/**
* Generate a key pair for public key digital signatures
*
* @param string $secret_key
* @return SignatureKeyPair
*/
public static function generateSignatureKeyPair(string &$secret_key = '') : SignatureKeyPair
{
// Encryption keypair
$kp = \Sodium\crypto_sign_keypair();
$secret_key = \Sodium\crypto_sign_secretkey($kp);
// Let's wipe our $kp variable
\Sodium\memzero($kp);
return new SignatureKeyPair(new SignatureSecretKey($secret_key));
}
/**
* Returns a new set of keys for message encryption and signing.
*
* @param string $seed The seed to use to create repeatable keys.
* @param string $hashKey The key to hash the key with.
* @return array
*/
public static function generateKeys($seed = null, $hashKey = '')
{
# The keys are being generated from a seed.
if ($seed !== null) {
# Generate some repeatable hashes to create keys against for recovery
$encrHash = Hash::hash($seed, $hashKey, Constants::BOX_SEEDBYTES);
$signHash = Hash::hash($seed, $hashKey, Constants::SIGN_SEEDBYTES);
# Build recoverable pre-seeded key pairs.
$seeds = ['encr' => \Sodium\crypto_box_keypair($encrHash), 'sign' => \Sodium\crypto_sign_keypair($signHash)];
} else {
# Build un-recoverable key pairs.
$seeds = ['encr' => \Sodium\crypto_box_keypair(), 'sign' => \Sodium\crypto_sign_keypair()];
}
# Return the two generated key pairs to the client.
return ['encr' => ['pri' => Helpers::bin2hex(\Sodium\crypto_box_secretkey($seeds['encr'])), 'pub' => Helpers::bin2hex(\Sodium\crypto_box_publickey($seeds['encr']))], 'sign' => ['pri' => Helpers::bin2hex(\Sodium\crypto_sign_secretkey($seeds['sign'])), 'pub' => Helpers::bin2hex(\Sodium\crypto_sign_publickey($seeds['sign']))]];
}
/**
* Generate a key
*
* @param int $type
* @param &string $secret_key - Reference to optional variable to store secret key in
* @return array|Key
*/
public static function generate($type = self::CRYPTO_SECRETBOX, &$secret_key = null)
{
// Set this to true to flag a key as a signing key
$signing = false;
/**
* Are we doing public key cryptography?
*/
if (($type & self::ASYMMETRIC) !== 0) {
/**
* Are we doing encryption or digital signing?
*/
if (($type & self::ENCRYPTION) !== 0) {
// Encryption keypair
$kp = \Sodium\crypto_box_keypair();
$secret_key = \Sodium\crypto_box_secretkey($kp);
$public_key = \Sodium\crypto_box_publickey($kp);
} elseif (($type & self::SIGNATURE) !== 0) {
// Digital signature keypair
$signing = true;
$kp = \Sodium\crypto_sign_keypair();
$secret_key = \Sodium\crypto_sign_secretkey($kp);
$public_key = \Sodium\crypto_sign_publickey($kp);
} else {
throw new CryptoException\InvalidFlags('Must specify encryption or authentication');
}
// Let's wipe our $kp variable
\Sodium\memzero($kp);
// Let's return an array with two keys
return [new ASecretKey($secret_key, $signing), new APublicKey($public_key, $signing)];
} elseif ($type & self::SECRET_KEY !== 0) {
/**
* Are we doing encryption or authentication?
*/
if ($type & self::ENCRYPTION !== 0) {
$secret_key = \random_bytes(\Sodium\CRYPTO_SECRETBOX_KEYBYTES);
} elseif ($type & self::SIGNATURE !== 0) {
$signing = true;
// ...let it throw, let it throw!
$secret_key = \random_bytes(\Sodium\CRYPTO_AUTH_KEYBYTES);
}
return new SecretKey($secret_key, $signing);
} else {
throw new CryptoException\InvalidFlags('Must specify symmetric-key or asymmetric-key');
}
}