/*
 *
 * Copyright (c) 2013 - 2017 Lijun Liao
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License version 3
 * as published by the Free Software Foundation with the addition of the
 * following permission added to Section 15 as permitted in Section 7(a):
 *
 * FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
 * THE AUTHOR LIJUN LIAO. LIJUN LIAO DISCLAIMS THE WARRANTY OF NON INFRINGEMENT
 * OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License.
 *
 * You can be released from the requirements of the license by purchasing
 * a commercial license. Buying such a license is mandatory as soon as you
 * develop commercial activities involving the XiPKI software without
 * disclosing the source code of your own applications.
 *
 * For more information, please contact Lijun Liao at this
 * address: lijun.liao@gmail.com
 */

package org.xipki.commons.security.pkcs11.emulator;

import java.io.IOException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.OutputEncryptor;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfoBuilder;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
import org.bouncycastle.pkcs.jcajce.JcePKCSPBEOutputEncryptorBuilder;
import org.xipki.commons.common.util.ParamUtil;
import org.xipki.commons.security.exception.P11TokenException;

/**
 * @author Lijun Liao
 * @since 2.0.0
 */

class PrivateKeyCryptor {
    private static final ASN1ObjectIdentifier ALGO =
            PKCSObjectIdentifiers.pbeWithSHAAnd2_KeyTripleDES_CBC;
    private static final int ITERATION_COUNT = 2048;

    private OutputEncryptor encryptor;
    private InputDecryptorProvider decryptorProvider;

    PrivateKeyCryptor(final char[] password) throws P11TokenException {
        ParamUtil.requireNonNull("password", password);
        JcePKCSPBEOutputEncryptorBuilder eb = new JcePKCSPBEOutputEncryptorBuilder(ALGO);
        eb.setProvider("BC");
        eb.setIterationCount(ITERATION_COUNT);
        try {
            encryptor = eb.build(password);
        } catch (OperatorCreationException ex) {
            throw new P11TokenException(ex.getMessage(), ex);
        }

        JcePKCSPBEInputDecryptorProviderBuilder db = new JcePKCSPBEInputDecryptorProviderBuilder();
        decryptorProvider = db.build(password);
    }

    PrivateKey decrypt(final PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo)
            throws P11TokenException {
        ParamUtil.requireNonNull("encryptedPrivateKeyInfo", encryptedPrivateKeyInfo);
        PrivateKeyInfo privateKeyInfo;
        synchronized (decryptorProvider) {
            try {
                privateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(decryptorProvider);
            } catch (PKCSException ex) {
                throw new P11TokenException(ex.getMessage(), ex);
            }
        }

        AlgorithmIdentifier keyAlg = privateKeyInfo.getPrivateKeyAlgorithm();
        ASN1ObjectIdentifier keyAlgOid = keyAlg.getAlgorithm();

        String algoName;
        if (PKCSObjectIdentifiers.rsaEncryption.equals(keyAlgOid)) {
            algoName = "RSA";
        } else if (X9ObjectIdentifiers.id_dsa.equals(keyAlgOid)) {
            algoName = "DSA";
        } else if (X9ObjectIdentifiers.id_ecPublicKey.equals(keyAlgOid)) {
            algoName = "EC";
        } else {
            throw new P11TokenException("unknown private key algorithm " + keyAlgOid.getId());
        }

        try {
            KeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded());
            KeyFactory keyFactory = KeyFactory.getInstance(algoName, "BC");
            return keyFactory.generatePrivate(keySpec);
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException
                | InvalidKeySpecException ex) {
            throw new P11TokenException(ex.getClass().getName() + ": " + ex.getMessage(), ex);
        }
    }

    PKCS8EncryptedPrivateKeyInfo encrypt(final PrivateKey privateKey) {
        ParamUtil.requireNonNull("privateKey", privateKey);
        PrivateKeyInfo privateKeyInfo = PrivateKeyInfo.getInstance(privateKey.getEncoded());
        PKCS8EncryptedPrivateKeyInfoBuilder builder = new PKCS8EncryptedPrivateKeyInfoBuilder(
                privateKeyInfo);
        synchronized (encryptor) {
            return builder.build(encryptor);
        }
    }

}