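#!/usr/bin/env bash
##
## Regenerate the jwks-mock TLS keypair + the trust-anchor copy mounted into
## consumers. Both files are committed test artifacts (the test runs are
## deterministic, so the cert is reused across CI runs unless the keypair is
## intentionally rotated).
##
## Outputs:
##   tests/Azaion.Missions.JwksMock/tls/jwks-mock.key  (private, 0600)
##   tests/Azaion.Missions.JwksMock/tls/jwks-mock.crt  (public, ECDSA P-256, 100y)
##   tests/jwks-mock-ca.crt                            (copy of jwks-mock.crt)
##
## Security note: the certificate is self-signed with CA:TRUE + keyCertSign and
## its private key is committed next to it, so anyone who can read the
## repository can issue certificates that chain to this anchor. Mount
## jwks-mock-ca.crt only into test consumers; it must never reach a trust
## store used outside the test environment.
##
## Requires: an openssl whose `req` supports -addext (OpenSSL 1.1.1 or newer).

set -euo pipefail

# Fail early with a clear message instead of a bare "command not found".
if ! command -v openssl >/dev/null 2>&1; then
  echo "[regen-cert] openssl not found in PATH" >&2
  exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TLS_DIR="$SCRIPT_DIR/tls"
TESTS_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"

mkdir -p "$TLS_DIR"
cd "$TLS_DIR"

# Create the private key with owner-only permissions from the first byte.
# An existing key file keeps its old mode when it is overwritten (a git
# checkout does not restore 0600), so drop it first; the restrictive umask is
# scoped to a subshell so the certificate files keep the default mode and stay
# readable by the consumers that mount them.
rm -f -- jwks-mock.key
(
  umask 077
  openssl ecparam -name prime256v1 -genkey -noout -out jwks-mock.key
)

# Self-signed certificate that doubles as server cert and trust anchor.
# NOTE(review): keyEncipherment is an RSA key-transport usage and is not
# meaningful for an ECDSA key; it is kept so the regenerated artifact matches
# the existing profile. Confirm before dropping it.
openssl req -new -x509 \
  -key jwks-mock.key \
  -out jwks-mock.crt \
  -days 36500 \
  -sha256 \
  -subj "/CN=jwks-mock" \
  -addext "subjectAltName=DNS:jwks-mock,DNS:localhost,IP:127.0.0.1" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign" \
  -addext "extendedKeyUsage=serverAuth"

# Belt and braces: enforce the documented mode even if the openssl build or
# the filesystem ignored the umask above.
chmod 600 jwks-mock.key

cp -- jwks-mock.crt "$TESTS_DIR/jwks-mock-ca.crt"

echo "[regen-cert] regenerated:"
echo " $TLS_DIR/jwks-mock.key"
echo " $TLS_DIR/jwks-mock.crt"
echo " $TESTS_DIR/jwks-mock-ca.crt"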