cerulean/ceru/subcmds/new/ssh-key

#!/usr/bin/env bash
# Copyright 2025 Emile Clark-Boman
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -euo pipefail

USAGE="${BOLD}${UNDERLINE}${RED}Usage${RESET}
	${BOLD}${GREEN}$THIS new ssh-key [option...]${RESET}

${BOLD}${UNDERLINE}${RED}Description${RESET}
	Generates a new SSH keypair with secure defaults.
	For more advanced usage run the ${BOLD}${MAGENTA}\`ssh-keygen\`${RESET} utility directly.

${BOLD}${UNDERLINE}${RED}Options${RESET}
	${BOLD}${MAGENTA}-h, --help${RESET}               Show this message (^_^)
	${BOLD}${MAGENTA}-o, --out${RESET}                Private key file name to write to (the public key is named identically but ends with ${BOLD}${MAGENTA}.pub${RESET})
	${BOLD}${MAGENTA}-c, --comment${RESET}            A comment or email address to write on the key
	${BOLD}${MAGENTA}-t, --type${RESET}               The cryptographic algorithm to use: ${BOLD}${MAGENTA}ed25519${RESET} or ${BOLD}${MAGENTA}rsa${RESET} ${BOLD}${CYAN}(default: rsa)${RESET}
	${BOLD}${MAGENTA}-r, --rounds${RESET}             The number of key derivation function rounds to apply ${BOLD}${CYAN}(default: 100)${RESET}
	${BOLD}${MAGENTA}-N, --nopasswd${RESET}           Do not encrypt the private key with a password
	${BOLD}${MAGENTA}-H, --hardware-key${RESET}       Enable the use of a secure hardware key peripheral device (ie YubiKey)"

# ==== Argument Values ====
TYPE='rsa'
ROUNDS='100'
BITS=''
COMMENT=''
OUT=''
NOPASSWD=false
HWKEY=false
# ==== Argument Values ====

# parse all args
while [[ $# -gt 0 ]]; do
	ARG="$1"
	case "$ARG" in
		-h|--help)
			throw-usage 0
			;;
		-o|--out)
			shift
			OUT="$1"; shift
			;;
		-c|--comment)
			shift
			COMMENT="$1"; shift
			;;
		-t|--type)
			shift
			TYPE="$1"; shift
			;;
		-r|--rounds)
			shift
			ROUNDS="$1"; shift
			;;
		-b|--bits)
			shift
			BITS="$1"; shift
			;;
		-N|--nopasswd)
			shift
			NOPASSWD=true
			;;
		-H|--hardware-key)
			shift
			HWKEY=true
			;;
		-*)
			throw-badflag 1 "$ARG"
			;;
		*)
			throw-badarg 1 "$ARG"
		  ;;
	esac
done; unset -v ARG

EXTRA=''
# ensure $ROUNDS is a valid numeric
if ! isnumeric "$ROUNDS"; then
	throw-badval 1 "$ROUNDS" '-r|--rounds'
fi

case "$TYPE" in
	ed25519)
		# NOTE: the value of BITS does not matter for Ed25519
		# NOTE: as it operates on a fixed size elliptic curve
		if [[ -n "$BITS" ]]; then
			BITS='256'
		fi
		;;
	rsa)
		if [[ -n "$BITS" ]]; then
			BITS='4096'
		else
			case "$BITS" in
				2048)
					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: Although ${MAGENTA}2048-bit RSA keys${YELLOW} are considered secure,${RESET}" >&2
					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: it is the growing opinion that these will not be soon.${RESET}" >&2
					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: ${GREEN}Consider using a minimum of ${MAGENTA}3072-bit${YELLOW}, or ideally ${MAGENTA}4096-bit.${RESET}" >&2
					;;
				3072|4096|8192) true
					;;
				*)
					throw-badval 1 "$BITS" '-b|--bits'
					;;
			esac
		fi
		;;
	*)
		throw-badval 1 "$TYPE" '-t|--type'
		;;
esac

if ! isnumeric "$BITS"; then
	throw-badval 1 "$BITS" '-b|--bits'
fi

if [[ "$HWKEY" == true ]]; then
	if [[ "$TYPE" == "rsa" ]]; then
		echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGE}rsa${RESET} keys ${BOLD}${CYAN}(use ed25519 instead)${RESET}"
		exit 1
	fi
	TYPE="$TYPE-sk"
fi

if [[ -n "$COMMENT" ]]; then
	EXTRA="$EXTRA -C '$COMMENT'"
fi

# BUG: WARNING: TODO: $OUT permits arbitrary command injection
if [[ -n "$OUT" ]]; then
	EXTRA="$EXTRA -f $OUT"
else
	# fallback to ssh-keygen's default file (for chmod later)
	OUT="~/.ssh/id_$TYPE"
fi

if [[ "$NOPASSWD" == true ]]; then
	EXTRA="$EXTRA -N ''"
fi
# permit error during key generation
set +e
echo -e "${BOLD}${GREEN}[+] ssh-keygen -t $TYPE -a '$ROUNDS' $EXTRA${RESET}"
ssh-keygen -t $TYPE -a "$ROUNDS" $EXTRA
chmod 600 $OUT
chmod 644 $OUT.pub

# reset state
set -e
unset TYPE ROUNDS COMMENT OUT NOPASSWD HWKEY EXTRA