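#!/usr/bin/env bash
# onx-dkim-keygen — generates an RSA DKIM key pair (openssl)
# stdin: {"domain":"example.com","selector":"onox2026","key_size":2048}
# stdout: {"domain":"…","selector":"…","fingerprint":"…","public_key_pem":"…","private_key_pem":"…","dns_txt_payload":"v=DKIM1; k=rsa; p=…"}
#
# The private key is returned in the JSON response by design (see the
# "private_key_pem" field); the caller must treat stdout as secret material.
# On disk the key lives under /etc/onox/dkim/<domain>/<selector>.private,
# owned by root with mode 0600.

set -euo pipefail
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
source "${SCRIPT_DIR}/_lib/common.sh"

require_root
require_cmd openssl
# python3 does the JSON escaping of the PEM blobs below. Fail early here rather
# than silently emitting a "(raw)" placeholder in place of the key material.
require_cmd python3

onx_json_input

DOMAIN=$(onx_json_field "domain")
SELECTOR=$(onx_json_field "selector")
KEY_SIZE=$(onx_json_field "key_size" "2048")

# Validation
if [[ -z "$DOMAIN" ]]; then
    onx_die 1 "Eksik alan: domain"
fi
if [[ -z "$SELECTOR" ]]; then
    onx_die 1 "Eksik alan: selector"
fi
onx_validate_domain "$DOMAIN"

# Selector safety check (alphanumeric + dash/underscore). The selector becomes
# part of a filesystem path, so anything outside this set is rejected.
if ! [[ "$SELECTOR" =~ ^[a-zA-Z0-9_-]+$ ]]; then
    onx_die 1 "Geçersiz selector formatı"
fi

# Key size validation. The value is interpolated unquoted into the JSON
# output below, so it must be a known-good integer.
if ! [[ "$KEY_SIZE" =~ ^(1024|2048|4096)$ ]]; then
    onx_die 1 "Geçersiz key_size; 1024, 2048 veya 4096 olmalı"
fi

DKIM_DIR="/etc/onox/dkim/${DOMAIN}"
mkdir -p "$DKIM_DIR"
chmod 700 "$DKIM_DIR"

PRIVATE_KEY="${DKIM_DIR}/${SELECTOR}.private"
PUBLIC_KEY="${DKIM_DIR}/${SELECTOR}.pub"

# Refuse to clobber an existing private key: a selector that is already
# published in DNS may be in active use for signing, and overwriting it is not
# recoverable. Rotation should use a fresh selector.
if [[ -e "$PRIVATE_KEY" ]]; then
    onx_die 1 "Özel anahtar zaten mevcut: ${PRIVATE_KEY}"
fi

# Generate the private key. openssl creates the file with the current umask,
# so restrict it in a subshell before generation; otherwise there is a window
# between creation and the chmod below where the key is readable per umask.
(
    umask 077
    openssl genrsa -out "$PRIVATE_KEY" "$KEY_SIZE" 2>/dev/null
)
chmod 600 "$PRIVATE_KEY"

# Derive the public key
openssl rsa -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY" 2>/dev/null

# Fingerprint: SHA-256 over the DER-encoded SubjectPublicKeyInfo
FINGERPRINT=$(openssl rsa -in "$PRIVATE_KEY" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -hex | awk '{print $2}')

# DNS TXT payload — drop the PEM header/footer lines and join the base64 body.
# NOTE: a 4096-bit key produces a p= value longer than a single 255-octet TXT
# string; the DNS provider may require it to be split into multiple strings.
DNS_PAYLOAD=$(grep -v "^-----" "$PUBLIC_KEY" | tr -d '\n')

# JSON-escape the PEM values. A failure here is fatal (set -e) rather than
# being replaced by a placeholder, so the caller never receives a response
# that looks valid but is missing the key.
PRIVATE_PEM=$(python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" < "$PRIVATE_KEY")
PUBLIC_PEM=$(python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" < "$PUBLIC_KEY")

cat <<JSON
{
  "domain": "${DOMAIN}",
  "selector": "${SELECTOR}",
  "key_size": ${KEY_SIZE},
  "fingerprint": "${FINGERPRINT}",
  "public_key_pem": ${PUBLIC_PEM},
  "private_key_pem": ${PRIVATE_PEM},
  "private_key_path": "${PRIVATE_KEY}",
  "public_key_path": "${PUBLIC_KEY}",
  "dns_txt_payload": "v=DKIM1; k=rsa; p=${DNS_PAYLOAD}"
}
JSON
exit 0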
