/* rsassa_pkcs1v15.c */
/*
    This file is part of the ARM-Crypto-Lib.
    Copyright (C) 2006-2012 Daniel Otte (daniel.otte@rub.de)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "rsa_basic.h"
#include "bigint.h"
#include "rsassa_pkcs1v15.h"

#include "cli.h"

const uint8_t md5_prefix[] =
{ 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
  0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
  0x04, 0x10
};

const pkcs1v15_algo_prefix_t pkcs1v15_md5_prefix = {
	18, md5_prefix
};

const uint8_t sha1_prefix[] =
{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
  0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};

const pkcs1v15_algo_prefix_t pkcs1v15_sha1_prefix = {
	15, sha1_prefix
};

const uint8_t sha224_prefix[] =
{ 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
  0x00, 0x04, 0x1c
};

const pkcs1v15_algo_prefix_t pkcs1v15_sha224_prefix = {
	19, sha224_prefix
};

const uint8_t sha256_prefix[] =
{ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
  0x00, 0x04, 0x20
};

const pkcs1v15_algo_prefix_t pkcs1v15_sha256_prefix = {
	19, sha256_prefix
};

const uint8_t sha384_prefix[] =
{ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
  0x00, 0x04, 0x30
};

const pkcs1v15_algo_prefix_t pkcs1v15_sha384_prefix = {
	19, sha384_prefix
};

const uint8_t sha512_prefix[] =
{ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
  0x00, 0x04, 0x40
};

const pkcs1v15_algo_prefix_t pkcs1v15_sha512_prefix = {
	19, sha512_prefix
};
/*

MD2:     (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 02 05 00 04 10
MD5:     (0x)30 20 30 0c 06 08 2a 86 48 86 f7 0d 02 05 05 00 04 10
SHA-1:   (0x)30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14
SHA-224: (0x)30 2d 30 0d 06 09 60 86 48 01 65 03 04 02 04 05 00 04 1c
SHA-256: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
SHA-384: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 02 05 00 04 30
SHA-512: (0x)30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40

*/

static
uint8_t emsa_pkcs1v15_encode(void* dest, uint16_t dest_length_B, const void* hash,
		uint16_t hash_length_B, const pkcs1v15_algo_prefix_t* algo_prefix){
	uint16_t ps_length;

	if(dest_length_B < algo_prefix->length + hash_length_B + 3 + 8){
		return 1;
	}
	ps_length = dest_length_B - (algo_prefix->length + hash_length_B + 3);
	((uint8_t*)dest)[0] = 0x00;
	((uint8_t*)dest)[1] = 0x01;
	((uint8_t*)dest)[2 + ps_length] = 0x00;
	memset((uint8_t*)dest + 2, 0xff, ps_length);
	memcpy((uint8_t*)dest + 3 + ps_length, algo_prefix->data, algo_prefix->length);
	memcpy((uint8_t*)dest + 3 + ps_length + algo_prefix->length, hash, hash_length_B);
	return 0;
}

uint8_t rsa_sign_pkcs1v15(void* dest, uint16_t* out_length_B, const void* hash,
		uint16_t hash_length_B, const rsa_privatekey_t* key,
		const pkcs1v15_algo_prefix_t* algo_prefix){
	uint8_t r;
	uint16_t modulus_length;
	bigint_t x;
	modulus_length = bigint_get_first_set_bit(&key->modulus) / 8 + 1;
	r = emsa_pkcs1v15_encode(dest, modulus_length, hash, hash_length_B, algo_prefix);
	if(r){
		return r;
	}
	x.wordv = dest;
	rsa_os2ip(&x, NULL, modulus_length);
	rsa_dec(&x, key);
	rsa_i2osp(NULL, &x, out_length_B);

	return 0;
}


uint8_t rsa_verify_pkcs1v15(const void* signature, uint16_t signature_length_B,
		const void* hash, uint16_t hash_length_B, const rsa_publickey_t* key,
		const pkcs1v15_algo_prefix_t* algo_prefix){
	uint16_t modulus_length;
	uint16_t signature_em_length, ps_length;
	bigint_t x;

	modulus_length = bigint_get_first_set_bit(&key->modulus) / 8 + 1;
#if PREFERE_HEAP
	uint8_t *buffer;
	buffer = malloc(bigint_length_B(&key->modulus));
	if(!buffer){
		return 0x80;
	}
#else
	uint8_t buffer[bigint_length_B(&key->modulus)];
#endif
/*
	cli_putstr("\r\nDBG: signature_length_B: 0x");
	cli_hexdump_rev(&signature_length_B, 2);
	cli_putstr("\r\nDBG: modulus_length_B: 0x");
	cli_hexdump_rev(&modulus_length, 2);
*/
	x.wordv = (bigint_word_t*)buffer;
	rsa_os2ip(&x, signature, signature_length_B);
	rsa_enc(&x, key);
	rsa_i2osp(NULL, &x, &signature_em_length);
/*
	cli_putstr("\r\nDBG: signature_em_length_B: 0x");
	cli_hexdump_rev(&signature_em_length, 2);
*/
	if(signature_em_length + 1 != modulus_length){
		return 1;
	}
	if(memcmp(buffer + modulus_length - hash_length_B - 1, hash, hash_length_B)){
		return 2;
	}
	ps_length = modulus_length - (algo_prefix->length + hash_length_B + 3);
	if((int16_t)ps_length < 8){
		return 3;
	}
	if(memcmp(buffer + 2 + ps_length, algo_prefix->data, algo_prefix->length)){
		return 4;
	}
	if(buffer[0] != 1){
		return 6;
	}
	if(buffer[1 + ps_length] != 0){
		return 7;
	}
	do{
		if(buffer[ps_length] != 0xff){
			return 8;
		}
	}while(--ps_length);
#if PREFERE_HEAP
	free(buffer);
#endif

	return 0;
}