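#!/bin/sh

# This file is included in every trust store generator script.
#
# It defines a function which checks if the expiry date of a
# certificate is within the specified boundaries.
#
# Boundaries can be specified like this:
#
#   ./generate.sh          # all certs
#   ./generate.sh 90+      # certs that will expire in more than 90 days from now
#   ./generate.sh 30-      # certs that have expired more than 30 days ago
#   ./generate.sh 30- 90+  # both of the above; so certs are excluded if:
#                          #
#                          #   {30 days ago} < cert_expiry < {90 days from now}
#
# The day count is always read as decimal ("08+" means 8 days) and a bare
# "+" or "-" counts as 0 days. Arguments of any other shape are ignored, so
# a mistyped boundary (for example "90" without a sign) applies no filter
# at all and every cert is kept.

# Get the provided boundaries, if any.
minus_timestamp=''
plus_timestamp=''
now=$(date +%s)

#######################################
# Sets minus_timestamp / plus_timestamp from arguments shaped "N-" / "N+".
# Globals:   now (read); minus_timestamp, plus_timestamp (written).
#            arg, sign, days, minus_days, plus_days are also left set,
#            because POSIX sh has no `local`.
# Arguments: the generator's command-line arguments.
#######################################
_parse_expiry_boundaries() {
  for arg in "$@"; do
    case $arg in
      *-) sign='-' ;;
      *+) sign='+' ;;
      *) continue ;;
    esac

    # Everything before the sign must be digits, otherwise it is not a boundary.
    days=${arg%?}
    case $days in
      *[!0-9]*) continue ;;
    esac

    # Strip leading zeros: shell arithmetic reads a leading 0 as octal, so
    # "010" would silently mean 8 days and "08" would be a syntax error.
    days=${days#"${days%%[!0]*}"}
    days=${days:-0}

    if [ "$sign" = '-' ]; then
      minus_days=$days
      minus_timestamp=$((now - minus_days * 86400))
    else
      plus_days=$days
      plus_timestamp=$((now + plus_days * 86400))
    fi
  done
}
_parse_expiry_boundaries "$@"

#######################################
# Tells the generator whether the current cert must be left out.
# Globals:   cert (read; certificate text piped to `openssl x509`),
#            minus_timestamp, plus_timestamp (read).
# Returns:   0 if the cert is to be excluded, 1 if it is kept.
# The body is a subshell, so cert_exp does not leak into the caller.
#######################################
cert_is_not_within_expiry_boundaries() (
  # If `return 0`, cert will be excluded.

  if [ -z "$minus_timestamp" ] && [ -z "$plus_timestamp" ]; then
    # No boundaries were specified.
    return 1 # false
  fi

  # Get expiration date from certificate.
  cert_exp=$(printf '%s\n' "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
  if [ -z "$cert_exp" ]; then
    # openssl could not read the cert. GNU `date -d ''` would still succeed
    # and return a time on the current day, so the cert would be filtered
    # by a date it never had. Exclude it instead.
    printf '%s\n' 'cert_is_not_within_expiry_boundaries: cannot read expiry date, excluding cert' >&2
    return 0 # true
  fi

  # Convert it to Unix timestamp (`date -d` is not POSIX; GNU and BusyBox have it).
  if ! cert_exp=$(date -d "$cert_exp" +%s) || [ -z "$cert_exp" ]; then
    printf '%s\n' 'cert_is_not_within_expiry_boundaries: cannot convert expiry date, excluding cert' >&2
    return 0 # true
  fi

  if [ -n "$minus_timestamp" ] && [ "$cert_exp" -lt "$minus_timestamp" ]; then
    # $cert_exp < $minus_timestamp, so the cert is within boundaries.
    return 1 # false
  elif [ -n "$plus_timestamp" ] && [ "$cert_exp" -gt "$plus_timestamp" ]; then
    # $cert_exp > $plus_timestamp, so the cert is within boundaries.
    return 1 # false
  fi

  # Certs are excluded if:
  #   $minus_timestamp < $cert_exp < $plus_timestamp
  return 0 # true
)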