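#!/bin/bash
##############################################################
#
# This script updates all CRL files of the PKI used by the
# URZ. These are:
#
#   UniHGW (own CA)
#   Harica
#   Sectigo
#
# Every CRL is downloaded into a private scratch directory,
# its signature is verified against the local trust store
# ($PATHSSL) and its nextUpdate is checked before the file
# replaces the one in $PATHCRL and is linked into $PATHSSL.
#
# Diagnostics go to stdout/stderr and to the journal.
#
# Exit status: 0 if every CRL was updated, 1 if at least one
# CRL could not be installed, 2 on a fatal setup/rehash error.
#
##############################################################

# -e is deliberately not set: every step that matters is checked
# explicitly below, and one bad CRL must not abort the whole run.
set -u -o pipefail

###########################################################
# Global systemd/journald Functions
###########################################################

# Journal identifier: the script name without its .sh suffix.
TAG=$(basename "$0" .sh)
readonly TAG

#######################################
# Send a message to the journal.
# Arguments: $1 - systemd-cat priority (info, warning, err)
#            $2 - message text
#######################################
function _journal {
  printf '%s\n' "$2" | systemd-cat -p "$1" -t "$TAG"
}

# INFO MESSAGE — print to stdout and log with priority info.
function INFO {
  printf '%s\n' "$1"
  _journal info "$1"
}

# WARNING MESSAGE — print to stderr and log with priority warning.
function WARNING {
  printf 'WARNING: %s\n' "$1" >&2
  _journal warning "$1"
}

# ERROR MESSAGE — print to stderr and log with priority err.
function ERROR {
  printf 'ERROR: %s\n' "$1" >&2
  _journal err "$1"
}

###########################################################

readonly PATHCRL=/etc/ssl/crl
readonly PATHSSL=/etc/ssl/certs
readonly LASTRUN=/var/lib/runtime/$TAG.lastrun
readonly BASEURL=https://cacher.rz.uni-greifswald.de

# CRLs to fetch (file name without .pem). The GEANT CRLs are not
# fetched on trixie.
CRLS=(UniHGW-CRL-2032 GEANT-RSA-CRL GEANT-ECC-CRL HARICA-RSA-CA-CRL HARICA-ECC-CA-CRL
      HARICA-RSA-CRL-2021 HARICA-ECC-CRL-2021 HARICA-RSA-CRL-2025 HARICA-ECC-CRL-2025)
if [[ $(lsb_release -sc 2>/dev/null) == "trixie" ]]; then
  CRLS=(UniHGW-CRL-2032 HARICA-RSA-CA-CRL HARICA-ECC-CA-CRL
        HARICA-RSA-CRL-2021 HARICA-ECC-CRL-2021 HARICA-RSA-CRL-2025 HARICA-ECC-CRL-2025)
fi

# Private scratch directory for downloads; created in main, removed on exit.
WORKDIR=

#######################################
# Download, verify and install one CRL.
# Globals:   PATHCRL, PATHSSL, BASEURL, WORKDIR (read)
# Arguments: $1 - CRL name (file name without .pem)
# Outputs:   diagnostics via INFO/ERROR
# Returns:   0 on success, 1 if the CRL was not installed
#######################################
function update_crl {
  local crl=$1
  local tmpfile=$WORKDIR/$crl.pem
  local target=$PATHCRL/$crl.pem
  local link=$PATHSSL/$crl.pem
  local next_update= valid_until=

  # Download CRL. --https-only: a redirect to plain http is not followed.
  # A failed download is left in $WORKDIR and removed by the EXIT trap.
  if ! /usr/bin/timeout 5s wget -q --https-only -O "$tmpfile" "$BASEURL/$crl.pem"; then
    ERROR "Could not download $crl!"
    return 1
  fi

  # Verify CRL: with -CApath openssl checks the CRL signature against
  # the issuing CA in the local trust store.
  if ! /usr/bin/openssl crl -CApath "$PATHSSL" -in "$tmpfile" -noout > /dev/null 2>&1; then
    ERROR "Could not verify $crl against $PATHSSL!"
    return 1
  fi

  # Check CRL validity: nextUpdate must still lie in the future.
  if ! next_update=$(openssl crl -in "$tmpfile" -nextupdate -noout 2>/dev/null); then
    ERROR "Could not read nextUpdate of $crl!"
    return 1
  fi
  next_update=${next_update#nextUpdate=}
  # Do not let an unparsable date slip through as 0 in the comparison below.
  if ! valid_until=$(date -d "$next_update" +%s 2>/dev/null) || [[ -z $valid_until ]]; then
    ERROR "Could not parse nextUpdate of $crl!"
    return 1
  fi
  if (( valid_until < $(date +%s) )); then
    ERROR "$crl is invalid!"
    return 1
  fi

  # Move CRL to final destination path
  if ! mv -f -- "$tmpfile" "$target"; then
    ERROR "Could not move CRL to $PATHCRL!"
    return 1
  fi

  # Link CRL into the trust store directory if no link exists yet.
  # The just-installed, verified CRL is kept in place on failure: removing
  # it would leave no CRL at all, and removing $link could delete an
  # unrelated regular file of the same name.
  if [[ ! -L $link ]] && ! ln -s -- "$target" "$link"; then
    ERROR "Could not create CRL link to $PATHSSL!"
    return 1
  fi

  INFO "$crl successfully updated"
  return 0
}

#######################################
# Entry point: install every CRL in CRLS, rehash the trust store and
# record the last fully successful run.
# Globals:   PATHCRL, PATHSSL, LASTRUN, CRLS (read), WORKDIR (written)
# Returns:   exits 0 on full success, 1 if any CRL failed, 2 on fatal error
#######################################
function main {
  local err=0
  local crl

  # Create directory if not exists
  if [[ ! -d $PATHCRL ]] && ! mkdir -p -- "$PATHCRL"; then
    ERROR "Could not create $PATHCRL!"
    exit 2
  fi

  # Downloads go to a fresh mktemp directory rather than a predictable
  # /tmp/<name>.pem: a fixed path in a world-writable directory could be
  # pre-created (e.g. as a symlink) by another local user before mv
  # installs it into $PATHCRL.
  if ! WORKDIR=$(mktemp -d); then
    ERROR "Could not create temporary directory!"
    exit 2
  fi
  trap 'rm -rf -- "$WORKDIR"' EXIT

  for crl in "${CRLS[@]}"; do
    update_crl "$crl" || err=1
  done

  # Rehash so the new CRLs are reachable through their hash links
  if /usr/bin/c_rehash -n "$PATHSSL" > /dev/null 2>&1; then
    INFO "Rehash successful"
  else
    ERROR "Could not rehash $PATHSSL!"
    exit 2
  fi

  # Set runtime information only after a run without any failed CRL
  if (( err == 0 )); then
    if ! date +%s > "$LASTRUN"; then
      WARNING "Could not write $LASTRUN!"
    fi
  fi

  # A non-zero status lets the calling timer/cron job notice partial failures.
  exit "$err"
}

main "$@"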