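#!/usr/bin/env bash
#title           :coreos-resign-swu-file.sh
#description     :This script signs/resigns an already existent swu file with a
#                 provided private key and a certificate
#author          :Patrick Vogelaar
#date            :20240325
#version         :0.1
#usage           :coreos-resign-swu-file.sh -i <input>.swu -k <private key>
#                 -c <certificate> -o <output>.swu
#notes           :openssl and cpio are required
#==============================================================================
# Security notes:
# - The new signature vouches for whatever sw-description the input image
#   carries. Only re-sign images whose origin and sw-description were reviewed.
# - Key and certificate reach openssl by path only, never by value. Keep the
#   key file readable by the signing user alone.
# - Member names are checked before extraction, because a cpio archive can
#   name absolute or parent-relative paths. Symlink members are not covered
#   by that check.

set -euo pipefail

SW_DESC_FILE_NAME="sw-description"
SW_DESC_SIG_FILE_NAME="sw-description.sig"
FIRMWARE_TMP_DIR="firmware_tmp"

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Print the command line synopsis and abort with a usage error.
usage() {
  printf 'Usage: %s -i <input>.swu -k <private key> -c <certificate> -o <output>.swu\n' \
    "${0##*/}" >&2
  exit 2
}

# Turn a path into an absolute one, relative to the invocation directory.
# Needed because the script later changes into the working directory.
abs_path() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *) printf '%s/%s\n' "$PWD" "$1" ;;
  esac
}

swupdate_in_file=""
key_file=""
certificate=""
output_file=""

# Every option takes an argument; the leading ':' lets us report errors.
while getopts ':i:k:c:o:' flag; do
  case "${flag}" in
    i) swupdate_in_file=${OPTARG} ;;
    k) key_file=${OPTARG} ;;
    c) certificate=${OPTARG} ;;
    o) output_file=${OPTARG} ;;
    :)
      printf 'ERROR: option -%s requires an argument\n' "${OPTARG}" >&2
      usage
      ;;
    *)
      printf 'ERROR: unknown option -%s\n' "${OPTARG}" >&2
      usage
      ;;
  esac
done

### Some basic checks
if [[ -z "$swupdate_in_file" || -z "$key_file" || -z "$certificate" || -z "$output_file" ]]; then
  usage
fi

for tool in openssl cpio; do
  command -v "$tool" > /dev/null 2>&1 || die "$tool could not be found"
done

in_abs=$(abs_path "$swupdate_in_file")
key_abs=$(abs_path "$key_file")
cert_abs=$(abs_path "$certificate")
out_abs=$(abs_path "$output_file")

[[ -f "$in_abs" && -r "$in_abs" ]] || die "cannot read input file: $swupdate_in_file"
[[ -f "$key_abs" && -r "$key_abs" ]] || die "cannot read key file: $key_file"
[[ -f "$cert_abs" && -r "$cert_abs" ]] || die "cannot read certificate: $certificate"

if [[ -e "$FIRMWARE_TMP_DIR" ]]; then
  die "$FIRMWARE_TMP_DIR already exists in this directory"
fi

work_dir="$PWD/$FIRMWARE_TMP_DIR"
# No -p: mkdir must fail if something created the directory in the meantime.
mkdir -- "$work_dir" || die "cannot create $FIRMWARE_TMP_DIR"

# Installed only after this run created the directory, so a directory that
# existed beforehand is never removed.
cleanup() {
  cd / || true
  rm -rf -- "${work_dir:?}"
}
trap cleanup EXIT

cd "$work_dir" || exit 1

# Keep the exact member order of the input archive.
member_list=$(cpio --quiet --list < "$in_abs") || die "cannot list $swupdate_in_file"
mapfile -t members <<< "$member_list"

has_desc=0
has_sig=0
for name in "${members[@]}"; do
  # Refuse names that would be written outside the working directory.
  case "$name" in
    /* | .. | ../* | */.. | */../*)
      die "unsafe member path in archive: $name"
      ;;
  esac
  if [[ "$name" == "$SW_DESC_FILE_NAME" ]]; then
    has_desc=1
  elif [[ "$name" == "$SW_DESC_SIG_FILE_NAME" ]]; then
    has_sig=1
  fi
done
if (( ! has_desc )); then
  die "$SW_DESC_FILE_NAME not found in $swupdate_in_file"
fi

cpio --quiet -id < "$in_abs" || die "cannot extract $swupdate_in_file"

if [[ ! -f "$SW_DESC_FILE_NAME" || -L "$SW_DESC_FILE_NAME" ]]; then
  die "$SW_DESC_FILE_NAME is not a regular file"
fi

# resign
openssl cms -sign -in "$SW_DESC_FILE_NAME" -out "$SW_DESC_SIG_FILE_NAME" \
  -signer "$cert_abs" -inkey "$key_abs" -outform DER -nosmimecap -binary ||
  die "signing $SW_DESC_FILE_NAME failed"

# Emit the member names in their original order. An input that was never
# signed has no signature entry, so one is added directly after
# sw-description, where SWUpdate expects it.
emit_member_order() {
  local entry
  for entry in "${members[@]}"; do
    printf '%s\n' "$entry"
    if (( ! has_sig )) && [[ "$entry" == "$SW_DESC_FILE_NAME" ]]; then
      printf '%s\n' "$SW_DESC_SIG_FILE_NAME"
    fi
  done
}

# recreate the swu file
# -H crc: SWUpdate images are built in cpio "crc" format; without -H, GNU cpio
# writes its old binary format.
printf 'Writing %s\n' "$output_file" >&2
if ! emit_member_order | cpio --quiet -ov -H crc > "$out_abs"; then
  # Do not leave a truncated image behind that could be mistaken for a good one.
  rm -f -- "$out_abs"
  die "creating $output_file failed"
fi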