Hide sensitive keys and plaintext (#15)

Parameters are hidden with `SensitiveParameter` which is available starting with PHP 8.2 (see #13), keys property with `HiddenString`.

src/SymmetricKeyEncryption.php

@@ -13,6 +13,7 @@
 use ParagonIE\Halite\Symmetric\Crypto;
 use ParagonIE\Halite\Symmetric\EncryptionKey;
 use ParagonIE\HiddenString\HiddenString;
+use SensitiveParameter;
 use SodiumException;
 use Spaze\Encryption\Exceptions\InvalidNumberOfComponentsException;
 use Spaze\Encryption\Exceptions\UnknownEncryptionKeyIdException;
@@ -25,16 +26,24 @@ class SymmetricKeyEncryption
 
 	private const KEY_CIPHERTEXT_SEPARATOR = '$';
 
+	/** @var array<string, array<string, HiddenString>> */
+	private array $keys = [];
+
 
 	/**
 	 * @param array<string, array<string, string>> $keys key group => key id => key
 	 * @param array<string, string> $activeKeyIds key group => key id
 	 */
 	public function __construct(
 		private string $keyGroup,
-		private array $keys,
+		#[SensitiveParameter] array $keys,
 		private array $activeKeyIds,
 	) {
+		foreach ($keys as $name => $group) {
+			foreach ($group as $id => $key) {
+				$this->keys[$name][$id] = new HiddenString(Hex::decode($key));
+			}
+		}
 	}
 
 
@@ -48,7 +57,7 @@ public function __construct(
 	 * @throws TypeError
 	 * @throws UnknownEncryptionKeyIdException
 	 */
-	public function encrypt(string $data): string
+	public function encrypt(#[SensitiveParameter] string $data): string
 	{
 		$keyId = $this->getActiveKeyId();
 		$key = $this->getKey($keyId);
@@ -97,7 +106,7 @@ public function needsReEncrypt(string $data): bool
 	private function getKey(string $keyId): EncryptionKey
 	{
 		if (isset($this->keys[$this->keyGroup][$keyId])) {
-			return new EncryptionKey(new HiddenString(Hex::decode($this->keys[$this->keyGroup][$keyId])));
+			return new EncryptionKey($this->keys[$this->keyGroup][$keyId]);
 		} else {
 			throw new UnknownEncryptionKeyIdException($keyId);
 		}

tests/SymmetricKeyEncryptionTest.phpt

@@ -34,7 +34,7 @@ class SymmetricKeyEncryptionTest extends TestCase
 	protected function setUp(): void
 	{
 		$this->keys = [
-			'token' => [
+			self::KEY_GROUP => [
 				self::INACTIVE_KEY => bin2hex(random_bytes(32)),
 				self::ACTIVE_KEY => bin2hex(random_bytes(32)),
 			],
@@ -101,6 +101,27 @@ class SymmetricKeyEncryptionTest extends TestCase
 		];
 	}
 
+
+	public function testEncryptSensitiveParameter(): void
+	{
+		$e = Assert::exception(
+			function () {
+				(new SymmetricKeyEncryption(self::KEY_GROUP, $this->keys, [self::KEY_GROUP => 'foo']))->encrypt(self::PLAINTEXT);
+			},
+			UnknownEncryptionKeyIdException::class,
+		);
+		Assert::notContains(self::PLAINTEXT, $e->getTraceAsString());
+		Assert::contains('SensitiveParameterValue', $e->getTraceAsString());
+	}
+
+
+	public function testHiddenStringKeys(): void
+	{
+		$object = print_r(new SymmetricKeyEncryption(self::KEY_GROUP, $this->keys, [self::KEY_GROUP => self::ACTIVE_KEY]), true);
+		Assert::notContains($this->keys[self::KEY_GROUP][self::ACTIVE_KEY], $object);
+		Assert::notContains($this->keys[self::KEY_GROUP][self::INACTIVE_KEY], $object);
+	}
+
 }
 
 (new SymmetricKeyEncryptionTest())->run();