#!/bin/bash
# print fingerprints of new or changed certificates
set -e
cleanup()
{
	rm -rf new{,.files} old{,.files}
}
showcert()
{
	openssl x509 -in "$1" -noout -subject -fingerprint -nameopt multiline,utf8,-esc_msb \
	| sed -ne 's/ *commonName *= /   CN: /p; s/.*Fingerprint=/ sha1: /p'
}
cleanup
trap cleanup EXIT
mkdir old new
cd old
echo old...
VERBOSE=1 ../extractcerts.pl --trustbits < ../.osc/certdata.txt > tmp
sort < tmp > ../old.files
rm -f tmp
cd ..
cd new
echo new...
VERBOSE=1 ../extractcerts.pl --trustbits < ../certdata.txt > tmp
sort < tmp > ../new.files
rm -f tmp
cd ..
echo '----------------------------'
while read line; do
	IFS='#' eval set -- \$line
	old="$1"
	new="$2"
	common="$3"
	if [ -n "$old" ]; then
		echo "! removed: $old"
		showcert old/$old
	elif [ -n "$new" ]; then
		echo "! new: $new"
		showcert new/$new
	elif ! cmp "old/$common" "new/$common"; then
		echo "! diff: $common"
		showcert old/$common
		showcert new/$common
		diff -u old/$common new/$common || true
	fi
done < <(comm --output-delimiter='#' old.files new.files)