#!/bin/bash
for jvm in /usr/lib/jvm/java-1.6.0-openjdk /opt/java/jre; do
  if [ -x $jvm/bin/keytool ]; then
    break
  fi
done
if [ ! -x $jvm/bin/keytool ]; then
  echo "No supported JRE installed"
  exit 1
fi
export JAVA_HOME=$jvm
PATH=$JAVA_HOME/bin:$PATH

KEYSTORE=/etc/ssl/certs/java/cacerts
storepass='changeit'
if [ -f /etc/default/cacerts ]; then
  . /etc/default/cacerts
fi

echo "creating $KEYSTORE..."
cp /usr/share/ca-certificates-java/cacerts $KEYSTORE
cacertdir=/usr/share/ca-certificates
pregenerated=$(mktemp)
LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
  | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
  | sort > $pregenerated

grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \
errors=0
log=$(mktemp)
while read line; do
  pem=${line#!*}
  alias=$(basename $pem .crt | tr A-Z a-z | tr -cs a-z0-9 _)
  alias=${alias%*_}
  case "$line" in
    !*)
      if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
          -storepass "$storepass" -alias "$alias" > /dev/null
      then
        echo "  removed untrusted certificate $pem"
      fi
      ;;

    *)
      if [ ! -f "$cacertdir/$pem" ]; then
        echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
        echo >&2 "warning:   but $cacertdir/$pem does not exist."
        continue
      fi
      if ! grep -q "^${alias}$" $pregenerated; then
        if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
             -noprompt -storepass "$storepass" \
             -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
        then
          echo "  added certificate $pem $alias"
        elif grep -q 'Signature not available' $log; then
          echo "  ignored import, signature not available: ${line#+*}"
          cat $log
        else
          echo >&2 "  error adding ${line#+*}"
          errors=$(expr $errors + 1)
        fi
      fi
  esac
done
rm -f $log

rm -f $pregenerated
if [ $errors -gt 0 ]; then
  echo >&2 "failed."
  exit 1
fi
echo "done."
)