/** * Verify a MAC * * @param string $mac * @param string $message * @param string $aKey * @return bool */ protected static function verifyMAC($mac, $message, $aKey) { return \Sodium\crypto_auth_verify($mac, $message, $aKey); }
/** * Verify a MAC * * @param string $mac * @param string $message * @param string $aKey * @return bool * @throws CryptoException\InvalidSignature */ protected static function verifyMAC(string $mac, string $message, string $aKey) : bool { if (CryptoUtil::safeStrlen($mac) !== \Sodium\CRYPTO_AUTH_BYTES) { throw new CryptoException\InvalidSignature('Message Authentication Code is not the correct length; is it encoded?'); } return \Sodium\crypto_auth_verify($mac, $message, $aKey); }
/** * @param string $encrypted * * @throws CryptoException * * @return string */ public function decrypt($encrypted) { if (!$encrypted || !is_string($encrypted)) { throw new CryptoException(sprintf(self::ERR_CANNOT_DECRYPT, gettype($encrypted))); } // Sanity check size of payload is larger than MAC + NONCE if (ByteString::strlen($encrypted) < self::NONCE_SIZE_BYTES + \Sodium\CRYPTO_AUTH_BYTES) { throw new CryptoException(self::ERR_SIZE); } // Split into nonce, mac, and encrypted payload $nonce = ByteString::substr($encrypted, 0, self::NONCE_SIZE_BYTES); $mac = ByteString::substr($encrypted, self::NONCE_SIZE_BYTES, \Sodium\CRYPTO_AUTH_BYTES); $encrypted = ByteString::substr($encrypted, self::NONCE_SIZE_BYTES + \Sodium\CRYPTO_AUTH_BYTES); // Verify MAC try { $isVerified = \Sodium\crypto_auth_verify($mac, $nonce . $encrypted, $this->authSecret->getValue()); } catch (Exception $ex) { throw new CryptoException(sprintf(self::ERR_DECODE_UNEXPECTED, $ex->getMessage()), $ex->getCode(), $ex); } if (!$isVerified) { throw new CryptoException(self::ERR_DECODE); } // Decrypt authenticated payload try { $unencrypted = \Sodium\crypto_secretbox_open($encrypted, $nonce, $this->cryptoSecret->getValue()); } catch (Exception $ex) { throw new CryptoException(sprintf(self::ERR_DECRYPT, $ex->getMessage()), $ex->getCode(), $ex); } return $unencrypted; }
/** * Validates a message signature and returns the signed message. * * @param string $message The signed message JSON string. * @param string $key The signing key used with the message. * @param string $hashKey The key to hash the key with. * @return string A string returning the output of the signed message. * @throws Exceptions\InvalidTypeException * @throws Exceptions\SignatureException */ public static function verifyMessage($message, $key, $hashKey = '') { # Test the message and key for string validity. Helpers::isString($message, 'Encryption', 'verifyMessage'); Helpers::isString($key, 'Encryption', 'verifyMessage'); Helpers::isString($hashKey, 'Encryption', 'verifyMessage'); # Create a special hashed key for encryption. $key = Hash::hash($key, $hashKey, Constants::AUTH_KEYBYTES); # Decode the message from JSON. $message = base64_decode(json_decode($message, true)); if (\Sodium\crypto_auth_verify(Helpers::hex2bin($message['mac']), $message['msg'], $key)) { \Sodium\memzero($key); return $message['msg']; } else { \Sodium\memzero($key); throw new Exceptions\SignatureException('Signature for message invalid.'); } }