#!/bin/sh -e

set -e

. /usr/share/debconf/confmodule

db_input medium libreswan/restart || true

db_input high libreswan/install_x509_certificate || true
db_go || true

db_get libreswan/install_x509_certificate
if [ "$RET" = "true" ]; then
    db_input high libreswan/how_to_get_x509_certificate || true
    db_go || true

    db_get libreswan/how_to_get_x509_certificate
    if [ "$RET" = "create" ]; then
	# create a new certificate
	db_input medium libreswan/rsa_key_length || true
	db_input high libreswan/x509_self_signed || true
	# we can't allow the country code to be empty - openssl will
	# refuse to create a certificate this way
	countrycode=""
	while [ -z "$countrycode" ]; do
	   db_input medium libreswan/x509_country_code || true
	   db_go || true
	   db_get libreswan/x509_country_code
	   countrycode="$RET"
	done
	db_input medium libreswan/x509_state_name || true
	db_input medium libreswan/x509_locality_name || true
	db_input medium libreswan/x509_organization_name || true
	db_input medium libreswan/x509_organizational_unit || true
	db_input medium libreswan/x509_common_name || true
	db_input medium libreswan/x509_email_address || true
	db_go || true
    elif [ "$RET" = "import" ]; then
	# existing certificate - use it
	db_input critical libreswan/existing_x509_certificate_filename || true
	db_input critical libreswan/existing_x509_key_filename || true
	db_input critical libreswan/existing_x509_rootca_filename || true
	db_go || true
    fi
fi