yhp-logsrv

#!/bin/bash

set -eu

cd "$(dirname "$0")"
. config # loads constants for YubiHSM object IDs and such
. common # loads helpers and reads environment variables
rm -f "$log_pubkey_file" "$log_signature_file" # extracted from yubihsm
trap clean_up EXIT

###
# Read backup
###
yubihsm_probe "to restore log server signing key from" >/dev/null
[[ -z "$authkey_passphrase" ]] && read -rp "ENTER authkey passphrase: " authkey_passphrase
[[ -z "$wrapkey_passphrase" ]] && read -rp "ENTER wrapkey passphrase: " wrapkey_passphrase
logsrv_authkey_passphrase=$(yubihsm_get_passphrase "$BACKUP_AUTH_ID" "$authkey_passphrase")

yubihsm_shell << EOF
	connect
	session open      "$BACKUP_AUTH_ID"  "$authkey_passphrase"
	get     wrapped 0 "$WRAPPING_KEY_ID" asymmetric-key "$LOGSRV_SIGNING_KEY_ID" "$wrap_file_log"
	session close   0
EOF

###
# Prepare signing oracle
###
id=$(yubihsm_probe "to provision new logsrv signing oracle on (must be in factory-reset state)")

yubihsm_shell << EOF
	connect
	session open 1 password

	put     authkey 0 "$LOGSRV_AUTH_ID"  "$LOGSRV_AUTH_LABEL"  "$LOGSRV_SIGNING_DOMAIN" sign-eddsa none "$logsrv_authkey_passphrase"
	put     wrapkey 0 "$WRAPPING_KEY_ID" "$WRAPPING_KEY_LABEL" "$LOGSRV_SIGNING_DOMAIN" import-wrapped,export-wrapped exportable-under-wrap,sign-eddsa "$wrapkey_passphrase"
	put     wrapped 0 "$WRAPPING_KEY_ID" "$wrap_file_log"

	get pubkey 0 "$LOGSRV_SIGNING_KEY_ID" "$log_pubkey_file"
	sign eddsa 0 "$LOGSRV_SIGNING_KEY_ID" ed25519 "$message_file" "$log_signature_file"

	delete          0 "$WRAPPING_KEY_ID" wrap-key
	delete          0 1                  authentication-key

	list    objects 0
	session close   0
EOF

openssl pkeyutl -verify -pubin -inkey "$log_pubkey_file" -sigfile <(base64 -d "$log_signature_file") -rawin -in "$message_file" >&2

echo "logsrv_authkey_passphrase=$logsrv_authkey_passphrase"
echo "logsrv_serial_number=$id"
echo ""
cat "$log_pubkey_file"