#!/bin/sh

# Copyright 2018 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

try () {
  echo "$@"
  "$@" || exit 1
}

try rm -rf out
try mkdir out

try openssl genrsa -out out/key_usage_rsa_raw.key 2048
try openssl ecparam -genkey -name prime256v1 -noout \
    -out out/key_usage_p256_raw.key

# Convert the private keys to PKCS#8 format.
try openssl pkcs8 -topk8 -nocrypt -in out/key_usage_rsa_raw.key \
    -out out/key_usage_rsa.key
try openssl pkcs8 -topk8 -nocrypt -in out/key_usage_p256_raw.key \
    -out out/key_usage_p256.key

certs=" \
  rsa_no_extension \
  rsa_keyencipherment \
  rsa_digitalsignature \
  rsa_both \
  p256_no_extension \
  p256_keyagreement \
  p256_digitalsignature \
  p256_both"
for cert in $certs; do
  key=${cert%%_*}
  SUBJECT_NAME="subj_${cert}" \
    try openssl req \
    -new \
    -key "out/key_usage_${key}.key" \
    -out "out/key_usage_${cert}.csr" \
    -config ee.cnf
  try openssl x509 \
    -req \
    -in "out/key_usage_${cert}.csr" \
    -signkey "out/key_usage_${key}.key" \
    -days 3650 \
    -extfile ee.cnf \
    -extensions "ext_${cert}" \
    -out "out/key_usage_${cert}.pem" \
    -text

  try /bin/sh -c "cat out/key_usage_${key}.key out/key_usage_${cert}.pem \
      > ../certificates/key_usage_${cert}.pem"
done

try cp "out/key_usage_rsa.key" ../certificates
try cp "out/key_usage_p256.key" ../certificates