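#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# Rebuild the Mozilla CA certificate set from the Debian ca-certificates
# source tarball (optionally with a newer certdata.txt from Mozilla),
# install the generated .crt files under $TO, rename the OS-shipped
# certificates under $BASE to *.old, and run update-ca-certificates.
#
# Security notes:
#   * Everything downloaded here ends up as a system trust anchor, so the
#     downloads use HTTPS rather than cleartext HTTP.
#   * HTTPS only authenticates the server.  Set CA_TARBALL_SHA256 to a
#     digest obtained from a trusted source (for example the signed Debian
#     .dsc for this version) to have the tarball checked before it is
#     unpacked.  When the variable is unset no digest check is done.
#   * certdata.txt is fetched from the moving "tip" of mozilla-beta and so
#     cannot be pinned by digest; the diffs appended to $LOG_FILE at the
#     end are the place to review what actually changed.
#
# Exit codes: 1 source dir/download, 2 missing unpacked dir, 3 rename of OS
# cert failed, 4 blacklist.txt missing, 5 certdata2pem failed, 6 install of
# a generated cert failed, 7 update-ca-certificates failed, 8 exception in
# its output, 9/10 cd failures, 11 tarball digest mismatch.

PREFIX=/usr/local
ROLE=testforge

BASE=/usr/share/ca-certificates/mozilla
TO=/usr/local/share/ca-certificates/mozilla
VER=20190110
DIR=ca-certificates-$VER
URL=deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_$VER.tar.xz
URL_CERTDATA=hg.mozilla.org/releases/mozilla-beta/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
CACHE=/usr/local/net/Http

# Optional pinned digest of the tarball; empty means "do not check".
TARBALL_SHA256=${CA_TARBALL_SHA256:-}

LOG_DIR=/var/local/var/log
[ -d "$LOG_DIR" ] || mkdir -p "$LOG_DIR"
LOG_FILE=$LOG_DIR/ca-certificates_$$.log
rm -f "$LOG_FILE"

# True when a wlanN (N >= 1) interface carries the default route.
# /proc/net/route is tab-separated, so match any whitespace between the
# interface name and the all-zero destination.
is_online() {
    grep -q "^wlan[1-9][0-9]*[[:space:]]00000000" /proc/net/route
}

# on Gentoo it may be up to date (check deliberately disabled with "false")
if false && command -v equery >/dev/null 2>&1 ; then
    # 20190110.3.43
    equery f app-misc/ca-certificates | grep "/usr/share/doc/ca-certificates-$VER"
fi

[ -d "$TO" ] || mkdir -p "$TO"

cd /usr/local/src || exit 1
if [ ! -d "$DIR" ] ; then
    is_online || { echo INFO: not connected ; exit 0 ; }
    [ -f "$CACHE/$URL" ] || \
        wget -xcP "$CACHE/" "https://$URL" || exit 1
    # Check the tarball (freshly downloaded or cached) before unpacking it.
    if [ -n "$TARBALL_SHA256" ] ; then
        printf '%s  %s\n' "$TARBALL_SHA256" "$CACHE/$URL" | sha256sum -c - >/dev/null || \
            { echo "ERROR: SHA-256 mismatch for $CACHE/$URL" >&2 ; exit 11 ; }
    fi
    tar xvfJ "$CACHE/$URL"
fi

cd "$DIR/mozilla" || exit 2
# will regenerate these if they exist
rm -f -- *crt

# Checked before the OS certificates are renamed, so that a broken source
# tree does not leave $BASE without any active .crt files.
[ -f blacklist.txt ] || { echo "ERROR: missing blacklist.txt" >&2 ; exit 4 ; }

# leave the original OS /usr/share certs renamed to .old
for file in "$BASE"/*.crt ; do
    [ -f "$file" ] || continue      # glob matched nothing
    [ -f "$file.old" ] && sudo rm "$file.old"
    sudo mv "$file" "$file.old" || \
        { echo "ERROR: moving $file $file.old" >&2 ; exit 3 ; }
done

if [ ! -f certdata.txt.mozilla ] && is_online ; then
    [ -f "$CACHE/$URL_CERTDATA" ] || \
        wget -xcP "$CACHE/" "https://$URL_CERTDATA"
fi
# Test for the file that is actually copied (the original tested the
# tarball path here, so a failed certdata download led to a failing cp).
if [ ! -f certdata.txt.mozilla ] && [ -f "$CACHE/$URL_CERTDATA" ] ; then
    cp -p "$CACHE/$URL_CERTDATA" certdata.txt.mozilla
fi
if [ -f certdata.txt.mozilla ] && [ certdata.txt.mozilla -nt certdata.txt ] ; then
    # keep Debian's copy once, then build from the newer Mozilla list
    [ -f certdata.txt.debian ] || mv certdata.txt certdata.txt.debian
    cp -p certdata.txt.mozilla certdata.txt
fi

python2 ./certdata2pem.py >> "$LOG_FILE" 2>&1 || exit 5

for file in *crt ; do
    [ -f "$file" ] || continue      # glob matched nothing
    sudo mv "$file" "$TO/$file" || \
        { echo "ERROR: moving $file $TO/$file" >&2 ; exit 6 ; }
done
[ -f "$TO/blacklist.txt" ] || \
    sudo cp -p blacklist.txt "$TO"

#[ -f /etc/ca-certificates.conf ] && [ ! -f /etc/ca-certificates.conf.old ] && \
#    sudo mv /etc/ca-certificates.conf /etc/ca-certificates.conf.old

# update-ca-certificates returns rc=0 even when there is an exception - with java7 -
# org.debian.security.InvalidKeystorePasswordException: Cannot open Java keystore. Is the password correct?
# so its output is also scanned for "Exception:" below.
# NOTE: ">" restarts the log here (the certdata2pem output above is
# dropped); kept so that the grep only sees update-ca-certificates output.
sudo bash /usr/sbin/update-ca-certificates --verbose > "$LOG_FILE" 2>&1
rc=$?
# The original wrote "exit 7$?", where $? was already the status of the
# test itself; report the real status and exit with the intended code.
if [ "$rc" -ne 0 ] ; then
    echo "ERROR: update-ca-certificates failed with rc=$rc" >&2
    exit 7
fi
grep Exception: "$LOG_FILE" && exit 8

# Record what changed relative to the OS-shipped certificates, in both
# directions, so additions and removals of trust anchors can be reviewed.
cd "$TO" || exit 9
for file in *crt ; do
    diff "$file" "$BASE/$file.old"
done >> "$LOG_FILE" 2>&1

cd "$BASE" || exit 10
echo "INFO: $BASE" >> "$LOG_FILE" 2>&1
for file in *.old ; do
    # the "/" after $TO was missing in the original, so no file ever matched
    diff "$file" "$TO/$(basename "$file" .old)"
done >> "$LOG_FILE" 2>&1

exit 0

# alternate
# wget -xcP /usr/local/net/Http/ http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20190110_all.deb;alien -t -c /usr/local/net/Http/ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20190110_all.deb ; tar xvfz ca-certificates-20190110.tgz -C /usr/local/share/ca-certificates/mozilla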