#!/bin/bash

# Get configuration
if [ -f /etc/make-ca.conf ]; then
    . /etc/make-ca.conf
else
    #Use defaults if make-ca.conf does not exist
    ANCHORDIR="/etc/pki/anchors"
    ANCHORLIST="/etc/pki/anchors.md5sums"
    LOCALDIR="/etc/ssl/local"
    MD5SUM="/usr/bin/md5sum"
fi

# Dump to a temporary directory
TEMPDIR=`mktemp -d`
/usr/bin/trust extract --filter=certificates \
                       --format=openssl-directory \
                       --overwrite \
                       "${TEMPDIR}"

# Create a list of anchors that were not present or have been modified
"${MD5SUM}" "${ANCHORDIR}"/* \
    2> /dev/null > "${TEMPDIR}/anchors.md5sums"
diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \
    2> /dev/null > "${TEMPDIR}/diff" 
grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 | \
    sed '/x-certificate-extension/d' 2> /dev/null > "${TEMPDIR}/certlist"

echo -e "\nThe following certificates have local modifications:\n"

# Copy new certificates to LOCALDIR
for certificate in `cat "${TEMPDIR}/certlist"` ; do
    LABEL=`grep -m 1 "^label:" "${certificate}" | sed 's@^label: @@'`
    LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`

    # Determine default usage (this can be changed later)
    usage=$(openssl x509 -in ${certificate} -noout -text | \
                grep -A1 "X509v3 Key Usage:")
    trust=""
    echo ${usage} | grep -q "Certificate Sign" &&
         trust="${trust} -addtrust serverAuth"
    echo ${usage} | grep -q "Digital Signature" &&
         trust="${trust} -addtrust emailProtection"

    # Place into LOCALDIR
    openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
            ${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
    echo -e "${LABELNEW}"
    unset LABEL LABELNEW usage trust
done
echo ""

# Clean up
rm -rf "${TEMPDIR}"
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR