|
1
|
|
|
<?php |
|
|
|
|
|
|
2
|
|
|
|
|
3
|
|
|
/* |
|
4
|
|
|
* crypto library |
|
5
|
|
|
* design choices: |
|
6
|
|
|
* - never return the exceptions from the lower levels |
|
7
|
|
|
* - keys creation from pre generated keys is done with a closure to inject in into a Key object |
|
8
|
|
|
* and not by using the 'insecure' method in the defuse library |
|
9
|
|
|
*/ |
|
10
|
|
|
|
|
11
|
|
|
ar_pinp::allow( 'ar_security_crypt'); |
|
12
|
|
|
|
|
13
|
|
|
use Defuse\Crypto as DC; |
|
14
|
|
|
|
|
15
|
|
|
class ar_security_crypt extends arBase { |
|
16
|
|
|
private $secret; |
|
17
|
|
|
private $method; |
|
18
|
|
|
const USEKEY = 1; |
|
19
|
|
|
const USEPASS = 2; |
|
20
|
|
|
|
|
21
|
|
|
private function keyRawToInternal ( $rawkey ) { |
|
22
|
|
|
static $key; |
|
23
|
|
|
static $func; |
|
24
|
|
|
if ( is_null($key) ) { |
|
25
|
|
|
$key = DC\Key::createNewRandomKey(); |
|
26
|
|
|
$func = function($rawkey) { |
|
27
|
|
|
return new self($rawkey); |
|
|
|
|
|
|
28
|
|
|
}; |
|
29
|
|
|
$func = $func->bindto($key,$key); |
|
30
|
|
|
} |
|
31
|
|
|
return $func($rawkey); |
|
32
|
|
|
} |
|
33
|
|
|
|
|
34
|
|
|
public function __construct() { |
|
35
|
|
|
} |
|
36
|
|
|
|
|
37
|
|
|
public function key($key) { |
|
38
|
|
|
$key = base64_decode($key,true); |
|
39
|
|
|
if ($key === false) { |
|
40
|
|
|
return ar('error')->raiseError('Invalid key encoding',1000); |
|
41
|
|
|
} |
|
42
|
|
|
|
|
43
|
|
|
try { |
|
44
|
|
|
$key = $this->keyRawToInternal($key); |
|
45
|
|
|
} catch (DC\Exception\EnvironmentIsBrokenException $ex) { |
|
46
|
|
|
return ar('error')->raiseError('Invalid key', 1000); |
|
47
|
|
|
} |
|
48
|
|
|
$ret = new self(); |
|
49
|
|
|
// hide key from most error related stackdumps |
|
50
|
|
|
$ret->secret = function() use ($key) { return $key; }; |
|
51
|
|
|
$ret->method=self::USEKEY; |
|
52
|
|
|
return $ret; |
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
public function passphrase($pass) |
|
56
|
|
|
{ |
|
57
|
|
|
$ret = new self(); |
|
58
|
|
|
$ret->method = self::USEPASS; |
|
59
|
|
|
// hide pass from most error related stackdumps |
|
60
|
|
|
$ret->secret = function() use ($pass) { return $pass; }; |
|
61
|
|
|
return $ret; |
|
62
|
|
|
} |
|
63
|
|
|
|
|
64
|
|
|
/* |
|
65
|
|
|
* keybytes are hardcoded to 32 bytes |
|
66
|
|
|
* 3 options: |
|
67
|
|
|
* A) base64 encoded key |
|
68
|
|
|
* B) key in the format for defuse |
|
69
|
|
|
* C) not a key |
|
70
|
|
|
* Only A and C are 'implemented' |
|
71
|
|
|
*/ |
|
72
|
|
|
|
|
73
|
|
|
public function encrypt($data) { |
|
74
|
|
|
if (!isset($this->method)) { |
|
75
|
|
|
return ar('error')->raiseError('use key or passphrase to init crypt engine',1000); |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
if(!is_scalar($data)) { |
|
79
|
|
|
return ar('error')->raiseError('Data should be a scalar datatype',1000); |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
try { |
|
83
|
|
|
$secret = $this->secret; |
|
84
|
|
|
if ($this->method === self::USEKEY ) { |
|
85
|
|
|
$ciphertext = DC\Crypto::encrypt($data, $secret(), true); |
|
86
|
|
|
} else { |
|
87
|
|
|
$ciphertext = DC\Crypto::encryptWithPassword($data, $secret(), true); |
|
88
|
|
|
|
|
89
|
|
|
} |
|
90
|
|
|
} catch (DC\Exception\EnvironmentIsBrokenException $ex) { |
|
91
|
|
|
return ar('error')->raiseError('enviroment is broken', 1000); |
|
92
|
|
|
} |
|
93
|
|
|
|
|
94
|
|
|
return base64_encode($ciphertext); |
|
95
|
|
|
} |
|
96
|
|
|
|
|
97
|
|
|
public function decrypt($data){ |
|
98
|
|
|
if (!isset($this->method)) { |
|
99
|
|
|
return ar('error')->raiseError('use key or passphrase to init crypt engine',1000); |
|
100
|
|
|
} |
|
101
|
|
|
$data = base64_decode($data,true); |
|
102
|
|
|
|
|
103
|
|
|
if($data === false ) { |
|
104
|
|
|
return ar('error')->raiseError('Invalid data, not properly base64 encoded',1000); |
|
105
|
|
|
} |
|
106
|
|
|
|
|
107
|
|
|
try { |
|
108
|
|
|
$secret = $this->secret; |
|
109
|
|
|
if ($this->method === self::USEKEY ) { |
|
110
|
|
|
$decrypted = DC\Crypto::decrypt($data, $secret(), true); |
|
111
|
|
|
} else { |
|
112
|
|
|
$decrypted = DC\Crypto::decryptWithPassword($data, $secret(), true); |
|
113
|
|
|
} |
|
114
|
|
|
} catch (DC\Exception\EnvironmentIsBrokenException $ex) { |
|
115
|
|
|
return ar('error')->raiseError('enviroment is broken', 1000); |
|
116
|
|
|
} catch ( DC\Exception\WrongKeyOrModifiedCiphertextException $ex) { |
|
117
|
|
|
return ar('error')->raiseError('wrong key of data has been tampered with', 1000); |
|
118
|
|
|
} |
|
119
|
|
|
return $decrypted; |
|
120
|
|
|
} |
|
121
|
|
|
|
|
122
|
|
|
public function generateKey(){ |
|
123
|
|
|
$key = DC\Key::createNewRandomKey(); |
|
124
|
|
|
$bytes = $key->getRawBytes(); |
|
125
|
|
|
return base64_encode($bytes); |
|
126
|
|
|
} |
|
127
|
|
|
|
|
128
|
|
|
} |
|
129
|
|
|
|
Ariadne-CMS /
ariadne
Loading history...
The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file.
The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place.
To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1.