#!/bin/bash

#set -vx

# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.

DEST="/etc/pki/ca-trust/extracted"
P11KIT="/usr/bin/p11-kit"

# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1

# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)

$P11KIT extract \
  --format=openssl-bundle \
  --filter=certificates \
  --overwrite \
  --comment \
  $DEST/openssl/ca-bundle.trust.crt

$P11KIT extract \
  --format=pem-bundle \
  --filter=ca-anchors \
  --overwrite \
  --comment \
  --purpose \
  server-auth $DEST/pem/tls-ca-bundle.pem

$P11KIT extract \
  --format=pem-bundle \
  --filter=ca-anchors \
  --overwrite \
  --comment \
  --purpose \
  email $DEST/pem/email-ca-bundle.pem

$P11KIT extract \
  --format=pem-bundle \
  --filter=ca-anchors \
  --overwrite \
  --comment \
  --purpose \
  code-signing $DEST/pem/objsign-ca-bundle.pem

$P11KIT extract \
  --format=java-cacerts \
  --filter=ca-anchors \
  --overwrite \
  --purpose \
  server-auth $DEST/java/cacerts

$P11KIT extract \
  --format=edk2-cacerts \
  --filter=ca-anchors \
  --overwrite \
  --purpose \
  server-auth $DEST/edk2/cacerts.bin
