var sjcl = require('./sjcl');
var RNCryptor = {};
/*
    Takes password string and salt WordArray
    Returns key bitArray
*/
RNCryptor.KeyForPassword = function (password, salt) {
    var hmacSHA1 = function (key) {
        var hasher = new sjcl.misc.hmac(key, sjcl.hash.sha1);
        this.encrypt = function () {
            return hasher.encrypt.apply(hasher, arguments);
        };
    };
    return sjcl.misc.pbkdf2(password, salt, 10000, 32 * 8, hmacSHA1);
};
/*
  Takes password string and plaintext base64
  options:
    iv
    encryption_salt
    html_salt
  Returns ciphertext base64
*/
RNCryptor.Encrypt = function (password, plaintextBase64, options) {
    var plaintext = sjcl.codec.base64.toBits(plaintextBase64);
    options = options || {};
    var encryption_salt = options["encryption_salt"] || sjcl.random.randomWords(8 / 4); // FIXME: Need to seed PRNG
    var encryption_key = RNCryptor.KeyForPassword(password, encryption_salt);
    var hmac_salt = options["hmac_salt"] || sjcl.random.randomWords(8 / 4);
    var hmac_key = RNCryptor.KeyForPassword(password, hmac_salt);
    var iv = options["iv"] || sjcl.random.randomWords(16 / 4);
    var version = sjcl.codec.hex.toBits("03");
    var options = sjcl.codec.hex.toBits("01");
    var message = sjcl.bitArray.concat(version, options);
    message = sjcl.bitArray.concat(message, encryption_salt);
    message = sjcl.bitArray.concat(message, hmac_salt);
    message = sjcl.bitArray.concat(message, iv);
    var aes = new sjcl.cipher.aes(encryption_key);
    sjcl.beware["CBC mode is dangerous because it doesn't protect message integrity."]();
    var encrypted = sjcl.mode.cbc.encrypt(aes, plaintext, iv);
    message = sjcl.bitArray.concat(message, encrypted);
    var hmac = new sjcl.misc.hmac(hmac_key).encrypt(message);
    message = sjcl.bitArray.concat(message, hmac);
    return sjcl.codec.base64.fromBits(message);
};
/*
  Takes password string and message (ciphertext) base64
  options:
    iv
    encryption_salt
    html_salt
  Returns plaintext base64
*/
RNCryptor.Decrypt = function (password, messageBase64, options) {
    var message = sjcl.codec.base64.toBits(messageBase64);
    options = options || {};
    var version = sjcl.bitArray.extract(message, 0 * 8, 8);
    var options = sjcl.bitArray.extract(message, 1 * 8, 8);
    var encryption_salt = sjcl.bitArray.bitSlice(message, 2 * 8, 10 * 8);
    var encryption_key = RNCryptor.KeyForPassword(password, encryption_salt);
    var hmac_salt = sjcl.bitArray.bitSlice(message, 10 * 8, 18 * 8);
    var hmac_key = RNCryptor.KeyForPassword(password, hmac_salt);
    var iv = sjcl.bitArray.bitSlice(message, 18 * 8, 34 * 8);
    var ciphertext_end = sjcl.bitArray.bitLength(message) - (32 * 8);
    var ciphertext = sjcl.bitArray.bitSlice(message, 34 * 8, ciphertext_end);
    var hmac = sjcl.bitArray.bitSlice(message, ciphertext_end);
    var expected_hmac = new sjcl.misc.hmac(hmac_key).encrypt(sjcl.bitArray.bitSlice(message, 0, ciphertext_end));
    // .equal is of consistent time
    if (!sjcl.bitArray.equal(hmac, expected_hmac)) {
        throw new sjcl.exception.corrupt("HMAC mismatch or bad password.");
    }
    var aes = new sjcl.cipher.aes(encryption_key);
    sjcl.beware["CBC mode is dangerous because it doesn't protect message integrity."]();
    var decrypted = sjcl.mode.cbc.decrypt(aes, ciphertext, iv);
    return sjcl.codec.base64.fromBits(decrypted);
};
module.exports = RNCryptor;
//# sourceMappingURL=rncryptor.js.map