added crypt sodium

Author: brenno-duarte

.gitignore

@@ -1,4 +1,5 @@
 vendor/
 composer.lock
 index.php
-.phpunit.result.cache
+.phpunit.result.cache
+.phpunit.cache

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Released Notes
 
+## v3.0.0 - (2022-11-11)
+
+### Added
+
+- Added PHP 8.2 minimum version
+- Added classes for encryption: OpenSSL and Sodium support
+- Added `PepperTrait` trait to handle the peeper separately from the `SecuryPassword` class
+
+### Changed
+
+- Changed class structure
+
+-----------------------------------------------------------
+
 ## v2.0.0 - (2022-09-21)
 
 ### Added

README.md

@@ -8,7 +8,7 @@ Unlike just using `password_hash`, SecurePassword adds a secret entry (commonly
 
 ## Requirements
 
-PHP >= 8.0
+PHP >= 8.2
 
 ## Installing via Composer
 
@@ -150,6 +150,45 @@ $hash = $password->useArgon2(false, PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWOR
 $hash = $password->useArgon2(true, PASSWORD_ARGON2_DEFAULT_MEMORY_COST, PASSWORD_ARGON2_DEFAULT_TIME_COST, PASSWORD_ARGON2_DEFAULT_THREADS)->createHash('my_password');
 ```
 
+## Using OpenSSL and Sodium encryption
+
+You can use OpenSSL and Sodium encryption using the `Encryption` class:
+
+```php 
+use SecurePassword\Encrypt\Encryption;
+
+$encryption = new Encryption('your-key');
+
+//Encrypt the message
+$encrypt = $encryption->encrypt("This is a text");
+
+echo $encrypt;
+```
+
+You can decrypt token by calling decrypt method:
+
+```php 
+$encryption = new Encryption('your-key');
+
+//Decrypt the message
+$decrypt = $encryption->decrypt($encrypt);
+
+echo $decrypt;
+```
+
+You can pass supported adapter to class like:
+
+Use of OpenSSL
+```php 
+$encryption = new Encryption(new OpenSslEncryption('your-key'));
+```
+Use of Sodium
+```php 
+$encryption = new Encryption(new SodiumEncryption('your-key'));
+```
+
+Default openSSL will use, you can use any one you want.
+
 ## Changing the secret entry (recommended)
 
 It is recommended to change the secret entry (or pepper) that will be added to your password. Use `setPepper` to change.
@@ -159,6 +198,16 @@ $password = new SecurePassword();
 $password->setPepper('new_pepper');
 ```
 
+By default, the `setPepper` method uses OpenSSL encryption. However, you can use Sodium encryption if you want.
+
+```php
+// Use OpenSSL
+$password->setPepper('new_pepper', 'openssl');
+
+// Use Sodium
+$password->setPepper('new_pepper', 'sodium');
+```
+
 ## Getting the ideal encryption cost
 
 Here's a quick little function that will help you determine what cost parameter you should be using for your server to make sure you are within this range.

composer.json

@@ -8,10 +8,10 @@
         "php-password"
     ],
     "require": {
-        "php": ">=8.0"
+        "php": "^8.2"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.5"
+        "phpunit/phpunit": "^10"
     },
     "autoload": {
         "psr-4": {

phpunit.xml

@@ -1,12 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
-<phpunit bootstrap="vendor/autoload.php"
-    colors="true"
-    verbose="true"
-    stopOnFailure="false">
-    <testsuites>
-        <testsuite name="Password Test Suite">
-            <directory>tests</directory>
-        </testsuite>
-    </testsuites>
-</phpunit>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="vendor/autoload.php" colors="true" stopOnFailure="false" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.4/phpunit.xsd" cacheDirectory=".phpunit.cache">
+  <testsuites>
+    <testsuite name="Password Test Suite">
+      <directory>tests</directory>
+    </testsuite>
+  </testsuites>
+</phpunit>

src/Encrypt/Adapter/AbstractAdapterInterface.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace SecurePassword\Encrypt\Adapter;
+
+interface AbstractAdapterInterface
+{
+    /**
+     * Encrypt the message.
+     *
+     * @param mixed $data data to be encrypted
+
+     * @return mixed
+     */
+    public function encrypt(mixed $data): mixed;
+
+    /**
+     * Decrypt the message.
+     *
+     * @param mixed $token encrypted token
+
+     * @return mixed
+     */
+    public function decrypt(mixed $token): mixed;
+}

src/Encrypt/Adapter/OpenSslEncryption.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace SecurePassword\Encrypt\Adapter;
+
+class OpenSslEncryption implements AbstractAdapterInterface
+{
+    /**
+     * Store the cipher iv.
+     *
+     * @var string
+     */
+    private string $iv;
+
+    /**
+     * Store secret key.
+     *
+     * @var string
+     */
+    private string $key;
+
+    /**
+     * Cipher.
+     *
+     * @var string
+     */
+    private string $cipher = 'AES-256-CBC';
+
+    /**
+     * __Construct.
+     *
+     * @since 1.0.0
+     *
+     * @return void
+     */
+    public function __construct(string $key)
+    {
+        if ($key === '') {
+            throw new \InvalidArgumentException('The key should not be empty string.');
+        }
+
+        $this->iv = openssl_random_pseudo_bytes($this->ivBytes($this->cipher));
+        $this->key = hash('sha512', $key);
+    }
+
+    /**
+     * Encrypt the message.
+     *
+     * @param mixed $data => data to be encrypted
+     *
+     * @return token
+     */
+    public function encrypt(mixed $data): mixed
+    {
+        return base64_encode(openssl_encrypt($data, $this->cipher, $this->key, 0, $this->iv).'&&'.bin2hex($this->iv));
+    }
+
+    /**
+     * Decrypt the message.
+     *
+     * @param mixed $token => encrypted token
+
+     * @return mix-data
+     */
+    public function decrypt(mixed $token): mixed
+    {
+        $token = base64_decode($token);
+        list($token, $this->iv) = explode('&&', $token);
+
+        return openssl_decrypt($token, $this->cipher, $this->key, 0, hex2bin($this->iv));
+    }
+
+    /**
+     * Get the length of cipher.
+     *
+     * @param $method
+
+     * @return int
+     */
+    protected function ivBytes(string $method): int
+    {
+        return openssl_cipher_iv_length($method);
+    }
+}

src/Encrypt/Adapter/SodiumEncryption.php

@@ -0,0 +1,80 @@
+<?php
+
+namespace SecurePassword\Encrypt\Adapter;
+
+class SodiumEncryption implements AbstractAdapterInterface
+{
+    /**
+     * Store secret key.
+     *
+     * @var string
+     */
+    private string $key;
+
+    /**
+     * __Construct.
+     *
+     * @param string $key
+     */
+    public function __construct(string $key)
+    {
+        if ($key === '') {
+            throw new \InvalidArgumentException('The key should not be empty string.');
+        }
+
+        if (!function_exists('sodium_crypto_secretbox_keygen')) {
+            throw new \Exception('The sodium php extension does not installed or enabled', 500);
+        }
+
+        //should use user define key.
+        $this->key = substr(hash('sha512', $key), 0, 32);
+    }
+
+    /**
+     * Encrypt the message.
+     *
+     * @param string $data data to be encrypted
+     * 
+     * @return mixed
+     */
+    public function encrypt(mixed $data): mixed
+    {
+        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $token = base64_encode($nonce.sodium_crypto_secretbox($data, $nonce, $this->key).'&&'.$this->key);
+
+        return $token;
+    }
+
+    /**
+     * Decrypt the message.
+     *
+     * @param mixed $token encrypted token
+
+     * @return mixed
+     */
+    public function decrypt(mixed $token): mixed
+    {
+        $decoded = base64_decode($token);
+        list($decoded, $this->key) = explode('&&', $decoded);
+        
+        if ($decoded === false) {
+            throw new \Exception('The decoding failed');
+        }
+
+        if (mb_strlen($decoded, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
+            throw new \Exception('The token was truncated');
+        }
+
+        $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+
+        $plain = sodium_crypto_secretbox_open($ciphertext,
+        $nonce, $this->key);
+
+        if ($plain === false) {
+            throw new \Exception('The message was tampered with in transit');
+        }
+
+        return $plain;
+    }
+}

src/Encrypt/Encryption.php

@@ -0,0 +1,44 @@
+<?php
+
+namespace SecurePassword\Encrypt;
+
+use SecurePassword\Encrypt\Adapter\AbstractAdapterInterface;
+
+class Encryption
+{
+    /**
+     * @param AbstractAdapterInterface $adapter
+     */
+    public function __construct(
+        private AbstractAdapterInterface $adapter
+    )
+    {
+        if ($this->adapter === null) {
+            throw new \InvalidArgumentException('The adapter class should not be null.');
+        }
+    }
+
+    /**
+     * Encrypt the message.
+     *
+     * @param mixed $data data to be encrypted
+     *
+     * @return mixed
+     */
+    public function encrypt(mixed $data): mixed
+    {
+        return $this->adapter->encrypt($data);
+    }
+
+    /**
+     * Decrypt the message.
+     *
+     * @param mixed $token encrypted token
+
+     * @return mixed
+     */
+    public function decrypt(mixed $token): mixed
+    {
+        return $this->adapter->decrypt($token);
+    }
+}