#!/bin/sh
set -e
days="3650"
keyout="syncthing.key"
reqout="$(mktemp)"
certout="syncthing.crt"
alg="ED25519"

help() {
cat <<EOF
$0 [ -c <certificate_out> ] [ -k <key_out> ] [ -448 ]
Defaults are:
certificate_out: 'syncthing.crt'
key_out: 'syncthing.key'

Optionally, the -448 option will generate an ED448 key instead of ED25519.

EOF
exit 1
}

while [ $# -gt 0 ] ; do case $1 in
	-c) certout="$2" ; shift ; shift ;;
	-k) keyout="$2" ; shift ; shift ;;
	-448) alg="ED448"; shift ;;
	*) help ;;
esac ; done

v3Section="
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = syncthing
"

openssl genpkey -algorithm $alg > "$keyout"

cnf="$(mktemp)"
cat > "$cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_req
[req_distinguished_name]
OU = Automatically Generated
O = Syncthing
CN = syncthing
[v3_req]
$v3Section
EOF

extfile="$(mktemp)"
cat > "$extfile" <<EOF
[v3_ca]
$v3Section
EOF

openssl req -new -out "$reqout" -key "$keyout" -config "$cnf"

rm "$cnf"

openssl x509 -req -days "$days" -in "$reqout" -signkey "$keyout" \
	-extensions v3_ca \
	-extfile "$extfile" \
	-out "$certout"

rm "$extfile"
rm "$reqout"