#!/bin/bash

# Script to build NSS and NSPR for a target architecture.  Requires that
# we also build on our host and use some of the resulting binaries.

set -o errtrace
trap 'echo Fatal error: script $0 aborting at line $LINENO, command \"$BASH_COMMAND\" returned $?; exit 1' ERR

readonly LOCAL_PATH=$(dirname $0)

echo '################## NSS ENVIRONMENT ##########################'
echo export TARGET_CC=${TARGET_CC}
echo export TARGET_CFLAGS=${TARGET_CFLAGS}
echo export TARGET_LDFLAGS=${TARGET_LDFLAGS}
echo export TARGET_AR=${TARGET_AR}
echo export TARGET_OUT=${TARGET_OUT}
echo export TARGET_ARCH=${TARGET_ARCH}
echo export HOST_OUT=${HOST_OUT}
echo export NSS_SRC_TAR_GZ=${NSS_SRC_TAR_GZ}
echo export NSS_TOP_DIR=${NSS_TOP_DIR}
echo export CURDIR=${CURDIR}
echo export INSTALL_SYSROOT=${INSTALL_SYSROOT}
echo '################## END NSS ENVIRONMENT #######################'

# Check to make sure we have everything we need for both builds.
if [ -z "${TARGET_CC}" -o -z "${TARGET_CFLAGS}" -o -z "${TARGET_LDFLAGS}" -o \
  -z "${TARGET_AR}" -o -z "${TARGET_OUT}" -o \
  -z "${TARGET_ARCH}" -o -z "${HOST_OUT}" -o -z "${NSS_SRC_TAR_GZ}" -o \
  -z "${NSS_TOP_DIR}" -o -z "${CURDIR}" ]; then
  echo "$0: Missing environment variables needed for build"
  exit 1
fi


# Derive the NSS flags from the target cflags with exceptions
# noted below:
#
# 1) -Ox: we only support optimized target builds
#    (see BUILD_OPT, enable/disable switches below).
# 2) -fpic won't work, upgrade to -fPIC.
# 3) NSS has some questionable string literal comparisons, we
#    need to disable error=address or it won't compile.
# 4) Remove ANDROID defines, includes, DEBUG settings, etc.
#    (NSS configure script should figure out the right values).
# 5) Suppress warnings due to compiler bug
#    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56273
readonly NSS_CFLAGS=$(echo ${TARGET_CFLAGS} \
  -Wno-error=array-bounds \
  -Wno-error=empty-body \
  -Wno-error=old-style-declaration \
  -Wno-error=switch \
  -Wno-error=type-limits \
  -Wno-missing-field-initializers \
  -Wno-sign-compare \
  | sed \
    -e 's/ -O[s0123] / /g' \
    -e 's/ -fpic / -fPIC /g' \
    -e 's/ -Werror=address / /g' \
    -e 's/ -Wstrict-aliasing=2 / /g' \
    -e 's/ -DANDROID / /g' \
    -e 's/ -D__ANDROID__ / /g' \
    -e 's/ -DNDEBUG / /g' \
    -e 's/ -UDEBUG / /g' \
    -e 's/ -include .*\/AndroidConfig-glibc.h / /g' \
    -e 's/ -I system\/.*\/arch-arm / /g' \
    -e 's/ -I system\/.*\/linux-arm\/ / /g' \
    -e 's/ -I system\/.*\/glibc_bridge\/include / /g')

# This still leaves us with lots of important flags which we will use
# to insure compatiblity with the other binaries we will link with
# (e.g. arm v.s. thumb, fixes for unwinding stacks, extra warning checks, etc).
test \! -z "${NSS_CFLAGS}"

# These are relative paths (from the android root).
readonly HOST_OUT_INTERMEDIATES=${HOST_OUT}/obj
readonly TARGET_OUT_INTERMEDIATES=${TARGET_OUT}/obj

# This needs to be an absolute path.
readonly TOP=${CURDIR}

# Top of our toolchain root.  We need this to build
# and will be installing our headers & libs there.
readonly SYSROOT=${TOP}/${TARGET_OUT}/build_sysroot

# Sysroot to install nss files to
if [ -z "${INSTALL_SYSROOT}" ]; then
  INSTALL_SYSROOT = ${SYSROOT}
fi

# Sub directory from which we build NSS.
readonly NSS_DIR=${NSS_TOP_DIR}/nss

# Setup any global NSS build parameters (for both host
# and target).

# Enable support for Elliptic curve cryptography (ECC).
# Some of the chrome unit tests use EC keys and will
# fail without this.
readonly NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC

# First, build everything for the host.  While only a few binaries
# are needed now, others might be useful later.
#
# Notes:
#
# We need nsinstall (for the target build).
# We need certutil (to create a system nssdb).
# We *may* need shlibsign (if we ever want to support FIPS 140).
# We need libraries associated with the above (certutil, shlibsign).

# Note: We make two copies of the source (for host and target)
# as the build process leaves build intermediates all over the
# place.  It is simpler and cleaner to just keep two copies.
# Also by copying and building the sources in our intermediate
# directory, we keep from poluting our source tree.

# Untar host sources
rm -rf ${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}
mkdir -p ${HOST_OUT_INTERMEDIATES}
gunzip -dc ${NSS_SRC_TAR_GZ} | tar xfC - ${HOST_OUT_INTERMEDIATES}

# Do complete host build (assumes 64-bit)
pushd ${HOST_OUT_INTERMEDIATES}/${NSS_DIR}
make BUILD_OPT=1 CC=gcc USE_64=1 nss_build_all
popd

# Locate host commands.
readonly NSINSTALL=$(find \
  ${TOP}/${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/nss/coreconf/nsinstall/ \
  -name nsinstall -type f | head -1)
readonly CERTUTIL=$(find \
  ${TOP}/${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/nss/ \
  -name certutil -type f | head -1)
if [ \! -x "${NSINSTALL}" -o \! -x "${CERTUTIL}" ]; then
  echo "$0: host commands not found"
  exit 1
fi

# Now we are ready to build for the target, setup some variables
# we will need.
readonly TOOLCHAIN_PATH=$(dirname ${TARGET_CC})
readonly CC=$(basename ${TARGET_CC})
readonly AR=$(basename ${TARGET_AR})

export PATH=${PATH}:${TOP}/${TOOLCHAIN_PATH}
readonly TARGET=$(echo $CC | sed 's/-gcc$//')

# Untar target sources
rm -rf ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}
mkdir -p ${TARGET_OUT_INTERMEDIATES}
gunzip -dc ${NSS_SRC_TAR_GZ} | tar xfC - ${TARGET_OUT_INTERMEDIATES}

# Apply target patches, if any.
readonly PATCH_SRC=${TOP}/${LOCAL_PATH}/patches
pushd ${TARGET_OUT_INTERMEDIATES}/${NSS_DIR}/
${PATCH_SRC}/applypatches.sh
popd

# We need to build the target in steps, and each of the build
# components require differnt hacks to get them to cross compile
# with our toolchain / environment.

pushd ${TARGET_OUT_INTERMEDIATES}/${NSS_DIR}

# We can't sign right now, at least until libs are stripped.
# Since we don't use FIPS 140, just disable signing entirely.
readonly SHLIBSIGN=cmd/shlibsign/sign.sh
mv ${SHLIBSIGN} ${SHLIBSIGN}-old
cp ${TOP}/${LOCAL_PATH}/dummy-sign.sh ${SHLIBSIGN}
chmod 755 ${SHLIBSIGN}

# Build NSPR.
make BUILD_OPT=1 \
  NSPR_CONFIGURE_OPTS="--target=${TARGET} --disable-debug --enable-optimize" \
  CC=${CC} DSO_CFLAGS="${NSS_CFLAGS}" LDFLAGS="${TARGET_LDFLAGS}" CPU_TAG=_${TARGET_ARCH} \
  NSINSTALL=${NSINSTALL} build_nspr

# Note: we don't define NSS_USE_SYSTEM_SQLITE, see comments in our gyp
# files.  It would be nice if we could do this.

# Build NSS (depends on our system zlib).
XCFLAGS=""
DSO_LDOPTS="-shared"
XCFLAGS+=" -I${TOP}/external/zlib --sysroot=${SYSROOT}"
DSO_LDOPTS+=" --sysroot=${SYSROOT} ${TARGET_LDFLAGS}"
make BUILD_OPT=1 CPU_TAG=_${TARGET_ARCH} OS_TEST=${TARGET_ARCH} CC=${CC} \
  DSO_CFLAGS="${NSS_CFLAGS}" AR="${AR} cr \$@" NSINSTALL=${NSINSTALL} \
  XCFLAGS="${XCFLAGS}" DSO_LDOPTS="${DSO_LDOPTS}" all

popd

# Now install the target headers and libs into our toolchain
# so we can build content_shell.  Also install libs for our
# run-time.

mkdir -p ${INSTALL_SYSROOT}/usr/include/nspr \
  ${INSTALL_SYSROOT}/usr/include/nss \
  ${INSTALL_SYSROOT}/usr/lib \
  ${TARGET_OUT}/system/lib \
  ${TARGET_OUT}/symbols/system/lib \

# Install headers for NSPR + NSS.
mkdir -p ${INSTALL_SYSROOT}/usr/include/nspr
cp -rpL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/include/* \
  ${INSTALL_SYSROOT}/usr/include/nspr

mkdir -p ${INSTALL_SYSROOT}/usr/include/nss
cp -rpL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/public/nss/* \
  ${INSTALL_SYSROOT}/usr/include/nss

# Install libraries.
for i in libnss3.so libnssutil3.so libsmime3.so libplds4.so libplc4.so \
libnspr4.so libnssckbi.so libsqlite3.so libsoftokn3.so libfreebl3.so \
libfreeblpriv3.so; do
  cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
    ${INSTALL_SYSROOT}/usr/lib
  cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
    ${TARGET_OUT}/symbols/system/lib
  # Note: this will get stripped during the build.
  cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
    ${TARGET_OUT}/system/lib
done

# Create a system-level certificate database to augment the root
# certs stored in libnssckbi.so.  This system DB will by loaded
# by nss_util.cc at NSS initialization time.
#
# Note: For Eureka devices, this replaces the per-user cert DB
# usually loaded by NSS.

# We use this read-only system-level database to add certs not
# delivered as part of NSS's root cert library as well as to
# potentially modify trust settings (e.g. disable certs no
# longer trusted).

# Note: there is a symlink from /etc to /system/etc.
readonly NSSDB=${TARGET_OUT}/system/etc/pki/nssdb
rm -rf ${NSSDB}
mkdir -p ${NSSDB}

# Note: We use an insecure password as we will not be storing
# or encrypting private keys in this system db.  The
# password should not be needed (or used) by content_shell
# as it will simply be retrieving certificates.
readonly PWDFILE=${LOCAL_PATH}/insecure-certdb-password.txt

# Use the new sql sharable nssdb format
readonly SYSDB="sql:${NSSDB}"

HOST_LIBRARY_PATH=$(echo ${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib)

# Create the empty DB
LD_LIBRARY_PATH=${HOST_LIBRARY_PATH} \
  ${CERTUTIL} -N -d ${SYSDB} -f ${PWDFILE}

# Add any needed certs
# Modify trust for any certs (if needed).

# Example only:
#
#LD_LIBRARY_PATH=${HOST_LIBRARY_PATH} \
#  ${CERTUTIL} -A -d ${SYSDB} -f ${PWDFILE} -t T,, -n "evilco.com" \
#  -i "vendor/eureka/ssl-certs/usr/share/ca-certificates/evilco.crt"

exit 0