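#!/usr/bin/env bash
#
# pfxexx — bundle every complete ACME certificate set (cert.pem, chain.pem and
# private.key) found under the ACME client directories into a
# password-protected PKCS#12 (.pfx) file.
#
# Usage: pfxexx [-h | --debug | --unmute | <anything else>]
#   -h, --help, --options, help   print the banner below
#   --debug, debug                run with shell tracing and failure messages
#   --unmute                      run with normal output
#   anything else                 run with all output discarded
#
# NOTE(review): with no argument at all the dispatch loop at the bottom never
# runs, so nothing is exported. Confirm whether a bare invocation is meant to
# behave like the muted default before relying on it from cron.

#######################################
# Print the banner / requirements text.
# Outputs: the banner on stdout
#######################################
printOPTIONS() {
  # Quoted delimiter: the banner is literal text, nothing in it is expanded.
  cat <<'_options'
┌────────────────────────────────────────────────────────────────────────────i─┐
│  pfxexx — PFX Exporter for the ACME plugin on OPNsense                       │
│  Copyright (C) 2025 Gustavo Domínguez                                        │
│  GNU General Public License version 3                                        │
├─────────────────────────────────────────────────────────OPTIONS/REQUIREMENTS─┤
│  There are no real options*, only requirements:                              │
│  1. The script requires bash to run. To install run: 'pkg install -y bash'.  │
│  2. Variables must be reviewed or changed before running the script.         │
│     - Likely the most important will be the password file, the "pfile" from  │
│       which a password will be read in order to set it on PFX exports.       │
│                                                                              │
│  *: except for --unmute and --debug, neither of which affects how the script │
│     works in terms of exporting PFXs. See more info at:                      │
│     https://ref.vitanetworks.link/en/utility-scripts/pfxexx                  │
├────────────────────────────────────────────────────────────────────────────@─┤
│  Gustavo Domínguez                                                           │
│  senseivita.com | antipostal.com | vitanetworks.link                         │
└──────────────────────────────────────────────────────────────────────────────┘
_options
}

# Turn the debug shell options back off (also installed as the ERR/EXIT trap).
restoreOptions() { set +e; set +x; set +v; }

# Debug mode: abort on unhandled errors and trace every command. The export
# password is handed to openssl as "file:$pfile", so the trace shows the path
# of the password file, not its contents.
enableDebugOptions() { set -e; set -x; set -v; }

trap restoreOptions ERR EXIT
if [[ $1 =~ "debug" ]]; then enableDebugOptions; fi

# --- Settings: review before running ----------------------------------------
# The exported bundles contain private keys and $pfile holds the password that
# protects them; both should be readable by the owning account only.
cbn='/var/etc/acme-client/certs'        # one sub-directory per certificate
kbn='/var/etc/acme-client/keys'         # matching private keys
ebn='/var/etc/acme-client/pfx'          # export directory for the .pfx files
pfile='/var/etc/acme-client/pfiles/std' # file whose content is the PFX password

# Work lists. They must start as empty arrays: starting from '' leaves a blank
# first element that the export loop would then try to process.
candidates=()
verifiedPieces=()
cnlist=()

#######################################
# Create the export directory if it does not exist yet.
# Globals: ebn (read)
# Returns: 0 if the directory exists afterwards, mkdir's status otherwise
#######################################
checkPfxExportDir() {
  if [[ ! -d "$ebn" ]]; then
    mkdir -p -- "$ebn" || return
  fi
  return 0
}

#######################################
# Fill `candidates` with the name of each directory directly under $cbn.
# Names are read NUL-delimited, one array element per directory, so names
# containing spaces stay intact and the list is not one multi-line string.
# Globals: cbn (read), candidates (written)
# Returns: 0 on success, 1 if $cbn is not a directory
#######################################
collectCandidates() {
  local dir
  candidates=()
  [[ -d "$cbn" ]] || return 1
  while IFS= read -r -d '' dir; do
    candidates+=( "${dir##*/}" )
  done < <(find "$cbn" -mindepth 1 -maxdepth 1 -type d -print0)
  return 0
}

#######################################
# Keep only the candidates that have all three pieces on disk.
# Globals: candidates, cbn, kbn (read), verifiedPieces (written)
# Outputs: each candidate name and each piece found, one per line
#######################################
partsCheck() {
  local name
  verifiedPieces=()
  for name in "${candidates[@]}"; do
    printf '%s\n' "$name"
    [[ -f "$cbn/$name/cert.pem" ]] || continue
    printf '%s\n' "$cbn/$name/cert.pem"
    [[ -f "$cbn/$name/chain.pem" ]] || continue
    printf '%s\n' "$cbn/$name/chain.pem"
    [[ -f "$kbn/$name/private.key" ]] || continue
    printf '%s\n' "$kbn/$name/private.key"
    verifiedPieces+=( "$name" )
  done
  return 0
}

#######################################
# Turn a certificate subject value into a file name that stays inside $ebn.
# Arguments: $1 - name taken from the certificate (may be empty)
#            $2 - fallback used when $1 is empty
# Outputs:   the name with "/" and control characters replaced by "_"
#######################################
pfxSafeName() {
  local name=${1:-$2}
  # The value is data read from a certificate file; a "/" in it would make the
  # output path point outside the export directory.
  name=${name//\//_}
  name=${name//[[:cntrl:]]/_}
  printf '%s\n' "$name"
}

#######################################
# Export one .pfx per verified certificate set.
# Globals: verifiedPieces, cbn, kbn, ebn, pfile (read), cnlist (written)
# Returns: 0 when every export succeeded, 1 if the password file is unusable
#          or any single export failed
#######################################
exportPFXs() {
  local iset cn failed=0
  cnlist=()

  # Fail early with a clear message instead of once per certificate.
  if [[ ! -r "$pfile" || ! -s "$pfile" ]]; then
    printf 'pfxexx: password file %s is missing, unreadable or empty\n' "$pfile" >&2
    return 1
  fi

  for iset in "${verifiedPieces[@]}"; do
    # Third field of "subject=CN = name"; falls back to the directory name
    # when the subject yields nothing (for example a certificate without CN).
    cn=$(openssl x509 -noout -subject -in "$cbn/$iset/cert.pem" | awk '{print $3}')
    cn=$(pfxSafeName "$cn" "$iset")
    if openssl pkcs12 -export -out "$ebn/$cn.pfx" \
      -inkey "$kbn/$iset/private.key" \
      -in "$cbn/$iset/cert.pem" \
      -certfile "$cbn/$iset/chain.pem" \
      -password file:"$pfile"; then
      cnlist+=( "$cn" )
    else
      printf 'pfxexx: export failed for %s\n' "$iset" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Print the names of the exported certificates.
printResuts() {
  echo Found the following certificates:
  printf '%s\n' "${cnlist[*]}"
}

#######################################
# Report a failed step (debug mode only) and stop with a failure status.
# Arguments: $1 - the mode main was called with, $2 - name of the step
#######################################
failStep() {
  if [[ $1 =~ "debug" ]]; then echo "Failed $2"; fi
  # An explicit status: a bare `exit` here would report success to the caller.
  exit 1
}

#######################################
# Run the whole export.
# Arguments: $1 - "debug" to print which step failed (optional)
# Exits with status 1 when a step fails.
#######################################
main() {
  # Every .pfx carries a private key: directories and files created from here
  # on must not be readable by group or others.
  umask 077

  collectCandidates || failStep "$1" collectCandidates
  printf '%s\n' "${candidates[@]}"

  checkPfxExportDir || failStep "$1" checkPfxExportDir
  partsCheck || failStep "$1" partsCheck
  exportPFXs || failStep "$1" exportPFXs

  echo "Finished successfully."
  printResuts
}

while [ "$1" != "" ]; do
  case "$1" in
    -h|--help|--options|help) printOPTIONS ;;
    --debug|debug) shift; main debug ;;
    --unmute) main ;;
    *) main > /dev/null 2>&1 ;;
  esac
  # The debug branch has already shifted once; shifting an empty argument list
  # fails and, under `set -e`, turned a successful debug run into an error.
  if (( $# > 0 )); then shift; fi
done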