// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package wycheproof

import (
	"crypto/rsa"
	"testing"
)

func TestRsaPss(t *testing.T) {
	// KeyJwk Public key in JWK format
	type KeyJwk struct {
	}

	// Notes a description of the labels used in the test vectors
	type Notes struct {
	}

	// SignatureTestVector
	type SignatureTestVector struct {

		// A brief description of the test case
		Comment string `json:"comment,omitempty"`

		// A list of flags
		Flags []string `json:"flags,omitempty"`

		// The message to sign
		Msg string `json:"msg,omitempty"`

		// Test result
		Result string `json:"result,omitempty"`

		// A signature for msg
		Sig string `json:"sig,omitempty"`

		// Identifier of the test case
		TcId int `json:"tcId,omitempty"`
	}

	// RsassaPkcs1TestGroup
	type RsassaPkcs1TestGroup struct {

		// The private exponent
		D string `json:"d,omitempty"`

		// The public exponent
		E string `json:"e,omitempty"`

		// ASN encoding of the sequence [n, e]
		KeyAsn string `json:"keyAsn,omitempty"`

		// ASN encoding of the public key
		KeyDer string `json:"keyDer,omitempty"`

		// Public key in JWK format
		KeyJwk *KeyJwk `json:"keyJwk,omitempty"`

		// Pem encoded public key
		KeyPem string `json:"keyPem,omitempty"`

		// the size of the modulus in bits
		KeySize int `json:"keySize,omitempty"`

		// The modulus of the key
		N string `json:"n,omitempty"`

		// The salt length
		SLen int `json:"sLen,omitempty"`

		// the hash function used for the message
		Sha   string                 `json:"sha,omitempty"`
		Tests []*SignatureTestVector `json:"tests,omitempty"`
		Type  interface{}            `json:"type,omitempty"`
	}

	// Root
	type Root struct {

		// the primitive tested in the test file
		Algorithm string `json:"algorithm,omitempty"`

		// the version of the test vectors.
		GeneratorVersion string `json:"generatorVersion,omitempty"`

		// additional documentation
		Header []string `json:"header,omitempty"`

		// a description of the labels used in the test vectors
		Notes *Notes `json:"notes,omitempty"`

		// the number of test vectors in this test
		NumberOfTests int                     `json:"numberOfTests,omitempty"`
		Schema        interface{}             `json:"schema,omitempty"`
		TestGroups    []*RsassaPkcs1TestGroup `json:"testGroups,omitempty"`
	}

	flagsShouldPass := map[string]bool{
		// A signature using a weaker hash than the EC params is not a security risk, as long as the hash is secure.
		// https://www.imperialviolet.org/2014/05/25/strengthmatching.html
		"WeakHash": true,
	}

	// filesOverrideToPassZeroSLen is a map of all test files
	// and which TcIds that should be overridden to pass if the
	// rsa.PSSOptions.SaltLength is zero.
	// These tests expect a failure with a PSSOptions.SaltLength: 0
	// and a signature that uses a different salt length. However,
	// a salt length of 0 is defined as rsa.PSSSaltLengthAuto which
	// works deterministically to auto-detect the length when
	// verifying, so these tests actually pass as they should.
	filesOverrideToPassZeroSLen := map[string][]int{
		"rsa_pss_2048_sha1_mgf1_20_test.json":   []int{46, 47},
		"rsa_pss_2048_sha256_mgf1_0_test.json":  []int{67, 68},
		"rsa_pss_2048_sha256_mgf1_32_test.json": []int{67, 68},
		"rsa_pss_3072_sha256_mgf1_32_test.json": []int{67, 68},
		"rsa_pss_4096_sha256_mgf1_32_test.json": []int{67, 68},
		"rsa_pss_4096_sha512_mgf1_32_test.json": []int{136, 137},
		// "rsa_pss_misc_test.json": nil,  // TODO: This ones seems to be broken right now, but can enable later on.
	}

	if !boringcryptoEnabled {
		// boringcrypto doesn't support the truncated SHA-512 hashes, so only
		// test them if boringcrypto isn't enabled.
		filesOverrideToPassZeroSLen["rsa_pss_2048_sha512_256_mgf1_28_test.json"] = []int{13, 14, 15}
		filesOverrideToPassZeroSLen["rsa_pss_2048_sha512_256_mgf1_32_test.json"] = []int{13, 14}
	}

	for f := range filesOverrideToPassZeroSLen {
		var root Root
		readTestVector(t, f, &root)
		for _, tg := range root.TestGroups {
			pub := decodePublicKey(tg.KeyDer).(*rsa.PublicKey)
			ch := parseHash(tg.Sha)
			h := ch.New()
			opts := &rsa.PSSOptions{
				Hash:       ch,
				SaltLength: rsa.PSSSaltLengthAuto,
			}
			// Run all the tests twice: the first time with the salt length
			// as PSSSaltLengthAuto, and the second time with the salt length
			// explictily set to tg.SLen.
			for i := 0; i < 2; i++ {
				for _, sig := range tg.Tests {
					h.Reset()
					h.Write(decodeHex(sig.Msg))
					hashed := h.Sum(nil)
					err := rsa.VerifyPSS(pub, ch, hashed, decodeHex(sig.Sig), opts)
					want := shouldPass(sig.Result, sig.Flags, flagsShouldPass)
					if opts.SaltLength == 0 {
						for _, id := range filesOverrideToPassZeroSLen[f] {
							if sig.TcId == id {
								want = true
								break
							}
						}
					}
					if (err == nil) != want {
						t.Errorf("file: %v, tcid: %d, type: %s, opts.SaltLength: %v, comment: %q, wanted success: %t", f, sig.TcId, sig.Result, opts.SaltLength, sig.Comment, want)
					}
				}
				// Update opts.SaltLength for the second run of the tests.
				opts.SaltLength = tg.SLen
			}
		}
	}
}