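#! /bin/sh
#
# Keep the Java cacerts keystore in sync with the system CA bundle.
#
# Presumably run as an update-ca-certificates hook: it reads lines of the
# form "+/etc/ssl/certs/NAME.pem" (add) or "-/etc/ssl/certs/NAME.pem"
# (remove) on stdin and applies them to $KEYSTORE with keytool.  The
# keystore alias is derived from the file name; that derivation must stay
# stable, otherwise certificates imported by earlier runs can no longer
# be located for removal.
#
# Configuration (optional, /etc/default/cacerts, sourced as shell code, so
# it must only be writable by whoever may already run commands with this
# script's privileges):
#   cacerts_updates=yes   enable updates (anything else disables them)
#   storepass=...         keystore password (default: changeit)
# Setting CACERT_UPDATES=disabled in the environment also disables updates.
#
# Exit status: 0 when every line was applied or updates are disabled,
# 1 when no keytool is available or at least one line failed.

set -e

storepass='changeit'
if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

KEYSTORE=/etc/ssl/certs/java/cacerts

echo ""
if [ "$cacerts_updates" != yes ] || [ "$CACERT_UPDATES" = disabled ]; then
    echo "updates of cacerts keystore disabled."
    exit 0
fi

# Use the first installed JVM that ships a keytool.  Without one there is
# nothing we can do, and silently leaving the keystore stale would be worse
# than failing, so report and exit non-zero before touching /etc.
jvm=
for candidate in java-6-openjdk java-6-sun java-6-cacao; do
    if [ -x "/usr/lib/jvm/$candidate/bin/keytool" ]; then
        jvm=$candidate
        break
    fi
done
if [ -z "$jvm" ]; then
    echo >&2 "no keytool found under /usr/lib/jvm, cannot update $KEYSTORE"
    exit 1
fi
export JAVA_HOME="/usr/lib/jvm/$jvm"
PATH="$JAVA_HOME/bin:$PATH"

# The JRE may be unpacked but not yet configured; keytool needs a jvm.cfg
# to start, so provide a minimal one.  The EXIT trap removes it on every
# exit path, including an abort caused by set -e.
temp_jvm_cfg=
if [ ! -f "/etc/$jvm/jvm.cfg" ]; then
    temp_jvm_cfg="/etc/$jvm/jvm.cfg"
    mkdir -p "/etc/$jvm"
    printf -- "-server KNOWN\n" > "$temp_jvm_cfg"
fi
trap '[ -z "$temp_jvm_cfg" ] || rm -f "$temp_jvm_cfg"' EXIT

# alias_for PEM: print the keystore alias used for certificate file PEM.
# Lowercased basename, every run of characters outside [a-z0-9] collapsed
# to '_', trailing '_' dropped (tr turns basename's newline into one).
# The ".crt" suffix argument does not match ".pem" inputs, so the
# extension becomes part of the alias (foo.pem -> foo_pem); kept as-is
# for alias stability.
alias_for() {
    _a=$(basename "$1" .crt | tr A-Z a-z | tr -cs a-z0-9 _)
    printf '%s\n' "${_a%_}"
}

# in_keystore ALIAS: succeed when ALIAS is present in $KEYSTORE.
# NOTE: a missing or unreadable keystore, or a wrong password, also makes
# this fail, so "absent" and "cannot read" are not distinguished here.
# NOTE(review): the store password is visible in the process list while
# keytool runs; -storepass:env (keytool of JDK 6 and later) would avoid
# that -- confirm every supported keytool accepts it before switching.
in_keystore() {
    LANG=C LC_ALL=C keytool -list -keystore "$KEYSTORE" \
        -storepass "$storepass" -alias "$1" >/dev/null 2>&1
}

echo "updating keystore $KEYSTORE..."

errors=0
# read -r keeps backslashes literal and IFS= keeps surrounding blanks, so
# the path is passed to keytool exactly as given; the "|| [ -n ... ]"
# clause still processes a final line that lacks a trailing newline.
while IFS= read -r line || [ -n "$line" ]; do
    pem=${line#?}   # path after the leading '+' or '-'
    case "$line" in
    +*)
        alias=$(alias_for "$pem")
        if in_keystore "$alias"; then
            echo "  already exists: $pem"
        elif LANG=C LC_ALL=C keytool -importcert -trustcacerts \
                -keystore "$KEYSTORE" -noprompt -storepass "$storepass" \
                -alias "$alias" -file "$pem"; then
            echo "  added: $pem"
        else
            echo >&2 "  error adding $pem"
            errors=$((errors + 1))
        fi
        ;;
    -*)
        alias=$(alias_for "$pem")
        if ! in_keystore "$alias"; then
            echo "  does not exists: $pem"
        elif LANG=C LC_ALL=C keytool -delete -keystore "$KEYSTORE" \
                -noprompt -storepass "$storepass" -alias "$alias"; then
            echo "  removed $pem"
        else
            # Was "${line#+*}" before, which printed the '-' sign as well.
            echo >&2 "  error removing $pem"
            errors=$((errors + 1))
        fi
        ;;
    *)
        # Not counted as an error: the line format is simply unknown.
        echo >&2 "  $0: Unknown line $line"
        ;;
    esac
done

if [ "$errors" -gt 0 ]; then
    echo >&2 "failed."
    exit 1
fi
echo "done."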
