#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.

ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
SRCDIR=${abs_top_srcdir:-$(dirname "$0")/..}

source ${TESTDIR}/common
skip_test_no_tpm12 "${SWTPM_EXE}"

SWTPM_LOCALCA=${ROOT}/src/swtpm_localca/swtpm_localca

workdir="$(mktemp -d)" || exit 1

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${ROOT}/src/swtpm_bios:$PATH

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf ${workdir}
}

# We want swtpm_cert to use the local CA and see that the
# local CA script automatically creates a signingkey and
# self-signed certificate; use ${WORKDIR} in the config files
# to test env variable resolution

cat <<_EOF_ > ${workdir}/swtpm-localca.conf
statedir=\${WORKDIR}
signingkey = \${WORKDIR}/signingkey.pem
issuercert = \${WORKDIR}/issuercert.pem
certserial = \${WORKDIR}/certserial
_EOF_

cat <<_EOF_ > ${workdir}/swtpm-localca.options
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 1.2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

cat <<_EOF_ > ${workdir}/swtpm_setup.conf
create_certs_tool=${SWTPM_LOCALCA}
create_certs_tool_config=\${WORKDIR}/swtpm-localca.conf
create_certs_tool_options=\${WORKDIR}/swtpm-localca.options
_EOF_

# We need to adapt the PATH so the correct swtpm_cert is picked
export PATH=${ROOT}/src/swtpm_cert:${PATH}

# Create a ROOT CA with a password-protected private key
export SWTPM_ROOTCA_PASSWORD=password

# we need to create at least one cert: --create-ek-cert
WORKDIR=${workdir} \
  $SWTPM_SETUP \
	--tpm-state ${workdir} \
	--create-ek-cert \
	--config ${workdir}/swtpm_setup.conf \
	--logfile ${workdir}/logfile \
	--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
	--write-ek-cert-files "${workdir}"

if [ $? -ne 0 ]; then
	echo "Error: Could not run $SWTPM_SETUP."
	echo "Setup Logfile:"
	cat ${workdir}/logfile
	exit 1
fi

if [ ! -r "${SIGNINGKEY}" ]; then
	echo "Error: Signingkey file ${SIGNINGKEY} was not created."
	echo "Setup Logfile:"
	cat ${workdir}/logfile
	exit 1
fi

if [ ! -r "${ISSUERCERT}" ]; then
	echo "Error: Issuer cert file ${ISSUERCERT} was not created."
	echo "Setup Logfile:"
	cat ${workdir}/logfile
	exit 1
fi

if [ ! -r "${CERTSERIAL}" ]; then
	echo "Error: Cert serial number file ${CERTSERIAL} was not created."
	echo "Setup Logfile:"
	cat ${workdir}/logfile
	exit 1
fi

if [ -z "$(grep "ENCRYPTED PRIVATE KEY" ${workdir}/swtpm-localca-rootca-privkey.pem)" ]; then
	echo "Error: Root CA's private key should be encrypted"
	cat ${workdir}/swtpm-localca-rootca-privkey.pem
	exit 1
fi

certfile="${workdir}/ek-rsa2048.crt"
if [ ! -f "${certfile}" ]; then
	echo "Error: EK file '${certfile}' was not written."
	ls -l "${workdir}"
	exit 1
fi

if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "2048 bits")" ]; then
	echo "Error: EK file '${certfile}' is not an RSA 2048 bit key."
	$CERTTOOL --inder --infile "${certfile}" -i
	exit 1
fi

expiration="$($CERTTOOL --inder --infile "${certfile}" -i | grep "Not After:")"
expected1="Not After: Fri Dec 31 23:59:59 UTC 9999"
# 32bit machines
expected2="Not After: Thu Dec 31 23:23:23 UTC 2037"
if [ -z "$(echo "${expiration}" | grep "${expected1}")" ] && \
   [ -z "$(echo "${expiration}" | grep "${expected2}")" ]; then
	echo "Error: EK file '${certfile}' does not expire in 9999 or 2037"
	echo "actual   : ${expiration}"
	echo "expected1: ${expected1}"
	echo "expected2: ${expected2} (32 bit machines)"
	exit 1
fi

echo "OK"

exit 0
