Sodium implementation (#8)

* wip: working on sodium implementation

* feature: initial sodium library implementation in object-oriented code
for #7

* test: message classes

* refactor: remove unused class

* refactor: remove unused uri classes

* test: cipher & init vector

* test: key pair - 100% coverage

* feature: encrypted uri

* tweak: don't pass unused public key

* tweak: remove unused import

* test: fix tests after refactor

* refactor: only use psr standard functionality

* refactor: automatically generate key's bytes

* refactor: secretbox sodium.php

* refactor: secretbox sodium.php

* refactor: secretbox sodium-lib-uri.php

* refactor: secretbox remove unused references

* refactor: no need to pass shared key as it's already in the uri

* test: EncryptedMessage

* test: tests passing

* feature: do not pass key in uri

* test: cipher text geturi

* test: key

* test: EncryptedUri - 100% coverage

* tweak: output shared key with uri

* tweak: use cipher test uri

* stan: remove unused key

Author: Greg Bowler

Diff for: README.md

@@ -35,17 +35,17 @@ The `URIAdapter` class can be used to convert from a `Message` to a URI query st
 $message = "Hello, PHP.Gt!";
 $privateKey = "This can be any string, but a long random string is best.";
 
-$message = new \Gt\Cipher\Message($message, $privateKey);
+$message = new \Gt\Cipher\Message\PlainTextMessage($message, $privateKey);
 // Redirect to receiver.php, possibly on another server:
-header("Location: " . new \Gt\Cipher\UriAdapter($message, "/receiver.php"));
+header("Location: " . new \Gt\Cipher\CipherUri($message, "/receiver.php"));
 ```
 
 `receiver.php`:
 
 ```php
 // This key must be the same on the sender and receiver!
 $privateKey = "This can be any string, but a long random string is best.";
-$cipher = new \Gt\Cipher\EncryptedMessage($_GET["cipher"], $_GET["iv"], $privateKey);
+$cipher = new \Gt\Cipher\Message\EncryptedMessage($_GET["cipher"], $_GET["iv"], $privateKey);
 echo $cipher->getMessage();
 // Output: Hello, PHP.Gt!
 ```

Diff for: composer.json

@@ -4,7 +4,7 @@
 	"type": "library",
 	"require": {
 		"php": ">=8.0",
-		"ext-openssl": "*",
+		"ext-sodium": "*",
 		"phpgt/http": "v1.*"
 	},
 	"require-dev": {

Diff for: composer.lock

@@ -0,0 +1,25 @@
+<?php
+use Gt\Cipher\EncryptedUri;
+use Gt\Cipher\Key;
+use Gt\Cipher\Message\PlainTextMessage;
+
+require("vendor/autoload.php");
+
+$sharedKey = new Key();
+$message = new PlainTextMessage("Cipher test!");
+echo "Message to send: $message", PHP_EOL;
+
+$cipherText = $message->encrypt($sharedKey);
+$uri = $cipherText->getUri("https://cipher-test.g105b.com/");
+echo "Key: $sharedKey", PHP_EOL;
+echo "URI: $uri", PHP_EOL;
+
+// At this point, the remote code at example.com has access to the encrypted
+// message from the URI's query string parameters.
+
+// The following code represents the receiving side of the platform:
+$incomingUri = (string)$uri;
+$encryptedUri = new EncryptedUri($uri);
+$plainTextMessage = $encryptedUri->decryptMessage($sharedKey);
+
+echo "Decrypted: $plainTextMessage", PHP_EOL;

Diff for: sodium-lib-uri.php

@@ -0,0 +1,21 @@
+<?php
+use Gt\Cipher\Key;
+use Gt\Cipher\Message\EncryptedMessage;
+use Gt\Cipher\Message\PlainTextMessage;
+
+require("vendor/autoload.php");
+
+$sharedKey = new Key();
+$message = new PlainTextMessage("Cipher test!");
+echo "Message to send: $message", PHP_EOL;
+
+$cipherText = $message->encrypt($sharedKey);
+
+echo "Shared key: $sharedKey", PHP_EOL;
+echo "IV: ", $message->getIv(), PHP_EOL;
+echo "Cipher: $cipherText", PHP_EOL;
+
+$encryptedMessage = new EncryptedMessage($cipherText, $message->getIv());
+$decrypted = $encryptedMessage->decrypt($sharedKey);
+
+echo "Decrypted: $decrypted", PHP_EOL;

Diff for: sodium-lib.php

@@ -0,0 +1,23 @@
+<?php
+$messageToTransmit = "Cipher test!";
+$sharedKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
+$iv = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+
+$encryptedBytes = sodium_crypto_secretbox(
+	$messageToTransmit,
+	$iv,
+	$sharedKey
+);
+$cipher = base64_encode($encryptedBytes);
+
+echo "Shared key: ", base64_encode($sharedKey), PHP_EOL;
+echo "IV: ", base64_encode($iv), PHP_EOL;
+echo "Cipher: ", base64_encode($cipher), PHP_EOL;
+
+$decrypted = sodium_crypto_secretbox_open(
+	$encryptedBytes,
+	$iv,
+	$sharedKey,
+);
+
+echo "Decrypted: $decrypted", PHP_EOL;

Diff for: sodium.php

@@ -0,0 +1,44 @@
+<?php
+namespace Gt\Cipher;
+
+use Gt\Http\Uri;
+use Psr\Http\Message\UriInterface;
+use Stringable;
+
+class CipherText implements Stringable {
+	private string $bytes;
+
+	public function __construct(
+		string $data,
+		private InitVector $iv,
+		private Key $key,
+	) {
+
+		$this->bytes = sodium_crypto_secretbox(
+			$data,
+			$this->iv->getBytes(),
+			$this->key->getBytes(),
+		);
+	}
+
+	public function __toString():string {
+		return base64_encode($this->getBytes());
+	}
+
+	public function getBytes():string {
+		return $this->bytes;
+	}
+
+	public function getUri(string|UriInterface $baseUri = ""):UriInterface {
+		if(!$baseUri instanceof UriInterface) {
+			$baseUri = new Uri($baseUri);
+		}
+
+		$currentQuery = $baseUri->getQuery();
+		parse_str($currentQuery, $queryParams);
+		$queryParams["cipher"] = (string)$this;
+		$queryParams["iv"] = (string)$this->iv;
+
+		return $baseUri->withQuery(http_build_query($queryParams));
+	}
+}

Diff for: src/AbstractMessage.php

@@ -0,0 +1,48 @@
+<?php
+namespace Gt\Cipher;
+
+use Gt\Cipher\Message\DecryptionFailureException;
+use Gt\Cipher\Message\PlainTextMessage;
+use Gt\Http\Uri;
+use Psr\Http\Message\UriInterface;
+
+class EncryptedUri {
+	private string $encryptedBytes;
+	private InitVector $iv;
+
+	public function __construct(
+		string|UriInterface $uri,
+	) {
+		if(!$uri instanceof UriInterface) {
+			$uri = new Uri($uri);
+		}
+
+		parse_str($uri->getQuery(), $queryParams);
+		$cipher = $queryParams["cipher"] ?? null;
+		$iv = $queryParams["iv"] ?? null;
+		if(!$cipher || !is_string($cipher)) {
+			throw new MissingQueryStringException("cipher");
+		}
+		if(!$iv || !is_string($iv)) {
+			throw new MissingQueryStringException("iv");
+		}
+
+		$this->encryptedBytes = base64_decode(str_replace(" ", "+", $cipher));
+		$this->iv = (new InitVector())->withBytes(base64_decode(str_replace(" ", "+", $iv)));
+	}
+
+	public function decryptMessage(Key $key):PlainTextMessage {
+		$decrypted = sodium_crypto_secretbox_open(
+			$this->encryptedBytes,
+			$this->iv->getBytes(),
+			$key->getBytes(),
+		);
+		if($decrypted === false) {
+			throw new DecryptionFailureException("Error decrypting cipher message");
+		}
+		return new PlainTextMessage(
+			$decrypted,
+			$this->iv,
+		);
+	}
+}

Diff for: src/CipherText.php

@@ -7,7 +7,7 @@ class InitVector implements Stringable {
 	private string $bytes;
 
 	public function __construct(
-		int $byteLength = 16
+		int $byteLength = SODIUM_CRYPTO_BOX_NONCEBYTES
 	) {
 		if($byteLength < 1) {
 			throw new CipherException("IV byte length must be greater than 1");
@@ -26,6 +26,6 @@ public function withBytes(string $bytes):self {
 	}
 
 	public function __toString():string {
-		return bin2hex($this->bytes);
+		return base64_encode($this->bytes);
 	}
 }

Diff for: src/EncryptedMessage.php

@@ -0,0 +1,22 @@
+<?php
+namespace Gt\Cipher;
+
+use Stringable;
+
+class Key implements Stringable {
+	protected string $bytes;
+
+	public function __construct(
+		?string $bytes = null
+	) {
+		$this->bytes = $bytes ?? random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
+	}
+
+	public function __toString():string {
+		return base64_encode($this->bytes);
+	}
+
+	public function getBytes():string {
+		return $this->bytes;
+	}
+}

Diff for: src/EncryptedUri.php

@@ -0,0 +1,24 @@
+<?php
+namespace Gt\Cipher\Message;
+
+use Gt\Cipher\InitVector;
+use Stringable;
+
+abstract class AbstractMessage implements Stringable {
+	protected InitVector $iv;
+
+	public function __construct(
+		protected string $data,
+		?InitVector $iv = null,
+	) {
+		$this->iv = $iv ?? new InitVector();
+	}
+
+	public function __toString():string {
+		return $this->data;
+	}
+
+	public function getIv():InitVector {
+		return $this->iv;
+	}
+}

Diff for: src/InitVector.php

@@ -0,0 +1,6 @@
+<?php
+namespace Gt\Cipher\Message;
+
+use Gt\Cipher\CipherException;
+
+class DecryptionFailureException extends CipherException {}