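#!/bin/bash
#
# get_public_cert.sh — extract the public certificate from a PKCS#12 file,
# check that it is a valid University of Bremen certificate and turn it into
# LDAP LDIF entries (one entry per e-mail address found in the certificate).
#
# Usage:   echo PASSWORD | ./get_public_cert.sh <file>.p12 <uid>
#   $1     path to the .p12 file (the ".p12" suffix may be omitted)
#   $2     uid used to build the entry names
#   stdin  the PKCS#12 password (first line)
#
# Output: path and contents of the generated LDIF file on stdout (debug);
#         the ldapadd call at the end is still commented out.
# Exit status: 0 on success, 1 on any error (message on stderr).
set -euo pipefail

#############
# Parameter #
#############
readonly dn_base=",ou=people,dc=smime,dc=uni-bremen,dc=de"
readonly org1="Universitaet Bremen"
readonly org2="Universität Bremen"
# Trust anchor for `openssl verify`; resolved relative to the working directory.
readonly root_certificate="HARICA-GEANT.pem"

########################
# CipherMail Parameter #
########################
readonly ENABLE_CIPHERMAIL_SUPPORT=false
readonly base_url="https://ciphermail.neuro.uni-bremen.de"
readonly ciphermail_username="sa"
# NOTE(review): a credential kept in the script ends up in version control and
# backups; reading it from a 0600 file or the environment would avoid that.
readonly ciphermail_password="REDACTED"

# Scratch directory; created in main(), removed by the EXIT trap.
tmpdir=""

##########################################
# Helpers                                #
##########################################

# Print a message on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the usage line and stop (all three inputs are mandatory).
usage() {
  echo "Usage: echo PASSWORD | ./get_public_cert.sh <file>.p12 <uid>"
  die "Error: Missing required arguments."
}

# Function to read first line from file and remove newline character.
# (Not called by this script itself.)
read_first_line() {
  local file="$1"
  head -n 1 "$file" | tr -d '\n'
}

# Print every value of one subject attribute (CN, SN, GN, O, ...) of a PEM
# certificate, one per line; prints nothing when the attribute is absent.
# sep_multiline puts each RDN on its own line, so a value that itself
# contains "," is not cut in half as it would be in the one-line form.
subject_attr() {
  local pem="$1" attr="$2"
  openssl x509 -in "$pem" -noout -subject \
      -nameopt sep_multiline,utf8,esc_ctrl 2>/dev/null \
    | sed -n "s/^[[:space:]]*${attr}=//p" || true
}

# Print the e-mail addresses listed as "email:" entries in the `-text` dump
# of a certificate, one per line, with surrounding blanks removed.
cert_emails() {
  local pem="$1"
  openssl x509 -in "$pem" -noout -text 2>/dev/null \
    | grep -o 'email:[^,]*' \
    | sed 's/^email://; s/^ *//; s/ *$//' || true
}

# Escape the characters that RFC 4514 does not allow verbatim inside a DN
# value; the e-mail part of the DN comes from the certificate, not from us.
dn_escape() {
  printf '%s' "$1" | sed 's/[\\,+"<>;]/\\&/g'
}

# Append one "name: value" line to an LDIF file.  Values that RFC 2849 does
# not allow verbatim (non-ASCII bytes, embedded newlines, leading blank, ':'
# or '<', trailing blank) are written base64-encoded with the "::" form.
# Arguments: $1 attribute name, $2 value, $3 LDIF file
ldif_attr() {
  local name="$1" value="$2" out="$3"
  # In the C locale "[^ -~]" is every byte outside printable ASCII.
  if LC_ALL=C grep -q '[^ -~]' <<<"$value" \
     || [[ "$value" == *$'\n'* ]] \
     || [[ "$value" == [[:space:]:\<]* || "$value" == *[[:space:]] ]]; then
    printf '%s:: %s\n' "$name" \
      "$(printf '%s' "$value" | base64 | tr -d '[:space:]')" >> "$out"
  else
    printf '%s: %s\n' "$name" "$value" >> "$out"
  fi
}

##########################################
# Main flow                               #
##########################################
main() {
  local filename_with_extention="${1-}"
  # Remove the .p12 extension from the filename, if present
  local filename="${filename_with_extention%.p12}"
  # Read uid as external parameter
  local uid="${2-}"

  # The password arrives on stdin so it never appears in `ps` output or the
  # shell history; -r keeps backslashes, IFS= keeps leading/trailing blanks.
  local password=""
  IFS= read -r password || true

  # Check if $1 (filename), $2 (UID) and the password are provided
  if [[ -z "$filename" || -z "$uid" || -z "$password" ]]; then
    usage
  fi
  local p12_file="${filename}.p12"
  [[ -r "$p12_file" ]] || die "Error: cannot read ${p12_file}."

  # All scratch files live in one private (0700) directory that is removed on
  # every exit path, including the error exits below.
  tmpdir=$(mktemp -d) || die "Error: mktemp failed."
  trap 'rm -rf -- "${tmpdir:?}"' EXIT

  ##########################################
  # Add p12 file to keystore of Ciphermail #
  ##########################################
  if [[ "$ENABLE_CIPHERMAIL_SUPPORT" == true ]]; then
    # NOTE(review): the keystore password is passed on the command line and is
    # therefore visible to other local users via `ps` while the import runs;
    # switch to a file/stdin channel if CertStore offers one.
    java -cp '/usr/share/djigzo/lib/*' mitm.application.djigzo.tools.CertStore \
      --import-keys --check-validity --file "$p12_file" \
      --keystore-password "$password"
  fi

  #####################
  # CipherMail cookie #
  #####################
  local login_url="${base_url}/check"
  local prefix="${base_url}/user/signing/"
  local postfix="/true"
  local cookies="${tmpdir}/cookies.txt"
  if [[ "$ENABLE_CIPHERMAIL_SUPPORT" == true ]]; then
    # The login form is written to a private file and sent with `-d @file`
    # so the CipherMail password does not appear in curl's argument list.
    local login_form="${tmpdir}/login.form"
    printf 'username=%s&password=%s' \
      "$ciphermail_username" "$ciphermail_password" > "$login_form"
    curl -s -c "$cookies" -o /dev/null "$base_url" \
      || die "Error: cannot reach ${base_url}."
    curl -s -c "$cookies" -b "$cookies" -o /dev/null -L \
      -d @"$login_form" "$login_url" \
      || die "Error: CipherMail login failed."
  fi

  ##############################
  # Extract public certificate #
  ##############################
  local pem_file="${tmpdir}/cert.pem"
  # The PKCS#12 password is handed over through the environment (-passin env:)
  # rather than on the command line, where `ps` would show it.
  P12_PASSWORD="$password" openssl pkcs12 -in "$p12_file" -clcerts -nokeys \
      -out "$pem_file" -passin env:P12_PASSWORD \
    || die "Error: cannot extract the certificate from ${p12_file}."

  #######################
  # Certificate valid ? #
  #######################
  # `openssl verify` already reports the result in its exit status.
  if ! openssl verify -CAfile "$root_certificate" "$pem_file" >/dev/null 2>&1; then
    die "File ${filename} is not a valid certificate. Stopping script."
  fi

  #########################
  # Convert to DER format #
  #########################
  local der_encoded clean_pem pem_data
  # Single-line base64 of the DER form, used for the ";binary" attribute.
  der_encoded=$(openssl x509 -in "$pem_file" -outform der | base64 | tr -d '[:space:]') \
    || die "Error: Unable to convert PEM data to DER."

  #############################
  # Make a clean PEM from DER #
  #############################
  # Re-emitting through `openssl x509` drops the "Bag Attributes" block that
  # `pkcs12` writes in front of the certificate; no DER round trip is needed.
  clean_pem=$(openssl x509 -in "$pem_file" -outform pem) \
    || die "Error: Unable to re-encode the certificate as PEM."
  # Single-line base64 of the PEM text (with its trailing newline).
  pem_data=$(printf '%s\n' "$clean_pem" | base64 | tr -d '[:space:]')

  ###################
  # email addresses #
  ###################
  local emails
  emails=$(cert_emails "$pem_file")
  # Check if emails were found
  [[ -n "$emails" ]] || die "No emails found in certificate. Stopping script."
  # Check if emails contain @
  [[ "$emails" == *@* ]] \
    || die "No valid email addresses found (missing @). Stopping script."

  ##############################
  # Is this a UB certificate ? #
  ##############################
  # Any O= value containing one of the two spellings (case-insensitive) qualifies.
  local org is_ub=false
  while IFS= read -r org; do
    if [[ "${org,,}" == *"${org1,,}"* || "${org,,}" == *"${org2,,}"* ]]; then
      is_ub=true
    fi
  done < <(subject_attr "$pem_file" O)
  [[ "$is_ub" == true ]] \
    || die "File ${filename} is not a certificate of the University of Bremen. Stopping script."

  ################
  # CN / SN / GN #
  ################
  local cn sn gn
  cn=$(subject_attr "$pem_file" CN | head -n 1)
  [[ -n "$cn" ]] || die "Error: Failed to extract complete name from certificate"
  sn=$(subject_attr "$pem_file" SN | head -n 1)
  [[ -n "$sn" ]] || die "Error: Failed to extract surname from certificate"
  gn=$(subject_attr "$pem_file" GN | head -n 1)
  [[ -n "$gn" ]] || die "Error: Failed to extract given name from certificate"

  ###############
  # Expire date #
  ###############
  local cert_expire cert_expire_clean
  cert_expire=$(openssl x509 -in "$pem_file" -noout -enddate -inform PEM 2>/dev/null \
    | cut -d= -f2) || true
  [[ -n "$cert_expire" ]] \
    || die "Error: Failed to extract expiration date from certificate"
  # GNU date understands openssl's "Mon DD HH:MM:SS YYYY GMT"; where it does
  # not, the raw string is used as-is.
  cert_expire_clean=$(date -d "$cert_expire" "+%B %d, %Y" 2>/dev/null) \
    || cert_expire_clean="$cert_expire"

  ################################
  # Prepare the ldif information #
  ################################
  local filename_ldif="${tmpdir}/entries.ldif"
  : > "$filename_ldif"
  local mail email_converted url
  local at_escaped='$0040'   # CipherMail's URL spelling of "@" (as before)
  # Loop through each email in the emails var
  while IFS= read -r mail; do
    # Skip blank lines
    [[ -n "$mail" ]] || continue

    if [[ "$ENABLE_CIPHERMAIL_SUPPORT" == true ]]; then
      # Add email to ciphermail
      java -cp '/usr/share/djigzo/lib/*' mitm.application.djigzo.tools.CLITool \
        --add-user "$mail" --email "$mail"
      # Activate the user under ciphermail, i.e. force it to connect the user
      # with the certificate
      email_converted="${mail//@/${at_escaped}}"
      url="${prefix}${email_converted}${postfix}"
      curl -s -b "$cookies" -o /dev/null "$url"
    fi

    # Convert the collected information into ldap ldif entries
    ldif_attr dn "uid=$(dn_escape "${uid}#${mail}")${dn_base}" "$filename_ldif"
    ldif_attr objectClass top "$filename_ldif"
    ldif_attr objectClass person "$filename_ldif"
    ldif_attr objectClass organizationalPerson "$filename_ldif"
    ldif_attr objectClass inetOrgPerson "$filename_ldif"
    ldif_attr uid "${uid}#${mail}" "$filename_ldif"
    ldif_attr cn "$cn" "$filename_ldif"
    ldif_attr givenName "$gn" "$filename_ldif"
    ldif_attr sn "$sn" "$filename_ldif"
    ldif_attr mail "$mail" "$filename_ldif"
    # NOTE(review): as before, the PEM text is stored base64-encoded under the
    # plain attribute and the DER bytes under ";binary" — confirm that this is
    # what the directory schema expects.
    ldif_attr userSMIMECertificate "$pem_data" "$filename_ldif"
    printf 'userSMIMECertificate;binary:: %s\n' "$der_encoded" >> "$filename_ldif"
    ldif_attr description "Certificate expires: ${cert_expire_clean}" "$filename_ldif"
    printf '\n\n' >> "$filename_ldif"
  done <<<"$emails"

  #########
  # Debug #
  #########
  printf '%s\n' "$filename_ldif"
  cat "$filename_ldif"

  ######################
  # Add to ldap server #
  ######################
  # ldapadd -x -H ldap://localhost:1389 -D "cn=admin,dc=smime,dc=uni-bremen,dc=de" -W -f "$filename_ldif"
  # (temporary files, including the LDIF, are removed by the EXIT trap)
}

main "$@"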