#!/bin/bash
#
# Generate keypairs.
#
# This script is just a wrapper to easily generate keys for
# automated systems.
# 

# Generate a keypair, ssh version
function genpair_ssh {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  read -p "Hit ENTER to continue." prompt

  # TODO: programatically enter blank passphrase twice
  ssh-keygen -t dsa -f $TMPWORK/id_dsa -C "root@$NODE"

  # Encrypt the result
  echo "Encrypting secret key into keyringer..."
  cat $TMPWORK/id_dsa     | keyringer_exec encrypt $BASEDIR $FILE
  echo "Encrypting public key into keyringer..."
  cat $TMPWORK/id_dsa.pub | keyringer_exec encrypt $BASEDIR $FILE.pub

  # TODO: add outfiles into version control
  if [ ! -z "$OUTFILE" ]; then
    mkdir -p `dirname $OUTFILE`
    echo Saving copies at $OUTFILE and $OUTFILE.pub
    cat $TMPWORK/id_dsa     > $OUTFILE
    cat $TMPWORK/id_dsa.pub > $OUTFILE.pub
  fi

  echo "Done"  
}

# Generate a keypair, gpg version
function genpair_gpg {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  read -s -p "Enter password for the private key: " passphrase
  
  # TODO: insert 279 random bytes
  # TODO: custom Name-Comment and Name-Email
  # TODO: allow for empty passphrases
  gpg --homedir $TMPWORK --gen-key --batch <<EOF
    Key-Type: RSA
    Key-Length: 4096
    Subkey-Type: ELG-E
    Subkey-Length: 4096
    Name-Real: $NODE
    Name-Comment: backupninja
    Name-Email: root@$NODE
    Expire-Date: 0
    Passphrase: $passphrase
    %commit
EOF

  # Encrypt the result
  echo "Encrypting secret key into keyringer..."
  gpg --armor --homedir $TMPWORK --export-secret-keys | keyringer_exec encrypt $BASEDIR $FILE
  echo "Encrypting public key into keyringer..."
  gpg --armor --homedir $TMPWORK --export             | keyringer_exec encrypt $BASEDIR $FILE.pub
  echo "Encrypting passphrase into keyringer..."
  echo "Passphrase for $FILE: $passphrase"         | keyringer_exec encrypt $BASEDIR $FILE.passwd

  # TODO: add outfiles into version control
  if [ ! -z "$OUTFILE" ]; then
    mkdir -p `dirname $OUTFILE`
    echo Saving copies at $OUTFILE and $OUTFILE.pub
    gpg --armor --homedir $TMPWORK --export-secret-keys > $OUTFILE
    gpg --armor --homedir $TMPWORK --export             > $OUTFILE.pub
  fi

  echo "Done"  
}

# Generate a keypair, ssl version
function genpair_ssl {
  echo "Make sure that $KEYDIR is atop of an encrypted volume."
  read -p "Hit ENTER to continue." prompt

  # Setup
  cd $TMPWORK

  # Generate certificate
  $LIB/csr.sh $NODE

  # Self-sign
  openssl x509 -in $NODE"_csr.pem" -out $NODE.crt -req -signkey $NODE"_privatekey.pem" -days 365
  chmod 600 $NODE"_privatekey.pem"

  # Encrypt the result
  echo "Encrypting private key into keyringer..."
  cat $NODE"_privatekey.pem" | keyringer_exec encrypt $BASEDIR $FILE.pem
  echo "Encrypting certificate request into keyringer..."
  cat $NODE"_csr.pem"        | keyringer_exec encrypt $BASEDIR $FILE.csr
  echo "Encrypting certificate into keyringer..."
  cat $NODE.crt              | keyringer_exec encrypt $BASEDIR $FILE.crt

  cd $CWD

  if [ ! -z "$OUTFILE" ]; then
    mkdir -p `dirname $OUTFILE`
    echo Saving copies at $OUTFILE.pem, $OUTFILE.csr and $OUTFILE.crt
    cat $TMPWORK/$NODE"_privatekey.pem" > $OUTFILE.pem
    cat $TMPWORK/$NODE"_csr.pem"        > $OUTFILE.csr
    cat $TMPWORK/$NODE.crt              > $OUTFILE.crt
  fi

  # Show cert fingerprint
  openssl x509 -noout -in $TMPWORK/$NODE.crt -fingerprint

  echo "Done"
}

# Load functions
LIB="`dirname $0`/../../lib/keyringer"
source $LIB/functions || exit 1

# Aditional parameters
KEYTYPE="$2"
FILE="$3"
NODE="$4"
OUTFILE="$5"
CWD="`pwd`"

# Verify
if [ -z "$NODE" ]; then
  echo -e "Usage: keyringer <keyring> $BASENAME <gpg|ssh|ssl> <file> <hostname> [outfile]"
  echo -e "Options:"
  echo -e "\t gpg|ssh|ssl: key type."
  echo -e "\t file       : base file name for encrypted output (relative to keys folder)"
  echo -e "\t hostname   : host for the key pair"
  echo -e "\t outfile    : optional unencrypted output file, useful for deployment"
  exit 1
elif [ ! -e "$KEYDIR" ]; then
  echo "Folder not found: $KEYDIR, leaving"
  exit 1
fi

# Set a tmp file
keyringer_set_tmpfile genpair -d

# Dispatch
echo "Generating $KEYTYPE for $NODE..."
genpair_$KEYTYPE

# Cleanup
cd $CWD
rm -rf $TMPWORK
trap - EXIT