-- SPDX-FileCopyrightText: 2020 Serokell
--
-- SPDX-License-Identifier: MPL-2.0

-- | Public-key authenticated encryption.
--
-- It is best to import this module qualified:
--
-- @
-- import qualified NaCl.Box as Box
--
-- encrypted = Box.'create' pk sk nonce message
-- decrypted = Box.'open' pk sk nonce encrypted
-- @
--
-- This is @crypto_box_*@ from NaCl.
module NaCl.Box
  ( PublicKey
  , toPublicKey
  , SecretKey
  , toSecretKey
  , keypair

  , Nonce
  , toNonce

  , create
  , open
  ) where

import Data.ByteArray (ByteArray, ByteArrayAccess)
import System.IO.Unsafe (unsafePerformIO)

import NaCl.Box.Internal (Nonce, PublicKey, SecretKey, keypair, toNonce, toPublicKey, toSecretKey)

import qualified NaCl.Box.Internal as I


-- | Encrypt a message.
--
-- @
-- encrypted = Box.create pk sk nonce message
-- @
--
-- *   @pk@ is the receiver’s public key, used for encryption.
--     @sk@ is the sender’s secret key, used for authentication.
--
--     These are generated using 'keypair' and are supposed to be exchanged
--     in advance. Both parties need to know their own secret key and the other’s
--     public key.
--
-- *   @nonce@ is an extra noise that ensures that if you encrypt the same
--     message with the same key multiple times, you will get different ciphertexts,
--     which is required for
--     <https://en.wikipedia.org/wiki/Semantic_security semantic security>.
--     There are two standard ways of getting it:
--
--     1. /Use a counter/. In this case you keep a counter of encrypted messages,
--     which means that the nonce will be new for each new message.
--
--     2. /Random/. You generate a random nonce every time you encrypt a message.
--     Since the nonce is large enough, the chances of you using the same
--     nonce twice are negligible. For useful helpers, see @Crypto.Sodium.Random@,
--     in <https://hackage.haskell.org/package/crypto-sodium crypto-sodium>.
--
--     In either case, you need to be able to provide the same nonce when decrypting,
--     so you should be able to recover it by computation (e.g. in the case of
--     a counter) or you should store it alongside the encrypted data. The nonce
--     is not secret, so it is perfectly ok to store it in plaintext.
--
-- *   @message@ is the data you are encrypting.
--
-- This function adds authentication data, so if anyone modifies the cyphertext,
-- 'open' will refuse to decrypt it.
create
  ::  ( ByteArrayAccess pkBytes, ByteArrayAccess skBytes
      , ByteArrayAccess nonceBytes
      , ByteArrayAccess ptBytes, ByteArray ctBytes
      )
  => PublicKey pkBytes  -- ^ Receiver’s public key
  -> SecretKey skBytes  -- ^ Sender’s secret key
  -> Nonce nonceBytes  -- ^ Nonce
  -> ptBytes -- ^ Plaintext message
  -> ctBytes
create :: PublicKey pkBytes
-> SecretKey skBytes -> Nonce nonceBytes -> ptBytes -> ctBytes
create PublicKey pkBytes
pk SecretKey skBytes
sk Nonce nonceBytes
nonce ptBytes
msg =
  -- This IO is safe, because it is pure.
  IO ctBytes -> ctBytes
forall a. IO a -> a
unsafePerformIO (IO ctBytes -> ctBytes) -> IO ctBytes -> ctBytes
forall a b. (a -> b) -> a -> b
$ PublicKey pkBytes
-> SecretKey skBytes -> Nonce nonceBytes -> ptBytes -> IO ctBytes
forall pkBytes skBytes nonce pt ct.
(ByteArrayAccess pkBytes, ByteArrayAccess skBytes,
 ByteArrayAccess nonce, ByteArrayAccess pt, ByteArray ct) =>
PublicKey pkBytes
-> SecretKey skBytes -> Nonce nonce -> pt -> IO ct
I.create PublicKey pkBytes
pk SecretKey skBytes
sk Nonce nonceBytes
nonce ptBytes
msg


-- | Decrypt a message.
--
-- @
-- decrypted = Box.open sk pk nonce encrypted
-- @
--
-- * @sk@ is the receiver’s secret key, used for description.
-- * @pk@ is the sender’s public key, used for authentication.
-- * @nonce@ is the same that was used for encryption.
-- * @encrypted@ is the output of 'create'.
--
-- This function will return @Nothing@ if the encrypted message was tampered
-- with after it was encrypted.
open
  ::  ( ByteArrayAccess skBytes, ByteArrayAccess pkBytes
      , ByteArrayAccess nonceBytes
      , ByteArray ptBytes, ByteArrayAccess ctBytes
      )
  => SecretKey skBytes  -- ^ Receiver’s secret key
  -> PublicKey pkBytes  -- ^ Sender’s public key
  -> Nonce nonceBytes  -- ^ Nonce
  -> ctBytes -- ^ Encrypted message (cyphertext)
  -> Maybe ptBytes
open :: SecretKey skBytes
-> PublicKey pkBytes
-> Nonce nonceBytes
-> ctBytes
-> Maybe ptBytes
open SecretKey skBytes
sk PublicKey pkBytes
pk Nonce nonceBytes
nonce ctBytes
ct =
  -- This IO is safe, because it is pure.
  IO (Maybe ptBytes) -> Maybe ptBytes
forall a. IO a -> a
unsafePerformIO (IO (Maybe ptBytes) -> Maybe ptBytes)
-> IO (Maybe ptBytes) -> Maybe ptBytes
forall a b. (a -> b) -> a -> b
$ SecretKey skBytes
-> PublicKey pkBytes
-> Nonce nonceBytes
-> ctBytes
-> IO (Maybe ptBytes)
forall skBytes pkBytes nonce pt ct.
(ByteArrayAccess skBytes, ByteArrayAccess pkBytes,
 ByteArrayAccess nonce, ByteArray pt, ByteArrayAccess ct) =>
SecretKey skBytes
-> PublicKey pkBytes -> Nonce nonce -> ct -> IO (Maybe pt)
I.open SecretKey skBytes
sk PublicKey pkBytes
pk Nonce nonceBytes
nonce ctBytes
ct