/*
  This file is part of TALER
  (C) 2015, 2020-2022 Taler Systems SA
  TALER is free software; you can redistribute it and/or modify it under the
  terms of the GNU General Public License as published by the Free Software
  Foundation; either version 3, or (at your option) any later version.
  TALER is distributed in the hope that it will be useful, but WITHOUT ANY
  WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
  A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
  You should have received a copy of the GNU General Public License along with
  TALER; see the file COPYING.  If not, see 
*/
/**
 * @file util/test_crypto.c
 * @brief Tests for Taler-specific crypto logic
 * @author Christian Grothoff 
 */
#include "platform.h"
#include "taler_util.h"
/**
 * Test high-level link encryption/decryption API.
 *
 * @return 0 on success
 */
static int
test_high_level (void)
{
  struct TALER_CoinSpendPrivateKeyP coin_priv;
  struct TALER_CoinSpendPublicKeyP coin_pub;
  struct TALER_TransferPrivateKeyP trans_priv;
  struct TALER_TransferPublicKeyP trans_pub;
  struct TALER_TransferSecretP secret;
  struct TALER_TransferSecretP secret2;
  union TALER_DenominationBlindingKeyP bks1;
  union TALER_DenominationBlindingKeyP bks2;
  struct TALER_CoinSpendPrivateKeyP coin_priv1;
  struct TALER_CoinSpendPrivateKeyP coin_priv2;
  struct TALER_PlanchetMasterSecretP ps1;
  struct TALER_PlanchetMasterSecretP ps2;
  struct TALER_ExchangeWithdrawValues alg1;
  struct TALER_ExchangeWithdrawValues alg2;
  GNUNET_CRYPTO_eddsa_key_create (&coin_priv.eddsa_priv);
  GNUNET_CRYPTO_eddsa_key_get_public (&coin_priv.eddsa_priv,
                                      &coin_pub.eddsa_pub);
  GNUNET_CRYPTO_ecdhe_key_create (&trans_priv.ecdhe_priv);
  GNUNET_CRYPTO_ecdhe_key_get_public (&trans_priv.ecdhe_priv,
                                      &trans_pub.ecdhe_pub);
  TALER_link_derive_transfer_secret (&coin_priv,
                                     &trans_priv,
                                     &secret);
  TALER_link_reveal_transfer_secret (&trans_priv,
                                     &coin_pub,
                                     &secret2);
  GNUNET_assert (0 ==
                 GNUNET_memcmp (&secret,
                                &secret2));
  TALER_link_recover_transfer_secret (&trans_pub,
                                      &coin_priv,
                                      &secret2);
  GNUNET_assert (0 ==
                 GNUNET_memcmp (&secret,
                                &secret2));
  TALER_transfer_secret_to_planchet_secret (&secret,
                                            0,
                                            &ps1);
  alg1.cipher = TALER_DENOMINATION_RSA;
  TALER_planchet_setup_coin_priv (&ps1,
                                  &alg1,
                                  &coin_priv1);
  TALER_planchet_blinding_secret_create (&ps1,
                                         &alg1,
                                         &bks1);
  alg2.cipher = TALER_DENOMINATION_RSA;
  TALER_transfer_secret_to_planchet_secret (&secret,
                                            1,
                                            &ps2);
  TALER_planchet_setup_coin_priv (&ps2,
                                  &alg2,
                                  &coin_priv2);
  TALER_planchet_blinding_secret_create (&ps2,
                                         &alg2,
                                         &bks2);
  GNUNET_assert (0 !=
                 GNUNET_memcmp (&ps1,
                                &ps2));
  GNUNET_assert (0 !=
                 GNUNET_memcmp (&coin_priv1,
                                &coin_priv2));
  GNUNET_assert (0 !=
                 GNUNET_memcmp (&bks1,
                                &bks2));
  return 0;
}
static struct TALER_AgeMask age_mask = {
  .bits = 1 | 1 << 8 | 1 << 10 | 1 << 12
          | 1 << 14 | 1 << 16 | 1 << 18 | 1 << 21
};
/**
 * Test the basic planchet functionality of creating a fresh planchet
 * and extracting the respective signature.
 *
 * @return 0 on success
 */
static int
test_planchets_rsa (uint8_t age)
{
  struct TALER_PlanchetMasterSecretP ps;
  struct TALER_CoinSpendPrivateKeyP coin_priv;
  union TALER_DenominationBlindingKeyP bks;
  struct TALER_DenominationPrivateKey dk_priv;
  struct TALER_DenominationPublicKey dk_pub;
  struct TALER_ExchangeWithdrawValues alg_values;
  struct TALER_PlanchetDetail pd;
  struct TALER_BlindedDenominationSignature blind_sig;
  struct TALER_FreshCoin coin;
  struct TALER_CoinPubHashP c_hash;
  struct TALER_AgeCommitmentHash *ach = NULL;
  struct TALER_AgeCommitmentHash ah = {0};
  if (0 < age)
  {
    struct TALER_AgeCommitmentProof acp;
    struct GNUNET_HashCode seed;
    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
                                &seed,
                                sizeof(seed));
    GNUNET_assert (GNUNET_OK ==
                   TALER_age_restriction_commit (&age_mask,
                                                 age,
                                                 &seed,
                                                 &acp));
    TALER_age_commitment_hash (&acp.commitment,
                               &ah);
    ach = &ah;
    TALER_age_commitment_proof_free (&acp);
  }
  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_STRONG,
                              &ps,
                              sizeof (ps));
  GNUNET_log_skip (1, GNUNET_YES);
  GNUNET_assert (GNUNET_SYSERR ==
                 TALER_denom_priv_create (&dk_priv,
                                          &dk_pub,
                                          TALER_DENOMINATION_INVALID));
  GNUNET_log_skip (1, GNUNET_YES);
  GNUNET_assert (GNUNET_SYSERR ==
                 TALER_denom_priv_create (&dk_priv,
                                          &dk_pub,
                                          42));
  GNUNET_assert (GNUNET_OK ==
                 TALER_denom_priv_create (&dk_priv,
                                          &dk_pub,
                                          TALER_DENOMINATION_RSA,
                                          1024));
  alg_values.cipher = TALER_DENOMINATION_RSA;
  TALER_planchet_setup_coin_priv (&ps,
                                  &alg_values,
                                  &coin_priv);
  TALER_planchet_blinding_secret_create (&ps,
                                         &alg_values,
                                         &bks);
  GNUNET_assert (GNUNET_OK ==
                 TALER_planchet_prepare (&dk_pub,
                                         &alg_values,
                                         &bks,
                                         &coin_priv,
                                         ach,
                                         &c_hash,
                                         &pd));
  GNUNET_assert (GNUNET_OK ==
                 TALER_denom_sign_blinded (&blind_sig,
                                           &dk_priv,
                                           false,
                                           &pd.blinded_planchet));
  TALER_planchet_detail_free (&pd);
  GNUNET_assert (GNUNET_OK ==
                 TALER_planchet_to_coin (&dk_pub,
                                         &blind_sig,
                                         &bks,
                                         &coin_priv,
                                         ach,
                                         &c_hash,
                                         &alg_values,
                                         &coin));
  TALER_blinded_denom_sig_free (&blind_sig);
  TALER_denom_sig_free (&coin.sig);
  TALER_denom_priv_free (&dk_priv);
  TALER_denom_pub_free (&dk_pub);
  return 0;
}
/**
 * @brief Function for CS signatures to derive public R_0 and R_1
 *
 * @param nonce withdraw nonce from a client
 * @param denom_priv denomination privkey as long-term secret
 * @param r_pub the resulting R_0 and R_1
 * @return enum GNUNET_GenericReturnValue
 */
static enum GNUNET_GenericReturnValue
derive_r_public (
  const struct TALER_CsNonce *nonce,
  const struct TALER_DenominationPrivateKey *denom_priv,
  struct TALER_DenominationCSPublicRPairP *r_pub)
{
  struct GNUNET_CRYPTO_CsRSecret r[2];
  if (denom_priv->cipher != TALER_DENOMINATION_CS)
  {
    GNUNET_break (0);
    return GNUNET_SYSERR;
  }
  GNUNET_CRYPTO_cs_r_derive (&nonce->nonce,
                             "rw",
                             &denom_priv->details.cs_private_key,
                             r);
  GNUNET_CRYPTO_cs_r_get_public (&r[0],
                                 &r_pub->r_pub[0]);
  GNUNET_CRYPTO_cs_r_get_public (&r[1],
                                 &r_pub->r_pub[1]);
  return GNUNET_OK;
}
/**
 * Test the basic planchet functionality of creating a fresh planchet with CS denomination
 * and extracting the respective signature.
 *
 * @return 0 on success
 */
static int
test_planchets_cs (uint8_t age)
{
  struct TALER_PlanchetMasterSecretP ps;
  struct TALER_CoinSpendPrivateKeyP coin_priv;
  union TALER_DenominationBlindingKeyP bks;
  struct TALER_DenominationPrivateKey dk_priv;
  struct TALER_DenominationPublicKey dk_pub;
  struct TALER_PlanchetDetail pd;
  struct TALER_CoinPubHashP c_hash;
  struct TALER_BlindedDenominationSignature blind_sig;
  struct TALER_FreshCoin coin;
  struct TALER_ExchangeWithdrawValues alg_values;
  struct TALER_AgeCommitmentHash *ach = NULL;
  if (0 < age)
  {
    struct TALER_AgeCommitmentHash ah = {0};
    struct TALER_AgeCommitmentProof acp;
    struct GNUNET_HashCode seed;
    GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_WEAK,
                                &seed,
                                sizeof(seed));
    GNUNET_assert (GNUNET_OK ==
                   TALER_age_restriction_commit (&age_mask,
                                                 age,
                                                 &seed,
                                                 &acp));
    TALER_age_commitment_hash (&acp.commitment,
                               &ah);
    ach = &ah;
    TALER_age_commitment_proof_free (&acp);
  }
  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_STRONG,
                              &ps,
                              sizeof (ps));
  GNUNET_assert (GNUNET_OK ==
                 TALER_denom_priv_create (&dk_priv,
                                          &dk_pub,
                                          TALER_DENOMINATION_CS));
  alg_values.cipher = TALER_DENOMINATION_CS;
  TALER_cs_withdraw_nonce_derive (
    &ps,
    &pd.blinded_planchet.details.cs_blinded_planchet.nonce);
  GNUNET_assert (GNUNET_OK ==
                 derive_r_public (
                   &pd.blinded_planchet.details.cs_blinded_planchet.nonce,
                   &dk_priv,
                   &alg_values.details.cs_values));
  TALER_planchet_setup_coin_priv (&ps,
                                  &alg_values,
                                  &coin_priv);
  TALER_planchet_blinding_secret_create (&ps,
                                         &alg_values,
                                         &bks);
  GNUNET_assert (GNUNET_OK ==
                 TALER_planchet_prepare (&dk_pub,
                                         &alg_values,
                                         &bks,
                                         &coin_priv,
                                         ach,
                                         &c_hash,
                                         &pd));
  GNUNET_assert (GNUNET_OK ==
                 TALER_denom_sign_blinded (&blind_sig,
                                           &dk_priv,
                                           false,
                                           &pd.blinded_planchet));
  TALER_planchet_detail_free (&pd);
  GNUNET_assert (GNUNET_OK ==
                 TALER_planchet_to_coin (&dk_pub,
                                         &blind_sig,
                                         &bks,
                                         &coin_priv,
                                         ach,
                                         &c_hash,
                                         &alg_values,
                                         &coin));
  TALER_blinded_denom_sig_free (&blind_sig);
  TALER_denom_sig_free (&coin.sig);
  TALER_denom_priv_free (&dk_priv);
  TALER_denom_pub_free (&dk_pub);
  return 0;
}
/**
 * Test the basic planchet functionality of creating a fresh planchet
 * and extracting the respective signature.
 * Calls test_planchets_rsa and test_planchets_cs
 *
 * @return 0 on success
 */
static int
test_planchets (uint8_t age)
{
  if (0 != test_planchets_rsa (age))
    return -1;
  return test_planchets_cs (age);
}
static int
test_exchange_sigs (void)
{
  const char *pt = "payto://x-taler-bank/localhost/Account";
  struct TALER_MasterPrivateKeyP priv;
  struct TALER_MasterPublicKeyP pub;
  struct TALER_MasterSignatureP sig;
  json_t *rest;
  GNUNET_CRYPTO_eddsa_key_create (&priv.eddsa_priv);
  rest = json_array ();
  GNUNET_assert (NULL != rest);
  TALER_exchange_wire_signature_make (pt,
                                      NULL,
                                      rest,
                                      rest,
                                      &priv,
                                      &sig);
  GNUNET_CRYPTO_eddsa_key_get_public (&priv.eddsa_priv,
                                      &pub.eddsa_pub);
  if (GNUNET_OK !=
      TALER_exchange_wire_signature_check (pt,
                                           NULL,
                                           rest,
                                           rest,
                                           &pub,
                                           &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  if (GNUNET_OK ==
      TALER_exchange_wire_signature_check (
        "payto://x-taler-bank/localhost/Other",
        NULL,
        rest,
        rest,
        &pub,
        &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  if (GNUNET_OK ==
      TALER_exchange_wire_signature_check (
        pt,
        "http://example.com/",
        rest,
        rest,
        &pub,
        &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  json_decref (rest);
  return 0;
}
static int
test_merchant_sigs (void)
{
  const char *pt = "payto://x-taler-bank/localhost/Account";
  struct TALER_WireSaltP salt;
  struct TALER_MerchantPrivateKeyP priv;
  struct TALER_MerchantPublicKeyP pub;
  struct TALER_MerchantSignatureP sig;
  GNUNET_CRYPTO_eddsa_key_create (&priv.eddsa_priv);
  memset (&salt,
          42,
          sizeof (salt));
  TALER_merchant_wire_signature_make (pt,
                                      &salt,
                                      &priv,
                                      &sig);
  GNUNET_CRYPTO_eddsa_key_get_public (&priv.eddsa_priv,
                                      &pub.eddsa_pub);
  if (GNUNET_OK !=
      TALER_merchant_wire_signature_check (pt,
                                           &salt,
                                           &pub,
                                           &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  if (GNUNET_OK ==
      TALER_merchant_wire_signature_check (
        "payto://x-taler-bank/localhost/Other",
        &salt,
        &pub,
        &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  memset (&salt,
          43,
          sizeof (salt));
  if (GNUNET_OK ==
      TALER_merchant_wire_signature_check (pt,
                                           &salt,
                                           &pub,
                                           &sig))
  {
    GNUNET_break (0);
    return 1;
  }
  return 0;
}
static int
test_contracts (void)
{
  struct TALER_ContractDiffiePrivateP cpriv;
  struct TALER_PurseContractPublicKeyP purse_pub;
  struct TALER_PurseContractPrivateKeyP purse_priv;
  void *econtract;
  size_t econtract_size;
  struct TALER_PurseMergePrivateKeyP mpriv_in;
  struct TALER_PurseMergePrivateKeyP mpriv_out;
  json_t *c;
  GNUNET_CRYPTO_ecdhe_key_create (&cpriv.ecdhe_priv);
  GNUNET_CRYPTO_eddsa_key_create (&purse_priv.eddsa_priv);
  GNUNET_CRYPTO_eddsa_key_get_public (&purse_priv.eddsa_priv,
                                      &purse_pub.eddsa_pub);
  memset (&mpriv_in,
          42,
          sizeof (mpriv_in));
  c = json_pack ("{s:s}", "test", "value");
  GNUNET_assert (NULL != c);
  TALER_CRYPTO_contract_encrypt_for_merge (&purse_pub,
                                           &cpriv,
                                           &mpriv_in,
                                           c,
                                           &econtract,
                                           &econtract_size);
  json_decref (c);
  c = TALER_CRYPTO_contract_decrypt_for_merge (&cpriv,
                                               &purse_pub,
                                               econtract,
                                               econtract_size,
                                               &mpriv_out);
  GNUNET_free (econtract);
  if (NULL == c)
    return 1;
  json_decref (c);
  if (0 != GNUNET_memcmp (&mpriv_in,
                          &mpriv_out))
    return 1;
  return 0;
}
static int
test_attributes (void)
{
  struct TALER_AttributeEncryptionKeyP key;
  void *eattr;
  size_t eattr_size;
  json_t *c;
  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
                              &key,
                              sizeof (key));
  c = json_pack ("{s:s}", "test", "value");
  GNUNET_assert (NULL != c);
  TALER_CRYPTO_kyc_attributes_encrypt (&key,
                                       c,
                                       &eattr,
                                       &eattr_size);
  json_decref (c);
  c = TALER_CRYPTO_kyc_attributes_decrypt (&key,
                                           eattr,
                                           eattr_size);
  GNUNET_free (eattr);
  if (NULL == c)
  {
    GNUNET_break (0);
    return 1;
  }
  GNUNET_assert (0 ==
                 strcmp ("value",
                         json_string_value (json_object_get (c,
                                                             "test"))));
  json_decref (c);
  return 0;
}
int
main (int argc,
      const char *const argv[])
{
  (void) argc;
  (void) argv;
  GNUNET_log_setup ("test-crypto",
                    "WARNING",
                    NULL);
  if (0 != test_high_level ())
    return 1;
  if (0 != test_planchets (0))
    return 2;
  if (0 != test_planchets (13))
    return 3;
  if (0 != test_exchange_sigs ())
    return 4;
  if (0 != test_merchant_sigs ())
    return 5;
  if (0 != test_contracts ())
    return 6;
  if (0 != test_attributes ())
    return 7;
  return 0;
}
/* end of test_crypto.c */