Add SensitiveParameter attributes

src/Box.php

@@ -11,6 +11,7 @@
 
 use LengthException;
 use LogicException;
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -39,8 +40,11 @@ class Box
  *
  * @throws LengthException if nonce is set has not the required length
  */
- public function __construct(string $secretKey, string $publicKey, string $nonce = null)
- {
+ public function __construct(
+ #[SensitiveParameter] string $secretKey,
+ #[SensitiveParameter] string $publicKey,
+ #[SensitiveParameter] string $nonce = null
+ ) {
  $this->secretKey = $secretKey;
  $this->publicKey = $publicKey;
  if ($nonce !== null) {
@@ -56,7 +60,7 @@ public function __construct(string $secretKey, string $publicKey, string $nonce
  *
  * @throws LengthException if nonce has not the required length
  */
- protected function validateNonce(string $nonce) : void
+ protected function validateNonce(#[SensitiveParameter] string $nonce) : void
  {
  $length = \mb_strlen($nonce, '8bit');
  if ($length !== \SODIUM_CRYPTO_BOX_NONCEBYTES) {
@@ -76,7 +80,7 @@ protected function validateNonce(string $nonce) : void
  *
  * @return string
  */
- protected function getNonce(?string $nonce) : string
+ protected function getNonce(#[SensitiveParameter] ?string $nonce) : string
  {
  if ($nonce !== null) {
  $this->validateNonce($nonce);
@@ -117,8 +121,10 @@ protected function getKeyPair() : string
  *
  * @return string
  */
- public function encrypt(string $message, string $nonce = null) : string
- {
+ public function encrypt(
+ #[SensitiveParameter] string $message,
+ #[SensitiveParameter] string $nonce = null
+ ) : string {
  return \sodium_crypto_box(
  $message,
  $this->getNonce($nonce),
@@ -140,8 +146,10 @@ public function encrypt(string $message, string $nonce = null) : string
  *
  * @return false|string
  */
- public function decrypt(string $ciphertext, string $nonce = null) : false | string
- {
+ public function decrypt(
+ #[SensitiveParameter] string $ciphertext,
+ #[SensitiveParameter] string $nonce = null
+ ) : false | string {
  return \sodium_crypto_box_open(
  $ciphertext,
  $this->getNonce($nonce),

src/BoxSeal.php

@@ -9,6 +9,7 @@
  */
 namespace Framework\Crypto;
 
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -32,8 +33,10 @@ class BoxSeal
  *
  * @return string
  */
- public static function encrypt(string $message, string $publicKey) : string
- {
+ public static function encrypt(
+ #[SensitiveParameter] string $message,
+ #[SensitiveParameter] string $publicKey
+ ) : string {
  return \sodium_crypto_box_seal($message, $publicKey);
  }
 
@@ -50,8 +53,10 @@ public static function encrypt(string $message, string $publicKey) : string
  * @return false|string The message or false if the ciphertext could not be
  * decrypted
  */
- public static function decrypt(string $ciphertext, string $keyPair) : false | string
- {
+ public static function decrypt(
+ #[SensitiveParameter] string $ciphertext,
+ #[SensitiveParameter] string $keyPair
+ ) : false | string {
  return \sodium_crypto_box_seal_open($ciphertext, $keyPair);
  }
 }

src/BoxTrait.php

@@ -10,6 +10,7 @@
 namespace Framework\Crypto;
 
 use Exception;
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -52,7 +53,7 @@ public static function makeNonce() : string
  *
  * @return string
  */
- public static function makeSecretKey(string $keyPair) : string
+ public static function makeSecretKey(#[SensitiveParameter] string $keyPair) : string
  {
  return \sodium_crypto_box_secretkey($keyPair);
  }
@@ -68,7 +69,7 @@ public static function makeSecretKey(string $keyPair) : string
  *
  * @return string
  */
- public static function makePublicKey(string $keyPair) : string
+ public static function makePublicKey(#[SensitiveParameter] string $keyPair) : string
  {
  return \sodium_crypto_box_publickey($keyPair);
  }

src/GenericHash.php

@@ -11,6 +11,7 @@
 
 use LengthException;
 use RangeException;
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -34,8 +35,10 @@ class GenericHash
  * @throws LengthException if key length is not between 16 and 64
  * @throws RangeException if the hashLength value is not in the range 16 to 64
  */
- public function __construct(string $key, int $hashLength = \SODIUM_CRYPTO_GENERICHASH_BYTES)
- {
+ public function __construct(
+ #[SensitiveParameter] string $key,
+ int $hashLength = \SODIUM_CRYPTO_GENERICHASH_BYTES
+ ) {
  $this->validateKey($key);
  $this->validateHashLength($hashLength);
  $this->key = $key;
@@ -49,7 +52,7 @@ public function __construct(string $key, int $hashLength = \SODIUM_CRYPTO_GENERI
  *
  * @throws LengthException if key length is not between 16 and 64
  */
- protected function validateKey(string $key) : void
+ protected function validateKey(#[SensitiveParameter] string $key) : void
  {
  $length = \mb_strlen($key, '8bit');
  if ($length < \SODIUM_CRYPTO_GENERICHASH_KEYBYTES_MIN
@@ -96,8 +99,10 @@ protected function validateHashLength(int $length) : void
  *
  * @return string
  */
- public function signature(string $message, int $hashLength = null) : string
- {
+ public function signature(
+ #[SensitiveParameter] string $message,
+ int $hashLength = null
+ ) : string {
  return Utils::bin2base64(
  $this->makeHash($message, $hashLength),
  \SODIUM_BASE64_VARIANT_ORIGINAL_NO_PADDING
@@ -117,8 +122,11 @@ public function signature(string $message, int $hashLength = null) : string
  *
  * @return bool
  */
- public function verify(string $message, string $signature, int $hashLength = null) : bool
- {
+ public function verify(
+ #[SensitiveParameter] string $message,
+ #[SensitiveParameter] string $signature,
+ int $hashLength = null
+ ) : bool {
  return \hash_equals(
  $this->makeHash($message, $hashLength),
  Utils::base642bin($signature, \SODIUM_BASE64_VARIANT_ORIGINAL_NO_PADDING)
@@ -137,7 +145,7 @@ public function verify(string $message, string $signature, int $hashLength = nul
  *
  * @return string
  */
- protected function makeHash(string $message, int $length = null) : string
+ protected function makeHash(#[SensitiveParameter] string $message, int $length = null) : string
  {
  if ($length !== null) {
  $this->validateHashLength($length);

src/Password.php

@@ -10,6 +10,7 @@
 namespace Framework\Crypto;
 
 use InvalidArgumentException;
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -61,7 +62,7 @@ class Password
  * @return string
  */
  public static function hash(
- string $password,
+ #[SensitiveParameter] string $password,
  int $opslimit = null,
  int $memlimit = null
  ) : string {
@@ -86,7 +87,7 @@ public static function hash(
  * @return bool
  */
  public static function needsRehash(
- string $hash,
+ #[SensitiveParameter] string $hash,
  int $opslimit = null,
  int $memlimit = null
  ) : bool {
@@ -109,8 +110,10 @@ public static function needsRehash(
  *
  * @return bool
  */
- public static function verify(string $password, string $hash) : bool
- {
+ public static function verify(
+ #[SensitiveParameter] string $password,
+ #[SensitiveParameter] string $hash
+ ) : bool {
  return \sodium_crypto_pwhash_str_verify($hash, $password);
  }
 

src/SecretBox.php

@@ -11,6 +11,7 @@
 
 use Exception;
 use LengthException;
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -34,8 +35,10 @@ class SecretBox
  *
  * @throws LengthException if key or nonce has not the required length
  */
- public function __construct(string $key, string $nonce)
- {
+ public function __construct(
+ #[SensitiveParameter] string $key,
+ #[SensitiveParameter] string $nonce
+ ) {
  $this->validatedLengths($key, $nonce);
  $this->key = $key;
  $this->nonce = $nonce;
@@ -49,8 +52,10 @@ public function __construct(string $key, string $nonce)
  *
  * @throws LengthException if key or nonce has not the required length
  */
- protected function validatedLengths(string $key, string $nonce) : void
- {
+ protected function validatedLengths(
+ #[SensitiveParameter] string $key,
+ #[SensitiveParameter] string $nonce
+ ) : void {
  $length = \mb_strlen($key, '8bit');
  if ($length !== \SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
  throw new LengthException(
@@ -76,7 +81,7 @@ protected function validatedLengths(string $key, string $nonce) : void
  *
  * @return string
  */
- public function encrypt(string $message) : string
+ public function encrypt(#[SensitiveParameter] string $message) : string
  {
  return \sodium_crypto_secretbox($message, $this->nonce, $this->key);
  }
@@ -90,7 +95,7 @@ public function encrypt(string $message) : string
  *
  * @return false|string
  */
- public function decrypt(string $ciphertext) : false | string
+ public function decrypt(#[SensitiveParameter] string $ciphertext) : false | string
  {
  return \sodium_crypto_secretbox_open($ciphertext, $this->nonce, $this->key);
  }

src/Sign.php

@@ -9,6 +9,7 @@
  */
 namespace Framework\Crypto;
 
+use SensitiveParameter;
 use SodiumException;
 
 /**
@@ -41,7 +42,7 @@ public static function makeKeyPair() : string
  *
  * @return string
  */
- public static function makeSecretKey(string $keyPair) : string
+ public static function makeSecretKey(#[SensitiveParameter] string $keyPair) : string
  {
  return \sodium_crypto_sign_secretkey($keyPair); // @phpstan-ignore-line
  }
@@ -57,7 +58,7 @@ public static function makeSecretKey(string $keyPair) : string
  *
  * @return string
  */
- public static function makePublicKey(string $keyPair) : string
+ public static function makePublicKey(#[SensitiveParameter] string $keyPair) : string
  {
  return \sodium_crypto_sign_publickey($keyPair); // @phpstan-ignore-line
  }
@@ -74,8 +75,10 @@ public static function makePublicKey(string $keyPair) : string
  *
  * @return string
  */
- public static function signature(string $message, string $secretKey) : string
- {
+ public static function signature(
+ #[SensitiveParameter] string $message,
+ #[SensitiveParameter] string $secretKey
+ ) : string {
  return \sodium_crypto_sign_detached($message, $secretKey); // @phpstan-ignore-line
  }
 
@@ -94,9 +97,9 @@ public static function signature(string $message, string $secretKey) : string
  * @return bool
  */
  public static function verify(
- string $message,
- string $signature,
- string $publicKey
+ #[SensitiveParameter] string $message,
+ #[SensitiveParameter] string $signature,
+ #[SensitiveParameter] string $publicKey
  ) : bool {
  return \sodium_crypto_sign_verify_detached($signature, $message, $publicKey); // @phpstan-ignore-line
  }