#!/bin/bash
# state:
#       check  ----- check certificate files by openssl
# cert: certificate
# chain: chain
# key: provate key
export LANG=en_EN.UTF-8
export NOLOCALE=yes
export PATH=/sbin:/bin:/usr/sbin:/usr/bin

OPENSSL=/usr/bin/openssl

[[ -z $DEBUG  ]] && DEBUG=0
BASE_DIR=/opt/webdir
LOGS_DIR=$BASE_DIR/logs
TEMP_DIR=$BASE_DIR/temp

TMP_DIR=$BASE_DIR/tmp
[[ ! -d $TMP_DIR  ]] && mkdir -m 700 $TMP_DIR
LOG_FILE=$TMP_DIR/bx_cert$$.log
TMP_FILE=$(mktemp $TMP_DIR/bx_certXXXXX)

#set -x

log(){
    mess=$1

    echo "$(date +%s) $mess" >> $LOG_FILE
}

debug(){
    mess=$1

    [[ $DEBUG -gt 0  ]] && log "$mess"
}

# print error message
print_error() {
    msg="$1"
    log "$msg"
    echo "{\"changed\":false,\"failed\":true,\"msg\":\"$msg\"}"
    [[ -f $TMP_FILE ]] && rm -f $TMP_FILE
    exit 1
}

# print ok
print_ok() {
    msg="$1"

    echo "{\"changed\":false,\"msg\":\"$msg\"}"
    debug "$msg"
    [[ -f $TMP_FILE ]] && rm -f $TMP_FILE

    exit 0
}

test_files() {
    [[ -x $OPENSSL  ]] || \
        print_error "Not found openssl command. Please run, yum install openssl." 

    # test variables and file
    if [[ -z $cert ]]; then
        print_error "Option cert= cannot be empty."
    fi
    if [[ -z $priv ]]; then
        print_error "Option priv= cannot be empty."
    fi

    for file in "$cert" "$priv" "$chain"; do
        [[ (-n $file) && ( ! -f $file ) ]] && \
            print_error "Cannot find file=$file"
    done

    # check rsa key
    if [[ $( grep -c "ENCRYPTED" $priv 2>/dev/null ) -gt 0 ]]; then
        print_error \
            "Unsupported private key format; Private key must be PEM-encoded and unencrypted"
    fi

    $OPENSSL rsa -in "$priv" -check > $TMP_FILE 2>&1
    rsa_rtn=$?
    [[ $rsa_rtn -gt 0 ]] && \
        print_error "Testing private key=$priv return error: $rsa_rtn"

    # check certificate and chain file
    if [[ -n $chain ]]; then
        $OPENSSL verify -untrusted $chain $cert >$TMP_FILE 2>&1
        ver_rtn=$?

        if [[ $ver_rtn -gt 0 ]]; then
            error_msg=$(tail -n1 $TMP_FILE)
            $OPENSSL verify -verbose -x509_strict -CAfile $chain $cert >$TMP_FILE 2>&1
            if [[ $? -gt 0 ]]; then
                print_error \
                    "Testing certificate and chain return error: $ver_rtn $error_msg"
            fi
        fi
    else
        $OPENSSL x509 -in $cert -enddate -noout >$TMP_FILE 2>&1
        ver_rtn=$?
        [[ $ver_rtn -gt 0 ]] && \
            print_error \
            "Testing certificate return error: $ver_rtn $(head -n1 $TMP_FILE)"
        enddate=$(date -d "$(cat $TMP_FILE | cut -d'=' -f2)" +%s)
        date=$(date +%s)
        [[ $enddate -le $date ]] &&
            print_error \
            "Certificate $cert has expired"
    fi

    # check certificate and private key
    cert_md5=$($OPENSSL x509 -noout -modulus -in $cert | $OPENSSL md5)
    priv_md5=$($OPENSSL rsa  -noout -modulus -in $priv | $OPENSSL md5)
    if [[ $cert_md5 != "$priv_md5" ]]; then
        print_error \
        "The certificate and private key do not match."
    fi
    print_ok "The certificate and private key are good."
}

# get ansible options
source ${1}

test_files