Composer/CoreLibs-Composer-All
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

CoreLibs add Security\SymmetricEncryption

Browse Source
This commit is contained in:
Clemens Schwaighofer
2023-05-24 16:00:49 +09:00
parent b16ff4c613
commit c010673705
9 changed files with 424 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/ACL/Login.php
View File

@@ -68,7 +68,7 @@ declare(strict_types=1);
namespace CoreLibs\ACL; namespace CoreLibs\ACL;
use CoreLibs\Check\Password; use CoreLibs\Security\Password;
use CoreLibs\Convert\Json; use CoreLibs\Convert\Json;
class Login class Login

6
src/Basic.php
View File

@@ -1164,7 +1164,7 @@ class Basic
public function passwordSet(string $password): string public function passwordSet(string $password): string
{ {
trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordSet()', E_USER_DEPRECATED); trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordSet()', E_USER_DEPRECATED);
return \CoreLibs\Check\Password::passwordSet($password); return \CoreLibs\Security\Password::passwordSet($password);
} }
/** /**
@@ -1177,7 +1177,7 @@ class Basic
public function passwordVerify(string $password, string $hash): bool public function passwordVerify(string $password, string $hash): bool
{ {
trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordVerify()', E_USER_DEPRECATED); trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordVerify()', E_USER_DEPRECATED);
return \CoreLibs\Check\Password::passwordVerify($password, $hash); return \CoreLibs\Security\Password::passwordVerify($password, $hash);
} }
/** /**
@@ -1189,7 +1189,7 @@ class Basic
public function passwordRehashCheck(string $hash): bool public function passwordRehashCheck(string $hash): bool
{ {
trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordRehashCheck()', E_USER_DEPRECATED); trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordRehashCheck()', E_USER_DEPRECATED);
return \CoreLibs\Check\Password::passwordRehashCheck($hash); return \CoreLibs\Security\Password::passwordRehashCheck($hash);
} }
// *** BETTER PASSWORD OPTIONS END *** // *** BETTER PASSWORD OPTIONS END ***

39
src/Check/Password.php
View File

@@ -1,6 +1,8 @@
<?php <?php
/* /*
* NOTE: this is deprecated and all moved \CoreLibs\Security\Password
*
* core password set, check and rehash check wrapper functions * core password set, check and rehash check wrapper functions
*/ */
@@ -8,6 +10,8 @@ declare(strict_types=1);
namespace CoreLibs\Check; namespace CoreLibs\Check;
use CoreLibs\Security\Password as PasswordNew;
class Password class Password
{ {
/** /**
@@ -15,13 +19,16 @@ class Password
* *
* @param string $password password * @param string $password password
* @return string hashed password * @return string hashed password
* @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordSet
*/ */
public static function passwordSet(string $password): string public static function passwordSet(string $password): string
{ {
// always use the PHP default for the password trigger_error(
// password options ca be set in the password init, 'Method ' . __METHOD__ . ' is deprecated, use '
// but should be kept as default . '\CoreLibs\Security\Password::passwordSet',
return password_hash($password, PASSWORD_DEFAULT); E_USER_DEPRECATED
);
return PasswordNew::passwordSet($password);
} }
/** /**
@@ -30,14 +37,16 @@ class Password
* @param string $password password * @param string $password password
* @param string $hash password hash * @param string $hash password hash
* @return bool true or false * @return bool true or false
* @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordVerify
*/ */
public static function passwordVerify(string $password, string $hash): bool public static function passwordVerify(string $password, string $hash): bool
{ {
if (password_verify($password, $hash)) { trigger_error(
return true; 'Method ' . __METHOD__ . ' is deprecated, use '
} else { . '\CoreLibs\Security\Password::passwordVerify',
return false; E_USER_DEPRECATED
} );
return PasswordNew::passwordVerify($password, $hash);
} }
/** /**
@@ -45,14 +54,16 @@ class Password
* *
* @param string $hash password hash * @param string $hash password hash
* @return bool true or false * @return bool true or false
* @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordRehashCheck
*/ */
public static function passwordRehashCheck(string $hash): bool public static function passwordRehashCheck(string $hash): bool
{ {
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) { trigger_error(
return true; 'Method ' . __METHOD__ . ' is deprecated, use '
} else { . '\CoreLibs\Security\Password::passwordRehashCheck',
return false; E_USER_DEPRECATED
} );
return PasswordNew::passwordRehashCheck($hash);
} }
} }

2
src/Output/Form/Generate.php
View File

@@ -1954,7 +1954,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
if ($this->table_array[$key]['value']) { if ($this->table_array[$key]['value']) {
// use the better new passwordSet instead of crypt based // use the better new passwordSet instead of crypt based
$this->table_array[$key]['value'] = $this->table_array[$key]['value'] =
\CoreLibs\Check\Password::passwordSet($this->table_array[$key]['value']); \CoreLibs\Security\Password::passwordSet($this->table_array[$key]['value']);
$this->table_array[$key]['HIDDEN_value'] = $this->table_array[$key]['value']; $this->table_array[$key]['HIDDEN_value'] = $this->table_array[$key]['value'];
} else { } else {
// $this->table_array[$key]['HIDDEN_value'] = // $this->table_array[$key]['HIDDEN_value'] =

61
src/Security/CreateKey.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
/**
* very simple symmetric encryption
* better use: https://paragonie.com/project/halite
*
* this is for creating secret keys for
* Security\SymmetricEncryption
*/
declare(strict_types=1);
namespace CoreLibs\Security;
class CreateKey
{
/**
* Create a random key that is a hex string
*
* @return string Hex string key for encrypting
*/
public static function generateRandomKey(): string
{
return self::bin2hex(self::randomKey());
}
/**
* create a random string as binary to encrypt data
* to store it in clear text in some .env file use bin2hex
*
* @return string Binary string for encryption
*/
public static function randomKey(): string
{
return random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}
/**
* convert binary key to hex string
*
* @param string $hex_key Convert binary key string to hex
* @return string
*/
public static function bin2hex(string $hex_key): string
{
return sodium_bin2hex($hex_key);
}
/**
* convert hex string to binary key
*
* @param string $string_key Convery hex key string to binary
* @return string
*/
public static function hex2bin(string $string_key): string
{
return sodium_hex2bin($string_key);
}
}
// __END__

59
src/Security/Password.php Normal file
View File

@@ -0,0 +1,59 @@
<?php
/*
* core password set, check and rehash check wrapper functions
*/
declare(strict_types=1);
namespace CoreLibs\Security;
class Password
{
/**
* creates the password hash
*
* @param string $password password
* @return string hashed password
*/
public static function passwordSet(string $password): string
{
// always use the PHP default for the password
// password options ca be set in the password init,
// but should be kept as default
return password_hash($password, PASSWORD_DEFAULT);
}
/**
* checks if the entered password matches the hash
*
* @param string $password password
* @param string $hash password hash
* @return bool true or false
*/
public static function passwordVerify(string $password, string $hash): bool
{
if (password_verify($password, $hash)) {
return true;
} else {
return false;
}
}
/**
* checks if the password needs to be rehashed
*
* @param string $hash password hash
* @return bool true or false
*/
public static function passwordRehashCheck(string $hash): bool
{
if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
return true;
} else {
return false;
}
}
}
// __END__

96
src/Security/SymmetricEncryption.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
/**
* very simple symmetric encryption
* Better use: https://paragonie.com/project/halite
*
* current code is just to encrypt and decrypt
*
* must use a valid encryption key created with
* Secruty\CreateKey class
*/
declare(strict_types=1);
namespace CoreLibs\Security;
use CoreLibs\Security\CreateKey;
use SodiumException;
class SymmetricEncryption
{
/**
* Encrypt a message
*
* @param string $message Message to encrypt
* @param string $key Encryption key (as hex string)
* @return string
* @throws \RangeException
*/
public static function encrypt(string $message, string $key): string
{
try {
$key = CreateKey::hex2bin($key);
} catch (SodiumException $e) {
throw new \Exception('Invalid hex key');
}
if (mb_strlen($key, '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
throw new \RangeException(
'Key is not the correct size (must be '
. 'SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long).'
);
}
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$cipher = base64_encode(
$nonce
. sodium_crypto_secretbox(
$message,
$nonce,
$key
)
);
sodium_memzero($message);
sodium_memzero($key);
return $cipher;
}
/**
* Decrypt a message
*
* @param string $encrypted Message encrypted with safeEncrypt()
* @param string $key Encryption key (as hex string)
* @return string
* @throws \Exception
*/
public static function decrypt(string $encrypted, string $key): string
{
try {
$key = CreateKey::hex2bin($key);
} catch (SodiumException $e) {
throw new \Exception('Invalid hex key');
}
$decoded = base64_decode($encrypted);
$nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
$ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
$plain = false;
try {
$plain = sodium_crypto_secretbox_open(
$ciphertext,
$nonce,
$key
);
} catch (SodiumException $e) {
throw new \Exception('Invalid ciphertext (too short)');
}
if (!is_string($plain)) {
throw new \Exception('Invalid Key');
}
sodium_memzero($ciphertext);
sodium_memzero($key);
return $plain;
}
}
// __END__

12
test/phpunit/Check/CoreLibsCheckPasswordTest.php → test/phpunit/Security/CoreLibsSecurityPasswordTest.php
View File

@@ -7,11 +7,11 @@ namespace tests;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
/** /**
* Test class for Check\Password * Test class for Security\Password
* @coversDefaultClass \CoreLibs\Check\Password * @coversDefaultClass \CoreLibs\Security\Password
* @testdox \CoreLibs\Check\Password method tests * @testdox \CoreLibs\Security\Password method tests
*/ */
final class CoreLibsCheckPasswordTest extends TestCase final class CoreLibsSecurityPasswordTest extends TestCase
{ {
public function passwordProvider(): array public function passwordProvider(): array
{ {
@@ -46,7 +46,7 @@ final class CoreLibsCheckPasswordTest extends TestCase
{ {
$this->assertEquals( $this->assertEquals(
$expected, $expected,
\CoreLibs\Check\Password::passwordVerify($input, \CoreLibs\Check\Password::passwordSet($input_hash)) \CoreLibs\Security\Password::passwordVerify($input, \CoreLibs\Security\Password::passwordSet($input_hash))
); );
} }
@@ -65,7 +65,7 @@ final class CoreLibsCheckPasswordTest extends TestCase
{ {
$this->assertEquals( $this->assertEquals(
$expected, $expected,
\CoreLibs\Check\Password::passwordRehashCheck($input) \CoreLibs\Security\Password::passwordRehashCheck($input)
); );
} }
} }

172
test/phpunit/Security/CoreLibsSecuritySymmetricEncryption.php Normal file
View File

@@ -0,0 +1,172 @@
<?php
declare(strict_types=1);
namespace tests;
use PHPUnit\Framework\TestCase;
use CoreLibs\Security\CreateKey;
use CoreLibs\Security\SymmetricEncryption;
/**
* Test class for Security\SymmetricEncryption and Security\CreateKey
* @coversDefaultClass \CoreLibs\Security\SymmetricEncryption
* @testdox \CoreLibs\Security\SymmetricEncryption method tests
*/
final class CoreLibsSecuritySymmetricEncryption extends TestCase
{
/**
* Undocumented function
*
* @return array
*/
public function providerEncryptDecryptSuccess(): array
{
return [
'valid string' => [
'input' => 'I am a secret',
'expected' => 'I am a secret',
],
];
}
/**
* test encrypt/decrypt produce correct output
*
* @covers ::generateRandomKey
* @covers ::encrypt
* @covers ::decrypt
* @dataProvider providerEncryptDecryptSuccess
* @testdox encrypt/decrypt $input must be $expected [$_dataName]
*
* @param string $input
* @param string $expected
* @return void
*/
public function testEncryptDecryptSuccess(string $input, string $expected): void
{
$key = CreateKey::generateRandomKey();
$encrypted = SymmetricEncryption::encrypt($input, $key);
$decrypted = SymmetricEncryption::decrypt($encrypted, $key);
$this->assertEquals(
$expected,
$decrypted
);
}
/**
* Undocumented function
*
* @return array
*/
public function providerEncryptFailed(): array
{
return [
'wrong decryption key' => [
'input' => 'I am a secret',
'excpetion_message' => 'Invalid Key'
],
];
}
/**
* Test decryption with wrong key
*
* @covers ::generateRandomKey
* @covers ::encrypt
* @covers ::decrypt
* @dataProvider providerEncryptFailed
* @testdox decrypt with wrong key $input throws $exception_message [$_dataName]
*
* @param string $input
* @param string $exception_message
* @return void
*/
public function testEncryptFailed(string $input, string $exception_message): void
{
$key = CreateKey::generateRandomKey();
$encrypted = SymmetricEncryption::encrypt($input, $key);
$wrong_key = CreateKey::generateRandomKey();
$this->expectExceptionMessage($exception_message);
SymmetricEncryption::decrypt($encrypted, $wrong_key);
}
/**
* Undocumented function
*
* @return array
*/
public function providerWrongKey(): array
{
return [
'not hex key' => [
'key' => 'not_a_hex_key',
'exception_message' => 'Invalid hex key'
],
'too short hex key' => [
'key' => '1cabd5cba9e042f12522f4ff2de5c31d233b',
'excpetion_message' => 'Key is not the correct size (must be '
. 'SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long).'
],
];
}
/**
* test invalid key provided to decrypt or encrypt
*
* @covers ::encrypt
* @covers ::decrypt
* @dataProvider providerWrongKey
* @testdox wrong key $key throws $exception_message [$_dataName]
*
* @param string $key
* @param string $exception_message
* @return void
*/
public function testWrongKey(string $key, string $exception_message): void
{
$this->expectExceptionMessage($exception_message);
SymmetricEncryption::encrypt('test', $key);
// we must encrypt valid thing first so we can fail with the wrong kjey
$enc_key = CreateKey::generateRandomKey();
$encrypted = SymmetricEncryption::encrypt('test', $enc_key);
$this->expectExceptionMessage($exception_message);
SymmetricEncryption::decrypt($encrypted, $key);
}
/**
* Undocumented function
*
* @return array
*/
public function providerWrongCiphertext(): array
{
return [
'too short ciphertext' => [
'input' => 'short',
'exception_message' => 'Invalid ciphertext (too short)'
],
];
}
/**
* Undocumented function
*
* @covers ::decrypt
* @dataProvider providerWrongCiphertext
* @testdox too short ciphertext $input throws $exception_message [$_dataName]
*
* @param string $input
* @param string $exception_message
* @return void
*/
public function testWrongCiphertext(string $input, string $exception_message): void
{
$key = CreateKey::generateRandomKey();
$this->expectExceptionMessage($exception_message);
SymmetricEncryption::decrypt($input, $key);
}
}
// __END__