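#!/usr/bin/sh
#----------------------------------------------------------------------------------
# /var/install/bin/certs-find-duplicate-certs - find duplicate certificates
#
# Copyright (c) 2015-2025 The Eisfair Team, team(at)eisfair(dot)org
#
# Creation:    2014-04-14 jed
# Last Update: $Id$
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Reports *.pem files below the certificate directory that share the same
# OpenSSL subject hash. A shared subject hash only proves an identical
# subject name, not an identical certificate, so every group is additionally
# compared by SHA-256 fingerprint and flagged when the contents differ.
#----------------------------------------------------------------------------------

# include eislib
. /var/install/include/eislib

module_name="$(basename "${0}")"

# activate debug output
#debug_certs=true

if ${debug_certs:-false}
then
    # NOTE: debug only - the trace file has a predictable name in /tmp and
    # records every command (set -x); enable it on a trusted host only.
    exec 2> /tmp/${module_name}-trace$$.log
    set -x
    ask_debug=true
    export ask_debug
fi

#----------------------------------------------------------------------------------
# show wait
# Prints a progress bar of dots while the most recently started background
# job ($!) is still alive; wraps the bar after 51 dots.
#----------------------------------------------------------------------------------
show_wait ()
{
    _sw_col=1
    mecho -n " wait [ "
    while [ -n "$(ps --no-headers $!)" ]
    do
        mecho --info -n "."
        sleep 1
        _sw_col=$((_sw_col + 1))
        # start a fresh bar line once the current one is full
        if [ "${_sw_col}" -ge 52 ]
        then
            mecho " ]"
            mecho -n " wait [ "
            _sw_col=1
        fi
    done
    mecho " ] "
}

#----------------------------------------------------------------------------------
# check if certificate is valid
# This is a cheap format check only: the file must contain both PEM
# certificate armor lines. It does NOT verify the signature, validity period
# or chain of the certificate.
# input : $1 - name of cert file
# return: 0 - valid
#         1 - not valid
#----------------------------------------------------------------------------------
is_valid_cert ()
{
    _ivc_cert="$1"

    [ -n "${_ivc_cert}" ] || return 1
    # '--' ends option parsing so a pattern starting with '-' is never
    # mistaken for a grep option
    grep -q -- '-----BEGIN CERTIFICATE-----' "${_ivc_cert}" || return 1
    grep -q -- '-----END CERTIFICATE-----' "${_ivc_cert}" || return 1
    return 0
}

#----------------------------------------------------------------------------------
# show group verdict
# Terminates the output line of one duplicate group and tells the admin
# whether the files are byte-identical certificates or merely share a subject.
# input : $1 - 0 if all fingerprints of the group matched, 1 otherwise
#----------------------------------------------------------------------------------
show_group_verdict ()
{
    if [ "${1}" -eq 0 ]
    then
        echo "  (identical certificates)"
    else
        # same subject, different certificate: could be a renewed cert, a
        # cross-signed variant or an unexpected file - do not delete blindly
        mecho --warn "  (SAME SUBJECT BUT DIFFERENT CONTENT - compare fingerprints before removing!)"
    fi
}

#==================================================================================
# main
#==================================================================================
tmpdir=/tmp
ssldir=/usr/local/ssl
certdir=${ssldir}/certs
certarchdir=${certdir}/archive
openssl_bin=/usr/bin/openssl
color=''
frame=''

if [ -f /etc/config.d/setup ]
then
    if grep -qE "^MENU=['\"]/var/install/bin/show-menu['\"]" /etc/config.d/setup
    then
        color='--nocolor'
        frame='--noframe'
    fi
fi

# private work directory: an unpredictable mktemp name instead of the fixed
# /tmp/<module>.tmp path, which a local user could pre-create or symlink, and
# no wildcard 'rm -f /tmp/<module>.tmp*' over foreign files
work_dir="$(mktemp -d "${tmpdir}/${module_name}.XXXXXX")"
if [ -z "${work_dir}" ] || [ ! -d "${work_dir}" ]
then
    mecho --warn "cannot create temporary directory below ${tmpdir}"
    anykey
    exit 1
fi
tmp_file="${work_dir}/hashes"
tmp_uniq="${work_dir}/duplicates"
trap 'rm -rf -- "${work_dir:?}"' EXIT

# print header
clrhome
mecho --info "Check if duplicate certificates exist"
echo
echo "Certificate directory: ${certdir}"
echo
echo "updating hashes ..."

# make sure that the hashes are up-to-date
/var/install/bin/certs-update-hashes --quiet --certdir

echo "searching duplicate certificate files ..."

# always have a (possibly empty) input for sort, even without any valid cert
: > "${tmp_file}"

# glob instead of unquoted $(find ...): file names with blanks stay intact
for cert in "${certdir}"/*.pem
do
    # regular files only (like 'find -type f'); also skips the literal
    # pattern left by an unmatched glob
    if [ ! -f "${cert}" ] || [ -L "${cert}" ]
    then
        continue
    fi

    # not a PEM certificate, ignore silently
    is_valid_cert "${cert}" || continue

    file_name="$(basename "${cert}")"
    subject_hash="$("${openssl_bin}" x509 -in "${cert}" -noout -subject_hash 2>/dev/null)"
    if [ -z "${subject_hash}" ]
    then
        # PEM armor present but openssl cannot parse it - a missing hash would
        # otherwise be collected as an empty key and corrupt the grouping
        mecho --warn "- ${file_name}: cannot be parsed by openssl, skipped"
        continue
    fi
    fingerprint="$("${openssl_bin}" x509 -in "${cert}" -noout -fingerprint -sha256 2>/dev/null | cut -d'=' -f2)"

    # record: subject hash (8 hex chars) | sha256 fingerprint | file name
    echo "${subject_hash}|${fingerprint}|${file_name}" >> "${tmp_file}"
done

# sort by subject hash and keep only the lines whose first 8 characters
# (the hash) occur more than once; LC_ALL=C gives a stable byte order
LC_ALL=C sort "${tmp_file}" | uniq -w8 -D > "${tmp_uniq}"

if [ -s "${tmp_uniq}" ]
then
    # duplicate certificate exists, e.g.
    # 1ece4d4c|AB:CD:...|MY_isrg_root_ocsp_x1.pem
    # 1ece4d4c|AB:CD:...|isrg_root_ocsp_x1.pem
    # 8d33f237|12:34:...|MY_r3.pem
    # 8d33f237|12:34:...|r3.pem
    echo "duplicate certificates found:"

    prev_hash=''
    group_fp=''
    group_differs=0
    while IFS='|' read -r subject_hash fingerprint file_name
    do
        [ -n "${subject_hash}" ] || continue

        if [ "${subject_hash}" = "${prev_hash}" ]
        then
            # further member of the current group
            mecho -n --warn ", ${file_name}"
            [ "${fingerprint}" = "${group_fp}" ] || group_differs=1
        else
            # new group: finish the previous output line first
            if [ -n "${prev_hash}" ]
            then
                show_group_verdict "${group_differs}"
            fi
            mecho -n --warn "- ${file_name}"
            prev_hash="${subject_hash}"
            group_fp="${fingerprint}"
            group_differs=0
        fi
    done < "${tmp_uniq}"

    # terminate last output line
    show_group_verdict "${group_differs}"

    echo
    echo "Please remove duplicate certificate files and update the certificate hashes!"
    echo "Only remove files that are reported as identical certificates."
    echo
else
    echo "no duplicate certificate files found."
fi

anykey
exit 0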