From c010673705e6076b24ebecf6dcfe6b844c99fe18 Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer <clemens.schwaighofer@egplusww.com>
Date: Wed, 24 May 2023 16:00:49 +0900
Subject: [PATCH] CoreLibs add Security\SymmetricEncryption

---
 src/ACL/Login.php                             |   2 +-
 src/Basic.php                                 |   6 +-
 src/Check/Password.php                        |  39 ++--
 src/Output/Form/Generate.php                  |   2 +-
 src/Security/CreateKey.php                    |  61 +++++++
 src/Security/Password.php                     |  59 ++++++
 src/Security/SymmetricEncryption.php          |  96 ++++++++++
 .../CoreLibsSecurityPasswordTest.php}         |  12 +-
 .../CoreLibsSecuritySymmetricEncryption.php   | 172 ++++++++++++++++++
 9 files changed, 424 insertions(+), 25 deletions(-)
 create mode 100644 src/Security/CreateKey.php
 create mode 100644 src/Security/Password.php
 create mode 100644 src/Security/SymmetricEncryption.php
 rename test/phpunit/{Check/CoreLibsCheckPasswordTest.php => Security/CoreLibsSecurityPasswordTest.php} (78%)
 create mode 100644 test/phpunit/Security/CoreLibsSecuritySymmetricEncryption.php

diff --git a/src/ACL/Login.php b/src/ACL/Login.php
index 92a8702..e657ee1 100644
--- a/src/ACL/Login.php
+++ b/src/ACL/Login.php
@@ -68,7 +68,7 @@ declare(strict_types=1);
 
 namespace CoreLibs\ACL;
 
-use CoreLibs\Check\Password;
+use CoreLibs\Security\Password;
 use CoreLibs\Convert\Json;
 
 class Login
diff --git a/src/Basic.php b/src/Basic.php
index a9a70c5..7e1882e 100644
--- a/src/Basic.php
+++ b/src/Basic.php
@@ -1164,7 +1164,7 @@ class Basic
 	public function passwordSet(string $password): string
 	{
 		trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordSet()', E_USER_DEPRECATED);
-		return \CoreLibs\Check\Password::passwordSet($password);
+		return \CoreLibs\Security\Password::passwordSet($password);
 	}
 
 	/**
@@ -1177,7 +1177,7 @@ class Basic
 	public function passwordVerify(string $password, string $hash): bool
 	{
 		trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordVerify()', E_USER_DEPRECATED);
-		return \CoreLibs\Check\Password::passwordVerify($password, $hash);
+		return \CoreLibs\Security\Password::passwordVerify($password, $hash);
 	}
 
 	/**
@@ -1189,7 +1189,7 @@ class Basic
 	public function passwordRehashCheck(string $hash): bool
 	{
 		trigger_error('Method ' . __METHOD__ . ' is deprecated, use \CoreLibs\Check\Password::passwordRehashCheck()', E_USER_DEPRECATED);
-		return \CoreLibs\Check\Password::passwordRehashCheck($hash);
+		return \CoreLibs\Security\Password::passwordRehashCheck($hash);
 	}
 
 	// *** BETTER PASSWORD OPTIONS END ***
diff --git a/src/Check/Password.php b/src/Check/Password.php
index 1475064..f1f588b 100644
--- a/src/Check/Password.php
+++ b/src/Check/Password.php
@@ -1,6 +1,8 @@
 <?php
 
 /*
+ * NOTE: this is deprecated and all moved \CoreLibs\Security\Password
+ *
  * core password set, check and rehash check wrapper functions
  */
 
@@ -8,6 +10,8 @@ declare(strict_types=1);
 
 namespace CoreLibs\Check;
 
+use CoreLibs\Security\Password as PasswordNew;
+
 class Password
 {
 	/**
@@ -15,13 +19,16 @@ class Password
 	 *
 	 * @param  string $password password
 	 * @return string           hashed password
+	 * @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordSet
 	 */
 	public static function passwordSet(string $password): string
 	{
-		// always use the PHP default for the password
-		// password options ca be set in the password init,
-		// but should be kept as default
-		return password_hash($password, PASSWORD_DEFAULT);
+		trigger_error(
+			'Method ' . __METHOD__ . ' is deprecated, use '
+				. '\CoreLibs\Security\Password::passwordSet',
+			E_USER_DEPRECATED
+		);
+		return PasswordNew::passwordSet($password);
 	}
 
 	/**
@@ -30,14 +37,16 @@ class Password
 	 * @param  string $password password
 	 * @param  string $hash     password hash
 	 * @return bool             true or false
+	 * @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordVerify
 	 */
 	public static function passwordVerify(string $password, string $hash): bool
 	{
-		if (password_verify($password, $hash)) {
-			return true;
-		} else {
-			return false;
-		}
+		trigger_error(
+			'Method ' . __METHOD__ . ' is deprecated, use '
+				. '\CoreLibs\Security\Password::passwordVerify',
+			E_USER_DEPRECATED
+		);
+		return PasswordNew::passwordVerify($password, $hash);
 	}
 
 	/**
@@ -45,14 +54,16 @@ class Password
 	 *
 	 * @param  string $hash password hash
 	 * @return bool         true or false
+	 * @deprecated v9.0 Moved to \CoreLibs\Security\Password::passwordRehashCheck
 	 */
 	public static function passwordRehashCheck(string $hash): bool
 	{
-		if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
-			return true;
-		} else {
-			return false;
-		}
+		trigger_error(
+			'Method ' . __METHOD__ . ' is deprecated, use '
+				. '\CoreLibs\Security\Password::passwordRehashCheck',
+			E_USER_DEPRECATED
+		);
+		return PasswordNew::passwordRehashCheck($hash);
 	}
 }
 
diff --git a/src/Output/Form/Generate.php b/src/Output/Form/Generate.php
index 65555bc..90daccc 100644
--- a/src/Output/Form/Generate.php
+++ b/src/Output/Form/Generate.php
@@ -1954,7 +1954,7 @@ class Generate extends \CoreLibs\DB\Extended\ArrayIO
 				if ($this->table_array[$key]['value']) {
 					// use the better new passwordSet instead of crypt based
 					$this->table_array[$key]['value'] =
-						\CoreLibs\Check\Password::passwordSet($this->table_array[$key]['value']);
+						\CoreLibs\Security\Password::passwordSet($this->table_array[$key]['value']);
 					$this->table_array[$key]['HIDDEN_value'] = $this->table_array[$key]['value'];
 				} else {
 					// $this->table_array[$key]['HIDDEN_value'] =
diff --git a/src/Security/CreateKey.php b/src/Security/CreateKey.php
new file mode 100644
index 0000000..add2773
--- /dev/null
+++ b/src/Security/CreateKey.php
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ * very simple symmetric encryption
+ * better use: https://paragonie.com/project/halite
+ *
+ * this is for creating secret keys for
+ * Security\SymmetricEncryption
+ */
+
+declare(strict_types=1);
+
+namespace CoreLibs\Security;
+
+class CreateKey
+{
+	/**
+	 * Create a random key that is a hex string
+	 *
+	 * @return string Hex string key for encrypting
+	 */
+	public static function generateRandomKey(): string
+	{
+		return self::bin2hex(self::randomKey());
+	}
+
+	/**
+	 * create a random string as binary to encrypt data
+	 * to store it in clear text in some .env file use bin2hex
+	 *
+	 * @return string Binary string for encryption
+	 */
+	public static function randomKey(): string
+	{
+		return random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
+	}
+
+	/**
+	 * convert binary key to hex string
+	 *
+	 * @param  string $hex_key Convert binary key string to hex
+	 * @return string
+	 */
+	public static function bin2hex(string $hex_key): string
+	{
+		return sodium_bin2hex($hex_key);
+	}
+
+	/**
+	 * convert hex string to binary key
+	 *
+	 * @param  string $string_key Convery hex key string to binary
+	 * @return string
+	 */
+	public static function hex2bin(string $string_key): string
+	{
+		return sodium_hex2bin($string_key);
+	}
+}
+
+// __END__
diff --git a/src/Security/Password.php b/src/Security/Password.php
new file mode 100644
index 0000000..984fa5c
--- /dev/null
+++ b/src/Security/Password.php
@@ -0,0 +1,59 @@
+<?php
+
+/*
+ * core password set, check and rehash check wrapper functions
+ */
+
+declare(strict_types=1);
+
+namespace CoreLibs\Security;
+
+class Password
+{
+	/**
+	 * creates the password hash
+	 *
+	 * @param  string $password password
+	 * @return string           hashed password
+	 */
+	public static function passwordSet(string $password): string
+	{
+		// always use the PHP default for the password
+		// password options ca be set in the password init,
+		// but should be kept as default
+		return password_hash($password, PASSWORD_DEFAULT);
+	}
+
+	/**
+	 * checks if the entered password matches the hash
+	 *
+	 * @param  string $password password
+	 * @param  string $hash     password hash
+	 * @return bool             true or false
+	 */
+	public static function passwordVerify(string $password, string $hash): bool
+	{
+		if (password_verify($password, $hash)) {
+			return true;
+		} else {
+			return false;
+		}
+	}
+
+	/**
+	 * checks if the password needs to be rehashed
+	 *
+	 * @param  string $hash password hash
+	 * @return bool         true or false
+	 */
+	public static function passwordRehashCheck(string $hash): bool
+	{
+		if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
+			return true;
+		} else {
+			return false;
+		}
+	}
+}
+
+// __END__
diff --git a/src/Security/SymmetricEncryption.php b/src/Security/SymmetricEncryption.php
new file mode 100644
index 0000000..cd99f58
--- /dev/null
+++ b/src/Security/SymmetricEncryption.php
@@ -0,0 +1,96 @@
+<?php
+
+/**
+ * very simple symmetric encryption
+ * Better use: https://paragonie.com/project/halite
+ *
+ * current code is just to encrypt and decrypt
+ *
+ * must use a valid encryption key created with
+ * Secruty\CreateKey class
+ */
+
+declare(strict_types=1);
+
+namespace CoreLibs\Security;
+
+use CoreLibs\Security\CreateKey;
+use SodiumException;
+
+class SymmetricEncryption
+{
+	/**
+	 * Encrypt a message
+	 *
+	 * @param  string $message Message to encrypt
+	 * @param  string $key     Encryption key (as hex string)
+	 * @return string
+	 * @throws \RangeException
+	 */
+	public static function encrypt(string $message, string $key): string
+	{
+		try {
+			$key = CreateKey::hex2bin($key);
+		} catch (SodiumException $e) {
+			throw new \Exception('Invalid hex key');
+		}
+		if (mb_strlen($key, '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+			throw new \RangeException(
+				'Key is not the correct size (must be '
+					. 'SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long).'
+			);
+		}
+		$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+
+		$cipher = base64_encode(
+			$nonce
+			. sodium_crypto_secretbox(
+				$message,
+				$nonce,
+				$key
+			)
+		);
+		sodium_memzero($message);
+		sodium_memzero($key);
+		return $cipher;
+	}
+
+	/**
+	 * Decrypt a message
+	 *
+	 * @param  string $encrypted Message encrypted with safeEncrypt()
+	 * @param  string $key       Encryption key (as hex string)
+	 * @return string
+	 * @throws \Exception
+	 */
+	public static function decrypt(string $encrypted, string $key): string
+	{
+		try {
+			$key = CreateKey::hex2bin($key);
+		} catch (SodiumException $e) {
+			throw new \Exception('Invalid hex key');
+		}
+		$decoded = base64_decode($encrypted);
+		$nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+		$ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+
+		$plain = false;
+		try {
+			$plain = sodium_crypto_secretbox_open(
+				$ciphertext,
+				$nonce,
+				$key
+			);
+		} catch (SodiumException $e) {
+			throw new \Exception('Invalid ciphertext (too short)');
+		}
+		if (!is_string($plain)) {
+			throw new \Exception('Invalid Key');
+		}
+		sodium_memzero($ciphertext);
+		sodium_memzero($key);
+		return $plain;
+	}
+}
+
+// __END__
diff --git a/test/phpunit/Check/CoreLibsCheckPasswordTest.php b/test/phpunit/Security/CoreLibsSecurityPasswordTest.php
similarity index 78%
rename from test/phpunit/Check/CoreLibsCheckPasswordTest.php
rename to test/phpunit/Security/CoreLibsSecurityPasswordTest.php
index ce6a749..80adec6 100644
--- a/test/phpunit/Check/CoreLibsCheckPasswordTest.php
+++ b/test/phpunit/Security/CoreLibsSecurityPasswordTest.php
@@ -7,11 +7,11 @@ namespace tests;
 use PHPUnit\Framework\TestCase;
 
 /**
- * Test class for Check\Password
- * @coversDefaultClass \CoreLibs\Check\Password
- * @testdox \CoreLibs\Check\Password method tests
+ * Test class for Security\Password
+ * @coversDefaultClass \CoreLibs\Security\Password
+ * @testdox \CoreLibs\Security\Password method tests
  */
-final class CoreLibsCheckPasswordTest extends TestCase
+final class CoreLibsSecurityPasswordTest extends TestCase
 {
 	public function passwordProvider(): array
 	{
@@ -46,7 +46,7 @@ final class CoreLibsCheckPasswordTest extends TestCase
 	{
 		$this->assertEquals(
 			$expected,
-			\CoreLibs\Check\Password::passwordVerify($input, \CoreLibs\Check\Password::passwordSet($input_hash))
+			\CoreLibs\Security\Password::passwordVerify($input, \CoreLibs\Security\Password::passwordSet($input_hash))
 		);
 	}
 
@@ -65,7 +65,7 @@ final class CoreLibsCheckPasswordTest extends TestCase
 	{
 		$this->assertEquals(
 			$expected,
-			\CoreLibs\Check\Password::passwordRehashCheck($input)
+			\CoreLibs\Security\Password::passwordRehashCheck($input)
 		);
 	}
 }
diff --git a/test/phpunit/Security/CoreLibsSecuritySymmetricEncryption.php b/test/phpunit/Security/CoreLibsSecuritySymmetricEncryption.php
new file mode 100644
index 0000000..9e2773d
--- /dev/null
+++ b/test/phpunit/Security/CoreLibsSecuritySymmetricEncryption.php
@@ -0,0 +1,172 @@
+<?php
+
+declare(strict_types=1);
+
+namespace tests;
+
+use PHPUnit\Framework\TestCase;
+use CoreLibs\Security\CreateKey;
+use CoreLibs\Security\SymmetricEncryption;
+
+/**
+ * Test class for Security\SymmetricEncryption and Security\CreateKey
+ * @coversDefaultClass \CoreLibs\Security\SymmetricEncryption
+ * @testdox \CoreLibs\Security\SymmetricEncryption method tests
+ */
+final class CoreLibsSecuritySymmetricEncryption extends TestCase
+{
+	/**
+	 * Undocumented function
+	 *
+	 * @return array
+	 */
+	public function providerEncryptDecryptSuccess(): array
+	{
+		return [
+			'valid string' => [
+				'input' => 'I am a secret',
+				'expected' => 'I am a secret',
+			],
+		];
+	}
+
+	/**
+	 * test encrypt/decrypt produce correct output
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptDecryptSuccess
+	 * @testdox encrypt/decrypt $input must be $expected [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $expected
+	 * @return void
+	 */
+	public function testEncryptDecryptSuccess(string $input, string $expected): void
+	{
+		$key = CreateKey::generateRandomKey();
+		$encrypted = SymmetricEncryption::encrypt($input, $key);
+		$decrypted = SymmetricEncryption::decrypt($encrypted, $key);
+
+		$this->assertEquals(
+			$expected,
+			$decrypted
+		);
+	}
+
+	/**
+	 * Undocumented function
+	 *
+	 * @return array
+	 */
+	public function providerEncryptFailed(): array
+	{
+		return [
+			'wrong decryption key' => [
+				'input' => 'I am a secret',
+				'excpetion_message' => 'Invalid Key'
+			],
+		];
+	}
+
+	/**
+	 * Test decryption with wrong key
+	 *
+	 * @covers ::generateRandomKey
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerEncryptFailed
+	 * @testdox decrypt with wrong key $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testEncryptFailed(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+		$encrypted = SymmetricEncryption::encrypt($input, $key);
+		$wrong_key = CreateKey::generateRandomKey();
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decrypt($encrypted, $wrong_key);
+	}
+
+	/**
+	 * Undocumented function
+	 *
+	 * @return array
+	 */
+	public function providerWrongKey(): array
+	{
+		return [
+			'not hex key' => [
+				'key' => 'not_a_hex_key',
+				'exception_message' => 'Invalid hex key'
+			],
+			'too short hex key' => [
+				'key' => '1cabd5cba9e042f12522f4ff2de5c31d233b',
+				'excpetion_message' => 'Key is not the correct size (must be '
+					. 'SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long).'
+			],
+		];
+	}
+
+	/**
+	 * test invalid key provided to decrypt or encrypt
+	 *
+	 * @covers ::encrypt
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongKey
+	 * @testdox wrong key $key throws $exception_message [$_dataName]
+	 *
+	 * @param  string $key
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongKey(string $key, string $exception_message): void
+	{
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::encrypt('test', $key);
+		// we must encrypt valid thing first so we can fail with the wrong kjey
+		$enc_key = CreateKey::generateRandomKey();
+		$encrypted = SymmetricEncryption::encrypt('test', $enc_key);
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decrypt($encrypted, $key);
+	}
+
+	/**
+	 * Undocumented function
+	 *
+	 * @return array
+	 */
+	public function providerWrongCiphertext(): array
+	{
+		return [
+			'too short ciphertext' => [
+				'input' => 'short',
+				'exception_message' => 'Invalid ciphertext (too short)'
+			],
+		];
+	}
+
+	/**
+	 * Undocumented function
+	 *
+	 * @covers ::decrypt
+	 * @dataProvider providerWrongCiphertext
+	 * @testdox too short ciphertext $input throws $exception_message [$_dataName]
+	 *
+	 * @param  string $input
+	 * @param  string $exception_message
+	 * @return void
+	 */
+	public function testWrongCiphertext(string $input, string $exception_message): void
+	{
+		$key = CreateKey::generateRandomKey();
+		$this->expectExceptionMessage($exception_message);
+		SymmetricEncryption::decrypt($input, $key);
+	}
+}
+
+// __END__