@echo off

SETLOCAL

@REM Copyright 2019 NXP
@REM
@REM SPDX-License-Identifier: Apache-2.0
@REM
@REM
@REM Use openssl and ssscli to provision attached secure element
@REM Note-1: Connect via JRCP_v2 (default) or JRCP_v1 (aka RJCT) server
@REM Note-2: Set IOT_SE to either se050 or a71ch
@REM
@REM The script takes two mandatory parameters:
@REM    ec_keytype
@REM    the ip_address:port of the JRCP server to connect to
@REM e.g.:
@REM    windowsProvision.bat prime256v1 192.168.2.75:8050
@REM
@REM An optional third parameter specifies the secure element targeted.
@REM The default secure element is se050

@set IOT_SE=se050
@REM @set IOT_SE=a71ch

@REM Handle parameters passed, do a sanity check before proceeding
IF NOT "%~1" == "" (
    IF "%~1"=="prime192v1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="NIST_P192"
    ) ELSE IF "%~1"=="secp224r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="NIST_P224"
    ) ELSE IF "%~1"=="prime256v1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="NIST_P256"
    ) ELSE IF "%~1"=="secp384r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="NIST_P384"
    ) ELSE IF "%~1"=="secp521r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="NIST_P521"
    ) ELSE IF "%~1"=="brainpoolP256r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Brainpool256"
    ) ELSE IF "%~1"=="brainpoolP384r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Brainpool384"
    ) ELSE IF "%~1"=="brainpoolP512r1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Brainpool512"
    ) ELSE IF "%~1"=="secp192k1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Secp192k1"
    ) ELSE IF "%~1"=="secp224k1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Secp224k1"
    ) ELSE IF "%~1"=="secp256k1" (
        @set EC_KEY_TYPE=%~1
        @set PYCLI_EC_KEY_TYPE="Secp256k1"
    ) ELSE (
        echo %~1 is not a supported key type
        goto :SUPPORTED_KEYTYPES
    )
) ELSE (
    goto :SUPPORTED_KEYTYPES
)

IF "%~2" == "jrcpv2" (
    IF NOT "%~3" == "" (
        @SET CONNECTION_TYPE=%~2
        @SET CONNECTION_PARAM=%~3
    ) ELSE (
        echo Please provide ip_address:port of JRCP server as third argument
        pause
        goto :EOF
    )
) ELSE IF "%~2" == "vcom" (
    IF NOT "%~3" == "" (
        @SET CONNECTION_TYPE=%~2
        @SET CONNECTION_PARAM=%~3
    ) ELSE (
        echo Please provide port name as third argument
        pause
        goto :EOF
    )
) ELSE (
    echo Invalid argumenets
    pause
    goto :EOF
)

IF NOT "%~4" == "" (
    @SET IOT_SE=%~4
)

@set KEY_DIR=keys/%EC_KEY_TYPE%
@set KEY_DIR_DOS=keys\%EC_KEY_TYPE%

@cd /d %~dp0
@set OPENSSL=..\..\..\..\ext\openssl\bin\openssl.exe
@set OPENSSL_CONF=..\..\..\..\ext\openssl\ssl\openssl.cnf

if not exist ..\%KEY_DIR_DOS%\NUL (
    echo "Folder ..\%KEY_DIR_DOS% does not exist, creating it"
    mkdir ..\%KEY_DIR_DOS%
)

@set ROOT_CA=tls_rootca
@set CLIENT_FILE=tls_client
@set SERVER_FILE=tls_server
@set DIR_PATH=..\keys\%EC_KEY_TYPE%

@set ROOT_CA_CER=%DIR_PATH%\%ROOT_CA%.cer
@SET ROOT_CA_SR1=%DIR_PATH%\%ROOT_CA%.srl
@set KEY_TYPE_FILE=%DIR_PATH%\%EC_KEY_TYPE%.pem
@set ROOT_CA_KEY_PEM=%DIR_PATH%\%ROOT_CA%_key.pem
@set ROOT_CA_KEY_PUBLIC_PEM=%DIR_PATH%\%ROOT_CA%_pub_key.pem
@set ROOT_CA_KEY_DER=%DIR_PATH%\%ROOT_CA%_key.der
@set CLIENT_KEY_PEM=%DIR_PATH%\%CLIENT_FILE%_key.pem
@set CLIENT_KEY_PUBLIC_PEM=%DIR_PATH%\%CLIENT_FILE%_key_pub.pem
@set CLIENT_CER=%DIR_PATH%\%CLIENT_FILE%.cer
@set SERVER_KEY_PEM=%DIR_PATH%\%SERVER_FILE%_key.pem
@set SERVER_CSR=%DIR_PATH%\%SERVER_FILE%.csr
@set SERVER_CERTIFICATE=%DIR_PATH%\%SERVER_FILE%.cer

%OPENSSL% ecparam -name %EC_KEY_TYPE% -out %KEY_TYPE_FILE%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

@REM Conditionally create CA key
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -noout -out %ROOT_CA_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -outform DER -out %ROOT_CA_KEY_DER%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
@REM Extract public part
%OPENSSL% ec -in %ROOT_CA_KEY_PEM% -pubout -out %ROOT_CA_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED


@REM create CA certificates
%OPENSSL% req -x509 -new -nodes -key %ROOT_CA_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -days 2800 -out %ROOT_CA_CER% -config %OPENSSL_CONF%
%OPENSSL% x509 -in %ROOT_CA_CER% -text -noout

@REM Create client key and extract public part
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -out %CLIENT_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %CLIENT_KEY_PEM% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% ec -in %CLIENT_KEY_PEM% -pubout -out %CLIENT_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

@REM Now create CSR
%OPENSSL% req -new -key %CLIENT_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -out %CLIENT_CER% -config %OPENSSL_CONF%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% req -in %CLIENT_CER% -text -config %OPENSSL_CONF%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

IF EXIST %ROOT_CA_SR1% (
    @echo ">> %ROOT_CA_SR1% already exists, use it"
    @SET x509_serial=-CAserial %ROOT_CA_SR1%
) ELSE (
    @echo ">> no %ROOT_CA_SR1% found, create it"
    @SET x509_serial=-CAserial %ROOT_CA_SR1% -CAcreateserial
)

@REM Create CA signed client certificate
%OPENSSL% x509 -req -sha256 -days 2800 -in %CLIENT_CER% %x509_serial% -CA %ROOT_CA_CER% -CAkey %ROOT_CA_KEY_PEM% -out %CLIENT_CER%
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED
%OPENSSL% x509 -in %CLIENT_CER% -text -noout
if %ERRORLEVEL% GEQ 1 GOTO :OPENSSL_FAILED

@REM Conditionally create server key
%OPENSSL% ecparam -in %KEY_TYPE_FILE% -genkey -out %SERVER_KEY_PEM%
%OPENSSL% ec -in %SERVER_KEY_PEM% -text -noout


@REM Create CSR anew
%OPENSSL% req -new -key %SERVER_KEY_PEM% -subj "/C=BE/ST=VlaamsBrabant/L=Leuven/O=NXP-Demo-CA/OU=Demo-Unit/CN=localhost" -out %SERVER_CSR% -config %OPENSSL_CONF%
%OPENSSL% req -in %SERVER_CSR% -text -noout -config %OPENSSL_CONF%


@REM Always create a CA signed server certificate
%OPENSSL% x509 -req -sha256 -days 2800 -in %SERVER_CSR% %x509_serial% -CA %ROOT_CA_CER% -CAkey %ROOT_CA_KEY_PEM% -out %SERVER_CERTIFICATE%
%OPENSSL% x509 -in %SERVER_CERTIFICATE% -text -noout

@REM Provision using ssscli tool

IF "%CONNECTION_TYPE%" == "vcom" (
    @REM Use precompiled ssscli binary for vcom connection
    @set ssscli=..\..\..\..\binaries\pySSSCLI\ssscli.exe
) ELSE (
    @REM Use ssscli from vertualenv setup
    @set ssscli=ssscli
)


%ssscli% -v disconnect
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL

if "%IOT_SE%" == "a71ch" (
    %ssscli% -v connect a71ch %CONNECTION_TYPE% %CONNECTION_PARAM%
    %ssscli% -v a71ch reset
) else if "%IOT_SE%" == "se05x" (
    echo %ssscli% -v connect se05x %CONNECTION_TYPE% %CONNECTION_PARAM%
    %ssscli% -v connect se05x %CONNECTION_TYPE% %CONNECTION_PARAM%
    %ssscli% -v se05x reset
) else (
    echo %IOT_SE% is not supported as secure element
    goto :EOF
)


@set client_cert_key_id=20181002
%ssscli% -v set cert %client_cert_key_id% %CLIENT_CER%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL

@set client_key_pair_id=20181001
%ssscli% -v set ecc pair %client_key_pair_id% %CLIENT_KEY_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL

@set root_cer_pub_id=7DCCBB22
%ssscli% -v set ecc pub %root_cer_pub_id% %ROOT_CA_KEY_PUBLIC_PEM%
if %ERRORLEVEL% GEQ 1 GOTO :CONFIG_TOOL


echo ## Program completed successfully
goto :EOF


@REM Usage
:SUPPORTED_KEYTYPES
    echo Please provide as first argument:  ec_keytype
    echo 'Please provide as second argument: connection type - vcom, jrcpv2'
    echo 'Please provide as third argument: connection parameter  - eg. COM3 , 127.0.0.1:8050'
    echo 'Please provide as fourth argument: Iot SE  - eg. a71ch , Default:se05x'
    echo Example invocations
    echo   %~nx0 prime256v1 jrcpv2 127.0.0.1:8050
    echo   %~nx0 prime256v1 vcom COM3 a71ch
    echo Supported key types:
    echo   prime192v1
    echo   secp224r1
    echo   prime256v1
    echo   secp384r1
    echo   secp521r1
    echo   brainpoolP256r1
    echo   brainpoolP384r1
    echo   brainpoolP512r1
    echo   secp192k1
    echo   secp224k1
    echo   secp256k1
    pause
    goto :EOF

@REM Error Handling
:OPENSSL_FAILED
    echo ### OpenSSL failed
    pause
    goto :EOF

:CONFIG_TOOL
    echo ### No configuration tool (ssscli)
    pause
    goto :EOF