117 lines
3.2 KiB
PHP
117 lines
3.2 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
defined('ABSPATH') or die;
|
|
|
|
class Crypto {
|
|
private const VERSION = '1.1';
|
|
|
|
// --- Configuration ---
|
|
private const CIPHER = 'aes-256-gcm';
|
|
private const NONCE_LEN = 12;
|
|
private const TAG_LEN = 16;
|
|
|
|
private static function getKey(): string {
|
|
$material = (defined('CRYPTO_SALT_1') ? CRYPTO_SALT_1 : AUTH_SALT) .
|
|
(defined('CRYPTO_SALT_2') ? CRYPTO_SALT_2 : SECURE_AUTH_SALT) .
|
|
'crypto-v1';
|
|
return hash('sha256', $material, true); // 32 bytes for AES-256
|
|
}
|
|
|
|
public static function encryptSecret(?string $plaintext): ?string {
|
|
if (!is_string($plaintext) || $plaintext === '') {
|
|
return null;
|
|
}
|
|
$key = self::getKey();
|
|
$nonce = random_bytes(self::NONCE_LEN);
|
|
|
|
$ciphertext = openssl_encrypt(
|
|
$plaintext,
|
|
self::CIPHER,
|
|
$key,
|
|
OPENSSL_RAW_DATA,
|
|
$nonce,
|
|
$tag,
|
|
'',
|
|
self::TAG_LEN
|
|
);
|
|
if ($ciphertext === false) {
|
|
return null;
|
|
}
|
|
|
|
// Package as: [nonce | tag | ciphertext], then base64-encode for storage
|
|
return base64_encode($nonce . $tag . $ciphertext);
|
|
}
|
|
|
|
public static function decryptSecret(?string $encoded): ?string {
|
|
if (!is_string($encoded) || $encoded === '') {
|
|
return null;
|
|
}
|
|
$blob = base64_decode($encoded, true);
|
|
if ($blob === false) {
|
|
return null;
|
|
}
|
|
if (strlen($blob) < self::NONCE_LEN + self::TAG_LEN) {
|
|
return null;
|
|
}
|
|
|
|
$nonce = substr($blob, 0, self::NONCE_LEN);
|
|
$tag = substr($blob, self::NONCE_LEN, self::TAG_LEN);
|
|
$ciphertext = substr($blob, self::NONCE_LEN + self::TAG_LEN);
|
|
|
|
$key = self::getKey();
|
|
$plaintext = openssl_decrypt(
|
|
$ciphertext,
|
|
self::CIPHER,
|
|
$key,
|
|
OPENSSL_RAW_DATA,
|
|
$nonce,
|
|
$tag,
|
|
''
|
|
);
|
|
|
|
return ($plaintext === false) ? null : $plaintext;
|
|
}
|
|
|
|
public static function makeKey(bool $random = false, string $prefix = ''): string {
|
|
if ($random) {
|
|
return $prefix . bin2hex(random_bytes(16));
|
|
}
|
|
return $prefix . self::uuid7();
|
|
}
|
|
|
|
private static function uuid7(): string {
|
|
static $lastUnixMs = null;
|
|
static $sequence = 0;
|
|
|
|
$unixMs = (int) floor(microtime(true) * 1000);
|
|
|
|
if ($unixMs === $lastUnixMs) {
|
|
$sequence = ($sequence + 1) & 0x3FFF;
|
|
if ($sequence === 0) {
|
|
$unixMs++;
|
|
}
|
|
} else {
|
|
$sequence = random_int(0, 0x3FFF);
|
|
$lastUnixMs = $unixMs;
|
|
}
|
|
|
|
$time_high = ($unixMs >> 16) & 0xFFFFFFFF;
|
|
$time_low = $unixMs & 0xFFFF;
|
|
|
|
$time_hi_and_version = ($time_low & 0x0FFF) | (0x7 << 12);
|
|
$clock_seq_hi_and_reserved = ($sequence & 0x3FFF) | 0x8000;
|
|
|
|
$randHex = bin2hex(random_bytes(6));
|
|
|
|
return sprintf(
|
|
'%08x-%04x-%04x-%04x-%012s',
|
|
$time_high,
|
|
$time_low,
|
|
$time_hi_and_version,
|
|
$clock_seq_hi_and_reserved,
|
|
$randHex
|
|
);
|
|
}
|
|
}
|