// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "net/quic/crypto/channel_id.h"

#include <keythi.h>
#include <pk11pub.h>
#include <sechash.h>

using base::StringPiece;

namespace net {

// static
bool ChannelIDVerifier::Verify(StringPiece key,
                               StringPiece signed_data,
                               StringPiece signature) {
  return VerifyRaw(key, signed_data, signature, true);
}

// static
bool ChannelIDVerifier::VerifyRaw(StringPiece key,
                                  StringPiece signed_data,
                                  StringPiece signature,
                                  bool is_channel_id_signature) {
  if (key.size() != 32 * 2 ||
      signature.size() != 32 * 2) {
    return false;
  }

  SECKEYPublicKey public_key;
  memset(&public_key, 0, sizeof(public_key));

  // DER encoding of the object identifier (OID) of the named curve P-256
  // (1.2.840.10045.3.1.7). See RFC 6637 Section 11.
  static const unsigned char p256_oid[] = {
    0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
  };
  public_key.keyType = ecKey;
  public_key.u.ec.DEREncodedParams.type = siBuffer;
  public_key.u.ec.DEREncodedParams.data = const_cast<unsigned char*>(p256_oid);
  public_key.u.ec.DEREncodedParams.len = sizeof(p256_oid);

  unsigned char key_buf[65];
  key_buf[0] = 0x04;
  memcpy(&key_buf[1], key.data(), key.size());
  public_key.u.ec.publicValue.type = siBuffer;
  public_key.u.ec.publicValue.data = key_buf;
  public_key.u.ec.publicValue.len = sizeof(key_buf);

  SECItem signature_item = {
    siBuffer,
    reinterpret_cast<unsigned char*>(const_cast<char*>(signature.data())),
    static_cast<unsigned int>(signature.size())
  };

  unsigned char hash_buf[SHA256_LENGTH];
  SECItem hash_item = { siBuffer, hash_buf, sizeof(hash_buf) };

  HASHContext* sha256 = HASH_Create(HASH_AlgSHA256);
  if (!sha256) {
    return false;
  }
  HASH_Begin(sha256);
  if (is_channel_id_signature) {
    HASH_Update(sha256, reinterpret_cast<const unsigned char*>(kContextStr),
                strlen(kContextStr) + 1);
    HASH_Update(sha256,
                reinterpret_cast<const unsigned char*>(kClientToServerStr),
                strlen(kClientToServerStr) + 1);
  }
  HASH_Update(sha256,
              reinterpret_cast<const unsigned char*>(signed_data.data()),
              signed_data.size());
  HASH_End(sha256, hash_buf, &hash_item.len, sizeof(hash_buf));
  HASH_Destroy(sha256);

  return PK11_Verify(&public_key, &signature_item, &hash_item, NULL) ==
         SECSuccess;
}

}  // namespace net