// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////

#include "tink/subtle/ecies_hkdf_recipient_kem_boringssl.h"

#include <memory>
#include <utility>

#include "absl/memory/memory.h"
#include "absl/status/status.h"
#include "openssl/bn.h"
#include "openssl/ec.h"
#include "openssl/evp.h"
#include "tink/internal/ec_util.h"
#include "tink/internal/ssl_unique_ptr.h"
#include "tink/subtle/common_enums.h"
#include "tink/subtle/hkdf.h"
#include "tink/util/errors.h"
#include "tink/util/secret_data.h"

namespace crypto {
namespace tink {
namespace subtle {

// static
util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
EciesHkdfRecipientKemBoringSsl::New(EllipticCurveType curve,
                                    util::SecretData priv_key) {
  switch (curve) {
    case EllipticCurveType::NIST_P256:
    case EllipticCurveType::NIST_P384:
    case EllipticCurveType::NIST_P521:
      return EciesHkdfNistPCurveRecipientKemBoringSsl::New(curve,
                                                           std::move(priv_key));
    case EllipticCurveType::CURVE25519:
      return EciesHkdfX25519RecipientKemBoringSsl::New(curve,
                                                       std::move(priv_key));
    default:
      return util::Status(absl::StatusCode::kUnimplemented,
                          "Unsupported elliptic curve");
  }
}

// static
util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
EciesHkdfNistPCurveRecipientKemBoringSsl::New(EllipticCurveType curve,
                                              util::SecretData priv_key) {
  auto status = internal::CheckFipsCompatibility<
      EciesHkdfNistPCurveRecipientKemBoringSsl>();
  if (!status.ok()) return status;

  if (priv_key.empty()) {
    return util::Status(absl::StatusCode::kInvalidArgument, "empty priv_key");
  }
  auto status_or_ec_group = internal::EcGroupFromCurveType(curve);
  if (!status_or_ec_group.ok()) return status_or_ec_group.status();
  // TODO(przydatek): consider refactoring internal/ec_util,
  //     so that the saved group can be used for KEM operations.
  return {absl::WrapUnique(new EciesHkdfNistPCurveRecipientKemBoringSsl(
      curve, std::move(priv_key), std::move(status_or_ec_group.value())))};
}

EciesHkdfNistPCurveRecipientKemBoringSsl::
    EciesHkdfNistPCurveRecipientKemBoringSsl(
        EllipticCurveType curve, util::SecretData priv_key_value,
        internal::SslUniquePtr<EC_GROUP> ec_group)
    : curve_(curve),
      priv_key_value_(std::move(priv_key_value)),
      ec_group_(std::move(ec_group)) {}

util::StatusOr<util::SecretData>
EciesHkdfNistPCurveRecipientKemBoringSsl::GenerateKey(
    absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
    absl::string_view hkdf_info, uint32_t key_size_in_bytes,
    EcPointFormat point_format) const {
  auto status_or_ec_point =
      internal::EcPointDecode(curve_, point_format, kem_bytes);
  if (!status_or_ec_point.ok()) {
    return ToStatusF(absl::StatusCode::kInvalidArgument,
                     "Invalid KEM bytes: %s",
                     status_or_ec_point.status().message());
  }
  internal::SslUniquePtr<EC_POINT> pub_key =
      std::move(status_or_ec_point.value());
  internal::SslUniquePtr<BIGNUM> priv_key(
      BN_bin2bn(priv_key_value_.data(), priv_key_value_.size(), nullptr));
  auto shared_secret_or =
      internal::ComputeEcdhSharedSecret(curve_, priv_key.get(), pub_key.get());
  if (!shared_secret_or.ok()) {
    return shared_secret_or.status();
  }
  util::SecretData shared_secret = shared_secret_or.value();
  return Hkdf::ComputeEciesHkdfSymmetricKey(
      hash, kem_bytes, shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
}

EciesHkdfX25519RecipientKemBoringSsl::EciesHkdfX25519RecipientKemBoringSsl(
    internal::SslUniquePtr<EVP_PKEY> private_key)
    : private_key_(std::move(private_key)) {}

// static
util::StatusOr<std::unique_ptr<EciesHkdfRecipientKemBoringSsl>>
EciesHkdfX25519RecipientKemBoringSsl::New(EllipticCurveType curve,
                                          util::SecretData priv_key) {
  auto status =
      internal::CheckFipsCompatibility<EciesHkdfX25519RecipientKemBoringSsl>();
  if (!status.ok()) return status;

  if (curve != CURVE25519) {
    return util::Status(absl::StatusCode::kInvalidArgument,
                        "curve is not CURVE25519");
  }
  if (priv_key.size() != internal::X25519KeyPubKeySize()) {
    return util::Status(absl::StatusCode::kInvalidArgument,
                        "pubx has unexpected length");
  }

  internal::SslUniquePtr<EVP_PKEY> ssl_priv_key(EVP_PKEY_new_raw_private_key(
      /*type=*/EVP_PKEY_X25519, /*unused=*/nullptr, /*in=*/priv_key.data(),
      /*len=*/internal::Ed25519KeyPrivKeySize()));
  if (ssl_priv_key == nullptr) {
    return util::Status(absl::StatusCode::kInternal,
                        "EVP_PKEY_new_raw_private_key failed");
  }

  return {absl::WrapUnique(
      new EciesHkdfX25519RecipientKemBoringSsl(std::move(ssl_priv_key)))};
}

crypto::tink::util::StatusOr<util::SecretData>
EciesHkdfX25519RecipientKemBoringSsl::GenerateKey(
    absl::string_view kem_bytes, HashType hash, absl::string_view hkdf_salt,
    absl::string_view hkdf_info, uint32_t key_size_in_bytes,
    EcPointFormat point_format) const {
  if (point_format != EcPointFormat::COMPRESSED) {
    return util::Status(
        absl::StatusCode::kInvalidArgument,
        "X25519 only supports compressed elliptic curve points");
  }

  if (kem_bytes.size() != internal::X25519KeyPubKeySize()) {
    return util::Status(absl::StatusCode::kInvalidArgument,
                        "kem_bytes has unexpected size");
  }

  internal::SslUniquePtr<EVP_PKEY> peer_key(EVP_PKEY_new_raw_public_key(
      /*type=*/EVP_PKEY_X25519, /*unused=*/nullptr,
      /*in=*/reinterpret_cast<const uint8_t*>(kem_bytes.data()),
      /*len=*/internal::Ed25519KeyPubKeySize()));
  if (peer_key == nullptr) {
    return util::Status(absl::StatusCode::kInternal,
                        "EVP_PKEY_new_raw_public_key failed");
  }

  util::StatusOr<util::SecretData> shared_secret =
      internal::ComputeX25519SharedSecret(private_key_.get(), peer_key.get());
  if (!shared_secret.ok()) {
    return shared_secret.status();
  }

  return Hkdf::ComputeEciesHkdfSymmetricKey(
      hash, kem_bytes, *shared_secret, hkdf_salt, hkdf_info, key_size_in_bytes);
}

}  // namespace subtle
}  // namespace tink
}  // namespace crypto