#!/bin/bash
### Updates browser certificate databases for the current user
### Erico Mendonca <erico.mendonca@suse.com>
### Jun 2021

MAINDB="/etc/pki/nssdb"
LOGID="update-browser-certs"

logger -t $LOGID "starting browser certificate update on $HOME"

# reference: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/cert_management.md

# must take it to temp dir to do a merge because certutil *insists* on opening the file as RW
TMPDB=$(mktemp -d)
cp -dpRv ${MAINDB}/* ${TMPDB}/

# Google Chrome
if [ ! -d $HOME/.pki/nssdb ]; then
	mkdir -p $HOME/.pki/nssdb
	certutil -d sql:$HOME/.pki/nssdb -N --empty-password
fi

# Warsaw certificate...
if [ -f /usr/local/etc/warsaw/rootca.crt ]; then
  certutil -D -n "Warsaw Personal CA" -d sql:${TMPDB}
  certutil -A -n "Warsaw Personal CA" -t "TCu,Cuw,Tuw" -i "/usr/local/etc/warsaw/rootca.crt" -d sql:${TMPDB}
fi

certutil --merge -d sql:$HOME/.pki/nssdb --source-dir sql:${TMPDB}
if [ $? != 0 ]; then
	logger -t $LOGID "error updating Google Chrome/Chromium certificate database at ${HOME}"
else
	logger -t $LOGID "Google Chrome/Chromium certificate database updated successfully"
fi

# Mozilla Firefox
# find out the active profile
PROFILEID=$(egrep '^Default=\w{3}+' $HOME/.mozilla/firefox/profiles.ini  | cut -d\= -f2)

if [ -z $PROFILEID ]; then
	logger -t ${LOGID} "couldn't determine Mozilla Firefox profile ID, trying to create one"
	firefox --headless 2>&1 > /dev/null &
 	while [ ! -f $HOME/.mozilla/firefox/profiles.ini ]; do
		sleep 3
	done
	logger -t ${LOGID} "profile ok"
	PROFILEID=$(egrep '^Default=\w{3}+' $HOME/.mozilla/firefox/profiles.ini  | cut -d\= -f2)
	while [ ! -f $HOME/.mozilla/firefox/${PROFILEID}/cert?.db ]; do
		sleep 1
	done
	logger -t ${LOGID} "certdb ok"
	kill %1
fi

if [ -z $PROFILEID ]; then
	logger -t ${LOGID} "couldn't determine Mozilla Firefox profile ID, skipping"
else
	logger -t ${LOGID} "updating Mozilla Firefox profile at $HOME/.mozilla/firefox/${PROFILEID}"
	while [ ! -f "$HOME/.mozilla/firefox/${PROFILEID}/cert9.db" ]; do
		sleep 1
		logger -t ${LOGID} "waiting for certdb"
	done
	logger -t ${LOGID} "certdb ok"
	certutil --merge -d sql:$HOME/.mozilla/firefox/${PROFILEID} --source-dir sql:${TMPDB}
	if [ $? != 0 ]; then
		logger -t $LOGID "error updating Mozilla Firefox certificate database at ${HOME}"
	else
		logger -t $LOGID "Mozilla Firefox certificate database for ${PROFILEID} updated successfully"
	fi
fi

rm -rf ${TMPDB}

logger -t $LOGID "browser certificate update on $HOME done"

exit 0

	

