// Copyright 2017 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package google.registry.rde;

import static com.google.common.base.Preconditions.checkArgument;
import static org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags.AES_128;
import static org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;

import google.registry.util.ImprovedOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.util.Collection;
import javax.annotation.WillNotClose;
import org.bouncycastle.openpgp.PGPEncryptedDataGenerator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.operator.jcajce.JcePGPDataEncryptorBuilder;
import org.bouncycastle.openpgp.operator.jcajce.JcePublicKeyKeyEncryptionMethodGenerator;

/**
 * OpenPGP encryption service that wraps an {@link OutputStream}.
 *
 * <p>This uses 128-bit AES (Rijndael) as the symmetric encryption algorithm. This is the only key
 * strength ICANN allows. The other valid algorithms are TripleDES and CAST5 per RFC 4880. It's
 * probably for the best that we're not using AES-256 since it's been weakened over the years to
 * potentially being worse than AES-128.
 *
 * <p>The key for the symmetric algorithm is generated by a random number generator which SHOULD
 * come from {@code /dev/random} (see: {@link sun.security.provider.NativePRNG}) but Java doesn't
 * offer any guarantees that {@link SecureRandom} isn't pseudo-random.
 *
 * <p>The asymmetric algorithm is whatever one is associated with the {@link PGPPublicKey} object
 * you provide. That should be either RSA or DSA, per the ICANN escrow spec. The underlying
 * {@link PGPEncryptedDataGenerator} class uses PGP Cipher Feedback Mode to chain blocks. No
 * integrity packet is used.
 *
 * @see <a href="http://tools.ietf.org/html/rfc4880">RFC 4880 (OpenPGP Message Format)</a>
 * @see <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES (Wikipedia)</a>
 */
public class RydePgpEncryptionOutputStream extends ImprovedOutputStream {

  private static final int BUFFER_SIZE = 64 * 1024;

  /**
   * The symmetric encryption algorithm to use. Do not change this value without checking the
   * RFCs to make sure the encryption algorithm and strength combination is allowed.
   *
   * @see org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags
   */
  private static final int CIPHER = AES_128;

  /**
   * This option adds an additional checksum to the OpenPGP message. From what I can tell, this is
   * meant to fix a bug that made a certain type of message tampering possible. GPG will actually
   * complain on the command line when decrypting a message without this feature.
   *
   * <p>However I'm reasonably certain that this is not required if you have a signature (and
   * remember to use it!) and the ICANN requirements document do not mention this. So we're going
   * to leave it out.
   */
  private static final boolean USE_INTEGRITY_PACKET = false;

  /**
   * The source of random bits. This should not be changed at Google because it uses dev random
   * in production, and the testing environment is configured to make this go fast and not drain
   * system entropy.
   *
   * @see SecureRandom#getInstance(String)
   */
  private static final String RANDOM_SOURCE = "NativePRNG";

  /**
   * Creates a new instance that encrypts data for the owner of {@code receiverKey}.
   *
   * @param os is the upstream {@link OutputStream} which is not closed by this object
   * @throws IllegalArgumentException if {@code publicKey} is invalid
   * @throws RuntimeException to rethrow {@link PGPException} and {@link IOException}
   */
  public RydePgpEncryptionOutputStream(
      @WillNotClose OutputStream os,
      Collection<PGPPublicKey> receiverKeys) {
    super("RydePgpEncryptionOutputStream", createDelegate(os, receiverKeys));
  }

  private static OutputStream createDelegate(
      OutputStream os, Collection<PGPPublicKey> receiverKeys) {
    try {
      PGPEncryptedDataGenerator encryptor = new PGPEncryptedDataGenerator(
          new JcePGPDataEncryptorBuilder(CIPHER)
              .setWithIntegrityPacket(USE_INTEGRITY_PACKET)
              .setSecureRandom(SecureRandom.getInstance(RANDOM_SOURCE))
              .setProvider(PROVIDER_NAME));
      checkArgument(!receiverKeys.isEmpty(), "Must give at least one receiver key");
      receiverKeys.forEach(
          key -> encryptor.addMethod(new JcePublicKeyKeyEncryptionMethodGenerator(key)));
      return encryptor.open(os, new byte[BUFFER_SIZE]);
    } catch (NoSuchAlgorithmException e) {
      throw new ProviderException(e);
    } catch (IOException | PGPException e) {
      throw new RuntimeException(e);
    }
  }
}