feat: add hmac signer

Author: innocenzi

packages/cryptography/src/Signing/Exceptions/SigningException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Tempest\Cryptography\Signing\Exceptions;
+
+interface SigningException
+{
+}

packages/cryptography/src/Signing/Exceptions/SigningKeyWasMissing.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Tempest\Cryptography\Signing\Exceptions;
+
+use Exception;
+
+final class SigningKeyWasMissing extends Exception implements SigningException
+{
+    public function __construct()
+    {
+        parent::__construct('Signing key is not configured. Ensure you have a `SIGNING_KEY` environment variable.');
+    }
+}

packages/cryptography/src/Signing/GenericSigner.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+use Tempest\Cryptography\Signing\Exceptions\SigningKeyWasMissing;
+
+final class GenericSigner implements Signer
+{
+    public SigningAlgorithm $algorithm {
+        get => $this->config->algorithm;
+    }
+
+    private string $key {
+        get {
+            if (trim($this->config->key) === '') {
+                throw new SigningKeyWasMissing();
+            }
+
+            return $this->config->key;
+        }
+    }
+
+    public function __construct(
+        private readonly SigningConfig $config,
+    ) {}
+
+    public function sign(string $data): Signature
+    {
+        return new Signature(hash_hmac(
+            algo: $this->algorithm->value,
+            data: $data,
+            key: $this->key,
+        ));
+    }
+
+    public function verify(string $data, Signature $signature): bool
+    {
+        return hash_equals(
+            known_string: $this->sign($data)->signature,
+            user_string: $signature->signature,
+        );
+    }
+}

packages/cryptography/src/Signing/Signature.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+use Stringable;
+
+final readonly class Signature implements Stringable
+{
+    public function __construct(
+        public string $signature,
+    ) {}
+
+    public function __toString(): string
+    {
+        return $this->signature;
+    }
+}

packages/cryptography/src/Signing/Signer.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+interface Signer
+{
+    public SigningAlgorithm $algorithm {
+        get;
+    }
+
+    /**
+     * Signs the given data.
+     */
+    public function sign(string $data): Signature;
+
+    /**
+     * Verifies the integrity and provenance of the given data thanks to the given user-provided signature.
+     */
+    public function verify(string $data, Signature $signature): bool;
+}

packages/cryptography/src/Signing/SignerInitializer.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+use Tempest\Container\Container;
+use Tempest\Container\Initializer;
+use Tempest\Container\Singleton;
+
+final class SignerInitializer implements Initializer
+{
+    #[Singleton]
+    public function initialize(Container $container): Signer
+    {
+        return new GenericSigner($container->get(SigningConfig::class));
+    }
+}

packages/cryptography/src/Signing/SigningAlgorithm.php

@@ -0,0 +1,11 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+enum SigningAlgorithm: string
+{
+    case SHA256 = 'sha256';
+    case SHA512 = 'sha512';
+    case SHA3_256 = 'sha3-256';
+    case SHA3_512 = 'sha3-512';
+}

packages/cryptography/src/Signing/SigningConfig.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Tempest\Cryptography\Signing;
+
+final class SigningConfig
+{
+    /**
+     * @param SigningAlgorithm $algorithm The algorithm used for signing and verifying signatures.
+     * @param non-empty-string $key The key used for signing and verifying signatures.
+     */
+    public function __construct(
+        public SigningAlgorithm $algorithm,
+        #[\SensitiveParameter]
+        public string $key,
+    ) {}
+}

packages/cryptography/src/Signing/signing.config.php

@@ -0,0 +1,9 @@
+<?php
+
+use Tempest\Cryptography\Signing\SigningAlgorithm;
+use Tempest\Cryptography\Signing\SigningConfig;
+
+return new SigningConfig(
+    algorithm: SigningAlgorithm::SHA256,
+    key: Tempest\env('SIGNING_KEY', default: ''),
+);

packages/cryptography/tests/Signing/SignerTest.php

@@ -0,0 +1,137 @@
+<?php
+
+namespace Tempest\Cryptography\Tests\Signing;
+
+use PHPUnit\Framework\TestCase;
+use Tempest\Cryptography\Signing\Exceptions\SigningKeyWasMissing;
+use Tempest\Cryptography\Signing\GenericSigner;
+use Tempest\Cryptography\Signing\SigningAlgorithm;
+use Tempest\Cryptography\Signing\SigningConfig;
+
+final class SignerTest extends TestCase
+{
+    public function test_good_signature(): void
+    {
+        $signer = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'my_secret_key',
+        ));
+
+        $data = 'important data';
+        $signature = $signer->sign($data);
+
+        $this->assertTrue($signer->verify($data, $signature));
+    }
+
+    public function test_bad_signature(): void
+    {
+        $signer = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'my_secret_key',
+        ));
+
+        $data = 'important data';
+        $signature = $signer->sign($data);
+
+        // Tamper with the data
+        $tamperedData = 'tampered data';
+
+        $this->assertFalse($signer->verify($tamperedData, $signature));
+    }
+
+    public function test_different_algoritms(): void
+    {
+        $signer1 = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'my_secret_key',
+        ));
+
+        $signer2 = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA512,
+            key: 'my_secret_key',
+        ));
+
+        $data = 'important data';
+        $signature1 = $signer1->sign($data);
+        $signature2 = $signer2->sign($data);
+
+        // Signatures should be different due to different algorithms
+        $this->assertNotEquals($signature1, $signature2);
+
+        // Verify with the correct signer
+        $this->assertTrue($signer1->verify($data, $signature1));
+        $this->assertTrue($signer2->verify($data, $signature2));
+
+        // Verify with the wrong signer
+        $this->assertFalse($signer1->verify($data, $signature2));
+        $this->assertFalse($signer2->verify($data, $signature1));
+    }
+
+    public function test_no_signing_key(): void
+    {
+        $this->expectException(SigningKeyWasMissing::class);
+
+        $signer = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: '',
+        ));
+
+        $signer->sign('important data');
+    }
+
+    public function test_empty_data(): void
+    {
+        $signer = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'my_secret_key',
+        ));
+
+        $signature = $signer->sign('');
+
+        // An empty string should still produce a valid signature
+        $this->assertTrue($signer->verify('', $signature));
+    }
+
+    public function test_consistent_signature(): void
+    {
+        $signer = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'my_secret_key',
+        ));
+
+        $data = 'important data';
+        $signature1 = $signer->sign($data);
+        $signature2 = $signer->sign($data);
+
+        // Signing the same data should produce the same signature
+        $this->assertEquals($signature1, $signature2);
+    }
+
+    public function test_different_keys(): void
+    {
+        $signer1 = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA256,
+            key: 'signer1_key_foo',
+        ));
+
+        $signer2 = new GenericSigner(new SigningConfig(
+            algorithm: SigningAlgorithm::SHA512,
+            key: 'signer2_key_bar',
+        ));
+
+        $data = 'important data';
+        $signature1 = $signer1->sign($data);
+        $signature2 = $signer2->sign($data);
+
+        // Signatures should be different due to different keys
+        $this->assertNotEquals($signature1, $signature2);
+
+        // Verify with the correct signer
+        $this->assertTrue($signer1->verify($data, $signature1));
+        $this->assertTrue($signer2->verify($data, $signature2));
+
+        // Verify with the wrong signer
+        $this->assertFalse($signer1->verify($data, $signature2));
+        $this->assertFalse($signer2->verify($data, $signature1));
+    }
+}