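#!/bin/sh
# Install every CA certificate that certifi's cacert.pem (at a pinned
# commit) carries but the system bundle does not, then rebuild the
# system bundle with update-ca-certificates.
#
# Required env:  CERTIFI_COMMIT - commit of certifi/python-certifi to
#                fetch cacert.pem from (pinned on purpose; never a branch).
# Needs on PATH: curl, awk, sed, openssl, openssl-cert-auto-pem.sh,
#                update-ca-certificates.
#
# -e: abort on any unhandled failure; -f: no globbing, paths are verbatim.
set -ef

certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
dst_dir=/usr/local/share/ca-certificates
def_bundle='/etc/ssl/certs/ca-certificates.crt'
readonly certifi_uri dst_dir def_bundle

w=$(mktemp -d) ; : "${w:?}"

#######################################
# Remove the work directory and exit.
# Globals:   w (read, then unset)
# Arguments: $1 - exit status (default 0)
#######################################
w_cleanup() {
  if [ -n "${w:-}" ] && [ -d "$w" ] ; then
    # diagnostic listing for failed runs; keep it off stdout
    ls -lA "$w/" >&2
    rm -rf -- "$w"
  fi
  unset w
  exit "${1:-0}"
}
# an early 'set -e' exit (curl, openssl, ...) must not leak $w; the trap
# disarms itself first so the explicit exit inside w_cleanup is final
trap 'rc=$?; trap - EXIT; w_cleanup "$rc"' EXIT

# --fail: an HTTP error body must never be mistaken for a bundle
curl -fsSL "${certifi_uri}" > "$w/certifi.crt"

openssl-cert-auto-pem.sh "${def_bundle}" > "$w/cacert.pem"
openssl-cert-auto-pem.sh "$w/certifi.crt" > "$w/certifi.pem"
[ -s "$w/cacert.pem" ] || w_cleanup 1
[ -s "$w/certifi.pem" ] || w_cleanup 1

#######################################
# Print the line range of every certificate in a PEM bundle.
# Arguments: $1 - PEM file
# Outputs:   one "BEGIN_LINE,END_LINE" per certificate, in file order
#            (directly usable as a sed address: "${range}p")
#######################################
bundle_offsets() {
  awk '
  BEGIN {
    OFS = ","
    m_begin = "-----BEGIN CERTIFICATE-----"
    m_end = "-----END CERTIFICATE-----"
    i_begin = 0
  }
  $0 == m_begin { i_begin = NR }
  $0 == m_end {
    if (i_begin > 0) {
      print i_begin, NR
      i_begin = 0
    }
  }
  ' "$1"
}
bundle_offsets "$w/cacert.pem" > "$w/cacert.off"
bundle_offsets "$w/certifi.pem" > "$w/certifi.off"
[ -s "$w/cacert.off" ] || w_cleanup 1
[ -s "$w/certifi.off" ] || w_cleanup 1

#######################################
# Print "<range><TAB><fingerprint>" for every certificate of a bundle.
# Arguments: $1 - PEM file
#            $2 - offsets file written by bundle_offsets
# Outputs:   one record per certificate openssl could parse. The range
#            travels with the fingerprint so a fingerprint can be mapped
#            back to its certificate without relying on line numbers.
#            Fingerprints are lowercased; SHA-256 is tried first and the
#            openssl default digest is the fallback for old openssl builds.
#######################################
bundle_fingerprints() {
  # 'local' is not POSIX, but dash, busybox and bash all provide it
  local range fp
  while read -r range ; do
    [ -n "$range" ] || continue
    fp=$(
      {
        sed -ne "${range}p" "$1" | openssl x509 -noout -fingerprint -sha256 \
        || sed -ne "${range}p" "$1" | openssl x509 -noout -fingerprint
      } | tr '[:upper:]' '[:lower:]'
    ) || fp=''
    # an unparsable certificate yields no record instead of a blank line
    [ -n "$fp" ] || continue
    printf '%s\t%s\n' "$range" "$fp"
  done < "$2"
}

# The system bundle's fingerprints are only ever used as a lookup set, so
# their order is irrelevant (LC_ALL=C keeps the sort locale-independent).
bundle_fingerprints "$w/cacert.pem" "$w/cacert.off" \
  | cut -f 2 | LC_ALL=C sort -u > "$w/cacert.fp"
# certifi's records keep their range: joining a *sorted* fingerprint list
# to the unsorted offsets file by line number paired fingerprints with
# the wrong certificates, so an "extra" file could hold a different cert
# than its name claims.
bundle_fingerprints "$w/certifi.pem" "$w/certifi.off" > "$w/certifi.rec"
[ -s "$w/cacert.fp" ] || w_cleanup 1
[ -s "$w/certifi.rec" ] || w_cleanup 1

#######################################
# Reduce "sha256 fingerprint=aa:bb:..." on stdin to the filename-safe
# token "aabb..." on stdout.
#######################################
terse_fingerprint() {
  cut -d = -f 2- | tr -cd '[:alnum:]'
}

# Every certifi certificate whose fingerprint is absent from the system
# bundle is written to $dst_dir under a fingerprint-derived name.
# 'openssl x509' re-emits the PEM so only the certificate itself (no
# surrounding text) is installed; it is staged under $w first so a failed
# run cannot leave a truncated file in $dst_dir.
mkdir "$w/extras"
tab=$(printf '\t')
while IFS="$tab" read -r range fp ; do
  [ -n "$range" ] && [ -n "$fp" ] || continue
  # grep -q inside a condition: a non-match does not trip 'set -e'
  if grep -Fxq -- "$fp" "$w/cacert.fp" ; then continue ; fi
  name=$(printf '%s\n' "$fp" | terse_fingerprint)
  # never produce "certifi-.crt" from a malformed fingerprint line
  [ -n "$name" ] || w_cleanup 1
  sed -ne "${range}p" "$w/certifi.pem" \
    | openssl x509 > "$w/extras/certifi-${name}.crt"
  mv -f -- "$w/extras/certifi-${name}.crt" "${dst_dir}/certifi-${name}.crt"
done < "$w/certifi.rec"

# the work dir is gone and the trap disarmed before exec replaces this shell
rm -rf -- "$w" ; unset w
trap - EXIT
exec update-ca-certificates --fresh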