Add sensitive data attribute

simplesamlphp · May 30, 2024 · 647f11c · 647f11c
1 parent aea3c7a
commit 647f11c
Show file tree

Hide file tree

Showing 17 changed files with 108 additions and 38 deletions.
diff --git a/src/Alg/Encryption/AES.php b/src/Alg/Encryption/AES.php
@@ -20,8 +20,11 @@ class AES extends AbstractEncryptor
      * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use.
      * @param string $algId The identifier of this algorithm.
      */
-    public function __construct(SymmetricKey $key, string $algId = C::BLOCK_ENC_AES256_GCM)
-    {
+    public function __construct(
+        #[\SensitiveParameter]
+        SymmetricKey $key,
+        string $algId = C::BLOCK_ENC_AES256_GCM,
+    ) {
         parent::__construct($key, $algId);
     }
 

diff --git a/src/Alg/Encryption/AbstractEncryptor.php b/src/Alg/Encryption/AbstractEncryptor.php
@@ -35,6 +35,7 @@ abstract class AbstractEncryptor implements EncryptionAlgorithmInterface
      * @param string $algId The identifier of this algorithm.
      */
     public function __construct(
+        #[\SensitiveParameter]
         private KeyInterface $key,
         protected string $algId,
     ) {

diff --git a/src/Alg/Encryption/EncryptionAlgorithmFactory.php b/src/Alg/Encryption/EncryptionAlgorithmFactory.php
@@ -96,8 +96,11 @@ public function __construct(
      * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given
      * algorithm is blacklisted, unknown or the given key is not suitable for it.
      */
-    public function getAlgorithm(string $algId, KeyInterface $key): EncryptionAlgorithmInterface
-    {
+    public function getAlgorithm(
+        string $algId,
+        #[\SensitiveParameter]
+        KeyInterface $key,
+    ): EncryptionAlgorithmInterface {
         Assert::false(
             ($this->blacklist !== null) && in_array($algId, $this->blacklist, true),
             sprintf('Blacklisted algorithm: \'%s\'.', $algId),

diff --git a/src/Alg/Encryption/TripleDES.php b/src/Alg/Encryption/TripleDES.php
@@ -19,8 +19,10 @@ class TripleDES extends AbstractEncryptor
      *
      * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use.
      */
-    public function __construct(SymmetricKey $key)
-    {
+    public function __construct(
+        #[\SensitiveParameter]
+        SymmetricKey $key,
+    ) {
         parent::__construct($key, C::BLOCK_ENC_3DES);
     }
 

diff --git a/src/Alg/KeyTransport/AbstractKeyTransporter.php b/src/Alg/KeyTransport/AbstractKeyTransporter.php
@@ -35,6 +35,7 @@ abstract class AbstractKeyTransporter implements KeyTransportAlgorithmInterface
      * @param string $algId The identifier of this algorithm.
      */
     public function __construct(
+        #[\SensitiveParameter]
         private KeyInterface $key,
         protected string $algId,
     ) {

diff --git a/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php b/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php
@@ -94,8 +94,11 @@ public function __construct(
      * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given
      * algorithm is blacklisted, unknown or the given key is not suitable for it.
      */
-    public function getAlgorithm(string $algId, KeyInterface $key): KeyTransportAlgorithmInterface
-    {
+    public function getAlgorithm(
+        string $algId,
+        #[\SensitiveParameter]
+        KeyInterface $key,
+    ): KeyTransportAlgorithmInterface {
         Assert::false(
             ($this->blacklist !== null) && in_array($algId, $this->blacklist, true),
             sprintf('Blacklisted algorithm: \'%s\'.', $algId),

diff --git a/src/Alg/KeyTransport/RSA.php b/src/Alg/KeyTransport/RSA.php
@@ -20,8 +20,11 @@ final class RSA extends AbstractKeyTransporter
      * @param \SimpleSAML\XMLSecurity\Key\AsymmetricKey $key The asymmetric key (either public or private) to use.
      * @param string $algId The identifier of this algorithm.
      */
-    public function __construct(AsymmetricKey $key, string $algId = C::KEY_TRANSPORT_OAEP_MGF1P)
-    {
+    public function __construct(
+        #[\SensitiveParameter]
+        AsymmetricKey $key,
+        string $algId = C::KEY_TRANSPORT_OAEP_MGF1P,
+    ) {
         parent::__construct($key, $algId);
     }
 

diff --git a/src/Alg/Signature/AbstractSigner.php b/src/Alg/Signature/AbstractSigner.php
@@ -36,6 +36,7 @@ abstract class AbstractSigner implements SignatureAlgorithmInterface
      * @param string $digest The identifier of the digest algorithm to use.
      */
     public function __construct(
+        #[\SensitiveParameter]
         private KeyInterface $key,
         protected string $algId,
         protected string $digest,

diff --git a/src/Alg/Signature/HMAC.php b/src/Alg/Signature/HMAC.php
@@ -25,8 +25,11 @@ final class HMAC extends AbstractSigner implements SignatureAlgorithmInterface
      * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use.
      * @param string $algId The identifier of this algorithm.
      */
-    public function __construct(SymmetricKey $key, string $algId = C::SIG_HMAC_SHA256)
-    {
+    public function __construct(
+        #[\SensitiveParameter]
+        SymmetricKey $key,
+        string $algId = C::SIG_HMAC_SHA256,
+    ) {
         parent::__construct($key, $algId, C::$HMAC_DIGESTS[$algId]);
     }
 

diff --git a/src/Alg/Signature/RSA.php b/src/Alg/Signature/RSA.php
@@ -20,8 +20,11 @@ final class RSA extends AbstractSigner implements SignatureAlgorithmInterface
      * @param \SimpleSAML\XMLSecurity\Key\AsymmetricKey $key The asymmetric key (either public or private) to use.
      * @param string $algId The identifier of this algorithm.
      */
-    public function __construct(AsymmetricKey $key, string $algId = C::SIG_RSA_SHA256)
-    {
+    public function __construct(
+        #[\SensitiveParameter]
+        AsymmetricKey $key,
+        string $algId = C::SIG_RSA_SHA256,
+    ) {
         parent::__construct($key, $algId, C::$RSA_DIGESTS[$algId]);
     }
 

diff --git a/src/Alg/Signature/SignatureAlgorithmFactory.php b/src/Alg/Signature/SignatureAlgorithmFactory.php
@@ -98,8 +98,11 @@ public function __construct(
      * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given
      * algorithm is blacklisted, unknown or the given key is not suitable for it.
      */
-    public function getAlgorithm(string $algId, KeyInterface $key): SignatureAlgorithmInterface
-    {
+    public function getAlgorithm(
+        string $algId,
+        #[\SensitiveParameter]
+        KeyInterface $key,
+    ): SignatureAlgorithmInterface {
         Assert::false(
             ($this->blacklist !== null) && in_array($algId, $this->blacklist, true),
             sprintf('Blacklisted algorithm: \'%s\'.', $algId),

diff --git a/src/Backend/EncryptionBackend.php b/src/Backend/EncryptionBackend.php
@@ -35,7 +35,11 @@ public function setCipher(string $cipher): void;
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while encrypting the plaintext.
      */
-    public function encrypt(KeyInterface $key, string $plaintext): string;
+    public function encrypt(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+    ): string;
 
 
     /**
@@ -48,5 +52,9 @@ public function encrypt(KeyInterface $key, string $plaintext): string;
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while decrypting the ciphertext.
      */
-    public function decrypt(KeyInterface $key, string $ciphertext): string;
+    public function decrypt(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $ciphertext,
+    ): string;
 }
diff --git a/src/Backend/HMAC.php b/src/Backend/HMAC.php
@@ -60,8 +60,11 @@ public function setDigestAlg(string $digest): void
      *
      * @return string The (binary) signature corresponding to the given plaintext.
      */
-    public function sign(KeyInterface $key, string $plaintext): string
-    {
+    public function sign(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+    ): string {
         return hash_hmac($this->digest, $plaintext, $key->getMaterial(), true);
     }
 
@@ -75,8 +78,12 @@ public function sign(KeyInterface $key, string $plaintext): string
      *
      * @return boolean True if the signature can be verified, false otherwise.
      */
-    public function verify(KeyInterface $key, string $plaintext, string $signature): bool
-    {
+    public function verify(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+        string $signature,
+    ): bool {
         return hash_equals(hash_hmac($this->digest, $plaintext, $key->getMaterial(), true), $signature);
     }
 }
diff --git a/src/Backend/OpenSSL.php b/src/Backend/OpenSSL.php
@@ -74,8 +74,11 @@ public function __construct()
      * @return string The encrypted plaintext (ciphertext).
      * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while encrypting the plaintext.
      */
-    public function encrypt(KeyInterface $key, string $plaintext): string
-    {
+    public function encrypt(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+    ): string {
         if ($key instanceof AsymmetricKey) {
             // asymmetric encryption
             $fn = 'openssl_public_encrypt';
@@ -127,8 +130,11 @@ public function encrypt(KeyInterface $key, string $plaintext): string
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while decrypting the ciphertext.
      */
-    public function decrypt(KeyInterface $key, string $ciphertext): string
-    {
+    public function decrypt(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $ciphertext,
+    ): string {
         if ($key instanceof AsymmetricKey) {
             // asymmetric encryption
             $fn = 'openssl_public_decrypt';
@@ -182,8 +188,11 @@ public function decrypt(KeyInterface $key, string $ciphertext): string
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while signing the plaintext.
      */
-    public function sign(KeyInterface $key, string $plaintext): string
-    {
+    public function sign(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+    ): string {
         if (!openssl_sign($plaintext, $signature, $key->getMaterial(), $this->digest)) {
             throw new OpenSSLException('Cannot sign data');
         }
@@ -200,8 +209,12 @@ public function sign(KeyInterface $key, string $plaintext): string
      *
      * @return boolean True if the signature can be verified, false otherwise.
      */
-    public function verify(KeyInterface $key, string $plaintext, string $signature): bool
-    {
+    public function verify(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+        string $signature,
+    ): bool {
         return openssl_verify($plaintext, $signature, $key->getMaterial(), $this->digest) === 1;
     }
 

diff --git a/src/Backend/SignatureBackend.php b/src/Backend/SignatureBackend.php
@@ -33,7 +33,11 @@ public function setDigestAlg(string $digest): void;
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while signing the plaintext.
      */
-    public function sign(KeyInterface $key, string $plaintext): string;
+    public function sign(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+    ): string;
 
 
     /**
@@ -45,5 +49,10 @@ public function sign(KeyInterface $key, string $plaintext): string;
      *
      * @return boolean True if the signature can be verified, false otherwise.
      */
-    public function verify(KeyInterface $key, string $plaintext, string $signature): bool;
+    public function verify(
+        #[\SensitiveParameter]
+        KeyInterface $key,
+        string $plaintext,
+        string $signature,
+    ): bool;
 }
diff --git a/src/Key/PrivateKey.php b/src/Key/PrivateKey.php
@@ -23,8 +23,10 @@ class PrivateKey extends AsymmetricKey
      *
      * @param \SimpleSAML\XMLSecurity\CryptoEncoding\PEM $key The PEM-encoded key material.
      */
-    final public function __construct(PEM $key)
-    {
+    final public function __construct(
+        #[\SensitiveParameter]
+        PEM $key,
+    ) {
         Assert::oneOf(
             $key->type(),
             [PEM::TYPE_PRIVATE_KEY, PEM::TYPE_RSA_PRIVATE_KEY],
@@ -45,8 +47,11 @@ final public function __construct(PEM $key)
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If the file cannot be read.
      */
-    public static function fromFile(string $file, string $passphrase = ''): static
-    {
+    public static function fromFile(
+        string $file,
+        #[\SensitiveParameter]
+        string $passphrase = '',
+    ): static {
         if (($key = openssl_pkey_get_private($file, $passphrase)) === false) {
             throw new OpenSSLException('Failed to read key');
         }

diff --git a/src/Key/PublicKey.php b/src/Key/PublicKey.php
@@ -45,8 +45,10 @@ class PublicKey extends AsymmetricKey
      *
      * @param \SimpleSAML\XMLSecurity\CryptoEncoding\PEM $key The PEM-encoded key material.
      */
-    final public function __construct(PEM $key)
-    {
+    final public function __construct(
+        #[\SensitiveParameter]
+        PEM $key,
+    ) {
         Assert::oneOf(
             $key->type(),
             [PEM::TYPE_PUBLIC_KEY, PEM::TYPE_RSA_PUBLIC_KEY],