- pipeline fix

- remove defuse legacy as it does not apply

Author: unixslayer

composer.json

@@ -125,6 +125,7 @@
         "ext-openssl": "*",
         "doctrine/dbal": "^3.9|^4.0",
         "doctrine/persistence": "^2.5|^3.4",
+        "defuse/php-encryption": "^2.4",
         "enqueue/amqp-lib": "^0.10.25",
         "enqueue/redis": "^0.10.9",
         "enqueue/sqs": "^0.10.15",

packages/DataProtection/composer.json

@@ -39,7 +39,7 @@
         "ext-openssl": "*",
         "ecotone/ecotone": "~1.299.2",
         "ecotone/jms-converter": "~1.299.2",
-        "ecotone/php-encryption": "~1.299.2"
+        "defuse/php-encryption": "^2.4"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.5|^10.5|^11.0",

packages/PHPEncryption/composer.json

@@ -44,7 +44,7 @@
         "paragonie/random_compat": "^2.0"
     },
     "require-dev": {
-        "phpstan/phpstan": "^1.8",
+        "phpstan/phpstan": "^2.1",
         "phpunit/phpunit": "^11",
         "yoast/phpunit-polyfills": "^4.0.0"
     },

packages/PHPEncryption/docs/CryptoDetails.md

@@ -26,8 +26,8 @@ Let's start with the following definitions:
     - *i*: The iteration count.
     - *n*: The output length in bytes.
 - VERSION is the string `"\xDE\xF5\x02\x00"`.
-- AUTHINFO is the string `"Ecotone|V2|KeyForAuthentication"`.
-- ENCRINFO is the string `"Ecotone|V2|KeyForEncryption"`.
+- AUTHINFO is the string `"Ecotone|KeyForAuthentication"`.
+- ENCRINFO is the string `"Ecotone|KeyForEncryption"`.
 
 To encrypt a message *m* using a 32-byte key *k*, the following steps are taken:
 

packages/PHPEncryption/src/Core.php

@@ -38,28 +38,20 @@
  */
 final class Core
 {
-    public const int HEADER_VERSION_SIZE = 4;
-    public const int MINIMUM_CIPHERTEXT_SIZE = 84;
-
-    public const string CURRENT_VERSION = "\xDE\xF5\x02\x00";
-
-    public const string CIPHER_METHOD = 'aes-256-ctr';
-    public const int BLOCK_BYTE_SIZE = 16;
-    public const int KEY_BYTE_SIZE = 32;
-    public const int SALT_BYTE_SIZE = 32;
-    public const int MAC_BYTE_SIZE = 32;
-    public const string HASH_FUNCTION_NAME = 'sha256';
-    public const string ENCRYPTION_INFO_STRING = 'Ecotone|V2|KeyForEncryption';
-    public const string AUTHENTICATION_INFO_STRING = 'Ecotone|V2|KeyForAuthentication';
-    public const int BUFFER_BYTE_SIZE = 1048576;
-
-    public const string LEGACY_CIPHER_METHOD = 'aes-128-cbc';
-    public const int LEGACY_BLOCK_BYTE_SIZE = 16;
-    public const int LEGACY_KEY_BYTE_SIZE = 16;
-    public const string LEGACY_HASH_FUNCTION_NAME = 'sha256';
-    public const int LEGACY_MAC_BYTE_SIZE = 32;
-    public const string LEGACY_ENCRYPTION_INFO_STRING = 'Ecotone|KeyForEncryption';
-    public const string LEGACY_AUTHENTICATION_INFO_STRING = 'Ecotone|KeyForAuthentication';
+    public const HEADER_VERSION_SIZE = 4;
+    public const MINIMUM_CIPHERTEXT_SIZE = 84;
+
+    public const CURRENT_VERSION = "\xDE\xF5\x02\x00";
+
+    public const CIPHER_METHOD = 'aes-256-ctr';
+    public const BLOCK_BYTE_SIZE = 16;
+    public const KEY_BYTE_SIZE = 32;
+    public const SALT_BYTE_SIZE = 32;
+    public const MAC_BYTE_SIZE = 32;
+    public const HASH_FUNCTION_NAME = 'sha256';
+    public const ENCRYPTION_INFO_STRING = 'Ecotone|KeyForEncryption';
+    public const AUTHENTICATION_INFO_STRING = 'Ecotone|KeyForAuthentication';
+    public const BUFFER_BYTE_SIZE = 1048576;
 
     /*
      * V2.0 Format: VERSION (4 bytes) || SALT (32 bytes) || IV (16 bytes) ||
@@ -78,7 +70,6 @@ final class Core
     public static function incrementCounter(string $ctr, int $inc): string
     {
         self::ensureTrue(self::strlen($ctr) === self::BLOCK_BYTE_SIZE, 'Trying to increment a nonce of the wrong size.');
-        self::ensureTrue(is_int($inc), 'Trying to increment nonce by a non-integer.');
         self::ensureTrue($inc > 0, 'Trying to increment a nonce by a nonpositive amount'); // The caller is probably re-using CTR-mode keystream if they increment by 0.
         self::ensureTrue($inc <= PHP_INT_MAX - 255, 'Integer overflow may occur');
 
@@ -141,7 +132,7 @@ public static function HKDF(string $hash, string $ikm, int $length, string $info
         $digest_length = self::strlen(hash_hmac($hash, '', '', true));
 
         // Sanity-check the desired output length.
-        self::ensureTrue(! empty($length) && is_int($length) && $length >= 0 && $length <= 255 * $digest_length, 'Bad output length requested of HDKF.');
+        self::ensureTrue(! empty($length) && $length >= 0 && $length <= 255 * $digest_length, 'Bad output length requested of HDKF.');
 
         // "if [salt] not provided, is set to a string of HashLen zeroes."
         if (is_null($salt)) {

packages/PHPEncryption/src/Crypto.php

@@ -5,14 +5,15 @@
 use Ecotone\PHPEncryption\Exception\CryptoException;
 use Ecotone\PHPEncryption\Exception\EnvironmentIsBrokenException;
 use Ecotone\PHPEncryption\Exception\WrongKeyOrModifiedCiphertextException;
-use SensitiveParameter;
-use Throwable;
 
 use function hash_hmac;
 use function is_string;
 use function openssl_decrypt;
 use function openssl_encrypt;
 
+use SensitiveParameter;
+use Throwable;
+
 /**
  * licence Apache-2.0
  */
@@ -58,61 +59,6 @@ public static function decryptWithPassword(string $ciphertext, #[SensitiveParame
         return self::decryptInternal($ciphertext, KeyOrPassword::createFromPassword($password), $raw_binary);
     }
 
-    /**
-     * Decrypts a legacy ciphertext produced by version 1 of this library.
-     *
-     * @throws WrongKeyOrModifiedCiphertextException|EnvironmentIsBrokenException
-     */
-    public static function legacyDecrypt(string $ciphertext, #[SensitiveParameter] string $key): string
-    {
-        RuntimeTests::runtimeTest();
-
-        // Extract the HMAC from the front of the ciphertext.
-        if (Core::strlen($ciphertext) <= Core::LEGACY_MAC_BYTE_SIZE) {
-            throw new WrongKeyOrModifiedCiphertextException('Ciphertext is too short.');
-        }
-
-        $hmac = Core::substr($ciphertext, 0, Core::LEGACY_MAC_BYTE_SIZE);
-        Core::ensureTrue(is_string($hmac));
-
-        $messageCiphertext = Core::substr($ciphertext, Core::LEGACY_MAC_BYTE_SIZE);
-        Core::ensureTrue(is_string($messageCiphertext));
-
-        // Regenerate the same authentication sub-key.
-        $akey = Core::HKDF(
-            hash: Core::LEGACY_HASH_FUNCTION_NAME,
-            ikm: $key,
-            length: Core::LEGACY_KEY_BYTE_SIZE,
-            info: Core::LEGACY_AUTHENTICATION_INFO_STRING,
-        );
-
-        if (self::verifyHMAC($hmac, $messageCiphertext, $akey)) {
-            // Regenerate the same encryption sub-key.
-            $ekey = Core::HKDF(
-                hash: Core::LEGACY_HASH_FUNCTION_NAME,
-                ikm: $key,
-                length: Core::LEGACY_KEY_BYTE_SIZE,
-                info: Core::LEGACY_ENCRYPTION_INFO_STRING,
-            );
-
-            // Extract the IV from the ciphertext.
-            if (Core::strlen($messageCiphertext) <= Core::LEGACY_BLOCK_BYTE_SIZE) {
-                throw new WrongKeyOrModifiedCiphertextException('Ciphertext is too short.');
-            }
-
-            $iv = Core::substr($messageCiphertext, 0, Core::LEGACY_BLOCK_BYTE_SIZE);
-            Core::ensureTrue(is_string($iv));
-
-            $actualCiphertext = Core::substr($messageCiphertext, Core::LEGACY_BLOCK_BYTE_SIZE);
-            Core::ensureTrue(is_string($actualCiphertext));
-
-            // Do the decryption.
-            return self::plainDecrypt($actualCiphertext, $ekey, $iv, Core::LEGACY_CIPHER_METHOD);
-        }
-
-        throw new WrongKeyOrModifiedCiphertextException('Integrity check failed.');
-    }
-
     /**
      * Encrypts a string with either a key or a password.
      *

packages/PHPEncryption/src/Encoding.php

@@ -5,20 +5,21 @@
 use Ecotone\PHPEncryption\Exception\BadFormatException;
 use Ecotone\PHPEncryption\Exception\CryptoException;
 use Ecotone\PHPEncryption\Exception\EnvironmentIsBrokenException;
-use SensitiveParameter;
 
 use function hash;
 use function ord;
 use function pack;
 
+use SensitiveParameter;
+
 /**
  * licence Apache-2.0
  */
 final class Encoding
 {
-    public const int CHECKSUM_BYTE_SIZE = 32;
-    public const string CHECKSUM_HASH_ALGO = 'sha256';
-    public const int SERIALIZE_HEADER_BYTES = 4;
+    public const CHECKSUM_BYTE_SIZE = 32;
+    public const CHECKSUM_HASH_ALGO = 'sha256';
+    public const SERIALIZE_HEADER_BYTES = 4;
 
     /**
      * Converts a byte string to a hexadecimal string without leaking information through side channels.

packages/PHPEncryption/src/File.php

@@ -40,7 +40,7 @@ final class File
     /**
      * Encrypts the input file, saving the ciphertext to the output file.
      *
-     * @throws IOException
+     * @throws IOException|EnvironmentIsBrokenException
      */
     public static function encryptFile(string $inputFilename, string $outputFilename, Key $key): void
     {
@@ -50,7 +50,7 @@ public static function encryptFile(string $inputFilename, string $outputFilename
     /**
      * Encrypts a file with a password, using a slow key derivation function to make password cracking more expensive.
      *
-     * @throws IOException
+     * @throws IOException|EnvironmentIsBrokenException
      */
     public static function encryptFileWithPassword(string $inputFilename, string $outputFilename, #[SensitiveParameter] string $password): void
     {
@@ -64,7 +64,7 @@ public static function encryptFileWithPassword(string $inputFilename, string $ou
     /**
      * Decrypts the input file, saving the plaintext to the output file.
      *
-     * @throws IOException
+     * @throws CryptoException|EnvironmentIsBrokenException|IOException|WrongKeyOrModifiedCiphertextException
      */
     public static function decryptFile(string $inputFilename, string $outputFilename, Key $key): void
     {
@@ -74,7 +74,7 @@ public static function decryptFile(string $inputFilename, string $outputFilename
     /**
      * Decrypts a file with a password, using a slow key derivation function to make password cracking more expensive.
      *
-     * @throws IOException
+     * @throws CryptoException|EnvironmentIsBrokenException|IOException|WrongKeyOrModifiedCiphertextException
      */
     public static function decryptFileWithPassword(string $inputFilename, string $outputFilename, #[SensitiveParameter] string $password): void
     {
@@ -84,7 +84,7 @@ public static function decryptFileWithPassword(string $inputFilename, string $ou
     /**
      * Takes two resource handles and encrypts the contents of the first, writing the ciphertext into the second.
      *
-     * @throws EnvironmentIsBrokenException|IOException
+     * @throws CryptoException|EnvironmentIsBrokenException|IOException|WrongKeyOrModifiedCiphertextException
      */
     public static function encryptResource($inputHandle, $outputHandle, Key $key): void
     {
@@ -94,7 +94,7 @@ public static function encryptResource($inputHandle, $outputHandle, Key $key): v
     /**
      * Encrypts the contents of one resource handle into another with a password, using a slow key derivation function to make password cracking more expensive.
      *
-     * @throws EnvironmentIsBrokenException|IOException
+     * @throws CryptoException|EnvironmentIsBrokenException|IOException|WrongKeyOrModifiedCiphertextException
      */
     public static function encryptResourceWithPassword($inputHandle, $outputHandle, #[SensitiveParameter] string $password): void
     {
@@ -124,7 +124,7 @@ public static function decryptResourceWithPassword($inputHandle, $outputHandle,
     /**
      * Encrypts a file with either a key or a password.
      *
-     * @throws IOException|EnvironmentIsBrokenException
+     * @throws CryptoException|EnvironmentIsBrokenException|IOException|WrongKeyOrModifiedCiphertextException
      */
     private static function encryptFileInternal(string $inputFilename, string $outputFilename, KeyOrPassword $secret): void
     {

packages/PHPEncryption/src/Key.php

@@ -12,8 +12,8 @@
  */
 final class Key
 {
-    public const string KEY_CURRENT_VERSION = "\xDE\xF0\x00\x00";
-    public const int KEY_BYTE_SIZE = 32;
+    public const KEY_CURRENT_VERSION = "\xDE\xF0\x00\x00";
+    public const KEY_BYTE_SIZE = 32;
 
     private string $key_bytes;
 
@@ -46,7 +46,7 @@ public static function createNewRandomKey(): self
      *
      * @throws CryptoException|EnvironmentIsBrokenException|BadFormatException
      */
-    public static function loadFromAsciiSafeString(#[SensitiveParameter]string $saved_key_string, bool $do_not_trim = false): self
+    public static function loadFromAsciiSafeString(#[SensitiveParameter] string $saved_key_string, bool $do_not_trim = false): self
     {
         if (! $do_not_trim) {
             $saved_key_string = Encoding::trimTrailingWhitespace($saved_key_string);

packages/PHPEncryption/src/KeyOrPassword.php

@@ -14,9 +14,9 @@
  */
 final class KeyOrPassword
 {
-    public const int PBKDF2_ITERATIONS = 100000;
-    public const int SECRET_TYPE_KEY = 1;
-    public const int SECRET_TYPE_PASSWORD = 2;
+    public const PBKDF2_ITERATIONS = 100000;
+    public const SECRET_TYPE_KEY = 1;
+    public const SECRET_TYPE_PASSWORD = 2;
 
     private int $secret_type;
     private Key|string $secret;