symfony
diff --git a/‎composer.json
Copy file name to clipboardExpand all lines: composer.json
+2-1Lines changed: 2 additions & 1 deletion b/‎composer.json
Copy file name to clipboardExpand all lines: composer.json
+2-1Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
+11-3Lines changed: 11 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
+11-3Lines changed: 11 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Encryption/PhpseclibEncryption.php
Copy file name to clipboard
+160Lines changed: 160 additions & 0 deletions b/‎src/Symfony/Component/Security/Core/Encryption/PhpseclibEncryption.php
Copy file name to clipboard
+160Lines changed: 160 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Core/Exception/WrongEncryptionKeyException.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/WrongEncryptionKeyException.php
+1-1Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/Security/Core/Exception/WrongEncryptionKeyException.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Exception/WrongEncryptionKeyException.php
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Encryption/SodiumEncryptionTest.php renamed to ‎src/Symfony/Component/Security/Core/Tests/Encryption/AbstractAsymmetricEncryptionTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Encryption/AbstractAsymmetricEncryptionTest.php
+21-43Lines changed: 21 additions & 43 deletions b/‎src/Symfony/Component/Security/Core/Tests/Encryption/SodiumEncryptionTest.php renamed to ‎src/Symfony/Component/Security/Core/Tests/Encryption/AbstractAsymmetricEncryptionTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Core/Tests/Encryption/AbstractAsymmetricEncryptionTest.php
+21-43Lines changed: 21 additions & 43 deletions
@@ -135,7 +135,8 @@
         "phpdocumentor/reflection-docblock": "^3.0|^4.0|^5.0",
         "twig/cssinliner-extra": "^2.12",
         "twig/inky-extra": "^2.12",
-        "twig/markdown-extra": "^2.12"
+        "twig/markdown-extra": "^2.12",
+        "phpseclib/phpseclib": "^2.0.29"
     },
     "conflict": {
         "async-aws/core": "<1.5",
 
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
+use phpseclib\Crypt\AES;
 use Symfony\Bundle\SecurityBundle\CacheWarmer\ExpressionCacheWarmer;
 use Symfony\Bundle\SecurityBundle\EventListener\FirewallEventBubblingListener;
 use Symfony\Bundle\SecurityBundle\EventListener\FirewallListener;
@@ -37,6 +38,7 @@
 use Symfony\Component\Security\Core\Encoder\UserPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
 use Symfony\Component\Security\Core\Encryption\AsymmetricEncryptionInterface;
+use Symfony\Component\Security\Core\Encryption\PhpseclibEncryption;
 use Symfony\Component\Security\Core\Encryption\SodiumEncryption;
 use Symfony\Component\Security\Core\Encryption\SymmetricEncryptionInterface;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
@@ -61,6 +63,9 @@
         ->set('security.role_hierarchy.roles', [])
     ;
 
+    $sodiumInstalled = \function_exists('sodium_crypto_box_keypair');
+    $phpseclibInstalled = class_exists(AES::class);
+
     $container->services()
         ->set('security.authorization_checker', AuthorizationChecker::class)
             ->public()
@@ -100,12 +105,15 @@
             ->tag('controller.argument_value_resolver', ['priority' => 40])
 
         ->set('security.encryption.sodium', SodiumEncryption::class)
-            ->abstract()
             ->args([
                 '%kernel.secret%',
             ])
-        ->alias(SymmetricEncryptionInterface::class, 'security.encryption.sodium')
-        ->alias(AsymmetricEncryptionInterface::class, 'security.encryption.sodium')
+        ->set('security.encryption.phpseclib', PhpseclibEncryption::class)
+            ->args([
+                '%kernel.secret%',
+            ])
+        ->alias(SymmetricEncryptionInterface::class, $phpseclibInstalled && !$sodiumInstalled ? 'security.encryption.phpseclib' : 'security.encryption.sodium')
+        ->alias(AsymmetricEncryptionInterface::class, $phpseclibInstalled && !$sodiumInstalled ? 'security.encryption.phpseclib' : 'security.encryption.sodium')
 
         // Authentication related services
         ->set('security.authentication.trust_resolver', AuthenticationTrustResolver::class)
 
@@ -0,0 +1,160 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encryption;
+
+use phpseclib\Crypt\AES;
+use phpseclib\Crypt\RSA;
+use Symfony\Component\Security\Core\Exception\EncryptionException;
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
+use Symfony\Component\Security\Core\Exception\MalformedCipherException;
+use Symfony\Component\Security\Core\Exception\UnsupportedAlgorithmException;
+use Symfony\Component\Security\Core\Exception\WrongEncryptionKeyException;
+
+if (!class_exists(RSA::class)) {
+    throw new \LogicException('You cannot use "Symfony\Component\Security\Core\Encryption\PhpseclibEncryption" as the "phpseclib/phpseclib:2.x" package is not installed. Try running "composer require phpseclib/phpseclib:^2".');
+}
+
+/**
+ * The secret key length should be 32 bytes, but other sizes are accepted.
+ *
+ * @author Tobias Nyholm <tobias.nyholm@gmail.com>
+ * @experimental in 5.2
+ */
+class PhpseclibEncryption implements SymmetricEncryptionInterface, AsymmetricEncryptionInterface
+{
+    /**
+     * @var string application secret
+     */
+    private $secret;
+
+    public function __construct(string $secret)
+    {
+        $this->secret = $secret;
+    }
+
+    public function generateKeypair(): array
+    {
+        $rsa = new RSA();
+        $key = $rsa->createKey();
+
+        if ($key['partialkey']) {
+            throw new EncryptionException('Failed to generate RSA keypair.');
+        }
+
+        return [
+            'public' => $key['publickey'],
+            'private' => $key['privatekey'],
+        ];
+    }
+
+    public function encrypt(string $message, ?string $publicKey = null, ?string $privateKey = null): string
+    {
+        set_error_handler(__CLASS__.'::throwError');
+        $nonce = random_bytes(16);
+        try {
+            if (null === $publicKey) {
+                $algorithm = 'aes';
+                $aes = new AES();
+                $aes->setKey($this->secret);
+                $cipher = $aes->encrypt($message);
+            } elseif (null === $privateKey) {
+                $algorithm = 'rsa';
+                $rsa = new RSA();
+                $rsa->loadKey($publicKey);
+                $cipher = $rsa->encrypt($message);
+            } elseif (null !== $publicKey && null !== $privateKey) {
+                $algorithm = 'rsa_signature_pss';
+                $rsa = new RSA();
+                $rsa->loadKey($publicKey);
+                $cipher = $rsa->encrypt($message);
+
+                // Load private key after encryption
+                $rsa->loadKey($privateKey);
+                $rsa->setSignatureMode(RSA::SIGNATURE_PSS);
+                $nonce = $rsa->sign($cipher);
+            } else {
+                throw new InvalidArgumentException('Private key cannot have a value when no public key is provided.');
+            }
+        } catch (\ErrorException $exception) {
+            throw new EncryptionException(sprintf('Failed to encrypt message with algorithm "%s".', $algorithm), 0, $exception);
+        } finally {
+            restore_error_handler();
+        }
+
+        return sprintf('%s.%s.%s', base64_encode($cipher), base64_encode($algorithm), base64_encode($nonce));
+    }
+
+    public function decrypt(string $message, ?string $privateKey = null, ?string $publicKey = null): string
+    {
+        // Make sure the message has two periods
+        $parts = explode('.', $message);
+        if (false === $parts || 3 !== \count($parts)) {
+            throw new MalformedCipherException();
+        }
+
+        [$cipher, $algorithm, $nonce] = $parts;
+        $algorithm = base64_decode($algorithm);
+        $ciphertext = base64_decode($cipher, true);
+        $nonce = base64_decode($nonce, true);
+
+        set_error_handler(__CLASS__.'::throwError');
+        try {
+            if ('rsa' === $algorithm) {
+                if (null !== $publicKey) {
+                    throw new WrongEncryptionKeyException();
+                }
+
+                $rsa = new RSA();
+                $rsa->loadKey($privateKey);
+                $output = $rsa->decrypt($ciphertext);
+            } elseif ('rsa_signature_pss' === $algorithm) {
+                if (null === $publicKey) {
+                    throw new WrongEncryptionKeyException();
+                }
+                $rsa = new RSA();
+                $rsa->loadKey($publicKey);
+                $verify = $rsa->verify($ciphertext, $nonce);
+                if (!$verify) {
+                    throw new WrongEncryptionKeyException();
+                }
+
+                // Load private key after verification
+                $rsa->loadKey($privateKey);
+                $output = $rsa->decrypt($ciphertext);
+            } elseif ('aes' === $algorithm) {
+                $aes = new AES();
+                $aes->setKey($this->secret);
+                $output = $aes->decrypt($ciphertext);
+            } else {
+                throw new UnsupportedAlgorithmException($algorithm);
+            }
+        } catch (\ErrorException $exception) {
+            throw new EncryptionException(sprintf('Failed to decrypt message with algorithm "%s".', $algorithm), 0, $exception);
+        } finally {
+            restore_error_handler();
+        }
+
+        if (false === $output) {
+            throw new WrongEncryptionKeyException();
+        }
+
+        return $output;
+    }
+
+    /**
+     * @internal
+     */
+    public static function throwError($type, $message, $file, $line)
+    {
+        throw new \ErrorException($message, 0, $type, $file, $line);
+    }
+}
@@ -14,7 +14,7 @@
 /**
  * @author Tobias Nyholm <tobias.nyholm@gmail.com>
  */
-class WrongEncryptionKeyException extends \Exception implements EncryptionExceptionInterface
+class WrongEncryptionKeyException extends EncryptionException implements EncryptionExceptionInterface
 {
     public function __construct(\Throwable $previous = null)
     {
 
@@ -12,29 +12,20 @@
 namespace Symfony\Component\Security\Core\Tests\Encryption;
 
 use PHPUnit\Framework\TestCase;
-use Symfony\Component\Security\Core\Encryption\SodiumEncryption;
+use Symfony\Component\Security\Core\Encryption\AsymmetricEncryptionInterface;
+use Symfony\Component\Security\Core\Exception\EncryptionException;
 use Symfony\Component\Security\Core\Exception\MalformedCipherException;
 use Symfony\Component\Security\Core\Exception\UnsupportedAlgorithmException;
 use Symfony\Component\Security\Core\Exception\WrongEncryptionKeyException;
 
-class SodiumEncryptionTest extends TestCase
+/**
+ * @author Tobias Nyholm <tobias.nyholm@gmail.com>
+ */
+abstract class AbstractAsymmetricEncryptionTest extends TestCase
 {
-    public function testEncryption()
-    {
-        $sodium = new SodiumEncryption('s3cr3t');
-        $cipher = $sodium->encrypt('');
-        $this->assertNotEmpty('input', $cipher);
-        $this->assertTrue(\strlen($cipher) > 10);
-        $this->assertNotEquals('input', $sodium->encrypt('input'));
-
-        $cipher = $sodium->encrypt($input = 'random_string');
-        $sodium = new SodiumEncryption('different_secret');
-        $this->assertNotEquals($cipher, $sodium->encrypt($input));
-    }
-
     public function testAsymmetricEncryption()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
 
@@ -46,7 +37,7 @@ public function testAsymmetricEncryption()
 
     public function testAsymmetricEncryptionWithIdentification()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
 
@@ -57,17 +48,9 @@ public function testAsymmetricEncryptionWithIdentification()
         $this->assertNotEquals('input', $sodium->encrypt('input', $bobPublic, $alicePrivate));
     }
 
-    public function testDecryption()
-    {
-        $sodium = new SodiumEncryption('s3cr3t');
-
-        $this->assertEquals($input = '', $sodium->decrypt($sodium->encrypt($input)));
-        $this->assertEquals($input = 'foobar', $sodium->decrypt($sodium->encrypt($input)));
-    }
-
     public function testAsymmetricDecryption()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
 
         $cipher = $sodium->encrypt($input = 'input', $alicePublic);
@@ -76,7 +59,7 @@ public function testAsymmetricDecryption()
 
     public function testAsymmetricDecryptionWithIdentification()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
 
@@ -86,7 +69,7 @@ public function testAsymmetricDecryptionWithIdentification()
 
     public function testAsymmetricDecryptionUnableToVerifySender()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
 
@@ -98,7 +81,7 @@ public function testAsymmetricDecryptionUnableToVerifySender()
 
     public function testAsymmetricDecryptionIgnoreToVerifySender()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
 
@@ -108,48 +91,43 @@ public function testAsymmetricDecryptionIgnoreToVerifySender()
         $this->assertEquals($input, $sodium->decrypt($cipher, $bobPrivate));
     }
 
-    public function testDecryptionThrowsOnMalformedCipher()
-    {
-        $sodium = new SodiumEncryption('s3cr3t');
-        $this->expectException(MalformedCipherException::class);
-        $sodium->decrypt('foo');
-    }
-
     public function testAsymmetricDecryptionThrowsOnMalformedCipher()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         $this->expectException(MalformedCipherException::class);
         $sodium->decrypt('foo', 'private', 'public');
     }
 
     public function testDecryptionThrowsOnUnsupportedAlgorithm()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         $this->expectException(UnsupportedAlgorithmException::class);
-        $sodium->decrypt('foo.bar.baz');
+        $sodium->decrypt('foo.bar.baz', 'private', 'public');
     }
 
     public function testAsymmetricDecryptionThrowsExceptionOnWrongPublicKey()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
         ['public' => $evePublic, 'private' => $evePrivate] = $sodium->generateKeypair();
 
         $cipher = $sodium->encrypt('input', $bobPublic, $alicePrivate);
-        $this->expectException(WrongEncryptionKeyException::class);
+        $this->expectException(EncryptionException::class);
         $sodium->decrypt($cipher, $bobPrivate, $evePublic);
     }
 
     public function testAsymmetricDecryptionThrowsExceptionOnWrongPrivateKey()
     {
-        $sodium = new SodiumEncryption('s3cr3t');
+        $sodium = $this->getAsymmetricEncryption();
         ['public' => $alicePublic, 'private' => $alicePrivate] = $sodium->generateKeypair();
         ['public' => $bobPublic, 'private' => $bobPrivate] = $sodium->generateKeypair();
         ['public' => $evePublic, 'private' => $evePrivate] = $sodium->generateKeypair();
 
         $cipher = $sodium->encrypt('input', $bobPublic, $alicePrivate);
-        $this->expectException(WrongEncryptionKeyException::class);
+        $this->expectException(EncryptionException::class);
         $sodium->decrypt($cipher, $evePrivate, $alicePublic);
     }
+
+    abstract protected function getAsymmetricEncryption(): AsymmetricEncryptionInterface;
 }
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`/**`
`15`	`15`	`* @author Tobias Nyholm <tobias.nyholm@gmail.com>`
`16`	`16`	`*/`
`17`		`-class WrongEncryptionKeyException extends \Exception implements EncryptionExceptionInterface`
	`17`	`+class WrongEncryptionKeyException extends EncryptionException implements EncryptionExceptionInterface`
`18`	`18`	`{`
`19`	`19`	`public function __construct(\Throwable $previous = null)`
`20`	`20`	`{`