refactor(cryptography): several fixes and improvements (#1764)

xHeaven · web-flow · commit ae05f565375c · 2025-12-07T15:55:43.000+01:00
diff --git a/packages/cryptography/src/Encryption/EncryptedData.php b/packages/cryptography/src/Encryption/EncryptedData.php
@@ -38,10 +38,18 @@ public static function unserialize(string $data): self
             throw EncryptedDataWasInvalid::dueToInvalidFormat();
         }
 
+        $payload = base64_decode($decoded['payload'], strict: true);
+        $iv = base64_decode($decoded['iv'], strict: true);
+        $tag = base64_decode($decoded['tag'], strict: true);
+
+        if ($payload === false || $iv === false || $tag === false) {
+            throw EncryptedDataWasInvalid::dueToInvalidFormat();
+        }
+
         return new self(
-            payload: base64_decode($decoded['payload'], strict: true),
-            iv: base64_decode($decoded['iv'], strict: true),
-            tag: base64_decode($decoded['tag'], strict: true),
+            payload: $payload,
+            iv: $iv,
+            tag: $tag,
             signature: new Signature($decoded['signature']),
             algorithm: EncryptionAlgorithm::from($decoded['algorithm']),
         );
diff --git a/packages/cryptography/src/Encryption/EncryptionKey.php b/packages/cryptography/src/Encryption/EncryptionKey.php
@@ -33,7 +33,13 @@ public static function generate(EncryptionAlgorithm $algorithm): self
      */
     public static function fromString(?string $key, EncryptionAlgorithm $algorithm): self
     {
-        return new self(base64_decode($key ?: '', strict: true), $algorithm);
+        $decoded = base64_decode($key ?: '', strict: true);
+
+        if ($decoded === false) {
+            $decoded = '';
+        }
+
+        return new self($decoded, $algorithm);
     }
 
     public function toString(): string
diff --git a/packages/cryptography/src/Password/BcryptConfig.php b/packages/cryptography/src/Password/BcryptConfig.php
@@ -2,8 +2,6 @@
 
 namespace Tempest\Cryptography\Password;
 
-use Tempest\Cryptography\Password\HashingAlgorithm;
-
 final class BcryptConfig implements PasswordHashingConfig
 {
     public HashingAlgorithm $algorithm = HashingAlgorithm::BCRYPT;
diff --git a/packages/cryptography/src/Password/Exceptions/HashingFailed.php b/packages/cryptography/src/Password/Exceptions/HashingFailed.php
@@ -15,4 +15,9 @@ public static function forEmptyPassword(): self
     {
         return new self('Could not hash an empty password.');
     }
+
+    public static function forInvalidHashingAlgorithm(): self
+    {
+        return new self('The specified hashing algorithm is not supported.');
+    }
 }
diff --git a/packages/cryptography/src/Password/GenericPasswordHasher.php b/packages/cryptography/src/Password/GenericPasswordHasher.php
@@ -2,8 +2,9 @@
 
 namespace Tempest\Cryptography\Password;
 
+use Error;
 use Tempest\Cryptography\Password\Exceptions\HashingFailed;
-use Tempest\Cryptography\Password\HashingAlgorithm;
+use ValueError;
 
 final class GenericPasswordHasher implements PasswordHasher
 {
@@ -17,22 +18,24 @@ public function __construct(
 
     public function hash(#[\SensitiveParameter] string $password): string
     {
-        $hash = password_hash($password, $this->algorithm->value, $this->config->options);
-
-        if ($hash === false) {
-            throw HashingFailed::forUnknownReason();
+        if ($password === '') {
+            throw HashingFailed::forEmptyPassword();
         }
 
-        if (mb_strlen($password) === 0) {
-            throw HashingFailed::forEmptyPassword();
+        try {
+            $hash = password_hash($password, $this->algorithm->value, $this->config->options);
+        } catch (ValueError) {
+            throw HashingFailed::forInvalidHashingAlgorithm();
+        } catch (Error) {
+            throw HashingFailed::forUnknownReason();
         }
 
         return $hash;
     }
 
     public function verify(#[\SensitiveParameter] string $password, #[\SensitiveParameter] string $hash): bool
     {
-        if (mb_strlen($hash) === 0) {
+        if ($password === '' || $hash === '') {
             return false;
         }
 
@@ -41,11 +44,19 @@ public function verify(#[\SensitiveParameter] string $password, #[\SensitivePara
 
     public function needsRehash(#[\SensitiveParameter] string $hash): bool
     {
+        if ($hash === '') {
+            return false;
+        }
+
         return password_needs_rehash($hash, $this->algorithm->value, $this->config->options);
     }
 
     public function analyze(#[\SensitiveParameter] string $hash): ?Hash
     {
+        if ($hash === '') {
+            return null;
+        }
+
         $info = password_get_info($hash);
 
         if ($info['algo'] === null) {
diff --git a/packages/cryptography/src/Password/PasswordHasher.php b/packages/cryptography/src/Password/PasswordHasher.php
@@ -2,8 +2,6 @@
 
 namespace Tempest\Cryptography\Password;
 
-use Tempest\Cryptography\Password\HashingAlgorithm;
-
 interface PasswordHasher
 {
     public HashingAlgorithm $algorithm {
@@ -16,7 +14,7 @@ interface PasswordHasher
     public function hash(#[\SensitiveParameter] string $password): string;
 
     /**
-     * Checks if the given pain-text password matches the given hash.
+     * Checks if the given plain-text password matches the given hash.
      */
     public function verify(#[\SensitiveParameter] string $password, string $hash): bool;
 
@@ -27,7 +25,7 @@ public function verify(#[\SensitiveParameter] string $password, string $hash): b
     public function needsRehash(#[\SensitiveParameter] string $hash): bool;
 
     /**
-     * Returns informations about the given hash, such as the algorithm used and its options.
+     * Returns information about the given hash, such as the algorithm used and its options.
      */
     public function analyze(#[\SensitiveParameter] string $hash): ?Hash;
 }

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,13 @@ public static function generate(EncryptionAlgorithm $algorithm): self`
`33`	`33`	`*/`
`34`	`34`	`public static function fromString(?string $key, EncryptionAlgorithm $algorithm): self`
`35`	`35`	`{`
`36`		`- return new self(base64_decode($key ?: '', strict: true), $algorithm);`
	`36`	`+ $decoded = base64_decode($key ?: '', strict: true);`
	`37`	`+`
	`38`	`+ if ($decoded === false) {`
	`39`	`+ $decoded = '';`
	`40`	`+ }`
	`41`	`+`
	`42`	`+ return new self($decoded, $algorithm);`
`37`	`43`	`}`
`38`	`44`
`39`	`45`	`public function toString(): string`
Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,6 @@`
`2`	`2`
`3`	`3`	`namespace Tempest\Cryptography\Password;`
`4`	`4`
`5`		`-use Tempest\Cryptography\Password\HashingAlgorithm;`
`6`		`-`
`7`	`5`	`final class BcryptConfig implements PasswordHashingConfig`
`8`	`6`	`{`
`9`	`7`	`public HashingAlgorithm $algorithm = HashingAlgorithm::BCRYPT;`
Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,9 @@ public static function forEmptyPassword(): self`
`15`	`15`	`{`
`16`	`16`	`return new self('Could not hash an empty password.');`
`17`	`17`	`}`
	`18`	`+`
	`19`	`+ public static function forInvalidHashingAlgorithm(): self`
	`20`	`+ {`
	`21`	`+ return new self('The specified hashing algorithm is not supported.');`
	`22`	`+ }`
`18`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,9 @@`
`2`	`2`
`3`	`3`	`namespace Tempest\Cryptography\Password;`
`4`	`4`
	`5`	`+use Error;`
`5`	`6`	`use Tempest\Cryptography\Password\Exceptions\HashingFailed;`
`6`		`-use Tempest\Cryptography\Password\HashingAlgorithm;`
	`7`	`+use ValueError;`
`7`	`8`
`8`	`9`	`final class GenericPasswordHasher implements PasswordHasher`
`9`	`10`	`{`
`@@ -17,22 +18,24 @@ public function __construct(`
`17`	`18`
`18`	`19`	`public function hash(#[\SensitiveParameter] string $password): string`
`19`	`20`	`{`
`20`		`- $hash = password_hash($password, $this->algorithm->value, $this->config->options);`
`21`		`-`
`22`		`- if ($hash === false) {`
`23`		`- throw HashingFailed::forUnknownReason();`
	`21`	`+ if ($password === '') {`
	`22`	`+ throw HashingFailed::forEmptyPassword();`
`24`	`23`	`}`
`25`	`24`
`26`		`- if (mb_strlen($password) === 0) {`
`27`		`- throw HashingFailed::forEmptyPassword();`
	`25`	`+ try {`
	`26`	`+ $hash = password_hash($password, $this->algorithm->value, $this->config->options);`
	`27`	`+ } catch (ValueError) {`
	`28`	`+ throw HashingFailed::forInvalidHashingAlgorithm();`
	`29`	`+ } catch (Error) {`
	`30`	`+ throw HashingFailed::forUnknownReason();`
`28`	`31`	`}`
`29`	`32`
`30`	`33`	`return $hash;`
`31`	`34`	`}`
`32`	`35`
`33`	`36`	`public function verify(#[\SensitiveParameter] string $password, #[\SensitiveParameter] string $hash): bool`
`34`	`37`	`{`
`35`		`- if (mb_strlen($hash) === 0) {`
	`38`	`+ if ($password === '' \|\| $hash === '') {`
`36`	`39`	`return false;`
`37`	`40`	`}`
`38`	`41`
`@@ -41,11 +44,19 @@ public function verify(#[\SensitiveParameter] string $password, #[\SensitivePara`
`41`	`44`
`42`	`45`	`public function needsRehash(#[\SensitiveParameter] string $hash): bool`
`43`	`46`	`{`
	`47`	`+ if ($hash === '') {`
	`48`	`+ return false;`
	`49`	`+ }`
	`50`	`+`
`44`	`51`	`return password_needs_rehash($hash, $this->algorithm->value, $this->config->options);`
`45`	`52`	`}`
`46`	`53`
`47`	`54`	`public function analyze(#[\SensitiveParameter] string $hash): ?Hash`
`48`	`55`	`{`
	`56`	`+ if ($hash === '') {`
	`57`	`+ return null;`
	`58`	`+ }`
	`59`	`+`
`49`	`60`	`$info = password_get_info($hash);`
`50`	`61`
`51`	`62`	`if ($info['algo'] === null) {`