// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package wycheproof

import (
	"crypto/ecdsa"
	"math/big"
	"testing"

	"golang.org/x/crypto/cryptobyte"
	"golang.org/x/crypto/cryptobyte/asn1"
)

func TestECDSA(t *testing.T) {
	type ASNSignatureTestVector struct {
		// A brief description of the test case
		Comment string `json:"comment"`
		// A list of flags
		Flags []string `json:"flags"`
		// The message to sign
		Msg string `json:"msg"`
		// Test result
		Result string `json:"result"`
		// An ASN.1 encoded signature for msg
		Sig string `json:"sig"`
		// Identifier of the test case
		TcID int `json:"tcId"`
	}

	type ECPublicKey struct {
		// The EC group used by this public key
		Curve interface{} `json:"curve"`
	}

	type ECDSATestGroup struct {
		// Unencoded EC public key
		Key *ECPublicKey `json:"key"`
		// DER encoded public key
		KeyDER string `json:"keyDer"`
		// the hash function used for ECDSA
		SHA   string                    `json:"sha"`
		Tests []*ASNSignatureTestVector `json:"tests"`
	}

	type Root struct {
		TestGroups []*ECDSATestGroup `json:"testGroups"`
	}

	flagsShouldPass := map[string]bool{
		// An encoded ASN.1 integer missing a leading zero is invalid, but
		// accepted by some implementations.
		"MissingZero": false,
		// A signature using a weaker hash than the EC params is not a security
		// risk, as long as the hash is secure.
		// https://www.imperialviolet.org/2014/05/25/strengthmatching.html
		"WeakHash": true,
	}

	// supportedCurves is a map of all elliptic curves supported
	// by crypto/elliptic, which can subsequently be parsed and tested.
	supportedCurves := map[string]bool{
		"secp224r1": true,
		"secp256r1": true,
		"secp384r1": true,
		"secp521r1": true,
	}

	var root Root
	readTestVector(t, "ecdsa_test.json", &root)
	for _, tg := range root.TestGroups {
		curve := tg.Key.Curve.(string)
		if !supportedCurves[curve] {
			continue
		}
		pub := decodePublicKey(tg.KeyDER).(*ecdsa.PublicKey)
		h := parseHash(tg.SHA).New()
		for _, sig := range tg.Tests {
			h.Reset()
			h.Write(decodeHex(sig.Msg))
			hashed := h.Sum(nil)
			sigBytes := decodeHex(sig.Sig)
			got := ecdsa.VerifyASN1(pub, hashed, sigBytes)
			if want := shouldPass(sig.Result, sig.Flags, flagsShouldPass); got != want {
				t.Errorf("tcid: %d, type: %s, comment: %q, VerifyASN1 wanted success: %t", sig.TcID, sig.Result, sig.Comment, want)
			}

			var r, s big.Int
			var inner cryptobyte.String
			input := cryptobyte.String(sigBytes)
			if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
				!input.Empty() ||
				!inner.ReadASN1Integer(&r) ||
				!inner.ReadASN1Integer(&s) ||
				!inner.Empty() {
				continue
			}
			got = ecdsa.Verify(pub, hashed, &r, &s)
			if want := shouldPass(sig.Result, sig.Flags, flagsShouldPass); got != want {
				t.Errorf("tcid: %d, type: %s, comment: %q, Verify wanted success: %t", sig.TcID, sig.Result, sig.Comment, want)
			}
		}
	}
}