#!/bin/bash
#
# Art by doka@funlab.cc, 2024

# Only DigiCert G2 and G5 (no Thawte, GeoTrust, RapidSSL and Baltimore)
URLS=$(
  for URL in $(curl -s https://www.digicert.com/kb/digicert-root-certificates.htm |
        egrep "\bDigiCert\b.*G[25]" | egrep -vi "\bbaltimore\b" |
        egrep -o '<a href="[^"]+' | awk -F\" '/\.pem$/ {print $NF}'); do
    echo $URL
  done | sort | uniq
)

# Let's Enrypt certificates
BASE="https://letsencrypt.org"
URLS+=$'\n'$(
  for URL in $(curl -s $BASE/certificates | egrep -o '<a href="[^"]+' | egrep -v -- "-cross\." | awk -F\" '/\.pem$/ {print $NF}'); do
    [[ $URL =~ ^https? ]] || URL="${BASE}${URL}"
    echo $URL
  done | sort | uniq
)

APP_DIR=$(dirname $(realpath $0))
BUN="$APP_DIR/DigiLets-bundle.pem"
> $BUN
NOW=$(date +%s)
for URL in $URLS; do
  #echo "DEBUG: Found $URL"
  CERT=$(curl -s $URL)
  END=$(date -d "$(echo "$CERT" | openssl x509 -enddate -noout | sed 's/^notAfter\s*=\s*//g')" +"%s")
  # If certificate not expired, then add it to the bundle
  [[ $END -gt $NOW ]] && echo "$CERT" | openssl x509 -subject -enddate -serial >> $BUN
done

# Cloudflare DNS specific
DOH="$APP_DIR/DoH.pem"
> $DOH
openssl s_client -connect cloudflare-dns.com:443 </dev/null 2>/dev/null | sed -n '/^-----BEGIN/,/^-----END/p' | openssl x509 -subject -enddate -serial >> $DOH

cat $BUN | sha256sum | awk '{print $1}' > ${BUN}.sha256sum.txt
cat $DOH | sha256sum | awk '{print $1}' > ${DOH}.sha256sum.txt

exit 0