diff --git a/src/Keys/AsymmetricPublicKey.php b/src/Keys/AsymmetricPublicKey.php index 40e72eb..afbcb2d 100644 --- a/src/Keys/AsymmetricPublicKey.php +++ b/src/Keys/AsymmetricPublicKey.php @@ -11,9 +11,6 @@ Util }; use FG\ASN1\Exception\ParserException; -use Mdanter\Ecc\EccFactory; -use ParagonIE\EasyECC\EasyECC; -use ParagonIE\EasyECC\ECDSA\ConstantTimeMath; use ParagonIE\EasyECC\ECDSA\PublicKey; use ParagonIE\Paseto\Protocol\{ Version1, @@ -148,7 +145,7 @@ public static function v4(string $keyMaterial): self * @return string * * @throws TypeError - * @throws ParserException + * @throws PasetoException */ public function encode(): string { @@ -158,11 +155,15 @@ public function encode(): string } elseif (Binary::safeStrlen($this->key) === 98) { Base64UrlSafe::encodeUnpadded(Hex::decode($this->key)); } - return Base64UrlSafe::encodeUnpadded( - Hex::decode( - Version3::getPublicKeyCompressed($this->key) - ) - ); + try { + return Base64UrlSafe::encodeUnpadded( + Hex::decode( + Version3::getPublicKeyCompressed($this->key) + ) + ); + } catch (ParserException $ex) { + throw new PasetoException("ASN.1 Parser Exception", 0, $ex); + } } return Base64UrlSafe::encodeUnpadded($this->key); } diff --git a/src/Parser.php b/src/Parser.php index ddbae39..b36a6eb 100644 --- a/src/Parser.php +++ b/src/Parser.php @@ -19,8 +19,10 @@ SymmetricKey }; use ParagonIE\ConstantTime\Binary; -use ParagonIE\Paseto\Parsing\NonExpiringSupport; -use ParagonIE\Paseto\Parsing\PasetoMessage; +use ParagonIE\Paseto\Parsing\{ + NonExpiringSupport, + PasetoMessage +}; use ParagonIE\Paseto\Rules\NotExpired; use ParagonIE\Paseto\Traits\RegisteredClaims; use function get_class, diff --git a/src/Protocol/Version1.php b/src/Protocol/Version1.php index ad7915f..1d210fd 100644 --- a/src/Protocol/Version1.php +++ b/src/Protocol/Version1.php 
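Review bot: In `encode()`, the `elseif (Binary::safeStrlen($this->key) === 98)` branch just above the new `try` computes `Base64UrlSafe::encodeUnpadded(Hex::decode($this->key));` and discards the result, so execution always falls through to `Version3::getPublicKeyCompressed($this->key)`. If that branch is meant to short-circuit for a key that is already in hex-encoded compressed form, it should read `return Base64UrlSafe::encodeUnpadded(Hex::decode($this->key));`; if not, the dead call should be removed. The preceding `if` lies outside the hunk and should be checked for the same missing `return`. Separately, the new `PasetoException` is thrown with code `0`, while other throw sites in this commit pass an `ExceptionCode::` constant; a dedicated code would let callers tell an ASN.1 parse failure apart from other errors.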
@@ -421,6 +421,7 @@ public static function aeadEncrypt( OPENSSL_RAW_DATA, Binary::safeSubstr($nonce, 16, 16) ); + Util::wipe($encKey); if (!is_string($ciphertext)) { throw new PasetoException( 'Encryption failed.', @@ -434,6 +435,7 @@ public static function aeadEncrypt( $authKey, true ); + Util::wipe($authKey); // PASETO Version 1 - Encrypt - Step 9: return (new PasetoMessage( @@ -511,8 +513,11 @@ public static function aeadDecrypt( $authKey, true ); + Util::wipe($authKey); + // PASETO Version 1 - Decrypt - Step 8: if (!hash_equals($calc, $mac)) { + Util::wipe($encKey); throw new SecurityException( 'Invalid MAC for given ciphertext.', ExceptionCode::INVALID_MAC @@ -528,6 +533,7 @@ public static function aeadDecrypt( OPENSSL_RAW_DATA, Binary::safeSubstr($nonce, 16, 16) ); + Util::wipe($encKey); if (!is_string($plaintext)) { throw new PasetoException( 'Encryption failed.', diff --git a/src/Protocol/Version3.php b/src/Protocol/Version3.php index 83913ce..5037711 100644 --- a/src/Protocol/Version3.php +++ b/src/Protocol/Version3.php @@ -540,6 +540,7 @@ public static function aeadDecrypt( // PASETO Version 3 - Decrypt - Step 8: if (!hash_equals($calc, $mac)) { + Util::wipe($encKey); throw new SecurityException( 'Invalid MAC for given ciphertext.', ExceptionCode::INVALID_MAC diff --git a/src/Protocol/Version4.php b/src/Protocol/Version4.php index 6030464..4677195 100644 --- a/src/Protocol/Version4.php +++ b/src/Protocol/Version4.php @@ -405,6 +405,7 @@ public static function aeadEncrypt( $nonce2, $encKey ); + Util::wipe($encKey); if (!is_string($ciphertext)) { throw new PasetoException( 'Encryption failed.', @@ -416,7 +417,6 @@ public static function aeadEncrypt( Util::preAuthEncode($header, $nonce, $ciphertext, $footer, $implicit), $authKey ); - Util::wipe($encKey); Util::wipe($authKey); // PASETO Version 4 - Encrypt - Step 8: 
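Review bot: In `Version1::aeadEncrypt`, `$authKey` is still intact when the `!is_string($ciphertext)` branch throws, because its wipe is only reached in the following hunk after the HMAC has been computed; `Version4::aeadEncrypt` at `@@ -405` has the same gap. If the goal of the commit is that no derived key outlives its use, add `Util::wipe($authKey);` as the first statement of that failure branch in both files. A `try`/`finally` around the key-using section would cover every exit path at once, but the function body extends beyond the hunk, so that would be a larger change.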
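Review bot: The failure branch after the decrypt call in `Version1::aeadDecrypt` (`@@ -528`) still throws with the message `'Encryption failed.'`, which will mislead anyone triaging the error from a log; it should read `'Decryption failed.'`. The same string appears in the `!is_string($plaintext)` branch of `Version4::aeadDecrypt` at `@@ -511`. This path is reached only after the MAC has verified, so the message is the main clue that the cipher call itself failed. Check that no caller or test matches on the old text before changing it.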
@@ -496,6 +496,7 @@ public static function aeadDecrypt( Util::preAuthEncode($header, $nonce, $ciphertext, $footer, $implicit), $authKey ); + Util::wipe($authKey); // PASETO Version 4 - Decrypt - Step 8: if (!hash_equals($calc, $mac)) { throw new SecurityException( @@ -511,6 +512,7 @@ public static function aeadDecrypt( $nonce2, $encKey ); + Util::wipe($encKey); if (!is_string($plaintext)) { throw new PasetoException( 'Encryption failed.', diff --git a/src/Purpose.php b/src/Purpose.php index 0b716c5..76a0e38 100644 --- a/src/Purpose.php +++ b/src/Purpose.php @@ -106,7 +106,7 @@ final class Purpose * * @var array */ - private static $sendingKeyToPurpose; + private static $sendingKeyToPurpose = []; /** * Inverse of EXPECTED_RECEIVING_KEYS, evaluated and statically cached at @@ -114,7 +114,7 @@ final class Purpose * * @var array */ - private static $receivingKeyToPurpose; + private static $receivingKeyToPurpose = []; /** * @var string diff --git a/src/ReceivingKeyRing.php b/src/ReceivingKeyRing.php index db40cab..2843729 100644 --- a/src/ReceivingKeyRing.php +++ b/src/ReceivingKeyRing.php @@ -2,8 +2,10 @@ declare(strict_types=1); namespace ParagonIE\Paseto; -use ParagonIE\Paseto\Exception\InvalidKeyException; -use ParagonIE\Paseto\Exception\PasetoException; +use ParagonIE\Paseto\Exception\{ + InvalidKeyException, + PasetoException +}; use ParagonIE\Paseto\Traits\MultiKeyTrait; class ReceivingKeyRing implements KeyRingInterface, ReceivingKey diff --git a/src/Rules/ForAudience.php b/src/Rules/ForAudience.php index 11fd9f0..ca75aa2 100644 --- a/src/Rules/ForAudience.php +++ b/src/Rules/ForAudience.php @@ -18,7 +18,7 @@ class ForAudience implements ValidationRuleInterface /** @var string $failure */ protected $failure = 'OK'; - /** @var string $issuer */ + /** @var string $audience */ protected $audience; /** diff --git a/src/SendingKeyRing.php b/src/SendingKeyRing.php index 34af2b0..cd076ba 100644 --- a/src/SendingKeyRing.php +++ b/src/SendingKeyRing.php 
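Review bot: The invalid-MAC branch in `Version4::aeadDecrypt` throws without clearing `$encKey`, whereas this commit adds `Util::wipe($encKey);` to the same branch in Version1 and Version3. Add `Util::wipe($encKey);` as the first statement inside `if (!hash_equals($calc, $mac)) {` so that a rejected token does not leave the derived encryption key in memory. The rejection path is the one an attacker submitting forged tokens exercises most often, so it deserves the same hygiene as the success path. The function body begins and ends outside the hunk.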
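Review bot: Initialising `$sendingKeyToPurpose` to `[]` (and `$receivingKeyToPurpose` in the next hunk) changes the "not yet built" state of the cache from `null` to an empty array. The docblock says the map is evaluated and statically cached at runtime, but the code that fills it is outside the hunk. Confirm that its guard tests for emptiness rather than `=== null` or `!isset(...)`; with either of those the map would never be populated and key-type-to-purpose lookups would miss.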
@@ -3,10 +3,14 @@ namespace ParagonIE\Paseto; use Exception; -use ParagonIE\Paseto\Exception\InvalidKeyException; -use ParagonIE\Paseto\Exception\PasetoException; -use ParagonIE\Paseto\Keys\AsymmetricSecretKey; -use ParagonIE\Paseto\Keys\SymmetricKey; +use ParagonIE\Paseto\Exception\{ + InvalidKeyException, + PasetoException +}; +use ParagonIE\Paseto\Keys\{ + AsymmetricSecretKey, + SymmetricKey +}; use ParagonIE\Paseto\Traits\MultiKeyTrait; class SendingKeyRing implements KeyRingInterface, SendingKey diff --git a/src/Util.php b/src/Util.php index 9b0a9bf..1e90b33 100644 --- a/src/Util.php +++ b/src/Util.php @@ -131,7 +131,7 @@ public static function HKDF( } $digest_length = Binary::safeStrlen( - hash_hmac($hash, '', '', true) + hash($hash, '', true) ); // Sanity-check the desired output length.
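Review bot: Replacing `hash_hmac($hash, '', '', true)` with `hash($hash, '', true)` in `HKDF()` removes an implicit check, because since PHP 7.2 `hash_hmac()` rejects non-cryptographic algorithms (crc32, adler32, fnv and similar) while `hash()` accepts them. The digest-length probe therefore no longer fails for such a `$hash`; whether a later `hash_hmac()` call in the function still catches it is outside the hunk. An explicit guard before this line would make the requirement visible, for example `if (!in_array($hash, hash_hmac_algos(), true)) { throw ... }` using the exception type the function already throws. A short comment such as `// Digest size of $hash in bytes` on the probe would also help, since the call exists only to measure output length.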