keystore-init

#!/usr/bin/env bash

cd "$(dirname "${BASH_SOURCE[0]}")/.."
. bin/util.sh

if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-h|--help]"
  echo "Create the Keystore file which used to sign JWT access tokens by ManagementPortal."
  echo
  echo "To prevent the tool from querying variables interactively, please provide a DNAME"
  echo "in the following format, replacing each of the placeholders <...> with their proper value:"
  echo
  echo "    DNAME='CN=<name>,O=<organization>,L=<city>,C=<2 letter country code>' $0"
  echo
  echo "Consult the full X.500 Distinguished Name syntax for more information:"
  echo "https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html#CHDHBFGJ"
  exit
fi

check_command_exists keytool -version

function createKeyStore() {
  keystorefile="$1"
  keytoolOpts=(-keystore "${keystorefile}" -storepass radarbase -keypass radarbase $KEYSTORE_OPTS)

  if ! keytool -list "${keytoolOpts[@]}" -alias radarbase-managementportal-ec >/dev/null 2>/dev/null; then
    echo "--> Generating keystore to hold EC keypair for JWT signing"
    createOpts=(-genkeypair -validity 36500 -alias radarbase-managementportal-ec -keyalg EC -sigalg SHA256withECDSA -storetype PKCS12 $KEYSTORE_CREATE_OPTS)
    if keytool -genkeypair -help 2>&1 | grep -q -- -groupname; then
      # Java 8 or later
      createOpts+=(-groupname secp256r1)
    else
      # Java 7
      createOpts+=(-keysize 256)
    fi
    if [ -n "${DNAME}" ]; then
      createOpts+=(-dname "${DNAME}")
    fi
    keytool "${createOpts[@]}" "${keytoolOpts[@]}"
    echo
  else
    echo "--> ECDSA keypair for signing JWTs already exists. Not creating a new one."
  fi

  DNAME="$(keytool -list -v -alias radarbase-managementportal-ec "${keytoolOpts[@]}" | grep Owner: | cut -d ' ' -f 2- | head -n 1)"

  if ! keytool -list "${keytoolOpts[@]}" -alias selfsigned >/dev/null 2>/dev/null; then
    echo "--> Generating keystore to hold RSA keypair for JWT signing"
    createOpts=(-genkeypair -validity 36500 -alias selfsigned -keyalg RSA -keysize 4096 -storetype PKCS12 $KEYSTORE_CREATE_OPTS)
    if [ -n "${DNAME}" ]; then
      createOpts+=(-dname "${DNAME}")
    fi
    keytool "${createOpts[@]}" "${keytoolOpts[@]}"
    echo
  else
    echo "--> RSA keypair for signing JWTs already exists. Not creating a new one."
  fi

  if [ ! -e "${keystorefile}" ]; then
    >&2 echo "FAILED TO CREATE KEYSTORE FILE $keystorefile"
    exit 1
  fi

  if ! keytool -list "${keytoolOpts[@]}" -alias radarbase-managementportal-ec >/dev/null 2>/dev/null; then
    >&2 echo "FAILED TO CREATE ECDSA KEY radarbase-managementportal-ec in $keystorefile. Please try again."
    rm "${keystorefile}"
    exit 1
  fi

  if ! keytool -list "${keytoolOpts[@]}" -alias selfsigned >/dev/null 2>/dev/null; then
    >&2 echo "FAILED TO CREATE RSA KEY selfsigned in $keystorefile. Please try again."
    rm "${keystorefile}"
    exit 1
  fi

  chmod 400 "${keystorefile}"
}

if [ ! -f etc/management-portal/keystore.p12 ]; then
  mkdir -p etc/management-portal
  
  if [ -f etc/keystore.p12 ]; then
    cp etc/keystore.p12 etc/management-portal/keystore.p12
  fi
fi

createKeyStore etc/management-portal/keystore.p12