#!/usr/bin/env bash

# For the license, see the LICENSE file in the root directory.
#set -x

TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca

workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1

ek="80" # 2048 bit key must have highest bit set
for ((i = 1; i < 256; i++)); do
  ek="${ek}$(printf "%02x" "$i")"
done

SIGNINGKEY=${workdir}/signingkey.pem
ISSUERCERT=${workdir}/issuercert.pem
CERTSERIAL=${workdir}/certserial

PATH=${TOPBUILD}/src/swtpm_cert:$PATH

source "${TESTDIR}/common"

if ${CERTTOOL} --help | grep -q -E "\--verify-profile"; then
	verify_profile="--verify-profile=medium"
fi

trap "cleanup" SIGTERM EXIT

function cleanup()
{
	rm -rf "${workdir}"
}

cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
statedir=${workdir}
signingkey = ${SIGNINGKEY}
issuercert = ${ISSUERCERT}
certserial = ${CERTSERIAL}
signingkey_password = password
_EOF_

cat <<_EOF_ > "${workdir}/swtpm-localca.options"
--tpm-manufacturer IBM
--tpm-model swtpm-libtpms
--tpm-version 2
--platform-manufacturer Fedora
--platform-version 2.1
--platform-model QEMU
_EOF_

# the following contains the test parameters and
# expected key usage
for testparams in \
	"--allow-signing|Digital signature" \
	"--allow-signing --decryption|Digital signature,Key encipherment" \
	"--decryption|Key encipherment" \
	"|Key encipherment";
do
  params=$(echo "${testparams}" | cut -d"|" -f1)
  usage=$(echo "${testparams}" | cut -d"|" -f2)

  if ! ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid test \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params:+${params}}; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  # Signing key should always be password protected
  if ! grep -q "ENCRYPTED PRIVATE KEY" "${SIGNINGKEY}"; then
    echo "Error: Signing key is not password protected."
    exit 1
  fi

  # For the root CA's key we flip the password protection
  if [ -n "${SWTPM_ROOTCA_PASSWORD}" ] ;then
     if ! grep -q "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem"; then
       echo "Error: Root CA's private key is not password protected."
       exit 1
     fi
     unset SWTPM_ROOTCA_PASSWORD
  else
     if grep -q "ENCRYPTED PRIVATE KEY" "${workdir}/swtpm-localca-rootca-privkey.pem"; then
       echo "Error: Root CA's private key is password protected but should not be."
       exit 1
     fi
     export SWTPM_ROOTCA_PASSWORD=xyz
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  OIFS="$IFS"
  IFS=","

  for u in $usage; do
    echo "$u"
    if ! ${CERTTOOL} -i \
            --inder --infile "${workdir}/ek.cert" | \
            grep "Key Usage" -A2 | \
            grep -q "$u"; then
      echo "Error: Could not find key usage $u in key created " \
           "with $params."
    else
      echo "Found '$u'"
    fi
  done

  IFS="$OIFS"

  ${CERTTOOL} \
    -i \
    --inder --infile "${workdir}/ek.cert" \
    --outfile "${workdir}/ek.pem"

  if ! ${CERTTOOL} \
    --verify \
    ${verify_profile:+${verify_profile}} \
    --load-ca-certificate "${ISSUERCERT}" \
    --infile "${workdir}/ek.pem"; then
    echo "Error: Could not verify certificate chain."
    exit 1
  fi

  # Delete all keys to have CA re-created
  rm -rf "${workdir}"/*.pem
done

echo "Test 1: OK"
echo

#A few tests with odd vm Ids
for vmid in \
	"s p a c e|s p a c e" \
	"\$(ls)>foo|\$(ls)\>foo" \
	"\`ls\`&; #12|\`ls\`&\; #12" \
	"foo>&1<&2;\$(ls)|foo\>&1\<&2\;\$(ls)" \
	"'*|'*" \
	'"*|\"*' \
	":\$\$|:\$\$" \
	"\${t}[]|\${t}[]";
do
  in=$(echo "$vmid" | cut -d"|" -f1)
  exp=$(echo "$vmid" | cut -d"|" -f2)

  if ! ${SWTPM_LOCALCA} \
    --type ek \
    --ek "${ek}" \
    --dir "${workdir}" \
    --vmid "$in" \
    --tpm2 \
    --configfile "${workdir}/swtpm-localca.conf" \
    --optsfile "${workdir}/swtpm-localca.options" \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 0 \
    ${params:+${params}} &>/dev/null; then
    echo "Error: Test with parameters '$params' failed."
    exit 1
  fi

  if [ ! -r "${workdir}/ek.cert" ]; then
    echo "Error: ${workdir}/ek.cert was not created."
    exit 1
  fi

  ac=$(${CERTTOOL} -i --inder --infile "${workdir}/ek.cert" | \
       sed -n "s/.*Subject: CN=\(.*\)$/\1/p")
  if [ "$ac" != "$exp" ]; then
    echo "Error: unexpected subject string"
    echo "actual   : $ac"
    echo "expected : $exp"
  else
    echo "Pass: $ac"
  fi
done

echo "Test 2: OK"

exit 0
