#!/usr/bin/env perl

# Copyright © 2014-2023 Jakub Wilk <jwilk@jwilk.net>
# SPDX-License-Identifier: MIT

use v5.10;

use strict;
use warnings;

no lib '.';

use English qw(-no_match_vars);
use FindBin ();

use IO::Socket::SSL;

chdir("$FindBin::Bin/..")
    or die $ERRNO;

my %hosts = (
    'online.mbank.pl' => 'ca.crt',
    'www.howsmyssl.com' => 't/howsmyssl-ca.crt',
);

my $rc = 0;
while (my ($host, $file) = each %hosts) {
    print {*STDERR} "$host ... ";
    my $pem = undef;
    my $callback = sub {
        my ($ok, undef, undef, undef, $cert) = @_;
        $pem //= Net::SSLeay::PEM_get_string_X509($cert);
        $pem //= '';
        return $ok;
    };
    eval {
        IO::Socket::SSL->new(
            PeerHost => $host,
            PeerPort => 'https',
            SSL_verify_mode => SSL_VERIFY_PEER,
            SSL_verifycn_scheme => 'http',
            SSL_verify_callback => $callback,
        ) or die $IO::Socket::SSL::SSL_ERROR;
        $pem
            or die 'unable to determine CA';
        open(my $fh, '>', "$file.new")
            or die $ERRNO;
        print {$fh} $pem;
        close($fh)
            or die $ERRNO;
        rename("$file.new", $file)
            or die $ERRNO;
    } or do {
        my $error = "$EVAL_ERROR";
        my $cruft = 'IO::Socket::IP configuration failed SSL connect attempt failed with unknown error';
        $error =~s /\A\Q$cruft error/error/;
        $error =~ s/\n+\z//;
        print {*STDERR} "FAIL: $error\n";
        $rc = 1;
        next;
    };
    print {*STDERR} "ok\n";
}
exit($rc);

# vim:ts=4 sts=4 sw=4 et
