<?php
namespace CodedMonkey\Dirigent\Encryption;
use Symfony\Component\Filesystem\Filesystem;
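readonly class Encryption
{
    /**
     * Sealed-box encryption with one active key pair plus optional rotated key pairs.
     *
     * Data is sealed with the active public key (`seal()`) and opened with the active
     * key pair first, then each rotated key pair in order (`reveal()`), so values sealed
     * before a key rotation stay readable until they have been re-sealed.
     *
     * All keys are held as raw binary; `create()` decodes the hex form used in
     * configuration and key files.
     *
     * NOTE: sodium_crypto_box_seal_open() takes the full box key pair (secret || public),
     * so `$privateKey` and each rotated key must hold that value, not the bare secret key.
     * A mismatch is surfaced by `validate()`.
     *
     * @param string       $privateKey  box key pair used to open sealed data
     * @param string       $publicKey   box public key used to seal data
     * @param list<string> $rotatedKeys previous box key pairs, tried in order after the active one
     */
    public function __construct(
        #[\SensitiveParameter]
        private string $privateKey,
        #[\SensitiveParameter]
        private string $publicKey,
        #[\SensitiveParameter]
        private array $rotatedKeys,
    ) {
    }

    /**
     * Builds an instance from hex-encoded keys given inline or through key files.
     *
     * Files are used only when neither inline key is given. In file mode both paths are
     * required, every referenced file must exist, and inline rotated keys are rejected
     * (they would otherwise be paired with file-based primary keys). In inline mode both
     * inline keys are required and `$rotatedKeyPaths` is ignored.
     *
     * @param list<string> $rotatedKeys     hex-encoded rotated key pairs (inline mode)
     * @param list<string> $rotatedKeyPaths paths of files holding hex-encoded rotated key pairs (file mode)
     *
     * @throws \RuntimeException when the configuration is incomplete or a key file is missing
     * @throws \SodiumException  when a key is not valid hex
     */
    public static function create(
        #[\SensitiveParameter]
        ?string $privateKey,
        #[\SensitiveParameter]
        ?string $privateKeyPath,
        #[\SensitiveParameter]
        ?string $publicKey,
        #[\SensitiveParameter]
        ?string $publicKeyPath,
        #[\SensitiveParameter]
        array $rotatedKeys,
        #[\SensitiveParameter]
        array $rotatedKeyPaths,
    ): self {
        $useFiles = !$privateKey && !$publicKey;

        if ($useFiles) {
            // Rotated keys given inline while the primary pair comes from files is a misconfiguration.
            if ($rotatedKeys !== []) {
                throw new \RuntimeException('Unable to load encryption from configuration, missing the private or public key.');
            }
            if (!$privateKeyPath || !$publicKeyPath) {
                throw new \RuntimeException('Unable to load encryption from paths, missing the private or public key path.');
            }

            $filesystem = new Filesystem();
            if (!$filesystem->exists($privateKeyPath)) {
                throw new \RuntimeException("Private decryption key file \"$privateKeyPath\" does not exist.");
            }
            if (!$filesystem->exists($publicKeyPath)) {
                throw new \RuntimeException("Public encryption key file \"$publicKeyPath\" does not exist.");
            }
            foreach ($rotatedKeyPaths as $rotatedKeyPath) {
                if (!$filesystem->exists($rotatedKeyPath)) {
                    throw new \RuntimeException("Rotated key file \"$rotatedKeyPath\" does not exist.");
                }
            }

            // Key files commonly end in a newline, which sodium_hex2bin() rejects as invalid hex.
            $readHexKey = static fn (string $path): string => trim($filesystem->readFile($path));

            $privateKey = $readHexKey($privateKeyPath);
            $publicKey = $readHexKey($publicKeyPath);
            $rotatedKeys = array_map($readHexKey, $rotatedKeyPaths);
        } elseif (!$privateKey || !$publicKey) {
            // Exactly one inline key is set; without this check the missing one would reach
            // sodium_hex2bin(null) and only fail later, inside seal()/reveal().
            throw new \RuntimeException('Unable to load encryption from configuration, missing the private or public key.');
        }

        return new self(
            sodium_hex2bin($privateKey),
            sodium_hex2bin($publicKey),
            array_map(static fn (string $rotatedKey): string => sodium_hex2bin($rotatedKey), $rotatedKeys),
        );
    }

    /**
     * Seals `$data` with the active public key.
     *
     * @return string hex-encoded sealed box
     *
     * @throws \SodiumException when the public key is malformed
     */
    public function seal(#[\SensitiveParameter] string $data): string
    {
        return sodium_bin2hex(sodium_crypto_box_seal($data, $this->publicKey));
    }

    /**
     * Opens a value produced by `seal()`, trying the active key pair and then each rotated one.
     *
     * @param string $data hex-encoded sealed box
     *
     * @throws EncryptionException when `$data` is not valid hex, is too short to be a sealed box,
     *                             or cannot be opened with any configured key pair
     */
    public function reveal(#[\SensitiveParameter] string $data): string
    {
        try {
            $binary = sodium_hex2bin($data);

            // Active key pair first, then rotated ones in configured order.
            foreach ([$this->privateKey, ...$this->rotatedKeys] as $keyPair) {
                $value = sodium_crypto_box_seal_open($binary, $keyPair);
                if (false !== $value) {
                    return $value;
                }
            }
        } catch (\SodiumException $e) {
            // Malformed input is a decryption failure from the caller's point of view; keep the
            // libsodium error as the cause. Assumes EncryptionException keeps \Exception's
            // constructor signature — confirm.
            throw new EncryptionException('Unable to decrypt data.', previous: $e);
        }

        throw new EncryptionException('Unable to decrypt data.');
    }

    /**
     * Checks that the active key pair can round-trip a value.
     *
     * Only the active key pair is used on purpose: a rotated key must not mask a broken
     * current one.
     *
     * @throws EncryptionException when the active keys are malformed or do not match
     */
    public function validate(): void
    {
        $value = 'thank you for the music';

        try {
            $binary = sodium_hex2bin($this->seal($value));
            $revealedValue = sodium_crypto_box_seal_open($binary, $this->privateKey);
        } catch (\SodiumException $e) {
            // Wrong key sizes throw rather than return false; report them the same way.
            throw new EncryptionException('The encryption key is not valid.', previous: $e);
        }

        if ($value !== $revealedValue) {
            throw new EncryptionException('The encryption key is not valid.');
        }
    }
}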