sodium-javascript/crypto_box.js

/* eslint-disable camelcase */
const { crypto_hash_sha512 } = require('./crypto_hash')
const { crypto_scalarmult, crypto_scalarmult_base } = require('./crypto_scalarmult')
const { randombytes } = require('./randombytes')
const { crypto_generichash_batch } = require('./crypto_generichash')
const { crypto_stream_xsalsa20_MESSAGEBYTES_MAX } = require('./crypto_stream')
const {
  crypto_secretbox_open_easy,
  crypto_secretbox_easy,
  crypto_secretbox_detached,
  crypto_secretbox_open_detached
} = require('./crypto_secretbox')
const xsalsa20 = require('xsalsa20')
const assert = require('nanoassert')

const crypto_box_PUBLICKEYBYTES = 32
const crypto_box_SECRETKEYBYTES = 32
const crypto_box_NONCEBYTES = 24
const crypto_box_ZEROBYTES = 32
const crypto_box_BOXZEROBYTES = 16
const crypto_box_SEALBYTES = 48
const crypto_box_SEEDBYTES = 32
const crypto_box_BEFORENMBYTES = 32
const crypto_box_MACBYTES = 16

const crypto_box_curve25519xsalsa20poly1305_MACBYTES = 16

const crypto_box_MESSAGEBYTES_MAX =
  crypto_stream_xsalsa20_MESSAGEBYTES_MAX -
  crypto_box_curve25519xsalsa20poly1305_MACBYTES

module.exports = {
  crypto_box_easy,
  crypto_box_open_easy,
  crypto_box_keypair,
  crypto_box_seed_keypair,
  crypto_box_seal,
  crypto_box_seal_open,
  crypto_box_PUBLICKEYBYTES,
  crypto_box_SECRETKEYBYTES,
  crypto_box_NONCEBYTES,
  crypto_box_ZEROBYTES,
  crypto_box_BOXZEROBYTES,
  crypto_box_SEALBYTES,
  crypto_box_SEEDBYTES,
  crypto_box_BEFORENMBYTES,
  crypto_box_MACBYTES
}

function crypto_box_keypair (pk, sk) {
  check(pk, crypto_box_PUBLICKEYBYTES)
  check(sk, crypto_box_SECRETKEYBYTES)
  randombytes(sk, 32)
  return crypto_scalarmult_base(pk, sk)
}
function crypto_box_seed_keypair (pk, sk, seed) {
  assert(pk.byteLength === crypto_box_PUBLICKEYBYTES, "pk should be 'crypto_box_PUBLICKEYBYTES' bytes")
  assert(sk.byteLength === crypto_box_SECRETKEYBYTES, "sk should be 'crypto_box_SECRETKEYBYTES' bytes")
  assert(sk.byteLength === crypto_box_SEEDBYTES, "sk should be 'crypto_box_SEEDBYTES' bytes")

  const hash = new Uint8Array(64)
  crypto_hash_sha512(hash, seed, 32)
  sk.set(hash.subarray(0, 32))
  hash.fill(0)

  return crypto_scalarmult_base(pk, sk)
}

function crypto_box_seal (c, m, pk) {
  check(c, crypto_box_SEALBYTES + m.length)
  check(pk, crypto_box_PUBLICKEYBYTES)

  var epk = c.subarray(0, crypto_box_PUBLICKEYBYTES)
  var esk = new Uint8Array(crypto_box_SECRETKEYBYTES)
  crypto_box_keypair(epk, esk)

  var n = new Uint8Array(crypto_box_NONCEBYTES)
  crypto_generichash_batch(n, [epk, pk])

  var s = new Uint8Array(crypto_box_PUBLICKEYBYTES)
  crypto_scalarmult(s, esk, pk)

  var k = new Uint8Array(crypto_box_BEFORENMBYTES)
  var zero = new Uint8Array(16)
  xsalsa20.core_hsalsa20(k, zero, s, xsalsa20.SIGMA)

  crypto_secretbox_easy(c.subarray(epk.length), m, n, k)

  cleanup(esk)
}

function crypto_box_seal_open (m, c, pk, sk) {
  check(c, crypto_box_SEALBYTES)
  check(m, c.length - crypto_box_SEALBYTES)
  check(pk, crypto_box_PUBLICKEYBYTES)
  check(sk, crypto_box_SECRETKEYBYTES)

  var epk = c.subarray(0, crypto_box_PUBLICKEYBYTES)

  var n = new Uint8Array(crypto_box_NONCEBYTES)
  crypto_generichash_batch(n, [epk, pk])

  var s = new Uint8Array(crypto_box_PUBLICKEYBYTES)
  crypto_scalarmult(s, sk, epk)

  var k = new Uint8Array(crypto_box_BEFORENMBYTES)
  var zero = new Uint8Array(16)
  xsalsa20.core_hsalsa20(k, zero, s, xsalsa20.SIGMA)

  return crypto_secretbox_open_easy(m, c.subarray(epk.length), n, k)
}

function crypto_box_beforenm (k, pk, sk) {
  const zero = new Uint8Array(16)
  const s = new Uint8Array(32)

  assert(crypto_scalarmult(s, sk, pk) === 0)

  xsalsa20.core_hsalsa20(k, zero, s, xsalsa20.SIGMA)

  return true
}

function crypto_box_detached_afternm (c, mac, m, n, k) {
  return crypto_secretbox_detached(c, mac, m, n, k)
}

function crypto_box_detached (c, mac, m, n, pk, sk) {
  check(mac, crypto_box_MACBYTES)
  check(n, crypto_box_NONCEBYTES)
  check(pk, crypto_box_PUBLICKEYBYTES)
  check(sk, crypto_box_SECRETKEYBYTES)

  const k = new Uint8Array(crypto_box_BEFORENMBYTES)

  assert(crypto_box_beforenm(k, pk, sk))

  const ret = crypto_box_detached_afternm(c, mac, m, n, k)
  cleanup(k)

  return ret
}

function crypto_box_easy (c, m, n, pk, sk) {
  assert(
    c.length >= m.length + crypto_box_MACBYTES,
    "c should be at least 'm.length + crypto_box_MACBYTES' bytes"
  )
  assert(
    m.length <= crypto_box_MESSAGEBYTES_MAX,
    "m should be at most 'crypto_box_MESSAGEBYTES_MAX' bytes"
  )

  return crypto_box_detached(
    c.subarray(crypto_box_MACBYTES, m.length + crypto_box_MACBYTES),
    c.subarray(0, crypto_box_MACBYTES),
    m,
    n,
    pk,
    sk
  )
}

function crypto_box_open_detached_afternm (m, c, mac, n, k) {
  return crypto_secretbox_open_detached(m, c, mac, n, k)
}

function crypto_box_open_detached (m, c, mac, n, pk, sk) {
  const k = new Uint8Array(crypto_box_BEFORENMBYTES)
  assert(crypto_box_beforenm(k, pk, sk))

  const ret = crypto_box_open_detached_afternm(m, c, mac, n, k)
  cleanup(k)

  return ret
}

function crypto_box_open_easy (m, c, n, pk, sk) {
  assert(
    c.length >= m.length + crypto_box_MACBYTES,
    "c should be at least 'm.length + crypto_box_MACBYTES' bytes"
  )

  return crypto_box_open_detached(
    m,
    c.subarray(crypto_box_MACBYTES, m.length + crypto_box_MACBYTES),
    c.subarray(0, crypto_box_MACBYTES),
    n,
    pk,
    sk
  )
}

function check (buf, len) {
  if (!buf || (len && buf.length < len)) throw new Error('Argument must be a buffer' + (len ? ' of length ' + len : ''))
}

function cleanup (arr) {
  for (let i = 0; i < arr.length; i++) arr[i] = 0
}