wsc-crypto-php

PoC of cryptographic utility functions for WoltLab Suite Core, implemented in PHP.

Overview

This project provides cryptographic helper functions, including:

• Creating secure signatures based on the Keyed-Hash Message Authentication Code (HMAC) algorithm.
• Base64 encoding and decoding without cache-timing leaks.
• Parsing and verifying signed strings to ensure data integrity and authenticity.

Installation

Use Composer to install the package:

composer require softcreatr/wsc-crypto-php

Usage

For detailed usage examples, please refer to the examples directory.

Examples

• Creating and Verifying a Signed String
• Handling a Session Cookie
• Parsing a Signed String Directly

Testing

The project includes a comprehensive test suite using PHPUnit.

Running Tests

1. Install Dependencies:

   Ensure all dependencies are installed via Composer:

   composer install

2. Run PHPUnit with Coverage:

   Execute the following command to run your tests and generate an HTML coverage report:

   ./vendor/bin/phpunit --coverage-html coverage

3. View Coverage Report:

   Open coverage/index.html in your browser to view detailed coverage statistics.

License

This project is licensed under the ISC License. See the LICENSE file for details.

Author

• Sascha Greuel
• Email: hello@1-2.dev
• GitHub: SoftCreatR

Security Considerations

• Protect the signatureSecret: Ensure that the signature secret is stored securely and not exposed in version control or logs.
• Validate Inputs: Always validate and sanitize inputs when dealing with signed strings to prevent security vulnerabilities.

Contributing

Contributions are welcome! Please open issues or submit pull requests for improvements and bug fixes.

Acknowledgments

• ParagonIE for their constant-time encoding library.
• Inspired by WoltLab's WCF Crypto utilities.