#!/bin/sh
# pk12extract - Extract a backward-compatible .p12 bundle. 
# 
# Necessary for clients that don't like OpenSSL 3.
# Notably MacOS and iOS.
# Ref: https://developer.apple.com/forums/thread/697030

# Collect parameters

	while getopts "d:n:o:" option; do
		case $option in
			d) # NSS database path
				nss=$OPTARG;;
			n) # Certificate nickname
				nick=$OPTARG;;
			o) # Output filename
				result=$OPTARG;;
		esac
	done

# Parameter check

	if [[ -z "$nss" || -z $nick || -z $result ]]; then
		echo
		echo "Usage:	pk12extract -d nssPath -n nickname -o outFileName"
		echo
		echo "Example:	pk12extract -d /var/lib/ipsec/nss -n 'Hugh iPhone' -o hugh_iphone.p12"
		echo
		exit 1
	fi

# Read the password

	read -s -p "Enter password for PKCS12 file: " pass

# Get the client p12 file from the nss database:

	pk12util -W $pass -d $nss -n "$nick" -o "$result"

# Take apart the p12 file:

	openssl pkcs12 -in "$result" \
		-passin pass:$pass \
		-cacerts -nokeys -out ca.crt

	openssl pkcs12 -in "$result" \
		-passin pass:$pass \
		-clcerts -nokeys -out client.crt

	openssl pkcs12 -in "$result" \
		-passin  pass:$pass \
		-passout pass:$pass \
		-nocerts -out client.key

# Reassemble as a pem:

	cat   client.key client.crt ca.crt > client.pem
	rm -f client.key client.crt ca.crt

# Create a legacy .p12 file using a deprecated cipher:

	openssl pkcs12 \
		-in client.pem \
		-keypbe  PBE-SHA1-3DES \
		-certpbe PBE-SHA1-3DES \
		-export -legacy -name "$nick" \
		-passin  pass:$pass \
		-passout pass:$pass \
		-out "$result"

	rm -f client.pem

# END