//! Public-key cryptography for Tor.

//!

//! In old places, Tor uses RSA; newer Tor public-key cryptography is

//! based on curve25519 and ed25519.

pub mod ed25519;

pub mod keymanip;

pub mod rsa;

/// Re-exporting Curve25519 implementations.

///

/// *TODO*: Eventually we should probably recommend using this code via some

/// key-agreement trait, but for now we are just re-using the APIs from

/// [`x25519_dalek`].

pub mod curve25519 {

    use educe::Educe;

    use crate::util::rng::RngCompat;

    /// A keypair containing a [`StaticSecret`] and its corresponding public key.

    #[allow(clippy::exhaustive_structs)]

    #[educe(Debug)]

    pub struct StaticKeypair {

        /// The secret part of the key.

        #[educe(Debug(ignore))]

        pub secret: StaticSecret,

        /// The public part of this key.

        pub public: PublicKey,

    }

    /// A curve25519 secret key that can only be used once,

    /// and that can never be inspected.

    ///

    /// See [`x25519_dalek::EphemeralSecret`] for more information.

    pub struct EphemeralSecret(x25519_dalek::EphemeralSecret);

    /// A curve25519 secret key that can be used more than once,

    /// and whose value can be inspected.

    ///

    /// See [`x25519_dalek::StaticSecret`] for more information.

    //

    // TODO: We may want eventually want to expose ReusableSecret instead of

    // StaticSecret, for use in places where we need to use a single secret

    // twice in one handshake, but we do not need that secret to be persistent.

    //

    // The trouble here is that if we use ReusableSecret in these cases, we

    // cannot easily construct it for testing purposes.  We could in theory

    // kludge something together using a fake Rng, but that might be more

    // trouble than we want to go looking for.

    #[derive(Clone)]

    pub struct StaticSecret(x25519_dalek::StaticSecret);

    /// A curve15519 public key.

    ///

    /// See [`x25519_dalek::PublicKey`] for more information.

    #[derive(Clone, Copy, Debug, Eq, PartialEq)]

    pub struct PublicKey(x25519_dalek::PublicKey);

    /// A shared secret negotiated using curve25519.

    ///

    /// See [`x25519_dalek::SharedSecret`] for more information

    pub struct SharedSecret(x25519_dalek::SharedSecret);

    impl<'a> From<&'a EphemeralSecret> for PublicKey {

    }

    impl<'a> From<&'a StaticSecret> for PublicKey {

    }

    impl From<[u8; 32]> for StaticSecret {

    }

    impl From<[u8; 32]> for PublicKey {

    }

    impl EphemeralSecret {

        /// Return a new random ephemeral secret key.

        /// Negotiate a shared secret using this secret key and a public key.

    }

    impl StaticSecret {

        /// Return a new random static secret key.

        /// Negotiate a shared secret using this secret key and a public key.

        /// Return the bytes that represent this key.

    }

    impl SharedSecret {

        /// Return the shared secret as an array of bytes.

        /// Return true if both keys contributed to this shared secret.

        ///

        /// See [`x25519_dalek::SharedSecret::was_contributory`] for more information.

    }

    impl PublicKey {

        /// Return this public key as a reference to an array of bytes.

        /// Return this public key as an array of bytes.

    }

}

/// A type for a validatable signature.

///

/// It necessarily includes the signature, the public key, and (a hash

/// of?) the document being checked.

///

/// Having this trait enables us to write code for checking a large number

/// of validatable signatures in a way that permits batch signatures for

/// Ed25519.

///

/// To be used with [`validate_all_sigs`].

pub trait ValidatableSignature {

    /// Check whether this signature is a correct signature for the document.

    fn is_valid(&self) -> bool;

    /// Return this value as a validatable Ed25519 signature, if it is one.

}

/// Check whether all of the signatures in this Vec are valid.

///

/// Return `true` if every signature is valid; return `false` if even

/// one is invalid.

///

/// This function should typically give the same result as just

/// calling `v.iter().all(ValidatableSignature::is_valid))`, while taking

/// advantage of batch verification to whatever extent possible.

///

/// (See [`ed25519::validate_batch`] for caveats.)

        }

    }

    // Find out if the ed25519 batch is valid.

#[cfg(test)]

mod test {

    // @@ begin test lint list maintained by maint/add_warning @@

    #![allow(clippy::bool_assert_comparison)]

    #![allow(clippy::clone_on_copy)]

    #![allow(clippy::dbg_macro)]

    #![allow(clippy::mixed_attributes_style)]

    #![allow(clippy::print_stderr)]

    #![allow(clippy::print_stdout)]

    #![allow(clippy::single_char_pattern)]

    #![allow(clippy::unwrap_used)]

    #![allow(clippy::unchecked_duration_subtraction)]

    #![allow(clippy::useless_vec)]

    #![allow(clippy::needless_pass_by_value)]

    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->

    #[test]

    fn validatable_ed_sig() {

        use super::ed25519::{PublicKey, Signature, ValidatableEd25519Signature};

        use super::ValidatableSignature;

        use hex_literal::hex;

        let pk = PublicKey::from_bytes(&hex!(

            "fc51cd8e6218a1a38da47ed00230f058

             0816ed13ba3303ac5deb911548908025"

        ))

        .unwrap();

        let sig: Signature = hex!(

            "6291d657deec24024827e69c3abe01a3

             0ce548a284743a445e3680d7db5ac3ac

             18ff9b538d16f290ae67f760984dc659

             4a7c15e9716ed28dc027beceea1ec40a"

        )

        .into();

        let valid = ValidatableEd25519Signature::new(pk, sig, &hex!("af82"));

        let invalid = ValidatableEd25519Signature::new(pk, sig, &hex!("af83"));

        assert!(valid.is_valid());

        assert!(!invalid.is_valid());

    }

}