#!/bin/sh

# This uses the public/private keys on a PIV device, like a CAC or Yubikey.
# It  uses a PIN stored in a file.
# It uses OpenSSL with PKCS11 enabled via OpenSC.

[ "$#" -ne 1 ] && echo "cluster_passphrase_command usage: $0 \"%d\"" 1>&2 && exit 1
# No need for %R or -R since we are not prompting for a PIN

DIR="$1"
[ ! -e "$DIR" ] && echo "$DIR does not exist" 1>&2 && exit 1
[ ! -d "$DIR" ] && echo "$DIR is not a directory" 1>&2 && exit 1

# File that stores the PIN to unlock the PIV
# Set it here or pass in as an environment variable.
#PIV_PIN_FILE=''
[ ! "$PIV_PIN_FILE" ] && echo 'PIV_PIN_FILE undefined' 1>&2 && exit 1
[ ! -e "$PIV_PIN_FILE" ] && echo "$PIV_PIN_FILE does not exist" 1>&2 && exit 1
[ -d "$PIV_PIN_FILE" ] && echo "$PIV_PIN_FILE is a directory" 1>&2 && exit 1

# PIV slot 3 is the "Key Management" slot
PIV_SLOT='0:3'

# File containing the passphrased encrypted with the PIV_SLOT's public key
KEY_FILE="$DIR/pivpass.key"


# ----------------------------------------------------------------------


# Create a passphrased encrypted with the PIV_SLOT's public key?
if [ ! -e "$KEY_FILE" ]
then	# The 'postgres' operating system user must have permission to
	# access the PIV device.

	openssl rand -hex 32 |
	if ! openssl rsautl -engine pkcs11 -keyform engine -encrypt \
		-inkey "$PIV_SLOT" -passin file:"$PIV_PIN_FILE" -out "$KEY_FILE"
	then	exit 1
	fi

	# Warn the user to save the passphrase in a safe place
	cat 1>&2 <<END

WARNING:  The PIV device can be locked and require a reset if too many PIN
attempts fail.  It is recommended to run this command manually and save
the passphrase in a secure location for possible recovery.
END

fi

# Decrypt the passphrased encrypted with the PIV_SLOT's public key
if ! openssl rsautl -engine pkcs11 -keyform engine -decrypt \
	-inkey "$PIV_SLOT" -passin file:"$PIV_PIN_FILE" -in "$KEY_FILE"
then	exit 1
fi

exit 0