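#!/bin/sh

# Initialise the NSS database used by alt-signer: create it (empty
# password, protected by filesystem permissions only) and, when the
# configuration names a CA, generate a self-signed CA certificate in it.
# Re-running on an already initialised database only re-applies the
# directory ownership/mode and then exits 0.
#
# Usage: takes no arguments; must run with enough privilege to chown to
#        alt-signer-keyring:pesign.
#
# Configuration (sourced from /etc/alt-signer/config when readable):
#   ALT_SIGNER_DBDIR           NSS database directory
#                              (default /var/lib/alt-signer)
#   ALT_SIGNER_CA_NICKNAME     nickname of the CA certificate to generate
#   ALT_SIGNER_CA_COMMON_NAME  CN of that certificate; the CA is only
#                              generated when both are set and non-empty

# Shell options live here rather than on the shebang line so they still
# apply when the script is run as "sh <script>".
set -eu

# shellcheck enable=all disable=SC2250

PROG="${0##*/}"
if [ "$#" -ne 0 ]; then
	printf 'Usage: %s\n' "$PROG" >&2
	exit 1
fi

# Nothing created below may be group-writable or world-accessible. With
# this umask the database directory is created 0750 and its files 0640,
# so there is no window between their creation and the explicit chown/chmod
# further down in which they carry the default mode.
umask 027

# The config file is executed as shell code with this script's privileges,
# so it must only be writable by root.
config_file=/etc/alt-signer/config
if [ -r "$config_file" ]; then
	# shellcheck source=/dev/null
	. "$config_file"
fi

dbdir=${ALT_SIGNER_DBDIR:-/var/lib/alt-signer}

if [ ! -d "$dbdir" ]; then
	mkdir -p -- "$dbdir"
fi

# Re-applied on every run, so a directory whose ownership or mode has
# drifted is corrected even when the database itself already exists.
chown -- alt-signer-keyring:pesign "$dbdir"
chmod -- 750 "$dbdir"

# Already initialised: certutil can list the database, so leave it alone.
if certutil -d "$dbdir" -L >/dev/null 2>&1; then
	exit 0
fi

# The database is created with an empty password: it is used unattended,
# so access control relies entirely on the directory and file modes set
# here rather than on an NSS password.
certutil -d "$dbdir" -N --empty-password

# The files certutil just created belong to whoever ran this script; hand
# them to the service user/group and make them group-readable only.
chown -- alt-signer-keyring:pesign "$dbdir"/*
chmod -- 640 "$dbdir"/*

ca_nick="${ALT_SIGNER_CA_NICKNAME:-}"
ca_cn="${ALT_SIGNER_CA_COMMON_NAME:-}"

# Both values are required as efikeygen arguments below, so the CA is
# only generated when the configuration provides both of them.
if [ -n "$ca_nick" ] && [ -n "$ca_cn" ]; then
	efikeygen \
		--dbdir "$dbdir" \
		--self-sign \
		--ca \
		--nickname "$ca_nick" \
		--common-name "CN=$ca_cn"
fi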
