encrypt method

PqEnvelope encrypt(
  Uint8List recipientPublicKey,
  Uint8List plaintext, {
  PqForgeProfile? profile,
  Uint8List? aad,
  Map<String, Object?> metadata = const {},
  Uint8List? signerSecretKey,
  PqSignatureAlgorithm? signatureAlgorithm,
  String? signerKeyId,
})

Implementation

/// Seals [plaintext] for the holder of [recipientPublicKey] and returns the
/// assembled [PqEnvelope].
///
/// [profile] overrides this instance's profile for a single call. The
/// signer arguments ([signerSecretKey], [signatureAlgorithm], [signerKeyId])
/// are forwarded untouched to `assembleSealedEnvelope`; this method does not
/// inspect them.
///
/// Associated data: when [aad] is null the KEM ciphertext is used as the
/// AES-GCM associated data. When the caller supplies [aad], only that value
/// is passed as associated data, and the KEM ciphertext is tied to the
/// payload only through `_kemDemKey`, which receives it as an input.
///
/// [metadata] is validated but is not an input to the AES-GCM call, so the
/// GCM tag produced here does not cover it.
/// NOTE(review): whether metadata is integrity-protected depends on
/// `assembleSealedEnvelope` (for example via the optional signature);
/// confirm before treating metadata fields as trusted on the decrypt side.
PqEnvelope encrypt(
  Uint8List recipientPublicKey,
  Uint8List plaintext, {
  PqForgeProfile? profile,
  Uint8List? aad,
  Map<String, Object?> metadata = const {},
  Uint8List? signerSecretKey,
  PqSignatureAlgorithm? signatureAlgorithm,
  String? signerKeyId,
}) {
  final activeProfile = profile ?? this.profile;

  // Validate caller metadata before any key material is produced. Reserved
  // markers (hybridKex, aeadSuite, recipients…) belong to the async/streaming
  // paths that implement those features; refusing them here stops a sync
  // envelope from passing itself off as one of those.
  requireWritableEnvelopeMetadata(metadata);

  // KEM step: yields a shared secret plus the ciphertext the recipient needs
  // to recover it.
  final kemResult = PqKemPrimitives.encapsulate(
    activeProfile.kem,
    recipientPublicKey,
  );
  final kemCiphertext = kemResult.ciphertext;

  // The content key is derived from the profile, the shared secret and the
  // KEM ciphertext, so it is specific to this encapsulation.
  final contentKey = _kemDemKey(
    activeProfile,
    kemResult.sharedSecret,
    kemCiphertext,
  );

  // NOTE(review): presumably PqBytes.randomBytes draws from a CSPRNG; GCM
  // nonce uniqueness under contentKey relies on that. Confirm.
  final freshNonce = PqBytes.randomBytes(pqForgeDefaultAeadNonceBytes);

  // Fall back to the KEM ciphertext when the caller gave no associated data.
  final associatedData = aad ?? kemCiphertext;
  final sealedPayload = PqSymmetricPrimitives.aesGcmEncrypt(
    key: contentKey,
    nonce: freshNonce,
    plaintext: plaintext,
    aad: associatedData,
  );

  // The caller's original `aad` (possibly null) is handed on, not the
  // effective associated data computed above.
  return assembleSealedEnvelope(
    profile: activeProfile,
    kemCiphertext: kemCiphertext,
    nonce: freshNonce,
    payload: sealedPayload,
    aad: aad,
    metadata: metadata,
    signerSecretKey: signerSecretKey,
    signatureAlgorithm: signatureAlgorithm,
    signerKeyId: signerKeyId,
  );
}