#!/bin/bash

build () { (

  
  set -e
  set -u

  # Grab functions
  [ -f /usr/lib/nannycam/nannycam.functions ] && source /usr/lib/nannycam/nannycam.functions
  [ -f nannycam.functions ] && source nannycam.functions

  # Grab configuration
  DEFAULT_CONFIG="/etc/nannycam.conf"
  if [ -z ${1:-} ]; then
    CONFIG="$DEFAULT_CONFIG"
  else
    CONFIG="$1"
  fi  
  source "$CONFIG"
  TMP=$(mktemp -d)
  AUTH_PUB_KEY_FILE="$TMP$AUTH_KEY_FILE.pub"
  TMP_AUTH_KEY_FILE="$TMP$AUTH_KEY_FILE"

  # This script is expected to be called from mkinitcpio, setup env otherwise
  ensure_mkcpinitio_environment

  # This script calls functions shared with the init hook, so setup that env too
  ensure_initramfs_environment

  # The BUILDROOT and _optgenimg varibles are set in mkinitcpio and I do feel
  # fairly bad for relying on the implementation details, but the interface
  # exposed by init_functions is not really sufficient for determining if the
  # private key will be safe. Better safe than sorry.
  assert_ephemeral "$BUILDROOT"
  assert_ephemeral "$TMP"
  assert_encrypted "$_optgenimg"

  # If any other process on the box reads the private key file then all the
  # protections are for naught.
  assert_root
  mkdir -p $(dirname "$TMP_AUTH_KEY_FILE")
  touch "$TMP_AUTH_KEY_FILE"
  chmod 700 "$TMP_AUTH_KEY_FILE"

  # Copy config to a working directory, as hash values will be appended to it
  TMPCONFIG="$TMP/nannycam.conf"
  cp "$CONFIG" "$TMPCONFIG"

  # Calculate the expected hash values to encode into the initramfs image
  # (unless they have been overridden in the config)
  if [ -z ${EXPECTED_MBR_HASH:-} ]; then
    hash_mbr
    echo "EXPECTED_MBR_HASH=\"$ACTUAL_MBR_HASH\"" >> "$TMPCONFIG"
  fi

  if [ -z ${EXPECTED_MBR_GAP_HASH:-} ]; then
    hash_mbr_gap
    echo "EXPECTED_MBR_GAP_HASH=\"$ACTUAL_MBR_GAP_HASH\"" >> "$TMPCONFIG"
  fi

  if [ -z ${EXPECTED_EFI_STUB_HASH:-} ]; then
    hash_efi_stub
    echo "EXPECTED_EFI_STUB_HASH=\"$ACTUAL_EFI_STUB_HASH\"" >> "$TMPCONFIG"
  fi
  add_file "$TMPCONFIG" "$DEFAULT_CONFIG"

  # Generate a new public key each time the initramfs is built
  openssl genpkey \
    -algorithm rsa \
    -pkeyopt rsa_keygen_bits:$AUTH_KEY_LENGTH \
    -out "$TMP_AUTH_KEY_FILE" \
    2> /dev/null
  add_file "$TMP_AUTH_KEY_FILE" "$AUTH_KEY_FILE"

  # Extract the public key 
  openssl rsa \
    -pubout \
    -out "$AUTH_PUB_KEY_FILE" \
    -outform DER \
    -in "$TMP_AUTH_KEY_FILE" \
    2> /dev/null

  # The private component is no longer required
  shred -uf "$TMP_AUTH_KEY_FILE"

  # Print a QR-code with the public half
  echo "Scan the following public key into your verification device"
  cat "$AUTH_PUB_KEY_FILE" | qrencode -8 $QR_OPTS
  read -p "Press ENTER to continue..." pause

  rm "$AUTH_PUB_KEY_FILE"
  rm -rf "$TMP"
) }

help () {
  cat <<HELPEOF
nannycam helps defend against some Evil Maid attacks. Check the output
of /usr/lib/nannycam/nannycam --help for more details. The configuration
file lives at /etc/nannycam.conf
HELPEOF
}