#!/bin/bash
#
# security-checksystem
#
# Checks to see if the System.keychain is intact and working.
# If it isn't, replaces it with a new, empty, working one.
#
# Warning: This script cannot tell *why* the System.keychain cannot
# unlock. If you have reconfigured the system to intentionally deny
# access, remove this code or you will get it "fixed" on reboot.
#
export PATH=/usr/bin:/bin:/usr/sbin:/sbin

KEYCHAIN=/Library/Keychains/System.keychain
KEY=/var/db/SystemKey

/usr/bin/security show-keychain-info "$KEYCHAIN" 2>/dev/null
if [ $? -ne 0 ] ; then
	# can't unlock System.keychain
	NOW=$(date "+%F.%T")
	/usr/bin/logger -p daemon.alert "Recreating System.keychain because it cannot unlock; see $0"
	/bin/mv -f "$KEYCHAIN" "$KEYCHAIN.$NOW" 2>/dev/null
	/bin/mv -f "$KEY" "$KEY.$NOW" 2>/dev/null
	/usr/sbin/systemkeychain -C -f
fi

SYSTEM_KC_LIST=`/usr/bin/security list-keychains -d system 2>/dev/null`
KCTEST=`printf "%s" "$SYSTEM_KC_LIST" | /usr/bin/grep \""$KEYCHAIN"\"`
if [ -z "$KCTEST" ] ; then
	# System.keychain not in the search list for the system domain
	/usr/bin/logger -p daemon.alert "Adding System.keychain to system keychain list; see $0"
	/usr/bin/security list-keychains -d system -s "$KEYCHAIN"
fi
COMMON_KC_LIST=`/usr/bin/security list-keychains -d common 2>/dev/null`
KCTEST=`printf "%s" "$COMMON_KC_LIST" | /usr/bin/grep \""$KEYCHAIN"\"`
if [ -z "$KCTEST" ] ; then
	# System.keychain not in the search list for the common domain
	/usr/bin/logger -p daemon.alert "Adding System.keychain to common keychain list; see $0"
	/usr/bin/security list-keychains -d common -s "$KEYCHAIN"
fi

exit 0