#!/bin/sh

# To allow Rudder to provide its own version of openssl
PATH=/opt/rudder/bin:$PATH
export PATH

if type openssl 2>/dev/null >/dev/null
then
  :
else
  echo "ERROR: openssl binary is missing !"
  exit 1
fi

# md4 md5 sha sha1 sha224 sha256 sha384 sha512 whirlpool
# The oldest openssl we support is 0.9.8 and it supports sha512
HASH=sha512

# the file to sign
FILE="$1"
if [ ! -f "${FILE}" ]
then
  echo "ERROR: Cannot sign: The file ${FILE} doesn't exist"
  exit 2
fi

VERSION="$2"
# default version is 1.0
# Versions 1.x are compatible
if [ "${VERSION}" = "" ]
then
  VERSION="1.0"
fi

# the key to use for signature
PRIVKEY="/var/rudder/cfengine-community/ppkeys/localhost.priv"
PUBKEY="/var/rudder/cfengine-community/ppkeys/localhost.pub"

# cfengine  passphrase
PASSPHRASE="Cfengine passphrase"

# Create signature
SIGNATURE=`openssl dgst -passin "pass:${PASSPHRASE}" -${HASH} -hex -sign "${PRIVKEY}" < "${FILE}" | sed -e 's/.*= //'`

# Hostname (informative only, it can be slightly different from the rudder detected one)
HOSTNAME=`hostname 2>/dev/null`
[ -z "${HOSTNAME}" ] && HOSTNAME=`hostnamectl hostname 2>/dev/null`

# Private key modification date
if [ `uname -s` = "Darwin" ]
then
  KEYDATE=`stat -f "%Sm" ${PRIVKEY}`
else
  KEYDATE=`stat -c %y ${PRIVKEY}`
fi

# Public key identifier (last 4 bytes of the modulus)
KEYID=`openssl rsa -passin "pass:${PASSPHRASE}" -in "${PRIVKEY}" -noout -modulus | sed 's/.*\(........\)$/\1/'`

if [ "${VERSION}" = "1.0" ]
then
  # Create a signature FILE
  cat > "${FILE}.sign" <<EOF
header=rudder-signature-v1
algorithm=${HASH}
digest=${SIGNATURE}
hostname=${HOSTNAME}
keydate=${KEYDATE}
keyid=${KEYID}
EOF

elif [ "${VERSION}" = "1.1" ]
then
  SHORT_PUBKEY=`sed '/---/d' "${PUBKEY}" | tr -d '\n'`
  HASH_VALUE=`openssl "${HASH}" "${FILE}" | sed "s/.*(.*)= \\(.*\\)/\\1/"`
  # Create a signature FILE
  cat > "${FILE}.sign" <<EOF
header=rudder-signature-v1
algorithm=${HASH}
digest=${SIGNATURE}
hash_value=${HASH_VALUE}
short_pubkey=${SHORT_PUBKEY}
hostname=${HOSTNAME}
keydate=${KEYDATE}
keyid=${KEYID}
EOF

else
  echo "ERROR: Unsupported signature version ${VERSION}"
  exit 1

fi
