// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef DEVICE_FIDO_MAC_CREDENTIAL_METADATA_H_
#define DEVICE_FIDO_MAC_CREDENTIAL_METADATA_H_

#include <memory>
#include <string>
#include <vector>

#include "base/component_export.h"
#include "base/containers/span.h"
#include "base/macros.h"
#include "base/optional.h"
#include "base/strings/string_piece_forward.h"
#include "crypto/aead.h"
#include "crypto/hmac.h"
#include "crypto/symmetric_key.h"

namespace device {

class PublicKeyCredentialUserEntity;

namespace fido {
namespace mac {

// CredentialMetadata generates credential IDs from the associated user entity
// (user ID, name and display name) by encrypting them under a key tied to the
// current Chrome profile. This gives us separation of credentials per Chrome
// profile. It also guarantees that account metadata in the OS keychain is
// rendered unusable after the Chrome profile and the associated encryption key
// have been deleted, in order to limit leakage of account metadata, such as
// the list of RPs with registered credentials, into the OS keychain.
//
// Credential IDs have following format
//    | version  |    nonce   | AEAD(pt=CBOR(user_entity), |
//    | (1 byte) | (12 bytes) |      nonce=nonce,          |
//    |          |            |      ad=(version, rpID))   |
// with version as 0x00, a random 12-byte nonce, and using AES-256-GCM as the
// AEAD.
//
// CredentialMetadata also encodes the user ID and RP ID for storage in the OS
// keychain by computing their HMAC.
//
// TODO(martinkr): We currently do not store profile icon URLs.
class COMPONENT_EXPORT(DEVICE_FIDO) CredentialMetadata {
 public:
  // Generate a new random secret to use with the public interface of
  // CredentialMetadata. Chrome stores this secret in the Profile Prefs.
  static std::string GenerateRandomSecret();

  // UserEntity loosely corresponds to a PublicKeyCredentialUserEntity
  // (https://www.w3.org/TR/webauthn/#sctn-user-credential-params). Values of
  // this type should be moved whenever possible.
  struct UserEntity {
   public:
    static UserEntity FromPublicKeyCredentialUserEntity(
        const PublicKeyCredentialUserEntity&);

    UserEntity(std::vector<uint8_t> id_,
               std::string name_,
               std::string display_);
    UserEntity(const UserEntity&);
    UserEntity(UserEntity&&);
    UserEntity& operator=(UserEntity&&);
    ~UserEntity();

    PublicKeyCredentialUserEntity ToPublicKeyCredentialUserEntity();

    std::vector<uint8_t> id;
    std::string name;
    std::string display_name;
  };

  // SealCredentialId encrypts the given UserEntity into a credential id.
  static base::Optional<std::vector<uint8_t>> SealCredentialId(
      const std::string& secret,
      const std::string& rp_id,
      const UserEntity& user);

  // UnsealCredentialId attempts to decrypt a UserEntity from a given credential
  // id.
  static base::Optional<UserEntity> UnsealCredentialId(
      const std::string& secret,
      const std::string& rp_id,
      base::span<const uint8_t> credential_id);

  // EncodeRpIdAndUserId encodes the concatenation of RP ID and user ID for
  // storage in the macOS keychain.
  static base::Optional<std::string> EncodeRpIdAndUserId(
      const std::string& secret,
      const std::string& rp_id,
      base::span<const uint8_t> user_id);

  // EncodeRpId encodes the given RP ID for storage in the macOS keychain.
  static base::Optional<std::string> EncodeRpId(const std::string& secret,
                                                const std::string& rp_id);

  // DecodeRpId attempts to decode a given RP ID from the keychain. This can be
  // used to test whether a set of credential metadata was created under the
  // given secret without knowing the RP ID (which would be required to unseal
  // a credential ID).
  static base::Optional<std::string> DecodeRpId(const std::string& secret,
                                                const std::string& ciphertext);

 private:
  enum Algorithm : uint8_t {
    kAes256Gcm = 0,
    kHmacSha256 = 1,
    kAes256GcmSiv = 2,
  };
  static constexpr uint8_t kVersion = 0x00;

  // MakeAad returns the concatenation of |kVersion| and |rp_id|,
  // which is used as the additional authenticated data (AAD) input to the AEAD.
  static std::string MakeAad(const std::string& rp_id);

  // Derives keys from the caller-provided secret to avoid using the same key
  // for different algorithms.
  static std::string DeriveKey(base::StringPiece secret, Algorithm alg);
  static base::Optional<crypto::Aead::AeadAlgorithm> ToAeadAlgorithm(
      Algorithm alg);

  CredentialMetadata(const std::string& secret);
  ~CredentialMetadata();

  base::Optional<std::string> Seal(Algorithm alg,
                                   base::span<const uint8_t> nonce,
                                   base::span<const uint8_t> plaintext,
                                   base::StringPiece authenticated_data) const;
  base::Optional<std::string> Unseal(
      Algorithm alg,
      base::span<const uint8_t> nonce,
      base::span<const uint8_t> ciphertext,
      base::StringPiece authenticated_data) const;
  base::Optional<std::string> HmacForStorage(base::StringPiece data) const;

  // Used to derive keys for the HMAC and AEAD operations. Chrome picks
  // different secrets for each user profile. This ensures that credentials are
  // logically tied to the Chrome user profile under which they were created.
  const std::string& secret_;

  DISALLOW_COPY_AND_ASSIGN(CredentialMetadata);
};

}  // namespace mac
}  // namespace fido
}  // namespace device

#endif  // DEVICE_FIDO_MAC_CREDENTIAL_METADATA_H_