
priv/bin/barrel_p2p_gen_cert.sh

#!/usr/bin/env bash
#
# barrel_p2p_gen_cert.sh — generate a self-signed QUIC TLS cert for a
# barrel_p2p node.
#
# The kernel boots `-proto_dist quic` distribution before barrel_p2p's
# application code runs, so the cert must already exist on disk;
# `quic_dist:listen/2` fails with `{credentials, no_credentials}`
# otherwise. Run this once before the first boot.
#
# Usage:
#   barrel_p2p_gen_cert.sh [options]
#
# Options:
#   -d, --out-dir DIR   output directory (default ./data/quic)
#   -c, --cn NAME       certificate Common Name (default barrel_p2p)
#   -D, --days N        validity in days (default 365)
#   -k, --key-bits N    RSA key size (default 2048)
#   -f, --force         overwrite existing files
#   -h, --help          show this help
#
# Exit codes: 0 success, 2 usage error, 3 openssl missing or failed.

# Strict mode: abort on the first failing command, on any reference to an
# unset variable, and on a failure anywhere inside a pipeline.
set -o errexit -o nounset -o pipefail

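# Print the header comment (description, usage and option list) as the
# help text. The header is located by structure instead of by a hard-coded
# line range, so editing the comment block can no longer silently
# desynchronise `--help` from what the script actually accepts: starting
# at line 3 (after the shebang and the bare `#`), every `#` comment line
# is printed with its `# ` prefix stripped, stopping at the first
# non-comment line or at the `# Exit codes` line, whichever comes first.
#
# Reads $0, so the script has to be run from a readable file (not piped
# into bash). Writes to stdout; the exit status is awk's.
usage() {
    awk 'NR >= 3 {
             if (!/^#/ || /^# Exit codes/) exit
             sub(/^# ?/, "")
             print
         }' "$0"
}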

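# Option defaults. Each may be overridden on the command line; the parser
# below validates the result so that a bad argument is reported as a usage
# error (exit 2) instead of surfacing later as an opaque openssl failure.
OUT_DIR="./data/quic"   # where node.crt / node.key are written
CN="barrel_p2p"         # certificate subject Common Name
DAYS=365                # validity period in days
KEY_BITS=2048           # RSA modulus size in bits
FORCE=0                 # 1 = overwrite an existing cert/key pair

# die_usage MSG... — print the message to stderr and exit with the
# documented usage-error code.
die_usage() {
    printf 'barrel_p2p_gen_cert: %s\n' "$*" >&2
    exit 2
}

# is_uint STR — true if STR is a positive decimal integer (no sign, no
# leading zeros, not empty).
is_uint() {
    [[ $1 =~ ^[1-9][0-9]*$ ]]
}

# need_arg OPT COUNT — usage error if option OPT is the last argument, i.e.
# its value is missing. Without this check "$2" is unset and `set -u`
# aborts with an unrelated message and exit status 1 instead of 2.
need_arg() {
    (( $2 >= 2 )) || die_usage "option $1 requires a value"
}

while [[ $# -gt 0 ]]; do
    case "$1" in
        -d|--out-dir)  need_arg "$1" $#; OUT_DIR="$2"; shift 2 ;;
        -c|--cn)       need_arg "$1" $#; CN="$2"; shift 2 ;;
        -D|--days)     need_arg "$1" $#; DAYS="$2"; shift 2 ;;
        -k|--key-bits) need_arg "$1" $#; KEY_BITS="$2"; shift 2 ;;
        -f|--force)    FORCE=1; shift ;;
        -h|--help)     usage; exit 0 ;;
        *)             die_usage "unknown arg: $1" ;;
    esac
done

[[ -n "$OUT_DIR" ]] || die_usage "--out-dir must not be empty"
[[ -n "$CN" ]]      || die_usage "--cn must not be empty"
# openssl's -subj uses '/' as the RDN separator, so a slash in the CN would
# silently add extra subject components instead of ending up in the CN.
[[ "$CN" != */* ]]  || die_usage "--cn must not contain '/'"
is_uint "$DAYS"     || die_usage "--days must be a positive integer (got '$DAYS')"
is_uint "$KEY_BITS" || die_usage "--key-bits must be a positive integer (got '$KEY_BITS')"
# Not refused, to keep small keys usable for throw-away test clusters, but
# worth a loud hint: this key protects the distribution channel.
(( KEY_BITS >= 2048 )) || \
    printf 'barrel_p2p_gen_cert: warning: RSA keys below 2048 bits are not considered secure\n' >&2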

# openssl is the only external dependency; bail out early with the
# documented exit code when it is not installed.
command -v openssl >/dev/null 2>&1 || {
    printf '%s\n' "barrel_p2p_gen_cert: openssl not found in PATH" >&2
    exit 3
}

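# Output paths. The file names are fixed; only the directory is configurable.
CERT="$OUT_DIR/node.crt"
KEY="$OUT_DIR/node.key"

# Existing-output policy:
#   * both files present, no --force  -> nothing to do, exit 0 (idempotent,
#     so the script is safe to call from a boot hook on every start);
#   * only one of them present (an interrupted earlier run, or a cert that
#     was deleted by hand), no --force -> refuse with exit 2. Regenerating
#     silently here would destroy a private key that may still be relied on
#     elsewhere (peers pinning the old cert); the operator has to opt in
#     with --force;
#   * --force -> always regenerate both.
# The partial-state test uses `-e` so that a directory or other
# non-regular file sitting at one of the paths is reported here rather
# than as an opaque openssl failure later.
if [[ -f "$CERT" && -f "$KEY" ]]; then
    if (( FORCE == 0 )); then
        echo "barrel_p2p_gen_cert: $CERT and $KEY already exist (use --force to overwrite)"
        exit 0
    fi
elif [[ -e "$CERT" || -e "$KEY" ]]; then
    if (( FORCE == 0 )); then
        echo "barrel_p2p_gen_cert: only one of $CERT / $KEY exists; refusing to overwrite without --force" >&2
        exit 2
    fi
fi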

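mkdir -p -- "$OUT_DIR"

# Create the private-key file ourselves, empty and mode 0600, before openssl
# fills it in. openssl creates -keyout under the process umask, so with the
# usual 022 the key would be world-readable until the chmod at the end of
# the script; pre-creating it under umask 077 closes that window (openssl
# opens the path with fopen(3) "w", which truncates in place and keeps the
# existing mode — the final chmod stays as a safety net). Whatever sits at
# the path is removed first so the key is never written through a symlink
# to somewhere else.
rm -f -- "$KEY"
( umask 077 && : > "$KEY" )

# Generate the self-signed RSA cert/key pair. -nodes leaves the key
# unencrypted because the node has to boot unattended. Stderr is captured
# rather than discarded so that a failure (unsupported key size, full disk,
# ...) can be shown to the operator; on success openssl's progress output
# is simply dropped.
# NOTE(review): only a CN is set, no subjectAltName. Whether quic_dist or
# its TLS stack checks hostnames against the cert is not visible here —
# confirm before relying on the CN alone.
if ! openssl_err=$(openssl req -x509 \
        -newkey "rsa:$KEY_BITS" -nodes \
        -days "$DAYS" \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$CN" 2>&1 >/dev/null)
then
    # Do not leave a half-written pair behind for the next run to trip over.
    rm -f -- "$KEY" "$CERT"
    printf 'barrel_p2p_gen_cert: openssl failed:\n%s\n' "$openssl_err" >&2
    exit 3
fi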

# Belt and braces: the private key must be readable by its owner only (the
# cert is public and keeps the default mode). Then report what was written.
chmod 600 -- "$KEY"
printf '%s\n' "barrel_p2p_gen_cert: wrote $CERT and $KEY (CN=$CN, valid $DAYS days)"