#!/bin/sh

set -e

cleanup() {
    if [ -n "${workdir}" -a -d "${workdir}" ]; then
        rm -rf "${workdir}"
    fi
    rm -rf /var/lib/softhsm/tokens/*
    rm -rf /etc/openvpn/easy-rsa
    rm -f /etc/openvpn/ca.crt
    rm -f /etc/openvpn/dh.pem
    rm -f "/etc/openvpn/${SERVER_CERT}"
    rm -f "/etc/openvpn/${SERVER_KEY}"
    rm -f "/etc/openvpn/${CLIENT_CERT}"
    rm -f "/etc/openvpn/${CLIENT_KEY}"
    rm -f /etc/openvpn/server.conf
    rm -f /etc/openvpn/client.conf
    rm -f /etc/openvpn/ta.key
}

trap cleanup EXIT

PIN="1234"
SO_PIN="12341234"
URI="pkcs11:model=SoftHSM%20v2"
SUBJECT_SERVER="CN=openvpn-server"
SERVER_CERT="${SUBJECT_SERVER##CN=}.crt"
SERVER_KEY="${SUBJECT_SERVER##CN=}.key"
SUBJECT_CLIENT="CN=openvpn-client"
CLIENT_KEY="${SUBJECT_CLIENT##CN=}.key"
CLIENT_CERT="${SUBJECT_CLIENT##CN=}.crt"
LABEL="openvpn-client-key"

cleanup

workdir=$(mktemp -d)
easyrsa_dir="/etc/openvpn/easy-rsa"
ssl_cnf="${workdir}/ssl.cnf"
req_pem="${workdir}/req.pem"
DEB_BUILD_MULTIARCH="$(dpkg-architecture -q DEB_BUILD_MULTIARCH)"
OPENSSL_CONF="${ssl_cnf}"

cat > ${ssl_cnf} <<EOF
HOME = .
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/${DEB_BUILD_MULTIARCH}/engines-3/pkcs11.so
MODULE_PATH = /usr/lib/${DEB_BUILD_MULTIARCH}/softhsm/libsofthsm2.so
init = 0
EOF

echo "## Initializing softhsm2"
softhsm2-util --init-token --free --label test-token --pin ${PIN} --so-pin ${SO_PIN}

echo "## Generating client RSA key in the softhsm2 token"
p11tool \
    --provider /usr/lib/${DEB_BUILD_MULTIARCH}/softhsm/libsofthsm2.so \
    --login --generate-rsa --bits 1024 --label "${LABEL}" --set-pin ${PIN} \
    --outfile /dev/stdout "${URI}"

echo "## Listing generated private key"
p11tool \
    --provider /usr/lib/${DEB_BUILD_MULTIARCH}/softhsm/libsofthsm2.so \
    --list-privkeys --login --set-pin ${PIN} "${URI}"

echo "## With openssl engine, generate a certificate request with the client RSA key in the softhsm2 token"
OPENSSL_CONF="${ssl_cnf}" openssl \
    req -engine pkcs11 -new -key "${URI};object=${LABEL};pin-value=${PIN}" \
    -keyform engine -out ${req_pem} -text -subj "/${SUBJECT_CLIENT}"

echo
echo "## Confirm openvpn can see the pkcs11 engine"
output=$(OPENSSL_CONF="${ssl_cnf}" openvpn --show-engines)
echo "${output}"
if ! echo "${output}" | grep -q pkcs11; then
    echo "## FAILED: no pkcs11 in above output"
    exit 1
fi

echo
echo "## Setting up easy-rsa"
export EASYRSA_BATCH=1
export EASYRSA_REQ_CN=easyrsa-ca
make-cadir "${easyrsa_dir}"
cd "${easyrsa_dir}"
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh

echo
echo "## Generating server certificate"
./easyrsa gen-req openvpn-server nopass
./easyrsa sign-req server openvpn-server

echo
echo "## Importing client certificate request into easy-rsa for signing"
./easyrsa import-req "${req_pem}" "${SUBJECT_CLIENT##CN=}"

echo
echo "## Signing openvpn client certificate request with easy-rsa"
./easyrsa sign-req client "${SUBJECT_CLIENT##CN=}"

echo
echo "## Importing signed client certificate into softhsm2"
p11tool --load-certificate "pki/issued/${CLIENT_CERT}" --write --login --set-pin "${PIN}" --label "${LABEL}" "${URI}"

echo
echo "## Confirming openvpn client certificate now appears in the output of openvpn --show-pks11-ids"
output=$(openvpn --show-pkcs11-ids)
echo "${output}"
if ! echo "${output}" | grep -q "${SUBJECT_CLIENT}"; then
    echo "## FAILED: openvpn cannot see our certificate in the store"
    exit 1
fi
pkcs11_id=$(echo "${output}" | grep "Serialized id:" | awk '{print $3}')
if [ -z "${pkcs11_id}" ]; then
    echo "## FAILED: no pkcs11_id URI found in --show-pkcs11-ids output"
    exit 1
fi

echo
echo "## Copying files to /etc/openvpn"
# client cert and key are all in the softhsm2 token by now
cp pki/dh.pem pki/ca.crt "pki/issued/${SERVER_CERT}" "pki/private/${SERVER_KEY}" /etc/openvpn

echo
echo "## Generating openvpn server config"
cd /etc/openvpn
openvpn --genkey --secret ta.key
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto udp
dev tun
ca ca.crt
key ${SERVER_KEY}
cert ${SERVER_CERT}
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
EOF

echo "## Generating openvpn client config"
cat > /etc/openvpn/client.conf <<EOF
client
dev tun
proto udp
remote localhost 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
pkcs11-id '${pkcs11_id}'
remote-cert-tls server
tls-auth ta.key 1
verb 3
EOF

echo
echo "## Starting up openvpn server"
systemctl start openvpn@server.service

echo "## Checking if service is alive"
sleep 5s
systemctl status openvpn@server.service | cat

echo
echo "## Process is:"
ps axww | grep '/etc/openvpn/server\.conf'

echo
echo "## Starting openvpn client. There will be a console message asking for a password,"
echo "## which will pollute the terminal a bit. But this script will provide that password with"
echo "## expect(1)."

systemctl start openvpn@client.service

sleep 5
expect -d -c "spawn /usr/bin/systemd-tty-ask-password-agent; expect Password:; send \"${PIN}\r\"; expect eof"

sleep 5
echo "## Checking openvpn client service"
systemctl status openvpn@client.service | cat
echo
echo "## Process is:"
ps axww | grep "/etc/openvpn/client\.conf"

echo
echo "## Listing tun devices (we expect to have two of them)"
tuns=$(ip a | grep -E 'tun[0-9]+:')
echo "${tuns}"
n_tuns=$(echo "${tuns}" | wc -l)
if [ ${n_tuns} -ne 2 ]; then
    echo "## FAILED: expected TWO tun devices"
    exit 1
fi

echo
echo "## All good, stopping client and server services"
systemctl stop openvpn@server.service
systemctl stop openvpn@client.service

echo "## Done."