Pulling in sapsaldog/client-encryption-php.

Author: rfeelin

.gitignore

@@ -2,4 +2,6 @@
 vendor
 tests.xml
 coverage.xml
-.scannerwork
+.scannerwork
+.phpunit.result.cache
+composer.lock

composer.json

@@ -18,12 +18,14 @@
         }
     ],
     "require": {
-        "phpseclib/phpseclib": "^2.0",
-        "symfony/polyfill-php70": "^1.19"
+        "phpseclib/phpseclib": "~3.0",
+        "symfony/polyfill-php70": "^1.19",
+        "galbar/jsonpath": "^2.0"
     },
     "require-dev": {
         "guzzlehttp/guzzle": "^6.2",
-        "yoast/phpunit-polyfills": "^1.0"
+        "yoast/phpunit-polyfills": "^1.0",
+        "phake/phake": "*"
     },
     "suggest": {
         "psr/http-message": "Allow usage of the PsrHttpMessageEncryptionInterceptor class"

src/Developer/Encryption/AES/AESCBC.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace Mastercard\Developer\Encryption\AES;
+
+use Mastercard\Developer\Encryption\EncryptionException;
+use phpseclib3\Crypt\AES;
+
+class AESCBC
+{
+    private function __construct(){
+        // This class can't be instantiated
+    }
+
+    /**
+     * @param string $iv
+     * @param string $key
+     * @param string $bytes
+     * @throws EncryptionException
+     * @return string
+     */
+    public static function encrypt($iv, $key, $bytes) {
+        $aes = new AES('cbc');
+        $aes->setKey($key);
+        $aes->setIV($iv);
+        $encryptedBytes = $aes->encrypt($bytes);
+        if (false === $encryptedBytes) {
+            throw new EncryptionException('Failed to encrypt bytes!');
+        }
+        return $encryptedBytes;
+    }
+
+    /**
+     * @param string $iv
+     * @param string $key
+     * @param string $encryptedBytes
+     * @throws EncryptionException
+     * @return string
+     */
+    public static function decrypt($iv, $key, $encryptedBytes) {
+        $aes = new AES('cbc');
+        $aes->setKey($key);
+        $aes->setIV($iv);
+        $bytes = $aes->decrypt($encryptedBytes);
+        if (false === $bytes) {
+            throw new EncryptionException('Failed to decrypt bytes with the provided key and IV!');
+        }
+        return $bytes;
+    }    
+}

src/Developer/Encryption/AES/AESEncryption.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace Mastercard\Developer\Encryption\AES;
+
+class AESEncryption
+{
+    private function __construct()
+    {
+        // Nothing to do here
+    }
+
+
+    /**
+     * @param string            $cipher_algo
+     * @return string 
+     */    
+    public static function generateIv($cipher_algo = 'AES-128-CBC')
+    {
+        $ivLength = openssl_cipher_iv_length($cipher_algo);
+        $iv = openssl_random_pseudo_bytes($ivLength);
+
+        return $iv;
+    }
+
+    /**
+     * @param int            $bitLength
+     * @return string 
+     */    
+    public static function generateCek($bitLength)
+    {
+        return openssl_random_pseudo_bytes($bitLength / 8);
+    }
+}

src/Developer/Encryption/AES/AESGCM.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace Mastercard\Developer\Encryption\AES;
+
+use phpseclib3\Crypt\AES;
+
+class AESGCM
+{
+    private function __construct()
+    {
+    }
+
+    /**
+     * @param string $iv
+     * @param string $key
+     * @param string $authTag
+     * @param string $aad
+     * @param string $cipherText
+     * @return string
+     */
+    public static function decrypt($iv, $key, $authTag, $aad, $cipherText)
+    {
+        $cipher = new AES('gcm');
+        $cipher->setNonce($iv);
+        $cipher->setKey($key);
+        $cipher->disablePadding();
+        $cipher->setTag($authTag);
+        $cipher->setAAD($aad);
+        return $cipher->decrypt($cipherText);
+    }
+}

src/Developer/Encryption/EncryptionConfig.php

@@ -0,0 +1,178 @@
+<?php
+
+namespace Mastercard\Developer\Encryption;
+
+use Mastercard\Developer\Keys\DecryptionKey;
+use Mastercard\Developer\Keys\EncryptionKey;
+
+abstract class EncryptionConfig
+{
+    /**
+     * The different methods of encryption
+     */
+    /**
+     * The encryption scheme to be used
+     */
+    protected $scheme = EncryptionConfigScheme::LEGACY;
+
+    /**
+     * @var string|null
+     * The SHA-256 hex-encoded digest of the key used for encryption (optional, the digest will be
+     * automatically computed if this field is null or empty).
+     * Example: "c3f8ef7053c4fb306f7476e7d1956f0aa992ff9dfdd5244b912a1d377ff3a84f"
+     */
+    protected $encryptionKeyFingerprint = null;
+
+    /**
+     * @var EncryptionKey
+     * A certificate object whose public key will be used for encryption.
+     */
+    protected $encryptionCertificate;
+
+    /**
+     * @var DecryptionKey
+     * A private key object to be used for decryption.
+     */
+    protected $decryptionKey;
+
+    /**
+     * @var array
+     * A list of JSON paths to encrypt in request payloads.
+     * Example:
+     * <pre>
+     * new HashMap<>() {
+     *     {
+     *         put("$.path.to.element.to.be.encrypted", "$.path.to.object.where.to.store.encryption.fields");
+     *     }
+     * }
+     * </pre>
+     */
+    private $encryptionPaths = [];
+
+    /**
+     * @var array
+     * A list of JSON paths to decrypt in response payloads.
+     * Example:
+     * <pre>
+     * new HashMap<>() {
+     *     {
+     *         put("$.path.to.object.with.encryption.fields", "$.path.where.to.write.decrypted.element");
+     *     }
+     * }
+     * </pre>
+     */
+    private $decryptionPaths = [];
+
+    /**
+     * @var string|null
+     * The name of the payload field where to write/read the encrypted data value.
+     */
+    protected $encryptedValueFieldName = null;
+
+    /**
+     * @return string|null
+     */
+    public function getEncryptionKeyFingerprint()
+    {
+        return $this->encryptionKeyFingerprint;
+    }
+
+    /**
+     * @return EncryptionKey
+     */    
+    public function getEncryptionCertificate()
+    {
+        return $this->encryptionCertificate;
+    }
+
+    /**
+     * @return DecryptionKey
+     */
+    public function getDecryptionKey()
+    {
+        return $this->decryptionKey;
+    }
+
+    /**
+     * @return int
+     */    
+    public function getScheme()
+    {
+        return $this->scheme;
+    }
+
+    /**
+     * @return array
+     */    
+    public function getEncryptionPaths()
+    {
+        return $this->encryptionPaths;
+    }
+
+    /**
+     * @return array
+     */    
+    public function getDecryptionPaths()
+    {
+        return $this->decryptionPaths;
+    }
+
+    /**
+     * @return string
+     */    
+    public function getEncryptedValueFieldName()
+    {
+        return $this->encryptedValueFieldName;
+    }    
+
+    /**
+     * @param string|null $encryptionKeyFingerprint 
+     */    
+    public function setEncryptionKeyFingerprint($encryptionKeyFingerprint)
+    {
+        $this->encryptionKeyFingerprint = $encryptionKeyFingerprint;
+    }
+
+    /**
+     * @param string $encryptionCertificate 
+     */    
+    public function setEncryptionCertificate($encryptionCertificate)
+    {
+        $this->encryptionCertificate = $encryptionCertificate;
+    }
+
+    /**
+     * @param string|null $decryptionKey 
+     */    
+    public function setDecryptionKey($decryptionKey)
+    {
+        $this->decryptionKey = $decryptionKey;
+    }
+
+    /**
+     * @param string $encryptedValueFieldName 
+     */    
+    public function setEncryptedValueFieldName($encryptedValueFieldName)
+    {
+        $this->encryptedValueFieldName = $encryptedValueFieldName;
+    }
+
+    /**
+     * @param array $encryptionPaths
+     */    
+    public function setEncryptionPaths($encryptionPaths)
+    {
+        $this->encryptionPaths = $encryptionPaths;
+    }
+
+    /**
+     * @param array $decryptionPaths
+     */    
+    public function setDecryptionPaths($decryptionPaths)
+    {
+        $this->decryptionPaths = $decryptionPaths;
+    }
+
+
+    
+}

src/Developer/Encryption/EncryptionConfigBuilder.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace Mastercard\Developer\Encryption;
+
+use Mastercard\Developer\Json\JsonPath;
+use Mastercard\Developer\Keys\DecryptionKey;
+use Mastercard\Developer\Keys\EncryptionKey;
+
+abstract class EncryptionConfigBuilder
+{
+    /**
+     * @var EncryptionKey
+     */
+    protected $encryptionCertificate;
+
+    /**
+     * @var string|null
+     */
+    protected $encryptionKeyFingerprint = null;
+
+    /**
+     * @var DecryptionKey
+     */
+    protected $decryptionKey;
+
+    /**
+     * @var array
+     */
+    protected $encryptionPaths = [];
+
+    /**
+     * @var array
+     */
+    protected $decryptionPaths = [];
+
+    /**
+     * @var string|null
+     */
+    protected $encryptedValueFieldName = null;
+
+    protected function computeEncryptionKeyFingerprintWhenNeeded()
+    {
+        try {
+            if ($this->encryptionCertificate == null || isset($this->encryptionKeyFingerprint)) {
+                // No encryption certificate set or key fingerprint already provided
+                return;
+            }
+
+            $cert = openssl_x509_read($this->encryptionCertificate->getBytes());
+            $this->encryptionKeyFingerprint = openssl_x509_fingerprint($cert, 'sha256');
+        } catch (\Exception $e) {
+            throw new EncryptionException("Failed to compute encryption key fingerprint!", $e);
+        }
+    }
+
+    protected function checkJsonPathParameterValues()
+    {
+        foreach ($this->decryptionPaths as $key => $value) {
+            if (!JsonPath::isPathDefinite($key) || !JsonPath::isPathDefinite($value)) {
+                throw new \InvalidArgumentException("JSON paths for decryption must point to a single item!");
+            }
+        }
+
+        foreach ($this->encryptionPaths as $key => $value) {
+            if (!JsonPath::isPathDefinite($key) || !JsonPath::isPathDefinite($value)) {
+                throw new \InvalidArgumentException("JSON paths for decryption must point to a single item!");
+            }
+        }
+    }
+}