#!/usr/bin/env bash
#
# Generate a Client Authorization keypair.
#
# Based on https://community.torproject.org/onion-services/advanced/client-auth/
# See also https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b
#
# Copyright (C) 2023 Silvio Rhatto <rhatto@riseup.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published
# by the Free Software Foundation, either version 3 of the License,
# or any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Parameters
BASENAME="`basename $0`"
ONION_AUTH_BASEDIR="$HOME/.tor/clientauthkeys"
KEY_PREFIX="${1}"
GENERATED_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv.pem"
PRIVATE_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.priv"
PUBLIC_KEY="$ONION_AUTH_BASEDIR/$KEY_PREFIX.pub"
AUTH_FILE="$ONION_AUTH_BASEDIR/$KEY_PREFIX.auth"

# Ensuse the auth keys folder exists
mkdir -p $ONION_AUTH_BASEDIR  || exit 1
chmod 700 $ONION_AUTH_BASEDIR || exit 1

# Syntax
if [ -z "$KEY_PREFIX" ]; then
  echo "usage: $BASENAME <key-prefix>"
  exit 1
fi

# Key checks
if [ -e "$ONION_AUTH_BASEDIR/$AUTH_FILE" ]; then
  echo "$BASENAME: key $AUTH_FILE already exists"
  exit 1
fi

# Tool checks
for tool in openssl base64pem base32; do
  if ! which $tool &> /dev/null; then
    echo "Cannot find $tool too, aborting."
    exit 1
  fi
done

# Ensure files exists with the proper permissions
touch     $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE
chmod 600 $GENERATED_KEY $PRIVATE_KEY $PUBLIC_KEY $AUTH_FILE

# Generate the private keypair
openssl genpkey -algorithm x25519 -out $GENERATED_KEY

# Write the private key in a separate file
cat $GENERATED_KEY       | \
  grep -v " PRIVATE KEY" | \
  base64pem -d           | \
  tail --bytes=32        | \
  base32                 | \
  sed 's/=//g' > $PRIVATE_KEY

# Write the public key in a separate file
cat $GENERATED_KEY                      | \
openssl pkey -in $GENERATED_KEY -pubout | \
  grep -v " PUBLIC KEY"                 | \
  base64pem -d                          | \
  tail --bytes=32                       | \
  base32                                | \
  sed 's/=//g' > $PUBLIC_KEY

# Write the public key in Tor's Client Authorization format
echo "descriptor:x25519:`cat $PUBLIC_KEY`" > $AUTH_FILE