From ce69a91f59ffb8fd19353d01d72459c63794191a Mon Sep 17 00:00:00 2001 From: Paragon Initiative Enterprises Date: Wed, 8 May 2024 08:57:18 -0400 Subject: [PATCH 1/2] Use SensitiveParameter --- src/Asymmetric/Crypto.php | 14 ++++++++++++++ src/Asymmetric/EncryptionSecretKey.php | 7 +++++-- src/Asymmetric/SecretKey.php | 7 +++++-- src/Asymmetric/SignatureSecretKey.php | 7 +++++-- src/Cookie.php | 8 ++++++-- src/EncryptionKeyPair.php | 6 ++++-- src/Password.php | 10 ++++++++++ src/SignatureKeyPair.php | 6 ++++-- src/Symmetric/AuthenticationKey.php | 6 ++++-- src/Symmetric/EncryptionKey.php | 6 ++++-- 10 files changed, 61 insertions(+), 16 deletions(-) diff --git a/src/Asymmetric/Crypto.php b/src/Asymmetric/Crypto.php index 3f9362c..42c8baa 100644 --- a/src/Asymmetric/Crypto.php +++ b/src/Asymmetric/Crypto.php @@ -84,7 +84,9 @@ final private function __construct() * @throws TypeError */ public static function encrypt( + #[\SensitiveParameter] HiddenString $plaintext, + #[\SensitiveParameter] EncryptionSecretKey $ourPrivateKey, EncryptionPublicKey $theirPublicKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE @@ -118,9 +120,12 @@ public static function encrypt( * @throws TypeError */ public static function encryptWithAD( + #[\SensitiveParameter] HiddenString $plaintext, + #[\SensitiveParameter] EncryptionSecretKey $ourPrivateKey, EncryptionPublicKey $theirPublicKey, + #[\SensitiveParameter] string $additionalData = '', string|bool $encoding = Halite::ENCODE_BASE64URLSAFE ): string { @@ -163,6 +168,7 @@ public static function encryptWithAD( */ public static function decrypt( string $ciphertext, + #[\SensitiveParameter] EncryptionSecretKey $ourPrivateKey, EncryptionPublicKey $theirPublicKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE @@ -198,8 +204,10 @@ public static function decrypt( */ public static function decryptWithAD( string $ciphertext, + #[\SensitiveParameter] EncryptionSecretKey $ourPrivateKey, EncryptionPublicKey $theirPublicKey, + #[\SensitiveParameter] string $additionalData = '', string|bool $encoding = Halite::ENCODE_BASE64URLSAFE ): HiddenString { @@ -241,6 +249,7 @@ public static function decryptWithAD( * @throws TypeError */ public static function getSharedSecret( + #[\SensitiveParameter] EncryptionSecretKey $privateKey, EncryptionPublicKey $publicKey, bool $get_as_object = false, @@ -291,6 +300,7 @@ public static function getSharedSecret( * @throws TypeError */ public static function seal( + #[\SensitiveParameter] HiddenString $plaintext, EncryptionPublicKey $publicKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE @@ -321,6 +331,7 @@ public static function seal( */ public static function sign( string $message, + #[\SensitiveParameter] SignatureSecretKey $privateKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE ): string { @@ -355,6 +366,7 @@ public static function sign( */ public static function signAndEncrypt( HiddenString $message, + #[\SensitiveParameter] SignatureSecretKey $secretKey, PublicKey $recipientPublicKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE @@ -393,6 +405,7 @@ public static function signAndEncrypt( */ public static function unseal( string $ciphertext, + #[\SensitiveParameter] EncryptionSecretKey $privateKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE ): HiddenString { @@ -505,6 +518,7 @@ public static function verify( public static function verifyAndDecrypt( string $ciphertext, SignaturePublicKey $senderPublicKey, + #[\SensitiveParameter] SecretKey $givenSecretKey, string|bool $encoding = Halite::ENCODE_BASE64URLSAFE ): HiddenString { diff --git a/src/Asymmetric/EncryptionSecretKey.php b/src/Asymmetric/EncryptionSecretKey.php index ede9f8b..c361ab1 100644 --- a/src/Asymmetric/EncryptionSecretKey.php +++ b/src/Asymmetric/EncryptionSecretKey.php @@ -28,8 +28,11 @@ final class EncryptionSecretKey extends SecretKey * @throws InvalidKey * @throws TypeError */ - public function __construct(HiddenString $keyMaterial, ?HiddenString $pk = null) - { + public function __construct( + #[\SensitiveParameter] + HiddenString $keyMaterial, + ?HiddenString $pk = null + ) { if (Binary::safeStrlen($keyMaterial->getString()) !== SODIUM_CRYPTO_BOX_SECRETKEYBYTES) { throw new InvalidKey( sprintf( diff --git a/src/Asymmetric/SecretKey.php b/src/Asymmetric/SecretKey.php index 6da48fa..ee8d7f6 100644 --- a/src/Asymmetric/SecretKey.php +++ b/src/Asymmetric/SecretKey.php @@ -24,8 +24,11 @@ class SecretKey extends Key * * @throws TypeError */ - public function __construct(HiddenString $keyMaterial, ?HiddenString $pk = null) - { + public function __construct( + #[\SensitiveParameter] + HiddenString $keyMaterial, + ?HiddenString $pk = null + ) { parent::__construct($keyMaterial); if (!is_null($pk)) { $this->cachedPublicKey = $pk->getString(); diff --git a/src/Asymmetric/SignatureSecretKey.php b/src/Asymmetric/SignatureSecretKey.php index f834f6c..355db43 100644 --- a/src/Asymmetric/SignatureSecretKey.php +++ b/src/Asymmetric/SignatureSecretKey.php @@ -33,8 +33,11 @@ final class SignatureSecretKey extends SecretKey * @throws InvalidKey * @throws TypeError */ - public function __construct(HiddenString $keyMaterial, ?HiddenString $pk = null) - { + public function __construct( + #[\SensitiveParameter] + HiddenString $keyMaterial, + ?HiddenString $pk = null + ) { if (Binary::safeStrlen($keyMaterial->getString()) !== SODIUM_CRYPTO_SIGN_SECRETKEYBYTES) { throw new InvalidKey( sprintf( diff --git a/src/Cookie.php b/src/Cookie.php index c905f15..beb493b 100644 --- a/src/Cookie.php +++ b/src/Cookie.php @@ -86,8 +86,10 @@ public function __debugInfo() * @throws SodiumException * @throws TypeError */ - public function fetch(string $name) - { + public function fetch( + #[\SensitiveParameter] + string $name + ) { if (!isset($_COOKIE[$name])) { return null; } @@ -165,7 +167,9 @@ protected static function getConfig(string $stored): SymmetricConfig * @psalm-suppress MixedArgument */ public function store( + #[\SensitiveParameter] string $name, + #[\SensitiveParameter] $value, int $expire = 0, string $path = '/', diff --git a/src/EncryptionKeyPair.php b/src/EncryptionKeyPair.php index 4b675d5..182c855 100644 --- a/src/EncryptionKeyPair.php +++ b/src/EncryptionKeyPair.php @@ -131,8 +131,10 @@ public function __construct(Key ...$keys) * @throws InvalidKey * @throws \TypeError */ - protected function setupKeyPair(EncryptionSecretKey $secret): void - { + protected function setupKeyPair( + #[\SensitiveParameter] + EncryptionSecretKey $secret + ): void { $this->secretKey = $secret; $this->publicKey = $this->secretKey->derivePublicKey(); } diff --git a/src/Password.php b/src/Password.php index 8acd6d5..ba8dda9 100644 --- a/src/Password.php +++ b/src/Password.php @@ -64,9 +64,12 @@ final class Password * @throws TypeError */ public static function hash( + #[\SensitiveParameter] HiddenString $password, + #[\SensitiveParameter] EncryptionKey $secretKey, string $level = KeyFactory::INTERACTIVE, + #[\SensitiveParameter] string $additionalData = '' ): string { $kdfLimits = KeyFactory::getSecurityLevels($level); @@ -105,9 +108,12 @@ public static function hash( * @throws TypeError */ public static function needsRehash( + #[\SensitiveParameter] string $stored, + #[\SensitiveParameter] EncryptionKey $secretKey, string $level = KeyFactory::INTERACTIVE, + #[\SensitiveParameter] string $additionalData = '' ): bool { $config = self::getConfig($stored); @@ -203,9 +209,13 @@ protected static function getConfig(string $stored): SymmetricConfig * @throws TypeError */ public static function verify( + #[\SensitiveParameter] HiddenString $password, + #[\SensitiveParameter] string $stored, + #[\SensitiveParameter] EncryptionKey $secretKey, + #[\SensitiveParameter] string $additionalData = '' ): bool { $config = self::getConfig($stored); diff --git a/src/SignatureKeyPair.php b/src/SignatureKeyPair.php index d36386d..721b9e9 100644 --- a/src/SignatureKeyPair.php +++ b/src/SignatureKeyPair.php @@ -157,8 +157,10 @@ public function getEncryptionKeyPair(): EncryptionKeyPair * @throws InvalidKey * @throws SodiumException */ - protected function setupKeyPair(SignatureSecretKey $secret): void - { + protected function setupKeyPair( + #[\SensitiveParameter] + SignatureSecretKey $secret + ): void { $this->secretKey = $secret; $this->publicKey = $this->secretKey->derivePublicKey(); } diff --git a/src/Symmetric/AuthenticationKey.php b/src/Symmetric/AuthenticationKey.php index 3ef8f51..a53a69b 100644 --- a/src/Symmetric/AuthenticationKey.php +++ b/src/Symmetric/AuthenticationKey.php @@ -27,8 +27,10 @@ final class AuthenticationKey extends SecretKey * @throws InvalidKey * @throws TypeError */ - public function __construct(HiddenString $keyMaterial) - { + public function __construct( + #[\SensitiveParameter] + HiddenString $keyMaterial + ) { if (Binary::safeStrlen($keyMaterial->getString()) !== SODIUM_CRYPTO_AUTH_KEYBYTES) { throw new InvalidKey( sprintf( diff --git a/src/Symmetric/EncryptionKey.php b/src/Symmetric/EncryptionKey.php index 2443980..ea8fee2 100644 --- a/src/Symmetric/EncryptionKey.php +++ b/src/Symmetric/EncryptionKey.php @@ -25,8 +25,10 @@ final class EncryptionKey extends SecretKey * @throws InvalidKey * @throws TypeError */ - public function __construct(HiddenString $keyMaterial) - { + public function __construct( + #[\SensitiveParameter] + HiddenString $keyMaterial + ) { if (Binary::safeStrlen($keyMaterial->getString()) !== SODIUM_CRYPTO_STREAM_KEYBYTES) { throw new InvalidKey( sprintf( From d34609d79505f6e9314c1ecea354ffed5ed29058 Mon Sep 17 00:00:00 2001 From: Paragon Initiative Enterprises Date: Wed, 8 May 2024 08:58:43 -0400 Subject: [PATCH 2/2] Update CHANGELOG, CI config --- .github/workflows/ci.yml | 2 +- .github/workflows/psalm.yml | 2 +- CHANGELOG.md | 6 ++++++ psalm.xml | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ca9460..7eba2b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,7 +28,7 @@ jobs: coverage: none - name: Install Composer dependencies - uses: "ramsey/composer-install@v2" + uses: "ramsey/composer-install@v3" - name: PHPUnit tests run: vendor/bin/phpunit \ No newline at end of file diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml index f5bd5c5..489eb95 100644 --- a/.github/workflows/psalm.yml +++ b/.github/workflows/psalm.yml @@ -26,7 +26,7 @@ jobs: coverage: none - name: Install Composer dependencies - uses: "ramsey/composer-install@v2" + uses: "ramsey/composer-install@v3" with: composer-options: --no-dev diff --git a/CHANGELOG.md b/CHANGELOG.md index b4a7cc4..1a3daf2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## Version 5.1.2 (2024-05-08) + +* Use `#[SensitiveParameter]` annotation on some inputs + * This is defense in depth; we already wrapped most in `HiddenString` +* Updated dependencies + ## Version 5.1.1 (2024-04-19) * Support both sodium_compat v1 and v2. diff --git a/psalm.xml b/psalm.xml index 5d159e6..132ad1c 100644 --- a/psalm.xml +++ b/psalm.xml @@ -11,6 +11,7 @@ +