# Testing certificate parameters
# Note that some of these values are coupled to the behaviour
# of the test suite, so take care when modifying these.

# Base directory to store the CA's files
BASE_DIR=../testing-ca
# Set to 'yes' if you want all keys to be
#  regenerated even if they already exist.
FORCE_NEW_KEYS=no
# Set to 'yes' to generate keys using ECC (ECDSA based on secp384r1)
USE_ECC_KEYS=no
# Set to 'yes' if you want all certs, CSRs and CRLs to be
#  regenerated even if they already exist.
FORCE_NEW_CERTS=yes
# Set to 'yes' if you want all PKCS#12 containers to be
#  regenerated even if they already exist.
FORCE_NEW_PFX=no
# Regenerate config from defaults on every run
FORCE_CONFIG_REWRITE=no
# Value used to initialise the certificate counter
INITIAL_SERIAL=1000
# dummy password
DUMMY_PASSWORD=secret
DUMMY_PFX_PASSWORD=exportsecret
OPENSSL=openssl

MESSAGE_DIGEST=sha256

CRLDAYS=10000

# "flavour values" for the certificate
COUNTRY=BE
ORG="Example Inc"
ORG_UNIT="Testing Authority"

LOGFILE="ca-setup.log"

# validity timeframes
ROOT_START=20000101000000Z
ROOT_END=25000101000000Z

INTERM_START=20010101000000Z
INTERM_END=24000101000000Z


OCSP_START=20020101000000Z
OCSP_END=23000101000000Z

TSA_START=20020101000000Z
TSA_END=20300101000000Z

TSA2_START=20280101000000Z
TSA2_END=20400101000000Z

# in faketime-compatible format
CRL_DATE="2020-03-01 UTC"


# Signer profiles
SIGNER_NAME="Lord Testerino"
SIGNER_EMAIL="test@example.com"
SIGNER_START=20200101000000Z
SIGNER_END=20210101000000Z
SIGNER_IDENT=signer

SIGNER2_NAME="Bob Revoked"
SIGNER2_EMAIL="bob@example.com"
SIGNER2_START=20200101000000Z
SIGNER2_END=20210101000000Z
SIGNER2_IDENT=signer2
# note: GeneralizedTime doesn't seem to work for dts in the index
SIGNER2_REVO=200201000000Z

ensure_dir () {
    if [ -e "$1" ] ; then
        if [ ! -d "$1" ] ; then
            >&2 echo "$1 exists and is not a directory"
            exit 1
        fi
    else
        mkdir -p "$1"
    fi
}


init_config () {
    if [[ "$FORCE_CONFIG_REWRITE" = yes || ! -f "$BASE_DIR/openssl.cnf" ]] ; then
        # I'm assuming that the BASE_DIR never contains a colon
        #  which is good enough as far as I'm concerned
        real_base_dir=$(realpath $BASE_DIR)
        sed "s:TESTING_CA_BASE_DIR:$real_base_dir:g" openssl.base.cnf > "$BASE_DIR/openssl.cnf"
    fi
}
