#!/bin/ksh
# 2016-12-02 (c) Olaf Bohlen <olbohlen@eenfach.de>
# this is an SMF service method that updates the root certificate copies
# used by curl, openssl, etc.

# CDDL HEADER START

# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.

# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.illumos.org/license/CDDL.
# See the License for the specific language governing permissions
# and limitations under the License.

# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]

# CDDL HEADER END


# include the SMF shared method library (standard for SMF method scripts;
# nothing exported by it is referenced further down in this script)
. /lib/svc/share/smf_include.sh

# declare every variable this script works with up front:
#   tmpcabundle - scratch file the new bundle is assembled in
#   cabundle    - final bundle path (curl and friends read this)
#   cert        - loop variable, one PEM file at a time
#   hashval     - openssl subject hash of the current cert
#   subject     - subject line of the current cert
#   capath      - directory holding the individual PEM certs
#   osslcerts   - openssl hash-link directory
typeset tmpcabundle cabundle cert hashval subject capath osslcerts


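# when started by SMF, read the configurable paths from the service
# instance.  A missing or unreadable property leaves the variable empty
# so the built-in defaults further down apply; svcprop's own diagnostics
# still go to stderr so a misconfigured instance is visible in the log.
if [ -n "${SMF_FMRI}" ]; then
    # make /etc/certs/CA configurable by SMF
    capath=$(svcprop -p config/capath "${SMF_FMRI}") || capath=
    # get the cabundle file name by SMF
    cabundle=$(svcprop -p config/cabundle "${SMF_FMRI}") || cabundle=
    # get a openssl cert dir by SMF
    osslcerts=$(svcprop -p config/opensslcerts "${SMF_FMRI}") || osslcerts=
fi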

# fall back to the built-in defaults for anything SMF did not provide.
# ${var:-default} treats an unset and an empty variable alike, which is
# exactly what a run outside SMF (no svcprop at all) relies on.
capath=${capath:-/etc/certs/CA}
cabundle=${cabundle:-/etc/certs/ca-certificates.crt}
osslcerts=${osslcerts:-/etc/openssl/certs}

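# check if capath is a directory, else break here.  Paths are quoted so a
# value containing whitespace is tested as one word instead of making
# test(1) fail with a confusing syntax error.
if ! [ -d "${capath}" ]; then
    printf "E: %s is not a directory!\n" "${capath}" >&2
    exit 1
fi

# check if osslcerts is a directory, else break here
if ! [ -d "${osslcerts}" ]; then
    printf "E: %s is not a directory!\n" "${osslcerts}" >&2
    exit 1
fi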

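# check if capath has a newer mtime, else do not generate new certs
if [ "${capath}" -nt "${osslcerts}" ]; then
    # generate a temporary new cabundle file.  mktemp(1) picks an
    # unpredictable name and creates it 0600, so no other user can
    # pre-create or inject content into the scratch bundle.
    tmpcabundle=$(mktemp) || {
        printf "E: cannot create a temporary file\n" >&2
        exit 1
    }
    # drop the scratch file on every exit path (success, error, signal);
    # the old code left it behind in the temp directory.
    trap 'rm -f -- "${tmpcabundle}"' EXIT

    cat >"${tmpcabundle}" <<EOF
## OpenIndiana CA Root Certificate Bundle
##
## DO NOT EDIT THIS FILE - INSTEAD RUN svcadm refresh svc:/system/ca-certificates:default
##
## This is a bundled version of all root certificates in your OpenIndiana Installation.
## If you need to add new certificates, copy the cert in PEM format to /etc/certs/CA and
## run
##
## svcadm refresh svc:/system/ca-certificates:default
##
## This will create a new version of this file including all certificates
##

EOF
    # an unchecked cd would make the loop below glob whatever directory we
    # happen to be in and link those files into the openssl dir
    cd "${capath}" || {
        printf "E: cannot change to %s\n" "${capath}" >&2
        exit 1
    }
    for cert in *.pem; do
        # an unmatched glob leaves the literal pattern; skip it rather than
        # handing "*.pem" to openssl
        [ -f "${cert}" ] || continue
        hashval=$(openssl x509 -noout -hash -in "${cert}")
        # an empty hash means openssl could not parse the file; without this
        # guard the link below would be created as the dotfile ".0"
        if [ -z "${hashval}" ]; then
            printf "W: skipping %s, not a parseable X.509 PEM certificate\n" "${cert}" >&2
            continue
        fi
        subject=$(openssl x509 -noout -subject -in "${cert}")
        # update for openssl: the hash-named link is what openssl uses to find
        # a CA in a capath directory.  ln fails quietly when the link already
        # exists from a previous run.  NOTE(review): two certs sharing a
        # subject hash would need a .1 suffix; the second one currently ends
        # up in the bundle only, not in the openssl dir.
        ( cd "${osslcerts}" && ln -s "${capath}/${cert}" "${hashval}.0" 2>/dev/null )
        printf "%s\n======================================================================\n" "${subject}" >>"${tmpcabundle}"
        cat "${cert}" >>"${tmpcabundle}"
        echo >>"${tmpcabundle}"
    done

    # now overwrite the real cabundle in place (keeps the existing file's
    # inode and mode; a reader during this short copy may see a truncated
    # bundle, which the original code accepted as well)
    cat "${tmpcabundle}" >"${cabundle}"

fi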
