/*
 * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package com.sun.crypto.provider;

import java.util.Arrays;
import java.security.*;
import java.security.spec.*;
import javax.crypto.*;
import javax.crypto.spec.*;

This class acts as the base class for AES KeyWrap algorithms as defined
in 
"Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"
/**
 * This class acts as the base class for AES KeyWrap algorithms as defined
 * in <a href=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf>
 * "Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping"
 */
class KWUtil {

    static final int BLKSIZE = 16;
    static final int SEMI_BLKSIZE = BLKSIZE >> 1;
    static final int MIN_INPUTLEN = BLKSIZE + SEMI_BLKSIZE;

    /*
     * The wrapping function W as defined in section 6.1 of NIST SP 800-38F as
     * well as sec 2.2.1 of RFC 3394.
     * @param firstSemiblk the first semi block value to overwrite the input
     *         with
     * @param in input bytes
     * @param inLen length of the to-be-processed bytes
     * @param cipher the initialized cipher object used
     * @return the processed output length, i.e. same as {@code inLen}.
     */
    static final int W(byte[] icvIn, byte[] in, int inLen,
            SymmetricCipher cipher) {
        assert((inLen >= MIN_INPUTLEN) && ((inLen % SEMI_BLKSIZE) == 0)) :
                ("Invalid data length for W: " + inLen);
        assert(icvIn.length == SEMI_BLKSIZE) : "Invalid ICV buffer size";

        // overwrite the first block of in with the icv semiblock
        System.arraycopy(icvIn, 0, in, 0, SEMI_BLKSIZE);

        int n = inLen / SEMI_BLKSIZE - 1;

        byte[] buffer = new byte[BLKSIZE];
        byte[] out = in; // in-place
        for (int j = 0; j < 6; j++) {
            for (int i = 1; i <= n; i++) {
                int T = i + j*n;
                System.arraycopy(out, 0, buffer, 0, SEMI_BLKSIZE);
                System.arraycopy(out, i << 3, buffer, SEMI_BLKSIZE, 8);
                cipher.encryptBlock(buffer, 0, buffer, 0);
                for (int k = 1; T != 0; k++) {
                    byte v = (byte) T;
                    buffer[SEMI_BLKSIZE - k] ^= v;
                    T >>>= SEMI_BLKSIZE;
                }
                System.arraycopy(buffer, 0, out, 0, SEMI_BLKSIZE);
                System.arraycopy(buffer, SEMI_BLKSIZE, out, i << 3,
                        SEMI_BLKSIZE);
            }
        }
        // for W, output length is same as input length
        return inLen;
    }

    /*
     * The unwrapping function W^-1 as defined in section 6.1 of NIST SP
     * 800-38F as well as sec 2.2.2 of RFC 3394.
     * - separated out the initial value from the remaining recovered data
     * - no output buffer argument since we cannot write out the recovered
     *   data until the initial value and padding bytes are verified.
     * @param in input bytes, i.e. the to-be-processed data
     * @param inLen length of the to-be-processed bytes
     * @param ivOut buffer for holding the recovered ICV semiblock
     * @param cipher the initialized cipher object used
     * @return the recovered data length, i.e. {@code (inLen - icvOut.length)}
     */
    static final int W_INV(byte[] in, int inLen, byte[] icvOut,
            SymmetricCipher cipher) {

        assert((inLen >= MIN_INPUTLEN) && ((inLen % SEMI_BLKSIZE) == 0)) :
                ("Invalid data length for W_INV: " + inLen);
        assert(icvOut.length == SEMI_BLKSIZE) : "Invalid ICV buffer size";

        byte[] buffer = new byte[BLKSIZE];
        System.arraycopy(in, 0, buffer, 0, SEMI_BLKSIZE);
        System.arraycopy(in, SEMI_BLKSIZE, in, 0, inLen - SEMI_BLKSIZE);
        int n = (inLen - SEMI_BLKSIZE) / SEMI_BLKSIZE;

        for (int j = 5; j >= 0; j--) {
            for (int i = n; i > 0; i--) {
                int T = i + n*j;
                int idx = (i-1) << 3;
                System.arraycopy(in, idx, buffer, SEMI_BLKSIZE, SEMI_BLKSIZE);
                for (int k = 1; T != 0; k++) {
                    byte v = (byte) T;
                    buffer[SEMI_BLKSIZE - k] ^= v;
                    T >>>= SEMI_BLKSIZE;
                }
                cipher.decryptBlock(buffer, 0, buffer, 0);
                System.arraycopy(buffer, SEMI_BLKSIZE, in, idx, SEMI_BLKSIZE);
            }
        }
        System.arraycopy(buffer, 0, icvOut, 0, SEMI_BLKSIZE);
        Arrays.fill(buffer, (byte)0);
        return inLen - SEMI_BLKSIZE;
    }
}