コード例 #1
ファイル: SecretKey.php プロジェクト: CodyCodeman/halite
 /**
  * Generate a key by delegating to the parent implementation (see Key::generate()).
  *
  * @param int   $type       Key flags (bitmask); defaults to self::CRYPTO_BOX
  * @param mixed $secret_key Taken by reference and handed through to parent::generate()
  * @return mixed Whatever parent::generate() returns (not visible from here)
  */
 public static function generate($type = self::CRYPTO_BOX, &$secret_key = null)
 {
     // NOTE(review): in PHP `===` binds tighter than `&`, so this condition is
     // parsed as `$type & (self::ASYMMETRIC === 0)`: the constant is compared
     // with 0 first and $type is then ANDed with that boolean. The ASYMMETRIC
     // flag of $type is therefore not what is being tested; the intended form
     // is presumably `($type & self::ASYMMETRIC) === 0` - confirm.
     if ($type & self::ASYMMETRIC === 0) {
         // NOTE(review): `&=` can only clear bits, so it cannot add a missing
         // ASYMMETRIC flag; `|=` looks like the intent - confirm before changing,
         // since the result decides which kind of key parent::generate() creates.
         $type &= self::ASYMMETRIC;
     }
     return parent::generate($type, $secret_key);
 }
コード例 #2
ファイル: FileTest.php プロジェクト: kevinmel2000/halite
 /**
  * Round-trip check for sealed files: seal the fixture image with a freshly
  * generated public key, unseal it with the matching secret key, and compare
  * the SHA-256 digests of the original and the recovered file.
  */
 public function testSeal()
 {
     $plainPath = __DIR__ . '/tmp/paragon_avatar.png';
     $sealedPath = __DIR__ . '/tmp/paragon_avatar.sealed.png';
     $openedPath = __DIR__ . '/tmp/paragon_avatar.opened.png';

     // Create both output files up front and open up their permissions.
     // NOTE(review): 0777 leaves the sealed and recovered files world-writable;
     // a narrower mode is usually enough for a test fixture - confirm what the
     // test environment actually needs.
     foreach ([$sealedPath, $openedPath] as $outputPath) {
         \touch($outputPath);
         \chmod($outputPath, 0777);
     }

     list($secretkey, $publickey) = Key::generate(Key::CRYPTO_BOX);

     File::sealFile($plainPath, $sealedPath, $publickey);
     File::unsealFile($sealedPath, $openedPath, $secretkey);

     $originalDigest = \hash_file('sha256', $plainPath);
     $recoveredDigest = \hash_file('sha256', $openedPath);
     $this->assertEquals($originalDigest, $recoveredDigest);
 }
コード例 #3
ファイル: SecretKey.php プロジェクト: CodyCodeman/halite
 /**
  * Generate a key by delegating to the parent implementation (see Key::generate()).
  *
  * @param int   $type       Key flags (bitmask); defaults to self::CRYPTO_SECRETBOX
  * @param mixed $secret_key Taken by reference and handed through to parent::generate()
  * @return mixed Whatever parent::generate() returns (not visible from here)
  */
 public static function generate($type = self::CRYPTO_SECRETBOX, &$secret_key = null)
 {
     // NOTE(review): in PHP `!==` binds tighter than `&`, so the two conditions
     // below are parsed as `$type & (CONSTANT !== 0)`: the constant is compared
     // with 0 first and $type is then ANDed with that boolean. Neither the
     // ASYMMETRIC nor the PUBLIC_KEY flag of $type is actually tested; the
     // intended form is presumably `($type & self::FLAG) !== 0` - confirm.
     // `^=` toggles a bit rather than clearing it, so whenever a branch runs
     // for a $type that lacks the flag, the flag ends up set.
     if ($type & self::ASYMMETRIC !== 0) {
         $type ^= self::ASYMMETRIC;
     }
     if ($type & self::PUBLIC_KEY !== 0) {
         $type ^= self::PUBLIC_KEY;
     }
     // Meant to force the secret-key flag.
     // NOTE(review): `&=` keeps only the bits $type shares with SECRET_KEY and
     // drops every other flag; it cannot set a missing bit. `|=` looks like the
     // intent - confirm against what parent::generate() expects.
     $type &= self::SECRET_KEY;
     return parent::generate($type, $secret_key);
 }
コード例 #4
ファイル: Asymmetric.php プロジェクト: kevinmel2000/halite
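 /**
  * Generate an asymmetric keypair.
  *
  * @param int $type Key flags (bitmask); must include Key::ASYMMETRIC
  * @return KeyPair Built from the values returned by Key::generate()
  * @throws CryptoAlert\InvalidFlags If the ASYMMETRIC flag is not set in $type
  * @throws CryptoAlert\InvalidKey   If $type is not one of the accepted key types
  */
 public static function generateKeys($type = Key::CRYPTO_BOX)
 {
     // The mask must be parenthesised: `===` binds tighter than `&` in PHP, so
     // the unparenthesised form compares the constant with 0 first and then
     // ANDs $type with that boolean, which never rejects a non-asymmetric type.
     // NOTE(review): whether the bare Key::ENCRYPTION / Key::SIGNATURE cases
     // below carry the ASYMMETRIC bit is not visible here; if they do not,
     // this guard now rejects them with InvalidFlags - confirm that is wanted.
     if (($type & Key::ASYMMETRIC) === 0) {
         throw new CryptoAlert\InvalidFlags();
     }
     switch ($type) {
         case Key::ENCRYPTION:
         case Key::SIGNATURE:
         case Key::CRYPTO_SIGN:
         case Key::CRYPTO_BOX:
             $keys = Key::generate($type);
             return new KeyPair(...$keys);
         default:
             throw new CryptoAlert\InvalidKey();
     }
 }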
コード例 #5
ファイル: FileTest.php プロジェクト: CodyCodeman/halite
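 /**
  * Tamper check for sealed files: seal the fixture image, append one random
  * byte to the sealed file, and require unsealFile() to reject the result
  * with CryptoException\InvalidMessage.
  */
 public function testSealFail()
 {
     $plainPath = __DIR__ . '/tmp/paragon_avatar.png';
     $sealedPath = __DIR__ . '/tmp/paragon_avatar.seal_fail.png';
     $openedPath = __DIR__ . '/tmp/paragon_avatar.open_fail.png';

     \touch($sealedPath);
     \chmod($sealedPath, 0777);
     \touch($openedPath);
     \chmod($openedPath, 0777);

     list($secretkey, $publickey) = Key::generate(Key::CRYPTO_BOX);
     File::sealFile($plainPath, $sealedPath, $publickey);

     // Corrupt the sealed file by appending a single random byte.
     $fp = \fopen($sealedPath, 'ab');
     // Fail with a clear message if the file could not be opened, instead of
     // passing a non-resource on to fwrite().
     $this->assertTrue(\is_resource($fp), 'Could not open the sealed file for appending');
     \fwrite($fp, \Sodium\randombytes_buf(1));
     \fclose($fp);

     try {
         // Unseal into the output file this test prepared above, not into the
         // paragon_avatar.opened.png file that testSeal() writes and hashes.
         File::unsealFile($sealedPath, $openedPath, $secretkey);
     } catch (CryptoException\InvalidMessage $e) {
         $this->assertTrue($e instanceof CryptoException\InvalidMessage);
         return;
     }
     // Reaching this point means the tampered file was accepted.
     $this->fail('ERROR: THIS SHOULD ALWAYS FAIL');
 }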
コード例 #6
ファイル: Symmetric.php プロジェクト: kevinmel2000/halite
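 /**
  * Generate a symmetric key.
  *
  * @param int $type Key flags (bitmask); must not include Key::ASYMMETRIC
  * @return array Two elements: the result of Key::generate() and $secret
  *               (presumably filled in by Key::generate() - confirm)
  * @throws CryptoAlert\InvalidFlags If the ASYMMETRIC flag is set in $type
  * @throws CryptoAlert\InvalidKey   If $type is not one of the accepted key types
  */
 public static function generateKeys($type = Key::CRYPTO_SECRETBOX)
 {
     // The mask must be parenthesised: `!==` binds tighter than `&` in PHP, so
     // the unparenthesised form compares the constant with 0 first and then
     // ANDs $type with that boolean, testing the lowest bit of $type instead
     // of the ASYMMETRIC flag.
     if (($type & Key::ASYMMETRIC) !== 0) {
         throw new CryptoAlert\InvalidFlags();
     }
     $secret = '';
     switch ($type) {
         case Key::ENCRYPTION:
         case Key::CRYPTO_AUTH:
         case Key::CRYPTO_SECRETBOX:
             // Element order matters: Key::generate() runs first, then
             // $secret is read for the second element.
             return [Key::generate($type, $secret), $secret];
         default:
             throw new CryptoAlert\InvalidKey();
     }
 }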
コード例 #7
ファイル: File.php プロジェクト: kevinmel2000/halite
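 /**
  * Seal the contents of an open input handle into an open output handle so
  * that only the holder of the secret key matching $publickey can open it.
  *
  * Writes a header (version tag, ephemeral public key, HKDF salt) to $output,
  * feeds the same three fields into an HMAC-SHA256 context, then hands the
  * rest of the work to self::streamEncrypt().
  *
  * @param resource $input  Open handle to read the plaintext from
  * @param resource $output Open handle to write the sealed data to
  * @param \ParagonIE\Halite\Contract\CryptoKeyInterface $publickey
  * @return mixed Whatever self::streamEncrypt() returns
  * @throws \ParagonIE\Halite\Alerts\InvalidType If either handle is not a resource
  * @throws CryptoAlert\InvalidKey               If $publickey is not an asymmetric public key
  * @throws FileAlert\AccessDenied               If a header field cannot be written
  */
 public static function sealResource($input, $output, \ParagonIE\Halite\Contract\CryptoKeyInterface $publickey)
 {
     // Input validation
     if (!\is_resource($input)) {
         throw new \ParagonIE\Halite\Alerts\InvalidType('Expected input handle to be a resource');
     }
     if (!\is_resource($output)) {
         throw new \ParagonIE\Halite\Alerts\InvalidType('Expected output handle to be a resource');
     }
     if (!$publickey->isPublicKey()) {
         throw new CryptoAlert\InvalidKey('Expected a public key');
     }
     if (!$publickey->isAsymmetricKey()) {
         throw new CryptoAlert\InvalidKey('Expected a key intended for asymmetric-key cryptography');
     }
     // Generate a new keypair for this encryption
     list($eph_secret, $eph_public) = Key::generate(Key::CRYPTO_BOX);
     // Calculate the shared secret key
     $key = Asymmetric::getSharedSecret($eph_secret, $publickey, true);
     // Drop the ephemeral secret key once the shared secret exists.
     // NOTE(review): unset() only releases this reference; whether the key
     // bytes are wiped depends on the key object's destructor, not visible here.
     unset($eph_secret);
     $config = self::getConfig(Halite::HALITE_VERSION, 'seal');
     // Generate a nonce as per crypto_box_seal
     $nonce = \Sodium\crypto_generichash($eph_public->get() . $publickey->get(), null, \Sodium\CRYPTO_STREAM_NONCEBYTES);
     // Generate a random HKDF salt
     // NOTE(review): the salt is generated with $config['HKDF_SALT_LEN'] bytes
     // but written below with Halite::HKDF_SALT_LEN as the length cap, while
     // the full salt goes into key splitting and the MAC. If the two lengths
     // ever differ the written header is truncated - confirm they are equal.
     $hkdfsalt = \Sodium\randombytes_buf($config['HKDF_SALT_LEN']);
     // Split the keys
     list($encKey, $authKey) = self::splitKeys($key, $hkdfsalt);
     // We no longer need the original key after we split it
     unset($key);
     $mac = \hash_init('sha256', HASH_HMAC, $authKey);
     // We no longer need to retain this after we've set up the hash context
     unset($authKey);

     // Header fields in wire order, each with the length cap passed to fwrite().
     $headerFields = [
         [Halite::HALITE_VERSION, Halite::VERSION_TAG_LEN],
         [$eph_public->get(), \Sodium\CRYPTO_BOX_PUBLICKEYBYTES],
         [$hkdfsalt, Halite::HKDF_SALT_LEN],
     ];
     foreach ($headerFields as list($field, $length)) {
         // Check every write on its own. Folding the results together with
         // `&=` turns them into an integer, so a later `=== false` test can
         // never fire and a failed write would go unnoticed.
         if (\fwrite($output, $field, $length) === false) {
             throw new FileAlert\AccessDenied('Could not write to the file');
         }
         // The MAC covers the header fields in the order they are written.
         \hash_update($mac, $field);
     }
     unset($eph_public);
     return self::streamEncrypt($input, $output, new Key($encKey), $nonce, $mac, $config);
 }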
コード例 #8
ファイル: KeyPair.php プロジェクト: kevinmel2000/halite
 /**
  * Create a fresh asymmetric keypair.
  *
  * Only the flag bits of $type are inspected: a type with the ENCRYPTION bit
  * yields a Key::CRYPTO_BOX pair, otherwise a type with the SIGNATURE bit
  * yields a Key::CRYPTO_SIGN pair. ENCRYPTION is checked first, so it wins
  * when both bits are set.
  *
  * @param int $type Key flags
  * @return array [Key $secret, Key $public]
  * @throws CryptoAlert\InvalidKey If $type lacks the ASYMMETRIC bit, or has
  *                                neither the ENCRYPTION nor the SIGNATURE bit
  */
 public static function generate($type = Key::CRYPTO_BOX)
 {
     // Each mask is parenthesised so the bitwise AND is evaluated before the comparison.
     $asymmetricBits = $type & Key::ASYMMETRIC;
     if ($asymmetricBits === 0) {
         throw new CryptoAlert\InvalidKey('An asymmetric key type must be passed to KeyPair::generate()');
     }

     $wantsEncryption = ($type & Key::ENCRYPTION) !== 0;
     if ($wantsEncryption) {
         return Key::generate(Key::CRYPTO_BOX);
     }

     $wantsSignature = ($type & Key::SIGNATURE) !== 0;
     if ($wantsSignature) {
         return Key::generate(Key::CRYPTO_SIGN);
     }

     throw new CryptoAlert\InvalidKey('You must specify encryption or authentication flags.');
 }