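#!/bin/sh
# TLS bootstrap for a courier-imap service: prepares the TLS session cache
# file, the DH parameters and (via ssl_generate) the server certificate for
# the service named in the argument to init_tls. The ssl_* helpers and
# SSL_KEYDIR come from cert-sh-functions; COURIER_UID/COURIER_GID are expected
# from authdaemon.conf.
#
# Strict mode is enabled with "set" rather than in the shebang so that it also
# applies when the script is started as "sh <script>", where shebang options
# are dropped.
set -efu

# Both files are executed as shell code: cert-sh-functions is looked up via
# PATH, so that lookup and authdaemon.conf must be writable by root only.
. cert-sh-functions
. /etc/courier-authlib/authdaemon.conf

# Output locations consumed by courier; default to empty (meaning "do not
# install") if the sourced files leave them unset, so "set -u" does not trip.
TLS_CACHEFILE="${TLS_CACHEFILE:-}"
TLS_DHPARAMS="${TLS_DHPARAMS:-}"
TLS_CERTFILE="${TLS_CERTFILE:-}"
# Key/DH sizes and digest; presumably read by the ssl_* helpers (not visible
# here). 4096-bit DH generation is slow, expect a long first run.
SSL_KEY_BITS=4096
SSL_DH_BITS=4096
SSL_DEFAULT_MD=sha256
# Set to 1 by init_tls when a per-service .custom.cnf exists.
CUSTOM_CERT=0
# Optional path to pre-generated DH parameters; when set, generation and
# age-based renewal are skipped and the file is installed as-is.
CUSTOM_DH="${CUSTOM_DH:-}"

# Age in days after which renew_dh regenerates the DH parameters.
DH_CHECK_EXPIRED_INTERVAL=25

# OpenSSL request configuration for the self-signed certificate.
# $SSL_DEFAULT_MD is expanded here; @HOSTNAME@ and @PRODUCT@ are placeholders,
# presumably substituted by the certificate helper (not visible in this file).
# NOTE(review): there is no subjectAltName, which current TLS clients require
# for hostname verification, and nsCertType is a legacy Netscape extension
# that modern verifiers ignore.
DEFAULT_CERT="
[ req ]
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
default_md = $SSL_DEFAULT_MD

[ req_dn ]
CN=@HOSTNAME@
O=@PRODUCT@

[ cert_type ]
nsCertType = server
"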

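#######################################
# Installs a DH parameter file at the location courier reads (TLS_DHPARAMS).
# Globals:   TLS_DHPARAMS, COURIER_UID, COURIER_GID (read)
# Arguments: $1 - path of an existing, non-empty DH parameter file
# Outputs:   none
# Returns:   0, including when there is nothing to install; under "set -e"
#            a failing cp or chown aborts the script
#######################################
prepare_dh()
{
	local src="$1"
	# Nothing to install without a usable source or a configured destination.
	[ -s "$src" ] && [ -n "$TLS_DHPARAMS" ] || return 0
	# Only copy when the paths differ. The comparison is textual, not by
	# inode: a destination that names the same file through another path
	# (e.g. a symlink) is removed before the copy.
	if [ "$src" != "$TLS_DHPARAMS" ]; then
		rm -f -- "$TLS_DHPARAMS" ||:
		cp -- "$src" "$TLS_DHPARAMS"
	fi
	# DH parameters are public; ownership is all courier needs here.
	chown "$COURIER_UID:$COURIER_GID" "$TLS_DHPARAMS"
}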

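#######################################
# Prepares the TLS material for one courier-imap service: the session cache
# file, the DH parameters and the server certificate.
# Globals:   TLS_CACHEFILE, TLS_DHPARAMS, TLS_CERTFILE, CUSTOM_DH, SSL_KEYDIR,
#            COURIER_UID, COURIER_GID (read); CUSTOM_CERT (written)
# Arguments: $1 - service name; selects $SSL_KEYDIR/$1.{dh,pem} and the
#                 optional /etc/courier-imap/$1.custom.cnf
# Outputs:   status message when the custom-cert branch is taken
# Returns:   0; under "set -e" any failing step aborts the script
#######################################
init_tls()
{
	local certconf=/etc/courier-imap/"$1".custom.cnf
	local tmpcert
	[ -d /etc/courier-imap/ssl ] || mkdir -p /etc/courier-imap/ssl
	[ -s "$certconf" ] && CUSTOM_CERT=1
	if [ -n "$TLS_CACHEFILE" ]; then
		# The session cache is secret material (mode 600 below), so create
		# it with a restrictive umask rather than touching it with the
		# default mode and tightening afterwards. Separate statements so
		# that each failure aborts under "set -e" instead of being masked
		# by an && chain.
		rm -f -- "$TLS_CACHEFILE" ||:
		( umask 077 && : > "$TLS_CACHEFILE" )
		chown "$COURIER_UID:$COURIER_GID" "$TLS_CACHEFILE"
		chmod 600 "$TLS_CACHEFILE"
	fi
	# create DH if needed
	if [ -n "$CUSTOM_DH" ]; then
		prepare_dh "$CUSTOM_DH"
	else
		ssl_check_dhparam "$1" || ssl_make_dhparam "$1"
		prepare_dh "$SSL_KEYDIR/$1.dh"
		# worth a try: regenerate if the existing parameters are stale
		renew_dh "$1"
	fi
	# NOTE(review): certconf is always non-empty (assigned above), so this
	# branch is unreachable and ssl_generate runs even when CUSTOM_CERT=1.
	# The intended test was probably is_yes alone; left unchanged because
	# enabling it would change which certificate the service ends up with.
	if is_yes "$CUSTOM_CERT" && [ -z "$certconf" ]; then
		printf 'Using custom ssl certs, skipping self-signed certs generation...'
		exit 0
	fi
	ssl_generate "$1"
	if [ -s "$SSL_KEYDIR/$1.pem" ] && [ -n "$TLS_CERTFILE" ]; then
		# The .pem is secret material (mode 600): stage it through a 0600
		# temp file in the target directory and rename it into place, so the
		# content is never exposed with a wider mode and a failed copy never
		# leaves a truncated certificate behind.
		tmpcert=$(mktemp "$TLS_CERTFILE.XXXXXX")
		if ! cp -- "$SSL_KEYDIR/$1.pem" "$tmpcert"; then
			rm -f -- "$tmpcert"
			return 1
		fi
		chown "$COURIER_UID:$COURIER_GID" "$tmpcert"
		chmod 600 "$tmpcert"
		mv -f -- "$tmpcert" "$TLS_CERTFILE"
	fi
}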

# Re-implements the mkdhparams script on top of cert-sh-functions.
#######################################
# Regenerates and re-installs a service's DH parameters once the file is
# older than DH_CHECK_EXPIRED_INTERVAL days.
# Globals:   SSL_KEYDIR, DH_CHECK_EXPIRED_INTERVAL (read)
# Arguments: $1 - service name; the parameters live in $SSL_KEYDIR/$1.dh
# Outputs:   a progress line on stdout when regenerating
# Returns:   the status of ssl_check_dhparam when it fails (under "set -e"
#            that aborts a caller that does not guard the call); otherwise
#            0 when the file is fresh, or the status of prepare_dh
#######################################
renew_dh()
{
	local dhfile
	# Nothing to renew if the helper does not accept the current parameters;
	# its failure status is passed straight back to the caller.
	ssl_check_dhparam "$1" || return
	dhfile="$SSL_KEYDIR/$1.dh"
	# find prints the path only when its mtime exceeds the interval.
	[ -n "$(find "$dhfile" -mtime "+$DH_CHECK_EXPIRED_INTERVAL" -print)" ] || return 0
	printf "DH params for %s older than %s days, regenerating...\n" "$1" "$DH_CHECK_EXPIRED_INTERVAL"
	ssl_make_dhparam "$1"
	prepare_dh "$dhfile"
}

