#!/bin/bash
#
# Install a server certificate and server key file to the location where the internal web server
# expects them and inform the server to start using the new files.
# If a server certificate and server key file already exist, they are archived (replacing
# any current archived files if they exist).
#
#
# Change Activity:
#   05/27/2003 P. Callaghan - initial version
#   05/14/2004 M. Clark     -01 removed apache config check which failed because this is
#                               not run as root
#   05/14/2004 M. Clark     -02 change port from 8081 to 443
#
# Parameters:
#   $1: certificate file - the filename of the server certificate file to install and use.
#   $2: key file - the filename of the server key file to install and use.
#   $3: configured certificate file - the filename of the certificate that Apache is configured to use.
#   $4: configured key file - the filename of the key file that Apache is configured to use.
#   $5: configured SSL certificate chain file - the filename of the SSL certificate chain file that Apache is 
#       configured to use.
#   $6: configured archived certificate file - the filename of where the archived certificate is kept.
#   $7: configured archived key file - the filename of where the archived key file is kept.
#   $8: configured archived SSL certificate chain file - the filename of where the archived SSL certificate
#       chain file is kept.
#   $9: HTTPD executable - the filename of the HTTP daemon executable.
#   ${10}: HTTPD PID file - the filename of where the HTTP daemon PID number is kept. Currently, not used.
#   ${11}: HMC SSL specific config file - the filename of the HMC SSL specific configuration directives.
#         This file is overwritten (not appended to) on every successful run.
#   ${12}: ServerRoot directory for the HTTP daemon
#   ${13}: Optional SSL certificate chain file - the concatenation of all PEM-encoded CA certificate files
#         in the signing chain, if any, that were used to sign the server certificate.
#
# Exit status codes:
#   0: the server certificate was installed and the web server started or restarted successfully  
#   1: invalid number of arguments  
#   2: copy command of server certificate file failed
#   5: the server certificate file to install does not exist
#   6: the server key file to install does not exist
#   7: copy command of server key file failed
#   8: SSL certificate chaining file to install does not exist. 
#   9: Move command, to archive server certificate, failed.
#   11: Move command, to archive server key file, failed.
#   12: Move command, to archive SSL certificate chaining file, failed.
#   13: Server certificate file exists but not server key file and this is unexpected.
#   14: Server certificate file does not exist but server key file exists and this is unexpected.
#   15: Copy command, of SSL certificate chain file, failed.
#     

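EXIT_STATUS=0
# Start/restart/syntax-check options for the HTTP daemon. Only the syntax
# check was ever used here, and that call was removed in -01 (see below);
# the variables are kept so nothing that reads this script changes.
HTTPD_START_OPTIONS='-DSSL'
HTTPD_RESTART_OPTIONS='-k graceful'
HTTPD_SYNTAX_CHECK_OPTIONS='-t'
# Trace command. Every trace line carries the component id so the caller can
# find this script's activity in the trace output.
TRACE='actzTrace'
#TRACE='echo'
# use correct one for the above???

# NOTE(review): there is no rollback. If the certificate copy succeeds but
# the key copy fails, the server directory holds the new certificate with no
# matching key; the previous pair is still in the archive ($6/$7/$8) for
# manual recovery. Nothing here checks that $1 and $2 actually belong
# together, and the httpd syntax check was removed in -01, so a mismatched
# pair is only detected when the server next starts.

# Trace the exit status and leave the script with it.
# Arguments: $1 - exit status code (see the header for the meaning of each)
finish() {
  EXIT_STATUS=$1
  $TRACE "XCRTICST: <- installCert returning $EXIT_STATUS"
  exit "$EXIT_STATUS"
}

# Make sure a private key file is not world-readable. cp/mv give the key
# whatever mode the source file had, which is not guaranteed to be private.
# Only the "other" bits are removed so the daemon's owner/group access is
# untouched. Failure is traced but not fatal: this script is not run as root
# (see -01) and may not own an already existing key file.
# Arguments: $1 - key file to restrict
restrict_key() {
  if ! chmod o-rwx -- "$1"; then
    $TRACE "XCRTICSD: -> could not restrict permissions of $1"
  fi
}

# The argument list is not traced: it contains only paths, but the trace
# output is not the place to advertise where the private key lives.
#ARGS="$1 $2 $3 $4 $5 $6 $7 $8 $9 ${10} ${11} ${12} ${13}"
#$TRACE "XCRTICST: -> installCert $ARGS"
$TRACE "XCRTICST: -> installCert"

# 12 arguments: no signing chain. 13: the optional chain file is ${13}.
case "$#" in
  13) CHAIN_FILE_SPECIFIED=1 ;;
  12) CHAIN_FILE_SPECIFIED=0 ;;
  *)  finish 1 ;;
esac

# All input files must exist before anything in the server directory is
# touched, so a bad argument cannot leave the server with half a key pair.
# Expansions are quoted: an unquoted "[ -f $1 ]" with an empty $1 is true.
[ -f "$1" ] || finish 5
[ -f "$2" ] || finish 6
if [ "$CHAIN_FILE_SPECIFIED" -eq 1 ]; then
  [ -f "${13}" ] || finish 8
fi

# Archive the pair the server currently uses. Certificate and key must both
# be present or both absent; one without the other is unexpected and stops
# the install before anything is overwritten.
if [ -f "$3" ]; then
  [ -f "$4" ] || finish 13
  $TRACE "XCRTICSD: -> moving the server certificate"
  mv -f -- "$3" "$6" || finish 9
  $TRACE "XCRTICSD: -> moving the server key file"
  mv -f -- "$4" "$7" || finish 11
  # The archived key is still a usable private key; keep it private too.
  restrict_key "$7"
  if [ -f "$5" ]; then
    $TRACE "XCRTICSD: -> moving the SSL certificate chain file"
    mv -f -- "$5" "$8" || finish 12
  else
    # No chain file in use, so the archive must not keep a stale one either.
    $TRACE "XCRTICSD: -> removing the archived SSL certificate chain file if it exists"
    rm -f -- "$8"
  fi
elif [ -f "$4" ]; then
  finish 14
fi
# Neither certificate nor key exists: the archive is left unchanged.

# Install the new certificate, then the new key, where the server expects them.
$TRACE "XCRTICSD: -> copying server certificate"
cp -f -- "$1" "$3" || finish 2

$TRACE "XCRTICSD: -> copying server key file"
cp -f -- "$2" "$4" || finish 7
restrict_key "$4"

if [ "$CHAIN_FILE_SPECIFIED" -eq 1 ]; then
  $TRACE "XCRTICSD: -> copying SSL certificate chain file"
  cp -f -- "${13}" "$5" || finish 15
else
  # No chain was given, so the server must not keep using an old one.
  $TRACE "XCRTICSD: -> removing the SSL certificate chain file if it exists"
  rm -f -- "$5"
fi

# Rewrite the HMC SSL directives so the server points at the installed files.
# The whole file is replaced (the group redirect truncates it once); the
# directives are the same ones the server has always been given here.
$TRACE "XCRTICSD: -> writing the SSL configuration file directives"
{
  #-02 start: port changed from 8081 to 443
  printf '%s\n' 'Listen 443'
  printf '%s\n' '<VirtualHost _default_:443>'
  #-02 end
  printf '%s\n' 'SSLEngine on'
  printf 'SSLCertificateFile %s\n' "$3"
  printf 'SSLCertificateKeyFile %s\n' "$4"
  if [ "$CHAIN_FILE_SPECIFIED" -eq 1 ]; then
    printf 'SSLCertificateChainFile %s\n' "$5"
  fi
  printf '%s\n' 'AddType application/x-x509-ca-cert .crt'
  printf '%s\n' '</VirtualHost>'
} > "${11}"

# Run a syntax check on the current configuration.
# Removed in -01: the check failed because this script is not run as root.
# Exit status 10 stays reserved for it.
#-01 $TRACE "XCRTICSD: -> checking the HTTPD configuration"
#-01 $9 $HTTPD_SYNTAX_CHECK_OPTIONS -d ${12}
#-01 if [ $? != 0 ]; then
#-01   # syntax check failed.
#-01   EXIT_STATUS=10
#-01   $TRACE "XCRTICST: <- installCert returning $EXIT_STATUS"
#-01   exit $EXIT_STATUS
#-01 fi

finish 0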

 
