roukmoute/Cryptography.php

## Cryptography.php
<?php

declare(strict_types=1);

use Exception;
use SodiumException;
use TypeError;

class Cryptography
{
    /** @var string */
    private $key;

    /**
     * @param string $base64Key Symmetric encryption key encoded in base64
     *                          To generate a new one: base64_encode(sodium_crypto_secretbox_keygen())
     */
    public function __construct(string $base64Key)
    {
        $this->key = base64_decode($base64Key, true);

        if (!$this->key) {
            throw new TypeError('Cryptography key expects to be a string encoded in base64.');
        }
    }

    public function encrypt(string $message): string
    {
        try {
            $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        } catch (Exception $exception) {
            throw new Exception('It was not possible to gather sufficient entropy', $exception->getCode(), $exception);
        }

        try {
            $cipher = base64_encode(
                $nonce .
                sodium_crypto_secretbox(
                    $message,
                    $nonce,
                    $this->key
                )
            );
        } catch (SodiumException $exception) {
            throw new Exception('Cannot encrypt message', $exception->getCode(), $exception);
        }

        try {
            sodium_memzero($message);
        } catch (SodiumException $e) {
        }

        return $cipher;
    }

    public function decrypt(string $encrypted): string
    {
        $decoded = base64_decode($encrypted, true);

        if ($decoded === false) {
            throw new Exception('The decoding failed');
        }

        if (mb_strlen($decoded, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
            throw new Exception('The message was truncated');
        }

        $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
        $plain = false;
        try {
            $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $this->key);
        } catch (SodiumException $e) {
        }

        if ($plain === false) {
            throw new Exception('The message was tampered with in transit');
        }

        try {
            sodium_memzero($ciphertext);
        } catch (SodiumException $e) {
        }

        return $plain;
    }
}

## CryptographyTest.php
<?php

declare(strict_types=1);

namespace unit\Security;

use Codeception\Test\Unit;
use Exception;
use Library\Security\Cryptography;
use ReflectionProperty;
use Tests\UnitTester;
use TypeError;

class CryptographyTest extends Unit
{
    /** @var string */
    private $key;

    /** @var UnitTester */
    protected $tester;

    protected function _before()
    {
        $this->key = base64_encode(sodium_crypto_secretbox_keygen());
    }

    public function testConstruct()
    {
        $this->tester->expectThrowable(
            new TypeError('Cryptography key expects to be a string encoded in base64.'),
            function () {
                new Cryptography($this->key . '*');
            }
        );
    }

    public function testEncryptAndDecrypt()
    {
        $cryptography = new Cryptography($this->key);
        $message = 'mon message';
        $encrypted = $cryptography->encrypt($message);

        $this->tester->assertSame($message, $cryptography->decrypt($encrypted));
    }

    public function testCannotEncryptMessage()
    {
        $this->tester->expectThrowable(
            new Exception('Cannot encrypt message'),
            function () {
                $cryptography = new Cryptography($this->key);
                $property = new ReflectionProperty($cryptography, 'key');
                $property->setAccessible(true);
                $property->setValue($cryptography, 'wrong_key');
                $cryptography->encrypt('mon message');
            }
        );
    }

    public function testMessageWasTruncated()
    {
        $this->tester->expectThrowable(
            new Exception('The message was truncated'),
            function () {
                (new Cryptography($this->key))->decrypt(base64_encode('mon message'));
            }
        );
    }

    public function testTheMessageWasTamperedWithInTransitCauseSodiumException()
    {
        $this->tester->expectThrowable(
            new Exception('The message was tampered with in transit'),
            function () {
                $cryptography = new Cryptography($this->key);
                $encrypted = $cryptography->encrypt('mon message');
                $property = new ReflectionProperty($cryptography, 'key');
                $property->setAccessible(true);
                $property->setValue($cryptography, 'wrong_key');
                $cryptography->decrypt($encrypted);
            }
        );
    }

    public function testTheMessageWasTamperedWithInTransitCauseDecryptHasFailed()
    {
        $this->tester->expectThrowable(
            new Exception('The message was tampered with in transit'),
            function () {
                $cryptography = new Cryptography($this->key);
                $encrypted = $cryptography->encrypt('mon message');
                $property = new ReflectionProperty($cryptography, 'key');
                $property->setAccessible(true);
                $property->setValue($cryptography, sodium_crypto_secretbox_keygen());
                $cryptography->decrypt($encrypted);
            }
        );
    }
}
	<?php

	declare(strict_types=1);

	use Exception;
	use SodiumException;
	use TypeError;

	class Cryptography
	{
	/** @var string */
	private $key;

	/**
	* @param string $base64Key Symmetric encryption key encoded in base64
	* To generate a new one: base64_encode(sodium_crypto_secretbox_keygen())
	*/
	public function __construct(string $base64Key)
	{
	$this->key = base64_decode($base64Key, true);

	if (!$this->key) {
	throw new TypeError('Cryptography key expects to be a string encoded in base64.');
	}
	}

	public function encrypt(string $message): string
	{
	try {
	$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
	} catch (Exception $exception) {
	throw new Exception('It was not possible to gather sufficient entropy', $exception->getCode(), $exception);
	}

	try {
	$cipher = base64_encode(
	$nonce .
	sodium_crypto_secretbox(
	$message,
	$nonce,
	$this->key
	)
	);
	} catch (SodiumException $exception) {
	throw new Exception('Cannot encrypt message', $exception->getCode(), $exception);
	}

	try {
	sodium_memzero($message);
	} catch (SodiumException $e) {
	}

	return $cipher;
	}

	public function decrypt(string $encrypted): string
	{
	$decoded = base64_decode($encrypted, true);

	if ($decoded === false) {
	throw new Exception('The decoding failed');
	}

	if (mb_strlen($decoded, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
	throw new Exception('The message was truncated');
	}

	$nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
	$ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
	$plain = false;
	try {
	$plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $this->key);
	} catch (SodiumException $e) {
	}

	if ($plain === false) {
	throw new Exception('The message was tampered with in transit');
	}

	try {
	sodium_memzero($ciphertext);
	} catch (SodiumException $e) {
	}

	return $plain;
	}
	}
	<?php

	declare(strict_types=1);

	namespace unit\Security;

	use Codeception\Test\Unit;
	use Exception;
	use Library\Security\Cryptography;
	use ReflectionProperty;
	use Tests\UnitTester;
	use TypeError;

	class CryptographyTest extends Unit
	{
	/** @var string */
	private $key;

	/** @var UnitTester */
	protected $tester;

	protected function _before()
	{
	$this->key = base64_encode(sodium_crypto_secretbox_keygen());
	}

	public function testConstruct()
	{
	$this->tester->expectThrowable(
	new TypeError('Cryptography key expects to be a string encoded in base64.'),
	function () {
	new Cryptography($this->key . '*');
	}
	);
	}

	public function testEncryptAndDecrypt()
	{
	$cryptography = new Cryptography($this->key);
	$message = 'mon message';
	$encrypted = $cryptography->encrypt($message);

	$this->tester->assertSame($message, $cryptography->decrypt($encrypted));
	}

	public function testCannotEncryptMessage()
	{
	$this->tester->expectThrowable(
	new Exception('Cannot encrypt message'),
	function () {
	$cryptography = new Cryptography($this->key);
	$property = new ReflectionProperty($cryptography, 'key');
	$property->setAccessible(true);
	$property->setValue($cryptography, 'wrong_key');
	$cryptography->encrypt('mon message');
	}
	);
	}

	public function testMessageWasTruncated()
	{
	$this->tester->expectThrowable(
	new Exception('The message was truncated'),
	function () {
	(new Cryptography($this->key))->decrypt(base64_encode('mon message'));
	}
	);
	}

	public function testTheMessageWasTamperedWithInTransitCauseSodiumException()
	{
	$this->tester->expectThrowable(
	new Exception('The message was tampered with in transit'),
	function () {
	$cryptography = new Cryptography($this->key);
	$encrypted = $cryptography->encrypt('mon message');
	$property = new ReflectionProperty($cryptography, 'key');
	$property->setAccessible(true);
	$property->setValue($cryptography, 'wrong_key');
	$cryptography->decrypt($encrypted);
	}
	);
	}

	public function testTheMessageWasTamperedWithInTransitCauseDecryptHasFailed()
	{
	$this->tester->expectThrowable(
	new Exception('The message was tampered with in transit'),
	function () {
	$cryptography = new Cryptography($this->key);
	$encrypted = $cryptography->encrypt('mon message');
	$property = new ReflectionProperty($cryptography, 'key');
	$property->setAccessible(true);
	$property->setValue($cryptography, sodium_crypto_secretbox_keygen());
	$cryptography->decrypt($encrypted);
	}
	);
	}
	}