adapt defuse/php-ancryption as internal package adapting Ecotone coding standards

Author: unixslayer

composer.json

@@ -44,6 +44,7 @@
                 "packages/PdoEventSourcing/src"
             ],
             "Ecotone\\JMSConverter\\": "packages/JmsConverter/src",
+            "Ecotone\\PHPEncryption\\": "packages/PHPEncryption/src",
             "Ecotone\\Redis\\": "packages/Redis/src",
             "Ecotone\\Sqs\\": "packages/Sqs/src",
             "Ecotone\\Laravel\\": "packages/Laravel/src",
@@ -94,6 +95,9 @@
             "Test\\Ecotone\\JMSConverter\\": [
                 "packages/JmsConverter/tests"
             ],
+            "Test\\Ecotone\\PHPEncryption\\": [
+                "packages/PHPEncryption/tests/unit"
+            ],
             "Test\\Ecotone\\Redis\\": [
                 "packages/Redis/tests"
             ],
@@ -117,17 +121,18 @@
     },
     "require": {
         "php": "^8.2",
+        "ext-amqp": "*",
+        "ext-openssl": "*",
         "doctrine/dbal": "^3.9|^4.0",
         "doctrine/persistence": "^2.5|^3.4",
-        "defuse/php-encryption": "^2.4",
         "enqueue/amqp-lib": "^0.10.25",
         "enqueue/redis": "^0.10.9",
         "enqueue/sqs": "^0.10.15",
         "enqueue/enqueue": "^0.10.0",
-        "ext-amqp": "*",
         "laminas/laminas-code": "^4",
         "jms/serializer": "^3.32",
         "laravel/framework": "^9.5.2|^10.0|^11.0|^12.0|^13.0",
+        "paragonie/random_compat": "^2.0",
         "prooph/pdo-event-store": "^1.16.3",
         "psr/log": "^2.0|^3.0",
         "queue-interop/queue-interop": "^0.8",
@@ -172,7 +177,8 @@
         "symfony/monolog-bundle": "^3.10",
         "kwn/php-rdkafka-stubs": "^2.2",
         "symfony/var-exporter": "^6.4|^7.0|^8.0",
-        "enqueue/dsn": "^0.10.27"
+        "enqueue/dsn": "^0.10.27",
+        "yoast/phpunit-polyfills": "^4.0.0"
     },
     "conflict": {
         "symfony/doctrine-messenger": ">7.0.5 < 7.1.0",
@@ -212,7 +218,10 @@
     },
     "scripts": {
         "tests:phpstan": "vendor/bin/phpstan",
-        "tests:phpunit": "vendor/bin/phpunit --no-coverage",
+        "tests:phpunit": [
+            "(cd packages/PHPEncryption && tests/before-tests.sh)",
+            "vendor/bin/phpunit --no-coverage"
+        ],
         "tests:behat": "vendor/bin/behat -vvv",
         "tests:ci": [
             "@tests:phpstan",

packages/DataProtection/composer.json

@@ -39,7 +39,7 @@
         "ext-openssl": "*",
         "ecotone/ecotone": "~1.299.2",
         "ecotone/jms-converter": "~1.299.2",
-        "defuse/php-encryption": "^2.4"
+        "ecotone/php-encryption": "~1.299.2"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.5|^10.5|^11.0",

packages/PHPEncryption/.gitattributes

@@ -0,0 +1,7 @@
+tests/          export-ignore
+.coveralls.yml  export-ignore
+.gitattributes  export-ignore
+.gitignore      export-ignore
+behat.yaml      export-ignore
+phpstan.neon    export-ignore
+phpunit.xml     export-ignore

packages/PHPEncryption/.gitignore

@@ -0,0 +1,11 @@
+.idea/
+vendor/
+bin/
+tests/coverage
+!tests/coverage/.gitkeep
+file
+.phpunit.result.cache
+composer.lock
+phpunit.xml
+
+tests/unit/File/big-generated-file

packages/PHPEncryption/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2025 Dariusz Gafka <support@simplycodedsoftware.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+**Scope of the License**
+
+Apache-2.0 Licence applies to non Enterprise Functionalities of the Ecotone Framework.
+Functionalities of the Ecotone Framework referred to as Enterprise functionalities, are not covered under the Apache-2.0 license. These functionalities are provided under a separate Enterprise License.
+For details on the Enterprise License, please refer to the [LICENSE-ENTERPRISE](./LICENSE-ENTERPRISE) file.

packages/PHPEncryption/LICENSE-ENTERPRISE

@@ -0,0 +1,3 @@
+Copyright (c) 2025 Dariusz Gafka <support@simplycodedsoftware.com>
+
+Licence is available at [ecotone.tech/documents/ecotone_enterprise_licence.pdf](https://ecotone.tech/documents/ecotone_enterprise_licence.pdf)

packages/PHPEncryption/README.md

@@ -0,0 +1,63 @@
+# This is Read Only Repository
+To contribute make use of [Ecotone-Dev repository](https://github.com/ecotoneframework/ecotone-dev).
+
+<p align="left"><a href="https://ecotone.tech" target="_blank">
+    <img src="https://github.com/ecotoneframework/ecotone-dev/blob/main/ecotone_small.png?raw=true">
+</a></p>
+
+![Github Actions](https://github.com/ecotoneFramework/ecotone-dev/actions/workflows/split-testing.yml/badge.svg)
+[![Latest Stable Version](https://poser.pugx.org/ecotone/ecotone/v/stable)](https://packagist.org/packages/ecotone/ecotone)
+[![License](https://poser.pugx.org/ecotone/ecotone/license)](https://packagist.org/packages/ecotone/ecotone)
+[![Total Downloads](https://img.shields.io/packagist/dt/ecotone/ecotone)](https://packagist.org/packages/ecotone/ecotone)
+[![PHP Version Require](https://img.shields.io/packagist/dependency-v/ecotone/ecotone/php.svg)](https://packagist.org/packages/ecotone/ecotone)
+
+The roots of Object Oriented Programming (OOP) were mainly about communication using Messages and logic encapsulation.   
+`Ecotone` aims to return to the origins of OOP, by providing tools which allows us to fully move the focus from Objects to Flows, from Data storage to Application Design, from Technicalities to Business logic.  
+Ecotone does that by making Messages first class-citizen in our Applications.
+
+Thanks to being Message-Driven at the foundation level, Ecotone provides architecture which is resilient and scalable by default, making it possible for Developers to focus on business problems instead of technical concerns.      
+Together with declarative configuration and higher level building blocks, it makes the system design explicit, easy to follow and change no matter of Developers experience.
+
+Visit main page [ecotone.tech](https://ecotone.tech) to learn more.
+
+> Ecotone can be used with [Symfony](https://docs.ecotone.tech/modules/symfony-ddd-cqrs-event-sourcing) and [Laravel](https://docs.ecotone.tech/modules/laravel-ddd-cqrs-event-sourcing) frameworks, or any other framework using [Ecotone Lite](https://docs.ecotone.tech/install-php-service-bus#install-ecotone-lite-no-framework).
+> 
+## Getting started
+
+The quickstart [page](https://docs.ecotone.tech/quick-start) of the
+[reference guide](https://docs.ecotone.tech) provides a starting point for using Ecotone.
+Read more on the [Ecotone's Blog](https://blog.ecotone.tech).
+
+## AI-Friendly Documentation
+
+Ecotone provides AI-optimized documentation for use with AI assistants and code editors:
+
+- **MCP Server**: `https://docs.ecotone.tech/~gitbook/mcp` - [Install in VSCode](vscode:mcp/install?%7B%22name%22%3A%22Ecotone%22%2C%22url%22%3A%22https%3A%2F%2Fdocs.ecotone.tech%2F~gitbook%2Fmcp%22%7D)
+- **LLMs.txt**: [ecotone.tech/llms.txt](https://ecotone.tech/llms.txt)
+- **Context7**: Available via [@upstash/context7-mcp](https://github.com/upstash/context7)
+
+Learn more: [AI Integration Guide](https://docs.ecotone.tech/other/ai-integration)
+
+## Feature requests and issue reporting
+
+Use [issue tracking system](https://github.com/ecotoneframework/ecotone-dev/issues) for new feature request and bugs. 
+Please verify that it's not already reported by someone else.
+
+## Contact
+
+If you want to talk or ask questions about Ecotone
+
+- [**Twitter**](https://twitter.com/EcotonePHP)
+- **support@simplycodedsoftware.com**
+- [**Community Channel**](https://discord.gg/GwM2BSuXeg)
+
+## Support Ecotone
+
+If you want to help building and improving Ecotone consider becoming a sponsor:
+
+- [Sponsor Ecotone](https://github.com/sponsors/dgafka)
+- [Contribute to Ecotone](https://github.com/ecotoneframework/ecotone-dev).
+
+## Tags
+
+PHP, DDD, CQRS, Event Sourcing, Symfony, Laravel, Service Bus, Event Driven Architecture, SOA, Events, Commands

packages/PHPEncryption/composer.json

@@ -0,0 +1,81 @@
+{
+    "name": "ecotone/php-encryption",
+    "license": [
+        "Apache-2.0",
+        "proprietary"
+    ],
+    "homepage": "https://docs.ecotone.tech/",
+    "forum": "https://discord.gg/GwM2BSuXeg",
+    "type": "library",
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "authors": [
+        {
+            "name": "Dariusz Gafka",
+            "email": "support@simplycodedsoftware.com"
+        }
+    ],
+    "keywords": ["security", "encryption", "AES", "openssl", "cipher", "cryptography", "symmetric key cryptography", "crypto", "encrypt", "authenticated encryption"],
+    "description": "Secure PHP Encryption Library",
+    "autoload": {
+        "psr-4": {
+            "Ecotone\\PHPEncryption\\": "src"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Test\\Ecotone\\PHPEncryption\\": "tests/unit"
+        }
+    },
+    "scripts": {
+        "tests:phpstan": "vendor/bin/phpstan",
+        "tests:phpunit": [
+            "tests/before-tests.sh",
+            "vendor/bin/phpunit --no-coverage --testdox"
+        ],
+        "tests:ci": [
+            "@tests:phpstan",
+            "@tests:phpunit"
+        ]
+    },
+    "require": {
+        "php": "^8.2",
+        "ext-openssl": "*",
+        "paragonie/random_compat": "^2.0"
+    },
+    "require-dev": {
+        "phpstan/phpstan": "^1.8",
+        "phpunit/phpunit": "^11",
+        "yoast/phpunit-polyfills": "^4.0.0"
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-main": "1.299.1-dev"
+        },
+        "ecotone": {
+            "repository": "php-encryption"
+        },
+        "merge-plugin": {
+            "include": [
+                "../local_packages.json"
+            ]
+        },
+        "license-info": {
+            "Apache-2.0": {
+                "name": "Apache License 2.0",
+                "url": "https://github.com/ecotoneframework/ecotone-dev/blob/main/LICENSE",
+                "description": "Allows to use non Enterprise features of Ecotone. For more information please write to support@simplycodedsoftware.com"
+            },
+            "proprietary": {
+                "name": "Enterprise License",
+                "description": "Allows to use Enterprise features of Ecotone. For more information please write to support@simplycodedsoftware.com"
+            }
+        },
+        "release-time": "2026-02-07 18:38:09"
+    },
+    "config": {
+        "allow-plugins": {
+            "wikimedia/composer-merge-plugin": true
+        }
+    }
+}

packages/PHPEncryption/docs/CryptoDetails.md

@@ -0,0 +1,61 @@
+Cryptography Details
+=====================
+
+Here is a high-level description of how this library works. Any discrepancy
+between this documentation and the actual implementation will be considered
+a security bug.
+
+Let's start with the following definitions:
+
+- HKDF-SHA256(*k*, *n*, *info*, *s*) is the key derivation function specified in
+  RFC 5869 (using the SHA256 hash function). The parameters are:
+    - *k*: The initial keying material.
+    - *n*: The number of output bytes.
+    - *info*: The info string.
+    - *s*: The salt.
+- AES-256-CTR(*m*, *k*, *iv*) is AES-256 encryption in CTR mode. The parameters
+  are:
+    - *m*: An arbitrary-length (possibly zero-length) message.
+    - *k*: A 32-byte key.
+    - *iv*: A 16-byte initialization vector (nonce).
+- PBKDF2-SHA256(*p*, *s*, *i*, *n*) is the password-based key derivation
+  function defined in RFC 2898 (using the SHA256 hash function). The parameters
+  are:
+    - *p*: The password string.
+    - *s*: The salt string.
+    - *i*: The iteration count.
+    - *n*: The output length in bytes.
+- VERSION is the string `"\xDE\xF5\x02\x00"`.
+- AUTHINFO is the string `"Ecotone|V2|KeyForAuthentication"`.
+- ENCRINFO is the string `"Ecotone|V2|KeyForEncryption"`.
+
+To encrypt a message *m* using a 32-byte key *k*, the following steps are taken:
+
+1. Generate a random 32-byte string *salt*.
+2. Derive the 32-byte authentication key *akey* = HKDF-SHA256(*k*, 32, AUTHINFO, *salt*).
+3. Derive the 32-byte encryption key *ekey* = HKDF-SHA256(*k*, 32, ENCRINFO, *salt*).
+4. Generate a random 16-byte initialization vector *iv*.
+5. Compute *c* = AES-256-CTR(*m*, *ekey*, *iv*).
+6. Combine *ctxt* = VERSION || *salt* || *iv* || *c*.
+7. Compute *h* = HMAC-SHA256(*ctxt*, *akey*).
+8. Output *ctxt* || *h*.
+
+Decryption is roughly the reverse process (see the code for details, since the
+security of the decryption routine is highly implementation-dependent).
+
+For encryption using a password *p*, steps 1-3 above are replaced by:
+
+1. Generate a random 32-byte string *salt*.
+2. Compute *k* = PBKDF2-SHA256(SHA256(*p*), *salt*, 100000, 32).
+3. Derive the 32-byte authentication key *akey* = HKDF-SHA256(*k*, 32, AUTHINFO, *salt*)
+4. Derive the 32-byte encryption key *ekey* = HKDF-SHA256(*k*, 32, ENCRINFO, *salt*)
+
+The remainder of the process is the same. Notice the reuse of the same *salt*
+for PBKDF2-SHA256 and HKDF-SHA256. The prehashing of the password in step 2 is
+done to prevent a DoS attack using long passwords.
+
+For `KeyProtectedByPassword`, the serialized key is encrypted according to the
+password encryption defined above. However, the actual password used for
+encryption is the SHA256 hash of the password the user provided. This is done in
+order to provide domain separation between the message encryption in the user's
+application and the internal key encryption done by this library.

packages/PHPEncryption/docs/FAQ.md

@@ -0,0 +1,51 @@
+Frequently Asked Questions
+===========================
+
+How do I use this library to encrypt passwords?
+------------------------------------------------
+
+Passwords should not be encrypted, they should be hashed with a *slow* password
+hashing function that's designed to slow down password guessing attacks. See
+[How to Safely Store Your Users' Passwords in
+2016](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016).
+
+How do I give it the same key every time instead of a new random key?
+----------------------------------------------------------------------
+
+A `Key` object can be saved to a string by calling its `saveToAsciiSafeString()`
+method. You will have to save that string somewhere safe, and then load it back
+into a `Key` object using `Key`'s `loadFromAsciiSafeString` static method.
+
+Where you store the string depends on your application. For example if you are
+using `KeyProtectedByPassword` to encrypt files with a user's login password,
+then you should not store the `Key` at all. If you are protecting sensitive data
+on a server that may be compromised, then you should store it in a hardware
+security module. When in doubt, consult a security expert.
+
+Why is an EnvironmentIsBrokenException getting thrown?
+-------------------------------------------------------
+
+Either you've encountered a bug in this library, or your system doesn't support
+the use of this library. For example, if your system does not have a secure
+random number generator, this library will refuse to run, by throwing that
+exception, instead of falling back to an insecure random number generator.
+
+Why am I getting a BadFormatException when loading a Key from a string?
+------------------------------------------------------------------------
+
+If you're getting this exception, then the string you're giving to
+`loadFromAsciiSafeString()` is *not* the same as the string you got from
+`saveToAsciiSafeString()`. Perhaps your database column isn't wide enough and
+it's truncating the string as you insert it?
+
+Does encrypting hide the length of the plaintext?
+--------------------------------------------------
+
+Encryption does not, and is not intended to, hide the length of the data being
+encrypted. For example, it is not safe to encrypt a field in which only a small
+number of different-length values are possible (e.g. "male" or "female") since
+it would be possible to tell what the plaintext is by looking at the length of
+the ciphertext. In order to do this safely, it is your responsibility to, before
+encrypting, pad the data out to the length of the longest string that will ever
+be encrypted. This way, all plaintexts are the same length, and no information
+about the plaintext can be gleaned from the length of the ciphertext.