move some common methods to Utilities

Author: codemasher

examples/create-description.php

@@ -9,7 +9,7 @@
 
 use chillerlan\OAuth\Core\{
 	ClientCredentials, CSRFToken, OAuth1Interface, OAuth2Interface,
-	OAuthInterface, PKCE, TokenInvalidate, TokenRefresh, UserInfo
+	PKCE, TokenInvalidate, TokenRefresh, UserInfo, Utilities
 };
 
 /**
@@ -31,7 +31,7 @@
 	'|----------|------|--------|-----|------|------|------|----|----|----|',
 ];
 
-foreach(getProviders(__DIR__.'/../src/Providers') as $p){
+foreach(Utilities::getProviders() as $p){
 	/** @var \OAuthExampleProviderFactory $factory */
 	$provider = $factory->getProvider($p['fqcn'], OAuthExampleProviderFactory::STORAGE_MEMORY);
 
@@ -85,34 +85,3 @@
 }
 
 exit;
-
-function getProviders(string $providerDir):array{
-	$providerDir = realpath($providerDir);
-	$providers   = [];
-
-	/** @var \SplFileInfo $e */
-	foreach(new IteratorIterator(new DirectoryIterator($providerDir)) as $e){
-
-		if($e->getExtension() !== 'php'){
-			continue;
-		}
-
-		$class = 'chillerlan\\OAuth\\Providers\\'.substr($e->getFilename(), 0, -4);
-
-		try{
-			$r = new ReflectionClass($class);
-
-			if(!$r->implementsInterface(OAuthInterface::class) || $r->isAbstract()){
-				continue;
-			}
-
-			$providers[hash('crc32b', $r->getShortName())] = ['name' => $r->getShortName(), 'fqcn' => $class];
-		}
-		catch(Throwable){
-			continue;
-		}
-
-	}
-
-	return $providers;
-}

src/Core/Utilities.php

@@ -0,0 +1,143 @@
+<?php
+/**
+ * Class Utilities
+ *
+ * @created      10.04.2024
+ * @author       smiley <smiley@chillerlan.net>
+ * @copyright    2024 smiley
+ * @license      MIT
+ */
+declare(strict_types=1);
+
+namespace chillerlan\OAuth\Core;
+
+use DirectoryIterator;
+use InvalidArgumentException;
+use ReflectionClass;
+use RuntimeException;
+use function hash;
+use function random_bytes;
+use function realpath;
+use function sodium_base642bin;
+use function sodium_bin2base64;
+use function sodium_bin2hex;
+use function sodium_crypto_secretbox;
+use function sodium_crypto_secretbox_keygen;
+use function sodium_crypto_secretbox_open;
+use function sodium_hex2bin;
+use function sodium_memzero;
+use function substr;
+use function trim;
+use const SODIUM_BASE64_VARIANT_ORIGINAL;
+use const SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
+
+/**
+ * Common utilities for use with the OAuth providers
+ */
+class Utilities{
+
+	final public const ENCRYPT_FORMAT_BINARY = 0b00;
+	final public const ENCRYPT_FORMAT_BASE64 = 0b01;
+	final public const ENCRYPT_FORMAT_HEX    = 0b10;
+
+	/**
+	 * Fetches a list of provider classes in the given directory
+	 */
+	public static function getProviders(string|null $providerDir = null, string|null $namespace = null):array{
+		$providerDir = realpath($providerDir ?? __DIR__.'/../Providers');
+		$namespace   = trim(($namespace ?? 'chillerlan\\OAuth\\Providers'), '\\');
+		$providers   = [];
+
+		if($providerDir === false){
+			throw new InvalidArgumentException('invalid $providerDir');
+		}
+
+		/** @var \SplFileInfo $e */
+		foreach(new DirectoryIterator($providerDir) as $e){
+
+			if($e->getExtension() !== 'php'){
+				continue;
+			}
+
+			$r = new ReflectionClass($namespace.'\\'.substr($e->getFilename(), 0, -4));
+
+			if(!$r->implementsInterface(OAuthInterface::class) || $r->isAbstract()){
+				continue;
+			}
+
+			$providers[hash('crc32b', $r->getShortName())] = [
+				'name' => $r->getShortName(),
+				'fqcn' => $r->getName(),
+				'path' => $e->getRealPath(),
+			];
+
+		}
+
+		return $providers;
+	}
+
+	/**
+	 * Creates a new cryptographically secure random encryption key (in hexadecimal or format)
+	 */
+	public static function createEncryptionKey():string{
+		return sodium_bin2hex(sodium_crypto_secretbox_keygen());
+	}
+
+	/**
+	 * encrypts the given $data with $key, $format output [binary, base64, hex]
+	 *
+	 * @see \sodium_crypto_secretbox()
+	 * @see \sodium_bin2base64()
+	 * @see \sodium_bin2hex()
+	 */
+	public static function encrypt(string $data, string $keyHex, int $format = self::ENCRYPT_FORMAT_HEX):string{
+		$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+		$box   = sodium_crypto_secretbox($data, $nonce, sodium_hex2bin($keyHex));
+
+		$out = match($format){
+			self::ENCRYPT_FORMAT_BINARY => $nonce.$box,
+			self::ENCRYPT_FORMAT_BASE64 => sodium_bin2base64($nonce.$box, SODIUM_BASE64_VARIANT_ORIGINAL),
+			self::ENCRYPT_FORMAT_HEX    => sodium_bin2hex($nonce.$box),
+		};
+
+		sodium_memzero($data);
+		sodium_memzero($keyHex);
+		sodium_memzero($nonce);
+		sodium_memzero($box);
+
+		return $out;
+	}
+
+	/**
+	 * decrypts the given $encrypted data with $key from $format input [binary, base64, hex]
+	 *
+	 * @see \sodium_crypto_secretbox_open()
+	 * @see \sodium_base642bin()
+	 * @see \sodium_hex2bin()
+	 */
+	public static function decrypt(string $encrypted, string $keyHex, int $format = self::ENCRYPT_FORMAT_HEX):string{
+
+		$bin = match($format){
+			self::ENCRYPT_FORMAT_BINARY => $encrypted,
+			self::ENCRYPT_FORMAT_BASE64 => sodium_base642bin($encrypted, SODIUM_BASE64_VARIANT_ORIGINAL),
+			self::ENCRYPT_FORMAT_HEX    => sodium_hex2bin($encrypted),
+		};
+
+		$nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+		$box   = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+		$data  = sodium_crypto_secretbox_open($box, $nonce, sodium_hex2bin($keyHex));
+
+		sodium_memzero($encrypted);
+		sodium_memzero($keyHex);
+		sodium_memzero($bin);
+		sodium_memzero($nonce);
+		sodium_memzero($box);
+
+		if($data === false){
+			throw new RuntimeException('decryption failed'); // @codeCoverageIgnore
+		}
+
+		return $data;
+	}
+
+}

src/OAuthOptionsTrait.php

@@ -12,8 +12,7 @@
 namespace chillerlan\OAuth;
 
 use chillerlan\OAuth\Storage\OAuthStorageException;
-use function is_dir, is_writable, max, min, realpath, sprintf, strlen, trim;
-use const SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
+use function is_dir, is_writable, max, min, preg_match, realpath, sprintf, strtolower, trim;
 
 /**
  * The settings for the OAuth provider
@@ -43,7 +42,7 @@ trait OAuthOptionsTrait{
 	protected bool $useStorageEncryption = false;
 
 	/**
-	 * The encryption key to use
+	 * The encryption key (hexadecimal) to use
 	 *
 	 * @see \sodium_crypto_secretbox_keygen()
 	 * @see \chillerlan\OAuth\Storage\FileStorage
@@ -103,8 +102,9 @@ trait OAuthOptionsTrait{
 	 * sets an encryption key
 	 */
 	protected function set_storageEncryptionKey(string $storageEncryptionKey):void{
+		$storageEncryptionKey = strtolower($storageEncryptionKey);
 
-		if(strlen($storageEncryptionKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES){
+		if(!preg_match('/^[a-f0-9]{64}$/', $storageEncryptionKey)){
 			throw new OAuthStorageException('invalid encryption key');
 		}
 

src/Storage/FileStorage.php

@@ -11,11 +11,11 @@
 
 namespace chillerlan\OAuth\Storage;
 
-use chillerlan\OAuth\Core\AccessToken;
 use chillerlan\OAuth\OAuthOptions;
+use chillerlan\OAuth\Core\{AccessToken, Utilities};
 use chillerlan\Settings\SettingsContainerInterface;
-use DirectoryIterator;
 use Psr\Log\{LoggerInterface, NullLogger};
+use DirectoryIterator;
 use function dirname, file_exists, file_get_contents, file_put_contents, hash, implode,
 	is_dir, is_file, mkdir, sprintf, str_starts_with, substr, trim, unlink;
 use const DIRECTORY_SEPARATOR;
@@ -31,7 +31,7 @@
  */
 class FileStorage extends OAuthStorageAbstract{
 
-	final protected const ENCRYPT_FORMAT = self::ENCRYPT_FORMAT_BINARY;
+	final protected const ENCRYPT_FORMAT = Utilities::ENCRYPT_FORMAT_BINARY;
 
 	/**
 	 * OAuthStorageAbstract constructor.
@@ -114,7 +114,7 @@ public function clearAllAccessTokens():static{
 	public function storeCSRFState(string $state, string $provider):static{
 
 		if($this->options->useStorageEncryption === true){
-			$state = $this->encrypt($state, $this->options->storageEncryptionKey);
+			$state = $this->encrypt($state);
 		}
 
 		$this->saveFile($state, $this::KEY_STATE, $provider);
@@ -133,7 +133,7 @@ public function getCSRFState(string $provider):string{
 		}
 
 		if($this->options->useStorageEncryption === true){
-			return $this->decrypt($state, $this->options->storageEncryptionKey);
+			return $this->decrypt($state);
 		}
 
 		return $state;
@@ -170,7 +170,7 @@ public function clearAllCSRFStates():static{
 	public function storeCodeVerifier(string $verifier, string $provider):static{
 
 		if($this->options->useStorageEncryption === true){
-			$verifier = $this->encrypt($verifier, $this->options->storageEncryptionKey);
+			$verifier = $this->encrypt($verifier);
 		}
 
 		$this->saveFile($verifier, $this::KEY_VERIFIER, $provider);
@@ -189,7 +189,7 @@ public function getCodeVerifier(string $provider):string{
 		}
 
 		if($this->options->useStorageEncryption === true){
-			return $this->decrypt($verifier, $this->options->storageEncryptionKey);
+			return $this->decrypt($verifier);
 		}
 
 		return $verifier;

src/Storage/OAuthStorageAbstract.php

@@ -12,12 +12,10 @@
 namespace chillerlan\OAuth\Storage;
 
 use chillerlan\OAuth\OAuthOptions;
-use chillerlan\OAuth\Core\AccessToken;
+use chillerlan\OAuth\Core\{AccessToken, Utilities};
 use chillerlan\Settings\SettingsContainerInterface;
 use Psr\Log\{LoggerInterface, NullLogger};
-use function random_bytes, sodium_base642bin, sodium_bin2base64, sodium_bin2hex, sodium_crypto_secretbox,
-	sodium_crypto_secretbox_open, sodium_hex2bin, sodium_memzero, substr, trim;
-use const SODIUM_BASE64_VARIANT_ORIGINAL, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
+use function trim;
 
 /**
  * Implements an abstract OAuth storage adapter
@@ -28,11 +26,7 @@ abstract class OAuthStorageAbstract implements OAuthStorageInterface{
 	final protected const KEY_STATE    = 'STATE';
 	final protected const KEY_VERIFIER = 'VERIFIER';
 
-	final protected const ENCRYPT_FORMAT_BINARY = 0b00;
-	final protected const ENCRYPT_FORMAT_BASE64 = 0b01;
-	final protected const ENCRYPT_FORMAT_HEX    = 0b10;
-
-	protected const ENCRYPT_FORMAT = self::ENCRYPT_FORMAT_HEX;
+	protected const ENCRYPT_FORMAT = Utilities::ENCRYPT_FORMAT_HEX;
 
 	/**
 	 * OAuthStorageAbstract constructor.
@@ -89,7 +83,7 @@ public function toStorage(AccessToken $token):mixed{
 		$tokenJSON = $token->toJSON();
 
 		if($this->options->useStorageEncryption === true){
-			return $this->encrypt($tokenJSON, $this->options->storageEncryptionKey);
+			return $this->encrypt($tokenJSON);
 		}
 
 		return $tokenJSON;
@@ -101,67 +95,24 @@ public function toStorage(AccessToken $token):mixed{
 	public function fromStorage(mixed $data):AccessToken{
 
 		if($this->options->useStorageEncryption === true){
-			$data = $this->decrypt($data, $this->options->storageEncryptionKey);
+			$data = $this->decrypt($data);
 		}
 
 		return (new AccessToken)->fromJSON($data);
 	}
 
 	/**
-	 * encrypts the given $data with $key
-	 *
-	 * @see \sodium_crypto_secretbox()
-	 * @see \sodium_bin2base64()
-	 * @see \sodium_bin2hex()
+	 * encrypts the given $data
 	 */
-	protected function encrypt(string $data, string $key):string{
-		$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
-		$box   = sodium_crypto_secretbox($data, $nonce, $key);
-
-		$out = match($this::ENCRYPT_FORMAT){
-			$this::ENCRYPT_FORMAT_BINARY => $nonce.$box,
-			$this::ENCRYPT_FORMAT_BASE64 => sodium_bin2base64($nonce.$box, SODIUM_BASE64_VARIANT_ORIGINAL),
-			$this::ENCRYPT_FORMAT_HEX    => sodium_bin2hex($nonce.$box),
-		};
-
-		sodium_memzero($data);
-		sodium_memzero($key);
-		sodium_memzero($nonce);
-		sodium_memzero($box);
-
-		return $out;
+	protected function encrypt(string $data):string{
+		return Utilities::encrypt($data, $this->options->storageEncryptionKey, $this::ENCRYPT_FORMAT);
 	}
 
 	/**
-	 * decrypts the given $encrypted data with $key
-	 *
-	 * @see \sodium_crypto_secretbox_open()
-	 * @see \sodium_base642bin()
-	 * @see \sodium_hex2bin()
+	 * decrypts the given $encrypted data
 	 */
-	protected function decrypt(string $encrypted, string $key):string{
-
-		$bin = match($this::ENCRYPT_FORMAT){
-			$this::ENCRYPT_FORMAT_BINARY => $encrypted,
-			$this::ENCRYPT_FORMAT_BASE64 => sodium_base642bin($encrypted, SODIUM_BASE64_VARIANT_ORIGINAL),
-			$this::ENCRYPT_FORMAT_HEX    => sodium_hex2bin($encrypted),
-		};
-
-		$nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
-		$box   = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
-		$data  = sodium_crypto_secretbox_open($box, $nonce, $key);
-
-		sodium_memzero($encrypted);
-		sodium_memzero($key);
-		sodium_memzero($bin);
-		sodium_memzero($nonce);
-		sodium_memzero($box);
-
-		if($data === false){
-			throw new OAuthStorageException('decryption failed'); // @codeCoverageIgnore
-		}
-
-		return $data;
+	protected function decrypt(string $encrypted):string{
+		return Utilities::decrypt($encrypted, $this->options->storageEncryptionKey, $this::ENCRYPT_FORMAT);
 	}
 
 }