#!/bin/sh

set -eu
umask 022

tmpdir="$(mktemp -d -p /etc/mail)"
trap 'rm -rf "$tmpdir"' EXIT
chmod 0755 "$tmpdir"

awk '{
    if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
    else if ($0 == "-----END CERTIFICATE-----") print cert
    else cert=cert$0
}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do
    echo "$CERT" | base64 -d | openssl x509 -inform DER > \
        "${tmpdir}/$(echo "$CERT" | base64 -d | openssl x509 -inform DER -hash -noout).0"
done

if ! diff -q "$tmpdir" "/etc/mail/certs" > /dev/null 2>&1 ; then
    rm -rf /etc/mail/certs
    mv "$tmpdir" /etc/mail/certs
    exit 0
fi

exit 1