// NewYubiKey takes the key and initial OTP and returns an
// authenticator.
func NewYubiKey(key []byte, initialOTP string) (*Authenticator, error) {
	pub, otp, err := yubikey.ParseOTPString(initialOTP)
	if err != nil {
		return nil, err
	}

	tmpKey := yubikey.NewKey(key)
	token, err := otp.Parse(tmpKey)
	if err != nil {
		return nil, err
	}
	util.Zero(tmpKey[:])

	config := &YubiKeyConfig{
		Counter: getTokenCounter(token),
		Key:     key,
		Public:  pub,
	}
	defer util.Zero(config.Key[:])

	auth := &Authenticator{
		Type:   TypeYubiKey,
		Last:   initialOTP,
		Secret: config.Bytes(),
	}

	return auth, nil
}

// UnmarshalSecretStore decrypts and parses the secret store contained
// in the input byte slice.
func UnmarshalSecretStore(in, passphrase []byte, m secret.ScryptMode) (*SecretStore, bool) {
	if len(in) < saltSize {
		return nil, false
	}

	salt := in[:saltSize]
	enc := in[saltSize:]
	key := secret.DeriveKeyStrength(passphrase, salt, m)
	if key == nil {
		return nil, false
	}
	defer util.Zero(key[:])

	data, ok := secret.Decrypt(key, enc)
	if !ok {
		util.Errorf("decrypt fails")
		return nil, false
	}
	defer util.Zero(data)

	var store SecretStore
	err := json.Unmarshal(data, &store)
	if err != nil {
		util.Errorf("encrypt fails")
		return nil, false
	}

	store.passphrase = make([]byte, len(passphrase))
	copy(store.passphrase, passphrase)
	return &store, true
}

// MarshalSecretStore serialises and encrypts the data store to a byte
// slice suitable for writing to disk.
func MarshalSecretStore(s *SecretStore, m secret.ScryptMode) ([]byte, bool) {
	if !s.Valid() {
		return nil, false
	}

	out, err := json.Marshal(s)
	if err != nil {
		return nil, false
	}
	defer util.Zero(out)

	salt := util.RandBytes(saltSize)
	if salt == nil {
		return nil, false
	}

	key := secret.DeriveKeyStrength(s.passphrase, salt, m)
	if key == nil {
		return nil, false
	}
	defer util.Zero(key[:])

	enc, ok := secret.Encrypt(key, out)
	if !ok {
		return nil, false
	}
	defer s.Zero()

	enc = append(salt, enc...)
	return enc, true
}

// Zero clears out the secret. The discussion for the util.Zero
// function contains a more in-depth discussion on the security of
// this.
func (r *SecretRecord) Zero() {
	if r == nil {
		return
	}

	util.Zero(r.Secret)
	for k := range r.Metadata {
		util.Zero(r.Metadata[k])
	}
}

func loadStore(path string, m secret.ScryptMode) *store.SecretStore {
	passphrase, err := util.PassPrompt("Secrets passphrase> ")
	if err != nil {
		util.Errorf("Failed to read passphrase: %v", err)
		return nil
	}

	var passwords *store.SecretStore
	if ok, _ := util.Exists(path); ok {
		defer util.Zero(passphrase)
		fileData, err := util.ReadFile(path)
		if err != nil {
			util.Errorf("%v", err)
			return nil
		}
		var ok bool
		passwords, ok = store.UnmarshalSecretStore(fileData, passphrase, m)
		if !ok {
			return nil
		}
		return passwords
	}
	util.Errorf("could not find %s", path)
	return nil
}

func initStore(path string, m secret.ScryptMode) error {
	passphrase, err := util.PassPrompt("Secrets passphrase> ")
	if err != nil {
		util.Errorf("Failed to read passphrase: %v", err)
		return err
	}

	if len(passphrase) == 0 {
		return fmt.Errorf("No passphrase provided.")
	}

	defer util.Zero(passphrase)
	passwords := store.NewSecretStore(passphrase)
	if passwords == nil {
		return fmt.Errorf("failed to create store")
	}

	fmt.Println("creating store...")
	fileData, ok := store.MarshalSecretStore(passwords, m)
	if !ok {
		return fmt.Errorf("failed to marshal store")
	}

	err = util.WriteFile(fileData, path)
	if err != nil {
		return err
	}

	passwords, ok = store.UnmarshalSecretStore(fileData, passphrase, m)
	if !ok {
		err = fmt.Errorf("failed to unmarshal store")
	}
	return err
}

func storeSingleSecret(label string) error {
	r, ok := session.Store.Store[label]
	if ok {
		answer, err := util.ReadLine(label + " exists. Overwrite secret (y/n)? ")
		if err != nil {
			return err
		}
		answer = strings.ToLower(answer)
		if answer != "y" && answer != "yes" {
			fmt.Println("Not overwriting.")
			return nil
		}
	} else {
		r = new(store.SecretRecord)
	}

	password, err := readpass.PasswordPromptBytes("New password: ")
	if err != nil {
		return err
	} else if len(password) == 0 {
		return errors.New("no password entered")
	}

	util.Zero(r.Secret)
	r.Secret = password
	r.Timestamp = time.Now().Unix()
	session.Store.Timestamp = r.Timestamp
	session.Store.Store[label] = r
	session.Dirty = true
	return nil
}

// UnmarshalPrivate parses a byte slice into a private key.
func UnmarshalPrivate(in []byte) (*PrivateKey, error) {
	priv := PrivateKey{
		D: new([32]byte),
		S: new([64]byte),
		PublicKey: &PublicKey{
			E: new([32]byte),
			V: new([32]byte),
		},
	}

	var mkey struct {
		D []byte
		S []byte
		E []byte
		V []byte
	}

	dec := tlv.NewDecoder(in)
	err := dec.Decode(&mkey.D)
	if err != nil {
		return nil, err
	}
	err = dec.Decode(&mkey.S)
	if err != nil {
		return nil, err
	}
	err = dec.Decode(&mkey.E)
	if err != nil {
		return nil, err
	}
	err = dec.Decode(&mkey.V)
	if err != nil {
		return nil, err
	}

	copy(priv.D[:], mkey.D)
	copy(priv.S[:], mkey.S)
	copy(priv.E[:], mkey.E)
	copy(priv.V[:], mkey.V)

	util.Zero(mkey.D)
	util.Zero(mkey.S)
	util.Zero(mkey.E)
	util.Zero(mkey.V)
	return &priv, nil
}

func TestPeerLookup(t *testing.T) {
	bob.PeerLookup = func(k *[ed25519.PublicKeySize]byte) bool {
		return false
	}

	conn := testio.NewBufferConn()
	sk, _, err := bob.NewSession()
	if err != nil {
		t.Fatalf("%v", err)
	}

	conn.WritePeer(sk[:])
	_, err = carol.Dial(conn)
	if err != nil {
		t.Fatalf("%v", err)
	}

	var csk [SessionKeySize]byte
	_, err = conn.ReadClient(csk[:])
	if err != nil {
		t.Fatalf("%v", err)
	}

	_, ok := bob.VerifySessionKey(&csk)
	if ok {
		t.Fatal("carol should not be trusted by bob")
	}

	bob.PeerLookup = func(k *[ed25519.PublicKeySize]byte) bool {
		return true
	}

	conn = testio.NewBufferConn()
	sk, _, err = bob.NewSession()
	if err != nil {
		t.Fatalf("%v", err)
	}

	conn.WritePeer(sk[:])
	_, err = carol.Dial(conn)
	if err != nil {
		t.Fatalf("%v", err)
	}

	util.Zero(csk[:])
	_, err = conn.ReadClient(csk[:])
	if err != nil {
		t.Fatalf("%v", err)
	}

	_, ok = bob.VerifySessionKey(&csk)
	if !ok {
		t.Fatal("carol should be trusted by bob")
	}

	bob.PeerLookup = nil
}

// DecryptAndVerify decrypts the message and verifies its signature.
func DecryptAndVerify(priv *PrivateKey, pub *PublicKey, enc []byte) ([]byte, bool) {
	if !priv.Valid() || !pub.Valid() {
		return nil, false
	}

	if len(enc) < overhead {
		return nil, false
	}

	out, ok := decrypt(priv, enc)
	if !ok {
		return nil, false
	}

	var m, s []byte
	dec := tlv.NewDecoder(out)
	err := dec.Decode(&m)
	if err != nil {
		return nil, false
	}

	err = dec.Decode(&s)
	if err != nil {
		util.Zero(m)
		return nil, false
	}

	if dec.Length() != 0 {
		util.Zero(m)
		return nil, false
	}

	if len(s) != ed25519.SignatureSize {
		util.Zero(m)
		return nil, false
	}

	if !Verify(pub, m, s) {
		util.Zero(m)
		return nil, false
	}

	return m, true
}

// GenerateKey returns a randomly generated secretbox key. Typically,
// you should use DeriveKey to get a key from a passphrase
// instead. Returns nil on failure.
func GenerateKey() *[KeySize]byte {
	var key [KeySize]byte
	rb := util.RandBytes(KeySize)
	if rb == nil || len(rb) != KeySize {
		return nil
	}
	defer util.Zero(rb)

	copy(key[:], rb)
	return &key
}

// DeriveKey applies Scrypt with very strong parameters to generate an
// encryption key from a passphrase and salt.
func DeriveKey(passphrase []byte, salt []byte) *[KeySize]byte {
	rawKey, err := scrypt.Key(passphrase, salt, scryptParams.N, scryptParams.r, scryptParams.p, KeySize)
	if err != nil {
		return nil
	}

	var key [KeySize]byte
	copy(key[:], rawKey)
	util.Zero(rawKey)
	return &key
}

// Decrypt opens the secured message using the private key.
func Decrypt(priv *PrivateKey, enc []byte) (message []byte, ok bool) {
	out, ok := decrypt(priv, enc)
	if !ok {
		return nil, false
	}
	defer util.Zero(out)

	var m []byte
	dec := tlv.NewDecoder(out)
	err := dec.Decode(&m)
	if err != nil {
		return nil, false
	}

	if dec.Length() != 0 {
		util.Zero(m)
		return nil, false
	}

	return m, true
}

// DeriveKeyStrength applies Scrypt using the given work parameters
// to generate an encryption key from a passphrase and salt.
func DeriveKeyStrength(passphrase []byte, salt []byte, m ScryptMode) *[KeySize]byte {
	s := scryptMode[m]
	rawKey, err := scrypt.Key(passphrase, salt, s.N, s.r, s.p, KeySize)
	if err != nil {
		return nil
	}

	var key [KeySize]byte
	copy(key[:], rawKey)
	util.Zero(rawKey)
	return &key
}

func loadStore(path string) *store.KeyStore {
	// If keystore is newly created, we'll want to write it to
	// disk before leaving this function.
	var flush bool
	if exists, _ := util.Exists(path); !exists {
		flush = true
	}

	passphrase, err := util.PassPrompt("keystore passphrase> ")
	if err != nil {
		util.Errorf("%v", err)
		return nil
	}
	defer util.Zero(passphrase)

	keystore, ok := store.LoadKeyStore(path, true)
	if !ok {
		fmt.Printf("error in LoadKeyStore")
		return nil
	}
	if !keystore.Valid(false) {
		fmt.Println("keystore not valid")
		return nil
	}

	if !flush {
		if !keystore.Unlock(passphrase) {
			return nil
		}
		return keystore
	}

	if !keystore.LockWith(passphrase) {
		util.Errorf("Failed to set initial passphrase.")
		return nil
	} else if !keystore.Unlock(passphrase) {
		util.Errorf("Flushing keystore failed.")
		return nil
	}

	out, err := keystore.Dump()
	if err != nil {
		log.Printf("WARNING: failed to dump keystore: %v", err)
		return nil
	}
	err = ioutil.WriteFile(path, out, 0644)
	if err != nil {
		log.Printf("WARNING: failed to write keystore: %v", err)
	}

	return keystore
}

// UnlockKey recovers the secured private key with the passphrase.
func UnlockKey(locked, passphrase []byte) (*PrivateKey, bool) {
	if len(locked) <= saltSize {
		return nil, false
	}
	salt := locked[:saltSize]
	locked = locked[saltSize:]

	key := secret.DeriveKey(passphrase, salt)
	defer util.Zero(key[:])

	out, ok := secret.Decrypt(key, locked)
	if !ok {
		return nil, false
	}
	defer util.Zero(out)

	priv, err := UnmarshalPrivate(out)
	if err != nil {
		return nil, false
	}
	return priv, true
}

func editEntry(ps *store.SecretStore, cfg *config) error {
	title := cfg.Args[0]
	if !ps.Has(title) {
		return errors.New("entry not found")
	}

	tmp, err := ioutil.TempFile("", "cu_journal")
	if err != nil {
		return err
	}
	fileName := tmp.Name()
	tmp.Close()
	defer os.Remove(fileName)
	err = ioutil.WriteFile(fileName, ps.Store[title].Secret, 0600)

	defer func() {
		err := os.Remove(fileName)
		if err != nil {
			fmt.Println("*** WARNING ***")
			fmt.Println("FAILED TO REMOVE TEMPORARY FILE", fileName)
			fmt.Println("You should remove this yourself.")
			fmt.Printf("\nThe reason: %v\n", err)
		}
	}()

	editor := cfg.Editor
	if editor == "" {
		editor = defaultEditor
	}

	args := strings.Split(editor, " ")
	args = append(args, fileName)
	cmd := exec.Command(args[0], args[1:]...)
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr

	err = cmd.Run()
	if err != nil {
		return err
	}

	fileData, err := ioutil.ReadFile(fileName)
	if err != nil {
		return err
	}
	util.Zero(ps.Store[title].Secret)
	ps.Store[title].Secret = fileData

	return nil
}

// LockKey secures the private key with the passphrase, using Scrypt
// and NaCl's secretbox.
func LockKey(priv *PrivateKey, passphrase []byte) ([]byte, bool) {
	out, err := MarshalPrivate(priv)
	if err != nil {
		return nil, false
	}
	defer util.Zero(out)

	salt := util.RandBytes(saltSize)
	if salt == nil {
		return nil, false
	}

	key := secret.DeriveKey(passphrase, salt)
	defer util.Zero(key[:])

	out, ok := secret.Encrypt(key, out)
	if !ok {
		return nil, false
	}

	out = append(salt, out...)
	return out, true
}

// EncryptFile securely stores the encoded blob under the filename.
func EncryptFile(filename string, passphrase, encoded []byte) (err error) {
	salt := util.RandBytes(SaltSize)
	if salt == nil {
		err = errors.New("password: failed to generate new salt")
		return
	}
	defer util.Zero(encoded)

	key := DeriveKey(passphrase, salt)
	data, ok := Encrypt(key, encoded)
	if !ok {
		data = nil
		err = errors.New("password: failed to encrypt data")
		return
	}

	data = append(salt, data...)
	err = ioutil.WriteFile(filename, data, 0600)
	return
}

// ValidateYubiKey takes an Authenticator that is presumed to be a
// YubiKey authenticator and attempts to validate the given OTP
// using it. The YubiKey authenticator will always need to be updated
// when successful to account for changes in the counter, and to
// update the last OTP.
func ValidateYubiKey(auth *Authenticator, otp string) (bool, error) {
	if (auth == nil) || (auth.Type != TypeYubiKey) {
		return false, ErrInvalidAuthenticator
	}

	if auth.Last == otp {
		return false, ErrValidationFail
	}

	config, err := ParseYubiKeyConfig(auth.Secret)
	if err != nil {
		return false, ErrInvalidAuthenticator
	}

	tmpKey := yubikey.NewKey(config.Key)
	defer util.Zero(tmpKey[:])

	pub, ykOTP, err := yubikey.ParseOTPString(otp)
	if err != nil {
		return false, ErrValidationFail
	}

	if !bytes.Equal(pub, config.Public) {
		return false, ErrValidationFail
	}

	userToken, err := ykOTP.Parse(tmpKey)
	if err != nil {
		return false, ErrValidationFail
	}

	if getTokenCounter(userToken) < config.Counter {
		return false, ErrValidationFail
	}

	config.Counter = getTokenCounter(userToken)
	auth.Last = otp
	auth.Secret = config.Bytes()

	return true, nil
}