#!/bin/bash

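# Work in a private scratch directory.  Abort if it cannot be created or
# entered: the clean-up steps later in this script (rm -f *.p7b, *.cer,
# *.crt) would otherwise run in whatever directory it was started from.
TEMPDIR=$(mktemp -d) || { echo "error: mktemp -d failed" >&2; exit 1; }
pushd "${TEMPDIR}" > /dev/null 2>&1 \
  || { echo "error: cannot enter ${TEMPDIR}" >&2; rm -rf -- "${TEMPDIR}"; exit 1; }
# Remove the scratch directory on every exit path, not only on the happy
# path at the end of the script (a second rm of an absent directory is harmless).
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT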

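#######################################
# Derive a PKCS#11 / make-ca alias for a certificate from its Subject.
# Globals:   p11label (written) - the label; "" if no CN, OU or O was found
# Arguments: $1 - path to an individual NSS certificate extracted from
#            certdata.txt, or an x509 certificate in OpenSSL text form
#            (anything whose first "Subject:" line carries the DN)
# Outputs:   nothing
#######################################
get_p11_label() {
  local certfile=$1
  local subjectline

  # Subject line of the first certificate, with "key = value" tightened to
  # "key=value", parentheses turned into " - " and backslashes into "-".
  # The subject is untrusted data taken from a downloaded certificate, so it
  # is quoted everywhere below: an unquoted expansion would be glob-expanded
  # against the working directory (a CN such as "*.example.gov" would match
  # the .crt files lying there) and word-split on the way.
  subjectline=$(grep -m1 "Subject:" "${certfile}" | sed -e 's@\s*=\s*@=@g' \
                     -e "s@(@ - @g" -e "s@)@ - @g" -e 's@\\@-@g' )

  # Preferred label: the CN.  "cut -f 2" stops at the next "=", so when
  # another RDN follows, the value ends in ", KEY"; the trailing [A-Z]* and
  # ", " strips remove exactly that tail.  (A value that itself ends in
  # capitals, e.g. "... Root CA", loses them too - long-standing behaviour,
  # kept as is so aliases stay stable.)
  p11label="$(grep -o "CN=.*$" <<<"${subjectline}" | cut -d '=' -f 2 | \
              sed -e 's@[A-Z]*$@@g' -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"

  # No CN, or the GlobalSign roots whose CN is just "GlobalSign": fall back
  # to the last OU value (the sed collapses "OU=a, OU=b" to "OU=b").
  if [[ -z "${p11label}" || "${p11label}" == "GlobalSign" ]]; then
      p11label="$(grep -o "OU=.*$" <<<"${subjectline}" | \
                  sed 's@OU=.*, OU=@OU=@g' | cut -d '=' -f 2 | \
                  sed -e 's@[A-Z]*$@@' -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"

      # Last resort: the O value.
      if [[ -z "${p11label}" ]]; then
          p11label="$(grep -o "O=.*$" <<<"${subjectline}" | \
                      cut -d '=' -f 2 | sed -e 's@[A-Z]*$@@g' \
                      -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"
      fi
  fi
}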

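# Get this list:
#
# NOTE(review): nothing below checks the integrity of what is downloaded.
# repo.fpki.gov is fetched over plain HTTP, and for the HTTPS sources TLS
# only proves who served the file, not that it is the bundle the PKI
# operator published.  Every certificate fetched here ends up as a trust
# anchor on this host (see the -addtrust step further down), so compare the
# resulting certificates against the SHA-256 fingerprints the FPKI and DoD
# PKE programs publish before relying on them.  militarycac.com in
# particular is a third-party mirror, not a DoD site; the official DoD PKE
# bundle fetched below presumably carries the same roots - confirm and drop
# the mirror if so.

# Download one URL into the current directory or abort the run: a missing
# bundle must not silently turn into a trust store with holes in it.
fetch() {
  wget -4 "$1" || { echo "error: download failed: $1" >&2; exit 1; }
}

# Unpack a DoD PKE zip, keep its DER PKCS#7 bundles and drop the rest.  The
# version in the directory name (v5.8, v5.6, ...) moves with every release,
# so it is globbed rather than hard-coded; a release that changes the layout
# is reported instead of quietly contributing no certificates.
unpack_pke_zip() {
  local zipfile=$1 dir found=0
  unzip "${zipfile}" || { echo "error: cannot unpack ${zipfile}" >&2; exit 1; }
  for dir in Certificates_PKCS7_*/; do
    [[ -d "${dir}" ]] || continue
    cp "${dir}"*.der.p7b . && found=1
    rm -rf -- "${dir}"
  done
  (( found )) || { echo "error: no *.der.p7b found in ${zipfile}" >&2; exit 1; }
  rm -f -- "${zipfile}"
}

# Federal Common Policy CA G2 (FPKI)
fetch http://repo.fpki.gov/fcpca/fcpcag2.crt

# Old U.S. Treasury Root CAs (long lifetime, against current FPKI policy)
#2006
fetch https://pki.treas.gov/trca4.cer
#2016
fetch https://pki.treas.gov/trca5.cer
# TRCA Issued CAs
fetch https://pki.treas.gov/root_sia.p7b

# FPKI-TRCA Cross signing cert
fetch https://pki.treas.gov/FCPCAG2_TRCA.cer

# U.S. Treasury Operational CA (TOCA)
fetch https://pki.treas.gov/toca_ee_aia.p7b

# Fiscal Service CA (FSCA)
fetch https://pki.treas.gov/fsca_ee_aia.p7b

# NASA Operation Certification Authority (NOCA)
fetch https://pki.treas.gov/noca_ee_aia.p7b

# Social Security Administration CA (SSACA)
fetch https://pki.treas.gov/ssaca_ee_aia.p7b

# Department of Homeland Security CA (DHSCA)
fetch https://pki.treas.gov/dhsca_ee_aia.p7b

# Department of Veterans Affairs CA (VACA)
fetch https://pki.treas.gov/vaca_ee_aia.p7b

# Department of Defense Roots 2-5
fetch https://militarycac.com/CACDrivers/DoDRoot2-5.p7b

# Department of Defense CA-33 through DOC SW CA-61
fetch https://militarycac.com/maccerts/AllCerts.p7b

# DoD PKI
fetch https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_DoD.zip
unpack_pke_zip certificates_pkcs7_DoD.zip

# ECA PKI
fetch https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_ECA.zip
unpack_pke_zip certificates_pkcs7_ECA.zip

# JITC PKI
fetch https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_JITC.zip
unpack_pke_zip certificates_pkcs7_JITC.zip

# SIPR PKI
# Unfortunately, SIPRNet PKI data is not available to the public

# Web Content Filtering PKI
fetch https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-11_wcf.zip
unpack_pke_zip unclass-certificates_pkcs7_v5-11_wcf.zip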

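# Convert each DER PKCS#7 bundle into a PEM file holding its certificates,
# together with the OpenSSL text dump that get_p11_label reads later.
# A bundle that fails to parse aborts the run: an empty .cer would
# otherwise be skipped without a trace further down.
for file in *.p7b; do
  [[ -e "${file}" ]] || continue          # no bundles: the glob stays literal
  outfile="${file%.p7b}.cer"               # only the extension changes
  openssl pkcs7 -inform der -in "${file}" -print_certs -text -out "${outfile}" \
    || { echo "error: cannot convert ${file}" >&2; exit 1; }
done
rm -f -- *.p7b

# The FPKI root comes as a bare DER certificate rather than a PKCS#7 bundle.
openssl x509 -inform der -in fcpcag2.crt -out fcpcag2.cer \
  || { echo "error: cannot convert fcpcag2.crt" >&2; exit 1; }
rm -f fcpcag2.crt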

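# Split every PEM bundle into one file per certificate.  Files are named by
# SHA-256 fingerprint rather than subject hash: the same certificate found in
# several bundles is then written once, and two different certificates that
# share a subject name (a re-keyed CA, a cross-certificate) no longer
# overwrite each other - with a ${hash}.crt name only the last one survived.
for cert in *.cer; do
  [[ -e "${cert}" ]] || continue          # no match: the glob stays literal
  in_cert=0
  found=0
  pem=""
  while IFS= read -r line; do
    if [[ "${line}" == "-----BEGIN CERTIFICATE-----"* ]]; then
      in_cert=1
      pem=""
    fi
    if (( in_cert )); then
      pem+="${line}"$'\n'
    fi
    if [[ "${line}" == "-----END CERTIFICATE-----"* ]]; then
      in_cert=0
      fp=$(printf '%s' "${pem}" | openssl x509 -noout -fingerprint -sha256) \
        || { echo "error: unparsable certificate in ${cert}" >&2; exit 1; }
      fp=${fp#*=}                          # drop the "... Fingerprint=" prefix
      fp=${fp//:/}                         # and the colons
      printf '%s' "${pem}" | openssl x509 -text -out "${fp}.crt" || exit 1
      found=1
    fi
  done < "${cert}"
  # A file with no PEM markers produces nothing above; say so, because a DER
  # .cer looks exactly like that and its certificate would simply be missing
  # from the result.
  (( found )) || echo "warning: no PEM certificate found in ${cert}; if it is DER, convert it with 'openssl x509 -inform der' first" >&2
done
rm -f -- *.cer
unset cert line in_cert found pem fp

# Annotate each certificate with its alias and trust purposes for make-ca.
# Policy, unchanged: keyCertSign -> trusted for TLS server authentication,
# digitalSignature -> trusted for e-mail protection.
# NOTE(review): this trusts *every* CA in the downloaded bundles - roots,
# subordinates and cross-certificates alike - for serverAuth.  Narrow the
# download list or the -addtrust purposes if that is broader than this host
# should accept.
for cert in *.crt; do
  [[ -e "${cert}" ]] || continue
  get_p11_label "${cert}"
  hash=$(openssl x509 -in "${cert}" -noout -hash) || exit 1
  usage=$(grep -A1 "X509v3 Key Usage:" "${cert}")
  trust=()
  [[ "${usage}" == *"Certificate Sign"* ]] && trust+=(-addtrust serverAuth)
  [[ "${usage}" == *"Digital Signature"* ]] && trust+=(-addtrust emailProtection)
  if (( ${#trust[@]} == 0 )); then
    echo "warning: ${cert} (${p11label}) has no Key Usage to map; written without a trust purpose" >&2
  fi
  # Subject-hash file name as before, with a counter so that certificates
  # sharing a subject each keep their own .pem instead of overwriting one another.
  out="${hash}.pem"
  n=0
  while [[ -e "${out}" ]]; do
    n=$((n + 1))
    out="${hash}.${n}.pem"
  done
  openssl x509 -in "${cert}" -text -fingerprint -setalias "${p11label}" \
          "${trust[@]}" > "${out}" || exit 1
  unset usage trust p11label hash out n
done
rm -f -- *.crt
unset cert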

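# Install the annotated certificates for make-ca.  Refuse to touch the
# system trust store when nothing was produced, and make sure the target is
# a directory first: "cp *.pem /etc/ssl/local" with a single .pem and no
# such directory would create a *file* called /etc/ssl/local.
# Files left in /etc/ssl/local by earlier runs are not removed here, so a
# retired CA has to be pruned from that directory by hand.
pems=(*.pem)
if [[ ! -e "${pems[0]}" ]]; then
  echo "error: no certificates produced; leaving /etc/ssl/local untouched" >&2
  popd > /dev/null 2>&1
  rm -rf -- "${TEMPDIR:?}"
  exit 1
fi
mkdir -p /etc/ssl/local || exit 1
cp -v -- "${pems[@]}" /etc/ssl/local \
  || { echo "error: copy to /etc/ssl/local failed" >&2; exit 1; }
popd > /dev/null 2>&1
rm -rf -- "${TEMPDIR:?}"
# Rebuild the system trust stores from the local certificates.
# NOTE(review): make-ca is assumed to pick up every *.pem in /etc/ssl/local,
# including the ${hash}.N.pem names used for subject collisions - confirm.
/usr/sbin/make-ca -f -g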
