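#!/bin/sh
### Lagrange ###
# https://gmi.skyjake.fi/lagrange/
#
## Trust store format ##
# The file "~/.config/lagrange/trusted.2.txt" is used on GNU/Linux and BSD.
# For other platforms, see https://github.com/skyjake/lagrange#user-files
# This file contains one line for each host:
#   example.org;port expiry_timestamp pubkey:sha256
# IDNs are converted to punycode.
#
## Example ##
# $ cat ~/.config/lagrange/trusted.2.txt
# gemini.circumlunar.space;1965 1759495837 5b4086d6914231f55828c815faae1f10e28b8bd42af6a1e286a711e9b7d78326
#
# Prior to v1.6.0 (2021-07-26), the file "~/.config/lagrange/trusted.txt"
# was used, with entries in this format:
#   example.org expiry_timestamp cert:sha256
#
## Inputs ##
# ../certs/<host>:<port>.pem  one PEM certificate per Gemini host
# ../expiry-boundaries.sh     defines cert_is_not_within_expiry_boundaries,
#                             which reads the PEM text from $cert
#
## Outputs ##
# ./trusted.txt and ./trusted.2.txt, regenerated from scratch. They are built
# in a temporary directory and moved into place only after every certificate
# has been processed, so an aborted run never leaves a half-written store.

set -o errexit  # (-e) exit immediately if any command has a non-zero exit status
set -o nounset  # (-u) don't accept undefined variables
#set -o xtrace  # for debugging
# "pipefail" is not available in every /bin/sh, so below every openssl step
# that can fail is run on its own (file in, file out) rather than as the first
# stage of a pipeline, where its failure would be masked by "cut"/"sha256sum".

timestamp_start=$(date +%s)

# Go where this script is.
cd "$(dirname "$0")" || exit

trust_store1="trusted.txt"
trust_store2="trusted.2.txt"  # since v1.6.0 (2021-07-26)

# Scratch directory next to the stores (same filesystem, so the final mv is
# an atomic rename). Removed on any exit path.
work_dir=$(mktemp -d ./lagrange-trust.XXXXXX)
trap 'rm -rf -- "${work_dir:?}"' EXIT

# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh

for cert_file in ../certs/*; do
    cert=$(cat "$cert_file")

    if cert_is_not_within_expiry_boundaries; then
        printf 'excluded: %s\n' "$cert_file" >&2
        continue
    fi

    # Certificate files are named "<host>:<port>.pem". "expr" prints nothing
    # and returns 1 when the name does not match, which under errexit would
    # abort the run without a hint; "|| true" keeps the empty result so it can
    # be reported explicitly.
    host=$(expr "$cert_file" : '^../certs\/\(.*\)\:[0-9]*\.pem$' || true)
    port=$(expr "$cert_file" : '^../certs\/.*\:\([0-9]*\)\.pem$' || true)
    if [ -z "$host" ] || [ -z "$port" ]; then
        printf 'error: expected ../certs/<host>:<port>.pem, got %s\n' "$cert_file" >&2
        exit 1
    fi

    # Hostname to punycode. The pipeline's status is idn's, so a missing or
    # failing idn aborts the run under errexit.
    # NOTE(review): GNU idn applies IDNA2003 mapping; confirm it agrees with
    # the mapping Lagrange itself applies to non-ASCII hosts.
    host=$(printf '%s\n' "$host" | idn --allow-unassigned)

    # Expiry date as UTC epoch seconds. A certificate openssl cannot parse
    # aborts here; previously the failure was hidden behind "| cut" and GNU
    # "date -d ''" quietly turned the empty string into today's midnight.
    enddate=$(openssl x509 -enddate -noout -in "$cert_file")
    enddate=${enddate#*=}  # "notAfter=<date>" -> "<date>"
    enddate=$(date -d "$enddate" +%s --utc)

    # Certificate fingerprint: SHA-256 over the DER encoding.
    openssl x509 -in "$cert_file" -outform der -out "$work_dir/cert.der"
    cert_fingerprint=$(sha256sum "$work_dir/cert.der" | cut -d ' ' -f 1)

    # Public key (SPKI) fingerprint: SHA-256 over the DER-encoded
    # SubjectPublicKeyInfo. Written via files so that an unsupported key type
    # fails loudly instead of hashing empty input.
    openssl x509 -in "$cert_file" -pubkey -noout -out "$work_dir/pubkey.pem"
    openssl pkey -pubin -in "$work_dir/pubkey.pem" -outform der -out "$work_dir/spki.der"
    pubkey_fingerprint=$(sha256sum "$work_dir/spki.der" | cut -d ' ' -f 1)

    printf '%s %s %s\n' "$host" "$enddate" "$cert_fingerprint" \
        >> "$work_dir/$trust_store1"
    printf '%s;%s %s %s\n' "$host" "$port" "$enddate" "$pubkey_fingerprint" \
        >> "$work_dir/$trust_store2"
done

# Publish the new stores. A run in which every certificate was excluded
# produces no store at all (the previous one is removed), as before; an
# aborted run never reaches this point and leaves the previous stores intact.
for store in "$trust_store1" "$trust_store2"; do
    if [ -f "$work_dir/$store" ]; then
        mv -f -- "$work_dir/$store" "$store"
    else
        rm -f -- "$store"
    fi
done

timestamp_end=$(date +%s)
exec_time=$((timestamp_end - timestamp_start))
exec_time_formatted=$(date -d "@$exec_time" --utc "+%H:%M:%S")
printf 'OK (duration: %s)\n' "$exec_time_formatted"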