#!/bin/bash

# script/sync-dod-certs: update the CA bundle with DOD intermediate and root CAs

CAS_FILE_NAME="Certificates_PKCS7_v5.3_DoD"
CA_CHAIN="ssl/server-certs/ca-chain.pem"

echo "Resetting CA bundle..."
rm ssl/server-certs/ca-chain.pem &> /dev/null || true
touch $CA_CHAIN

if [[ $FLASK_ENV != "prod" ]]; then
  # only for testing and development
  echo "Copy in testing client CA..."
  cat ssl/client-certs/client-ca.crt >> $CA_CHAIN
fi

# dod intermediate certs
echo "Adding DoD root certs"
rm -rf tmp || true
mkdir tmp
curl --silent -o tmp/dod-cas.zip "https://iasecontent.disa.mil/pki-pke/$CAS_FILE_NAME.zip"
unzip tmp/dod-cas.zip -d tmp/ &> /dev/null
openssl pkcs7 -in "tmp/$CAS_FILE_NAME/$CAS_FILE_NAME.pem.p7b" -print_certs >> $CA_CHAIN
rm -rf tmp