package cybersecurity

import (
	"crypto/ed25519"
	"crypto/rand"

	"golang.org/x/crypto/nacl/box"
)

// Identity bundles the two keypairs a messaging participant needs:
// an Ed25519 pair for signatures and an X25519 pair for key exchange.
//
// SignPriv and KexPriv are secret key material held in ordinary byte
// slices. Nothing in this type restricts copying, printing or
// serialising them, so callers have to keep those two fields out of
// logs, error messages and any encoding that leaves the process.
type Identity struct {
	// SignPub is the Ed25519 public key (32 bytes).
	SignPub []byte
	// SignPriv is the Ed25519 private key (64 bytes). Secret.
	SignPriv []byte
	// KexPub is the X25519 public key (32 bytes).
	KexPub []byte
	// KexPriv is the X25519 private key (32 bytes). Secret.
	KexPriv []byte
}

// GenerateIdentity returns an Identity populated with a new Ed25519
// signing keypair and a new X25519 key-exchange keypair, both drawn
// from crypto/rand.Reader.
//
// If either generator fails, its error is returned unchanged together
// with a zero Identity, so no partially filled key set reaches the
// caller.
func GenerateIdentity() (Identity, error) {
	// Signing keys come first; the order of the two reads from
	// rand.Reader is kept as Ed25519, then X25519.
	edPublic, edPrivate, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}

	// box.GenerateKey yields Curve25519 keys as *[32]byte values.
	xPublic, xPrivate, err := box.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}

	// The slices below share storage with the values returned by the
	// generators; no extra copies of the private keys are made here.
	var id Identity
	id.SignPub = []byte(edPublic)
	id.SignPriv = []byte(edPrivate)
	id.KexPub = xPublic[:]
	id.KexPriv = xPrivate[:]
	return id, nil
}