DefuseCryptoKeyOrPassword

The KeyOrPassword class of the Defuse Crypto (php-encryption) library, as bundled with WooCommerce Germanized.

Defined (1)

The class is defined in the following location(s).

/includes/gateways/direct-debit/libraries/php-encryption/KeyOrPassword.php  
  /**
   * Wraps a single secret, either a Key object or a password string, and
   * derives the authentication and encryption keys from it.
   */
  final class KeyOrPassword
  {
      // Iteration count handed to Core::pbkdf2() on the password path.
      // NOTE(review): the derived keys depend on this value, so changing it
      // would presumably stop existing password-protected data from
      // decrypting. OWASP's current password-storage guidance lists higher
      // PBKDF2 iteration counts; confirm this is acceptable for the passwords
      // in use.
      const PBKDF2_ITERATIONS = 100000;

      // Discriminator values stored in $secret_type.
      const SECRET_TYPE_KEY = 1;
      const SECRET_TYPE_PASSWORD = 2;

      // One of the SECRET_TYPE_* constants; set once by the constructor.
      private $secret_type = null;

      // The Key object or the password string, kept for the object's lifetime.
      private $secret = null;

      /**
       * Builds a KeyOrPassword that wraps a Key.
       *
       * @param Key $key
       * @return KeyOrPassword
       */
      public static function createFromKey(Key $key)
      {
          return new self(self::SECRET_TYPE_KEY, $key);
      }

      /**
       * Builds a KeyOrPassword that wraps a password.
       *
       * The argument is stored as given; no type or length check happens here.
       *
       * @param string $password
       * @return KeyOrPassword
       */
      public static function createFromPassword($password)
      {
          return new self(self::SECRET_TYPE_PASSWORD, $password);
      }

      /**
       * Derives the authentication key and the encryption key from the
       * secret. A Key goes straight into HKDF; a password is first hashed
       * and run through PBKDF2, and the PBKDF2 output is then fed to HKDF.
       *
       * @param string $salt must be exactly Core::SALT_BYTE_SIZE bytes long
       * @throws Defuse\Crypto\Exception\EnvironmentIsBrokenException
       *         when the salt length is wrong or the secret type is unknown
       * @return DerivedKeys
       */
      public function deriveKeys($salt)
      {
          // A salt of the wrong length is rejected before any key material
          // is touched.
          if (Core::ourStrlen($salt) !== Core::SALT_BYTE_SIZE) {
              throw new Ex\EnvironmentIsBrokenException('Bad salt.');
          }

          if ($this->secret_type === self::SECRET_TYPE_KEY) {
              // The two HKDF calls differ only in the info string, which is
              // what makes the authentication and encryption keys distinct.
              $authKey = Core::HKDF(
                  Core::HASH_FUNCTION_NAME,
                  $this->secret->getRawBytes(),
                  Core::KEY_BYTE_SIZE,
                  Core::AUTHENTICATION_INFO_STRING,
                  $salt
              );
              $encKey = Core::HKDF(
                  Core::HASH_FUNCTION_NAME,
                  $this->secret->getRawBytes(),
                  Core::KEY_BYTE_SIZE,
                  Core::ENCRYPTION_INFO_STRING,
                  $salt
              );

              return new DerivedKeys($authKey, $encKey);
          }

          // Anything that is neither a key nor a password fails closed.
          if ($this->secret_type !== self::SECRET_TYPE_PASSWORD) {
              throw new Ex\EnvironmentIsBrokenException('Bad secret type.');
          }

          // The PBKDF2 polyfill is vulnerable to the DoS documented in GitHub
          // issue #230. Pre-hashing keeps the PBKDF2 input short; it is done
          // here rather than inside pbkdf2() so that pbkdf2() still computes
          // the function as the standard defines it.
          // NOTE(review): $this->secret is not type-checked before hashing and
          // createFromPassword() accepts any value; confirm callers always
          // pass a string.
          $hashedPassword = \hash(Core::HASH_FUNCTION_NAME, $this->secret, true);

          $stretched = Core::pbkdf2(
              Core::HASH_FUNCTION_NAME,
              $hashedPassword,
              $salt,
              self::PBKDF2_ITERATIONS,
              Core::KEY_BYTE_SIZE,
              true
          );

          $authKey = Core::HKDF(
              Core::HASH_FUNCTION_NAME,
              $stretched,
              Core::KEY_BYTE_SIZE,
              Core::AUTHENTICATION_INFO_STRING,
              $salt
          );

          // The same $salt is deliberately used again for PBKDF2 and for both
          // HKDF calls; only the info string changes between the two keys.
          $encKey = Core::HKDF(
              Core::HASH_FUNCTION_NAME,
              $stretched,
              Core::KEY_BYTE_SIZE,
              Core::ENCRYPTION_INFO_STRING,
              $salt
          );

          return new DerivedKeys($authKey, $encKey);
      }

      /**
       * Private constructor; instances come from createFromKey() and
       * createFromPassword() only.
       *
       * @param int   $secret_type one of the SECRET_TYPE_* constants
       * @param mixed $secret      (either a Key or a password string)
       */
      private function __construct($secret_type, $secret)
      {
          $this->secret_type = $secret_type;
          $this->secret = $secret;
      }
  }