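#!/bin/sh
### Amfora ###
# https://github.com/makeworld-the-better-one/amfora
#
# Builds the Amfora TOFU trust store ("tofu.toml", written next to this script)
# from the PEM certificates in ../certs, which are named "<host>:<port>.pem".
#
# Requires: openssl, idn, expr, mktemp and GNU date (-d / --utc).
#
## Trust store format ##
# The file "~/.cache/amfora/tofu.toml" is used.
# It contains 2 lines for each host:port:
# 1. "example/org:port" = "spki:sha256:uppercase" -> certificate public key (SPKI) fingerprint
# 2. "example/org/expiry:port" = expiry date
# Dots in the hostname are converted to slashes.
# IDNs are converted to punycode.
# The ":port" suffix is omitted for the default Gemini port 1965.
#
## Example ##
# $ cat ~/.cache/amfora/tofu.toml
# "gemini/circumlunar/space" = "1A03A15619200DB4496494EC90381C1FE8BD9E0142260F6D8A3D962ED3CFC72F"
# "gemini/circumlunar/space/expiry" = 2025-10-03T13:50:37Z

set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace  # for debugging

# Print a message to stderr and abort. Aborting (rather than skipping) keeps a
# broken input from silently dropping a pin out of the trust store.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

timestamp_start=$(date +%s)

# Go where this script is.
cd "$(dirname "$0")" || exit

trust_store="tofu.toml"

# Build the new store in a temporary file and move it into place only once
# every certificate has been processed: a partially written tofu.toml would
# leave hosts unpinned, so TOFU would accept whatever certificate they present.
tmp_store=$(mktemp "$trust_store.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp_store"' EXIT

# Add the "cert_is_not_within_expiry_boundaries" function.
# NOTE(review): it presumably reads the PEM text from "$cert", set below — confirm.
. ../expiry-boundaries.sh

for cert_file in ../certs/*; do
  # An unmatched glob leaves the literal pattern behind; nothing to do then.
  [ -e "$cert_file" ] || continue
  cert=$(cat "$cert_file")
  if cert_is_not_within_expiry_boundaries; then
    printf 'excluded: %s\n' "$cert_file" >&2
    continue
  fi

  # "<host>:<port>.pem" -> host and port. expr exits non-zero on no match;
  # a file name that does not fit is an error with a message, not a silent
  # abort (the plain assignment would trip errexit without saying why).
  host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$') \
    || die "unexpected certificate file name: $cert_file"
  port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$') \
    || die "unexpected certificate file name: $cert_file"
  # Hostname to punycode.
  host=$(printf '%s\n' "$host" | idn --allow-unassigned)
  # Replace dots with slashes.
  host=$(printf '%s\n' "$host" | tr . /)
  # Append port if not default
  if [ "$port" = 1965 ]; then
    port_string=''
  else
    port_string=":$port"
  fi

  # Certificate public key (SPKI) fingerprint: SHA-256 of the DER-encoded
  # SubjectPublicKeyInfo, as uppercase hex. The pipeline's exit status is
  # that of tr, so an openssl failure would otherwise produce an empty
  # fingerprint that ends up in the store; validate the shape instead.
  fingerprint=$(printf '%s\n' "$cert" \
    | openssl x509 -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 \
    | cut -d ' ' -f 2 \
    | tr '[:lower:]' '[:upper:]')
  case "$fingerprint" in
    *[!0-9A-F]* | '') die "could not compute SPKI fingerprint for $cert_file" ;;
  esac
  [ "${#fingerprint}" -eq 64 ] || die "unexpected fingerprint length for $cert_file"
  # Values go through %s, never into the format string.
  line1=$(printf '"%s%s" = "%s"' "$host" "$port_string" "$fingerprint")

  # Expiry date as UTC ISO 8601. An empty value must be rejected before it
  # reaches date(1): GNU 'date -d ""' succeeds and yields today's date.
  enddate=$(printf '%s\n' "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
  [ -n "$enddate" ] || die "could not read expiry date from $cert_file"
  enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc)
  line2=$(printf '"%s/expiry%s" = %s' "$host" "$port_string" "$enddate")

  printf '%s\n%s\n' "$line1" "$line2" >> "$tmp_store"
done

# Replace the old trust store in one step.
mv -f -- "$tmp_store" "$trust_store"
trap - EXIT

timestamp_end=$(date +%s)
exec_time=$((timestamp_end - timestamp_start))
exec_time_formatted=$(date -d "@$exec_time" --utc "+%H:%M:%S")
printf 'OK (duration: %s)\n' "$exec_time_formatted"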