package packet

import (
	"bytes"
	"io"
	"math/big"

	"github.com/keybase/go-crypto/openpgp/ecdh"
	"github.com/keybase/go-crypto/openpgp/errors"
	"github.com/keybase/go-crypto/openpgp/s2k"
)

// ECDHKdfParams generates KDF parameters sequence for given
// PublicKey. See https://tools.ietf.org/html/rfc6637#section-8
func ECDHKdfParams(pub *PublicKey) []byte {
	buf := new(bytes.Buffer)
	oid := pub.ec.oid
	buf.WriteByte(byte(len(oid)))
	buf.Write(oid)
	buf.WriteByte(18) // ECDH TYPE
	pub.ecdh.serialize(buf)
	buf.WriteString("Anonymous Sender    ")
	buf.Write(pub.Fingerprint[:])
	return buf.Bytes()
}

func decryptKeyECDH(priv *PrivateKey, X, Y *big.Int, C []byte) (out []byte, err error) {
	ecdhpriv, ok := priv.PrivateKey.(*ecdh.PrivateKey)
	if !ok {
		return nil, errors.InvalidArgumentError("bad internal ECDH key")
	}

	Sx := ecdhpriv.DecryptShared(X, Y)

	kdfParams := ECDHKdfParams(&priv.PublicKey)
	hash, ok := s2k.HashIdToHash(byte(priv.ecdh.KdfHash))
	if !ok {
		return nil, errors.InvalidArgumentError("invalid hash id in private key")
	}

	key := ecdhpriv.KDF(Sx, kdfParams, hash)
	keySize := CipherFunction(priv.ecdh.KdfAlgo).KeySize()

	decrypted, err := ecdh.AESKeyUnwrap(key[:keySize], C)
	if err != nil {
		return nil, err
	}

	// We have to "read ahead" to discover real length of the
	// encryption key and properly unpad buffer.
	cipherFunc := CipherFunction(decrypted[0])
	// +3 bytes = 1-byte cipher id and checksum 2-byte checksum.
	out = ecdh.UnpadBuffer(decrypted, cipherFunc.KeySize()+3)
	if out == nil {
		return nil, errors.InvalidArgumentError("invalid padding while ECDH")
	}
	return out, nil
}

func serializeEncryptedKeyECDH(w io.Writer, rand io.Reader, header [10]byte, pub *PublicKey, keyBlock []byte) error {
	ecdhpub := pub.PublicKey.(*ecdh.PublicKey)
	kdfParams := ECDHKdfParams(pub)

	hash, ok := s2k.HashIdToHash(byte(pub.ecdh.KdfHash))
	if !ok {
		return errors.InvalidArgumentError("invalid hash id in private key")
	}

	kdfKeySize := CipherFunction(pub.ecdh.KdfAlgo).KeySize()
	Vx, Vy, C, err := ecdhpub.Encrypt(rand, kdfParams, keyBlock, hash, kdfKeySize)
	if err != nil {
		return err
	}

	mpis, mpiBitLen := ecdh.Marshal(ecdhpub.Curve, Vx, Vy)

	packetLen := len(header) /* header length in bytes */
	packetLen += 2 /* mpi length in bits */ + len(mpis)
	packetLen += 1 /* ciphertext size in bytes */ + len(C)

	err = serializeHeader(w, packetTypeEncryptedKey, packetLen)
	if err != nil {
		return err
	}

	_, err = w.Write(header[:])
	if err != nil {
		return err
	}

	_, err = w.Write([]byte{byte(mpiBitLen >> 8), byte(mpiBitLen)})
	if err != nil {
		return err
	}

	_, err = w.Write(mpis[:])
	if err != nil {
		return err
	}

	w.Write([]byte{byte(len(C))})
	w.Write(C[:])
	return nil
}