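# Code-signing PKI helper for NuGet package releases.
#
# Two roles share this file, selected with PKI_ROLE:
#   maintainer - generates a key + CSR, later bundles the issued certificate
#                and the key into a PFX used for signing.
#   ca         - creates the CA key/certificate and issues the maintainer
#                certificate from a reviewed CSR.
#
# Private keys (*.key) and the PFX never need to leave the machine that
# created them; only the CSR and the certificates are exchanged.
PKI_ROLE ?= maintainer
PKI_DIR ?= release

# OpenSSL pass phrase source used to protect the exported PFX.
# The default (empty password) is kept for backward compatibility: with it the
# PFX holds the signing key without any protection of its own and has to be
# guarded exactly like maintainer.key. Prefer "env:VAR" or "file:PATH" over
# "pass:..." so the secret does not show up in the process list or shell
# history.
PKI_PFX_PASSOUT ?= pass:

# Note: Only RSA signatures are supported (NU3013)
# https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3013

ifeq ($(PKI_ROLE),maintainer)

.PHONY: maintainer.csr
maintainer.csr: $(PKI_DIR)/maintainer.csr

# Generate a new RSA-4096 key and a CSR requesting a code-signing certificate.
# KEY must stay a recursive (=) assignment: $@ only has a value when the
# recipe is expanded.
# No -noenc/-nodes is passed, so openssl asks (by default) for a passphrase to
# encrypt the key file.
# The recipe writes two files: the CSR ($@) and the private key ($(KEY)).
$(PKI_DIR)/maintainer.csr: KEY=$(patsubst %.csr,%.key,$@)
$(PKI_DIR)/maintainer.csr:
	openssl req \
		-new \
		-newkey rsa:4096 \
		-keyout $(KEY) \
		-out $@ \
		-sha256 \
		-addext keyUsage=critical,digitalSignature \
		-addext extendedKeyUsage=critical,codeSigning,msCodeCom \
		-subj "/C=RU/O=TrueCloudLab/OU=TrueCloudLab/CN=frostfs-sdk-csharp Release Team"
	@printf 'IMPORTANT: Keep %s private!\n\n' "$(KEY)"
	@printf 'Certificate signing request is ready.\nSend %s to CA administrator to obtain the certificate.\n' "$@"

# Bundle the issued certificate, its chain and the private key into a PFX.
# The certificate is first verified against ca.cert; that check is only as
# good as the provenance of ca.cert, so obtain the CA certificate over a
# trusted channel and compare its fingerprint before relying on it.
# maintainer.cert and ca.cert are supplied by the CA; no rule builds them in
# this role.
$(PKI_DIR)/maintainer.pfx: $(PKI_DIR)/maintainer.cert $(PKI_DIR)/maintainer.key $(PKI_DIR)/ca.cert
	openssl verify \
		-CAfile $(PKI_DIR)/ca.cert \
		$(PKI_DIR)/maintainer.cert
	openssl pkcs12 \
		-export \
		-out $@ \
		-inkey $(PKI_DIR)/maintainer.key \
		-in $(PKI_DIR)/maintainer.cert \
		-CAfile $(PKI_DIR)/ca.cert \
		-chain \
		-passout "$(PKI_PFX_PASSOUT)"

endif

ifeq ($(PKI_ROLE),ca)

.PHONY: maintainer.cert
maintainer.cert: $(PKI_DIR)/maintainer.cert

# Issue the maintainer certificate (valid 365 days) from the CSR.
# The CSR is printed first and the operator has to confirm: this manual review
# is the control that checks the subject and the requested key usages, because
# "-copy_extensions copy" takes extension values from the CSR. "-ext" restricts
# the copied extensions to keyUsage and extendedKeyUsage, so other requested
# extensions are not carried into the certificate (behaviour of the OpenSSL 3.x
# x509 command; older releases do not accept -copy_extensions here).
# The prompt uses printf + plain "read -r" so it works with any POSIX sh; when
# stdin is not a terminal, read fails and nothing is signed.
# -CAcreateserial may create a serial number file next to the CA certificate.
# After signing, a blank line and the CA certificate are appended so the
# output file carries the chain; the result and its SHA-256 fingerprint are
# printed for a final check.
$(PKI_DIR)/maintainer.cert: CSR=$(patsubst %.cert,%.csr,$@)
$(PKI_DIR)/maintainer.cert: $(PKI_DIR)/ca.key $(PKI_DIR)/ca.cert
	openssl req -noout -text -in $(CSR)
	@printf 'Review the CSR above. Press Enter to continue, Ctrl+C to cancel ' && read -r null
	openssl x509 \
		-req \
		-days 365 \
		-in $(CSR) \
		-copy_extensions copy \
		-ext keyUsage,extendedKeyUsage \
		-CA $(PKI_DIR)/ca.cert \
		-CAkey $(PKI_DIR)/ca.key \
		-CAcreateserial \
		-out $@
	echo >> $@
	cat $(PKI_DIR)/ca.cert >> $@
	openssl x509 -noout -text -in $@ -fingerprint -sha256
	@printf 'Certificate is ready.\nSend %s back to maintainer.\n' "$@"

# Create the self-signed CA: RSA-4096 key plus a certificate valid 3650 days,
# key usage limited to certificate signing.
# The recipe writes two files: the key ($@) and the certificate ($(CERT)).
# Running it again replaces the CA, after which certificates issued by the
# previous CA no longer verify against the new ca.cert.
# CERT must stay a recursive (=) assignment so $@ is expanded in the recipe.
$(PKI_DIR)/ca.key: CERT=$(patsubst %.key,%.cert,$@)
$(PKI_DIR)/ca.key:
	openssl req \
		-x509 \
		-newkey rsa:4096 \
		-keyout $@ \
		-out $(CERT) \
		-sha256 \
		-days 3650 \
		-addext keyUsage=critical,keyCertSign \
		-subj "/C=RU/O=TrueCloudLab/OU=TrueCloudLab/CN=TrueCloudLab Code Signing Certificate Authority"
	@printf 'IMPORTANT: Keep %s private!\n\n' "$@"

endif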