/*

 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.provider;

import java.math.BigInteger;

import java.security.AlgorithmParameterGeneratorSpi;

import java.security.AlgorithmParameters;

import java.security.InvalidAlgorithmParameterException;

import java.security.NoSuchAlgorithmException;

import java.security.NoSuchProviderException;

import java.security.InvalidParameterException;

import java.security.MessageDigest;

import java.security.SecureRandom;

import java.security.ProviderException;

import java.security.spec.AlgorithmParameterSpec;

import java.security.spec.InvalidParameterSpecException;

import java.security.spec.DSAParameterSpec;

import java.security.spec.DSAGenParameterSpec;

import static sun.security.util.SecurityProviderConstants.DEF_DSA_KEY_SIZE;

import static sun.security.util.SecurityProviderConstants.getDefDSASubprimeSize;

/**

 * This class generates parameters for the DSA algorithm.

 *

 * @author Jan Luehe

 *

 *

 * @see java.security.AlgorithmParameters

 * @see java.security.spec.AlgorithmParameterSpec

 * @see DSAParameters

 *

 * @since 1.2

 */

public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {

    // the length of prime P, subPrime Q, and seed in bits

    private int valueL = -1;

    private int valueN = -1;

    private int seedLen = -1;

    // the source of randomness

    private SecureRandom random;

    public DSAParameterGenerator() {

    }

    /**

     * Initializes this parameter generator for a certain strength

     * and source of randomness.

     *

     * @param strength the strength (size of prime) in bits

     * @param random the source of randomness

     */

    @Override

    protected void engineInit(int strength, SecureRandom random) {

        if ((strength != 2048) && (strength != 3072) &&

            ((strength < 512) || (strength > 1024) || (strength % 64 != 0))) {

            throw new InvalidParameterException(

                "Unexpected strength (size of prime): " + strength +

                ". Prime size should be 512-1024, 2048, or 3072");

        }

        this.valueL = strength;

        this.valueN = getDefDSASubprimeSize(strength);

        this.seedLen = valueN;

        this.random = random;

    }

    /**

     * Initializes this parameter generator with a set of

     * algorithm-specific parameter generation values.

     *

     * @param genParamSpec the set of algorithm-specific parameter

     *        generation values

     * @param random the source of randomness

     *

     * @exception InvalidAlgorithmParameterException if the given parameter

     * generation values are inappropriate for this parameter generator

     */

    @Override

    protected void engineInit(AlgorithmParameterSpec genParamSpec,

            SecureRandom random) throws InvalidAlgorithmParameterException {

        if (!(genParamSpec instanceof DSAGenParameterSpec)) {

            throw new InvalidAlgorithmParameterException("Invalid parameter");

        }

        DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec)genParamSpec;

        // directly initialize using the already validated values

        this.valueL = dsaGenParams.getPrimePLength();

        this.valueN = dsaGenParams.getSubprimeQLength();

        this.seedLen = dsaGenParams.getSeedLength();

        this.random = random;

    }

    /**

     * Generates the parameters.

     *

     * @return the new AlgorithmParameters object

     */

    @Override

    protected AlgorithmParameters engineGenerateParameters() {

        AlgorithmParameters algParams = null;

        try {

            if (this.random == null) {

                this.random = new SecureRandom();

            }

            if (valueL == -1) {

                engineInit(DEF_DSA_KEY_SIZE, this.random);

            }

            BigInteger[] pAndQ = generatePandQ(this.random, valueL,

                                               valueN, seedLen);

            BigInteger paramP = pAndQ[0];

            BigInteger paramQ = pAndQ[1];

            BigInteger paramG = generateG(paramP, paramQ);

            DSAParameterSpec dsaParamSpec =

                new DSAParameterSpec(paramP, paramQ, paramG);

            algParams = AlgorithmParameters.getInstance("DSA", "SUN");

            algParams.init(dsaParamSpec);

        } catch (InvalidParameterSpecException e) {

            // this should never happen

            throw new RuntimeException(e.getMessage());

        } catch (NoSuchAlgorithmException e) {

            // this should never happen, because we provide it

            throw new RuntimeException(e.getMessage());

        } catch (NoSuchProviderException e) {

            // this should never happen, because we provide it

            throw new RuntimeException(e.getMessage());

        }

        return algParams;

    }

    /*

     * Generates the prime and subprime parameters for DSA,

     * using the provided source of randomness.

     * This method will generate new seeds until a suitable

     * seed has been found.

     *

     * @param random the source of randomness to generate the

     * seed

     * @param valueL the size of <code>p</code>, in bits.

     * @param valueN the size of <code>q</code>, in bits.

     * @param seedLen the length of <code>seed</code>, in bits.

     *

     * @return an array of BigInteger, with <code>p</code> at index 0 and

     * <code>q</code> at index 1, the seed at index 2, and the counter value

     * at index 3.

     */

    private static BigInteger[] generatePandQ(SecureRandom random, int valueL,

                                              int valueN, int seedLen) {

        String hashAlg = null;

        if (valueN == 160) {

            hashAlg = "SHA";

        } else if (valueN == 224) {

            hashAlg = "SHA-224";

        } else if (valueN == 256) {

            hashAlg = "SHA-256";

        }

        MessageDigest hashObj = null;

        try {

            hashObj = MessageDigest.getInstance(hashAlg);

        } catch (NoSuchAlgorithmException nsae) {

            // should never happen

            nsae.printStackTrace();

        }

        /* Step 3, 4: Useful variables */

        int outLen = hashObj.getDigestLength()*8;

        int n = (valueL - 1) / outLen;

        int b = (valueL - 1) % outLen;

        byte[] seedBytes = new byte[seedLen/8];

        BigInteger twoSl = BigInteger.TWO.pow(seedLen);

        int primeCertainty = -1;

        if (valueL <= 1024) {

            primeCertainty = 80;

        } else if (valueL == 2048) {

            primeCertainty = 112;

        } else if (valueL == 3072) {

            primeCertainty = 128;

        }

        if (primeCertainty < 0) {

            throw new ProviderException("Invalid valueL: " + valueL);

        }

        BigInteger resultP, resultQ, seed = null;

        int counter;

        while (true) {

            do {

                /* Step 5 */

                random.nextBytes(seedBytes);

                seed = new BigInteger(1, seedBytes);

                /* Step 6 */

                BigInteger U = new BigInteger(1, hashObj.digest(seedBytes)).

                    mod(BigInteger.TWO.pow(valueN - 1));

                /* Step 7 */

                resultQ = BigInteger.TWO.pow(valueN - 1)

                            .add(U)

                            .add(BigInteger.ONE)

                            .subtract(U.mod(BigInteger.TWO));

            } while (!resultQ.isProbablePrime(primeCertainty));

            /* Step 10 */

            BigInteger offset = BigInteger.ONE;

            /* Step 11 */

            for (counter = 0; counter < 4*valueL; counter++) {

                BigInteger[] V = new BigInteger[n + 1];

                /* Step 11.1 */

                for (int j = 0; j <= n; j++) {

                    BigInteger J = BigInteger.valueOf(j);

                    BigInteger tmp = (seed.add(offset).add(J)).mod(twoSl);

                    byte[] vjBytes = hashObj.digest(toByteArray(tmp));

                    V[j] = new BigInteger(1, vjBytes);

                }

                /* Step 11.2 */

                BigInteger W = V[0];

                for (int i = 1; i < n; i++) {

                    W = W.add(V[i].multiply(BigInteger.TWO.pow(i * outLen)));

                }

                W = W.add((V[n].mod(BigInteger.TWO.pow(b)))

                               .multiply(BigInteger.TWO.pow(n * outLen)));

                /* Step 11.3 */

                BigInteger twoLm1 = BigInteger.TWO.pow(valueL - 1);

                BigInteger X = W.add(twoLm1);

                /* Step 11.4, 11.5 */

                BigInteger c = X.mod(resultQ.multiply(BigInteger.TWO));

                resultP = X.subtract(c.subtract(BigInteger.ONE));

                /* Step 11.6, 11.7 */

                if (resultP.compareTo(twoLm1) > -1

                    && resultP.isProbablePrime(primeCertainty)) {

                    /* Step 11.8 */

                    BigInteger[] result = {resultP, resultQ, seed,

                                           BigInteger.valueOf(counter)};

                    return result;

                }

                /* Step 11.9 */

                offset = offset.add(BigInteger.valueOf(n)).add(BigInteger.ONE);

             }

        }

    }

    /*

     * Generates the <code>g</code> parameter for DSA.

     *

     * @param p the prime, <code>p</code>.

     * @param q the subprime, <code>q</code>.

     *

     * @param the <code>g</code>

     */

    private static BigInteger generateG(BigInteger p, BigInteger q) {

        BigInteger h = BigInteger.ONE;

        /* Step 1 */

        BigInteger pMinusOneOverQ = (p.subtract(BigInteger.ONE)).divide(q);

        BigInteger resultG = BigInteger.ONE;

        while (resultG.compareTo(BigInteger.TWO) < 0) {

            /* Step 3 */

            resultG = h.modPow(pMinusOneOverQ, p);

            h = h.add(BigInteger.ONE);

        }

        return resultG;

    }

    /*

     * Converts the result of a BigInteger.toByteArray call to an exact

     * signed magnitude representation for any positive number.

     */

    private static byte[] toByteArray(BigInteger bigInt) {

        byte[] result = bigInt.toByteArray();

        if (result[0] == 0) {

            byte[] tmp = new byte[result.length - 1];

            System.arraycopy(result, 1, tmp, 0, tmp.length);

            result = tmp;

        }

        return result;

    }

}