#!/bin/bash

# This tool installs the client certificate in Firefox and Chromium.

username="$1"

userhome="/home/$username"
certificate="$userhome/.config/clientcert.p12"

runuser -u "$username" -- mkdir -p "$userhome/.config"
mv "$userhome/clientcert.p12" "$certificate"
chown "$username:$username" "$certificate"

# Delete all Firefox data
rm -rf "$userhome/.mozilla/"

# Create an empty profile
runuser -u "$username" -- mkdir -p "$userhome/.mozilla/firefox/main"

# Tell Firefox to user this profile
cat <<EOF >"$userhome/.mozilla/firefox/profiles.ini"
[Profile0]
Name=main
IsRelative=1
Path=main

[General]
StartWithLastProfile=1
Version=2

[Install3B6073811A6ABF12]
Default=main
Locked=1

EOF

chown "$username:$username" "$userhome/.mozilla/firefox/profiles.ini"

# Create a certificate database
runuser -u "$username" -- certutil -d "sql:$userhome/.mozilla/firefox/main/" -N --empty-password

# Import the client certificate
runuser -u "$username" -- pk12util -d "sql:$userhome/.mozilla/firefox/main/" -i "$certificate" -K "" -W ""

# Do the same for the NSS shared certificate database, used by Chromium
rm -rf "$userhome/.pki/"
runuser -u "$username" -- mkdir -p "$userhome/.pki/nssdb"
runuser -u "$username" -- certutil -d "sql:$userhome/.pki/nssdb/" -N --empty-password
runuser -u "$username" -- pk12util -d "sql:$userhome/.pki/nssdb/" -i "$certificate" -K "" -W ""