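#!/bin/bash

# Patch nss.conf to enable HTTPS support on port 443 for Linux
#
# Required environment:
#   APL_VAR        base directory; the NSS database lives in $APL_VAR/nss
#   APL_HTTPD_GRP  group that must be able to read the NSS database files
#
# Exit status: 0 when nss.conf was patched (and the NSS database was created
# if it was missing), 1 otherwise.

EXIT=0
FILE="/etc/httpd/conf.d/nss.conf"
# Refuse to continue with NSSDB="/nss" when APL_VAR is missing: that path is
# wiped with rm -rf further down.
NSSDB="${APL_VAR:?APL_VAR must be set}/nss"
TMP="$NSSDB/tmp"
OPENSSL=/usr/bin/openssl
CERTUTIL=/usr/bin/certutil
PK12UTIL=/usr/bin/pk12util

#######################################
# Print a diagnostic line to stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s\n' "$*" >&2
}

#######################################
# Edit nss.conf in place so httpd also listens on 443 and the RC4 cipher
# suites are switched off.  Edits left by an earlier run are removed first so
# re-running does not stack them.
# Globals:   FILE (rewritten)
# Returns:   0 only if every perl edit succeeded, 1 on the first failure
#          (the original checked $? of the last edit only)
#######################################
patch_config() {
  # remove dangerous patches from previous installation if exist
  perl -pi -e '$_="" if /(videoNEXT|Include.*conf.d\/va-|Listen 443)/' "$FILE" || return 1
  perl -pi -e 's|_default_:443.+_default_:8443|_default_:8443|' "$FILE" || return 1

  # make new patches
  perl -pi -e '
    $_.="Listen 443\n" if /^Listen 8443/;
    $_="<VirtualHost _default_:443 _default_:8443>\n# Include videoNEXT configuration\nInclude conf.d/va-*-apache.inc\n" if /<VirtualHost\s+_default_:8443>/;
  ' "$FILE" || return 1
  # flip the RC4 suites from enabled (+) to disabled (-) in the cipher list
  perl -pi -e 's/\+rsa_rc4_128_md5/-rsa_rc4_128_md5/' "$FILE" || return 1
  perl -pi -e 's/\+rsa_rc4_128_sha/-rsa_rc4_128_sha/' "$FILE" || return 1
}

#######################################
# Generate a self-signed CA and a server certificate signed by it, then
# import both into a new, password-less NSS database.
# Globals:   OPENSSL, CERTUTIL, PK12UTIL, TMP (scratch dir), NSSDB (created)
# Arguments: $1 - CA subject, $2 - server subject
# Returns:   0 on success, 1 on the first failing tool invocation
#######################################
generate_certs() {
  local subj_ca=$1
  local subj=$2
  local pwfile="$TMP/p12.pass"

  # Throw-away password for the PKCS#12 bundles.  It is handed to openssl and
  # pk12util through a file instead of on the command line so it does not
  # show up in ps(1) output or an xtrace log.
  "$OPENSSL" rand -hex 16 >"$pwfile" || return 1

  # -nodes: the private keys are written unencrypted into $TMP (mode 700).
  "$OPENSSL" req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -subj "$subj_ca" \
    -keyout "$TMP/ca.key" -out "$TMP/ca.crt" || return 1
  "$OPENSSL" pkcs12 -export -in "$TMP/ca.crt" -inkey "$TMP/ca.key" \
    -out "$TMP/ca.p12" -name 'cacert' -passout "file:$pwfile" || return 1
  "$OPENSSL" req -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$TMP/server.key" -out "$TMP/server.csr" || return 1
  "$OPENSSL" x509 -req -in "$TMP/server.csr" -CA "$TMP/ca.crt" -CAkey "$TMP/ca.key" \
    -CAcreateserial -sha256 -out "$TMP/server.crt" -days 3650 || return 1
  "$OPENSSL" pkcs12 -export -in "$TMP/server.crt" -inkey "$TMP/server.key" \
    -out "$TMP/server.p12" -name 'Server-Cert' -passout "file:$pwfile" || return 1

  "$CERTUTIL" -N --empty-password -d "$NSSDB" || return 1
  # $PK12UTIL already is the command; its name must not be repeated as a
  # first argument.
  "$PK12UTIL" -i "$TMP/ca.p12" -d "$NSSDB" -w "$pwfile" || return 1
  "$PK12UTIL" -i "$TMP/server.p12" -d "$NSSDB" -w "$pwfile" || return 1
  # Trust flags: the CA may issue server and client certs (CT); the server
  # cert is a plain user cert (u).
  "$CERTUTIL" -M -t CTu,CTu,CTu -n "cacert" -d "$NSSDB" || return 1
  "$CERTUTIL" -M -t u,u,u -n "Server-Cert" -d "$NSSDB" || return 1
}

#######################################
# Build the NSS database from scratch, point nss.conf at it and hand the
# files to the httpd group.  The scratch directory holding the PEM keys is
# removed whether or not certificate generation succeeded.
# Globals:   NSSDB, TMP, FILE, APL_HTTPD_GRP
# Returns:   0 on success, 1 otherwise
#######################################
create_nss_db() {
  local host rv
  host=$(hostname) || return 1

  # ${NSSDB:?} stops rm from ever expanding to "/*" should NSSDB be empty.
  rm -rf -- "${NSSDB:?}"/* || return 1
  mkdir -p -- "$TMP" || return 1
  rm -rf -- "${TMP:?}"/*
  # Unencrypted private keys land in $TMP: root only while they exist.
  chmod 700 -- "$TMP" || return 1

  rv=0
  generate_certs "/C=US/ST=VA/O=VideoArchive/CN=ca.${host}" \
    "/C=US/ST=VA/O=VideoArchive/CN=${host}" || rv=$?
  rm -rf -- "$TMP"
  (( rv == 0 )) || return 1

  export NSSDB
  # NSSDB is expanded by the shell into the perl replacement; a path holding
  # '}' or '$' would break the expression.
  perl -pi -e "s{^NSSCertificateDatabase.*}{NSSCertificateDatabase $NSSDB}" "$FILE" || return 1
  chown "root:${APL_HTTPD_GRP:?APL_HTTPD_GRP must be set}" -- "$NSSDB"/* || return 1
  chmod 640 -- "$NSSDB"/* || return 1
}

#######################################
# Entry point: patch nss.conf, then create the NSS database if absent.
# Globals:   EXIT, FILE, NSSDB
#######################################
main() {
  if [[ ! -w "$FILE" ]]; then
    printf "%s\n" "file '${FILE}' not writable or does not exist"
    exit 1
  fi

  if patch_config; then
    printf "%s\n" "OK: file '${FILE}' patched for listening on 443"
  else
    printf "%s\n" "ERROR: patch file '${FILE}' for listening on 443"
    EXIT=1
  fi

  # Create own self-signed certificate for NSS
  # NOTE(review): this looks for the legacy dbm file; if the installed
  # certutil creates an sqlite database (cert9.db) the check never matches and
  # the certificates are regenerated on every run -- confirm against the NSS
  # version in use.
  if [[ ! -f "$NSSDB/cert8.db" ]]; then
    if ! create_nss_db; then
      warn "ERROR: could not create NSS database in '${NSSDB}'"
      EXIT=1
    fi
  fi

  exit "$EXIT"
}

main "$@"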
