package keys

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"

	"github.com/theupdateframework/go-tuf/data"
	. "gopkg.in/check.v1"
)

type DeprecatedECDSASuite struct{}

var _ = Suite(DeprecatedECDSASuite{})

type deprecatedEcdsaSigner struct {
	*ecdsa.PrivateKey
}

type deprecatedEcdsaPublic struct {
	PublicKey data.HexBytes `json:"public"`
}

func (s deprecatedEcdsaSigner) PublicData() *data.PublicKey {
	pub := s.Public().(*ecdsa.PublicKey)
	keyValBytes, _ := json.Marshal(deprecatedEcdsaPublic{
		PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
	return &data.PublicKey{
		Type:       data.KeyTypeECDSA_SHA2_P256,
		Scheme:     data.KeySchemeECDSA_SHA2_P256,
		Algorithms: data.HashAlgorithms,
		Value:      keyValBytes,
	}
}

func (s deprecatedEcdsaSigner) SignMessage(message []byte) ([]byte, error) {
	hash := sha256.Sum256(message)
	return s.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256)
}

func (s deprecatedEcdsaSigner) ContainsID(id string) bool {
	return s.PublicData().ContainsID(id)
}

func (deprecatedEcdsaSigner) MarshalPrivateKey() (*data.PrivateKey, error) {
	return nil, errors.New("not implemented for test")
}

func (deprecatedEcdsaSigner) UnmarshalPrivateKey(key *data.PrivateKey) error {
	return errors.New("not implemented for test")
}

func generatedDeprecatedSigner() (*deprecatedEcdsaSigner, error) {
	privkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &deprecatedEcdsaSigner{privkey}, nil
}

func (DeprecatedECDSASuite) TestSignVerifyDeprecatedFormat(c *C) {
	// Create an ecdsa key with a deprecated format.
	signer, err := generatedDeprecatedSigner()
	c.Assert(err, IsNil)
	msg := []byte("foo")
	sig, err := signer.SignMessage(msg)
	c.Assert(err, IsNil)

	pub := signer.PublicKey

	keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
	c.Assert(err, IsNil)
	publicData := &data.PublicKey{
		Type:       data.KeyTypeECDSA_SHA2_P256,
		Scheme:     data.KeySchemeECDSA_SHA2_P256,
		Algorithms: data.HashAlgorithms,
		Value:      keyValBytes,
	}

	deprecatedEcdsa := NewDeprecatedEcdsaVerifier()
	err = deprecatedEcdsa.UnmarshalPublicKey(publicData)
	c.Assert(err, IsNil)
	c.Assert(deprecatedEcdsa.Verify(msg, sig), IsNil)
}

func (DeprecatedECDSASuite) TestECDSAVerifyMismatchMessage(c *C) {
	signer, err := generatedDeprecatedSigner()
	c.Assert(err, IsNil)
	msg := []byte("foo")
	sig, err := signer.SignMessage(msg)
	c.Assert(err, IsNil)
	publicData := signer.PublicData()
	deprecatedEcdsa := NewDeprecatedEcdsaVerifier()
	err = deprecatedEcdsa.UnmarshalPublicKey(publicData)
	c.Assert(err, IsNil)
	c.Assert(deprecatedEcdsa.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: deprecated ecdsa signature verification failed")
}

func (DeprecatedECDSASuite) TestECDSAVerifyMismatchPubKey(c *C) {
	signer, err := generatedDeprecatedSigner()
	c.Assert(err, IsNil)
	msg := []byte("foo")
	sig, err := signer.SignMessage(msg)
	c.Assert(err, IsNil)

	signerNew, err := generatedDeprecatedSigner()
	c.Assert(err, IsNil)
	deprecatedEcdsa := NewDeprecatedEcdsaVerifier()
	err = deprecatedEcdsa.UnmarshalPublicKey(signerNew.PublicData())
	c.Assert(err, IsNil)
	c.Assert(deprecatedEcdsa.Verify([]byte("notfoo"), sig), ErrorMatches, "tuf: deprecated ecdsa signature verification failed")
}

func (DeprecatedECDSASuite) TestMarshalUnmarshalPublicKey(c *C) {
	signer, err := generatedDeprecatedSigner()
	c.Assert(err, IsNil)

	pub := signer.PublicData()

	deprecatedEcdsa := NewDeprecatedEcdsaVerifier()
	err = deprecatedEcdsa.UnmarshalPublicKey(pub)
	c.Assert(err, IsNil)

	c.Assert(deprecatedEcdsa.MarshalPublicKey(), DeepEquals, pub)
}