#!/usr/bin/env bash

set -eu -o pipefail

if [ ${#} -ne 2 ]; then
	echo "Check if certificate and private key match."
	echo ""
	echo "Usage:"
	echo "    ${0} [certificate] [privatekey]"
	exit 1
fi

TMP="$(mktemp -d)"

# Checking internal consistency of private key
openssl rsa -in "${2}" -check -noout

# Checking spkisha256 hash
hashkey=$(openssl pkey -in "${2}" -pubout -outform der | sha256sum)
hashcrt=$(openssl x509 -in "${1}" -pubkey | openssl pkey -pubin -pubout -outform der | sha256sum)
if [[ "${hashkey}" = "${hashcrt}" ]]; then
	echo "SPKI SHA256 hash matches"
else
	echo "SPKI SHA256 hash does not match"
fi

# check test signature
openssl x509 -in "${1}" -noout -pubkey >"${TMP}/pubkey.pem"
dd if=/dev/urandom of="${TMP}/rnd" bs=32 count=1 status=none
openssl pkeyutl -sign -inkey "${2}" -in "${TMP}/rnd" -out "${TMP}/sig"
openssl pkeyutl -verify -pubin -inkey "${TMP}/pubkey.pem" -in "${TMP}/rnd" -sigfile "${TMP}/sig"

rm -rf "${TMP}"
