<?php

class SSHKey
{

	public static function getPrivateKey(?bool &$regen = false): ?string
	{
		$privKey = Property::get("rebootcontrol-private-key");
		if (!$privKey) {
			$rsaKey = openssl_pkey_new([
				'private_key_bits' => 2048,
				'private_key_type' => OPENSSL_KEYTYPE_RSA]);
			if (!openssl_pkey_export( openssl_pkey_get_private($rsaKey), $privKey)) {
				$regen = false;
				return null;
			}
			Property::set("rebootcontrol-private-key", $privKey);
			if (Module::isAvailable('sysconfig')) {
				ConfigTgz::rebuildAllConfigs();
			}
			$regen = true;
		}
		return $privKey;
	}

	public static function getPublicKey(): ?string
	{
		$pkImport = openssl_pkey_get_private(self::getPrivateKey());
		if ($pkImport === false)
			return null;
		return self::sshEncodePublicKey($pkImport);
	}

	private static function sshEncodePublicKey($privKey): ?string
	{
		$keyInfo = openssl_pkey_get_details($privKey);
		if ($keyInfo === false)
			return null;
		$buffer  = pack("N", 7) . "ssh-rsa" .
			self::sshEncodeBuffer($keyInfo['rsa']['e']) .
			self::sshEncodeBuffer($keyInfo['rsa']['n']);
		return "ssh-rsa " . base64_encode($buffer);
	}

	private static function sshEncodeBuffer(string $buffer): string
	{
		$len = strlen($buffer);
		// Prefix with extra null byte if the MSB is set, to ensure
		// nobody will ever interpret this as a negative number
		if (ord($buffer[0]) & 0x80) {
			$len++;
			$buffer = "\x00" . $buffer;
		}
		return pack("Na*", $len, $buffer);
	}

}