/**
   SSLDHPrivateKey.java

   Copyright (C) 1999, Claymore Systems, Inc.
   All 3
   Rights Reserved.

   ekr@rtfm.com  Sun May  9 16:31:12 1999

   This package is a SSLv3/TLS implementation written by Eric Rescorla
   <ekr@rtfm.com> and licensed by Claymore Systems, Inc.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:
   1. Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
   2. Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
   3. All advertising materials mentioning features or use of this software
      must display the following acknowledgement:
      This product includes software developed by Claymore Systems, Inc.
   4. Neither the name of Claymore Systems, Inc. nor the name of Eric
      Rescorla may be used to endorse or promote products derived from this
      software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.

   $Id: SSLDHPrivateKey.java,v 1.1.1.1 2003/05/09 20:36:14 gawor Exp $

*/


package COM.claymoresystems.ptls;

import java.security.SecureRandom;
import java.math.BigInteger;

import COM.claymoresystems.crypto.DHPrivateKey;
import COM.claymoresystems.crypto.DHPublicKey;

public class SSLDHPrivateKey extends DHPrivateKey
{
     private SecureRandom rand;
     private static int PRIME_CERTAINTY=80;
     
     public void initPrivateKey(BigInteger g_,BigInteger p_,SecureRandom rand_){
       g=g_;
       p=p_;
       rand=rand_;
       generatePrivate();
     }

/** Generate a DH private key.

    We generate the parameters in one of two modes:
    1. If sg is false, then we simply generate a large p
       and check that it's a generator using the trick of
       checking the p % 24 == 11 (From Phil Karn via OpenSSL).

    2. If sg is true, then we generate Sophie-Germain primes
       according to the procedures
       of RFC2412, except that our p is chosen randomly rather
       than via pi. 
    
    The text from RFC2412 describing the virtues of this procedure
    follows:

   The primes for groups 1 and 2 were selected to have certain
   properties.  The high order 64 bits are forced to 1.  This helps the
   classical remainder algorithm, because the trial quotient digit can
   always be taken as the high order word of the dividend, possibly +1.
   The low order 64 bits are forced to 1.  This helps the Montgomery-
   style remainder algorithms, because the multiplier digit can always
   be taken to be the low order word of the dividend.  The middle bits
   are taken from the binary expansion of pi.  This guarantees that they
   are effectively random, while avoiding any suspicion that the primes
   have secretly been selected to be weak.

   Because both primes are based on pi, there is a large section of
   overlap in the hexadecimal representations of the two primes.  The
   primes are chosen to be Sophie Germain primes (i.e., (P-1)/2 is also
   prime), to have the maximum strength against the square-root attack
   on the discrete logarithm problem.

   The starting trial numbers were repeatedly incremented by 2^64 until
   suitable primes were located.

   Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
   residue of each prime.  All powers of 2 will also be quadratic
   residues.  This prevents an opponent from learning the low order bit
   of the Diffie-Hellman exponent (AKA the subgroup confinement
   problem).  Using 2 as a generator is efficient for some modular
   exponentiation algorithms.  [Note that 2 is technically not a
   generator in the number theory sense, because it omits half of the
   possible residues mod P.  From a cryptographic viewpoint, this is a
   virtue.]
*/    
     public void initPrivateKey(SecureRandom rand_,int keylength,boolean sg){
       BigInteger p_tmp=null;
       BigInteger q;
       BigInteger padd=null;
       BigInteger twofer=new BigInteger("24");
       BigInteger eleven=new BigInteger("11");
       BigInteger zero=new BigInteger("0");
       
       if((keylength%8)!=0)
	 throw new InternalError("keylength must be a multiple of 8");

       if(keylength<768)
	 throw new InternalError("Keylength must be minimum 768");

       int l=keylength/8; // length in bytes
       byte[] p_bytes=new byte[l];

       if(sg){
	 rand_.nextBytes(p_bytes);
	 
	 // Set the top and bottom 64 bits to 1
	 for(int i=0;i<8;i++){
	   p_bytes[i]=(byte)0xff;
	   p_bytes[l-(i+1)]=(byte)0xff;
	 }
	 
	 // We'll Increment by 2^64
	 BigInteger padd_tmp=new BigInteger("0");
	 padd=padd_tmp.setBit(64);
	 p_tmp=new BigInteger(1,p_bytes);
       }
       
       g=new BigInteger("2");
       
       do {
	 BigInteger p_hold;

	 // Generate Sophie-Germain primes
	 if(sg){
	   p_hold=p_tmp.add(padd);;
	   p_tmp=p_hold;

	   // Quickly check if p is prime
	   if(!p_tmp.isProbablePrime(2))
	     continue;
	   SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"p passes quick check");
	   q=p_tmp.shiftRight(1);
	   if(!q.isProbablePrime(PRIME_CERTAINTY))
	     continue;
	   SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"q is prime");	   
	 }
	 else{
	   rand_.nextBytes(p_bytes);
	   p_bytes[0]|=(byte)0x80;
	   p_bytes[l-1]|=1;
	   
	   p_tmp=new BigInteger(1,p_bytes);

	   // Arrange that p % 24==11
	   BigInteger md=p_tmp.mod(twofer);
	   BigInteger tmp=p_tmp.subtract(md);
	   p_tmp=eleven.add(tmp);
	 }

	 SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"p candidate",
	   p_tmp.toByteArray());
	 
	 if(!p_tmp.isProbablePrime(PRIME_CERTAINTY)){
	   SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"p not prime");
	   continue;
	 }

	 break;
       } while(true);
       
       rand=rand_;
       p=p_tmp;

       BigInteger mod24=p.mod(twofer);
       SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"P is prime"+
         p.isProbablePrime(PRIME_CERTAINTY)+"mod 24="+mod24);
       SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,
	 "p",p.toByteArray());

       generatePrivate();
     }
     
     public byte[] keyAgree(DHPublicKey pub,boolean check){
       BigInteger pY;
       BigInteger pg;
       BigInteger pp;

       if(check){
	 pp=pub.getp();
	 pg=pub.getg();

	 if(pg!=null || pp != null){
	   if(g.compareTo(pg)!=0)
	     throw new Error("DH parameters don't match (g)");
	   if(p.compareTo(pp)!=0)
	     throw new Error("DH parameters don't match (p)");
	 }
       }
       
       pY=pub.getY();

       return toBytes(pY.modPow(X,p));
     }
       
     private void generatePrivate(){
       int bits=p.bitLength();
       int bytelen=bits/8;
       int bitr=bits%8;
       int shift;

       if(bitr>0) bytelen++;
       
       byte[] buf=new byte[bytelen];

       // We want to make a number with the high bit low and
       // the others preserved
       rand.nextBytes(buf);

       shift=(bitr>0)?8-bitr:1;
       buf[0] &= (byte)(0xff>>shift);

       X=new BigInteger(1,buf);
       SSLDebug.debug(SSLDebug.DEBUG_CRYPTO,"DH private",buf);
       Y=g.modPow(X,p);
     }
}