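#!/usr/bin/env bash
#
# Audit the key material referenced by the running sshd configuration.
#
# For each of HostKey, HostCertificate and TrustedUserCAKeys the script
# prints whether the configured file exists and its permission bits, then
# prints the fingerprint of every configured host key.
#
# The effective configuration is read with `sshd -T`, which needs enough
# privilege to read sshd_config and the private host keys (normally root);
# if it fails, every field is reported as "(not configured)" and a warning
# goes to stderr.
#
# Usage: run with no arguments.

# -u catches typos in variable names; pipefail makes `sshd -T` failures
# visible to the lookup helpers. -e is deliberately not set: a missing
# field is an ordinary, reported outcome, not a fatal error.
set -u -o pipefail

#######################################
# Look a keyword up in the effective sshd configuration.
# Arguments: $1 - field name (matched case-insensitively against column 1)
#            $2 - "1" to print every value, anything else for the first only
# Outputs:   the value column(s) on stdout, one per line
# Returns:   status of the `sshd -T | awk` pipeline (non-zero when sshd fails)
#######################################
_ssh_config_lookup() {
  local field="$1" all="$2"
  # The field name is passed via -v and compared as a plain string so that
  # it is never interpolated into a regex. HostKey commonly appears several
  # times in `sshd -T` output; the caller decides whether it wants them all.
  sshd -T 2>/dev/null | awk -v want="$field" -v all="$all" '
    BEGIN { want = tolower(want) }
    tolower($1) == want && !done { print $2; if (all != "1") done = 1 }'
}

#######################################
# Print every value of one effective sshd configuration field.
# Arguments: $1 - field name, e.g. hostkey (case-insensitive)
# Outputs:   values on stdout, one per line; nothing if absent or sshd -T fails
# Returns:   2 on usage error, otherwise the lookup pipeline status
#######################################
ssh_config_vals() {
  local field="${1:-}"
  if [[ -z "$field" ]]; then
    echo "usage: ssh_config_vals <field>" >&2
    return 2
  fi
  _ssh_config_lookup "$field" 1
}

#######################################
# Print the first value of one effective sshd configuration field.
# Arguments: $1 - field name, e.g. hostkey (case-insensitive)
# Outputs:   the value on stdout; nothing if absent or sshd -T fails
# Returns:   2 on usage error, otherwise the lookup pipeline status
#######################################
ssh_config_val() {
  local field="${1:-}"
  if [[ -z "$field" ]]; then
    echo "usage: ssh_config_val <field>" >&2
    return 2
  fi
  _ssh_config_lookup "$field" 0
}

#######################################
# Print the octal permission bits of a file.
# Arguments: $1 - path
# Outputs:   mode such as 600 on stdout (GNU stat first, BSD stat fallback)
# Returns:   non-zero if neither stat variant could read the file
#######################################
file_mode() {
  local path="$1"
  stat -c '%a' -- "$path" 2>/dev/null || stat -f '%Lp' -- "$path" 2>/dev/null
}

#######################################
# Print one table row per configured key/cert/CA file with its status.
# Globals:   none
# Arguments: none
# Outputs:   a table on stdout (✅ present, ❌ missing, ⚠️ not configured)
#######################################
check_ssh_files() {
  local key path perms found
  printf "%-6s %-20s %-6s %s\n" "STATUS" "KEY" "PERMS" "PATH"
  for key in hostkey hostcertificate trustedusercakeys; do
    found=0
    # Process substitution keeps `found` in this shell (a pipe would not).
    while IFS= read -r path; do
      [[ -n "$path" ]] || continue
      found=1
      if [[ -e "$path" ]]; then
        perms=$(file_mode "$path")
        printf "%-7s %-20s %-6s %s\n" "✅" "$key" "${perms:-?}" "$path"
      else
        printf "%-7s %-20s %-6s %s\n" "❌" "$key" "-" "$path (missing)"
      fi
    done < <(ssh_config_vals "$key")
    if (( found == 0 )); then
      printf "%-7s %-20s %-6s %s\n" "⚠️" "$key" "-" "(not configured)"
    fi
  done
}

#######################################
# Print the fingerprint of one key or certificate file.
# Arguments: $1 - path to a key, .pub or certificate file
# Outputs:   the fingerprint column of `ssh-keygen -l` on stdout
# Returns:   1 if the file is unreadable or ssh-keygen fails, else 0
#######################################
ssh_fingerprint_file() {
  local path="${1:-}"
  if [[ ! -r "$path" ]]; then
    echo "error: file not readable: $path" >&2
    return 1
  fi
  local line
  line=$(ssh-keygen -lf "$path") || {
    echo "error: ssh-keygen could not fingerprint $path" >&2
    return 1
  }
  awk '{ print $2 }' <<<"$line"
}

#######################################
# Print the fingerprint of the file named by an sshd configuration field.
# Arguments: $1 - field name, e.g. hostkey; the first configured value is used
# Outputs:   fingerprint on stdout
# Returns:   2 on usage error, 1 if the field is empty or the file unusable
#######################################
ssh_fingerprint() {
  local field="${1:-}"
  local cfg_path
  if [[ -z "$field" ]]; then
    echo "usage: ssh_fingerprint <field>" >&2
    return 2
  fi
  cfg_path=$(ssh_config_val "$field")
  if [[ -z "$cfg_path" ]]; then
    echo "error: sshd field '$field' not found or empty" >&2
    return 1
  fi
  ssh_fingerprint_file "$cfg_path"
}

# Surface the most common cause of an all-"(not configured)" report early.
if ! sshd -T >/dev/null 2>&1; then
  echo "warning: 'sshd -T' failed; effective config unavailable (normally requires root)" >&2
fi

check_ssh_files
echo ""
# `ssh-keygen -l` on the HostKey path reports the key's fingerprint, so the
# heading names the key; every configured host key is listed with its path.
echo "Host key fingerprints"
while IFS= read -r host_key; do
  [[ -n "$host_key" ]] || continue
  fp=$(ssh_fingerprint_file "$host_key") || continue
  printf '%s  %s\n' "$fp" "$host_key"
done < <(ssh_config_vals hostkey)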