/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License
 */

package com.android.server.backup.utils;

import static com.android.server.backup.RefactoredBackupManagerService.TAG;

import android.util.Slog;

import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Passwords related utility methods.
 */
public class PasswordUtils {
    // Configuration of PBKDF2 that we use for generating pw hashes and intermediate keys
    public static final int PBKDF2_HASH_ROUNDS = 10000;
    private static final int PBKDF2_KEY_SIZE = 256;     // bits
    public static final int PBKDF2_SALT_SIZE = 512;    // bits
    public static final String ENCRYPTION_ALGORITHM_NAME = "AES-256";

    /**
     * Creates {@link SecretKey} instance from given parameters.
     *
     * @param algorithm - key generation algorithm.
     * @param pw - password.
     * @param salt - salt.
     * @param rounds - number of rounds to run in key generation.
     * @return {@link SecretKey} instance or null in case of an error.
     */
    public static SecretKey buildPasswordKey(String algorithm, String pw, byte[] salt, int rounds) {
        return buildCharArrayKey(algorithm, pw.toCharArray(), salt, rounds);
    }

    /**
     * Generates {@link SecretKey} instance from given parameters and returns it's hex
     * representation.
     *
     * @param algorithm - key generation algorithm.
     * @param pw - password.
     * @param salt - salt.
     * @param rounds - number of rounds to run in key generation.
     * @return Hex representation of the generated key, or null if generation failed.
     */
    public static String buildPasswordHash(String algorithm, String pw, byte[] salt, int rounds) {
        SecretKey key = buildPasswordKey(algorithm, pw, salt, rounds);
        if (key != null) {
            return byteArrayToHex(key.getEncoded());
        }
        return null;
    }

    /**
     * Creates hex string representation of the byte array.
     */
    public static String byteArrayToHex(byte[] data) {
        StringBuilder buf = new StringBuilder(data.length * 2);
        for (int i = 0; i < data.length; i++) {
            buf.append(Byte.toHexString(data[i], true));
        }
        return buf.toString();
    }

    /**
     * Creates byte array from it's hex string representation.
     */
    public static byte[] hexToByteArray(String digits) {
        final int bytes = digits.length() / 2;
        if (2 * bytes != digits.length()) {
            throw new IllegalArgumentException("Hex string must have an even number of digits");
        }

        byte[] result = new byte[bytes];
        for (int i = 0; i < digits.length(); i += 2) {
            result[i / 2] = (byte) Integer.parseInt(digits.substring(i, i + 2), 16);
        }
        return result;
    }

    /**
     * Generates {@link SecretKey} instance from given parameters and returns it's checksum.
     *
     * Current implementation returns the key in its primary encoding format.
     *
     * @param algorithm - key generation algorithm.
     * @param pwBytes - password.
     * @param salt - salt.
     * @param rounds - number of rounds to run in key generation.
     * @return Hex representation of the generated key, or null if generation failed.
     */
    public static byte[] makeKeyChecksum(String algorithm, byte[] pwBytes, byte[] salt,
            int rounds) {
        char[] mkAsChar = new char[pwBytes.length];
        for (int i = 0; i < pwBytes.length; i++) {
            mkAsChar[i] = (char) pwBytes[i];
        }

        Key checksum = buildCharArrayKey(algorithm, mkAsChar, salt, rounds);
        return checksum.getEncoded();
    }

    private static SecretKey buildCharArrayKey(String algorithm, char[] pwArray, byte[] salt,
            int rounds) {
        try {
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm);
            KeySpec ks = new PBEKeySpec(pwArray, salt, rounds, PBKDF2_KEY_SIZE);
            return keyFactory.generateSecret(ks);
        } catch (InvalidKeySpecException e) {
            Slog.e(TAG, "Invalid key spec for PBKDF2!");
        } catch (NoSuchAlgorithmException e) {
            Slog.e(TAG, "PBKDF2 unavailable!");
        }
        return null;
    }
}