#!/bin/sh
# Copyright (c) 2017 Cisco Systems, Inc
# All rights reserved
#

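# Return 0 only when every argument names an existing regular file.
# Uses a plain (non-local) loop variable because the script targets /bin/sh.
cert_files_present()
{
    for f in "$@"; do
        [ -f "$f" ] || return 1
    done
    return 0
}

#######################################
# Select the certificate set to serve with, in order of preference:
#   1. LSC with the freshly generated key in /tmp
#   2. LSC with the stored key
#   3. SHA-2 MIC
#   4. legacy MIC
# HW SUDI is not an option here because its private key file is not accessible.
# Defined with POSIX "name()" syntax: the "function" keyword is a bashism and
# fails under the #!/bin/sh interpreter.
# Globals:   root_ca, dev_cert, key (written)
# Outputs:   "No certificates found." on stdout when no complete set exists
# Returns:   0 when a set was selected, 1 otherwise
#######################################
get_certificate_set()
{
    if cert_files_present /tmp/lsc/lsc_priv_key \
                          /storage/lsc/device.cert \
                          /storage/lsc/ra.cert; then
        root_ca="/storage/lsc/ra.cert"
        dev_cert="/storage/lsc/device.cert"
        key="/tmp/lsc/lsc_priv_key"
    elif cert_files_present /storage/lsc/key \
                            /storage/lsc/ra.cert \
                            /storage/lsc/device.cert; then
        root_ca="/storage/lsc/ra.cert"
        dev_cert="/storage/lsc/device.cert"
        key="/storage/lsc/key"
    elif cert_files_present /tmp/certs/sha2/cisco_signed_cert-sha2.cert \
                            /tmp/certs/sha2/cisco-root-cert-sha2.cert \
                            /tmp/certs/sha2/priv_key-sha2; then
        root_ca="/tmp/certs/sha2/cisco-root-cert-sha2.cert"
        dev_cert="/tmp/certs/sha2/cisco_signed_cert-sha2.cert"
        key="/tmp/certs/sha2/priv_key-sha2"
    elif cert_files_present /tmp/certs/cisco_signed_cert.cert \
                            /tmp/certs/cisco-root-cert.cert \
                            /tmp/certs/priv_key; then
        root_ca="/tmp/certs/cisco-root-cert.cert"
        dev_cert="/tmp/certs/cisco_signed_cert.cert"
        key="/tmp/certs/priv_key"
    else
        echo "No certificates found."
        return 1
    fi
    return 0
}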

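# Wait (bounded) for the TAM service to finish initialising before looking for
# certificate files, so a slow tams_init does not cause a spurious
# "No certificates found". Only applies when the tams_init binary is present.
count=0
if [ -x /usr/sbin/tams_init ]; then
    # Poll once per second for the done-marker; give up after ~10 seconds.
    while [ ! -f /tmp/tams/tams_init_done ]; do
        sleep 1
        count=$((count + 1))
        if [ "$count" -gt 10 ]; then
            break
        fi
    done
fi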

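# Compare the last-reload timestamp with the device certificate's notBefore
# date and record the certificate start time in /tmp when it is the later one.
# $rtfile holds a line like "Mon Jan  1 12:00:00 UTC 2017"; the sed below
# keeps "Jan  1 12:00:00 2017". Certificate dates come from openssl's
# "notBefore=... GMT" line with the 10-char prefix and 4-char " GMT" suffix removed.
rtfile=/storage/RELOADED_AT_UTC
sudicert=/tmp/sudi_certs/sudi-rsa-cert.der
miccert=/tmp/certs/cisco_signed_cert.cert
rsec=0
certtime=
if [ -f "$rtfile" ]; then
    rtime=$(sed 's/^[A-Za-z]\{3\} \(.*\) UTC \([0-9]\{4\}\).*$/\1 \2/' < "$rtfile")
    # An unparseable reload time falls back to epoch 0 rather than an empty
    # string, which would break the numeric comparison below.
    rsec=$(date -d "$rtime" +%s) || rsec=0
fi
# Prefer the MIC (PEM); fall back to the SUDI certificate (DER).
if [ -f "$miccert" ]; then
    certtime=$(openssl x509 -inform pem -in "$miccert" -startdate -noout | sed -r 's/^.{10}//; s/.{4}$//')
elif [ -f "$sudicert" ]; then
    certtime=$(openssl x509 -inform der -in "$sudicert" -startdate -noout | sed -r 's/^.{10}//; s/.{4}$//')
fi
# Only write the marker when a certificate date was actually obtained: with no
# certificate present, `date -d ""` does not fail but yields today's midnight,
# and an empty marker file would be written.
if [ -n "$certtime" ] && certtimesec=$(date -d "$certtime" +%s) && [ "$certtimesec" -gt "$rsec" ]; then
    printf '%s\n' "$certtime" > /tmp/CERT_START_TIME
fi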

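# Install the selected certificate set for lighttpd: the root CA on its own,
# and the private key concatenated with the device certificate as server.pem.
# get_certificate_set sets root_ca, dev_cert and key and returns non-zero when
# no complete set exists, in which case nothing is installed.
if get_certificate_set; then
    mkdir -p /etc/lighttpd/ssl
    cp -- "$root_ca" /etc/lighttpd/ssl/root.crt
    # server.pem contains the private key and is created with the current umask.
    # NOTE(review): consider restricting its mode (e.g. umask 077 around this
    # write) if lighttpd reads the key as root before dropping privileges — confirm.
    cat -- "$key" "$dev_cert" > /etc/lighttpd/ssl/server.pem
fi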
