backup bash cli

ceru/subcmds/new/ssh-key

@@ -1,182 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2025-2026 _cry64 (Emile Clark-Boman)
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -euo pipefail
-
-# ===== CONFIGURATION =====
-DEFAULT_TYPE='ecdsa'
-DEFAULT_ROUNDS='100'
-DEFAULT_BITS_ECDSA='521'
-DEFAULT_BITS_RSA='4096'
-DEFAULT_BITS_ED25519='NULL'
-# ===== CONFIGURATION =====
-
-USAGE="${BOLD}${UNDERLINE}${RED}Usage${RESET}
-	${BOLD}${GREEN}$THIS new ssh-key [option...]${RESET}
-
-${BOLD}${UNDERLINE}${RED}Description${RESET}
-	Generates a new SSH keypair with secure defaults.
-	For more advanced usage run the ${BOLD}${MAGENTA}\`ssh-keygen\`${RESET} utility directly.
-
-${BOLD}${UNDERLINE}${RED}Key Sizes${RESET}
-	Key sizes are specified in bits via the ${BOLD}${MAGENTA}-b|--bits${RESET} flag.
-	• ${BOLD}${CYAN}ECDSA keys${RESET} can only operate on elliptic curves of size: ${BOLD}${CYAN}256, 384, or 521 bits${RESET}
-	• ${BOLD}${CYAN}Ed25519 keys${RESET} have a ${BOLD}${MAGENTA}fixed length${RESET} so the key size is ignored
-	• ${BOLD}${CYAN}RSA keys${RESET} have been intentionally restricted to: ${BOLD}${CYAN}2048, 3072, 4096, or 8192 bits${RESET}
-
-${BOLD}${UNDERLINE}${RED}Options${RESET}
-	${BOLD}${MAGENTA}-h, --help${RESET}               Show this message (^_^)
-	${BOLD}${MAGENTA}-o, --out${RESET}                Private key file name to write to (the public key is named identically but ends with ${BOLD}${MAGENTA}.pub${RESET})
-	${BOLD}${MAGENTA}-c, --comment${RESET}            A comment or email address to write on the key
-	${BOLD}${MAGENTA}-t, --type${RESET}               The cryptographic algorithm to use: ${BOLD}${MAGENTA}ecdsa, ed25519, rsa${RESET} ${BOLD}${CYAN}(default: $DEFAULT_TYPE)${RESET}
-	${BOLD}${MAGENTA}-r, --rounds${RESET}             The number of KDF rounds to apply ${BOLD}${CYAN}(default: $DEFAULT_ROUNDS)${RESET}
-	${BOLD}${MAGENTA}-b, --bits${RESET}               The key size in bits ${BOLD}${MAGENTA}(see \"Key Sizes\" above) ${CYAN}(defaults: ecdsa=$DEFAULT_BITS_ECDSA, rsa=$DEFAULT_BITS_RSA, ed25519=$DEFAULT_BITS_ED25519)${RESET}
-	${BOLD}${MAGENTA}-N, --nopasswd${RESET}           Do not encrypt the private key with a password
-	${BOLD}${MAGENTA}-H, --hardware-key${RESET}       Enable the use of a secure hardware key peripheral device (ie YubiKey)"
-
-# ==== Argument Values ====
-TYPE="$DEFAULT_TYPE"
-ROUNDS="$DEFAULT_ROUNDS"
-BITS=''
-COMMENT=''
-OUT=''
-NOPASSWD=''
-HWKEY=false
-# ==== Argument Values ====
-
-# parse all args
-while [[ $# -gt 0 ]]; do
-	ARG="$1"
-	case "$ARG" in
-		-h|--help)
-			throw-usage 0
-			;;
-		-o|--out)
-			shift
-			OUT="$1"; shift
-			;;
-		-c|--comment)
-			shift
-			COMMENT="$1"; shift
-			;;
-		-t|--type)
-			shift
-			# NOTE: ${1,,} is $1 in lowercase
-			TYPE="${1,,}"; shift 
-			;;
-		-r|--rounds)
-			shift
-			ROUNDS="$1"; shift
-			;;
-		-b|--bits)
-			shift
-			BITS="$1"; shift
-			;;
-		-N|--nopasswd)
-			shift
-			NOPASSWD="-N ''"
-			;;
-		-H|--hardware-key)
-			shift
-			HWKEY=true
-			;;
-		-*)
-			throw-badflag 1 "$ARG"
-			;;
-		*)
-			throw-badarg 1 "$ARG"
-		  ;;
-	esac
-done; unset -v ARG
-
-# ensure $ROUNDS is a valid numeric
-if ! isnumeric "$ROUNDS"; then
-	throw-badval 1 "$ROUNDS" '-r|--rounds'
-fi
-
-case "$TYPE" in
-	ecdsa)
-		if [[ -z "$BITS" ]]; then
-			BITS='521'
-		else
-			# NOTE: ECDSA keys can only operate on elliptic curves
-			# NOTE: of sizes: 256, 384 or 521 bits
-			case "$BITS" in
-				256|384|512) true
-					;;
-				*)
-					throw-badval 1 "$BITS" '-b|--bits'
-					;;
-			esac
-		fi
-		;;
-	ed25519)
-		# NOTE: the value of BITS does not matter for Ed25519
-		# NOTE: as it operates on a fixed size elliptic curve
-		if [[ -z "$BITS" ]]; then
-			BITS='256'
-		fi
-		;;
-	rsa)
-		if [[ -z "$BITS" ]]; then
-			BITS='4096'
-		else
-			case "$BITS" in
-				2048)
-					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: Although ${MAGENTA}2048-bit RSA keys${YELLOW} are considered secure,${RESET}" >&2
-					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: it is the growing opinion that these will not be soon.${RESET}" >&2
-					echo -e "${BOLD}${UNDERLINE}${YELLOW}WARNING${RESET}${BOLD}: ${GREEN}Consider using a minimum of ${MAGENTA}3072-bit${YELLOW}, or ideally ${MAGENTA}4096-bit.${RESET}" >&2
-					;;
-				3072|4096|8192) true
-					;;
-				*)
-					throw-badval 1 "$BITS" '-b|--bits'
-					;;
-			esac
-		fi
-		;;
-	*)
-		throw-badval 1 "$TYPE" '-t|--type'
-		;;
-esac
-
-if ! isnumeric "$BITS"; then
-	throw-badval 1 "$BITS" '-b|--bits'
-fi
-
-if [[ "$HWKEY" == true ]]; then
-	if [[ "$TYPE" == "rsa" ]]; then
-		echo -e "${BOLD}${MAGENTA}-H|--hardware-key${RESET} flag is not valid for ${BOLD}${MAGENTA}RSA keys${RESET} ${BOLD}${CYAN}(use Ed25519 instead)${RESET}"
-		exit 1
-	fi
-	TYPE="$TYPE-sk"
-fi
-
-if [[ -z "$OUT" ]]; then
-	# fallback to ssh-keygen's default file (for chmod later)
-	OUT="$HOME/.ssh/id_$TYPE"
-fi
-
-# permit error during key generation
-set +e
-echo -e "${BOLD}${GREEN}[+] ssh-keygen -t $TYPE -a$ROUNDS -b$BITS -C '$COMMENT' -f '$OUT' $NOPASSWD${RESET}"
-ssh-keygen -t $TYPE -a "$ROUNDS" -b "$BITS" -C "$COMMENT" -f "$OUT" $NOPASSWD
-chmod 600 $OUT
-chmod 644 $OUT.pub
-# reset state
-set -e
-
-unset TYPE ROUNDS BITS COMMENT OUT NOPASSWD HWKEY \
-			DEFAULT_TYPE DEFAULT_ROUNDS DEFAULT_BITS_ECDSA DEFAULT_BITS_RSA DEFAULT_BITS_ED25519