#!/bin/bash

if [ $# -lt 2 ]; then
  echo "This tool requires openssl, awscli, jq and base64."
  echo "One can generate a key using openssl rand -out PlaintextKeyMaterial.bin 32"
  echo "Usage: key-import.sh key-file key-alias"
  exit 0
fi

keyAlias=$2

aws kms create-key --origin EXTERNAL --description "Customer managed key" | jq -cr .KeyMetadata.KeyId > keyid.txt

aws kms get-parameters-for-import --key-id $(cat keyid.txt) \
                                    --wrapping-algorithm RSAES_OAEP_SHA_256 \
                                    --wrapping-key-spec RSA_2048 > import.json

cat import.json | jq -cr .PublicKey | base64 -d > PublicKey.bin
cat import.json  | jq -cr .ImportToken | base64 -d > ImportToken.bin

openssl pkeyutl -encrypt -in $1 -inkey PublicKey.bin -keyform DER \
-pubin -out EncryptedKeyMaterial.bin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

aws kms import-key-material --key-id $(cat keyid.txt) \
                              --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
                              --import-token fileb://ImportToken.bin \
                              --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

aws kms create-alias --alias-name "alias/$keyAlias" --target-key-id $(cat keyid.txt)
aws kms describe-key --key-id $(cat keyid.txt)

rm -f EncryptedKeyMaterial.bin ImportToken.bin PublicKey.bin import.json keyid.txt