#! /bin/sh

set -e

storepass='changeit'
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

KEYSTORE=/etc/ssl/certs/java/cacerts

echo ""
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

if ! mountpoint -q /proc; then
    echo >&2 "the keytool command requires a mounted proc fs (/proc)."
    exit 1
fi

for jvm in java-6-openjdk java-6-sun java-6-cacao; do
    if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
	break
    fi
done
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH

temp_jvm_cfg=
if [ ! -f /etc/$jvm/jvm.cfg ]; then
    # the jre is not yet configured, but jvm.cfg is needed to run it
    temp_jvm_cfg=/etc/$jvm/jvm.cfg
    mkdir -p /etc/$jvm
    printf -- "-server KNOWN\n" > $temp_jvm_cfg
fi

# read lines of the form: [+-]/etc/ssl/certs/*.pem

echo "updating keystore $KEYSTORE..."

errors=0
log=$(tempfile)
while read line; do
    pem=${line#[+-]*}
    alias=$(basename $pem .pem | tr A-Z a-z | tr -cs a-z0-9 _)
    alias=${alias%*_}
    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
	-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
	&& exists=yes || exists=no
    # Also search for the old incorrect alias
    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
	-storepass "$storepass" -alias "${alias}_pem" >/dev/null 2>&1 \
	&& exists_old=yes || exists_old=no
    case "$line" in
    +*)
	if [ "$exists" = yes -o "$exists_old" = yes ]; then
	    echo "  already exists: ${line#+*}"
	else
	  if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
		-alias "$alias" -file "$pem" > $log 2>&1
	  then
	      echo "  added: ${line#+*}"
	  elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
	        -providerClass sun.security.pkcs11.SunPKCS11 \
	        -providerArg '${java.home}/lib/security/nss.cfg' \
		-alias "$alias" -file "$pem" > $log 2>&1
	  then
	      echo "  added: ${line#+*} (using NSS provider)"
	  elif grep -q 'Signature not available' $log; then
	      echo "  ignored import, signature not available: ${line#+*}"
	      cat $log
	  else
	      echo >&2 "  error adding ${line#+*}"
	      errors=$(expr $errors + 1)
	  fi;
	fi
	;;
    -*)
	if [ "$exists" = yes ]; then
	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
		-noprompt -storepass "$storepass" \
		-alias "$alias"
	    then
		echo "  removed ${line#-*}"
	    elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
		-noprompt -storepass "$storepass" \
	        -providerClass sun.security.pkcs11.SunPKCS11 \
	        -providerArg '${java.home}/lib/security/nss.cfg' \
		-alias "$alias"
	    then
		echo "  removed ${line#-*} (using NSS provider)"
	    else
		echo >&2 "  error removing ${line#+*}"
		errors=$(expr $errors + 1)
	    fi
	fi
	if [ "$exists_old" = yes ]; then
	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
		-noprompt -storepass "$storepass" \
		-alias "${alias}_pem"
	    then
		echo "  removed ${line#-*}"
	    elif LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
		-noprompt -storepass "$storepass" \
	        -providerClass sun.security.pkcs11.SunPKCS11 \
	        -providerArg '${java.home}/lib/security/nss.cfg' \
		-alias "${alias}_pem"
	    then
		echo "  removed ${line#-*} (using NSS provider)"
	    else
		echo >&2 "  error removing ${line#+*}"
		errors=$(expr $errors + 1)
	    fi
	fi
	if [ "$exists" != yes -a "$exists_old" != yes ]; then
	    echo "  does not exist: ${line#-*}"
	fi
	;;
    *)
	echo >&2 "  $0: Unknown line $line"
    esac
done
rm -f $log

[ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg

if [ $errors -gt 0 ]; then
    echo >&2 "failed (VM used: $jvm)."
    exit 1
fi
echo "done."