CERT_DAYS" -key "$CA_KEY" -out "$CA_CERT" \
    -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN CA"

echo "=== Generating Server Certificate ==="
openssl genrsa -out "$SERVER_KEY" 4096

openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR" \
    -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN"

# Create extension file for SAN (Subject Alternative Names)
cat > "$CERT_DIR/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names

[alt_names]
DNS.1=$CERT_CN
DNS.2=localhost
IP.1=127.0.0.1
EOF

openssl x509 -req -in "$SERVER_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$SERVER_CERT" -days "$CERT_DAYS" \
    -extfile "$CERT_DIR/server.ext"

# Cleanup
rm -f "$SERVER_CSR" "$CERT_DIR/server.ext" "$CERT_DIR/ca.srl"

echo "=== Certificates generated successfully ==="
echo "CA Certificate:     $CA_CERT"
echo "Server Certificate: $SERVER_CERT"
echo "Server Key:         $SERVER_KEY"
echo "Validity:           $CERT_DAYS days (~$(($CERT_DAYS / 365)) years)"