#!/bin/bash -eux
# Copyright 2014 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

me=${0##*/}
TMP="$me.tmp"

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys
TESTKEYS=${SRCDIR}/tests/testkeys
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh


# Create a copy of an existing keyblock, using the old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it.
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be the same as the dev-key firmware keyblock
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


# Now create it the new way
"${FUTILITY}" --debug sign \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


# Create a keyblock without signing it.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way
"${FUTILITY}" --debug sign \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


# Create one using PEM args

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

# Try it with an external signer

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


# cleanup
rm -rf "${TMP}"*
exit 0