#!/bin/sh

TMP=$(mktemp -d)

cert_parsed=$(openssl x509 -in "${1}" -text)

issuer_url=$(echo "${cert_parsed}" | grep "CA Issuers - URI:" | sed -e 's/.*URI://g')
ocsp_url=$(echo "${cert_parsed}" | grep "OCSP - URI" | sed -e 's/.*URI://g')
ocsp_host=$(echo "${ocsp_url}" | sed -e 's:.*//::g' -e 's:/.*::g')

# Getting AIA issuer certificate and converting it to PEM
! wget -q -O "${TMP}/issuer.der" "${issuer_url}" &&
	echo "ERROR: Failed fetching intermediate" && exit 1

! openssl x509 -inform der -in "${TMP}/issuer.der" -outform pem -out "${TMP}/issuer.pem" &&
	echo "ERROR: Failed to parse intermediate" && exit 1

openssl verify "${TMP}/issuer.pem" | grep error
[ $? -eq 0 ] && echo "WARNING: Couldn't verify issuer certificate"

openssl verify -CAfile "${TMP}/issuer.pem" "${1}" | grep error
[ $? -eq 0 ] && echo "WARNING: Couldn't verify certificate signature"

openssl ocsp -issuer "${TMP}/issuer.pem" -cert "${1}" -url "${ocsp_url}" -header Host="${ocsp_host}" -verify_other "${TMP}/issuer.pem" -no_nonce

rm -rf "${TMP}"
