#!/bin/ksh
# 2016-12-02 (c) Olaf Bohlen <olbohlen@eenfach.de>
# this is an SMF service method that updates the root certificate copies
# used by curl, openssl, etc.

# CDDL HEADER START

# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.

# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.illumos.org/license/CDDL.
# See the License for the specific language governing permissions
# and limitations under the License.

# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]

# CDDL HEADER END


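# include SMF
. /lib/svc/share/smf_include.sh

# our variables
typeset tmpcabundle
typeset cabundle
typeset cert
typeset hashval
typeset subject
typeset capath
typeset osslcerts
typeset suffix
typeset linkname

#######################################
# Print an error message to stderr and leave with exit status 1.
# Arguments: message words (joined by a space)
#######################################
function die {
    printf "E: %s\n" "$*" >&2
    exit 1
}

#######################################
# Read one SMF property of this service; fall back to a default when the
# property is unset or empty. svcprop fails (and complains on stderr) for a
# missing property, which is the expected "use the default" case here, so
# its stderr is discarded.
# Globals:   SMF_FMRI (read)
# Arguments: $1 - property name, e.g. config/capath
#            $2 - default value
# Outputs:   the effective value on stdout
#######################################
function smf_prop_or_default {
    typeset value
    value=$(svcprop -p "$1" "${SMF_FMRI}" 2>/dev/null)
    if [[ -z "${value}" ]]; then
        value=$2
    fi
    printf "%s\n" "${value}"
}

# generate a temporary new cabundle file; mktemp may fail (full /tmp,
# wrong umask) and the file must go away again on every exit path
tmpcabundle=$(mktemp) || die "could not create a temporary bundle file"
trap 'rm -f -- "${tmpcabundle}"' EXIT

cat >"${tmpcabundle}" <<EOF
## OpenIndiana CA Root Certificate Bundle
##
## DO NOT EDIT THIS FILE - INSTEAD RUN svcadm refresh svc:/system/ca-certificates:default
##
## This is a bundled version of all root certificates in your OpenIndiana Installation.
## If you need to add new certificates, copy the cert in PEM format to /etc/certs/CA and
## run
##
## svcadm refresh svc:/system/ca-certificates:default
##
## This will create a new version of this file including all certificates
##
## this file was created at $(date +"%Y-%m-%d %H:%M:%S") local time.
##

EOF

# make /etc/certs/CA configurable by SMF, with a default if unset
capath=$(smf_prop_or_default config/capath /etc/certs/CA)

# get the cabundle file name by SMF, with a default if unset
cabundle=$(smf_prop_or_default config/cabundle /etc/certs/ca-certificates.crt)

# get the openssl cert dir by SMF, with a default if unset
osslcerts=$(smf_prop_or_default config/opensslcerts /etc/openssl/certs)

# both directories must exist, else break here
[[ -d "${capath}" ]] || die "${capath} is not a directory!"
[[ -d "${osslcerts}" ]] || die "${osslcerts} is not a directory!"

cd "${capath}" || die "cannot change into ${capath}"
for cert in *.pem; do
    # an unmatched glob leaves the literal pattern behind: nothing to bundle
    [[ -f "${cert}" ]] || continue

    # a file openssl cannot parse must not be copied into the bundle: one
    # broken member can make consumers reject the whole bundle, so warn and
    # skip it instead
    if ! hashval=$(openssl x509 -noout -hash -in "${cert}") ||
       [[ -z "${hashval}" ]]; then
        printf "W: skipping %s/%s: not a readable PEM certificate\n" \
            "${capath}" "${cert}" >&2
        continue
    fi
    subject=$(openssl x509 -noout -subject -in "${cert}")

    # update for openssl: the hash-dir convention is <hash>.<n>, where n
    # tells apart different certificates that share a subject hash. Reuse a
    # link that already points at this cert (so refreshes are idempotent),
    # otherwise take the first free suffix instead of silently dropping the
    # cert because <hash>.0 is taken.
    suffix=0
    while :; do
        linkname="${osslcerts}/${hashval}.${suffix}"
        if [[ ! -e "${linkname}" && ! -L "${linkname}" ]]; then
            ln -s "${capath}/${cert}" "${linkname}" ||
                printf "W: could not link %s as %s\n" "${cert}" "${linkname}" >&2
            break
        fi
        # -ef follows the link: true when it already resolves to this cert
        if [[ "${linkname}" -ef "${capath}/${cert}" ]]; then
            break
        fi
        suffix=$((suffix + 1))
    done

    printf "%s\n======================================================================\n" "${subject}" >>"${tmpcabundle}"
    cat "${cert}" >>"${tmpcabundle}"
    echo >>"${tmpcabundle}"
done

# now overwrite the real cabundle: write it next to the target and rename,
# so a program reading the bundle never sees a half-written file. The
# bundle is public data consumed by unprivileged programs, hence 0644
# rather than the 0600 mktemp gave the temporary file.
cat "${tmpcabundle}" >"${cabundle}.new" || die "cannot write ${cabundle}.new"
chmod 0644 "${cabundle}.new"
mv -f "${cabundle}.new" "${cabundle}" || die "cannot install ${cabundle}"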
