#!/usr/bin/env bash
# Inspect a BIMI mark certificate PEM (VMC or CMC).
# Usage: ./openssl-vmc-inspect.sh /path/to/certificate.pem
set -euo pipefail

PEM="${1:-}"
if [[ -z "$PEM" || ! -f "$PEM" ]]; then
  echo "Usage: $0 /path/to/certificate.pem" >&2
  exit 1
fi

echo "=== Subject / Issuer ==="
openssl x509 -in "$PEM" -noout -subject -issuer

echo "=== Validity ==="
openssl x509 -in "$PEM" -noout -dates

echo "=== Fingerprint ==="
openssl x509 -in "$PEM" -noout -fingerprint -sha256

echo "=== SANs (if any) ==="
openssl x509 -in "$PEM" -noout -ext subjectAltName 2>/dev/null || true

echo "=== Days until expiry ==="
END=$(openssl x509 -in "$PEM" -noout -enddate | cut -d= -f2)
END_EPOCH=$(date -j -f "%b %d %T %Y %Z" "$END" "+%s" 2>/dev/null || date -d "$END" "+%s")
NOW_EPOCH=$(date "+%s")
DAYS=$(( (END_EPOCH - NOW_EPOCH) / 86400 ))
echo "$DAYS"

if (( DAYS < 30 )); then
  echo "WARNING: certificate expires in under 30 days" >&2
fi
