#!/bin/sh

#
# Portions of this file Copyright 1999-2005 University of Chicago
# Portions of this file Copyright 1999-2005 The University of Southern California.
#
# This file or a portion of this file is licensed under the
# terms of the Globus Toolkit Public License, found at
# http://www.globus.org/toolkit/download/license.html.
# If you redistribute this file, with or without
# modifications, you must include this notice in the file.
#

#
# globus-cert-info
#
# Easily extract information from a user's cert.
#

# Bail out early when GLOBUS_LOCATION is unset or empty: the helper scripts
# sourced below are all looked up beneath that directory.
if [ -z "${GLOBUS_LOCATION}" ]; then
    printf '\n%s\n%s\n\n' \
        "ERROR: Please set GLOBUS_LOCATION to the Globus installation directory before" \
        "running this script"
    exit 1
fi

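# Load the Globus shell helpers. GLOBUS_LOCATION is taken from the environment
# and the files below are sourced into this shell, so it has to point at a
# trusted installation. The expansions are quoted so that a location containing
# whitespace or glob characters is not split into several words.
. "${GLOBUS_LOCATION}/libexec/globus-script-initializer"
globus_source "${GLOBUS_LOCATION}/libexec/globus-sh-tools.sh"

# Basename of the invoked script; used to build the usage line below.
PROGRAM_NAME=`echo "$0" | ${GLOBUS_SH_SED-sed} 's|.*/||g'`

# Revision number with the RCS keyword wrapper ("$Revision: ... $") removed.
PROGRAM_VERSION=`echo '$Revision: 1.9.4.1 $'| ${GLOBUS_SH_SED-sed} -e 's|\\$||g' -e 's|Revision: \(.*\)|\1|'`

# Package metadata. Nothing in this script reads these directly; presumably
# the sourced argument parser uses them for -version -- TODO confirm.
VERSION="2.11"

PACKAGE="globus_gsi_cert_utils"

DIRT_TIMESTAMP="1196701943"
DIRT_BRANCH_ID="63"

short_usage="$PROGRAM_NAME [-help] [-file certfile] [-all] [-subject] [...]"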

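# Print the full usage text on stderr.
# Globals: short_usage (read), HOME (read; expanded inside the here-document),
#          GLOBUS_SH_CAT (read; falls back to "cat").
# The default-location list mirrors the lookup order implemented by
# find_default_credential, including the PKCS#12 fallback.
long_usage () {
    ${GLOBUS_SH_CAT-cat} >&2 <<EOF

${short_usage}

    Displays certificate information. Unless the optional -file
    argument is given, the default location of the file containing the
    certificate is assumed:

      -- The location pointed to by the X509_USER_CERT.
      -- If X509_USER_CERT not set, $HOME/.globus/usercert.pem.
      -- If that file is not readable, $HOME/.globus/usercred.p12.

    Several options can be given: The output of
        "grid-cert-info -subject -issuer"
    is equivalent to that of
        "grid-cert-info -subject ; grid-cert-info -issuer"

    Options
      -help, -usage                Display usage
      -version                     Display version
      -file certfile     |-f       Use 'certfile' at non-default location

    Options determining what to print from certificate

      -all                        Whole certificate
      -subject           |-s      Subject string of the cert
      -issuer            |-i      Issuer of the cert
      -issuerhash        |-ih     Hash of the issuer name
      -startdate         |-sd     Validity of cert: start date
      -enddate           |-ed     Validity of cert: end date

EOF
}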

# Print the path of the credential to use when -file is not given.
# Lookup order:
#   1. $X509_USER_CERT, if non-empty (printed as-is; readability is not
#      checked here)
#   2. ${HOME}/.globus/usercert.pem, if readable
#   3. ${HOME}/.globus/usercred.p12, if readable
# Prints an empty line when none of these applies.
# See http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html#prewsaa-env-credentials
find_default_credential()
{
    if test -n "$X509_USER_CERT"; then
        echo "$X509_USER_CERT"
        return
    fi

    if test -r "${HOME}/.globus/usercert.pem"; then
        echo "${HOME}/.globus/usercert.pem"
        return
    fi

    if test -r "${HOME}/.globus/usercred.p12"; then
        echo "${HOME}/.globus/usercred.p12"
        return
    fi

    echo ""
}

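# Hand the command line to the shared Globus argument-parser header.
# ${1+"$@"} passes every argument through as its own word (an unquoted $@
# re-splits arguments that contain whitespace and glob-expands them) and
# expands to nothing when there are no arguments at all.
globus_source "$libexecdir/globus-args-parser-header" ${1+"$@"}


# OpenSSL lookup: ${GLOBUS_LOCATION}/bin is searched first, so an "openssl"
# installed there takes precedence over the system binary.
PATH=${GLOBUS_LOCATION}/bin:${PATH}
SSL_EXEC="openssl"


# Default certificate encoding; switched to pkcs12 later for *.p12 files.
cert_format=x509

# Space-separated list of output selectors, filled in by the option loop.
toprint=""

# Default location of the certificate (may be overridden by -file).
certfile=`find_default_credential`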

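# Parse the command-line options.
# Each output option appends a fixed token to $toprint: either an
# "openssl x509" flag or the marker SUBJECT, which is handled specially when
# printing. Only these literals are ever appended, never user-supplied text.
# The loop stops at the first empty argument.
while [ "X$1" != "X" ]; do
    case "$1" in
    -file|-f)
        # The value is a caller-supplied path. The three conditions are
        # separate tests joined with && instead of the obsolescent -a
        # operator, which test(1) can misparse when "$2" itself looks like an
        # operator such as "!" or "(".
        if [ -n "$2" ] && [ -f "$2" ] && [ -r "$2" ]; then
            certfile=$2
        else
            globus_args_option_error "$1" "\"$2\" is not a valid filename"
        fi
        # Consume the option's value; the shift at the end of the loop
        # consumes the option itself.
        shift
        ;;
    -all)
        toprint="$toprint -text"
        ;;
    -subject|-s)
        toprint="$toprint SUBJECT"
        ;;
    -issuerhash|-ih)
        toprint="$toprint -issuer_hash"
        ;;
    -issuer|-i)
        toprint="$toprint -issuer"
        ;;
    -startdate|-sd)
        toprint="$toprint -startdate"
        ;;
    -enddate|-ed)
        toprint="$toprint -enddate"
        ;;
    *)
        globus_args_unrecognized_option "$1"
        ;;
    esac
    shift
done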

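# Validate the selected certificate path and derive its encoding.
if [ -z "$certfile" ]; then
    echo "Error: Cannot locate certificate" 1>&2
    exit 1
fi

# Decide the format from the file name *suffix*. A substring match such as
# grep '\.p12' would also fire on a directory component or on a name like
# "cert.p12.pem", sending a PEM file down the PKCS#12 path. Names that merely
# contain ".pem" or ".p12" without ending in it are now rejected, as the
# error message already states.
case "$certfile" in
*.p12)
    cert_format=pkcs12
    ;;
*.pem)
    cert_format=x509
    ;;
*)
    echo "Error: certificate file \"$certfile\" is not .pem or .p12" 1>&2
    exit 1
    ;;
esac

# With no output option given, print the whole certificate.
if [ "X$toprint" = "X" ]; then
    toprint="-text"
fi

# Re-check here because a path taken from X509_USER_CERT is not checked for
# readability when it is picked up. Two separate tests replace the
# obsolescent -a / parenthesised form of test(1).
if [ ! -f "${certfile}" ] || [ ! -r "${certfile}" ]; then
    echo "ERROR: Cannot read certificate file ${certfile}" >&2
    exit 1
fi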
 
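# Extract the requested fields with "openssl x509" and print them.
#
# The certificate path comes from -file, X509_USER_CERT or the default
# location, so it is caller-controlled. It is always handed to openssl as one
# quoted argument and is never re-parsed by the shell: building a command
# string containing the path and running it through eval would split a path
# with spaces and would interpret any shell metacharacters in it as shell
# syntax.
if [ "$cert_format" = pkcs12 ]; then
    echo "Credentials are in pkcs12 format, OpenSSL will prompt for p12 password"
    # -nokeys -clcerts: output the client certificate only, never the key.
    # NOTE(review): -nomacver skips verification of the PKCS#12 integrity MAC;
    # confirm this is still wanted before relying on the printed fields.
    cert_data=`"${SSL_EXEC}" pkcs12 -nokeys -clcerts -nomacver -in "${certfile}"` || exit 1
else
    cert_data=""
fi

# Run "openssl x509 -noout <option>" on the selected certificate.
# Arguments: $1 - one x509 output option, e.g. -subject or -enddate
# Globals:   cert_format, cert_data, certfile, SSL_EXEC (all read)
# Outputs:   openssl's output on stdout; returns openssl's exit status
x509_field()
{
    if [ "$cert_format" = pkcs12 ]; then
        # The PEM certificate extracted from the .p12 file is fed on stdin.
        printf '%s\n' "$cert_data" | "${SSL_EXEC}" x509 -noout "$1"
    else
        "${SSL_EXEC}" x509 -noout -in "${certfile}" "$1"
    fi
}

# The subject is fetched unconditionally: it doubles as the check that openssl
# can parse the certificate at all.
subject=`x509_field -subject` || exit 1

# Strip the "subject=" label. The value is quoted so that whitespace runs are
# kept and glob characters in a DN are not expanded against the filesystem.
subject=`printf '%s\n' "${subject}" | ${GLOBUS_SH_SED-sed} 's%^subject= *%%'`

# $toprint holds only the fixed tokens appended by the option parser, so plain
# word splitting is enough to turn it into positional parameters; no eval.
set -- $toprint
for i in "$@"; do
    case "$i" in
    -*)
        # Capture first so that an openssl failure really ends the script with
        # openssl's status; an "exit" placed inside a pipeline only leaves the
        # pipeline's subshell.
        field=`x509_field "$i"` || exit $?
        # Drop a leading "label=" so only the value is printed.
        printf '%s\n' "$field" | ${GLOBUS_SH_SED-sed} 's/^[a-zA-Z]*=[ ]*//'
        ;;
    SUBJECT)
        # Do not show the proxy levels
        printf '%s\n' "${subject}" | ${GLOBUS_SH_SED-sed} -e 's%/CN=proxy%%g' -e 's%/CN=limited proxy%%g'
        ;;
    esac
done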

