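#!/bin/sh
#
# Generate a private CA plus a server and a client certificate for
# MariaDB under <ssldir>/ssl.
#
# Files produced in <ssldir>/ssl:
#   ca-key.pem, ca.pem              CA private key (0600) and self-signed cert
#   server-key.pem, server-cert.pem leaf key (0600) and cert signed by the CA
#   client-key.pem, client-cert.pem leaf key (0600) and cert signed by the CA
#
# Private keys are written unencrypted (-nodes / genrsa without a cipher);
# the hard-coded "pass@@xxx" passinput file of the original was never
# consulted by openssl for these unencrypted keys and is no longer created.
#
# The script is POSIX sh and checks each command explicitly instead of
# relying on `set -e`.  MARIADB_SSL_DAYS may be exported to override the
# certificate lifetime; the default is the original's 365000 days (~1000
# years).  Such certificates can only be withdrawn by replacing the CA, so
# consider a shorter lifetime where rotation is practical.

MARIADB_SSL_DAYS=${MARIADB_SSL_DAYS:-365000}

#######################################
# Print an openssl req(1) configuration for a certificate with CN=$1.
# Arguments: $1 - common name
#            $2 - file name used as RANDFILE
# Outputs:   the configuration on stdout
# Returns:   1 with a usage line on stderr unless exactly two args are given
#
# Notes:
#  - [v3_req] is emitted but not referenced by req_extensions, so the SAN
#    never reaches a CSR or certificate.  That is deliberate here: the CNs
#    this script uses ("MariaDB server") are not hostnames.  A client that
#    verifies the server name (--ssl-verify-server-cert) needs a certificate
#    whose CN/SAN matches the real hostname, which this script does not make.
#  - [ v3_ca ] is applied only to the self-signed CA (via -extensions) so the
#    CA certificate carries basicConstraints CA:TRUE and a key-usage limited
#    to signing.
#  - default_bits and encrypt_key are overridden on the openssl command
#    lines (rsa:2048, -nodes); they are kept for compatibility.
#######################################
create_mariadb_ssl_cnf() {
  if [ $# -ne 2 ] ; then
    echo "USAGE: create_mariadb_ssl_cnf CN randfilename" 1>&2
    return 1
  fi
  cn=$1
  randfile=$2
  # printf with the values as arguments, never as the format string
  printf '\nRANDFILE = %s\n\n' "$randfile"
  printf '[ req ]\n'
  printf 'default_bits = 4096\n'
  printf 'encrypt_key = yes\n'
  printf 'distinguished_name = req_dn\n'
  printf 'prompt = no\n'
  printf 'default_md = sha256\n\n'
  printf '[v3_req]\n'
  printf 'subjectAltName = DNS:%s\n\n' "$cn"
  printf '[ v3_ca ]\n'
  printf 'basicConstraints = critical,CA:TRUE\n'
  printf 'keyUsage = critical,keyCertSign,cRLSign\n'
  printf 'subjectKeyIdentifier = hash\n\n'
  printf '[ req_dn ]\n'
  printf 'CN=%s\n\n' "$cn"
}

#######################################
# Sign a CSR with the local CA (ca.pem / ca-key.pem in the current dir).
# Arguments: $1 - CSR file
#            $2 - output certificate file
# Returns:   0 on success, 1 on failure (message on stderr)
#
# Every certificate issued by one CA must carry a unique serial number; the
# original passed -set_serial 01 for both the server and the client cert,
# which strict verifiers reject.  A 128-bit random serial is unique and
# unpredictable.
#######################################
_mariadb_ssl_sign() {
  serial=$(/usr/bin/openssl rand -hex 16)
  if [ $? -ne 0 ] || [ -z "$serial" ] ; then
    echo "failed to generate a serial number for $2" 1>&2
    return 1
  fi
  /usr/bin/openssl x509 -req -in "$1" -days "$MARIADB_SSL_DAYS" -CA ca.pem -CAkey ca-key.pem \
    -set_serial "0x$serial" -out "$2"
}

#######################################
# Create an unencrypted RSA-2048 key, a CSR and a CA-signed certificate.
# Arguments: $1 - common name
#            $2 - RANDFILE name (temporary)
#            $3 - file prefix, e.g. "server" -> server-key.pem,
#                 server-req.pem, server-cert.pem
# Must be called from inside the ssl directory.  ssl.cnf and the RANDFILE
# are removed on both the success and the failure path.
# Returns:   0 on success, 1 at the first failing step (message on stderr)
#######################################
_mariadb_ssl_leaf() {
  leaf_cn=$1
  leaf_rand=$2
  leaf=$3
  create_mariadb_ssl_cnf "$leaf_cn" "$leaf_rand" > ssl.cnf || return 1
  # umask 077 in a subshell: the key file is created 0600 rather than being
  # world-readable until the chmod below.  -days is ignored by req without
  # -x509 but is kept as in the original.
  if ! ( umask 077 && /usr/bin/openssl req -newkey rsa:2048 -days "$MARIADB_SSL_DAYS" -nodes \
           -keyout "${leaf}-key.pem" -out "${leaf}-req.pem" -config ssl.cnf ) ; then
    /bin/rm -f "$leaf_rand" ssl.cnf
    echo "failed to create ${leaf}-req.pem" 1>&2
    return 1
  fi
  /bin/rm -f "$leaf_rand" ssl.cnf
  # Re-encode the key in place, as the original did (presumably to obtain the
  # traditional "RSA PRIVATE KEY" PEM form some MariaDB builds expect — confirm)
  if ! /usr/bin/openssl rsa -in "${leaf}-key.pem" -out "${leaf}-key.pem" ; then
    echo "failed to create ${leaf}-key.pem" 1>&2
    return 1
  fi
  /bin/chmod 600 "${leaf}-key.pem"
  if ! _mariadb_ssl_sign "${leaf}-req.pem" "${leaf}-cert.pem" ; then
    echo "failed to create ${leaf}-cert.pem" 1>&2
    return 1
  fi
}

#######################################
# Create <ssldir>/ssl and populate it with the CA, server and client material.
# Arguments: $1 - base directory; certificates go to $1/ssl
# Returns:   0 when `openssl verify` accepts both leaf certificates,
#            1 on any failure (message on stderr)
# Side effects: changes the current working directory to $1/ssl (as the
#            original did); refuses to run if that directory already exists.
#######################################
mariadb_ssl_rsa_setup() {
  if [ $# -ne 1 ] ; then
    echo "USAGE: mariadb_ssl_rsa_setup ssldir" 1>&2
    return 1
  fi
  # The original validated $# but never assigned ssldir, so it silently
  # operated on "/ssl" regardless of the argument.
  ssldir=$1
  if [ -d "$ssldir/ssl" ] ; then
    echo "SSL Certs exists. Remove $ssldir/ssl to proceed" 1>&2
    return 1
  fi
  /bin/mkdir -p "$ssldir/ssl" || return 1
  # An unchecked cd would drop every key into the caller's cwd.
  cd "$ssldir/ssl" || return 1
  echo "Creating MariaDB SSL/TLS Certificates"

  # CA key, created 0600 from the start (see umask note in _mariadb_ssl_leaf)
  if ! ( umask 077 && /usr/bin/openssl genrsa 2048 > ca-key.pem ) ; then
    echo "failed to create ca-key.pem" 1>&2
    return 1
  fi
  /bin/chmod 600 ca-key.pem

  create_mariadb_ssl_cnf "MariaDB admin" test1.rand > ssl.cnf || return 1
  if ! /usr/bin/openssl req -new -x509 -nodes -days "$MARIADB_SSL_DAYS" -key ca-key.pem -out ca.pem \
         -extensions v3_ca -config ssl.cnf ; then
    /bin/rm -f test1.rand ssl.cnf
    echo "failed to create ca.pem" 1>&2
    return 1
  fi
  /bin/rm -f test1.rand ssl.cnf

  _mariadb_ssl_leaf "MariaDB server" test2.rand server || return 1
  _mariadb_ssl_leaf "MariaDB user" test3.rand client || return 1

  /usr/bin/openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
}

mariadb_ssl_rsa_setup /var/indimail/mysqldb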