#!/bin/bash

# Get configuration
if [ -f /etc/make-ca.conf ]; then
    . /etc/make-ca.conf
else
    #Use defaults if make-ca.conf does not exist
    ANCHORDIR="/etc/pki/anchors"
    ANCHORLIST="/etc/pki/anchors.md5sums"
    LOCALDIR="/etc/ssl/local"
    MD5SUM="/usr/bin/md5sum"
fi

# Dump to a temporary directory
TEMPDIR=`mktemp -d`
/usr/bin/trust extract --filter=certificates \
                       --format=openssl-directory \
                       --overwrite \
                       "${TEMPDIR}"

# Create a list of anchors that were not present or have been modified
"${MD5SUM}" "${ANCHORDIR}"/*.pem \
    2> /dev/null > "${TEMPDIR}/anchors.md5sums"
diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \
    2> /dev/null > "${TEMPDIR}/diff" 
grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 \
    2> /dev/null > "${TEMPDIR}/certlist"

echo -e "\nThe following certificates have local modifications:\n"

# Copy new certificates to LOCALDIR
for certificate in `cat "${TEMPDIR}/certlist"` ; do
    LABEL=`grep -m 1 "label:" "${certificate}"`
    LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
    cp -f "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
    echo -e "${LABELNEW}"
    unset LABEL LABELNEW
done

# Clean up
rm -rf "${TEMPDIR}"
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR