#!/bin/bash -e
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2017 Red Hat, Inc.
# Author: Nathaniel McCallum <npmccallum@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

[ $# -eq 1 -a "$1" == "--summary" ] && exit 1

if [ -t 0 ]; then
    echo >&2
    echo "Usage: clevis decrypt tang < JWE > PLAINTEXT" >&2
    echo >&2
    exit 1
fi

read -d . hdr

if ! jhd=`jose b64 dec -i- <<< "$hdr"`; then
    echo "Error decoding JWE protected header!" >&2
    exit 1
fi

if [ "`jose fmt -j- -Og clevis -g pin -u- <<< "$jhd"`" != "tang" ]; then
    echo "JWE pin mismatch!" >&2
    exit 1
fi

if ! clt=`jose fmt -j- -Og epk -Oo- <<< "$jhd"`; then
    echo "JWE missing required 'epk' header parameter!" >&2
    exit 1
fi

if ! kid=`jose fmt -j- -Og kid -Su- <<< "$jhd"`; then
    echo "JWE missing required 'kid' header parameter!" >&2
    exit 1
fi

if ! srv=`jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
        | jose jwk thp -i- -f "$kid"`; then
    echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
    exit 1
fi

if ! url=`jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd"`; then
    echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
    exit 1
fi

if ! crv=`jose fmt -j- -Og crv -Su- <<< "$clt"`; then
    echo "Unable to determine EPK's curve!" >&2
    exit 1
fi

if ! eph=`jose jwk gen -i "{\"alg\":\"ECMR\",\"crv\":\"$crv\"}"`; then
    echo "Error generating ephemeral key!" >&2
    exit 1
fi

xfr=`jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph"`

url="$url/rec/$kid"
ct="Content-Type: application/jwk+json"
if ! rep=`curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr"`; then
    echo "Error communicating with the server!" >&2
    exit 1
fi

if ! rep=`jose fmt -j- -Og kty -q EC -EUUg crv -q "$crv" -EUUo- <<< "$rep"`; then
    echo "Received invalid server reply!" >&2
    exit 1
fi

tmp=`jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$eph$srv"`
rep=`jose jwk pub -i- <<< "$rep"`
jwk=`jose jwk exc -l- -r- <<< "$rep$tmp"`
exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; cat)