#!/bin/bash
# postinst for ca-certificates-java: build the Java trust store
# /etc/ssl/certs/java/cacerts from the system CA bundle, honouring the
# administrator's "!" (distrust) entries in /etc/ca-certificates.conf.

set -e

KEYSTORE=/etc/ssl/certs/java/cacerts
# Default JKS password. /etc/default/cacerts may override it; it is sourced
# as shell code, so it must stay root-owned and unreadable by others (see
# the chmod at the end).
storepass='changeit'

if [ -f /etc/default/cacerts ]; then
    . /etc/default/cacerts
fi

setup_path()
{
    # Use the first JVM that ships an executable keytool. If none matches,
    # $jvm is left at the last candidate and keytool fails loudly below.
    for jvm in java-6-openjdk java-6-sun; do
        if [ -x /usr/lib/jvm/$jvm/bin/keytool ]; then
            break
        fi
    done
    export JAVA_HOME=/usr/lib/jvm/$jvm
    PATH=$JAVA_HOME/bin:$PATH
}

first_install()
{
    cacertdir=/usr/share/ca-certificates
    log=$(mktemp)
    # aliases already present in the pregenerated keystore
    pregenerated=$(mktemp)
    # keytool -list prints "alias, date, trustedCertEntry," followed by a
    # "Certificate fingerprint" line; keep the alias of every such pair.
    LANG=C LC_ALL=C keytool -list -keystore $KEYSTORE -storepass "$storepass" \
        | awk -F, '/^Certificate fingerprint/ { print s } { s=$1 } ' \
        | sort > $pregenerated
    # The loop runs in a subshell so that $errors is visible at the end of
    # the pipeline; "exit 1" leaves the subshell with status 1 and set -e
    # then aborts the postinst.
    grep -v -E '^ *$|^#' /etc/ca-certificates.conf | ( \
    errors=0
    while read -r line; do
        pem=${line#!*}
        # keytool alias: basename without .crt, lower-cased, every run of
        # non-[a-z0-9] characters collapsed to one "_", trailing "_" dropped.
        # Two files with the same basename therefore share one alias.
        alias=$(basename "$pem" .crt | tr A-Z a-z | tr -cs a-z0-9 _)
        alias=${alias%*_}
        case "$line" in
            !*)
                # remove a certificate the administrator marked untrusted
                if LANG=C LC_ALL=C keytool -delete -keystore $KEYSTORE \
                    -storepass "$storepass" -alias "$alias" >/dev/null
                then
                    echo " removed untrusted certificate $pem"
                else
                    # not (anymore) in keystore
                    :
                fi;;
            *)
                # add certificate not yet in keystore
                if [ ! -f "$cacertdir/$pem" ]; then
                    echo >&2 "warning: /etc/ca-certificates.conf lists $pem,"
                    echo >&2 "warning: but $cacertdir/$pem does not exist."
                    continue
                fi
                if ! grep -q "^${alias}$" $pregenerated; then
                    if LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
                        -noprompt -storepass "$storepass" \
                        -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
                    then
                        echo " added certificate $pem"
                    # retry through the NSS provider for signature algorithms
                    # the default providers lack; ${java.home} is expanded by
                    # Java, not by the shell, hence the single quotes
                    elif LANG=C LC_ALL=C keytool -importcert -trustcacerts -keystore $KEYSTORE \
                        -providerClass sun.security.pkcs11.SunPKCS11 \
                        -providerArg '${java.home}/lib/security/nss.cfg' \
                        -noprompt -storepass "$storepass" \
                        -alias "$alias" -file "$cacertdir/$pem" > $log 2>&1
                    then
                        echo " added certificate $pem (using NSS provider)"
                    elif grep -q 'Signature not available' $log; then
                        echo " ignored import, signature not available: ${line#+*}"
                        sed -e 's/^/ -> /' $log
                    else
                        echo >&2 " error adding ${line#+*}"
                        errors=$(expr $errors + 1)
                    fi
                fi
        esac
    done
    rm -f $log
    rm -f $pregenerated
    if [ $errors -gt 0 ]; then
        echo >&2 "failed (VM used: $jvm)."
        [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
        exit 1
    fi
    echo "done."
    )
}

case "$1" in
    configure)
        # $2 is the previously installed version; empty means first install
        if [ -z "$2" ]; then
            setup_path
            if ! mountpoint -q /proc; then
                echo >&2 "the keytool command requires a mounted proc fs (/proc)."
                exit 1
            fi
            if [ ! -f /etc/$jvm/jvm.cfg ]; then
                # the jre is not yet configured, but jvm.cfg is needed to run it
                temp_jvm_cfg=/etc/$jvm/jvm.cfg
                mkdir -p /etc/$jvm
                printf -- "-server KNOWN\n" > $temp_jvm_cfg
            fi
            # on first install, start from the pregenerated keystore, remove
            # certs untrusted by the user/administrator and add locally
            # added certs
            echo "creating $KEYSTORE..."
            cp /usr/share/ca-certificates-java/cacerts $KEYSTORE
            first_install
            [ -z "$temp_jvm_cfg" ] || rm -f $temp_jvm_cfg
        fi
        # this file may carry the keystore password: keep it root-only
        chmod 600 /etc/default/cacerts || true
        ;;
    abort-upgrade|abort-remove|abort-deconfigure)
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

#DEBHELPER#

exit 0
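The alias derivation in first_install (basename without .crt, lower-cased, runs of non-alphanumerics collapsed to "_") means that two certificate files with the same basename in different directories of /usr/share/ca-certificates map to the same keytool alias; the second -importcert then fails because the alias already exists, and the postinst counts it as an error. The following is an added example, not part of the ca-certificates-java package: it reproduces the derivation as a shell function and scans a ca-certificates.conf-style listing for such collisions before keytool is ever run. The sample conf lines are constructed, and the function names cert_alias, enabled_aliases, find_collisions and sample_collisions are chosen here.

```shell
#!/bin/bash
# Added example: reproduce the postinst alias derivation and detect alias
# collisions in a ca-certificates.conf-style listing (no keytool needed).
set -e

# Same derivation as the postinst: basename without .crt, lower-cased, every
# run of non-[a-z0-9] characters collapsed to one "_", trailing "_" dropped.
cert_alias() {
    a=$(basename "$1" .crt | tr A-Z a-z | tr -cs a-z0-9 _)
    printf '%s\n' "${a%_}"
}

# Read a conf listing on stdin and print "alias<TAB>path" for every enabled
# entry. Blank lines and comments are skipped as in the postinst; "!" entries
# are deleted by the postinst, never imported, so they cannot collide.
enabled_aliases() {
    grep -v -E '^ *$|^#' | while read -r line; do
        case "$line" in
            !*) ;;
            *)  printf '%s\t%s\n' "$(cert_alias "${line#+}")" "$line" ;;
        esac
    done
}

# Print "alias: path path ..." for every alias that more than one enabled
# certificate maps to; prints nothing when the listing is collision-free.
find_collisions() {
    enabled_aliases | sort | awk -F'\t' '{ n[$1]++; p[$1] = p[$1] " " $2 }
        END { for (a in n) if (n[a] > 1) print a ":" p[a] }' | sort
}

# Constructed sample listing (not a real Debian conf): two different files
# share the basename Example_Root-CA.crt, one entry is distrusted with "!".
SAMPLE_CONF='# constructed sample
mozilla/Example_Root-CA.crt
custom/Example_Root-CA.crt
!mozilla/Distrusted_CA.crt
mozilla/Other.crt
'

sample_collisions() {
    printf '%s' "$SAMPLE_CONF" | find_collisions
}

# Stand-alone run: report the collisions found in the constructed sample.
collisions=$(sample_collisions)
if [ -n "$collisions" ]; then
    printf 'alias collisions (the second file of each would fail to import):\n%s\n' "$collisions"
else
    echo 'no alias collisions'
fi
```

Run find_collisions with the real file as input (`grep -v '^#' /etc/ca-certificates.conf | find_collisions`, under the same assumptions) before adding a locally issued CA under a basename that the Mozilla bundle already uses.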