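#!/bin/sh
# Provision the samizdat key material under "$ROOT" with kiki:
#   1. import or generate the tor onion-service key,
#   2. derive the .onion hostname from it (it names the strongswan key),
#   3. import or generate the strongswan and ssh secret keys,
#   4. export the ssh public keys that do not exist yet.
# Environment: ROOT - prefix of the target tree (empty means the running system).
# Input: the kiki passphrase on stdin; prompted without echo when stdin is a tty.

export GNUPGHOME="$ROOT/gpg/gnupghome"

# Print the onion hostname derived from the RSA private key in $1: base32 of
# the first 10 bytes of sha1 over the DER public key as written by
# `ssh-keygen -m PEM -e`.  Fails (non-zero) when ssh-keygen cannot read the
# key instead of hashing empty input into a bogus hostname.
pem_to_onion_url() {
    perl -MMIME::Base64 -MDigest::SHA=sha1 -MMIME::Base32=RFC -e '
        # list-form open passes the path as an argument instead of through a
        # shell, so a path with blanks or metacharacters cannot alter the command
        open(my $fh, "-|", "ssh-keygen", "-m", "PEM", "-e", "-f", $ARGV[0])
            or die "ssh-keygen: $!\n";
        my @pem = <$fh>;
        close($fh) or die "ssh-keygen failed (status $?)\n";
        my $key = decode_base64(join "", grep {!/[-:]/} @pem);
        printf "%s.onion\n", lc MIME::Base32::encode(substr(sha1($key), 0, 10))' "$1"
}

# Export the public key of kiki keypair $1 to $2 unless $2 already exists.
# The export is written to a temporary name and renamed only on success, so
# a failing kiki or ssh-keygen does not leave an empty $2 behind that the
# next run would mistake for a finished export.
# Returns 0 when $2 exists or was exported, 1 when the export failed.
makepub () {
    tag="$1" path="$2"
    [ -f "$path" ] && return 0
    mkdir -p "$(dirname "$path")" || return 1
    tmp="$path.tmp"
    if kiki --show-pem "$tag" | ssh-keygen -f /dev/stdin -i -m PKCS8 > "$tmp"; then
        mv -- "$tmp" "$path" && echo "$path": exported >&2
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# Read the passphrase into $passphrase.  On a terminal, prompt and turn echo
# off while typing so the passphrase is not shown on screen; the saved tty
# settings are restored on every exit path.  -r keeps backslashes literal and
# the empty IFS keeps surrounding blanks, so the passphrase reaches kiki as
# typed.  As before, EOF without a newline still yields whatever was read.
read_passphrase() {
    if tty -s; then
        tty_state=$(stty -g)
        trap 'stty "$tty_state"' EXIT
        printf 'Passphrase: '
        stty -echo
    fi
    IFS= read -r passphrase
    if tty -s; then
        stty "$tty_state"
        trap - EXIT
        echo
    fi
}

# Feed the passphrase to kiki through a pipe (fd 0), never through argv, so
# it does not show up in the process list.  printf rather than echo: a
# passphrase containing backslashes or starting with "-" must pass verbatim.
send_passphrase() {
    printf '%s\n' "$passphrase"
}

# External commands invoked by kiki in order to generate keys.
# Notice that $file will not be interpolated until kiki runs the command.
# 1024 bits: this template is shared by the tor key, which the onion scheme
# above is tied to; the strongswan key inherits the same size.
# TODO(review): give strongswan its own template with a larger key size.
ssh='mkdir -p "$(dirname "$file")" && ssh-keygen -P "" -q -f "$file" -b 2048'
ssl='mkdir -p "$(dirname "$file")" && openssl genrsa -out "$file" 1024'

read_passphrase

# First, we ensure that the tor key exists and is imported
# so that we know where to put the strongswan key.
torkey="$ROOT"/var/lib/tor/samizdat/private_key
send_passphrase | \
    kiki --keypairs tor="$torkey"{"$ssl"} \
         --passphrase-fd 0 || exit
onion_url=$(pem_to_onion_url "$torkey") || exit

# Now import, export, or generate the remaining secret keys.
send_passphrase | \
    kiki --keypairs \
         strongswan="$ROOT"/etc/ipsec.d/private/"$onion_url".pem{"$ssl"} \
         ssh-client="$ROOT"/root/.ssh/id_rsa{"$ssh"} \
         ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key{"$ssh"} \
         --passphrase-fd 0 || exit

# Finally, export public keys if they do not exist.
makepub ssh-client "$ROOT/root/.ssh/id_rsa.pub" || exit
makepub ssh-host "$ROOT/etc/ssh/ssh_host_rsa_key.pub" || exit

# TODO: makepub can be made obsolete by implementing something like this:
# kiki --public ssh-client=$ROOT$HOME/.ssh/id_rsa.pub \
#      ssh-host="$ROOT"/etc/ssh/ssh_host_rsa_key.pub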