Second Pass

2026-01-13 15:37:46 +01:00
parent 4f21d10383
commit 61606fd793
24 changed files with 1516 additions and 0 deletions
--- a/includes/dependency/class-crypto.php
+++ b/includes/dependency/class-crypto.php
@@ -0,0 +1,116 @@
+<?php
+declare(strict_types=1);
+
+defined('ABSPATH') or die;
+
+class Crypto {
+    private const VERSION = '1.1';
+
+    // --- Configuration ---
+    private const CIPHER = 'aes-256-gcm';
+    private const NONCE_LEN = 12;
+    private const TAG_LEN   = 16;
+
+    private static function getKey(): string {
+        $material = (defined('CRYPTO_SALT_1') ? CRYPTO_SALT_1 : AUTH_SALT) .
+                    (defined('CRYPTO_SALT_2') ? CRYPTO_SALT_2 : SECURE_AUTH_SALT) .
+                    'crypto-v1';
+        return hash('sha256', $material, true); // 32 bytes for AES-256
+    }
+
+    public static function encryptSecret(?string $plaintext): ?string {
+        if (!is_string($plaintext) || $plaintext === '') {
+            return null;
+        }
+        $key   = self::getKey();
+        $nonce = random_bytes(self::NONCE_LEN);
+
+        $ciphertext = openssl_encrypt(
+            $plaintext,
+            self::CIPHER,
+            $key,
+            OPENSSL_RAW_DATA,
+            $nonce,
+            $tag,
+            '',
+            self::TAG_LEN
+        );
+        if ($ciphertext === false) {
+            return null;
+        }
+
+        // Package as: [nonce | tag | ciphertext], then base64-encode for storage
+        return base64_encode($nonce . $tag . $ciphertext);
+    }
+
+    public static function decryptSecret(?string $encoded): ?string {
+        if (!is_string($encoded) || $encoded === '') {
+            return null;
+        }
+        $blob = base64_decode($encoded, true);
+        if ($blob === false) {
+            return null;
+        }
+        if (strlen($blob) < self::NONCE_LEN + self::TAG_LEN) {
+            return null;
+        }
+
+        $nonce      = substr($blob, 0, self::NONCE_LEN);
+        $tag        = substr($blob, self::NONCE_LEN, self::TAG_LEN);
+        $ciphertext = substr($blob, self::NONCE_LEN + self::TAG_LEN);
+
+        $key = self::getKey();
+        $plaintext = openssl_decrypt(
+            $ciphertext,
+            self::CIPHER,
+            $key,
+            OPENSSL_RAW_DATA,
+            $nonce,
+            $tag,
+            ''
+        );
+
+        return ($plaintext === false) ? null : $plaintext;
+    }
+
+    public static function makeKey(bool $random = false, string $prefix = ''): string {
+        if ($random) {
+            return $prefix . bin2hex(random_bytes(16));
+        }
+        return $prefix . self::uuid7();
+    }
+
+    private static function uuid7(): string {
+        static $lastUnixMs = null;
+        static $sequence = 0;
+
+        $unixMs = (int) floor(microtime(true) * 1000);
+
+        if ($unixMs === $lastUnixMs) {
+            $sequence = ($sequence + 1) & 0x3FFF;
+            if ($sequence === 0) {
+                $unixMs++;
+            }
+        } else {
+            $sequence = random_int(0, 0x3FFF);
+            $lastUnixMs = $unixMs;
+        }
+
+        $time_high = ($unixMs >> 16) & 0xFFFFFFFF;
+        $time_low  = $unixMs & 0xFFFF;
+
+        $time_hi_and_version = ($time_low & 0x0FFF) | (0x7 << 12);
+        $clock_seq_hi_and_reserved = ($sequence & 0x3FFF) | 0x8000;
+
+        $randHex = bin2hex(random_bytes(6));
+
+        return sprintf(
+            '%08x-%04x-%04x-%04x-%012s',
+            $time_high,
+            $time_low,
+            $time_hi_and_version,
+            $clock_seq_hi_and_reserved,
+            $randHex
+        );
+    }
+}