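#!/bin/bash
#
# Export the issuer certificates of several OpenBao/Vault PKI mounts into
# local PEM files so they can be installed as trust anchors.
#
# Required environment: VAULT_ADDR and VAULT_TOKEN (exit status 1 if either
# is empty). Requires the `bao`, `jq` and `openssl` commands on PATH.
#
# Output layout: <subdir>/<issuer_name>.pem, one file per issuer, written as
# an OpenSSL "TRUSTED CERTIFICATE" carrying the requested trust purpose and
# the issuer UUID as alias. Any failing bao/jq/openssl step aborts the run
# (set -e / pipefail).
set -e -o pipefail

if [[ -z "$VAULT_TOKEN" || -z "$VAULT_ADDR" ]]; then
  # Diagnostics go to stderr so they never end up in a captured data stream.
  printf '%s\n' 'No Vault server or token set' >&2
  exit 1
fi
set -u

#######################################
# Download every issuer certificate of one PKI mount.
# Arguments:
#   $1 - PKI mount path (e.g. "root_ca")
#   $2 - output directory, created if missing
#   $3 - OpenSSL trust purpose passed to -addtrust, or "" for none
# Outputs:
#   writes <subdir>/<name>.pem per issuer, where <name> is the issuer_name
#   reported by the server, or the issuer UUID when that name is empty
# Returns:
#   non-zero (and, under set -e, exits) if listing or reading an issuer
#   fails, if openssl fails, or if the server-provided issuer name is not
#   a single safe path component
#######################################
download_certs() {
  local ca="$1"
  local subdir="$2"
  local trust="$3"
  local listing name uuid
  local -a uuids=()
  local -a args=()

  if [[ -n "$trust" ]]; then
    args=(-addtrust "$trust")
  fi

  mkdir -p -- "$subdir"

  # Capture the listing in an assignment first: a failure inside a process
  # substitution would not trip set -e, but a failing $(...) assignment does.
  listing=$(bao list -format=json "${ca}/issuers" | jq -r '.[]')
  mapfile -t uuids <<<"$listing"

  for uuid in "${uuids[@]}"; do
    [[ -n "$uuid" ]] || continue   # <<< yields one empty line for an empty listing

    name=$(bao read -field=issuer_name "${ca}/issuer/${uuid}")
    if [[ -z "$name" ]]; then
      # An unnamed issuer would otherwise be written to "<subdir>/.pem" and
      # overwritten by the next unnamed one; the UUID is unique instead.
      name="$uuid"
    fi
    # The name comes from the server and becomes part of a path we write to:
    # refuse anything that is not a plain filename (no "/", no leading ".").
    if [[ ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
      printf 'refusing unsafe issuer name %q for issuer %s in %s\n' \
        "$name" "$uuid" "$ca" >&2
      return 1
    fi

    # ${args[@]+"${args[@]}"} expands to nothing for an empty array without
    # tripping set -u on older bash versions.
    bao read -field=certificate "${ca}/issuer/${uuid}" \
      | openssl x509 -out "${subdir}/${name}.pem" -setalias "$uuid" \
          ${args[@]+"${args[@]}"}
  done
}

download_certs "root_ca" "certs" "anyExtendedKeyUsage"
download_certs "acme_ca" "certs" "anyExtendedKeyUsage"
download_certs "secureboot_ca" "certs/secureboot" "codeSigning"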