#!/bin/sh

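# Regenerate the extracted CA trust bundles with p11-kit and (re)create the
# compatibility symlinks that point at them.
#
# Writes below /opt/freeware/etc/ssl/certs and /var/ssl, so it presumably has
# to run with enough privilege to modify both trees.
#
# Exit status: 0 when every extraction and link step succeeded, 1 otherwise.
# A failed step is reported on stderr and the remaining steps still run, so
# one broken output format does not block the others.

DEST=/opt/freeware/etc/ssl/certs/extracted
CERTS=/opt/freeware/etc/ssl/certs
P11_KIT=/opt/freeware/bin/p11-kit
status=0

# Run "p11-kit extract" with the given arguments; report and record a failure
# instead of silently continuing with a stale or missing bundle.
extract_bundle() {
    "$P11_KIT" extract "$@" && return 0
    printf '%s\n' "p11-kit extract failed: $*" >&2
    status=1
    return 1
}

# Create or replace the symbolic link $2 pointing at $1; report and record a
# failure.
make_link() {
    ln -sf "$1" "$2" && return 0
    printf '%s\n' "cannot create link $2 -> $1" >&2
    status=1
    return 1
}

# Prevent p11-kit from reading user configuration files, so the system-wide
# bundles are built from the system configuration only.
export P11_KIT_NO_USER_CONFIG=1

# Avoid using the RPM version of libintl - /usr/opt/rpm/lib/libintl.a
# slibclean is run best-effort (its status is deliberately not checked);
# LIBPATH then puts /opt/freeware/lib first in the library search path.
/usr/sbin/slibclean
export LIBPATH=/opt/freeware/lib:/usr/lib:/lib

# OpenSSL PEM format bundle includes certificates with trust flag, i.e.
# (BEGIN TRUSTED CERTIFICATE)
extract_bundle --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"

# TLS, email and signature PEM format bundles
extract_bundle --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
extract_bundle --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
extract_bundle --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"

# Java format bundle
extract_bundle --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"

# EDK2 format bundle
# /opt/freeware/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

# Create links
# /opt/freeware/etc/ssl/certs/ca-bundle.crt can be used by older software, like GO.
# Do not change it as far as possible.
#
# "ln -sf" replaces whatever is at the link path, including a regular file
# such as an existing /var/ssl/cert.pem. Only repoint the links when the
# bundle they lead to exists, so a failed first extraction cannot swap a
# working certificate file for a dangling link.
if test -f "$DEST/pem/tls-ca-bundle.pem" ; then
    make_link "$DEST/pem/tls-ca-bundle.pem" "$CERTS/ca-bundle.crt"
    make_link "$CERTS/ca-bundle.crt"        /var/ssl/cert.pem
    make_link /var/ssl/cert.pem             /var/ssl/64/cert.pem
else
    printf '%s\n' "$DEST/pem/tls-ca-bundle.pem is missing; leaving ca-bundle.crt and /var/ssl/cert.pem untouched" >&2
    status=1
fi

if test -f "$DEST/openssl/ca-bundle.trust.crt" ; then
    make_link "$DEST/openssl/ca-bundle.trust.crt" "$CERTS/ca-bundle.trust.crt"
else
    printf '%s\n' "$DEST/openssl/ca-bundle.trust.crt is missing; leaving ca-bundle.trust.crt untouched" >&2
    status=1
fi

# A real /var/ssl/certs directory (not a symlink) is set aside before the
# link is created, so its contents are kept rather than discarded.
if test -d /var/ssl/certs && ! test -h /var/ssl/certs ; then
    echo "/var/ssl/certs exists. Save it as /var/ssl/certs.orig."
    if ! mv /var/ssl/certs /var/ssl/certs.orig ; then
        printf '%s\n' "cannot move /var/ssl/certs to /var/ssl/certs.orig" >&2
        status=1
    fi
fi
# The target is given as the directory /var/ssl/ (trailing slash) so the link
# is created as /var/ssl/certs even when that name is already a symlink to a
# directory.
make_link "$CERTS" /var/ssl/

exit "$status"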

