1. 2
    1. 4

      I respect OP’s dedication to reducing footguns here, but I don’t think I would recommend this approach.

      My general recommendation for doing cryptography in PHP is to use ext/sodium, bundled since PHP 7.2. If that’s not available, you can use the paragonie/sodium_compat polyfill for it. For OP’s use case, the simplest answer is probably to use sodium_crypto_secretbox and friends. The roundtrip use case might see value from AEAD (sodium_crypto_aead_chacha20poly1305_encrypt and friends), though personally I hate how long those function names are.

      There’s certainly still room for a wrapper around sodium - dealing with serialization and deserialization, providing a container for ciphertext + nonce - but that would dramatically reduce the number of knobs involved (on the principle that cryptographic agility is generally more dangerous than useful).

      The PHP style itself also feels a little dated to me; I would expect a new library like this to support PSR-4 autoloading at a minimum, and probably also have composer support, type annotations, and a standard testing framework like phpunit.

      1. 1

        Thanks for your comments! I think maybe I’m old fashioned. :P

      2. 1

        I wanted to thank you again for your feedback. I have implemented PSR-4 autoloading and supplemented the code with type annotations and docblocks. I would be happy to list you as a code review contributor in the CONTRIBUTORS.md file, let me know if you’d like attribution.

        1. 1

          Very kind of you, but no need. I was just giving a few passing comments on a forum.

      3. 1

        Added support for Sodium.