#!/usr/bin/bash

set -eu

cd "$(dirname "$0")"
. ./config # loads constants for YubiHSM object IDs and such
. ./common # gain access to a few helpers
rm -f "$log_pubkey_file" "$log_signature_file" # extracted from yubihsm
rm -f "$witness_pubkey_file" "$witness_signature_file" # extracted from yubihsm
trap clean_up EXIT

###
# Read from backup
###
id=$(yubihsm_probe "to create a backup replica from")
[[ -z "$authkey_passphrase" ]] && read -rp "ENTER authkey passphrase: " authkey_passphrase
[[ -z "$wrapkey_passphrase" ]] && read -rp "ENTER wrapkey passphrase: " wrapkey_passphrase

compability1=""
compability2=""
if version_gt "$yubihsm_version" "2.5.0"; then
  compability1=0
  compability2=asymmetric-key
fi

yubihsm_shell << EOF
    connect
    session open "$BACKUP_AUTH_ID" "$authkey_passphrase"

    get     wrapped 0 "$WRAPPING_KEY_ID" asymmetric-key "$LOGSRV_SIGNING_KEY_ID" $compability1 "$wrap_file_log"
    get     wrapped 0 "$WRAPPING_KEY_ID" asymmetric-key "$WITNESS_SIGNING_KEY_ID" $compability1 "$wrap_file_witness"

    session close   0
EOF

###
# Prepare backup replica
###
id=$(yubihsm_probe "to provision new backup replica onto (must be in factory-reset state)")
yubihsm_shell << EOF
    connect
    session open 1 password

    put     authkey 0 "$BACKUP_AUTH_ID"  "$BACKUP_AUTH_LABEL"  all all                           all                              "$authkey_passphrase"
    put     wrapkey 0 "$WRAPPING_KEY_ID" "$WRAPPING_KEY_LABEL" all import-wrapped,export-wrapped exportable-under-wrap,sign-eddsa "$wrapkey_passphrase"
    put     wrapped 0 "$WRAPPING_KEY_ID" "$wrap_file_log"
    put     wrapped 0 "$WRAPPING_KEY_ID" "$wrap_file_witness"

    get pubkey 0 "$LOGSRV_SIGNING_KEY_ID" $compability2 "$log_pubkey_file"
    get pubkey 0 "$WITNESS_SIGNING_KEY_ID" $compability2 "$witness_pubkey_file"

    sign eddsa 0 "$LOGSRV_SIGNING_KEY_ID"  ed25519 "$message_file" "$log_signature_file"
    sign eddsa 0 "$WITNESS_SIGNING_KEY_ID" ed25519 "$message_file" "$witness_signature_file"

    delete 0 1 authentication-key

    list    objects 0
    session close   0
EOF

openssl pkeyutl -verify -pubin -inkey "$log_pubkey_file"     -sigfile <(base64 -d "$log_signature_file")     -rawin -in "$message_file" >&2
openssl pkeyutl -verify -pubin -inkey "$witness_pubkey_file" -sigfile <(base64 -d "$witness_signature_file") -rawin -in "$message_file" >&2

echo "backup_authkey_passphrase=$authkey_passphrase"
echo "backup_wrapkey_passphrase=$wrapkey_passphrase"
echo "backup_serial_number=$id"
echo ""

echo "logsrv =>"
cat "$log_pubkey_file"
echo ""

echo "witness =>"
cat "$witness_pubkey_file"
