#!/QOpenSys/usr/bin/ksh

# Attribution: Kevin Adler 

set -e

export LC_ALL=C LANG=C

OPENSSL=$(which openssl 2> /dev/null)

if [ "$OPENSSL" = "" ]
then
  echo "openssl not found"
  exit 1
elif [ "$OPENSSL" = '/QOpenSys/usr/bin/openssl' ]
then
  case $(uname -v)$(uname -r) in
    [1-6]*) echo "Sorry, these releases are not supported"; exit 1 ;;
    
    71) CERTDIR=/QOpenSys/QIBM/ProdData/SC1/OpenSSL/openssl-0.9.8j/certs ;;
    *)  CERTDIR=/QOpenSys/QIBM/ProdData/SC1/OpenSSL/certs ;;
  esac
else 
  CERTDIR=/QOpenSys/etc/ssl/certs
fi

if which curl > /dev/null 2>&1
then
  CURL='curl --insecure --silent --location'
elif which wget > /dev/null 2>&1
then
  CURL='wget --no-check-certificate -qO-'
else
  echo "You need to install either curl or wget. Perhaps they're just not in your PATH?"
  exit 1
fi

# Create a directory to hold certificates
if [ "$CERTTMP" = "" ]
then
  CERTTMP=/tmp/certs.$$
  rm -r $CERTTMP > /dev/null 2>&1 || :
  mkdir -p $CERTTMP
  CLEANUP=Y
fi

# GitHub and BitBucket uses DigiCert certificates
for cert in DigiCertHighAssuranceEVRootCA DigiCertSHA2ExtendedValidationServerCA
do
  $CURL https://www.digicert.com/CACerts/$cert.crt | openssl x509 -inform der -out $CERTTMP/$cert.pem
done

# GitLab uses Comodo certificates
$CURL "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/970/821027" > $CERTTMP/comodorsadomainvalidationsecureserverca.crt
$CURL "https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/969/821026" > $CERTTMP/comodorsacertificationauthority.crt

# Let's Encrypt certificates
for cert in isrgrootx1 letsencryptauthorityx3
do
  $CURL https://letsencrypt.org/certs/$cert.pem.txt > $CERTTMP/$cert.pem
done

c_rehash $CERTTMP

/QOpenSys/usr/bin/cp -h $CERTTMP/* $CERTDIR

# Clean up if necessary
if [ "CLEANUP" = "Y" ]
then
  rm -r $CERTTMP
fi