#!/bin/bash
# Dynamically substitutes extendedKeyUsage in usr_cert in an openssl config file
# ./ekusub.sh "clientAuth, serverAuth"
#requires bash 4.0 regexes

set -e
[ -n "$1" ] || cat # pass through

IFS=$'\n'
CA_STANZA=0
EKU_MODIFIED=0
while read line; do
  if [[ "$line" =~ ^\ *\[\ *usr_cert\ *\] ]]; then
    CA_STANZA=1
    echo "$line"
  elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *extendedKeyUsage\ *= ]]; then
    echo -n "$line"
    echo ", $1"
    EKU_MODIFIED=1
  elif [ $CA_STANZA == 1 ] && [[ "$line" =~ ^\ *\[\ .+\ \] ]]; then
    if [ $EKU_MODIFIED == 0 ]; then
      echo "extendedKeyUsage = $1"
      echo
      EKU_MODIFIED=1
    fi
    CA_STANZA=0
    echo "$line"
  else
    echo "$line"
  fi

done