I respect OP’s dedication to reducing footguns here, but I don’t think I would recommend this approach.
My general recommendation for doing cryptography in PHP is to use ext/sodium, bundled since PHP 7.2. If that’s not available, you can use the paragonie/sodium_compat polyfill for it. For OP’s use case, the simplest answer is probably to use sodium_crypto_secretbox and friends. The roundtrip use case might see value from AEAD (sodium_crypto_aead_chacha20poly1305_encrypt and friends), though personally I hate how long those function names are.
There’s certainly still room for a wrapper around sodium - dealing with serialization and deserialization, providing a container for ciphertext + nonce - but that would dramatically reduce the number of knobs involved (on the principle that cryptographic agility is generally more dangerous than useful).
The PHP style itself also feels a little dated to me; I would expect a new library like this to support PSR-4 autoloading at a minimum, and probably also have composer support, type annotations, and a standard testing framework like phpunit.
I wanted to thank you again for your feedback. I have implemented PSR-4 autoloading and supplemented the code with type annotations and docblocks. I would be happy to list you as a code review contributor in the CONTRIBUTORS.md file, let me know if you’d like attribution.
I respect OP’s dedication to reducing footguns here, but I don’t think I would recommend this approach.
My general recommendation for doing cryptography in PHP is to use
ext/sodium, bundled since PHP 7.2. If that’s not available, you can use theparagonie/sodium_compatpolyfill for it. For OP’s use case, the simplest answer is probably to usesodium_crypto_secretboxand friends. The roundtrip use case might see value from AEAD (sodium_crypto_aead_chacha20poly1305_encryptand friends), though personally I hate how long those function names are.There’s certainly still room for a wrapper around sodium - dealing with serialization and deserialization, providing a container for ciphertext + nonce - but that would dramatically reduce the number of knobs involved (on the principle that cryptographic agility is generally more dangerous than useful).
The PHP style itself also feels a little dated to me; I would expect a new library like this to support PSR-4 autoloading at a minimum, and probably also have composer support, type annotations, and a standard testing framework like phpunit.
Thanks for your comments! I think maybe I’m old fashioned. :P
I wanted to thank you again for your feedback. I have implemented PSR-4 autoloading and supplemented the code with type annotations and docblocks. I would be happy to list you as a code review contributor in the CONTRIBUTORS.md file, let me know if you’d like attribution.
Very kind of you, but no need. I was just giving a few passing comments on a forum.
Added support for Sodium.