You are here

class LockrAes256CbcSha256KeyWrapper in Lockr 7.2

Same name and namespace in other branches
  1. 7.3 vendor/lockr/lockr/src/KeyWrapper/LockrAes256CbcSha256KeyWrapper.php \Lockr\KeyWrapper\LockrAes256CbcSha256KeyWrapper

Hierarchy

Expanded class hierarchy of LockrAes256CbcSha256KeyWrapper

File

vendor/lockr/lockr-client/src/KeyWrapper/LockrAes256CbcSha256KeyWrapper.php, line 4

Namespace

Lockr\KeyWrapper
View source
class LockrAes256CbcSha256KeyWrapper implements KeyWrapperInterface {
  const PREFIX = '$1$';
  const METHOD = 'aes-256-cbc';
  const KEY_LEN = 32;
  const IV_LEN = 16;
  const HMAC_LEN = 32;

  /**
   * {@inheritdoc}
   */
  public static function enabled() {
    return function_exists('openssl_encrypt');
  }

  /**
   * {@inheritdoc}
   */
  public static function encrypt($plaintext, $key = null) {
    if (is_null($key)) {
      $key = random_bytes(self::KEY_LEN);
    }
    $iv = random_bytes(self::IV_LEN);
    return self::doEncrypt($plaintext, $key, $iv);
  }

  /**
   * {@inheritdoc}
   */
  public static function reencrypt($plaintext, $wrapping_key) {
    $wrapping_key = substr($wrapping_key, strlen(self::PREFIX));
    $wrapping_key = base64_decode($wrapping_key);
    $iv = random_bytes(self::IV_LEN);
    return self::doEncrypt($plaintext, $wrapping_key, $iv);
  }

  /**
   * {@inheritdoc}
   */
  public static function decrypt($ciphertext, $wrapping_key) {
    $wrapping_key = substr($wrapping_key, strlen(self::PREFIX));
    $wrapping_key = base64_decode($wrapping_key);
    $key_data = hash('sha512', $wrapping_key, true);
    $enc_key = substr($key_data, 0, self::KEY_LEN);
    $hmac_key = substr($key_data, self::KEY_LEN);
    $ciphertext = base64_decode($ciphertext);
    $iv = substr($ciphertext, 0, self::IV_LEN);
    $hmac0 = substr($ciphertext, -self::HMAC_LEN);
    $ciphertext = substr($ciphertext, self::IV_LEN, -self::HMAC_LEN);
    $hmac1 = self::hmac($iv, $ciphertext, $hmac_key);
    if (!hash_equals($hmac0, $hmac1)) {
      return false;
    }
    $plaintext = openssl_decrypt($ciphertext, self::METHOD, $enc_key, OPENSSL_RAW_DATA, $iv);
    return $plaintext;
  }
  protected static function doEncrypt($plaintext, $key, $iv) {
    $key_data = hash('sha512', $key, true);
    $enc_key = substr($key_data, 0, self::KEY_LEN);
    $hmac_key = substr($key_data, self::KEY_LEN);
    $ciphertext = openssl_encrypt($plaintext, self::METHOD, $enc_key, OPENSSL_RAW_DATA, $iv);
    $hmac = self::hmac($iv, $ciphertext, $hmac_key);
    return [
      'ciphertext' => base64_encode($iv . $ciphertext . $hmac),
      'encoded' => self::PREFIX . base64_encode($key),
    ];
  }
  protected static function hmac($iv, $ciphertext, $key) {
    $data = self::PREFIX . self::METHOD . $iv . $ciphertext;
    return hash_hmac('sha256', $data, $key, true);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
LockrAes256CbcSha256KeyWrapper::decrypt public static function Decrypt the given ciphertext using encoded. Overrides KeyWrapperInterface::decrypt
LockrAes256CbcSha256KeyWrapper::doEncrypt protected static function
LockrAes256CbcSha256KeyWrapper::enabled public static function Overrides KeyWrapperInterface::enabled
LockrAes256CbcSha256KeyWrapper::encrypt public static function Encrypt the given plaintext. Overrides KeyWrapperInterface::encrypt
LockrAes256CbcSha256KeyWrapper::hmac protected static function
LockrAes256CbcSha256KeyWrapper::HMAC_LEN constant
LockrAes256CbcSha256KeyWrapper::IV_LEN constant
LockrAes256CbcSha256KeyWrapper::KEY_LEN constant
LockrAes256CbcSha256KeyWrapper::METHOD constant
LockrAes256CbcSha256KeyWrapper::PREFIX constant
LockrAes256CbcSha256KeyWrapper::reencrypt public static function Encrypt the given plaintext using the same initial state as defined by encoded. Overrides KeyWrapperInterface::reencrypt