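#! /bin/sh
#
# Generate a private key with the openssl command-line tool and print, on
# stdout, the name of the digest to use when signing a certificate for it.
#
# Usage: keyfile rsa|dsa|ecdsa bits
#   keyfile  - path the private key is written to
#   type     - rsa | dsa | ec | ecdsa (all-lowercase or all-uppercase)
#   bits     - RSA/DSA: modulus size (1024|2048|3072|4096)
#              EC:      security level (128|192|256), mapped to a named curve
#
# Stdout carries only the digest name, so every diagnostic goes to stderr.
# Exit status is 0 on success and 1 on a usage error or openssl failure.

# The output file holds private key material: create it with no group or
# other permissions.
umask 077

if [ $# -ne 3 ]; then
    # Diagnostics must not land on stdout, where the digest name is expected.
    echo "Usage: keyfile rsa|dsa|ecdsa bits" >&2
    exit 1
fi

KEY_OUT=$1; shift
PKEY=$1; shift
# After the two shifts, $1 is the key size / security level.

case "$PKEY" in
    [rd]sa|[RD]SA)
        # NOTE(review): 1024-bit RSA/DSA is still accepted here; it is below
        # the minimum key size current guidance recommends.
        case "$1" in
            1024|2048) DGST=sha1;;
            3072|4096) DGST=sha256;;
            *) printf "%s bits '%s' not 1024|2048|3072|4096\n" "$PKEY" "$1" >&2
               exit 1;;
        esac
        case "$PKEY" in
            rsa|RSA) KEY_CMD=genrsa;   KEY_ARGS="$1";;
            dsa|DSA) KEY_CMD=dsaparam; KEY_ARGS="-genkey $1";;
        esac;;
    ec|EC|ecdsa|ECDSA)
        KEY_CMD="ecparam"
        case "$1" in
            128) KEY_ARGS="-genkey -name prime256v1"; DGST=sha256;;
            192) KEY_ARGS="-genkey -name secp384r1"; DGST=sha384;;
            256) KEY_ARGS="-genkey -name secp521r1"; DGST=sha512;;
            *) printf "ECDSA security level '%s' not 128|192|256\n" "$1" >&2
               exit 1;;
        esac;;
    # Report the value that was actually supplied; no PKEY_TYPE variable is
    # ever set, so the message must use PKEY.
    *) printf 'Unknown public key type: %s\n' "$PKEY" >&2; exit 1;;
esac

# KEY_ARGS is left unquoted on purpose: it may hold several words
# ("-genkey -name <curve>") that must reach openssl as separate arguments.
# Every value it can take is a validated literal from the case arms above.
openssl "$KEY_CMD" -out "$KEY_OUT" $KEY_ARGS || exit 1

# Can't use strength appropriate digest, OpenSSL TLS does not support
# SHA2 X.509 cert signatures.
#
# echo $DGST
#
# NOTE(review): DGST is computed above but never emitted; sha1 is printed for
# every key type and size. SHA-1 is no longer collision resistant, and the
# limitation described above presumably applies only to old OpenSSL releases.
# Confirm what the consumers of this output can verify before switching to
# "$DGST" (which would still yield sha1 for 1024/2048-bit RSA/DSA).

echo sha1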
