-- |
-- Module      : Crypto.PubKey.Ed448
-- License     : BSD-style
-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>
-- Stability   : experimental
-- Portability : unknown
--
-- Ed448 support
--
-- Internally uses Decaf point compression to omit the cofactor
-- and implementation by Mike Hamburg.  Externally API and
-- data types are compatible with the encoding specified in RFC 8032.
--
{-# LANGUAGE BangPatterns               #-}
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
module Crypto.PubKey.Ed448
    ( SecretKey
    , PublicKey
    , Signature
    -- * Size constants
    , publicKeySize
    , secretKeySize
    , signatureSize
    -- * Smart constructors
    , signature
    , publicKey
    , secretKey
    -- * Methods
    , toPublic
    , sign
    , verify
    , generateSecretKey
    ) where

import           Data.Word
import           Foreign.C.Types
import           Foreign.Ptr

import           Crypto.Error
import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes,
                                            ScrubbedBytes, withByteArray)
import qualified Crypto.Internal.ByteArray as B
import           Crypto.Internal.Compat
import           Crypto.Internal.Imports
import           Crypto.Random

-- | An Ed448 Secret key
newtype SecretKey = SecretKey ScrubbedBytes
    deriving (Int -> SecretKey -> ShowS
[SecretKey] -> ShowS
SecretKey -> String
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [SecretKey] -> ShowS
$cshowList :: [SecretKey] -> ShowS
show :: SecretKey -> String
$cshow :: SecretKey -> String
showsPrec :: Int -> SecretKey -> ShowS
$cshowsPrec :: Int -> SecretKey -> ShowS
Show,SecretKey -> SecretKey -> Bool
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: SecretKey -> SecretKey -> Bool
$c/= :: SecretKey -> SecretKey -> Bool
== :: SecretKey -> SecretKey -> Bool
$c== :: SecretKey -> SecretKey -> Bool
Eq,SecretKey -> Int
forall p. SecretKey -> Ptr p -> IO ()
forall ba.
(ba -> Int)
-> (forall p a. ba -> (Ptr p -> IO a) -> IO a)
-> (forall p. ba -> Ptr p -> IO ())
-> ByteArrayAccess ba
forall p a. SecretKey -> (Ptr p -> IO a) -> IO a
copyByteArrayToPtr :: forall p. SecretKey -> Ptr p -> IO ()
$ccopyByteArrayToPtr :: forall p. SecretKey -> Ptr p -> IO ()
withByteArray :: forall p a. SecretKey -> (Ptr p -> IO a) -> IO a
$cwithByteArray :: forall p a. SecretKey -> (Ptr p -> IO a) -> IO a
length :: SecretKey -> Int
$clength :: SecretKey -> Int
ByteArrayAccess,SecretKey -> ()
forall a. (a -> ()) -> NFData a
rnf :: SecretKey -> ()
$crnf :: SecretKey -> ()
NFData)

-- | An Ed448 public key
newtype PublicKey = PublicKey Bytes
    deriving (Int -> PublicKey -> ShowS
[PublicKey] -> ShowS
PublicKey -> String
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [PublicKey] -> ShowS
$cshowList :: [PublicKey] -> ShowS
show :: PublicKey -> String
$cshow :: PublicKey -> String
showsPrec :: Int -> PublicKey -> ShowS
$cshowsPrec :: Int -> PublicKey -> ShowS
Show,PublicKey -> PublicKey -> Bool
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: PublicKey -> PublicKey -> Bool
$c/= :: PublicKey -> PublicKey -> Bool
== :: PublicKey -> PublicKey -> Bool
$c== :: PublicKey -> PublicKey -> Bool
Eq,PublicKey -> Int
forall p. PublicKey -> Ptr p -> IO ()
forall ba.
(ba -> Int)
-> (forall p a. ba -> (Ptr p -> IO a) -> IO a)
-> (forall p. ba -> Ptr p -> IO ())
-> ByteArrayAccess ba
forall p a. PublicKey -> (Ptr p -> IO a) -> IO a
copyByteArrayToPtr :: forall p. PublicKey -> Ptr p -> IO ()
$ccopyByteArrayToPtr :: forall p. PublicKey -> Ptr p -> IO ()
withByteArray :: forall p a. PublicKey -> (Ptr p -> IO a) -> IO a
$cwithByteArray :: forall p a. PublicKey -> (Ptr p -> IO a) -> IO a
length :: PublicKey -> Int
$clength :: PublicKey -> Int
ByteArrayAccess,PublicKey -> ()
forall a. (a -> ()) -> NFData a
rnf :: PublicKey -> ()
$crnf :: PublicKey -> ()
NFData)

-- | An Ed448 signature
newtype Signature = Signature Bytes
    deriving (Int -> Signature -> ShowS
[Signature] -> ShowS
Signature -> String
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [Signature] -> ShowS
$cshowList :: [Signature] -> ShowS
show :: Signature -> String
$cshow :: Signature -> String
showsPrec :: Int -> Signature -> ShowS
$cshowsPrec :: Int -> Signature -> ShowS
Show,Signature -> Signature -> Bool
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: Signature -> Signature -> Bool
$c/= :: Signature -> Signature -> Bool
== :: Signature -> Signature -> Bool
$c== :: Signature -> Signature -> Bool
Eq,Signature -> Int
forall p. Signature -> Ptr p -> IO ()
forall ba.
(ba -> Int)
-> (forall p a. ba -> (Ptr p -> IO a) -> IO a)
-> (forall p. ba -> Ptr p -> IO ())
-> ByteArrayAccess ba
forall p a. Signature -> (Ptr p -> IO a) -> IO a
copyByteArrayToPtr :: forall p. Signature -> Ptr p -> IO ()
$ccopyByteArrayToPtr :: forall p. Signature -> Ptr p -> IO ()
withByteArray :: forall p a. Signature -> (Ptr p -> IO a) -> IO a
$cwithByteArray :: forall p a. Signature -> (Ptr p -> IO a) -> IO a
length :: Signature -> Int
$clength :: Signature -> Int
ByteArrayAccess,Signature -> ()
forall a. (a -> ()) -> NFData a
rnf :: Signature -> ()
$crnf :: Signature -> ()
NFData)

-- | Try to build a public key from a bytearray
publicKey :: ByteArrayAccess ba => ba -> CryptoFailable PublicKey
publicKey :: forall ba. ByteArrayAccess ba => ba -> CryptoFailable PublicKey
publicKey ba
bs
    | forall ba. ByteArrayAccess ba => ba -> Int
B.length ba
bs forall a. Eq a => a -> a -> Bool
== Int
publicKeySize =
        forall a. a -> CryptoFailable a
CryptoPassed forall a b. (a -> b) -> a -> b
$ Bytes -> PublicKey
PublicKey forall a b. (a -> b) -> a -> b
$ forall bs1 bs2 p.
(ByteArrayAccess bs1, ByteArray bs2) =>
bs1 -> (Ptr p -> IO ()) -> bs2
B.copyAndFreeze ba
bs (\Ptr Any
_ -> forall (m :: * -> *) a. Monad m => a -> m a
return ())
    | Bool
otherwise =
        forall a. CryptoError -> CryptoFailable a
CryptoFailed forall a b. (a -> b) -> a -> b
$ CryptoError
CryptoError_PublicKeySizeInvalid

-- | Try to build a secret key from a bytearray
secretKey :: ByteArrayAccess ba => ba -> CryptoFailable SecretKey
secretKey :: forall ba. ByteArrayAccess ba => ba -> CryptoFailable SecretKey
secretKey ba
bs
    | forall ba. ByteArrayAccess ba => ba -> Int
B.length ba
bs forall a. Eq a => a -> a -> Bool
== Int
secretKeySize = forall a. IO a -> a
unsafeDoIO forall a b. (a -> b) -> a -> b
$ forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray ba
bs forall {p}. p -> IO (CryptoFailable SecretKey)
initialize
    | Bool
otherwise                    = forall a. CryptoError -> CryptoFailable a
CryptoFailed CryptoError
CryptoError_SecretKeyStructureInvalid
  where
        initialize :: p -> IO (CryptoFailable SecretKey)
initialize p
inp = do
            Bool
valid <- forall {m :: * -> *} {p}. Monad m => p -> m Bool
isValidPtr p
inp
            if Bool
valid
                then (forall a. a -> CryptoFailable a
CryptoPassed forall b c a. (b -> c) -> (a -> b) -> a -> c
. ScrubbedBytes -> SecretKey
SecretKey) forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
<$> forall bs1 bs2 p.
(ByteArrayAccess bs1, ByteArray bs2) =>
bs1 -> (Ptr p -> IO ()) -> IO bs2
B.copy ba
bs (\Ptr Any
_ -> forall (m :: * -> *) a. Monad m => a -> m a
return ())
                else forall (m :: * -> *) a. Monad m => a -> m a
return forall a b. (a -> b) -> a -> b
$ forall a. CryptoError -> CryptoFailable a
CryptoFailed CryptoError
CryptoError_SecretKeyStructureInvalid
        isValidPtr :: p -> m Bool
isValidPtr p
_ =
            forall (m :: * -> *) a. Monad m => a -> m a
return Bool
True
{-# NOINLINE secretKey #-}

-- | Try to build a signature from a bytearray
signature :: ByteArrayAccess ba => ba -> CryptoFailable Signature
signature :: forall ba. ByteArrayAccess ba => ba -> CryptoFailable Signature
signature ba
bs
    | forall ba. ByteArrayAccess ba => ba -> Int
B.length ba
bs forall a. Eq a => a -> a -> Bool
== Int
signatureSize =
        forall a. a -> CryptoFailable a
CryptoPassed forall a b. (a -> b) -> a -> b
$ Bytes -> Signature
Signature forall a b. (a -> b) -> a -> b
$ forall bs1 bs2 p.
(ByteArrayAccess bs1, ByteArray bs2) =>
bs1 -> (Ptr p -> IO ()) -> bs2
B.copyAndFreeze ba
bs (\Ptr Any
_ -> forall (m :: * -> *) a. Monad m => a -> m a
return ())
    | Bool
otherwise =
        forall a. CryptoError -> CryptoFailable a
CryptoFailed CryptoError
CryptoError_SecretKeyStructureInvalid

-- | Create a public key from a secret key
toPublic :: SecretKey -> PublicKey
toPublic :: SecretKey -> PublicKey
toPublic (SecretKey ScrubbedBytes
sec) = Bytes -> PublicKey
PublicKey forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
<$>
    forall a p. ByteArray a => Int -> (Ptr p -> IO ()) -> a
B.allocAndFreeze Int
publicKeySize forall a b. (a -> b) -> a -> b
$ \Ptr PublicKey
result ->
    forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray ScrubbedBytes
sec              forall a b. (a -> b) -> a -> b
$ \Ptr SecretKey
psec   ->
        Ptr PublicKey -> Ptr SecretKey -> IO ()
decaf_ed448_derive_public_key Ptr PublicKey
result Ptr SecretKey
psec
{-# NOINLINE toPublic #-}

-- | Sign a message using the key pair
sign :: ByteArrayAccess ba => SecretKey -> PublicKey -> ba -> Signature
sign :: forall ba.
ByteArrayAccess ba =>
SecretKey -> PublicKey -> ba -> Signature
sign SecretKey
secret PublicKey
public ba
message =
    Bytes -> Signature
Signature forall a b. (a -> b) -> a -> b
$ forall a p. ByteArray a => Int -> (Ptr p -> IO ()) -> a
B.allocAndFreeze Int
signatureSize forall a b. (a -> b) -> a -> b
$ \Ptr Signature
sig ->
        forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray SecretKey
secret  forall a b. (a -> b) -> a -> b
$ \Ptr SecretKey
sec ->
        forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray PublicKey
public  forall a b. (a -> b) -> a -> b
$ \Ptr PublicKey
pub ->
        forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray ba
message forall a b. (a -> b) -> a -> b
$ \Ptr Word8
msg ->
             Ptr Signature
-> Ptr SecretKey
-> Ptr PublicKey
-> Ptr Word8
-> CSize
-> Word8
-> Ptr Word8
-> Word8
-> IO ()
decaf_ed448_sign Ptr Signature
sig Ptr SecretKey
sec Ptr PublicKey
pub Ptr Word8
msg (forall a b. (Integral a, Num b) => a -> b
fromIntegral Int
msgLen) Word8
0 Ptr Word8
no_context Word8
0
  where
    !msgLen :: Int
msgLen = forall ba. ByteArrayAccess ba => ba -> Int
B.length ba
message

-- | Verify a message
verify :: ByteArrayAccess ba => PublicKey -> ba -> Signature -> Bool
verify :: forall ba.
ByteArrayAccess ba =>
PublicKey -> ba -> Signature -> Bool
verify PublicKey
public ba
message Signature
signatureVal = forall a. IO a -> a
unsafeDoIO forall a b. (a -> b) -> a -> b
$
    forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray Signature
signatureVal forall a b. (a -> b) -> a -> b
$ \Ptr Signature
sig ->
    forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray PublicKey
public       forall a b. (a -> b) -> a -> b
$ \Ptr PublicKey
pub ->
    forall ba p a. ByteArrayAccess ba => ba -> (Ptr p -> IO a) -> IO a
withByteArray ba
message      forall a b. (a -> b) -> a -> b
$ \Ptr Word8
msg -> do
      CInt
r <- Ptr Signature
-> Ptr PublicKey
-> Ptr Word8
-> CSize
-> Word8
-> Ptr Word8
-> Word8
-> IO CInt
decaf_ed448_verify Ptr Signature
sig Ptr PublicKey
pub Ptr Word8
msg (forall a b. (Integral a, Num b) => a -> b
fromIntegral Int
msgLen) Word8
0 Ptr Word8
no_context Word8
0
      forall (m :: * -> *) a. Monad m => a -> m a
return (CInt
r forall a. Eq a => a -> a -> Bool
/= CInt
0)
  where
    !msgLen :: Int
msgLen = forall ba. ByteArrayAccess ba => ba -> Int
B.length ba
message

-- | Generate a secret key
generateSecretKey :: MonadRandom m => m SecretKey
generateSecretKey :: forall (m :: * -> *). MonadRandom m => m SecretKey
generateSecretKey = ScrubbedBytes -> SecretKey
SecretKey forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
<$> forall (m :: * -> *) byteArray.
(MonadRandom m, ByteArray byteArray) =>
Int -> m byteArray
getRandomBytes Int
secretKeySize

-- | A public key is 57 bytes
publicKeySize :: Int
publicKeySize :: Int
publicKeySize = Int
57

-- | A secret key is 57 bytes
secretKeySize :: Int
secretKeySize :: Int
secretKeySize = Int
57

-- | A signature is 114 bytes
signatureSize :: Int
signatureSize :: Int
signatureSize = Int
114

no_context :: Ptr Word8
no_context :: Ptr Word8
no_context = forall a. Ptr a
nullPtr -- not supported yet

foreign import ccall "cryptonite_decaf_ed448_derive_public_key"
    decaf_ed448_derive_public_key :: Ptr PublicKey -- public key
                                  -> Ptr SecretKey -- secret key
                                  -> IO ()

foreign import ccall "cryptonite_decaf_ed448_sign"
    decaf_ed448_sign :: Ptr Signature -- signature
                     -> Ptr SecretKey -- secret
                     -> Ptr PublicKey -- public
                     -> Ptr Word8     -- message
                     -> CSize         -- message len
                     -> Word8         -- prehashed
                     -> Ptr Word8     -- context
                     -> Word8         -- context len
                     -> IO ()

foreign import ccall "cryptonite_decaf_ed448_verify"
    decaf_ed448_verify :: Ptr Signature -- signature
                       -> Ptr PublicKey -- public
                       -> Ptr Word8     -- message
                       -> CSize         -- message len
                       -> Word8         -- prehashed
                       -> Ptr Word8     -- context
                       -> Word8         -- context len
                       -> IO CInt