#!/bin/bash

set -e

# Upgrade from exactly 20110912ubuntu1: set the executable bit on the
# jks-keystore update hook when it is present.
# NOTE(review): the earlier comment here described this step as *disabling*
# a critically buggy hook, but chmod +x makes the hook runnable.  Presumably
# another maintainer script clears the bit before the upgrade and this
# restores it -- confirm.  Marked for removal after the oneiric release.
case "$2" in
    20110912ubuntu1)
        if [ -e /etc/ca-certificates/update.d/jks-keystore ]; then
            chmod +x /etc/ca-certificates/update.d/jks-keystore
        fi
        ;;
esac

# Keystore password.  It is handed to java via -storepass further down, i.e.
# on the command line, where other local users can read it from the process
# list; a site-specific value gets no more protection than that.
storepass='changeit'

# /etc/default/cacerts is executed as shell code with the privileges of this
# script, so it must only ever be writable by root.  It may override
# storepass or set any other variable read below.
[ ! -f /etc/default/cacerts ] || . /etc/default/cacerts

# Select a JVM and point JAVA_HOME, PATH and CLASSPATH at it.
# Globals:   jvm (written), JAVA_HOME, CLASSPATH (written, exported),
#            PATH (written)
# Arguments: none
setup_path()
{
    # Stop at the first candidate that ships an executable bin/java.  When
    # none does, the loop simply runs out and $jvm keeps the last name in
    # the list; no error is raised here.
    for jvm in java-6-openjdk java-7-openjdk java-6-sun; do
        [ ! -x "/usr/lib/jvm/$jvm/bin/java" ] || break
    done

    JAVA_HOME="/usr/lib/jvm/$jvm"
    export JAVA_HOME
    # PATH is assigned without an explicit export; it reaches child
    # processes only if it was already exported by the caller's environment.
    PATH="$JAVA_HOME/bin:$PATH"

    # Directory expected to hold the UpdateCertificates class run later.
    export CLASSPATH=/usr/share/ca-certificates-java
}

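# Populate the Java keystore from every *.pem file under /etc/ssl/certs.
# Globals:   jvm, storepass, FIXOLD (read); nsspkg, nssjdk (written, later
#            read by do_cleanup)
# Outputs:   "done." on stdout once the keystore update succeeded
# Returns:   0 on success, 1 when the java keystore update fails
first_install()
{
    # If the JDK's nss.cfg names a different directory than the one libnss3
    # is installed in, link the library into the configured directory.
    # NOTE(review): `which` receives two operands here (dpkg-query and
    # --version).  An implementation that looks --version up as a program
    # name returns non-zero and this whole step is skipped -- confirm which
    # behaviour is relied on.
    if which dpkg-query --version >/dev/null; then
        nsspkg=$(dpkg-query -L libnss3 | sed -n 's,\(.*\)/libnss3\.so$,\1,p')
        nssjdk=$(sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' "/etc/$jvm/security/nss.cfg")
        if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
            # Quoted so a directory containing whitespace cannot be split
            # into several arguments of a command run as root.
            ln -sf "$nsspkg/libnss3.so" "$nssjdk/libnss3.so"
        fi
    fi

    # One instruction per line on java's stdin: "+<file>" adds a
    # certificate, "-<alias>" removes one.  IFS= and -r keep file names
    # intact (backslashes, leading/trailing blanks); printf is used instead
    # of echo so an alias such as "n" or "e" is not taken for an echo option.
    #
    # This function is called as an `if` condition, where `set -e` is
    # suspended, so a failing keystore update has to be reported explicitly;
    # otherwise the trailing echo would make the function succeed and a
    # stale trust store would go unnoticed.
    find /etc/ssl/certs -name '*.pem' | \
    while IFS= read -r filename; do
        # Alias: lower-cased base name, every run of other characters
        # collapsed to one "_", trailing "_" dropped.
        alias=$(basename "$filename" .pem | tr A-Z a-z | tr -cs a-z0-9 _)
        alias=${alias%*_}
        if [ -n "$FIXOLD" ]; then
            # Drop entries left by older versions under both alias forms.
            printf '%s\n' "-${alias}" "-${alias}_pem"
        fi
        printf '%s\n' "+${filename}"
    done | \
    java UpdateCertificates -storepass "$storepass" || return 1
    echo "done."
}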

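# Remove the DigiNotar root certificate from the Java keystore.
# Globals:   jvm, storepass (read); nsspkg, nssjdk (written, later read by
#            do_cleanup)
# Outputs:   "done." on stdout once the keystore update succeeded
# Returns:   0 on success, 1 when the java keystore update fails
remove_certs()
{
    # If the JDK's nss.cfg names a different directory than the one libnss3
    # is installed in, link the library into the configured directory.
    # NOTE(review): `which` receives two operands here (dpkg-query and
    # --version).  An implementation that looks --version up as a program
    # name returns non-zero and this whole step is skipped -- confirm which
    # behaviour is relied on.
    if which dpkg-query --version >/dev/null; then
        nsspkg=$(dpkg-query -L libnss3 | sed -n 's,\(.*\)/libnss3\.so$,\1,p')
        nssjdk=$(sed -n '/nssLibraryDirectory/s/.*= *\(.*\)/\1/p' "/etc/$jvm/security/nss.cfg")
        if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
            # Quoted so a directory containing whitespace cannot be split
            # into several arguments of a command run as root.
            ln -sf "$nsspkg/libnss3.so" "$nssjdk/libnss3.so"
        fi
    fi

    # Forcibly remove diginotar cert (LP: #920758)
    #
    # This function is called as an `if` condition, where `set -e` is
    # suspended.  Without the explicit return the trailing echo would make
    # it succeed even when java failed, leaving the distrusted root in the
    # keystore while the upgrade reports success.
    printf '%s\n' '-diginotar_root_ca' '-diginotar_root_ca_pem' | \
    java UpdateCertificates -storepass "$storepass" || return 1
    echo "done."
}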

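# Undo the temporary changes made so that java could run.
# Globals:   temp_jvm_cfg, nsspkg, nssjdk (read)
# Returns:   status of the last rm that ran, 0 when nothing had to be removed
do_cleanup()
{
    # Set only when this script created jvm.cfg itself.
    if [ -n "$temp_jvm_cfg" ]; then
        rm -f -- "$temp_jvm_cfg"
    fi

    # Same condition under which the libnss3.so link is created, so the
    # link is removed only when one was (or would have been) made.  The
    # path is quoted: nssjdk is parsed out of a config file and an
    # unquoted value containing whitespace would make rm, running as root,
    # act on several unintended paths.
    if [ -n "$nsspkg" ] && [ -n "$nssjdk" ] && [ "$nsspkg" != "$nssjdk" ]; then
        rm -f -- "$nssjdk/libnss3.so"
    fi
}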

# Maintainer-script dispatch: $1 is the action dpkg requested, $2 the
# previously configured version (empty on a fresh install).
case "$1" in
    configure)
        # FIXOLD: coming from a version before 20110912ubuntu3; the keystore
        # is rebuilt and old aliases are removed.  dpkg's `lt` treats an
        # empty version as older than any other, so this presumably also
        # fires on a fresh install -- confirm.
        if dpkg --compare-versions "$2" lt "20110912ubuntu3"; then
            FIXOLD="true"
            # Keep a copy of the existing keystore before it is rewritten.
            if [ -e /etc/ssl/certs/java/cacerts ]; then
                cp -f /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.dpkg-old
            fi
        fi
        # CLEANOLD is only consulted by the condition just below.
        if dpkg --compare-versions "$2" lt "20110912ubuntu3.1"; then
            CLEANOLD="true"
        fi
        # NOTE(review): FIXOLD and CLEANOLD are never reset before use, so a
        # value inherited from the environment or set by the sourced
        # /etc/default/cacerts would also enable these paths.
        if [ -z "$2" -o -n "$FIXOLD" -o -n "$CLEANOLD" ]; then
	    setup_path

	    if ! mountpoint -q /proc; then
		echo >&2 "the keytool command requires a mounted proc fs (/proc)."
		exit 1
	    fi

	    if [ ! -f /etc/$jvm/jvm.cfg ]; then
		# the jre is not yet configured, but jvm.cfg is needed to run it
		# temp_jvm_cfg records the file so do_cleanup can delete it again.
		temp_jvm_cfg=/etc/$jvm/jvm.cfg
		mkdir -p /etc/$jvm
		printf -- "-server KNOWN\n" > $temp_jvm_cfg
	    fi

	    # Both helpers below run as an `if` condition, so `set -e` is
	    # suspended inside them; a failure reaches the else branch only if
	    # the helper itself returns non-zero.
	    if [ -z "$2" -o -n "$FIXOLD" ]; then
		if first_install; then
		    do_cleanup
		else
		    do_cleanup
		    exit 1
		fi
	    fi
	    # NOTE(review): when the branch above has run, its do_cleanup has
	    # already deleted a temporary jvm.cfg before remove_certs invokes
	    # java -- confirm java still starts in that case.
	    if [ -n "$2" ]; then
		echo "removing untrusted certificates..."
		if remove_certs; then
		    do_cleanup
		else
		    do_cleanup
		    exit 1
		fi
	    fi
	fi
	# Best effort: restrict the defaults file to its owner; `|| true`
	# keeps a missing file from aborting the script under `set -e`.
	chmod 600 /etc/default/cacerts || true
    ;;

    # Nothing to roll back for the abort actions.
    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# The marker on the next line is a debhelper placeholder that is replaced
# with generated script fragments at package build time; keep it verbatim.
#DEBHELPER#

exit 0


