libsodium-compatible sealed boxes
Sealed boxes are designed to anonymously send messages to a recipient given their public key. Only the recipient can decrypt these messages, using their private key. While the recipient can verify the integrity of the message, it cannot verify the identity of the sender.
A message is encrypted using an ephemeral key pair, whose secret part is destroyed right after the encryption process.
Length (in bytes) of a public key.
pub const public_length = 32Length (in bytes) of a secret key.
pub const secret_length = 32Seed (for key pair creation) length in bytes.
pub const seed_length = 32pub const seal_length = Box.public_length + Box.tag_lengthpub fn seal(c: []u8, m: []const u8, public_key: [public_length]u8) (WeakPublicKeyError || IdentityElementError)!voidEncrypt a message m for a recipient whose public key is public_key.
c must be seal_length bytes larger than m, so that the required metadata can be added.
pub fn seal(c: []u8, m: []const u8, public_key: [public_length]u8) (WeakPublicKeyError || IdentityElementError)!void {
debug.assert(c.len == m.len + seal_length);
var ekp = KeyPair.generate();
const nonce = createNonce(ekp.public_key, public_key);
c[0..public_length].* = ekp.public_key;
try Box.seal(c[Box.public_length..], m, nonce, public_key, ekp.secret_key);
crypto.secureZero(u8, ekp.secret_key[0..]);
}pub fn open(m: []u8, c: []const u8, keypair: KeyPair) (IdentityElementError || WeakPublicKeyError || AuthenticationError)!voidDecrypt a message using a key pair.
m must be exactly seal_length bytes smaller than c, as c also includes metadata.
pub fn open(m: []u8, c: []const u8, keypair: KeyPair) (IdentityElementError || WeakPublicKeyError || AuthenticationError)!void {
if (c.len < seal_length) {
return error.AuthenticationFailed;
}
const epk = c[0..public_length];
const nonce = createNonce(epk.*, keypair.public_key);
return Box.open(m, c[public_length..], nonce, epk.*, keypair.secret_key);
}pub const SealedBox = struct {
pub const public_length = Box.public_length;
pub const secret_length = Box.secret_length;
pub const seed_length = Box.seed_length;
pub const seal_length = Box.public_length + Box.tag_length;
/// A key pair.
pub const KeyPair = Box.KeyPair;
fn createNonce(pk1: [public_length]u8, pk2: [public_length]u8) [Box.nonce_length]u8 {
var hasher = Blake2b(Box.nonce_length * 8).init(.{});
hasher.update(&pk1);
hasher.update(&pk2);
var nonce: [Box.nonce_length]u8 = undefined;
hasher.final(&nonce);
return nonce;
}
/// Encrypt a message `m` for a recipient whose public key is `public_key`.
/// `c` must be `seal_length` bytes larger than `m`, so that the required metadata can be added.
pub fn seal(c: []u8, m: []const u8, public_key: [public_length]u8) (WeakPublicKeyError || IdentityElementError)!void {
debug.assert(c.len == m.len + seal_length);
var ekp = KeyPair.generate();
const nonce = createNonce(ekp.public_key, public_key);
c[0..public_length].* = ekp.public_key;
try Box.seal(c[Box.public_length..], m, nonce, public_key, ekp.secret_key);
crypto.secureZero(u8, ekp.secret_key[0..]);
}
/// Decrypt a message using a key pair.
/// `m` must be exactly `seal_length` bytes smaller than `c`, as `c` also includes metadata.
pub fn open(m: []u8, c: []const u8, keypair: KeyPair) (IdentityElementError || WeakPublicKeyError || AuthenticationError)!void {
if (c.len < seal_length) {
return error.AuthenticationFailed;
}
const epk = c[0..public_length];
const nonce = createNonce(epk.*, keypair.public_key);
return Box.open(m, c[public_length..], nonce, epk.*, keypair.secret_key);
}
}