#!/bin/bash -x

PAYLOAD=$1
OUTPUT=$2

if [ ! -f $PAYLOAD ]; then
	echo "Can't read PAYLOAD";
	exit 1;
fi

KEYLOC="/tmp/keys"
T=`mktemp -d`

# Build enough of the container to create the Prefix and Software headers.
# (reuse HW key for SW key P)
./create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
                   -p $KEYLOC/hw_key_a.key \
                    --payload $PAYLOAD --imagefile $OUTPUT \
                    --dumpPrefixHdr $T/prefix_hdr --dumpSwHdr $T/software_hdr

# Sign the Prefix header.
openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/prefix_hdr > $T/hw_key_a.sig
openssl dgst -SHA512 -sign $KEYLOC/hw_key_b.key $T/prefix_hdr > $T/hw_key_b.sig
openssl dgst -SHA512 -sign $KEYLOC/hw_key_c.key $T/prefix_hdr > $T/hw_key_c.sig

# Sign the Software header.
openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/software_hdr > $T/sw_key_p.sig

# Build the full container with signatures.
./create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
                   -p $KEYLOC/hw_key_a.key \
                   -A $T/hw_key_a.sig -B $T/hw_key_b.sig -C $T/hw_key_c.sig \
                   -P $T/sw_key_p.sig \
                    --payload $PAYLOAD --imagefile $OUTPUT

rm -rf $T