Strong type custom openssl_seal implementation

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>

apps/encryption/lib/Crypto/Crypt.php

@@ -161,7 +161,7 @@ public function createKeyPair() {
  /**
  * Generates a new private key
  *
- * @return resource
+ * @return \OpenSSLAsymmetricKey|false
  */
  public function getOpenSSLPKey() {
  $config = $this->getOpenSSLConfig();
@@ -519,12 +519,9 @@ public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $ciph
  /**
  * check for valid signature
  *
- * @param string $data
- * @param string $passPhrase
- * @param string $expectedSignature
  * @throws GenericEncryptionException
  */
- private function checkSignature($data, $passPhrase, $expectedSignature) {
+ private function checkSignature(string $data, string $passPhrase, string $expectedSignature): void {
  $enforceSignature = !$this->config->getSystemValueBool('encryption_skip_signature_check', false);
 
  $signature = $this->createSignature($data, $passPhrase);
@@ -697,9 +694,9 @@ public function generateFileKey() {
  }
 
  /**
- * @param $encKeyFile
- * @param $shareKey
- * @param $privateKey
+ * @param string $encKeyFile
+ * @param string $shareKey
+ * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $privateKey
  * @return string
  * @throws MultiKeyDecryptException
  */
@@ -708,7 +705,8 @@ public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
  throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
  }
 
- if ($this->wrapped_openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) {
+ $plainContent = '';
+ if ($this->opensslOpen($encKeyFile, $plainContent, $shareKey, $privateKey, 'RC4')) {
  return $plainContent;
  } else {
  throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
@@ -733,7 +731,7 @@ public function multiKeyEncrypt($plainContent, array $keyFiles) {
  $shareKeys = [];
  $mappedShareKeys = [];
 
- if ($this->wrapped_openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) {
+ if ($this->opensslSeal($plainContent, $sealed, $shareKeys, $keyFiles, 'RC4')) {
  $i = 0;
 
  // Ensure each shareKey is labelled with its corresponding key id
@@ -811,16 +809,10 @@ public function rc4($data, $secret) {
  * wraps openssl_open() for cases where RC4 is not supported by OpenSSL v3
  * and replaces it with a custom implementation where necessary
  *
- * @param $data
- * @param $output
- * @param $encrypted_key
- * @param $private_key
- * @param $cipher_algo
- * @param $iv
- * @return bool
+ * @param \OpenSSLAsymmetricKey|\OpenSSLCertificate|array|string $private_key
  * @throws DecryptionFailedException
  */
- public function wrapped_openssl_open($data, &$output, $encrypted_key, $private_key, $cipher_algo, $iv = null) {
+ public function opensslOpen(string $data, string &$output, string $encrypted_key, $private_key, string $cipher_algo): bool {
  $result = false;
 
  // check if RC4 is used
@@ -840,25 +832,17 @@ public function wrapped_openssl_open($data, &$output, $encrypted_key, $private_k
  }
 
  /**
- * wraps openssl_seal() for cases where RC4 is not supported by OpenSSL v3
- * and replaces it with a custom implementation where necessary
+ * Custom implementation of openssl_seal()
  *
- * @param $data
- * @param $sealed_data
- * @param $encrypted_keys
- * @param $public_key
- * @param $cipher_algo
- * @param $iv
- * @return bool|int
  * @throws EncryptionFailedException
  */
- public function wrapped_openssl_seal($data, &$sealed_data, &$encrypted_keys, $public_key, $cipher_algo, $iv = null) {
+ public function opensslSeal(string $data, string &$sealed_data, array &$encrypted_keys, array $public_key, string $cipher_algo): int|false {
  $result = false;
 
  // check if RC4 is used
  if (strcasecmp($cipher_algo, "rc4") === 0) {
  // make sure that there is at least one public key to use
- if (is_array($public_key) && (1 <= count($public_key))) {
+ if (count($public_key) >= 1) {
  // generate the intermediate key
  $intermediate = openssl_random_pseudo_bytes(16, $strong_result);