/*

 * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ec;

import java.security.InvalidAlgorithmParameterException;

import java.security.InvalidKeyException;

import java.security.NoSuchAlgorithmException;

import java.security.Key;

import java.security.SecureRandom;

import java.security.ProviderException;

import java.security.interfaces.XECPrivateKey;

import java.security.interfaces.XECPublicKey;

import java.security.spec.AlgorithmParameterSpec;

import java.security.spec.NamedParameterSpec;

import javax.crypto.KeyAgreementSpi;

import javax.crypto.SecretKey;

import javax.crypto.ShortBufferException;

import javax.crypto.spec.SecretKeySpec;

import java.util.function.Function;

public class XDHKeyAgreement extends KeyAgreementSpi {

    private byte[] privateKey;

    private byte[] secret;

    private XECOperations ops;

    private XECParameters lockedParams = null;

    XDHKeyAgreement() {

        // do nothing

    }

    XDHKeyAgreement(AlgorithmParameterSpec paramSpec) {

        lockedParams = XECParameters.get(ProviderException::new, paramSpec);

    }

    @Override

    protected void engineInit(Key key, SecureRandom random)

            throws InvalidKeyException {

        initImpl(key);

    }

    @Override

    protected void engineInit(Key key, final AlgorithmParameterSpec params,

                              SecureRandom random) throws InvalidKeyException,

        InvalidAlgorithmParameterException {

        initImpl(key);

        // the private key parameters must match params, if present

        if (params != null) {

            XECParameters xecParams = XECParameters.get(

                InvalidAlgorithmParameterException::new, params);

            if (!xecParams.oidEquals(this.ops.getParameters())) {

                throw new InvalidKeyException(

                    "Incorrect private key parameters"

                );

            }

        }

    }

    private

    <T extends Throwable>

    void checkLockedParams(Function<String, T> exception,

                           XECParameters params) throws T {

        if (lockedParams != null && lockedParams != params) {

            throw exception.apply("Parameters must be " +

            lockedParams.getName());

        }

    }

    private void initImpl(Key key) throws InvalidKeyException {

        if (!(key instanceof XECPrivateKey)) {

            throw new InvalidKeyException

            ("Unsupported key type");

        }

        XECPrivateKey privateKey = (XECPrivateKey) key;

        XECParameters xecParams = XECParameters.get(

            InvalidKeyException::new, privateKey.getParams());

        checkLockedParams(InvalidKeyException::new, xecParams);

        this.ops = new XECOperations(xecParams);

        this.privateKey = privateKey.getScalar().orElseThrow(

            () -> new InvalidKeyException("No private key value")

        );

        secret = null;

    }

    @Override

    protected Key engineDoPhase(Key key, boolean lastPhase)

            throws InvalidKeyException, IllegalStateException {

        if (this.privateKey == null) {

            throw new IllegalStateException("Not initialized");

        }

        if (this.secret != null) {

            throw new IllegalStateException("Phase already executed");

        }

        if (!lastPhase) {

            throw new IllegalStateException

                ("Only two party agreement supported, lastPhase must be true");

        }

        if (!(key instanceof XECPublicKey)) {

            throw new InvalidKeyException

                ("Unsupported key type");

        }

        XECPublicKey publicKey = (XECPublicKey) key;

        // Ensure public key parameters are compatible with private key

        XECParameters xecParams = XECParameters.get(InvalidKeyException::new,

            publicKey.getParams());

        if (!ops.getParameters().oidEquals(xecParams)) {

            throw new InvalidKeyException(

            "Public key parameters are not compatible with private key.");

        }

        // The privateKey may be modified to a value that is equivalent for

        // the purposes of this algorithm.

        byte[] computedSecret = ops.encodedPointMultiply(

            this.privateKey,

            publicKey.getU());

        // test for contributory behavior

        if (allZero(computedSecret)) {

            throw new InvalidKeyException("Point has small order");

        }

        this.secret = computedSecret;

        return null;

    }

    /*

     * Constant-time check for an all-zero array

     */

    private boolean allZero(byte[] arr) {

        byte orValue = (byte) 0;

        for (int i = 0; i < arr.length; i++) {

            orValue |= arr[i];

        }

        return orValue == (byte) 0;

    }

    @Override

    protected byte[] engineGenerateSecret() throws IllegalStateException {

        if (secret == null) {

            throw new IllegalStateException("Not initialized correctly");

        }

        byte[] result = secret;

        secret = null;

        return result;

    }

    @Override

    protected int engineGenerateSecret(byte[] sharedSecret, int offset)

        throws IllegalStateException, ShortBufferException {

        if (secret == null) {

            throw new IllegalStateException("Not initialized correctly");

        }

        int secretLen = this.secret.length;

        if (secretLen > sharedSecret.length - offset) {

            throw new ShortBufferException("Need " + secretLen

                + " bytes, only " + (sharedSecret.length - offset)

                + " available");

        }

        System.arraycopy(this.secret, 0, sharedSecret, offset, secretLen);

        secret = null;

        return secretLen;

    }

    @Override

    protected SecretKey engineGenerateSecret(String algorithm)

            throws IllegalStateException, NoSuchAlgorithmException,

            InvalidKeyException {

        if (algorithm == null) {

            throw new NoSuchAlgorithmException("Algorithm must not be null");

        }

        if (!(algorithm.equals("TlsPremasterSecret"))) {

            throw new NoSuchAlgorithmException(

                    "Only supported for algorithm TlsPremasterSecret");

        }

        return new SecretKeySpec(engineGenerateSecret(), algorithm);

    }

    static class X25519 extends XDHKeyAgreement {

        public X25519() {

            super(NamedParameterSpec.X25519);

        }

    }

    static class X448 extends XDHKeyAgreement {

        public X448() {

            super(NamedParameterSpec.X448);

        }

    }

}