/*

 * Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies).

 * All rights reserved.

 * This component and the accompanying materials are made available

 * under the terms of the License "Eclipse Public License v1.0"

 * which accompanies this distribution, and is available

 * at the URL "http://www.eclipse.org/legal/epl-v10.html".

 *

 * Initial Contributors:

 * Nokia Corporation - initial contribution.

 *

 * Contributors:

 *

 * Description: 

 * DSA Keypair implementation

 * DSA keypair generation implementation

 *

 */

 /**

  @file

 */

 #include "dsakeypairgenimpl.h"

 #include "pluginconfig.h"

 #include "keypair.h"

 #include "common/inlines.h"    // For TClassSwap

 #include "mont.h"

 #include "sha1impl.h"

 #include <random.h>

 #include <securityerr.h>

 const TUint KShaSize = 20;

 const TUint KMinPrimeLength = 512;

 const TUint KMaxPrimeLength = 1024;

 const TUint KPrimeLengthMultiple = 64;

 using namespace SoftwareCrypto;

 /* CDSAPrimeCertificate */

 CDSAPrimeCertificate* CDSAPrimeCertificate::NewL(const TDesC8& aSeed, TUint aCounter)

 	{

 	CDSAPrimeCertificate* self = NewLC(aSeed, aCounter);

 	CleanupStack::Pop();

 	return self;

 	}

 CDSAPrimeCertificate* CDSAPrimeCertificate::NewLC(const TDesC8& aSeed, TUint aCounter)

 	{

 	CDSAPrimeCertificate* self = new(ELeave) CDSAPrimeCertificate(aCounter);

 	CleanupStack::PushL(self);

 	self->ConstructL(aSeed);

 	return self;

 	}

 const TDesC8& CDSAPrimeCertificate::Seed() const

 	{

 	return *iSeed;

 	}

 TUint CDSAPrimeCertificate::Counter() const

 	{

 	return iCounter;

 	}

 CDSAPrimeCertificate::~CDSAPrimeCertificate() 

 	{

 	delete const_cast<HBufC8*>(iSeed);

 	}

 void CDSAPrimeCertificate::ConstructL(const TDesC8& aSeed)

 	{

 	iSeed = aSeed.AllocL();

 	}

 CDSAPrimeCertificate::CDSAPrimeCertificate(TUint aCounter) 

 	: iCounter(aCounter)

 	{

 	}

 CDSAPrimeCertificate::CDSAPrimeCertificate() 

 	{

 	}

 /* CDSAKeyPairGenImpl */

 CDSAKeyPairGenImpl::CDSAKeyPairGenImpl()

 	{

 	}

 CDSAKeyPairGenImpl::~CDSAKeyPairGenImpl()

 	{

 	delete iPrimeCertificate;

 	}

 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewL()

 	{

 	CDSAKeyPairGenImpl* self = CDSAKeyPairGenImpl::NewLC();

 	CleanupStack::Pop(self);

 	return self;

 	}

 CDSAKeyPairGenImpl* CDSAKeyPairGenImpl::NewLC()

 	{

 	CDSAKeyPairGenImpl* self = new(ELeave) CDSAKeyPairGenImpl();

 	CleanupStack::PushL(self);

 	self->ConstructL();

 	return self;

 	}

 void CDSAKeyPairGenImpl::ConstructL(void)

 	{

 	CKeyPairGenImpl::ConstructL();

 	}

 CExtendedCharacteristics* CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL()

 	{

 	// All Symbian software plug-ins have unlimited concurrency, cannot be reserved

 	// for exclusive use and are not CERTIFIED to be standards compliant.

 	return CExtendedCharacteristics::NewL(KMaxTInt, EFalse);

 	}

 const CExtendedCharacteristics* CDSAKeyPairGenImpl::GetExtendedCharacteristicsL()

 	{

 	return CDSAKeyPairGenImpl::CreateExtendedCharacteristicsL();

 	}

 TUid CDSAKeyPairGenImpl::ImplementationUid() const

 	{

 	return KCryptoPluginDsaKeyPairGenUid;

 	}

 void CDSAKeyPairGenImpl::Reset()

 	{

 	// does nothing in this plugin

 	}

 TBool CDSAKeyPairGenImpl::ValidPrimeLength(TUint aPrimeBits)

 	{

 	return (aPrimeBits >= KMinPrimeLength &&

 			aPrimeBits <= KMaxPrimeLength &&

 			aPrimeBits % KPrimeLengthMultiple == 0);

 	}

 TBool CDSAKeyPairGenImpl::GeneratePrimesL(const TDesC8& aSeed,

 										 TUint& aCounter, 

 										 RInteger& aP, 

 										 TUint aL, 

 										 RInteger& aQ, 

 										 TBool aUseInputCounter)

 	{

 	//This follows the steps in FIPS 186-2 

 	//See DSS Appendix 2.2

 	//Note. Step 1 is performed prior to calling GeneratePrimesL, so that this

 	//routine can be used for both generation and validation.

 	//Step 1.  Choose an arbitrary sequence of at least 160 bits and call it

 	//SEED.  Let g be the length of SEED in bits.

 	if(!ValidPrimeLength(aL))

 		{

 		User::Leave(KErrNotSupported);

 		}

 	CSHA1Impl* sha1 = CSHA1Impl::NewL();

 	CleanupStack::PushL(sha1);

 	HBufC8* seedBuf = aSeed.AllocLC();

 	TPtr8 seed = seedBuf->Des();

 	TUint gBytes = aSeed.Size();

 	//Note that the DSS's g = BytesToBits(gBytes) ie. the number of random bits

 	//in the seed.  

 	//This function has made the assumption (for ease of computation) that g%8

 	//is 0.  Ie the seed is a whole number of random bytes.

 	TBuf8<KShaSize> U; 

 	TBuf8<KShaSize> temp; 

 	const TUint n = (aL-1)/160;

 	const TUint b = (aL-1)%160;

 	HBufC8* Wbuf = HBufC8::NewMaxLC((n+1) * KShaSize);

 	TUint8* W = const_cast<TUint8*>(Wbuf->Ptr());

 	U.Copy(sha1->Final(seed));

 	//Step 2. U = SHA-1[SEED] XOR SHA-1[(SEED+1) mod 2^g]

 	for(TInt i=gBytes - 1, carry=ETrue; i>=0 && carry; i--)

 		{

 		//!++(TUint) adds one to the current word which if it overflows to zero

 		//sets carry to 1 thus letting the loop continue.  It's a poor man's

 		//multi-word addition.  Swift eh?

 		carry = !++(seed[i]);

 		}

 	temp.Copy(sha1->Final(seed));

 	XorBuf(const_cast<TUint8*>(U.Ptr()), temp.Ptr(), KShaSize);

 	//Step 3. Form q from U by setting the most significant bit (2^159)

 	//and the least significant bit to 1.

 	U[0] |= 0x80;

 	U[KShaSize-1] |= 1;

 	aQ = RInteger::NewL(U);

 	CleanupStack::PushL(aQ);

 	//Step 4. Use a robust primality testing algo to test if q is prime

 	//The robust part is the calling codes problem.  This will use whatever

 	//random number generator you set for the thread.  To attempt FIPS 186-2

 	//compliance, set a FIPS 186-2 compliant RNG.

 	if( !aQ.IsPrimeL() )

 		{

 		//Step 5. If not exit and get a new seed

 		CleanupStack::PopAndDestroy(4, sha1);

 		return EFalse;

 		}

 	TUint counterEnd = aUseInputCounter ? aCounter+1 : 4096;

 	//Step 6. Let counter = 0 and offset = 2

 	//Note 1. that the DSS speaks of SEED + offset + k because they always

 	//refer to a constant SEED.  We update our seed as we go so the offset

 	//variable has already been added to seed in the previous iterations.

 	//Note 2. We've already added 1 to our seed, so the first time through this

 	//the offset in DSS speak will be 2.

 	for(TUint counter=0; counter < counterEnd; counter++)

 		{

 		//Step 7. For k=0, ..., n let

 		// Vk = SHA-1[(SEED + offset + k) mod 2^g]

 		//I'm storing the Vk's inside of a big W buffer.

 		for(TUint k=0; k<=n; k++)

 			{

 			for(TInt i=gBytes-1, carry=ETrue; i>=0 && carry; i--)

 				{

 				carry = !++(seed[i]);

 				}

 			if(!aUseInputCounter || counter == aCounter)

 				{

 				TPtr8 Wptr(W+(n-k)*KShaSize, gBytes);

 				Wptr.Copy(sha1->Final(seed));

 				}

 			}

 		if(!aUseInputCounter || counter == aCounter)

 			{

 			//Step 8. Let W be the integer...  and let X = W + 2^(L-1)

 			const_cast<TUint8&>((*Wbuf)[KShaSize - 1 - b/8]) |= 0x80;

 			TPtr8 Wptr(W + KShaSize - 1 - b/8, aL/8, aL/8);

 			RInteger X = RInteger::NewL(Wptr);

 			CleanupStack::PushL(X);

 			//Step 9. Let c = X mod 2q and set p = X - (c-1)

 			RInteger twoQ = aQ.TimesL(TInteger::Two());

 			CleanupStack::PushL(twoQ);

 			RInteger c = X.ModuloL(twoQ);

 			CleanupStack::PushL(c);

 			--c;

 			aP = X.MinusL(c);

 			CleanupStack::PopAndDestroy(3, &X); //twoQ, c, X

 			CleanupStack::PushL(aP);

 			//Step 10 and 11: if p >= 2^(L-1) and p is prime

 			if( aP.Bit(aL-1) && aP.IsPrimeL() )

 				{

 				aCounter = counter;

 				CleanupStack::Pop(2, &aQ);

 				CleanupStack::PopAndDestroy(3, sha1);

 				return ETrue;

 				}

 			CleanupStack::PopAndDestroy(&aP);

 			}

 		}

 	CleanupStack::PopAndDestroy(4, &sha1);

 	return EFalse;

 	}

 void CDSAKeyPairGenImpl::GenerateKeyPairL(TInt aKeySize, 

 										const CCryptoParams& aKeyParameters,

 										CKeyPair*& aKeyPair)

 	{

 	//This is the first step of DSA prime generation.  The remaining steps are

 	//performed in CDSAParameters::GeneratePrimesL

 	//Step 1.  Choose an arbitrary sequence of at least 160 bits and call it

 	//SEED.  Let g be the length of SEED in bits.	

 	TBuf8<KShaSize> seed(KShaSize);

 	TUint c;

 	RInteger p;

 	RInteger q;

 	do 

 		{

 	    TRAPD(err, GenerateRandomBytesL(seed));

 	    if((err != KErrNone) && (err != KErrNotSecure))

 	        User::Leave(err);

 		}

 	while(!GeneratePrimesL(seed, c, p, aKeySize, q));

 	//Double PushL will not fail as GeneratePrimesL uses the CleanupStack

 	//(at least one push and pop ;)

 	CleanupStack::PushL(p);

 	CleanupStack::PushL(q);

 	iPrimeCertificate = CDSAPrimeCertificate::NewL(seed, c);

 	// aKeyParameters isn't const here anymore

 	CCryptoParams& paramRef=const_cast<CCryptoParams&>(aKeyParameters);

 	paramRef.AddL(c, KDsaKeyGenerationCounterUid);

 	paramRef.AddL(seed, KDsaKeyGenerationSeedUid);

 	CMontgomeryStructure* montP = CMontgomeryStructure::NewLC(p);

 	--p;

 	// e = (p-1)/q

 	RInteger e = p.DividedByL(q);

 	CleanupStack::PushL(e);

 	--p; //now it's p-2 :)

 	RInteger h;

 	const TInteger* g = 0;

 	do

 		{

 		// find a random h | 1 < h < p-1

 		h = RInteger::NewRandomL(TInteger::Two(), p);

 		CleanupStack::PushL(h);

 		// g = h^e mod p

 		g = &(montP->ExponentiateL(h, e));

 		CleanupStack::PopAndDestroy(&h); 

 		}

 	while( *g <= TInteger::One() );

 	CleanupStack::PopAndDestroy(&e);

 	++p; //reincrement p to original value

 	++p;

 	RInteger g1 = RInteger::NewL(*g); //take a copy of montP's g

 	CleanupStack::PushL(g1);

 	--q;

 	// select random x | 0 < x < q

 	RInteger x = RInteger::NewRandomL(TInteger::One(), q);

 	CleanupStack::PushL(x);

 	++q;

 	//

 	// create the keys parameters

 	CCryptoParams* privateKeyParameters = CCryptoParams::NewLC();

 	privateKeyParameters->AddL(p, KDsaKeyParameterPUid);

 	privateKeyParameters->AddL(q, KDsaKeyParameterQUid);

 	privateKeyParameters->AddL(g1, KDsaKeyParameterGUid);

 	privateKeyParameters->AddL(x, KDsaKeyParameterXUid);

 	TKeyProperty privateKeyProperties = {KDSAKeyPairGeneratorUid, 

 										 KCryptoPluginDsaKeyPairGenUid,

 									     KDsaPrivateKeyUid, 

 									     KNonEmbeddedKeyUid};

 	CCryptoParams* publicKeyParameters = CCryptoParams::NewLC();

 	publicKeyParameters->AddL(p, KDsaKeyParameterPUid);

 	publicKeyParameters->AddL(q, KDsaKeyParameterQUid);

 	publicKeyParameters->AddL(g1, KDsaKeyParameterGUid);

 	RInteger y = RInteger::NewL(montP->ExponentiateL(*g, x));

 	CleanupStack::PushL(y);

 	publicKeyParameters->AddL(y, KDsaKeyParameterYUid);

 	TKeyProperty publicKeyProperties = {KDSAKeyPairGeneratorUid,

 										KCryptoPluginDsaKeyPairGenUid, 

 										KDsaPublicKeyUid,

 										KNonEmbeddedKeyUid};

 	//

 	// create the private key

 	//

 	CKey* privateKey = CKey::NewL(privateKeyProperties, *privateKeyParameters);

 	CleanupStack::PushL(privateKey);

 	//

 	// create the public key

 	//

 	CKey* publicKey = CKey::NewL(publicKeyProperties, *publicKeyParameters);

 	CleanupStack::PushL(publicKey);

 	aKeyPair = CKeyPair::NewL(publicKey, privateKey);

 	//publicKey, publicKeyParameters, y, privateKey, privateKeyParameters, x, g1, montP, q, p

 	CleanupStack::Pop(2, privateKey);

 	CleanupStack::PopAndDestroy(8, &p);	

 	}