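#!/bin/bash
#
# Script to generate ML-DSA-87 certificates for wolfSSL.
# Creates both a root CA and an entity certificate using ML-DSA-87.
#
# Output (relative to the current working directory):
#   certs/mldsa87_root_key.pem     root CA private key
#   certs/mldsa87_root_cert.pem    self-signed root CA certificate
#   certs/mldsa87_entity_key.pem   entity private key
#   certs/mldsa87_entity_cert.pem  entity certificate signed by the root
#
# Requires an openssl binary that accepts "-algorithm mldsa87".
#
# Security notes:
#   - Both private keys are written unencrypted (genpkey is called without a
#     cipher), so access to the certs directory is the only protection.
#   - NOTE(review): the root and the entity use the same subject DN, so the
#     entity certificate has issuer == subject and looks self-issued to path
#     builders that match on name only. Consider a distinct CN for the root;
#     left unchanged here because consumers may depend on the names.
#   - NOTE(review): the entity certificate carries no subjectAltName; clients
#     that ignore the CN for host name checks will not match it.

set -euo pipefail

readonly CERT_DIR="certs"
readonly SUBJECT="/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Development/CN=www.wolfssl.com"
readonly VALID_DAYS=3650

readonly ROOT_KEY="${CERT_DIR}/mldsa87_root_key.pem"
readonly ROOT_CERT="${CERT_DIR}/mldsa87_root_cert.pem"
readonly ENTITY_KEY="${CERT_DIR}/mldsa87_entity_key.pem"
readonly ENTITY_CERT="${CERT_DIR}/mldsa87_entity_cert.pem"

# Intermediate artifacts that must not outlive the run.
readonly ENTITY_CSR="${CERT_DIR}/mldsa87_entity.csr"
readonly ENTITY_EXTFILE="${CERT_DIR}/mldsa87_entity_extfile.cnf"
readonly ROOT_SERIAL="${CERT_DIR}/mldsa87_root_cert.srl"

#######################################
# Remove the intermediate CSR, extension file and serial file.
# Registered on EXIT so a failed openssl step does not leave them behind.
#######################################
cleanup() {
  rm -f -- "$ENTITY_CSR" "$ENTITY_EXTFILE" "$ROOT_SERIAL"
}
trap cleanup EXIT

#######################################
# Generate an ML-DSA-87 private key readable by the owner only.
# Arguments: $1 - output path for the PEM key
#######################################
generate_key() {
  local key_path=$1
  # Subshell keeps the restrictive umask scoped to key creation; the
  # certificates written later keep the caller's umask.
  (
    umask 077
    openssl genpkey -algorithm mldsa87 -out "$key_path"
  )
  # A file that already existed may keep its previous mode when overwritten,
  # so set the mode explicitly as well.
  chmod 600 -- "$key_path"
}

# Create certificates directory if it doesn't exist
mkdir -p -- "$CERT_DIR"

echo "==== Generating ML-DSA-87 Root CA ===="

# Generate the root private key
generate_key "$ROOT_KEY"
echo "Root private key generated."

# Generate self-signed root certificate, restricted to CA duties
openssl req -new -x509 -key "$ROOT_KEY" -out "$ROOT_CERT" \
  -days "$VALID_DAYS" -subj "$SUBJECT" \
  -addext "basicConstraints=critical,CA:true" \
  -addext "keyUsage=critical,keyCertSign,cRLSign"
echo "Root certificate generated."

echo "==== Generating ML-DSA-87 Entity Certificate ===="

# Generate entity private key
generate_key "$ENTITY_KEY"
echo "Entity private key generated."

# Generate certificate request
openssl req -new -key "$ENTITY_KEY" -out "$ENTITY_CSR" \
  -subj "$SUBJECT"
echo "Entity certificate request generated."

# Create an extension file for the certificate.
# ML-DSA is a signature-only algorithm, so the key cannot perform key
# encipherment. The keyEncipherment bit the script used to set is dropped:
# the IETF ML-DSA certificate profile forbids it and strict validators may
# reject a certificate that carries it.
cat > "$ENTITY_EXTFILE" << 'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=serverAuth,clientAuth
EOF

# Sign the certificate with the root CA
openssl x509 -req -in "$ENTITY_CSR" -out "$ENTITY_CERT" \
  -CA "$ROOT_CERT" -CAkey "$ROOT_KEY" \
  -CAcreateserial -days "$VALID_DAYS" \
  -extfile "$ENTITY_EXTFILE"
echo "Entity certificate generated."

# Clean up temporary files now so the listing below shows only the results;
# the EXIT trap covers the failure paths.
cleanup

echo "==== Certificate Verification ===="
# Verify entity certificate against root; under set -e a failed verification
# aborts the script before the success messages are printed.
openssl verify -CAfile "$ROOT_CERT" "$ENTITY_CERT"
echo "Verification completed."

echo "==== Certificate Generation Complete ===="
echo "Files generated:"
ls -la "${CERT_DIR}/"

echo "==== Instructions for Use with wolfSSL ===="
echo "In your wolfSSL code, use the following file paths:"
echo " Root CA: ${ROOT_CERT}"
echo " Entity Certificate: ${ENTITY_CERT}"
echo " Entity Private Key: ${ENTITY_KEY}"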