#!/bin/sh

# Load the debconf client-side protocol helpers (db_version, db_input,
# db_go) that the vulnerable-PRNG notice below relies on.
# NOTE(review): this script never enables `set -e`, so a failing command
# does not abort the postinst; only the commands used explicitly in
# if/&&/|| conditions influence control flow.
. /usr/share/debconf/confmodule

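# Create the ssl-cert system group that will own the snakeoil private key
# (the key is made group-readable further down).  The existence check must
# consult the *group* database: the original looked the name up in passwd,
# i.e. it asked whether a *user* called ssl-cert exists, which is not what
# addgroup creates, so the test could disagree with the action it guards.
if ! getent group ssl-cert >/dev/null; then
	addgroup --quiet --system ssl-cert
fi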

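# On upgrade ($2 is the previously installed version; it is empty on a
# fresh install) decide whether the snakeoil key may have been produced by
# one of the openssl builds with the broken PRNG, and regenerate it when
# openssl-vulnkey rejects the key.  The version ranges are the ones this
# package's history recorded; keep them in step with the changelog.
# NOTE(review): $1 (the maintainer-script action) is not checked, so this
# runs for any action that carries a second argument, e.g. "configure".
if [ -n "$2" ]; then
	check_key=""
	if dpkg --compare-versions "$2" lt 1.0.13-0ubuntu0.7.04.1; then
		check_key="yes"
	elif dpkg --compare-versions "$2" ge 1.0.13-1 && \
	     dpkg --compare-versions "$2" lt 1.0.14-0ubuntu0.7.10.1; then
		check_key="yes"
	elif dpkg --compare-versions "$2" ge 1.0.14-0ubuntu1 && \
	     dpkg --compare-versions "$2" lt 1.0.14-0ubuntu2.1; then
		check_key="yes"
	fi

	CERT="/etc/ssl/certs/ssl-cert-snakeoil.pem"
	KEY="/etc/ssl/private/ssl-cert-snakeoil.key"

	# Only touch the pair this package generated: both files must exist and
	# the certificate must be self-signed (issuer == subject).
	# Separate [ ] tests joined with && replace the ambiguous -a operator,
	# and the openssl calls are now made only after the existence checks
	# pass -- in the single-[ ] form the command substitutions ran first,
	# so a missing certificate produced redirection errors on every upgrade.
	if [ "${check_key}" = "yes" ] && \
	   [ -e "${CERT}" ] && [ -e "${KEY}" ]; then
		# Strip the "issuer=" / "subject=" prefix with an anchored pattern
		# that accepts both "issuer= /C=..." and "issuer=C = ..." output
		# styles; the old unanchored 's/issuer= //' only matched the former,
		# which silently turned the self-signed check into "never equal".
		issuer="$(openssl x509 -issuer -noout < "${CERT}" | sed 's/^issuer= *//')"
		subject="$(openssl x509 -subject -noout < "${CERT}" | sed 's/^subject= *//')"
		# Any non-zero status from openssl-vulnkey (blacklisted key, but also
		# an error such as a missing blacklist) triggers regeneration -- the
		# conservative outcome for a private key.
		if [ "${issuer}" = "${subject}" ] && ! openssl-vulnkey -q "${KEY}"; then
			db_version 2.0
			# db_input returns non-zero when the question is not shown
			# (already seen / priority filtered); that is not a failure here.
			db_input critical make-ssl-cert/vulnerable_prng || true
			db_go
			make-ssl-cert generate-default-snakeoil --force-overwrite
		fi
	fi
fi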

# Generate the default snakeoil key/cert pair if it is not there yet.
# No pre-check is needed: without --force-overwrite make-ssl-cert leaves an
# existing pair alone and exits 0, so this is safe on every run.
make-ssl-cert generate-default-snakeoil

# Make sure the permissions on /etc/ssl/private are okay: the directory is
# group-owned by ssl-cert and group-searchable (x only, not r), so members
# of the group can reach the snakeoil key inside it without being able to
# list the directory's other contents.
chgrp ssl-cert /etc/ssl/private
chmod g+x /etc/ssl/private

# If we're upgrading from an older version (< 1.0.12), fix the unreadable
# key: group-own it by ssl-cert and make it group-readable, which is what
# the directory permissions set above are there to allow.
# NOTE(review): unlike the vulnerable-key check above, $2 is not guarded
# with -n here, so on a fresh install dpkg is handed an empty version; it
# appears to treat that as earlier than anything (possibly with a warning),
# in which case this block also runs on first install -- confirm, though
# the effect is only to set the intended group and mode.
if dpkg --compare-versions "$2" lt 1.0.12; then
	chgrp ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
	chmod g+r /etc/ssl/private/ssl-cert-snakeoil.key
fi

#DEBHELPER#
