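#!/bin/bash
#
# Rebuild the Java trust stores from the system CA directory.
#
# Stages the PEM files found in $cadir into a scratch directory, keeping
# only entries usable as TLS server trust anchors, then runs keystore.jar
# on that staged set to write $cafile (via java) and $cafile_gcj (via
# /usr/bin/gij).
#
# Options (all arguments are also passed through to keystore.jar):
#   -f  rebuild even when $cadir is not newer than $cafile
#   -v  report skipped certificates on stderr
#
# Exits 0 without doing anything when keystore.jar is not installed or the
# keystore is already up to date.

# Neutral locale for the tools called below. The expansions are left
# unquoted on purpose: each one yields a list of variable names.
unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG
export LANG=en_US
set -e

libexecdir="/usr/lib/ca-certificates/java/"
cafile="/var/lib/ca-certificates/java-cacerts"
cafile_gcj="/var/lib/ca-certificates/gcj-cacerts"
cadir="/etc/ssl/certs"
tmppem="$cafile.tmp"

# Remove the staging directory on every exit path.
cleanup() {
  rm -rf -- "$tmppem"
}
trap cleanup EXIT

# Start from known values so that same-named variables inherited from the
# environment cannot switch these options on.
fresh=
verbose=
for i in "$@"; do
  case "$i" in
    -f) fresh=1 ;;
    -v) verbose=1 ;;
  esac
done

umask 0022

if [[ -z "$JAVA_HOME" && -r /etc/profile.d/alljava.sh ]]; then
  . /etc/profile.d/alljava.sh
fi

if [[ -n "$JAVA_HOME" ]]; then
  java="$JAVA_HOME/bin/java"
else
  # A missing java must not abort the script under `set -e`; the gij
  # keystore further down can still be built without it.
  java=$(command -v java || true)
fi

# A java that resolves to gij is dropped here; /usr/bin/gij gets its own
# keystore below.
if [[ $(readlink -f "${java}") =~ gij ]]; then
  java=""
fi

if [[ ! -e "$libexecdir"/keystore.jar ]]; then
  # nothing to do
  exit 0
fi

# Rebuild only when forced with -f or when the CA directory is newer than
# the existing keystore (also true when the keystore does not exist yet).
if [[ -z "$fresh" && ! "$cadir" -nt "$cafile" ]]; then
  exit 0
fi

mkdir -p -- "${cafile%/*}"

# Recreate the staging directory from scratch: leftovers from an
# interrupted run would make `ln -s` fail, or would carry certificates
# that are no longer in $cadir into the new keystore.
rm -rf -- "$tmppem"
mkdir -- "$tmppem"

for i in "$cadir"/*.pem; do
  # An unmatched glob stays literal and a dangling link cannot be read;
  # stage neither.
  [[ -e "$i" ]] || continue

  if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
    # only include certificates trusted for server auth
    trust=$(sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i")
    case "$trust" in
      *serverAuth*) ;;
      *)
        [[ -z "$verbose" ]] || echo "skipping $i" >&2
        continue
        ;;
    esac
    # Stage a copy rewritten by `openssl x509` instead of the original file.
    openssl x509 -in "$i" -out "$tmppem/${i##*/}"
  else
    # Files without the TRUSTED header get no trust check here and are
    # staged as they are.
    ln -s -- "$i" "$tmppem"
  fi
done

# keystore.jar must read the staged directory, not $cadir. Pointing it at
# $cadir would bypass the serverAuth filter above and could add CAs that
# are not trusted for TLS server authentication to the Java trust store.
if [[ -x "$java" ]]; then
  echo "creating $cafile ..."
  "$java" -jar "$libexecdir/keystore.jar" -keystore "$cafile" -cadir "$tmppem" "$@"
fi
if [[ -x "/usr/bin/gij" ]]; then
  echo "creating $cafile_gcj ..."
  /usr/bin/gij -jar "$libexecdir/keystore.jar" -keystore "$cafile_gcj" -cadir "$tmppem" "$@"
fi

# vim: syntax=sh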