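#!/usr/bin/env bash
#
# Generate a private CA and a CA-signed TLS server certificate for a local
# Azurite storage emulator. All files are written to ./storage.
#
# Usage: <script> [ACCOUNT_NAME]
#   ACCOUNT_NAME  storage account name used to build the certificate host
#                 names (default: devstoreaccount1).
#
# Each certificate/key pair is generated only when one of its two files is
# missing; existing pairs are left untouched.
#
# Security notes:
#   * Both private keys are written unencrypted (-nodes). Whoever can read
#     ca_key.pem can issue certificates that every client trusting
#     ca_cert.pem will accept. The CA carries no name constraints, so trust
#     it only on development machines and keep ./storage out of version
#     control and shared images.
#   * The server certificate names real *.core.windows.net hosts, so it is
#     only meaningful where those names are redirected to the emulator.
#   * `openssl x509 -copy_extensions` needs OpenSSL 3.0 or newer.

# -e/-u: stop on unhandled failures and unset variables.
# pipefail: without it, `if ! req | x509` only sees the status of x509.
set -euo pipefail

CERT_DIR="./storage"
ACCOUNT_NAME="${1:-devstoreaccount1}"

# Return 0 when $1 is a single DNS label (letters, digits, inner hyphens,
# at most 63 characters). LC_ALL=C keeps the bracket ranges ASCII-only.
is_dns_label() {
  local LC_ALL=C
  [[ "$1" =~ ^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$ ]]
}

# ACCOUNT_NAME is interpolated into -subj and into the subjectAltName list.
# A value containing ',', '/', ':' or '=' would add subject fields or SAN
# entries the caller did not intend, so reject it before calling openssl.
if ! is_dns_label "$ACCOUNT_NAME"; then
  echo "Error: account name must be a single DNS label (letters, digits, '-')." >&2
  exit 2
fi

if ! mkdir -p "$CERT_DIR"; then
  echo "Error: Failed to create $CERT_DIR." >&2
  exit 1
fi

# Generate CA certificate and key if they don't exist
ca_generated=0
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
  echo "Generating CA certificate and key..."
  # Self-signed CA valid for 10 years; pathlen:0 forbids intermediate CAs.
  if ! openssl req \
    -x509 \
    -newkey rsa:4096 \
    -keyout "$CERT_DIR/ca_key.pem" \
    -out "$CERT_DIR/ca_cert.pem" \
    -days 3650 \
    -nodes \
    -subj "/CN=Azurite CA" \
    -text \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
    echo "Error: Failed to generate CA certificate and key." >&2
    exit 1
  fi
  # A key file that already existed keeps its old mode when overwritten, so
  # restrict it explicitly rather than relying on how openssl created it.
  chmod 600 "$CERT_DIR/ca_key.pem"
  ca_generated=1
fi

# Generate server certificate and key if they don't exist
if [[ ! -f "$CERT_DIR/server_cert.pem" || ! -f "$CERT_DIR/server_key.pem" ]]; then
  echo "Generating server certificate and key..."
  # `openssl req` writes the new key to disk and the CSR to stdout;
  # `openssl x509 -req` signs that CSR with the CA. `-copy_extensions
  # copyall` carries the requested extensions into the certificate, and the
  # serial number is 16 random bytes.
  if ! openssl req \
    -newkey rsa:4096 \
    -keyout "$CERT_DIR/server_key.pem" \
    -nodes \
    -subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:localhost,IP:127.0.0.1" \
    | openssl x509 \
      -req \
      -CA "$CERT_DIR/ca_cert.pem" \
      -CAkey "$CERT_DIR/ca_key.pem" \
      -set_serial "0x$(openssl rand -hex 16)" \
      -copy_extensions copyall \
      -days 365 \
      -text \
      -out "$CERT_DIR/server_cert.pem"; then
    echo "Error: Failed to generate server certificate and key." >&2
    exit 1
  fi
  chmod 600 "$CERT_DIR/server_key.pem"
elif (( ca_generated )); then
  # The existing server certificate was issued before this run created a
  # new CA, so it will not validate against the new ca_cert.pem.
  echo "Warning: existing server certificate was not issued by the new CA; delete $CERT_DIR/server_cert.pem and re-run to reissue it." >&2
fi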