/**
 * Open a sealed box (anonymous public-key encryption) with our private key.
 *
 * The sender sealed the message to our public key; only the matching secret
 * key recovers the plaintext. Sealed boxes are authenticated, so a wrong key
 * and a tampered or truncated ciphertext are indistinguishable at this layer:
 * both make crypto_box_seal_open fail.
 *
 * @param string $source Sealed ciphertext, hex-encoded unless $raw is true
 * @param EncryptionSecretKey $privateKey Our encryption secret key
 * @param bool $raw Treat $source as raw bytes and skip hex decoding?
 * @return string The decrypted plaintext
 * @throws CryptoException\InvalidKey When the sealed box cannot be opened
 */
public static function unseal(string $source, EncryptionSecretKey $privateKey, bool $raw = false) : string
{
    // Hex is the default wire format; callers already holding raw bytes opt out via $raw
    $ciphertext = $raw ? $source : \Sodium\hex2bin($source);

    // crypto_box_seal_open expects a full keypair: derive the public half and pack both
    $rawSecret = $privateKey->getRawKeyMaterial();
    $derivedPublic = \Sodium\crypto_box_publickey_from_secretkey($rawSecret);
    $boxKeypair = \Sodium\crypto_box_keypair_from_secretkey_and_publickey($rawSecret, $derivedPublic);

    // The standalone copies are redundant once packed; scrub them before doing anything else
    \Sodium\memzero($rawSecret);
    \Sodium\memzero($derivedPublic);

    $plaintext = \Sodium\crypto_box_seal_open($ciphertext, $boxKeypair);

    // Wipe the keypair before branching so no key material lingers on the failure path either
    \Sodium\memzero($boxKeypair);

    if ($plaintext === false) {
        throw new CryptoException\InvalidKey('Incorrect secret key for this sealed message');
    }

    return $plaintext;
}