// Copyright 2015 Joyent, Inc.

var assert = require('assert-plus'); var crypto = require('crypto'); var sshpk = require('sshpk'); var utils = require('./utils');

/* Local aliases for the helpers defined in ./utils; only validateAlgorithm is used in this file. */
var HASH_ALGOS = utils.HASH_ALGOS;
var PK_ALGOS = utils.PK_ALGOS;
var InvalidAlgorithmError = utils.InvalidAlgorithmError;
var HttpSignatureError = utils.HttpSignatureError;
var validateAlgorithm = utils.validateAlgorithm;

///--- Exported API

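/*
 * Decode a base64 string into a Buffer.  Prefers `Buffer.from(str, enc)`
 * over the deprecated `new Buffer()` constructor where the former exists.
 * On Node 4.0-4.4 `Buffer.from` is merely the inherited `Uint8Array.from`
 * and does not accept an encoding, so the constructor is used there as well
 * (the same check safe-buffer performs).
 *
 * @param {String} str base64-encoded text.
 * @return {Buffer} the decoded bytes.
 */
function base64ToBuffer(str) {
  if (typeof (Buffer.from) === 'function' &&
      Buffer.from !== Uint8Array.from) {
    return (Buffer.from(str, 'base64'));
  }
  return (new Buffer(str, 'base64'));
}

/*
 * Compare two digests returned by `Hmac#digest()`.  Callers pass the
 * double-HMAC'd values (see verifyHMAC), so the comparison itself no longer
 * reveals anything useful about the expected MAC; the runtime's constant-time
 * compare is still used where it exists.
 *
 * @param {String|Buffer} a first digest.
 * @param {String|Buffer} b second digest, same algorithm as `a`.
 * @return {Boolean} true if the digests are identical.
 */
function digestsEqual(a, b) {
  /* Node 0.8 returns strings from .digest(). */
  if (typeof (a) === 'string')
    return (a === b);
  /* timingSafeEqual throws on a length mismatch, so check first. */
  if (typeof (crypto.timingSafeEqual) === 'function' &&
      a.length === b.length) {
    return (crypto.timingSafeEqual(a, b));
  }
  /* Node 0.10 lacks the .equals() method on Buffers. */
  if (Buffer.isBuffer(a) && !a.equals)
    return (a.toString('binary') === b.toString('binary'));
  return (a.equals(b));
}

module.exports = {

/**
 * Verify a public-key (RSA/DSA/ECDSA/...) signature against a public key.
 * You are expected to pass in an object that was returned from `parse()`.
 *
 * HMAC algorithms are not handled here (use `verifyHMAC`); they, and any
 * key whose type does not match the algorithm named in the signature, make
 * this return false rather than throw.
 *
 * @param {Object} parsedSignature the object you got from `parse`.
 * @param {String|Buffer|sshpk.Key} pubkey the PUBLIC key, either as PEM/SSH
 *        text (string or Buffer, parsed with sshpk) or an sshpk.Key.
 * @return {Boolean} true if valid, false otherwise.
 * @throws {AssertionError} if you pass in bad arguments (raised by
 *         assert-plus).
 * @throws {InvalidAlgorithmError} if the algorithm in `parsedSignature` is
 *         not one this library understands.
 * @throws if `pubkey` is text that sshpk cannot parse, or (presumably) if
 *         sshpk cannot parse the signature bytes -- confirm against sshpk.
 */
verifySignature: function verifySignature(parsedSignature, pubkey) {
  assert.object(parsedSignature, 'parsedSignature');
  assert.object(parsedSignature.params, 'parsedSignature.params');
  assert.string(parsedSignature.params.signature,
      'parsedSignature.params.signature');
  assert.string(parsedSignature.signingString,
      'parsedSignature.signingString');
  if (typeof (pubkey) === 'string' || Buffer.isBuffer(pubkey))
    pubkey = sshpk.parseKey(pubkey);
  assert.ok(sshpk.Key.isKey(pubkey, [1, 1]), 'pubkey must be a sshpk.Key');

  /* alg is [keyType, hashName], e.g. ['rsa', 'sha256']. */
  var alg = validateAlgorithm(parsedSignature.algorithm);
  /*
   * Refuse to verify an HMAC with a public key, and refuse a key whose type
   * differs from what the signature header claims; never "upgrade" a
   * mismatch into a successful verification.
   */
  if (alg[0] === 'hmac' || alg[0] !== pubkey.type)
    return (false);

  var verifier = pubkey.createVerify(alg[1]);
  verifier.update(parsedSignature.signingString);
  return (verifier.verify(parsedSignature.params.signature, 'base64'));
},

/**
 * Verify HMAC against shared secret.  You are expected to pass in an object
 * that was returned from `parse()`.
 *
 * Non-HMAC algorithms make this return false (use `verifySignature`).
 *
 * @param {Object} parsedSignature the object you got from `parse`.
 * @param {String|Buffer} secret HMAC shared secret.
 * @return {Boolean} true if valid, false otherwise.
 * @throws {AssertionError} if you pass in bad arguments (raised by
 *         assert-plus).
 * @throws {InvalidAlgorithmError} if the algorithm in `parsedSignature` is
 *         not one this library understands.
 */
verifyHMAC: function verifyHMAC(parsedSignature, secret) {
  assert.object(parsedSignature, 'parsedSignature');
  assert.object(parsedSignature.params, 'parsedSignature.params');
  assert.string(parsedSignature.params.signature,
      'parsedSignature.params.signature');
  assert.string(parsedSignature.signingString,
      'parsedSignature.signingString');
  assert.ok(typeof (secret) === 'string' || Buffer.isBuffer(secret),
      'secret must be a string or Buffer');

  /* alg is [keyType, hashName], e.g. ['hmac', 'sha256']. */
  var alg = validateAlgorithm(parsedSignature.algorithm);
  if (alg[0] !== 'hmac')
    return (false);

  var hashAlg = alg[1].toUpperCase();

  var hmac = crypto.createHmac(hashAlg, secret);
  hmac.update(parsedSignature.signingString);

  /*
   * Now double-hash to avoid leaking timing information - there's
   * no easy constant-time compare in JS on older Node, so we use this
   * approach instead.  See for more info:
   * https://www.isecpartners.com/blog/2011/february/double-hmac-
   * verification.aspx
   */
  var expected = crypto.createHmac(hashAlg, secret);
  expected.update(hmac.digest());
  expected = expected.digest();
  var presented = crypto.createHmac(hashAlg, secret);
  presented.update(base64ToBuffer(parsedSignature.params.signature));
  presented = presented.digest();

  return (digestsEqual(expected, presented));
}

};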