// Copyright 2021 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "cryptohome/cryptorecovery/fake_recovery_mediator_crypto.h"

#include <algorithm>
#include <optional>
#include <utility>
#include <vector>

#include <base/logging.h>
#include <base/memory/ptr_util.h>
#include <base/stl_util.h>
#include <brillo/secure_blob.h>
#include <libhwsec-foundation/crypto/aes.h>
#include <libhwsec-foundation/crypto/big_num_util.h>
#include <libhwsec-foundation/crypto/ecdh_hkdf.h>
#include <libhwsec-foundation/crypto/elliptic_curve.h>
#include <libhwsec-foundation/crypto/error_util.h>
#include <libhwsec-foundation/crypto/rsa.h>
#include <libhwsec-foundation/crypto/secure_blob_util.h>

#include "cryptohome/cryptohome_common.h"
#include "cryptohome/cryptorecovery/recovery_crypto.h"
#include "cryptohome/cryptorecovery/recovery_crypto_hsm_cbor_serialization.h"
#include "cryptohome/cryptorecovery/recovery_crypto_util.h"

using ::hwsec_foundation::AesGcmDecrypt;
using ::hwsec_foundation::AesGcmEncrypt;
using ::hwsec_foundation::CreateBigNumContext;
using ::hwsec_foundation::CreateSecureRandomBlob;
using ::hwsec_foundation::EllipticCurve;
using ::hwsec_foundation::GenerateEcdhHkdfSymmetricKey;
using ::hwsec_foundation::kAesGcm256KeySize;
using ::hwsec_foundation::ScopedBN_CTX;
using ::hwsec_foundation::SecureBlobToBigNum;
using ::hwsec_foundation::VerifyRsaSignatureSha256;

namespace cryptohome {
namespace cryptorecovery {
namespace {

brillo::SecureBlob GetMediatorShareHkdfInfo() {
  return brillo::SecureBlob(RecoveryCrypto::kMediatorShareHkdfInfoValue);
}

brillo::SecureBlob GetRequestPayloadPlainTextHkdfInfo() {
  return brillo::SecureBlob(
      RecoveryCrypto::kRequestPayloadPlainTextHkdfInfoValue);
}

brillo::SecureBlob GetResponsePayloadPlainTextHkdfInfo() {
  return brillo::SecureBlob(
      RecoveryCrypto::kResponsePayloadPlainTextHkdfInfoValue);
}

bool GetRecoveryRequestFromProto(
    const CryptoRecoveryRpcRequest& recovery_request_proto,
    RecoveryRequest* recovery_request) {
  if (!recovery_request_proto.has_cbor_cryptorecoveryrequest()) {
    LOG(ERROR)
        << "No cbor_cryptorecoveryrequest field in recovery_request_proto";
    return false;
  }
  brillo::SecureBlob recovery_request_cbor(
      recovery_request_proto.cbor_cryptorecoveryrequest().begin(),
      recovery_request_proto.cbor_cryptorecoveryrequest().end());
  if (!DeserializeRecoveryRequestFromCbor(recovery_request_cbor,
                                          recovery_request)) {
    LOG(ERROR) << "Unable to deserialize Recovery Request";
    return false;
  }
  return true;
}

bool GenerateRecoveryRequestProto(
    const RecoveryResponse& response,
    CryptoRecoveryRpcResponse* recovery_response) {
  brillo::SecureBlob recovery_response_cbor;
  if (!SerializeRecoveryResponseToCbor(response, &recovery_response_cbor)) {
    LOG(ERROR) << "Failed to serialize Recovery Response to cbor";
    return false;
  }
  recovery_response->set_protocol_version(1);
  recovery_response->set_cbor_cryptorecoveryresponse(
      recovery_response_cbor.data(), recovery_response_cbor.size());
  return true;
}

}  // namespace

// Hardcoded fake mediator and epoch public and private keys. Do not use them in
// production! Keys were generated at random using
// EllipticCurve::GenerateKeysAsSecureBlobs method and converted to hex.
static const char kFakeMediatorPublicKeyHex[] =
    "041C66FD08151D1C34EA5003F7C24557D2E4802535AA4F65EDBE3CD495CFE060387D00D5D2"
    "5D859B26C5134F1AD00F2230EAB72A47F46DF23407CF68FB18C509DE";
static const char kFakeMediatorPrivateKeyHex[] =
    "B7A01DA624ECF448D9F7E1B07236EA2930A17C9A31AD60E43E01A8FEA934AB1C";
static const char kFakeEpochPrivateKeyHex[] =
    "2DC064DBE7473CE2E617C689E3D1D71568E1B09EA6CEC5CB4463A66C06F1B535";
static const char kFakeEpochPublicKeyHex[] =
    "045D8393CDEF671228CB0D8454BBB6F2AAA18E05834BB6DBBD05721FC81ED3BED33D08A8EF"
    "D44F6786CAE7ADEB8E26A355CD9714F59C78F063A3CA3A7D74877A8A";

std::unique_ptr<FakeRecoveryMediatorCrypto>
FakeRecoveryMediatorCrypto::Create() {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return nullptr;
  }
  std::optional<EllipticCurve> ec =
      EllipticCurve::Create(RecoveryCrypto::kCurve, context.get());
  if (!ec) {
    LOG(ERROR) << "Failed to create EllipticCurve";
    return nullptr;
  }
  return base::WrapUnique(new FakeRecoveryMediatorCrypto(std::move(*ec)));
}

FakeRecoveryMediatorCrypto::FakeRecoveryMediatorCrypto(EllipticCurve ec)
    : ec_(std::move(ec)) {}

// static
bool FakeRecoveryMediatorCrypto::GetFakeMediatorPublicKey(
    brillo::SecureBlob* mediator_pub_key) {
  if (!brillo::SecureBlob::HexStringToSecureBlob(kFakeMediatorPublicKeyHex,
                                                 mediator_pub_key)) {
    LOG(ERROR) << "Failed to convert hex to SecureBlob";
    return false;
  }
  return true;
}

// static
bool FakeRecoveryMediatorCrypto::GetFakeMediatorPrivateKey(
    brillo::SecureBlob* mediator_priv_key) {
  if (!brillo::SecureBlob::HexStringToSecureBlob(kFakeMediatorPrivateKeyHex,
                                                 mediator_priv_key)) {
    LOG(ERROR) << "Failed to convert hex to SecureBlob";
    return false;
  }
  return true;
}

// static
bool FakeRecoveryMediatorCrypto::GetFakeEpochPublicKey(
    brillo::SecureBlob* epoch_pub_key) {
  if (!brillo::SecureBlob::HexStringToSecureBlob(kFakeEpochPublicKeyHex,
                                                 epoch_pub_key)) {
    LOG(ERROR) << "Failed to convert hex to SecureBlob";
    return false;
  }
  return true;
}

// static
bool FakeRecoveryMediatorCrypto::GetFakeEpochPrivateKey(
    brillo::SecureBlob* epoch_priv_key) {
  if (!brillo::SecureBlob::HexStringToSecureBlob(kFakeEpochPrivateKeyHex,
                                                 epoch_priv_key)) {
    LOG(ERROR) << "Failed to convert hex to SecureBlob";
    return false;
  }
  return true;
}

// static
bool FakeRecoveryMediatorCrypto::GetFakeEpochResponse(
    CryptoRecoveryEpochResponse* epoch_response) {
  brillo::SecureBlob epoch_pub_key;
  if (!GetFakeEpochPublicKey(&epoch_pub_key)) {
    LOG(ERROR) << "Failed to get fake epoch public key";
    return false;
  }
  brillo::SecureBlob epoch_metadata_cbor;
  cbor::Value::MapValue meta_data_cbor;
  meta_data_cbor.emplace("meta_data_cbor_key", "meta_data_cbor_value");
  if (!SerializeCborForTesting(cbor::Value(meta_data_cbor),
                               &epoch_metadata_cbor)) {
    LOG(ERROR) << "Failed to create epoch_metadata_cbor";
    return false;
  }
  epoch_response->set_protocol_version(1);
  epoch_response->set_epoch_pub_key(epoch_pub_key.data(), epoch_pub_key.size());
  epoch_response->set_epoch_meta_data(epoch_metadata_cbor.data(),
                                      epoch_metadata_cbor.size());
  return true;
}

bool FakeRecoveryMediatorCrypto::DecryptMediatorShare(
    const brillo::SecureBlob& mediator_priv_key,
    const RecoveryCrypto::EncryptedMediatorShare& encrypted_mediator_share,
    brillo::SecureBlob* mediator_share) const {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return false;
  }

  crypto::ScopedBIGNUM mediator_priv_key_bn =
      SecureBlobToBigNum(mediator_priv_key);
  if (!mediator_priv_key_bn) {
    LOG(ERROR) << "Failed to convert mediator_priv_key to BIGNUM";
    return false;
  }
  crypto::ScopedEC_POINT ephemeral_pub_key = ec_.SecureBlobToPoint(
      encrypted_mediator_share.ephemeral_pub_key, context.get());
  if (!ephemeral_pub_key) {
    LOG(ERROR) << "Failed to convert ephemeral_pub_key SecureBlob to EC_POINT";
    return false;
  }
  crypto::ScopedEC_POINT shared_secret_point = ComputeEcdhSharedSecretPoint(
      ec_, *ephemeral_pub_key, *mediator_priv_key_bn);
  if (!shared_secret_point) {
    LOG(ERROR) << "Failed to compute shared_secret_point";
    return false;
  }
  brillo::SecureBlob aes_gcm_key;
  if (!GenerateEcdhHkdfSymmetricKey(
          ec_, *shared_secret_point, encrypted_mediator_share.ephemeral_pub_key,
          GetMediatorShareHkdfInfo(),
          /*hkdf_salt=*/brillo::SecureBlob(), RecoveryCrypto::kHkdfHash,
          kAesGcm256KeySize, &aes_gcm_key)) {
    LOG(ERROR) << "Failed to generate ECDH+HKDF recipient key for mediator "
                  "share decryption";
    return false;
  }

  if (!AesGcmDecrypt(encrypted_mediator_share.encrypted_data,
                     /*ad=*/std::nullopt, encrypted_mediator_share.tag,
                     aes_gcm_key, encrypted_mediator_share.iv,
                     mediator_share)) {
    LOG(ERROR) << "Failed to perform AES-GCM decryption";
    return false;
  }

  return true;
}

bool FakeRecoveryMediatorCrypto::DecryptHsmPayloadPlainText(
    const brillo::SecureBlob& mediator_priv_key,
    const HsmPayload& hsm_payload,
    brillo::SecureBlob* plain_text) const {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return false;
  }

  brillo::SecureBlob publisher_pub_key_blob;
  if (!GetBytestringValueFromCborMapByKeyForTesting(hsm_payload.associated_data,
                                                    kPublisherPublicKey,
                                                    &publisher_pub_key_blob)) {
    LOG(ERROR) << "Unable to deserialize publisher_pub_key from hsm_payload";
    return false;
  }
  crypto::ScopedBIGNUM mediator_priv_key_bn =
      SecureBlobToBigNum(mediator_priv_key);
  if (!mediator_priv_key_bn) {
    LOG(ERROR) << "Failed to convert mediator_priv_key to BIGNUM";
    return false;
  }
  crypto::ScopedEC_POINT publisher_pub_key =
      ec_.SecureBlobToPoint(publisher_pub_key_blob, context.get());
  if (!publisher_pub_key) {
    LOG(ERROR) << "Failed to convert publisher_pub_key_blob to EC_POINT";
    return false;
  }
  crypto::ScopedEC_POINT shared_secret_point = ComputeEcdhSharedSecretPoint(
      ec_, *publisher_pub_key, *mediator_priv_key_bn);
  if (!shared_secret_point) {
    LOG(ERROR) << "Failed to compute shared_secret_point";
    return false;
  }
  brillo::SecureBlob aes_gcm_key;
  if (!GenerateEcdhHkdfSymmetricKey(
          ec_, *shared_secret_point, publisher_pub_key_blob,
          GetMediatorShareHkdfInfo(),
          /*hkdf_salt=*/brillo::SecureBlob(), RecoveryCrypto::kHkdfHash,
          kAesGcm256KeySize, &aes_gcm_key)) {
    LOG(ERROR) << "Failed to generate ECDH+HKDF recipient key for HSM "
                  "plaintext decryption";
    return false;
  }

  if (!AesGcmDecrypt(hsm_payload.cipher_text, hsm_payload.associated_data,
                     hsm_payload.tag, aes_gcm_key, hsm_payload.iv,
                     plain_text)) {
    LOG(ERROR) << "Failed to perform AES-GCM decryption";
    return false;
  }

  return true;
}

bool FakeRecoveryMediatorCrypto::DecryptRequestPayloadPlainText(
    const brillo::SecureBlob& epoch_priv_key,
    const RequestPayload& request_payload,
    brillo::SecureBlob* plain_text) const {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return false;
  }

  brillo::SecureBlob salt;
  if (!GetBytestringValueFromCborMapByKeyForTesting(
          request_payload.associated_data, kRequestPayloadSalt, &salt)) {
    LOG(ERROR) << "Unable to deserialize salt from request_payload";
    return false;
  }
  HsmPayload hsm_payload;
  if (!GetHsmPayloadFromRequestAdForTesting(request_payload.associated_data,
                                            &hsm_payload)) {
    LOG(ERROR) << "Unable to deserialize hsm_payload from request_payload";
    return false;
  }
  brillo::SecureBlob channel_pub_key_blob;
  if (!GetBytestringValueFromCborMapByKeyForTesting(hsm_payload.associated_data,
                                                    kChannelPublicKey,
                                                    &channel_pub_key_blob)) {
    LOG(ERROR) << "Unable to deserialize channel_pub_key from "
                  "hsm_payload.associated_data";
    return false;
  }

  crypto::ScopedBIGNUM epoch_priv_key_bn = SecureBlobToBigNum(epoch_priv_key);
  if (!epoch_priv_key_bn) {
    LOG(ERROR) << "Failed to convert epoch_priv_key to BIGNUM";
    return false;
  }
  crypto::ScopedEC_POINT channel_pub_key =
      ec_.SecureBlobToPoint(channel_pub_key_blob, context.get());
  if (!channel_pub_key) {
    LOG(ERROR) << "Failed to convert channel_pub_key_blob to EC_POINT";
    return false;
  }
  crypto::ScopedEC_POINT shared_secret_point =
      ComputeEcdhSharedSecretPoint(ec_, *channel_pub_key, *epoch_priv_key_bn);
  if (!shared_secret_point) {
    LOG(ERROR) << "Failed to compute shared_secret_point";
    return false;
  }
  brillo::SecureBlob aes_gcm_key;
  if (!GenerateEcdhHkdfSymmetricKey(
          ec_, *shared_secret_point, channel_pub_key_blob,
          GetRequestPayloadPlainTextHkdfInfo(), salt, RecoveryCrypto::kHkdfHash,
          kAesGcm256KeySize, &aes_gcm_key)) {
    LOG(ERROR) << "Failed to generate ECDH+HKDF recipient key for request "
                  "payload decryption";
    return false;
  }

  if (!AesGcmDecrypt(request_payload.cipher_text,
                     request_payload.associated_data, request_payload.tag,
                     aes_gcm_key, request_payload.iv, plain_text)) {
    LOG(ERROR) << "Failed to perform AES-GCM decryption of request_payload";
    return false;
  }

  return true;
}

bool FakeRecoveryMediatorCrypto::MediateHsmPayload(
    const brillo::SecureBlob& mediator_priv_key,
    const brillo::SecureBlob& epoch_pub_key,
    const brillo::SecureBlob& epoch_priv_key,
    const brillo::SecureBlob& ephemeral_pub_inv_key,
    const HsmPayload& hsm_payload,
    CryptoRecoveryRpcResponse* recovery_response_proto) const {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return false;
  }

  brillo::SecureBlob hsm_plain_text_cbor;
  if (!DecryptHsmPayloadPlainText(mediator_priv_key, hsm_payload,
                                  &hsm_plain_text_cbor)) {
    LOG(ERROR) << "Unable to decrypt hsm_plain_text_cbor in hsm_payload";
    return false;
  }

  HsmPlainText hsm_plain_text;
  if (!DeserializeHsmPlainTextFromCbor(hsm_plain_text_cbor, &hsm_plain_text)) {
    LOG(ERROR) << "Unable to deserialize hsm_plain_text_cbor";
    return false;
  }

  crypto::ScopedBIGNUM mediator_share_bn =
      SecureBlobToBigNum(hsm_plain_text.mediator_share);
  if (!mediator_share_bn) {
    LOG(ERROR) << "Failed to convert SecureBlob to BIGNUM";
    return false;
  }
  crypto::ScopedEC_POINT dealer_pub_point =
      ec_.SecureBlobToPoint(hsm_plain_text.dealer_pub_key, context.get());
  if (!dealer_pub_point) {
    LOG(ERROR) << "Failed to convert SecureBlob to EC_POINT";
    return false;
  }
  // Performs scalar multiplication of dealer_pub_key and mediator_share.
  brillo::SecureBlob mediator_dh;
  crypto::ScopedEC_POINT mediator_dh_point =
      ec_.Multiply(*dealer_pub_point, *mediator_share_bn, context.get());
  if (!mediator_dh_point) {
    LOG(ERROR) << "Failed to perform scalar multiplication";
    return false;
  }
  // Perform addition of mediator_dh_point and ephemeral_pub_inv_key.
  crypto::ScopedEC_POINT ephemeral_pub_inv_point =
      ec_.SecureBlobToPoint(ephemeral_pub_inv_key, context.get());
  if (!ephemeral_pub_inv_point) {
    LOG(ERROR) << "Failed to convert SecureBlob to EC_POINT";
    return false;
  }
  crypto::ScopedEC_POINT mediated_point =
      ec_.Add(*mediator_dh_point, *ephemeral_pub_inv_point, context.get());
  if (!mediated_point) {
    LOG(ERROR) << "Failed to add mediator_dh_point and ephemeral_pub_inv_point";
    return false;
  }
  if (!ec_.PointToSecureBlob(*mediated_point, &mediator_dh, context.get())) {
    LOG(ERROR) << "Failed to convert EC_POINT to SecureBlob";
    return false;
  }

  brillo::SecureBlob salt =
      CreateSecureRandomBlob(RecoveryCrypto::kHkdfSaltLength);
  ResponsePayload response_payload;
  HsmResponseAssociatedData response_ad;
  response_ad.response_payload_salt = salt;
  if (!SerializeHsmResponseAssociatedDataToCbor(
          response_ad, &response_payload.associated_data)) {
    LOG(ERROR) << "Unable to serialize response payload associated data";
    return false;
  }

  brillo::SecureBlob response_plain_text_cbor;
  HsmResponsePlainText response_plain_text;
  response_plain_text.mediated_point = mediator_dh;
  response_plain_text.dealer_pub_key = hsm_plain_text.dealer_pub_key;
  response_plain_text.key_auth_value = hsm_plain_text.key_auth_value;
  if (!SerializeHsmResponsePlainTextToCbor(response_plain_text,
                                           &response_plain_text_cbor)) {
    LOG(ERROR) << "Unable to serialize response plain text";
    return false;
  }

  brillo::SecureBlob channel_pub_key_blob;
  if (!GetBytestringValueFromCborMapByKeyForTesting(hsm_payload.associated_data,
                                                    kChannelPublicKey,
                                                    &channel_pub_key_blob)) {
    LOG(ERROR) << "Unable to deserialize channel_pub_key from hsm_payload";
    return false;
  }

  crypto::ScopedBIGNUM epoch_priv_key_bn = SecureBlobToBigNum(epoch_priv_key);
  if (!epoch_priv_key_bn) {
    LOG(ERROR) << "Failed to convert epoch_priv_key to BIGNUM";
    return false;
  }
  crypto::ScopedEC_POINT channel_pub_key =
      ec_.SecureBlobToPoint(channel_pub_key_blob, context.get());
  if (!channel_pub_key) {
    LOG(ERROR) << "Failed to convert channel_pub_key_blob to EC_POINT";
    return false;
  }
  crypto::ScopedEC_POINT shared_secret_point =
      ComputeEcdhSharedSecretPoint(ec_, *channel_pub_key, *epoch_priv_key_bn);
  if (!shared_secret_point) {
    LOG(ERROR) << "Failed to compute shared_secret_point";
    return false;
  }
  brillo::SecureBlob aes_gcm_key;
  // The static nature of `channel_pub_key` (G*s) and `epoch_pub_key` (G*r)
  // requires the need to utilize a randomized salt value in the HKDF
  // computation.
  if (!GenerateEcdhHkdfSymmetricKey(ec_, *shared_secret_point, epoch_pub_key,
                                    GetResponsePayloadPlainTextHkdfInfo(), salt,
                                    RecoveryCrypto::kHkdfHash,
                                    kAesGcm256KeySize, &aes_gcm_key)) {
    LOG(ERROR)
        << "Failed to generate ECDH+HKDF recipient key for Recovery Request "
           "plaintext encryption";
    return false;
  }

  if (!AesGcmEncrypt(response_plain_text_cbor, response_payload.associated_data,
                     aes_gcm_key, &response_payload.iv, &response_payload.tag,
                     &response_payload.cipher_text)) {
    LOG(ERROR) << "Failed to perform AES-GCM encryption of response_payload";
    return false;
  }

  RecoveryResponse recovery_response;
  recovery_response.response_payload = std::move(response_payload);
  recovery_response.error_code = 0;
  if (!GenerateRecoveryRequestProto(recovery_response,
                                    recovery_response_proto)) {
    LOG(ERROR) << "Failed to generate Recovery Response proto";
    return false;
  }
  return true;
}

bool FakeRecoveryMediatorCrypto::MediateRequestPayload(
    const brillo::SecureBlob& epoch_pub_key,
    const brillo::SecureBlob& epoch_priv_key,
    const brillo::SecureBlob& mediator_priv_key,
    const CryptoRecoveryRpcRequest& recovery_request_proto,
    CryptoRecoveryRpcResponse* recovery_response_proto) const {
  ScopedBN_CTX context = CreateBigNumContext();
  if (!context.get()) {
    LOG(ERROR) << "Failed to allocate BN_CTX structure";
    return false;
  }
  // Parse out the rsa_signature in Recovery Request
  RecoveryRequest recovery_request;
  if (!GetRecoveryRequestFromProto(recovery_request_proto, &recovery_request)) {
    LOG(ERROR) << "Couldn't get recovery request from recovery_request_proto";
    return false;
  }
  // Parse out the rsa_public_key, which is in Hsm Associated Data. Hsm
  // Associated Data is in Hsm Payload, and it is in the Associated Data of
  // Request Payload
  RequestPayload request_payload;
  if (!DeserializeRecoveryRequestPayloadFromCbor(
          recovery_request.request_payload, &request_payload)) {
    LOG(ERROR) << "Failed to deserialize Request payload.";
    return false;
  }
  HsmPayload hsm_payload;
  if (!GetHsmPayloadFromRequestAdForTesting(request_payload.associated_data,
                                            &hsm_payload)) {
    LOG(ERROR) << "Unable to extract hsm_payload from request_payload";
    return false;
  }
  HsmAssociatedData hsm_associated_data;
  if (!DeserializeHsmAssociatedDataFromCbor(hsm_payload.associated_data,
                                            &hsm_associated_data)) {
    LOG(ERROR) << "Unable to deserialize hsm_associated_data_cbor";
    return false;
  }

  // If the recovery request is sent from devices with TPM2.0, no RSA signature
  // is attached to be verified and the public key wrapped in AD1 would be
  // empty.
  if (!hsm_associated_data.rsa_public_key.empty() ||
      !recovery_request.rsa_signature.empty()) {
    // Verify RSA signature with RSA public key and request payload
    if (!VerifyRsaSignatureSha256(recovery_request.request_payload,
                                  recovery_request.rsa_signature,
                                  hsm_associated_data.rsa_public_key)) {
      LOG(ERROR)
          << "Unable to initiate verifying rsa signature in request_payload";
      return false;
    }
  }

  brillo::SecureBlob request_plain_text_cbor;
  if (!DecryptRequestPayloadPlainText(epoch_priv_key, request_payload,
                                      &request_plain_text_cbor)) {
    LOG(ERROR) << "Unable to decrypt plain text in request_payload";
    return false;
  }

  RecoveryRequestPlainText plain_text;
  if (!DeserializeRecoveryRequestPlainTextFromCbor(request_plain_text_cbor,
                                                   &plain_text)) {
    LOG(ERROR)
        << "Unable to deserialize Recovery Request request_plain_text_cbor";
    return false;
  }

  if (!MediateHsmPayload(mediator_priv_key, epoch_pub_key, epoch_priv_key,
                         plain_text.ephemeral_pub_inv_key, hsm_payload,
                         recovery_response_proto)) {
    LOG(ERROR) << "Unable to mediate hsm_payload";
    return false;
  }

  return true;
}

}  // namespace cryptorecovery
}  // namespace cryptohome