feat(cryptography): introduce cryptography component

composer.json

@@ -82,6 +82,7 @@
         "tempest/console": "self.version",
         "tempest/container": "self.version",
         "tempest/core": "self.version",
+        "tempest/cryptography": "self.version",
         "tempest/database": "self.version",
         "tempest/datetime": "self.version",
         "tempest/debug": "self.version",
@@ -119,6 +120,7 @@
             "Tempest\\Console\\": "packages/console/src",
             "Tempest\\Container\\": "packages/container/src",
             "Tempest\\Core\\": "packages/core/src",
+            "Tempest\\Cryptography\\": "packages/cryptography/src",
             "Tempest\\Database\\": "packages/database/src",
             "Tempest\\DateTime\\": "packages/datetime/src",
             "Tempest\\Debug\\": "packages/debug/src",
@@ -185,6 +187,7 @@
             "Tempest\\Console\\Tests\\": "packages/console/tests",
             "Tempest\\Container\\Tests\\": "packages/container/tests",
             "Tempest\\Core\\Tests\\": "packages/core/tests",
+            "Tempest\\Cryptography\\Tests\\": "packages/cryptography/tests",
             "Tempest\\Database\\Tests\\": "packages/database/tests",
             "Tempest\\DateTime\\Tests\\": "packages/datetime/tests",
             "Tempest\\EventBus\\Tests\\": "packages/event-bus/tests",

packages/clock/src/GenericClock.php

@@ -41,10 +41,9 @@ public function milliseconds(): int
 
     public function sleep(int|Duration $milliseconds): void
     {
-        if ($milliseconds instanceof Duration) {
-            $milliseconds = (int) $milliseconds->getTotalMilliseconds();
-        }
-
-        usleep($milliseconds * MILLISECONDS_PER_SECOND);
+        usleep(match (true) {
+            is_int($milliseconds) => $milliseconds * MILLISECONDS_PER_SECOND,
+            $milliseconds instanceof Duration => (int) $milliseconds->getTotalMicroseconds(),
+        });
     }
 }

packages/cryptography/.gitattributes

@@ -0,0 +1,14 @@
+# Exclude build/test files from the release
+.github/                  export-ignore
+tests/                    export-ignore
+.gitattributes            export-ignore
+.gitignore                export-ignore
+phpunit.xml               export-ignore
+README.md                 export-ignore
+
+# Configure diff output
+*.view.php diff=html
+*.php diff=php
+*.css diff=css
+*.html diff=html
+*.md diff=markdown

packages/cryptography/LICENSE.md

@@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Brent Roose [email protected]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

packages/cryptography/composer.json

@@ -0,0 +1,22 @@
+{
+    "name": "tempest/cryptography",
+    "description": "A component for working with passwords, hashing, and cryptography.",
+    "license": "MIT",
+    "minimum-stability": "dev",
+    "require": {
+        "php": "^8.4",
+        "tempest/container": "dev-main",
+        "tempest/support": "dev-main",
+        "tempest/clock": "dev-main"
+    },
+    "autoload": {
+        "psr-4": {
+            "Tempest\\Cryptography\\": "src"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Tempest\\Cryptography\\Tests\\": "tests"
+        }
+    }
+}

packages/cryptography/phpunit.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/11.4/phpunit.xsd"
+	bootstrap="vendor/autoload.php"
+	executionOrder="depends,defects"
+	beStrictAboutOutputDuringTests="true"
+	displayDetailsOnPhpunitDeprecations="true"
+	failOnPhpunitDeprecation="false"
+	failOnRisky="true"
+	failOnWarning="true"
+>
+	<testsuites>
+		<testsuite name="Tempest cryptography">
+			<directory>tests</directory>
+		</testsuite>
+	</testsuites>
+	<source restrictNotices="true" restrictWarnings="true" ignoreIndirectDeprecations="true">
+		<include>
+			<directory>src</directory>
+		</include>
+	</source>
+</phpunit>

packages/cryptography/src/CreateSigningKeyCommand.php

@@ -0,0 +1,63 @@
+<?php
+
+namespace Tempest\Cryptography;
+
+use Tempest\Console\Console;
+use Tempest\Console\ConsoleCommand;
+use Tempest\Console\ExitCode;
+use Tempest\Cryptography\Encryption\EncryptionConfig;
+use Tempest\Cryptography\Encryption\EncryptionKey;
+use Tempest\Support\Filesystem;
+use Tempest\Support\Regex;
+use Tempest\Support\Str;
+
+use function Tempest\root_path;
+
+final readonly class CreateSigningKeyCommand
+{
+    public function __construct(
+        private EncryptionConfig $encryptionConfig,
+        private Console $console,
+    ) {}
+
+    #[ConsoleCommand('key:generate', description: 'Generates the signing key required to sign and verify data.')]
+    public function __invoke(): ExitCode
+    {
+        $key = EncryptionKey::generate($this->encryptionConfig->algorithm);
+
+        $this->console->writeln();
+        $this->console->success('Signing key generated successfully.');
+
+        $this->createDotEnvIfNotExists();
+        $this->addToDotEnv($key->toString());
+
+        return ExitCode::SUCCESS;
+    }
+
+    private function getDotEnvPath(): string
+    {
+        return root_path('.env');
+    }
+
+    private function addToDotEnv(string $key): void
+    {
+        $file = Filesystem\read_file($this->getDotEnvPath());
+
+        if (! Str\contains($file, 'SIGNING_KEY=')) {
+            $file .= "\nSIGNING_KEY={$key}\n";
+        } else {
+            $file = Regex\replace($file, '/^SIGNING_KEY=.*$/m', "SIGNING_KEY={$key}");
+        }
+
+        Filesystem\write_file($this->getDotEnvPath(), $file);
+    }
+
+    private function createDotEnvIfNotExists(): void
+    {
+        if (Filesystem\exists($this->getDotEnvPath())) {
+            return;
+        }
+
+        Filesystem\create_file($this->getDotEnvPath());
+    }
+}

packages/cryptography/src/Encryption/EncryptedData.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+use Stringable;
+use Tempest\Cryptography\Encryption\Exceptions\EncryptedDataWasInvalid;
+use Tempest\Cryptography\Signing\Signature;
+use Tempest\Support\Json;
+
+final readonly class EncryptedData implements Stringable
+{
+    public function __construct(
+        private(set) string $payload,
+        private(set) string $iv,
+        private(set) string $tag,
+        private(set) Signature $signature,
+        private(set) EncryptionAlgorithm $algorithm,
+    ) {}
+
+    public function serialize(): string
+    {
+        $data = [
+            'payload' => base64_encode($this->payload),
+            'iv' => base64_encode($this->iv),
+            'tag' => base64_encode($this->tag),
+            'signature' => $this->signature->value,
+            'algorithm' => $this->algorithm->value,
+        ];
+
+        return base64_encode(Json\encode($data));
+    }
+
+    public static function unserialize(string $data): self
+    {
+        $decoded = Json\decode(base64_decode($data, strict: true));
+
+        if (! is_array($decoded) || ! isset($decoded['payload'], $decoded['iv'], $decoded['tag'], $decoded['signature'], $decoded['algorithm'])) {
+            throw EncryptedDataWasInvalid::dueToInvalidFormat();
+        }
+
+        return new self(
+            payload: base64_decode($decoded['payload'], strict: true),
+            iv: base64_decode($decoded['iv'], strict: true),
+            tag: base64_decode($decoded['tag'], strict: true),
+            signature: new Signature($decoded['signature']),
+            algorithm: EncryptionAlgorithm::from($decoded['algorithm']),
+        );
+    }
+
+    public function __toString(): string
+    {
+        return $this->serialize();
+    }
+}

packages/cryptography/src/Encryption/Encrypter.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+interface Encrypter
+{
+    public EncryptionAlgorithm $algorithm {
+        get;
+    }
+
+    /**
+     * Encrypts the specified data.
+     */
+    public function encrypt(#[\SensitiveParameter] string $data): EncryptedData;
+
+    /**
+     * Decrypts the specified data.
+     */
+    public function decrypt(string|EncryptedData $data): string;
+}

packages/cryptography/src/Encryption/EncrypterInitializer.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+use Tempest\Container\Container;
+use Tempest\Container\Initializer;
+use Tempest\Container\Singleton;
+use Tempest\Cryptography\Signing\Signer;
+
+final class EncrypterInitializer implements Initializer
+{
+    #[Singleton]
+    public function initialize(Container $container): Encrypter
+    {
+        return new GenericEncrypter(
+            signer: $container->get(Signer::class),
+            config: $container->get(EncryptionConfig::class),
+        );
+    }
+}

packages/cryptography/src/Encryption/EncryptionAlgorithm.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+enum EncryptionAlgorithm: string
+{
+    case AES_256_GCM = 'aes-256-gcm';
+    case AES_256_CBC = 'aes-256-cbc';
+    case AES_128_GCM = 'aes-128-gcm';
+    case AES_128_CBC = 'aes-128-cbc';
+    case CHACHA20_POLY1305 = 'chacha20-poly1305';
+
+    /**
+     * Returns the length of the key, in bytes, for the encryption algorithm.
+     */
+    public function getKeyLength(): int
+    {
+        return openssl_cipher_key_length($this->value);
+    }
+
+    /**
+     * Returns the initialization vector (IV) length for the encryption algorithm.
+     */
+    public function getIvLength(): int
+    {
+        return openssl_cipher_iv_length($this->value);
+    }
+
+    /**
+     * Determines if the encryption algorithm allows embedding associated data.
+     *
+     * @see https://en.wikipedia.org/wiki/Authenticated_encryption
+     */
+    public function isAead(): bool
+    {
+        return match ($this) {
+            self::AES_256_GCM, self::AES_128_GCM, self::CHACHA20_POLY1305 => true,
+            self::AES_256_CBC, self::AES_128_CBC => false,
+        };
+    }
+}

packages/cryptography/src/Encryption/EncryptionConfig.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+final class EncryptionConfig
+{
+    /**
+     * @param EncryptionAlgorithm $algorithm The algorithm used for encrypting and decrypting values.
+     * @param non-empty-string $key A private, secure encryption key.
+     */
+    public function __construct(
+        public EncryptionAlgorithm $algorithm,
+        #[\SensitiveParameter]
+        public readonly ?string $key,
+    ) {}
+}

packages/cryptography/src/Encryption/EncryptionKey.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption;
+
+use Stringable;
+use Tempest\Cryptography\Encryption\Exceptions\EncryptionKeyWasInvalid;
+
+final readonly class EncryptionKey implements Stringable
+{
+    public function __construct(
+        private(set) string $value,
+        private(set) EncryptionAlgorithm $algorithm,
+    ) {
+        if (trim($value) === '') {
+            throw EncryptionKeyWasInvalid::becauseItIsMissing($algorithm);
+        }
+
+        if (strlen($value) !== $algorithm->getKeyLength()) {
+            throw EncryptionKeyWasInvalid::becauseLengthMismatched($algorithm);
+        }
+    }
+
+    /**
+     * Generates a new cryptographically secure key using the specified algorithm.
+     */
+    public static function generate(EncryptionAlgorithm $algorithm): self
+    {
+        return new self(random_bytes($algorithm->getKeyLength()), $algorithm);
+    }
+
+    /**
+     * Creates an encryption key from a string.
+     */
+    public static function fromString(?string $key, EncryptionAlgorithm $algorithm): self
+    {
+        return new self(base64_decode($key ?: '', strict: true), $algorithm);
+    }
+
+    public function toString(): string
+    {
+        return base64_encode($this->value);
+    }
+
+    public function __toString(): string
+    {
+        return $this->toString();
+    }
+}

packages/cryptography/src/Encryption/Exceptions/AlgorithmMismatched.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Tempest\Cryptography\Encryption\Exceptions;
+
+use Exception;
+
+final class AlgorithmMismatched extends Exception implements EncryptionException
+{
+    public static function betweenKeyAndData(): self
+    {
+        return new self('The encryption algorithm used for the key does not match the algorithm used for the data. Ensure that both are using the same algorithm.');
+    }
+}