### -*-sh-*-
###
### Key type for OpenSSL
###
### (c) 2015 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of the distorted.org.uk key management suite.
###
### distorted-keys is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### distorted-keys is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with distorted-keys; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

R_OPT="$R_IDENT:$R_IDENT"
R_OPTSEQ="$R_OPT\([[:space:]][[:space:]]*$R_OPT\)*"

R_TYPE="[$R_IDENTCHARS[:space:]][$R_IDENTCHARS[:space:]]*"
R_BASE64="[a-zA-Z0-9+/]*=*"
R_PARAMS="$R_TYPE:$R_BASE64"

defprops k_props <<EOF
algorithm		t	$R_WORD
opts			t	$R_OPTSEQ
params			t	$R_PARAMS
fresh_params_p		t	$R_IDENT
cipher			t	$R_WORD
sig_opts		t	$R_OPTSEQ
enc_opts		t	$R_OPTSEQ
EOF

: ${kprop_cipher=aes-256-cbc}
: ${kprop_fresh_params_p=nil}; boolify kprop_fresh_params_p
have_opts_p=${kprop_opts+t}${kprop_opts-nil}
have_params_p=${kprop_params+t}${kprop_params-nil}
have_alg_p=${kprop_algorithm+t}${kprop_algorithm-nil}

pem_to_line () {
  ## Read an OpenSSL PEM file from stdin and write a condensed one-line
  ## version to stdout.
  sed '/^-----BEGIN \(.*\)-----$/s//\1:/; /^-----END .*-----$/d' |
  tr -d '\n'
}

line_to_pem () {
  line=$1
  ## Write to stdout an OpenSSL PEM file corresponding to LINE.

  ty=${line%%:*}
  echo "-----BEGIN $ty-----"
  echo "${line#*:}" | fold -w64
  echo "-----END $ty-----";
}

intersperse_opts () {
  flag=$1 opts=$2

  args= sep=
  for i in $opts; do args="$args$sep$flag $i" sep=" "; done
  echo "$args"
}

k_generate() {
  base=$1 nub=$2

  ## Convert the options into OpenSSL command-line options.
  opts=$(intersperse_opts -pkeyopt "$kprop_opts")

  ## Prepare our ducks, ensuring that they're collinear.
  case $have_params_p,$have_alg_p,$kprop_fresh_params_p,$have_opts_p in
    t,nil,nil,nil)
      line_to_pem "$kprop_params" >$TMP/param
      args="-paramfile $TMP/param"
      ;;
    nil,t,t,*)
      openssl genpkey -genparam -algorithm $kprop_algorithm $opts >$TMP/param
      args="-paramfile $TMP/param"
      ;;
    nil,t,nil,*)
      args="-algorithm $kprop_algorithm $opts"
      ;;
    *)
      echo >&2 "$quis: invalid combination of properties"
      exit 1
      ;;
  esac

  ## Generate the private key.
  openssl -cipher $kprop_cipher -pass file:"$nub" -out "$base/priv"

  ## Extract the public key.
  openssl -passin file:"$nub" -in "$base/priv" -pubout "$base/pub"
}

k_encrypt () {
  base=$1

  openssl pkeyutl -encrypt -pubin -inkey "$base/pub" \
    $(intersperse_opts -pkeyopt "$kprop_enc_opts")
}

k_decrypt () {
  base=$1 nub=$2

  openssl pkeyutl -decrypt -passin file:"$nub" -inkey "$base/priv"
}

k_sign () {
  base=$1 nub=$2

  openssl pkeyutl -sign -passin file:"$nub" -inkey "$base/priv" \
    $(intersperse_opts -pkeyopt "$kprop_sig_opts") >$TMP/sig
  pem_to_line <$TMP/sig
}

k_verify () {
  base=$1 sig=$3

  line_to_pem "$3" >$TMP/sig
  openssl pkeyutl -verify -pubin -inkey "$base/pub" -sigfile $TMP/sig
}

###----- That's all, folks --------------------------------------------------