#!/bin/sh
#
# SPDX-FileCopyrightText: 2003 Theodore Ts'o <tytso@alum.mit.edu>
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This script will extract the necessary certificate from the IMAP server
# It assumes that an attacker isn't trying to spoof you when you connect
# to the IMAP server!  You're better off downloading the certificate
# from a trusted source.
#

if [ $# != 1 ]; then
	echo "Usage: $0 <host>" >&2
	exit 1
fi

HOST=$1

seed=`date '+%s'`
try=0
while :; do
	TMPDIR=/tmp/get-cert.$$.$seed
	mkdir $TMPDIR 2> /dev/null && break
	if [ $try = 1000 ]; then
		echo "Cannot create temporary directory." >&2
		exit 1
	fi
	try=`expr $try + 1`
	seed=`expr \( \( $seed \* 1103515245 \) + 12345 \) % 2147483648`
done

TMPFILE=$TMPDIR/get-cert
ERRFILE=$TMPDIR/get-cert-err
CERTFILE=$TMPDIR/cert

echo QUIT | openssl s_client -connect $HOST:993 -showcerts \
	> $TMPFILE 2> $ERRFILE
sed -e '1,/^-----BEGIN CERTIFICATE-----/d' \
	-e '/^-----END CERTIFICATE-----/,$d' < $TMPFILE > $CERTFILE

if test -s $CERTFILE ; then
	echo -----BEGIN CERTIFICATE-----
	cat $CERTFILE
	echo -----END CERTIFICATE-----
else
	echo "Couldn't retrieve certificate.  openssl reported the following errors:"
	cat $ERRFILE
fi

rm -r $TMPDIR