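#!/usr/bin/env bash
#
# Create (if needed) a self-signed MOK certificate, queue it for enrollment
# with mokutil, let the user review the pending request, and optionally hand
# off to the companion 'signko' script to sign the NVIDIA kernel modules.
#
# Files (resolved relative to the CURRENT WORKING DIRECTORY, not the script):
#   private_key.priv  PEM private key, created with mode 0600
#   public_key.der    DER certificate, created with mode 0644
#   x509.cnf          openssl req config used by both generation paths
# 'signko' is resolved relative to this script's own directory.
# NOTE(review): the mix of CWD-relative key files and script-relative signko
# looks intentional (keys live where the user runs this) -- confirm.
#
# Environment exported for signko:
#   MOKISKIP  0 if a new enrollment request was queued by this run,
#             1 if mokutil reported the key as already enrolled.
#
# Exit codes:
#   0    finished (or the user declined to run signko)
#   1    openssl / mokutil error, or an unreadable public key
#   2    user rejected the certificate details
#   127  user rejected the pending MOK import

set -u

export MOKISKIP=0
MYCD="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
readonly MYCD

readonly PUBKEY=public_key.der
readonly PRIVKEY=private_key.priv
readonly X509CNF=x509.cnf

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Ask a yes/no question ($1 is the prompt).
# Returns 0 only on an explicit y/Y/j/J -- "j" because the authors are German
# ("Ja!"); anything else, including EOF, counts as "no".
confirm() {
  local answer
  read -rp "$1" answer
  case "$answer" in
    [yYjJ]) return 0 ;;
    *) return 1 ;;
  esac
}

# Warn (do not fail) when an existing private key is readable by group/others.
# Uses GNU find's '-perm /MODE' (any of the bits set); this script is
# Linux-only anyway because of mokutil.
warn_if_lax_perms() {
  if [[ -n "$(find "$PRIVKEY" -maxdepth 0 -perm /077 2>/dev/null)" ]]; then
    printf 'WARNING: %s is readable by group/others; consider chmod 0600.\n' "$PRIVKEY" >&2
  fi
}

# Create the key pair / certificate as needed:
#   neither file readable -> generate key + self-signed cert
#   only the cert missing -> re-issue the cert from the existing key
#   otherwise             -> nothing to do
# The certificate is valid for 36500 days, as is common for MOK keys.
create_keys() {
  if [[ ! -r "$PUBKEY" && ! -r "$PRIVKEY" ]]; then
    [[ -r "$X509CNF" ]] || die "Cannot read $X509CNF in $PWD"
    # umask 077 inside a subshell: the private key must never exist
    # world-readable, not even for the instant before the chmod below.
    (
      umask 077 && openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch \
        -config "$X509CNF" -outform DER -out "$PUBKEY" -keyout "$PRIVKEY"
    ) || die "openssl key/certificate generation failed"
    chmod -v 0600 "$PRIVKEY"
    chmod -v 0644 "$PUBKEY"
  elif [[ ! -r "$PUBKEY" ]]; then
    [[ -r "$X509CNF" ]] || die "Cannot read $X509CNF in $PWD"
    warn_if_lax_perms
    openssl req -x509 -utf8 -sha256 -days 36500 -batch -config "$X509CNF" \
      -key "$PRIVKEY" -outform DER -out "$PUBKEY" \
      || die "openssl certificate generation failed"
    chmod -v 0644 "$PUBKEY"
  else
    printf 'Nothing to do in terms of key creation.\n'
  fi
}

# Print the certificate details for review; exit 1 if openssl cannot read it.
# NOTE(review): '-ext' needs a recent OpenSSL (3.x) -- verify on older hosts.
show_cert() {
  local rc
  printf '================\n'
  openssl x509 -inform DER -noout -subject -issuer -issuer_hash -dates -serial \
    -fingerprint -ocsp_uri -ext "subjectAltName,subjectKeyIdentifier" \
    -in "$PUBKEY" | sed 's/^/ /'
  # openssl's status, not sed's (PIPESTATUS is clobbered by the next command)
  rc="${PIPESTATUS[0]}"
  printf '================\n'
  [[ "$rc" -eq 0 ]] || exit 1
}

# Queue the certificate for enrollment. Sets MOKISKIP=1 when mokutil reports
# it as already enrolled; exits 1 on any other failure, showing mokutil's
# own output so the cause is not lost.
# NOTE(review): mokutil --import asks for a one-time enrollment password; its
# prompt text is captured here along with the rest of the output and may not
# be visible to the user -- confirm it still reads from the terminal.
import_key() {
  local out
  if [[ ! -r "$PUBKEY" ]]; then
    printf 'Public key cannot be read!\n' >&2
    exit 1
  fi
  printf 'Importing new public key to MOK import store...'
  if out="$(sudo mokutil --import "$PUBKEY" 2>&1)"; then
    if grep -q 'SKIP:.*already enrolled' <<<"$out"; then
      printf ' SKIPPED (already enrolled).\n'
      export MOKISKIP=1
    else
      printf ' OK.\n'
    fi
  else
    printf ' FAILED!\n'
    printf '%s\n' "$out" >&2
    exit 1
  fi
}

# Show the pending MOK requests and let the user veto the one just queued.
# Exits 1 if listing fails for a freshly queued request, 127 on veto.
review_new() {
  local rc
  (
    printf 'LISTING NEW KEYS\n================\n'
    sudo mokutil --list-new
  ) | less
  # Capture right away: the previous version tested PIPESTATUS only after
  # another command had already overwritten it, so this check never fired.
  rc="${PIPESTATUS[0]}"
  if [[ "$MOKISKIP" -eq 0 && "$rc" -ne 0 ]]; then
    exit 1
  fi
  if ! confirm 'Was this key OK? [y/N] '; then
    if [[ "$MOKISKIP" -eq 1 ]]; then
      # This run queued nothing, so --revoke-import would only drop a
      # pending request that belongs to someone else.
      printf 'Key was already enrolled; nothing to revoke.\n' >&2
      exit 127
    fi
    printf 'Deleting key from MOK import store...'
    if sudo mokutil --revoke-import; then
      printf ' OK.\n'
    else
      printf ' FAILED!\n'
      exit 1
    fi
    exit 127
  fi
}

main() {
  [[ -n "$MYCD" ]] || die "Cannot determine the directory of this script"
  command -v openssl >/dev/null || die "openssl not found in PATH"
  command -v mokutil >/dev/null || die "mokutil not found in PATH"
  create_keys
  show_cert
  confirm 'Is this OK? [y/N] ' || exit 2
  import_key
  review_new
  if [[ "$MOKISKIP" -eq 0 ]]; then
    printf '\n---- NOTICE ----\nYou should reboot soon to finish the MOK import in UEFI.\n\n'
  fi
  if confirm 'Continue to sign NVIDIA kernel modules? [y/N] '; then
    # the script's exit status becomes signko's
    "$MYCD"/signko
  else
    exit 0
  fi
}

main "$@"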