#!/bin/bash
# vim: syntax=sh

shopt -s nullglob

cafile="/var/lib/ca-certificates/ca-bundle.pem"
cadir="/etc/ssl/certs"

for i in "$@"; do
	if [ "$i" = "-f" ]; then
		fresh=1
	elif [ "$i" = "-v" ]; then
		verbose=1
	fi
done

if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
	exit 0
fi
echo "creating $cafile ..."
cat > "$cafile.new" <<EOF
#
# automatically created by $0. Do not edit!
#
# Use of this file is deprecated and should only be used as last
# resort by applications that cannot parse the $cadir directory.
# You should avoid hardcoding any paths in applications anyways though.
# Use e.g.
# SSL_CTX_set_default_verify_paths() instead.
#
EOF
for i in `find $cadir/*`; do
	fname=`echo $i | cut -f 5 -d '/'`
	if [[ ! $fname =~ ^[0-9a-z]{8}\.[0-9]$ ]]; then
		continue
	fi

	# only include certificates trusted for server auth
	if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
		trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
		case "$trust" in
			*serverAuth*) ;;
			*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
		esac
	fi
	openssl x509 -in "$i"
done >> "$cafile.new"
mv "$cafile.new" "$cafile"

chown root:system $cafile
chmod 664 $cafile
chsmack -a "System::Shared" $cafile