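#!/bin/sh
# SPDX-License-Identifier: Apache-2.0
# (c) 2024, Konstantin Demin
#
# Refresh the OCSP response for a certificate unless the one already on
# disk is verifiable and not about to expire.
#
# Usage: <this script> <chain> <cert> <ocsp>
#   chain  issuer certificate (chain) used to verify the stored response
#   cert   end-entity certificate the response is about
#   ocsp   DER-encoded OCSP response; may not exist yet
#
# Exit status:
#   whatever `openssl-ocsp` returns when a refresh is executed (exec'd)
#   1  the stored response is valid and fresh, nothing was done
#   1  usage error (0 when invoked without arguments)
#
# Portability: relies on GNU extensions (`date -d`, `sed -E` with `\s`,
# coreutils `printf %q`), so this is not strictly POSIX sh despite the
# shebang.

set -ef

# Refresh when the stored response's nextUpdate is this many seconds (or
# fewer) away.
ocsp_valid_threshold=86400

# Print usage to stderr and exit with $1 (default 0).
usage() {
	cat >&2 <<-EOF
	# usage: ${0##*/} <chain> <cert> <ocsp>
	EOF
	exit "${1:-0}"
}

[ $# != 0 ] || usage

# chain and cert must exist and be non-empty; ocsp only needs a name,
# because the refresh creates it when it does not exist yet.
arg_ok=
while : ; do
	[ -n "$1" ] || break
	[ -s "$1" ] || break
	[ -n "$2" ] || break
	[ -s "$2" ] || break
	[ -n "$3" ] || break
	arg_ok=1
break ; done
[ -n "${arg_ok}" ] || usage 1
unset arg_ok

chain="$1"
cert="$2"
ocsp="$3"

# Parse and verify the stored OCSP response $3 for certificate $2 against
# issuer $1, printing the textual dump on stdout. The caller relies on
# `openssl ocsp` exiting non-zero when the response cannot be parsed or
# its signature does not verify.
ossl_ocsp_read() {
	openssl ocsp \
	  -issuer "$1" -cert "$2" -respin "$3" -resp_text
}

# Extract the first "Next Update:" value from an `openssl ocsp -resp_text`
# dump on stdin. Prints nothing when the response carries no nextUpdate.
ossl_ocsp_next_update() {
	sed -En '/^\s*[Nn]ext [Uu]pdate:\s*(\S.+\S)\s*$/{s//\1/;p;q}'
}

# Decide whether the stored response needs refreshing. Every failure along
# the way (missing file, verify failure, missing or unparseable nextUpdate)
# leaves need_update=1: the safe default is to fetch a new response.
need_update=1
while : ; do
	[ -s "${ocsp}" ] || break

	# Signature/parse check; an unverifiable response is treated as stale.
	ossl_ocsp_read "${chain}" "${cert}" "${ocsp}" >/dev/null || break

	# NOTE: this previously read "${ocsp}.new", a file that is never
	# verified above and normally absent, which made the freshness check
	# effectively always fail; the check belongs to the response just
	# verified.
	next_update=$(ossl_ocsp_read "${chain}" "${cert}" "${ocsp}" 2>/dev/null | ossl_ocsp_next_update)
	# nextUpdate is optional in OCSP; without it there is nothing to trust.
	# (GNU `date -d ''` would silently yield today's midnight otherwise.)
	[ -n "${next_update}" ] || break

	ts_now=$(date '+%s')
	# An unparseable timestamp must not abort the script under `set -e`;
	# treat it as stale instead.
	ts_next=$(date -d "${next_update}" '+%s' 2>/dev/null) || break
	ts_diff=$((ts_next - ts_now))
	[ ${ts_diff} -le ${ocsp_valid_threshold} ] || need_update=0

	unset next_update ts_now ts_next ts_diff
break ; done

if [ ${need_update} = 0 ] ; then
	# Only signature validity and freshness are checked here: a verified
	# response with status "revoked" that is still within its validity
	# window also counts as fresh.
	# `env printf` forces the coreutils binary, whose %q shell-quotes the
	# path; the shell builtin may not support %q.
	env printf '%s: %q has valid and fresh OCSP response\n' "${0##*/}" "${cert}" >&2
	exit 1
fi

exec openssl-ocsp "${chain}" "${cert}" "${ocsp}"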