#!/bin/sh -efu
# SPDX-License-Identifier: GPL-2.0-or-later

# shellcheck enable=all disable=SC2250

# The helper library is named without a slash, so `.` looks it up through
# PATH. Whoever invokes this script must supply a trusted PATH, because the
# sourced file runs with this script's privileges.
# shellcheck source=bin/alt-signer-functions.in
. alt-signer-functions

# Exactly two positional arguments are required: the input type and the
# nickname of the key.
[ "$#" -eq 2 ] || {
	printf 'Usage: %s <module> <key-nickname>\n' "${0##*/}" >&2
	exit 1
}

type_input=$1
nickname=$2
shift 2

# The nickname is later appended to the certificate subject and passed to
# efikeygen as --nickname, so this check is the only gate on its contents.
# NOTE(review): validate_nickname is defined outside this file; confirm that
# it rejects DN separators such as ',', '=' and '+'.
validate_nickname "$nickname"

# Translate the input type into the flag handed to efikeygen. "module" is the
# only accepted value; anything else aborts here, before check_db or
# efikeygen run.
if [ "$type_input" = module ]; then
	efikeygen_flag=--module
else
	printf '%s\n' 'unsupported input file type' >&2
	exit 1
fi

# NOTE(review): check_db comes from alt-signer-functions; presumably it
# verifies the key database referenced later as $dbdir. Confirm there.
check_db

# Both values below can be overridden from the environment, which means the
# caller's environment decides the subject prefix and the signing CA.
# NOTE(review): if this script is reached across a privilege boundary (sudo,
# a service wrapper), the wrapper should pin or scrub these variables.
#
# Subject prefix: the `-` form keeps an explicitly empty override and falls
# back to the default only when the variable is unset.
default_cn_prefix='O=ALT Linux,OU=Kernel out-of-tree Module Signer,CN='
cn_prefix="${ALT_SIGNER_KEYGEN_COMMON_NAME_PREFIX-$default_cn_prefix}"
cn="${cn_prefix}${nickname}"

# CA nickname: the `:-` form treats an empty override like an unset one, so
# the signer is never an empty string.
ca_nick="${ALT_SIGNER_CA_NICKNAME:-CA}"

# Generate the key pair and certificate only when show_cert fails for this
# nickname. When it succeeds, the stored entry is reused as-is: its subject,
# issuer and key size are not compared with $cn, $ca_nick or rsa4096, so
# callers that rely on those properties must verify the printed certificate.
# NOTE(review): the check and the creation are separate steps; whether
# concurrent runs for one nickname are serialized is not visible here.
#
# efikeygen's stdout is sent to stderr so that the script's stdout carries
# only the output of the final show_cert call.
# shellcheck disable=SC2310
show_cert "$nickname" >/dev/null 2>&1 ||
	efikeygen \
		--dbdir "$dbdir" \
		--algorithm rsa4096 \
		"$efikeygen_flag" \
		--signer="$ca_nick" \
		--common-name "$cn" \
		--nickname "$nickname" \
		>&2

# Print the certificate, whether it was just created or already present;
# under -e a failure here makes the script exit non-zero.
show_cert "$nickname"
