#!/bin/bash

set -e

CERTSDIR="${ROOT}/etc/ssl/certs"
CERTBUNDLE="${CERTSDIR}/ca-certificates.crt"
SKIP_REHASH=0

while [[ $# -gt 0 ]]; do
    case "$1" in
        --skip-rehash)
            SKIP_REHASH=1 ;;
        --help|-h|*)
            echo "$0 [--skip-rehash]"
            exit ;;
    esac
    shift
done

if [[ ! -w "${CERTSDIR}" ]]; then
    echo "Error: SSL certificate directory ${CERTSDIR} isn't writable" >&2
    exit 1
fi

if [[ ${SKIP_REHASH} -ne 1 ]]; then
    c_rehash "${CERTSDIR}"
fi

if [[ ! -e "${CERTBUNDLE}" || "${CERTSDIR}" -nt "${CERTBUNDLE}" ]]; then
    echo "Recreating certificate bundle ${CERTBUNDLE}"
    TEMPBUNDLE=$(mktemp "${CERTBUNDLE}.XXXXXXXXXX")
    trap "rm -f '${CERTSDIR}/${TEMPBUNDLE}'" EXIT

    # Use .0 instead of .pem to pull in only what c_rehash validated
    sed --separate '$a\' "${CERTSDIR}"/*.[0-9] >"${TEMPBUNDLE}"

    chmod 644 "${TEMPBUNDLE}"
    mv -f "${TEMPBUNDLE}" "${CERTBUNDLE}"
    trap - EXIT

    # Update the bundle's mtime so future runs know not to regenerate it
    touch --reference="${CERTSDIR}" "${CERTBUNDLE}"
fi
