diff --git a/src/Alg/Encryption/AES.php b/src/Alg/Encryption/AES.php index 9379cb78..e4ad3c2c 100644 --- a/src/Alg/Encryption/AES.php +++ b/src/Alg/Encryption/AES.php @@ -20,8 +20,11 @@ class AES extends AbstractEncryptor * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use. * @param string $algId The identifier of this algorithm. */ - public function __construct(SymmetricKey $key, string $algId = C::BLOCK_ENC_AES256_GCM) - { + public function __construct( + #[\SensitiveParameter] + SymmetricKey $key, + string $algId = C::BLOCK_ENC_AES256_GCM, + ) { parent::__construct($key, $algId); } diff --git a/src/Alg/Encryption/AbstractEncryptor.php b/src/Alg/Encryption/AbstractEncryptor.php index ea7c048a..de8c8eee 100644 --- a/src/Alg/Encryption/AbstractEncryptor.php +++ b/src/Alg/Encryption/AbstractEncryptor.php @@ -35,6 +35,7 @@ abstract class AbstractEncryptor implements EncryptionAlgorithmInterface * @param string $algId The identifier of this algorithm. */ public function __construct( + #[\SensitiveParameter] private KeyInterface $key, protected string $algId, ) { diff --git a/src/Alg/Encryption/EncryptionAlgorithmFactory.php b/src/Alg/Encryption/EncryptionAlgorithmFactory.php index 69ca61c2..ce9475b4 100644 --- a/src/Alg/Encryption/EncryptionAlgorithmFactory.php +++ b/src/Alg/Encryption/EncryptionAlgorithmFactory.php @@ -96,8 +96,11 @@ public function __construct( * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given * algorithm is blacklisted, unknown or the given key is not suitable for it. */ - public function getAlgorithm(string $algId, KeyInterface $key): EncryptionAlgorithmInterface - { + public function getAlgorithm( + string $algId, + #[\SensitiveParameter] + KeyInterface $key, + ): EncryptionAlgorithmInterface { Assert::false( ($this->blacklist !== null) && in_array($algId, $this->blacklist, true), sprintf('Blacklisted algorithm: \'%s\'.', $algId), diff --git a/src/Alg/Encryption/TripleDES.php b/src/Alg/Encryption/TripleDES.php index 5bbaa122..46e6f975 100644 --- a/src/Alg/Encryption/TripleDES.php +++ b/src/Alg/Encryption/TripleDES.php @@ -19,8 +19,10 @@ class TripleDES extends AbstractEncryptor * * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use. */ - public function __construct(SymmetricKey $key) - { + public function __construct( + #[\SensitiveParameter] + SymmetricKey $key, + ) { parent::__construct($key, C::BLOCK_ENC_3DES); } diff --git a/src/Alg/KeyTransport/AbstractKeyTransporter.php b/src/Alg/KeyTransport/AbstractKeyTransporter.php index fb9847f8..7dd9a037 100644 --- a/src/Alg/KeyTransport/AbstractKeyTransporter.php +++ b/src/Alg/KeyTransport/AbstractKeyTransporter.php @@ -35,6 +35,7 @@ abstract class AbstractKeyTransporter implements KeyTransportAlgorithmInterface * @param string $algId The identifier of this algorithm. */ public function __construct( + #[\SensitiveParameter] private KeyInterface $key, protected string $algId, ) { diff --git a/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php b/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php index 4a0106a8..79cccafd 100644 --- a/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php +++ b/src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php @@ -94,8 +94,11 @@ public function __construct( * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given * algorithm is blacklisted, unknown or the given key is not suitable for it. */ - public function getAlgorithm(string $algId, KeyInterface $key): KeyTransportAlgorithmInterface - { + public function getAlgorithm( + string $algId, + #[\SensitiveParameter] + KeyInterface $key, + ): KeyTransportAlgorithmInterface { Assert::false( ($this->blacklist !== null) && in_array($algId, $this->blacklist, true), sprintf('Blacklisted algorithm: \'%s\'.', $algId), diff --git a/src/Alg/KeyTransport/RSA.php b/src/Alg/KeyTransport/RSA.php index 2245b7a6..bd79ddfe 100644 --- a/src/Alg/KeyTransport/RSA.php +++ b/src/Alg/KeyTransport/RSA.php @@ -20,8 +20,11 @@ final class RSA extends AbstractKeyTransporter * @param \SimpleSAML\XMLSecurity\Key\AsymmetricKey $key The asymmetric key (either public or private) to use. * @param string $algId The identifier of this algorithm. */ - public function __construct(AsymmetricKey $key, string $algId = C::KEY_TRANSPORT_OAEP_MGF1P) - { + public function __construct( + #[\SensitiveParameter] + AsymmetricKey $key, + string $algId = C::KEY_TRANSPORT_OAEP_MGF1P, + ) { parent::__construct($key, $algId); } diff --git a/src/Alg/Signature/AbstractSigner.php b/src/Alg/Signature/AbstractSigner.php index 4c780f07..6b30d6fb 100644 --- a/src/Alg/Signature/AbstractSigner.php +++ b/src/Alg/Signature/AbstractSigner.php @@ -36,6 +36,7 @@ abstract class AbstractSigner implements SignatureAlgorithmInterface * @param string $digest The identifier of the digest algorithm to use. */ public function __construct( + #[\SensitiveParameter] private KeyInterface $key, protected string $algId, protected string $digest, diff --git a/src/Alg/Signature/HMAC.php b/src/Alg/Signature/HMAC.php index 62b5c753..071f35b2 100644 --- a/src/Alg/Signature/HMAC.php +++ b/src/Alg/Signature/HMAC.php @@ -25,8 +25,11 @@ final class HMAC extends AbstractSigner implements SignatureAlgorithmInterface * @param \SimpleSAML\XMLSecurity\Key\SymmetricKey $key The symmetric key to use. * @param string $algId The identifier of this algorithm. */ - public function __construct(SymmetricKey $key, string $algId = C::SIG_HMAC_SHA256) - { + public function __construct( + #[\SensitiveParameter] + SymmetricKey $key, + string $algId = C::SIG_HMAC_SHA256, + ) { parent::__construct($key, $algId, C::$HMAC_DIGESTS[$algId]); } diff --git a/src/Alg/Signature/RSA.php b/src/Alg/Signature/RSA.php index 58435942..d5592eb2 100644 --- a/src/Alg/Signature/RSA.php +++ b/src/Alg/Signature/RSA.php @@ -20,8 +20,11 @@ final class RSA extends AbstractSigner implements SignatureAlgorithmInterface * @param \SimpleSAML\XMLSecurity\Key\AsymmetricKey $key The asymmetric key (either public or private) to use. * @param string $algId The identifier of this algorithm. */ - public function __construct(AsymmetricKey $key, string $algId = C::SIG_RSA_SHA256) - { + public function __construct( + #[\SensitiveParameter] + AsymmetricKey $key, + string $algId = C::SIG_RSA_SHA256, + ) { parent::__construct($key, $algId, C::$RSA_DIGESTS[$algId]); } diff --git a/src/Alg/Signature/SignatureAlgorithmFactory.php b/src/Alg/Signature/SignatureAlgorithmFactory.php index 3dcd7b24..8dbb806a 100644 --- a/src/Alg/Signature/SignatureAlgorithmFactory.php +++ b/src/Alg/Signature/SignatureAlgorithmFactory.php @@ -98,8 +98,11 @@ public function __construct( * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given * algorithm is blacklisted, unknown or the given key is not suitable for it. */ - public function getAlgorithm(string $algId, KeyInterface $key): SignatureAlgorithmInterface - { + public function getAlgorithm( + string $algId, + #[\SensitiveParameter] + KeyInterface $key, + ): SignatureAlgorithmInterface { Assert::false( ($this->blacklist !== null) && in_array($algId, $this->blacklist, true), sprintf('Blacklisted algorithm: \'%s\'.', $algId), diff --git a/src/Backend/EncryptionBackend.php b/src/Backend/EncryptionBackend.php index 7453e112..0b1c8141 100644 --- a/src/Backend/EncryptionBackend.php +++ b/src/Backend/EncryptionBackend.php @@ -35,7 +35,11 @@ public function setCipher(string $cipher): void; * * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while encrypting the plaintext. */ - public function encrypt(KeyInterface $key, string $plaintext): string; + public function encrypt( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + ): string; /** @@ -48,5 +52,9 @@ public function encrypt(KeyInterface $key, string $plaintext): string; * * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while decrypting the ciphertext. */ - public function decrypt(KeyInterface $key, string $ciphertext): string; + public function decrypt( + #[\SensitiveParameter] + KeyInterface $key, + string $ciphertext, + ): string; } diff --git a/src/Backend/HMAC.php b/src/Backend/HMAC.php index bb4f40eb..12bc958e 100644 --- a/src/Backend/HMAC.php +++ b/src/Backend/HMAC.php @@ -60,8 +60,11 @@ public function setDigestAlg(string $digest): void * * @return string The (binary) signature corresponding to the given plaintext. */ - public function sign(KeyInterface $key, string $plaintext): string - { + public function sign( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + ): string { return hash_hmac($this->digest, $plaintext, $key->getMaterial(), true); } @@ -75,8 +78,12 @@ public function sign(KeyInterface $key, string $plaintext): string * * @return boolean True if the signature can be verified, false otherwise. */ - public function verify(KeyInterface $key, string $plaintext, string $signature): bool - { + public function verify( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + string $signature, + ): bool { return hash_equals(hash_hmac($this->digest, $plaintext, $key->getMaterial(), true), $signature); } } diff --git a/src/Backend/OpenSSL.php b/src/Backend/OpenSSL.php index a49fe2f8..820f5572 100644 --- a/src/Backend/OpenSSL.php +++ b/src/Backend/OpenSSL.php @@ -74,8 +74,11 @@ public function __construct() * @return string The encrypted plaintext (ciphertext). * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while encrypting the plaintext. */ - public function encrypt(KeyInterface $key, string $plaintext): string - { + public function encrypt( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + ): string { if ($key instanceof AsymmetricKey) { // asymmetric encryption $fn = 'openssl_public_encrypt'; @@ -127,8 +130,11 @@ public function encrypt(KeyInterface $key, string $plaintext): string * * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while decrypting the ciphertext. */ - public function decrypt(KeyInterface $key, string $ciphertext): string - { + public function decrypt( + #[\SensitiveParameter] + KeyInterface $key, + string $ciphertext, + ): string { if ($key instanceof AsymmetricKey) { // asymmetric encryption $fn = 'openssl_public_decrypt'; @@ -182,8 +188,11 @@ public function decrypt(KeyInterface $key, string $ciphertext): string * * @throws \SimpleSAML\XMLSecurity\Exception\OpenSSLException If there is an error while signing the plaintext. */ - public function sign(KeyInterface $key, string $plaintext): string - { + public function sign( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + ): string { if (!openssl_sign($plaintext, $signature, $key->getMaterial(), $this->digest)) { throw new OpenSSLException('Cannot sign data'); } @@ -200,8 +209,12 @@ public function sign(KeyInterface $key, string $plaintext): string * * @return boolean True if the signature can be verified, false otherwise. */ - public function verify(KeyInterface $key, string $plaintext, string $signature): bool - { + public function verify( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + string $signature, + ): bool { return openssl_verify($plaintext, $signature, $key->getMaterial(), $this->digest) === 1; } diff --git a/src/Backend/SignatureBackend.php b/src/Backend/SignatureBackend.php index cf3b03cc..d779f854 100644 --- a/src/Backend/SignatureBackend.php +++ b/src/Backend/SignatureBackend.php @@ -33,7 +33,11 @@ public function setDigestAlg(string $digest): void; * * @throws \SimpleSAML\XMLSecurity\Exception\RuntimeException If there is an error while signing the plaintext. */ - public function sign(KeyInterface $key, string $plaintext): string; + public function sign( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + ): string; /** @@ -45,5 +49,10 @@ public function sign(KeyInterface $key, string $plaintext): string; * * @return boolean True if the signature can be verified, false otherwise. */ - public function verify(KeyInterface $key, string $plaintext, string $signature): bool; + public function verify( + #[\SensitiveParameter] + KeyInterface $key, + string $plaintext, + string $signature, + ): bool; } diff --git a/src/Key/PrivateKey.php b/src/Key/PrivateKey.php index e124afd8..ce7298e0 100644 --- a/src/Key/PrivateKey.php +++ b/src/Key/PrivateKey.php @@ -23,8 +23,10 @@ class PrivateKey extends AsymmetricKey * * @param \SimpleSAML\XMLSecurity\CryptoEncoding\PEM $key The PEM-encoded key material. */ - final public function __construct(PEM $key) - { + final public function __construct( + #[\SensitiveParameter] + PEM $key, + ) { Assert::oneOf( $key->type(), [PEM::TYPE_PRIVATE_KEY, PEM::TYPE_RSA_PRIVATE_KEY], @@ -45,8 +47,11 @@ final public function __construct(PEM $key) * * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If the file cannot be read. */ - public static function fromFile(string $file, string $passphrase = ''): static - { + public static function fromFile( + string $file, + #[\SensitiveParameter] + string $passphrase = '', + ): static { if (($key = openssl_pkey_get_private($file, $passphrase)) === false) { throw new OpenSSLException('Failed to read key'); } diff --git a/src/Key/PublicKey.php b/src/Key/PublicKey.php index 8d40d878..0fd860b4 100644 --- a/src/Key/PublicKey.php +++ b/src/Key/PublicKey.php @@ -45,8 +45,10 @@ class PublicKey extends AsymmetricKey * * @param \SimpleSAML\XMLSecurity\CryptoEncoding\PEM $key The PEM-encoded key material. */ - final public function __construct(PEM $key) - { + final public function __construct( + #[\SensitiveParameter] + PEM $key, + ) { Assert::oneOf( $key->type(), [PEM::TYPE_PUBLIC_KEY, PEM::TYPE_RSA_PUBLIC_KEY],