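#!/bin/sh
# keygen.sh — generate an Ed25519 keypair for signing release binaries and SSH access
#
# Usage:
#   sh scripts/keygen.sh <name>
#
# Output:
#   ~/.keys/<name>.key      — private key PEM (KEEP SECRET, never commit)
#   ~/.keys/<name>.key.pub  — SSH public key (OpenSSH format, for authorized_keys)
#   developers/<name>.pub   — raw base64 public key (for binary signing, commit this)
#
# The same key is used for both release signing and SSH access to debug LiveCD.
# Requirements: openssl 3.x, python3
#
# Note: POSIX sh has no `pipefail`, so the openssl steps write to files instead
# of running inside pipelines; a failing openssl then aborts under `set -e`
# rather than leaving an empty or truncated key file behind.

set -e

# Everything this script creates (private key, temp DER) must never be readable
# by other users, not even briefly between creation and the explicit chmod.
umask 077

NAME="$1"
if [ -z "$NAME" ]; then
  echo "Usage: sh scripts/keygen.sh <name>" >&2
  echo "Example: sh scripts/keygen.sh mchusavitin" >&2
  exit 1
fi

# NAME is spliced into filesystem paths: restrict it to a plain identifier so
# it cannot carry path separators, "..", or a leading "-"/"." .
case "$NAME" in
  *[!A-Za-z0-9._-]* | .* | -*)
    echo "Invalid name '$NAME': use letters, digits, '.', '_' or '-' only (not starting with '.' or '-')" >&2
    exit 1
    ;;
esac

KEYS_DIR="$HOME/.keys"
PRIVATE_KEY_PATH="$KEYS_DIR/${NAME}.key"
SSH_PUB_PATH="$KEYS_DIR/${NAME}.key.pub"
DEVELOPERS_DIR="$(dirname "$0")/../developers"
PUBLIC_KEY_PATH="$DEVELOPERS_DIR/${NAME}.pub"

if [ -f "$PRIVATE_KEY_PATH" ]; then
  echo "Private key already exists at $PRIVATE_KEY_PATH" >&2
  echo "Delete it manually if you want to regenerate." >&2
  exit 1
fi

# Fail early, before any key material is generated, if the checkout layout or
# the required tools are not what the script expects.
if [ ! -d "$DEVELOPERS_DIR" ]; then
  echo "Directory $DEVELOPERS_DIR not found (expected next to scripts/ in the checkout)" >&2
  exit 1
fi
for tool in openssl python3; do
  command -v "$tool" >/dev/null 2>&1 || { echo "Required tool not found: $tool" >&2; exit 1; }
done

# Temp file for the DER public key; removed on every exit path.
DER_TMP=$(mktemp)
trap 'rm -f -- "$DER_TMP"' EXIT

mkdir -p "$KEYS_DIR"
chmod 700 "$KEYS_DIR"

# Generate Ed25519 private key (PEM format). umask 077 above already makes the
# file owner-only; the chmod keeps the intended mode explicit.
openssl genpkey -algorithm ed25519 -out "$PRIVATE_KEY_PATH"
chmod 600 "$PRIVATE_KEY_PATH"

# Export the public key once as DER SubjectPublicKeyInfo; both public-key
# files below are derived from this single artifact.
openssl pkey -in "$PRIVATE_KEY_PATH" -pubout -outform DER -out "$DER_TMP"

# The python program is the heredoc on stdin, so the key material must reach it
# through a file path. (Piping the PEM into `python3 -` while also attaching a
# heredoc makes stdin the heredoc; the PEM is never read and the resulting
# authorized_keys line would carry an empty key.)
python3 - "$DER_TMP" "$NAME" "$PUBLIC_KEY_PATH" "$SSH_PUB_PATH" <<'PYEOF'
# Derive both public-key outputs from the Ed25519 DER SubjectPublicKeyInfo.
import sys, base64, struct

der_path, name, signing_pub_path, ssh_pub_path = sys.argv[1:5]

with open(der_path, "rb") as f:
    der = f.read()

# RFC 8410 SubjectPublicKeyInfo for Ed25519 is a fixed 12-byte header
# (SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING }) followed by the
# 32-byte raw public key. Verify it instead of blindly slicing the last
# 32 bytes, so a failed or foreign export cannot yield a bogus key file.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
    sys.exit(f"error: {der_path} is not an Ed25519 SubjectPublicKeyInfo ({len(der)} bytes)")
raw = der[len(ED25519_SPKI_PREFIX):]

# Raw base64 public key for release signing (same text `base64` would emit).
with open(signing_pub_path, "w") as f:
    f.write(base64.b64encode(raw).decode() + "\n")

# OpenSSH wire format: length-prefixed "ssh-ed25519" + length-prefixed key.
def pack(b):
    return struct.pack(">I", len(b)) + b

wire = pack(b"ssh-ed25519") + pack(raw)
b64 = base64.b64encode(wire).decode()
with open(ssh_pub_path, "w") as f:
    f.write(f"ssh-ed25519 {b64} {name}\n")
print(f"SSH public key: {ssh_pub_path}")
PYEOF

# The signing public key is committed and meant to be read by anyone; undo the
# owner-only mode the umask gave it. The SSH public key stays owner-only.
chmod 644 "$PUBLIC_KEY_PATH"
chmod 600 "$SSH_PUB_PATH"

printf '%s\n' "Private key: $PRIVATE_KEY_PATH (DO NOT share or commit)"
printf '%s\n' "Signing pub key: $PUBLIC_KEY_PATH (commit this to the keys repo)"
printf '%s\n' "SSH pub key: $SSH_PUB_PATH (add to LiveCD authorized_keys)"
printf '%s\n' ""
printf '%s\n' "Next steps:"
printf '%s\n' " 1. git add developers/${NAME}.pub && git commit -m 'add ${NAME} public key'"
printf '%s\n' " 2. git push"
printf '%s\n' " 3. Rebuild any release binaries to include the new key"
printf '%s\n' " 4. To SSH into debug LiveCD: sh iso/builder/build-debug.sh --authorized-keys ${SSH_PUB_PATH}"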