PASERK PHP: Extend PASETO to wrap and serialize keys

Recommend this page to a friend!

Author

Name:	Scott Arciszewski `<contact>`
Classes:	35 packages by Scott Arciszewski
Country:	United States

Innovation award

Nominee: 27x

Winner: 1x

Detailed description

Download .zip .tar.gz

This package can extend PASETO to wrap and serialize keys.

It provides classes that can perform several operations with keys used by the PHP implementation of the PASETO security tokens specification.

Currently, it provides classes that implement:

- Types of data that can be encoded and decoded, like seals and secret passwords

- Operations with the types of data like wrapping and serialization

Details

PASERK (PHP)

Platform Agnostic SERialized Keys. Requires PHP 7.1 or newer.

PASERK Specification

The PASERK Specification can be found in this repository.

Installing

composer require paragonie/paserk

PASERK Library Versions

PASERK PHP Version 2 * Requires PHP 8.1+ * PASETO versions: `v3`, `v4` * This means only the corresponding `k3` and `k4` modes are implemented.
PASERK PHP Version 1 * Requires PHP 7.1+ * PASETO versions: `v1`, `v2`, `v3`, `v4` * This provides a stable reference implementation for the PASERK specification.

Documentation

See this directory for the documentation.

Example: Public-key Encryption

Wrapping

<?php
use ParagonIE\Paseto\Builder;
use ParagonIE\Paseto\Keys\SymmetricKey;
use ParagonIE\Paseto\Protocol\Version4;
use ParagonIE\Paserk\Operations\Key\SealingPublicKey;
use ParagonIE\Paserk\Types\Seal;

$version = new Version4();

// First, you need a sealing keypair.

// $sealingSecret = ParagonIE\Paserk\Operations\Key\SealingSecretKey::generate();
// $sealingPublic = $sealingSecret->getPublicKey();
// var_dump($sealingSecret->encode(), $sealingPublic->encode());

$sealingPublic = SealingPublicKey::fromEncodedString(
    "vdd1m2Eri8ggYYR5YtnmEninoiCxH1eguGNKe4pes3g",
    $version
);
$sealer = new Seal($sealingPublic);

// Generate a random one-time key, which will be encrypted with the public key:
$key = SymmetricKey::generate($version);

// Seal means "public key encryption":
$paserk = $sealer->encode($key);

// Now let's associate this PASERK with a PASETO that uses the local key:
$paseto = Builder::getLocal($key, $version)
    ->with('test', 'readme')
    ->withExpiration(
        (new DateTime('NOW'))
            ->add(new DateInterval('P01D'))
    )
    ->withFooterArray(['kid' => $sealer->id($key)])
    ->toString();

var_dump($paserk, $paseto);

Unwrapping

<?php
use ParagonIE\Paseto\Protocol\Version4;
use ParagonIE\Paserk\Operations\Key\SealingSecretKey;
use ParagonIE\Paserk\Types\Lid;
use ParagonIE\Paserk\Types\Seal;
use ParagonIE\Paseto\Parser as PasetoParser;
use ParagonIE\Paseto\ProtocolCollection;

$version = new Version4();

// From previous example:
$paserk = "k4.seal.F2qE4x0JfqT7JYhOB7S12SikvLaRuEpxRkgxxHfh4hVpE1JfwIDnreuhs9v5gjoBl3WTVjdIz6NkwQdqRoS2EDc3yGvdf_Da4K1xUSJ8IVTn4HQeol5ruYwjQlA_Ph4N";
$paseto = "v4.local.hYG-BfpTTM3bb-xZ-q5-w77XGayS4WA8kA5R5ZL85u3nzgrWba5NdqgIouFn71CJyGAff1eloirzz3sWRdVXnDeSIYxXDIerNkbLI5ALn24JehhSLKrv8R2-yhfo_XZF9XEASXtwrOyMNjeEAan5kqO6Dg.eyJraWQiOiJrNC5saWQueDAycGJDRmhxU1Q4endnbEJyR3VqWE9LYU5kRkJjY1dsTFFRN0pzcGlZM18ifQ";

// Keys for unsealing:
$sealingSecret = SealingSecretKey::fromEncodedString(
    "j043XiZTuGLleB0kAy8f3Tz-lEePK_ynEWPp4OyB-lS913WbYSuLyCBhhHli2eYSeKeiILEfV6C4Y0p7il6zeA",
    $version
);
$sealingPublic = $sealingSecret->getPublicKey();

// Unwrap the sytmmetric key for `v4.local.` tokens.
$sealer = new Seal($sealingPublic, $sealingSecret);
$unwrapped = $sealer->decode($paserk);

// Parse the PASETO
$parsed = PasetoParser::getLocal($unwrapped, ProtocolCollection::v4())
    ->parse($paseto);

// Get the claims from the parsed and validated token:
var_dump($parsed->getClaims());
/*
array(2) {
  ["test"]=>
  string(6) "readme"
  ["exp"]=>
  string(25) "2038-01-19T03:14:08+00:00"
}
*/

// Observe the Key ID is the same as the value stored in the footer.
var_dump(Lid::encode($version, $paserk));
var_dump($parsed->getFooterArray()['kid']);
/*
string(51) "k4.lid.x02pbCFhqST8zwglBrGujXOKaNdFBccWlLQQ7JspiY3_"
string(51) "k4.lid.x02pbCFhqST8zwglBrGujXOKaNdFBccWlLQQ7JspiY3_"
*/

PASERK Feature Coverage

[x] lid
[x] local
[x] seal
[x] local-wrap - [x] pie
[x] local-pw * (Requires ext-sodium for v2/v4 keys, due to Argon2id)
[x] pid
[x] public
[x] secret
[x] secret-wrap - [x] pie
[x] secret-pw * (Requires ext-sodium for v2/v4 keys, due to Argon2id)

Classes of Scott Arciszewski

PASERK PHP

Download .zip .tar.gz

Support forum

Blog

Latest changes

Name:	PASERK PHP Support forum
Base name:	`paserk-php`
Description:	Extend PASETO to wrap and serialize keys
Version:	`-`
PHP version:	`5`
License:	MIT/X Consortium License

File	Role	Description
`.github` (1 directory)
`docs` (1 file, 2 directories)
`src` (6 files, 2 directories)
`tests` (2 files, 4 directories)
`composer.json`	Data	Auxiliary data
`LICENSE`	Lic.	License text
`phpunit.xml`	Data	Auxiliary data
`psalm.xml`	Data	Auxiliary data
`README.md`	Doc.	Read me

File	Role	Description
`Types` (11 files)
`Wrap` (2 files)
`README.md`	Doc.	Documentation

File	Role	Description
`Lid.md`	Doc.	Documentation
`Local.md`	Doc.	Documentation
`LocalPW.md`	Doc.	Documentation
`LocalWrap.md`	Doc.	Documentation
`Pid.md`	Doc.	Documentation
`PublicType.md`	Doc.	Documentation
`Seal.md`	Doc.	Documentation
`SecretPW.md`	Doc.	Documentation
`SecretType.md`	Doc.	Documentation
`SecretWrap.md`	Doc.	Documentation
`Sid.md`	Doc.	Documentation

File	Role	Description
`Operations` (6 files, 4 directories)
`Types` (11 files)
`ConstraintTrait.php`	Class	Class source
`IdCommonTrait.php`	Class	Class source
`IdInterface.php`	Class	Class source
`PaserkException.php`	Class	Class source
`PaserkTypeInterface.php`	Class	Class source
`Util.php`	Class	Class source

File	Role	Description
`Key` (2 files)
`PBKW` (2 files)
`PKE` (3 files)
`Wrap` (1 file)
`PBKW.php`	Class	Class source
`PBKWInterface.php`	Class	Class source
`PKE.php`	Class	Class source
`PKEInterface.php`	Class	Class source
`Wrap.php`	Class	Class source
`WrapInterface.php`	Class	Class source

File	Role	Description
`SealingPublicKey.php`	Class	Class source
`SealingSecretKey.php`	Class	Class source

File	Role	Description
`PKETrait.php`	Class	Class source
`PKEv3.php`	Class	Class source
`PKEv4.php`	Class	Class source

File	Role	Description
`Lid.php`	Class	Class source
`Local.php`	Class	Class source
`LocalPW.php`	Class	Class source
`LocalWrap.php`	Class	Class source
`Pid.php`	Class	Class source
`PublicType.php`	Class	Class source
`Seal.php`	Class	Class source
`SecretPW.php`	Class	Class source
`SecretType.php`	Class	Class source
`SecretWrap.php`	Class	Class source
`Sid.php`	Class	Class source

File	Role	Description
`KAT` (11 files)
`Operations` (3 files, 1 directory)
`test-vectors` (23 files)
`Types` (8 files)
`KnownAnswers.php`	Class	Class source
`UtilTest.php`	Class	Class source

File	Role	Description
`LidTest.php`	Class	Class source
`LocalPWTest.php`	Class	Class source
`LocalTest.php`	Class	Class source
`LocalWrapPieTest.php`	Class	Class source
`PidTest.php`	Class	Class source
`PublicTest.php`	Class	Class source
`SealTest.php`	Class	Class source
`SecretPWTest.php`	Class	Class source
`SecretTest.php`	Class	Class source
`SecretWrapPieTest.php`	Class	Class source
`SidTest.php`	Class	Class source

File	Role	Description
`Wrap` (1 file)
`PBKWTest.php`	Class	Class source
`PKETest.php`	Class	Class source
`WrapTest.php`	Class	Class source

File	Role	Description
`k3.lid.json`	Data	Auxiliary data
`k3.local-pw.json`	Data	Auxiliary data
`k3.local-wrap.pie.json`	Data	Auxiliary data
`k3.local.json`	Data	Auxiliary data
`k3.pid.json`	Data	Auxiliary data
`k3.public.json`	Data	Auxiliary data
`k3.seal.json`	Data	Auxiliary data
`k3.secret-pw.json`	Data	Auxiliary data
`k3.secret-wrap.pie.json`	Data	Auxiliary data
`k3.secret.json`	Data	Auxiliary data
`k3.sid.json`	Data	Auxiliary data
`k4.lid.json`	Data	Auxiliary data
`k4.local-pw.json`	Data	Auxiliary data
`k4.local-wrap.pie.json`	Data	Auxiliary data
`k4.local.json`	Data	Auxiliary data
`k4.pid.json`	Data	Auxiliary data
`k4.public.json`	Data	Auxiliary data
`k4.seal.json`	Data	Auxiliary data
`k4.secret-pw.json`	Data	Auxiliary data
`k4.secret-wrap.pie.json`	Data	Auxiliary data
`k4.secret.json`	Data	Auxiliary data
`k4.sid.json`	Data	Auxiliary data
`README.md`	Doc.	Documentation