starekrow / lockbox Goto Github PK
View Code? Open in Web Editor NEWEncrypted storage with built-in key management facilities
License: MIT License
Encrypted storage with built-in key management facilities
License: MIT License
Hi
I'm trying to use lockbox but it fails on my computer (localhost, Windows 10).
I'm using the code below (a copy/paste from your readme.md) and I receive a fatal error when calling the Lock() method.
I'm under PHP 7.2.0 (it's working fine under PHP 5.6.25 or 7.0.10). I've just install PHP 7.2.1, same result : NOK.
Can you give advices please ? Any installation problem on my computer ?
Thanks.
define ('DS', DIRECTORY_SEPARATOR);
use starekrow\Lockbox\CryptoKey;
use starekrow\Lockbox\Secret;
use starekrow\Lockbox\Vault;
$lib = 'some_dir';
// Include Lockbox
require_once $lib."CryptoCore.php";
require_once $lib."CryptoCoreLoader.php";
require_once $lib."CryptoCoreFailed.php";
require_once $lib."CryptoCoreBuiltin.php";
require_once $lib."CryptoCoreOpenssl.php";
require_once $lib."Crypto.php";
require_once $lib."CryptoKey.php";
require_once $lib."Secret.php";
require_once $lib."Vault.php";
// CryptoKey defaults to AES-128-CBC encryption with a random key
$key = new CryptoKey();
$message = "You can't see me.";
echo $key->Lock( $message ).'<hr/>';
$key = new CryptoKey( "ILikeCheese", null, "AES-256-ECB" );
$no_see_um = $key->Lock( "This text is safe." );
echo $no_see_um.'<hr/>';
$see_um = $key->Unlock( $no_see_um );
echo $see_um.'<hr/>';
Full error message :
Fatal error: Uncaught Exception: Unknown algorithm in
libs\lockbox\CryptoCoreBuiltin.php:86 Stack trace:
#0 libs\lockbox\Crypto.php(84): starekrow\Lockbox\CryptoCoreBuiltin->ivlen('AES-128-CBC')
#1 libs\lockbox\CryptoKey.php(129): starekrow\Lockbox\Crypto::ivlen('AES-128-CBC')
#2 test.php(28): starekrow\Lockbox\CryptoKey->lock('You can't see m...')
#3 {main} thrown in libs\lockbox\CryptoCoreBuiltin.php on line 86
Getting distribution right is apparently hard. I've started a branch for a new module called KeyDrop that will handle that. It will supply all of the guts for a client/server model for secret distribution, with an offline master keyring.
I think this actually solves the entire question of how to securely configure a server; each KeyDrop client only needs a couple of items - the client ID and client key - to automatically and securely pull, store and update when needed all the other secrets assigned to that client.
I think some sort of CI should be ran on pull requests
Travis CI is free for open source projects
https://docs.travis-ci.com/user/languages/php/
Change comments format to phpdoc for better IDE support :)
https://github.com/phpDocumentor/fig-standards/blob/master/proposed/phpdoc.md
For improved interoperability, CryptoKey
should have some facility for returning and accepting raw binary ciphertext and IVs.
For example, update the signature of Lock()
to accept a second argument $raw
. If true, return an array of [ "iv" => "...", "data" => "..." ]. Likewise, Unlock()
could accept such an array.
I see you bumped the version to php 7 because of phpunit. I quick tested and it looks like I can get phpunit 4.x running with 2 minor changes to the tests (which supports php 5.5).
Although, I still like the idea of supporting 7+ (or 5.6+) because of PHP security patching support, but I also think the version shouldn't be bumped just because of the testing framework.
PHP support: http://php.net/supported-versions.php
see KJLJon@d8be026 for 5.5+ fix.
@starekrow what are your thoughts? I can send a PR for the commit listed above if you still want to support php 5.5+
Hi guys,
We should use a well-tested library for tests (such as PhpUnit) instead of custom TestFramework
I think a version should be tagged so it will be easier to install via composer. I recommend following symver
I am open to either one of these versions (depending on what your thoughts of the stability of the package is):
The CryptoKey tests offer an amount of indirect coverage, but there should be some explicit exercise of Failed, Builtin and Openssl (and Sodium when it arrives)
I think psr-2 (which includes adopting psr-1) should be adopted.
http://www.php-fig.org/psr/psr-2/
The downside it is changes almost every line (since spaces are used instead of tabs).
I think the HMAC hashing algorithm should be configurable and included in the export function.
For example, if I wanted to use sha512 instead of sha256
This is a potential solution to support random bytes. (it is also released under MIT license, and can be required with composer)
see https://github.com/paragonie/random_compat
lockbox/src/CryptoCoreBuiltin.php
Lines 70 to 80 in 4af2d72
I think the file system calls in Vault should be abstracted into an interface so the vault could be stored in other locations and someone could leverage packages like flysystem.
Of course default it with the file system for ease of use.
namespace starekrow\lockbox;
interface FileSystemInterface {
/**
* gets the content of a file
* @param string $file
* @return string
*/
public function get($file);
/**
* puts content into a file
* @param string $file
* @param string $content
* @return bool if it was successful
*/
public function put($file, $content);
/**
* checks if the file exists
* @param string $file
* @return bool if it exists
*/
public function has($file);
}
namespace starekrow\lockbox;
class LocalFileSystem implements FileSystemInterface {
/**
* @inheritdoc
*/
public function get($file)
{
return @file_get_contents($file);
}
/**
* @inheritdoc
*/
public function put($file, $content)
{
return @file_put_contents($file, $content);
}
/**
* @inheritdoc
*/
public function has($file)
{
return file_exists($file);
}
}
It would be nice to have optional support for libsodium as an alternative to the openssl
extension, since libsodium is moving into core.
This could be hacked in place, or done by isolating the crypto use in CryptoKey. Either way might complicate cipher selection (needs research).
I am not a security expert, but I typically read that the HMAC and Encryption keys should be different.
A unique key can be derived from a hkdf function. If your targeting >= php 7 then you can use hash_hkdf()
What versions of PHP are you looking to support?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.