# functions for handling ASCEDS_OPENSSL=${ASCEDS_SSLDIR}/openssl.cnf
# 
# asceds-openssl-check "<hostname>"
# checks if <hostname> is configured into openssl.cnf
#    returns 0 if configured, 1 if not configured
# 
# asceds-openssl-add "<hostname>"
# adds <hostname> to the SANS list in openssl.cnf
#    returns 0 if successful, 1 if not
# 
# asceds-openssl-del "<hostname>"
# deletes <hostname> from the SANS list in openssl.cnf
#    returns 0 if successful, 1 if not
# 
# 
# 
# 
##################################################################
# checks if <hostname> is configured into openssl.cnf
#    returns 0 if configured, 1 if not configured

# Usage: asceds-openssl-check "<hostname>"
asceds-openssl-check()
{
   local HSTNAME="$1"
   if [ -z "${HSTNAME}" ] ; then
      asceds-error "Empty value for the hostname"
   fi

   if [ ! -r "${ASCEDS_OPENSSL}" ] ; then
      asceds-error "No ${ASCEDS_OPENSSL} file on this system"
   fi

   TESTHST=$( sed -e "s/#.*//g" ${ASCEDS_OPENSSL} | \
              grep "=\s*${HSTNAME}\s*" | wc -l )
   if [ "${TESTHST}" = "0" ] ; then
      asceds-echo "${HSTNAME} not configured into ${ASCEDS_OPENSSL}"
      return 1
   else
      asceds-echo "${HSTNAME} configured into ${ASCEDS_OPENSSL} ${TESTHST} time(s)"
      return 0
   fi
}

##################################################################
# adds <hostname> to the SANS list in openssl.cnf
#    returns 0 if successful, 1 if not

# Usage: asceds-openssl-add "<hostname>"
asceds-openssl-add()
{
   local HSTNAME="$1"
   if [ -z "${HSTNAME}" ] ; then
      asceds-error "Empty value for the hostname"
   fi

   if [ ! -r "${ASCEDS_OPENSSL}" ] ; then
      asceds-error "No ${ASCEDS_OPENSSL} file on this system"
   fi

   SANS_CURRENT=$( ${GREP} "^\s*DNS.[0-9]*\s*=" ${ASCEDS_OPENSSL} | \
      sed -e "s/.*=\s*//" | sort | uniq | xargs | tr '[:upper:]' '[:lower:]' )

   # add new value
   SANSTEST=$( cat <<< ${SANS_CURRENT} | ${GREP} -E "(^| )${HSTNAME}" )
   if [ -z "${SANSTEST}" ] ; then
      asceds-echo "Adding ${HSTNAME} to the list of SANS from ${ASCEDS_OPENSSL}"
      SANS_CURRENT="${SANS_CURRENT} ${HSTNAME}"
   else 
      asceds-warning "Hostname ${HSTNAME} already in the list of SANS from ${ASCEDS_OPENSSL}"
      return 0
   fi

   # add the fqdn if missing
   FQDN_SSL=$( hostname -f | tr '[:upper:]' '[:lower:]' )
   if [ -z "$( cat <<< ${SANS_CURRENT} | ${GREP} -w ${FQDN_SSL} )" ] ; then
      asceds-echo "Adding FQDN ${FQDN_SSL} to the list of SANS from ${ASCEDS_OPENSSL}"
      SANS_CURRENT="${FQDN_SSL} ${SANS_CURRENT}"
   fi
   SANS_CURRENT_COUNT=$( cat <<< ${SANS_CURRENT} | wc -w )

   # keep backup of the original
   ${CP} -af ${ASCEDS_OPENSSL} ${ASCEDS_OPENSSL}.bak

   # check for proper config of [ alt_names ] in the process
   TESTALTNAMES=$( ${GREP} "^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*@alt_names[[:space:]]*$" \
          ${ASCEDS_OPENSSL} )
   if [ -z "${TESTALTNAMES}" ] ; then
      TESTALTNAMES1=$( ${GREP} "^[[:space:]]*#[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*@alt_names[[:space:]]*$" \
                   ${ASCEDS_OPENSSL} )
      if [ -n "${TESTALTNAMES1}" ] ; then
         # subjectAltName is commented out
         asceds-echo "subjectAltName line commented out; un-commenting"
         sed -i -e "s/^[[:space:]]*#[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*@alt_names[[:space:]]*$/subjectAltName=@alt_names/" \
                    ${ASCEDS_OPENSSL}
      else
         # subjectAltName line doesn't exist at all
         asceds-echo "Adding subjectAltName=@alt_names and the [ alt_names ] section to openssl.cnf"

         csplit -s -f ${ASCEDS_OPENSSL}xx ${ASCEDS_OPENSSL} '/^[[:space:]]*\[[[:space:]]*v3_req[[:space:]]*\][[:space:]]*$/'+1
         ${MV} -f ${ASCEDS_OPENSSL}xx00 ${ASCEDS_OPENSSL}
         ${MV} -f ${ASCEDS_OPENSSL}xx01 ${ASCEDS_OPENSSL}.body
         csplit -s -f ${ASCEDS_OPENSSL}xx ${ASCEDS_OPENSSL}.body '/^[[:space:]]*\[/'
         cat ${ASCEDS_OPENSSL}xx00 >> ${ASCEDS_OPENSSL}
         cat <<< 'subjectAltName=@alt_names' >> ${ASCEDS_OPENSSL}
         cat <<< '' >> ${ASCEDS_OPENSSL}
         cat <<< '[ alt_names ]'>> ${ASCEDS_OPENSSL}
         cat <<< "DNS.1=${FQDN_SSL}" >> ${ASCEDS_OPENSSL}
         cat <<< '' >> ${ASCEDS_OPENSSL}
         cat ${ASCEDS_OPENSSL}xx01 >> ${ASCEDS_OPENSSL}
         ${RM} -f ${ASCEDS_OPENSSL}xx00 ${ASCEDS_OPENSSL}xx01 {ASCEDS_OPENSSL}.body

      fi
   fi

   # Split openssl.cf in head+tail
   csplit -s -f ${ASCEDS_OPENSSL}xx ${ASCEDS_OPENSSL} \
      '/^\s*\[\s*alt_names\s*\]\s*$/'+1
   ${MV} -f ${ASCEDS_OPENSSL}xx00 ${ASCEDS_OPENSSL}
   ${GREP} -v "^[[:space:]]*DNS.[0-9]*[[:space:]]*=" ${ASCEDS_OPENSSL}xx01 > \
      ${ASCEDS_OPENSSL}.tail   

   # add DNS lines in [ alt_names ]
   SC=0
   for SANS_NAME in ${SANS_CURRENT} ; do
      
     SC=$(( ${SC}+1 ))
     cat <<< "DNS.${SC} = ${SANS_NAME}" >> ${ASCEDS_OPENSSL} 
   done
   
   # add the tail
   cat ${ASCEDS_OPENSSL}.tail >> ${ASCEDS_OPENSSL}

   # clean up
   ${RM} -f ${ASCEDS_OPENSSL}.tail ${ASCEDS_OPENSSL}xx01

   asceds-openssl-check "${HSTNAME}" || return 0
   return 1
}

##################################################################
# deletes <hostname> from the SANS list in openssl.cnf
#    returns 0 if successful, 1 if not

# Usage: asceds-openssl-del "<hostname>"
asceds-openssl-del()
{
   local HSTNAME="$1"
   if [ -z "${HSTNAME}" ] ; then
      asceds-error "Empty value for the hostname"
   fi

   if [ ! -r "${ASCEDS_OPENSSL}" ] ; then
      asceds-error "No ${ASCEDS_OPENSSL} file on this system"
   fi

   SANS_CURRENT=$( ${GREP} "^\s*DNS.[0-9]*\s*=" ${ASCEDS_OPENSSL} | \
         sed -e "s/.*=[[:space:]]*//" | \
         ${GREP} -v -E "^${HSTNAME}([[:space:]]|$)" | \
         sort | uniq | xargs | tr '[:upper:]' '[:lower:]' )

   # add the fqdn  if missing
   FQDN_SSL=$( hostname -f  | tr '[:upper:]' '[:lower:]' )
   if [ -z "$( cat <<< ${SANS_CURRENT} | ${GREP} -w ${FQDN_SSL} )" ] ; then
      asceds-echo "Adding FQDN ${FQDN_SSL} to the list of SANS from ${ASCEDS_OPENSSL}"
      SANS_CURRENT="${FQDN_SSL} ${SANS_CURRENT}"
   fi
   SANS_CURRENT_COUNT=$( cat <<< ${SANS_CURRENT} | wc -w )

   # keep backup of the original
   ${CP} -af ${ASCEDS_OPENSSL} ${ASCEDS_OPENSSL}.bak

   # Split openssl.cf in head+tail
   csplit -s -f ${ASCEDS_OPENSSL}xx ${ASCEDS_OPENSSL} \
      '/^[[:space:]]*\[[[:space:]]*alt_names[[:space:]]*\][[:space:]]*$/'+1
   ${MV} -f ${ASCEDS_OPENSSL}xx00 ${ASCEDS_OPENSSL}
   ${GREP} -v "^[[:space:]]*DNS.[0-9]*[[:space:]]*=" \
      ${ASCEDS_OPENSSL}xx01 > ${ASCEDS_OPENSSL}.tail   

   # add DNS lines in [ alt_names ]
   SC=0
   for SANS_NAME in ${SANS_CURRENT} ; do
      
     SC=$(( ${SC}+1 ))
     cat <<< "DNS.${SC} = ${SANS_NAME}" >> ${ASCEDS_OPENSSL} 
   done
   
   # add the tail
   cat ${ASCEDS_OPENSSL}.tail >> ${ASCEDS_OPENSSL}

   # clean up
   ${RM} -f ${ASCEDS_OPENSSL}.tail ${ASCEDS_OPENSSL}xx01

   # if that's the last SANS value, comment out the subjectAltName line
   if [ "${SANS_CURRENT_COUNT}" -le "1" ] ; then
      sed -i -e "/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*@alt_names[[:space:]]*$/ s/^/#/" \
         ${ASCEDS_OPENSSL}
   fi

   asceds-openssl-check "${HSTNAME}" || return 1
   return 0
}

##################################################################

