#! /bin/sh

set -e

storepass='changeit'
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

KEYSTORE=/etc/ssl/certs/java/cacerts

echo ""
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

for jvm in /usr/lib/jvm/java-1.6.0-openjdk /opt/java/jre; do
    if [ -x $jvm/bin/keytool ]; then
	break
    fi
done

if [ ! -x $jvm/bin/keytool ]; then
  exit 0
fi

export JAVA_HOME=$jvm
PATH=$JAVA_HOME/bin:$PATH

# read lines of the form: [+-]/etc/ssl/certs/*.pem
echo "updating keystore $KEYSTORE..."

errors=0
log=$(mktemp)
while read line; do
    pem=${line#[+-]*}
    alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
    alias=${alias%*_}
    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE \
	-storepass "$storepass" -alias "$alias" >/dev/null 2>&1 \
	&& exists=yes || exists=no
    case "$line" in
    +*)
	if [ "$exists" = yes ]; then
	    echo "  already exists: ${line#+*}"
	else
	    if LANG=C LC_ALL=C keytool -importcert -trustcacerts \
		-keystore $KEYSTORE -noprompt -storepass "$storepass" \
		-alias "$alias" -file "$pem" > $log 2>&1
	    then
		echo "  added: ${line#+*}"
	    elif grep -q 'Signature not available' $log; then
		echo "  ignored import, signature not available: ${line#+*}"
		cat $log
	    else
		echo >&2 "  error adding ${line#+*}"
		errors=$(expr $errors + 1)
	    fi
	fi
	;;
    -*)
	if [ "$exists" = yes ]; then
	    if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
		-noprompt -storepass "$storepass" \
		-alias "$alias"
	    then
		echo "  removed ${line#-*}"
	    else
		echo >&2 "  error removing ${line#+*}"
		errors=$(expr $errors + 1)
	    fi
	else
	    echo "  does not exist: ${line#-*}"
	fi
	;;
    *)
	echo >&2 "  $0: Unknown line $line"
    esac
done
rm -f $log

if [ $errors -gt 0 ]; then
    echo >&2 "failed."
    exit 1
fi
echo "done."