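#!/bin/sh -eu
# DESCRIPTION: generate a primary OpenPGP key for $uid and one subkey per
#              capability listed in $subkey_caps
# SYNTAX: $uid            (the remaining gen-key batch parameters, presumably
#                          Name-Real/Name-Email, are read verbatim from stdin)
# ENV: $gpg_options       options for the host gpg that encrypts the passphrase
#                         file (must select the recipient); only required the
#                         first time the passphrase file is created
# ENV: $subkey_caps       space-separated subkey capabilities to ensure exist
#                         (single letters as understood by gpg --edit-key, e.g. s e a)
# ENV: $expire            subkey expiry answer given to addkey (default 0)
# ENV: $random            entropy source for the passphrase (default /dev/urandom)

# Repeat the shebang options: they are lost when the script is run as "sh script".
set -eu

tool=$(readlink -e "${0%/*}/..")
. "$tool"/remote/lib.sh

if test $# -lt 1
then
  printf 'usage: %s uid\n' "${0##*/}" >&2
  exit 2
fi
uid="$1"
pass_file="$tool"/var/sec/openpgp/"$uid".pass.gpg

# Decrypt the stored passphrase to stdout (host gpg, not the remote/gpg wrapper).
# Used only inside heredocs so the plain text never appears on a command line.
passphrase() {
  # shellcheck disable=SC2086 -- $gpg_options is an option list, word-split on purpose
  gpg --decrypt ${gpg_options-} "$pass_file"
}

# Anchor the state directories on $tool rather than the caller's cwd so they are
# created where the rest of this script reads and writes them. var/sec and
# var/sec/openpgp are created separately so both get mode 700.
install -d -m 700 "$tool"/var/pub/openpgp
install -d -m 700 "$tool"/var/sec "$tool"/var/sec/openpgp

# Passphrase of the new key: 42 bytes of [:alnum:][:punct:] from $random, stored
# only in encrypted form. It is handed to gpg over stdin, never on argv.
if test ! -e "$pass_file"
then
  # shellcheck disable=SC2086 -- $gpg_options is an option list, word-split on purpose
  gpg --encrypt $gpg_options -o "$pass_file" <<EOF
$(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
EOF
fi

# Primary key: RSA 4096, signing only. Batch parameter format:
# DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
# "Preferences" are the algorithm preferences written into the key's
# self-signature; "$(cat -)" splices this script's stdin into the parameter file.
# NOTE(review): --list-keys matches any uid containing "$uid"; a key with a
# superstring uid would make this step look already done — confirm if that matters.
if ! "$tool"/remote/gpg --list-keys -- "$uid" >/dev/null
then
  "$tool"/remote/gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Passphrase:$(passphrase)
Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
$(cat -)
%commit
EOF
fi

# Field 12 of each "ssb" line of the colon listing is the subkey's capability
# string; keep one ":caps" entry per existing subkey.
caps=$(
  "$tool"/remote/gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
    -- "$uid" |
  sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
)

# shellcheck disable=SC2086 -- $subkey_caps is a word list, split on purpose
for cap in ${subkey_caps:-}
do
  # Literal containment test (no regex, so $cap is never interpreted as a pattern).
  case "$caps" in
    *"$cap"*) continue ;;  # a subkey with this capability already exists
  esac
  # --expert addkey driven over stdin (--command-fd 0):
  #   8                  RSA with caller-chosen capabilities
  #   s e                toggle the default sign/encrypt capabilities off
  #   $cap               toggle the requested capability on
  #   q 4096 $expire     done, key size, expiry
  #   save
  # The passphrase is supplied on fd 3 (--passphrase-fd 3), again never on argv.
  printf '%s\n' 8 s e "$cap" q 4096 "${expire:-0}" save |
    "$tool"/remote/gpg --keyid-format long --with-colons --fixed-list-mode --expert \
      --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<EOF
$(passphrase)
EOF
done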