#!/usr/bin/env python
import sys
import OpenSSL.crypto as c

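USAGE = "usage: %s CA_PEM CERT_PEM [NAME_CONSTRAINED_CERT_PEM]" % (sys.argv[0],)


def _read_pem(path):
    """Return the text of the PEM file at *path*, closing the handle afterwards."""
    with open(path) as fh:
        return fh.read()


def _name_constraints_of(cert):
    """Return the nameConstraints extension(s) carried by *cert* (may be empty)."""
    return [
        cert.get_extension(n)
        for n in range(cert.get_extension_count())
        if cert.get_extension(n).get_short_name() == "nameConstraints"
    ]


# Two positional arguments are mandatory; previously a missing one surfaced
# as an IndexError on the sys.argv lookup.
if len(sys.argv) < 3:
    sys.stderr.write(USAGE + "\n")
    sys.exit(2)

# The CA file holds both the private key and the certificate, so one read
# feeds both loaders (the original read the same file twice, never closing it).
ca_pem = sys.argv[1]
ca_pem_data = _read_pem(ca_pem)
ca_key = c.load_privatekey(c.FILETYPE_PEM, ca_pem_data)
ca_crt = c.load_certificate(c.FILETYPE_PEM, ca_pem_data)

# Certificate to be re-issued under the CA above.
crt = c.load_certificate(c.FILETYPE_PEM, _read_pem(sys.argv[2]))
crt.set_issuer(ca_crt.get_subject())

# Bug fix: the original tested `len(sys.argv) < 3`, which is always false once
# sys.argv[2] has been read, so the optional third argument was unconditionally
# indexed and its absence raised IndexError. The intended test is for the
# *fourth* element (the optional name-constrained certificate).
if len(sys.argv) < 4:
    # No donor certificate: attach a constraint whose only permitted subtree
    # is a DNS name that presumably matches nothing — looks like a negative
    # test fixture for name-constraint checking; confirm with the caller.
    crt.add_extensions([
        c.X509Extension("nameConstraints", True, "permitted;DNS:does_not_exist.com"),
    ])
else:
    # Copy the nameConstraints extension(s) verbatim from the donor
    # certificate given as the third argument.
    nc_crt = c.load_certificate(c.FILETYPE_PEM, _read_pem(sys.argv[3]))
    crt.add_extensions(_name_constraints_of(nc_crt))

# Signature digest kept as in the original. SHA-1 signatures are rejected by
# current validators, so outside a test fixture "sha256" is the digest to use.
crt.sign(ca_key, "sha1")
print(c.dump_certificate(c.FILETYPE_PEM, crt))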


"""

new = s.X509()
new.set_serial_number(now)
new.set_subject(orig.get_subject())
new.set_pubkey(orig.get_pubkey())
new.set_notBefore(orig.get_notBefore())
new.set_notAfter(orig.get_notAfter())
new.add_extensions([
    orig.get_extension(n) for n in range(orig.get_extension_count())
])

a = s.load_certificate(s.FILETYPE_PEM, open("/Users/wolever/EnSi/repos/devops/ssl/lum_test_ca/certs/asdf2.pem").read())
new.add_extensions([
    a.get_extension(3)
])

new.set_issuer(ca_crt.get_subject())
new.sign(ca_key, "sha1")

new_crt = s.dump_certificate(s.FILETYPE_PEM, new)

import os
open("/tmp/x.crt", "w").write(new_crt)
os.system("cat %s >> /tmp/x.crt" %(ca_pem, ))
os.system("openssl x509 -noout -text -in /tmp/x.crt")
"""

