#!/bin/sh
# SPDX-License-Identifier: MIT

# Fixed locations and identifiers used by this launcher.
SHARE_DIR="/usr/share/armadillo-twin-agent"     # shared data dir; holds the Amazon root CA
SE_PEM_DIR="/var/log/armadillo-twin-agent"      # where the files exported from the SE050 are kept
# NOTE(review): credential files live under /var/log and the directory is
# created further down with a plain mkdir -p, so its mode follows the umask
# of whoever runs this script — confirm that is acceptable for these files.
SE050_CERT="${SE_PEM_DIR}/device_cert.pem"      # device certificate exported from the SE
SE050_KEY="${SE_PEM_DIR}/refkey.pem"            # key file exported from the SE (name suggests a reference key rather than raw private-key material — confirm)
AWS_ROOTCA="${SHARE_DIR}/AmazonRootCA1.pem"     # trust anchor handed to the agent as --ca_file
PKCS11_LIB="/usr/lib/plug-and-trust/libsss_pkcs11.so"
KEY_LABEL="sss:100100F0"                        # PKCS#11 key label passed to the agent
PIN=""                                          # PKCS#11 PIN; passed on the agent command line, empty here

# Report a fatal condition and terminate the script.
# Arguments: one or more messages; each is printed on its own "error: ..." line
# Outputs:   messages on stderr
# Returns:   does not return; exits with status 1
error() {
	{
		printf 'error: %s\n' "$@"
	} >&2
	exit 1
}

# OpenSSL configuration for the SE050 engine.  It stays in effect for the
# se05x_getkey calls made later in this file and is unset again before the
# agent itself is exec'd.
OPENSSL_CONF=/etc/plug-and-trust/openssl11_sss_se050.cnf
export OPENSSL_CONF

# Secure Element port as reported by the board; empty means no SE was found.
# NOTE(review): a transient failure of device-info yields the same empty
# string as a genuinely missing SE and takes the same disable path — confirm
# that is intended.
EX_SSS_BOOT_SSS_PORT=$(device-info --se-param)
export EX_SSS_BOOT_SSS_PORT
case "$EX_SSS_BOOT_SSS_PORT" in
"")
	# When started by the init system, remove the default-runlevel link
	# (persist_file -d presumably also drops it from persistent storage —
	# confirm) and stop the service before bailing out.
	if [ -n "$RC_SERVICE" ]; then
		rc_file="/etc/runlevels/default/armadillo-twin-agentd"
		[ -f "$rc_file" ] && persist_file -d "$rc_file"
		rc_service armadillo-twin-agentd stop
	fi
	error "Secure Element is not found"
	;;
esac

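# Export the device certificate and the key file from the SE050 unless both
# are already present.  Each object is written to a .tmp file, flushed to
# disk and only then renamed into place, so an interrupted run never leaves a
# half-written file under the final name.
# Globals:   SE050_CERT, SE050_KEY (paths written), EX_SSS_BOOT_SSS_PORT (SE port)
# Returns:   0 when both files are in place; otherwise the status of the step
#            that failed, with any leftover .tmp files removed first
get_se050_keys() {
	if [ -e "$SE050_CERT" ] && [ -e "$SE050_KEY" ]; then
		return 0
	fi
	_export_se050_objects && return 0
	_rc=$?
	# Do not leave partial exports behind; the next attempt starts clean.
	rm -f "$SE050_CERT.tmp" "$SE050_KEY.tmp"
	return "$_rc"
}

# Helper for get_se050_keys: run the export, sync and rename steps in order,
# stopping at the first failure and returning its status.
# Object 0xF0000111 goes to the certificate path, 0xF0000110 to the key path
# (whose filename suggests a reference key rather than raw private-key
# material — confirm).
_export_se050_objects() {
	se05x_getkey 0xF0000111 "$SE050_CERT.tmp" "$EX_SSS_BOOT_SSS_PORT" || return
	se05x_getkey 0xF0000110 "$SE050_KEY.tmp" "$EX_SSS_BOOT_SSS_PORT" || return
	# Flush both files before they become visible under their final names.
	sync "$SE050_CERT.tmp" "$SE050_KEY.tmp" || return
	mv "$SE050_CERT.tmp" "$SE050_CERT" || return
	mv "$SE050_KEY.tmp" "$SE050_KEY"
}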

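# The device serial number is used as the IoT thing name; refuse to start
# with an empty one instead of registering under a blank identity.
sn=$(device-info -s)
[ -n "$sn" ] || error "could not read device serial number"

# setup cert
# NOTE(review): directory mode follows the current umask; tighten it if the
# files placed here must not be readable by other users.
[ -d "$SE_PEM_DIR" ] || mkdir -p "$SE_PEM_DIR"

# Fetch the Amazon root CA only when no copy exists yet.  The download goes
# to a temporary name and is renamed on success: "wget -O" creates the output
# file even when the transfer fails, so writing straight to the final path
# could leave an empty file that satisfies the loop condition and then breaks
# every TLS handshake.  A response that does not look like a PEM certificate
# (e.g. an HTTP 200 page from a captive portal) is discarded and retried.
# NOTE(review): whether the transfer itself is certificate-verified depends
# on the wget implementation on the image (busybox vs GNU) — confirm.
while [ ! -e "$AWS_ROOTCA" ]; do
	if wget https://www.amazontrust.com/repository/AmazonRootCA1.pem -O "$AWS_ROOTCA.tmp" \
		&& grep -q 'BEGIN CERTIFICATE' "$AWS_ROOTCA.tmp" \
		&& mv "$AWS_ROOTCA.tmp" "$AWS_ROOTCA"; then
		break
	fi
	rm -f "$AWS_ROOTCA.tmp"
	sleep 5 # countermeasures for load on AWS
done
get_se050_keys || error "could not get SE050 key/certificate"

# OPENSSL_CONF (exported earlier in this file for the SE050 engine) must not
# be inherited by the agent; it is handed the PKCS#11 module explicitly via
# --pkcs11_lib instead.
unset OPENSSL_CONF
# NOTE: --pin is passed on the command line and is therefore visible in the
# process list; it is empty here, so nothing is exposed unless PIN is changed.
exec armadillo-twin-agent \
	--thing_name "$sn" \
	--ca_file "$AWS_ROOTCA" \
	--cert "$SE050_CERT" \
	--key "$SE050_KEY" \
	--pkcs11_lib "$PKCS11_LIB" \
	--key_label "$KEY_LABEL" \
	--pin "$PIN"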
