docs(security): add security audit and improve crypto usage documentation

megyptm · megyptm · commit 168eee191385 · 2026-03-11T20:38:17.000+02:00
- add SECURITY_AUDIT.md with full pre-release security review
- expand SECURITY.md with cryptographic guarantees and safe usage guidelines
- clarify CryptoProvider context() vs direct() usage
- add explicit warning for direct() pipeline

No runtime or cryptographic changes.
Pre-release security hardening for v1.0.0.
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,33 +2,134 @@
 
 ## Supported Versions
 
-Currently, only the latest major version of the Crypto module receives security updates.
+Only the latest major version of **maatify/crypto** receives security updates.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.x     | :white_check_mark: |
+| Version | Supported |
+| ------- | ---------- |
+| 1.x     | ✅ |
+
+---
 
 ## Cryptographic Guarantees
 
-This module provides the following strict cryptographic guarantees:
+The library provides the following strict cryptographic guarantees:
+
+1. **Authenticated Encryption (AEAD)**
+   All reversible encryption uses modern AEAD algorithms.
+   The default implementation uses **AES-256-GCM**, ensuring confidentiality and integrity.
+   Any modification of ciphertext or metadata is detected during decryption.
+
+2. **Domain Separation (HKDF)**
+   Context-based encryption derives unique keys using **HKDF (RFC 5869)**.
+   Each context (e.g. `auth:session:v1`) produces an independent encryption key, preventing cross-domain compromise.
+
+3. **Secure Password Hashing**
+   Passwords are hashed using **Argon2id**.
+   The system supports an optional but highly recommended **global pepper** applied via HMAC-SHA256 before hashing.
+
+4. **Fail-Closed Design**
+   Any cryptographic failure results in an **immediate exception**.
+   The library never:
+   - falls back to weaker algorithms
+   - silently ignores failures
+   - returns partially decrypted data
+
+5. **Key Rotation Safety**
+   The system supports multiple keys with lifecycle states:
+   - **ACTIVE** – used for encryption
+   - **INACTIVE** – preserved for decryption
+   - **RETIRED** – legacy decryption only
+
+   Exactly one key must always be **ACTIVE**.
+
+---
+
+## Safe Usage Guidelines
+
+### Protect Your Root Keys and Peppers
+
+The security of this library depends entirely on the secrecy of:
+
+- encryption root keys
+- password peppers
+
+Never hardcode them in source code.
+
+Use secure storage mechanisms such as:
+
+- environment variables
+- secret managers
+- vault systems
+
+---
+
+### Prefer Context-Based Encryption
+
+Always prefer:
+
+```php
+$crypto->context("domain:entity:v1");
+````
 
-1.  **Authenticated Encryption (AEAD):** All reversible encryption uses AEAD algorithms (e.g., XChaCha20-Poly1305 or AES-256-GCM). Data cannot be tampered with without detection.
-2.  **Domain Separation (HKDF):** Context-based encryption derives unique, independent keys for different domains (contexts). A compromised key in one domain does not compromise data in another.
-3.  **Secure Password Hashing:** Passwords are hashed using state-of-the-art algorithms (Argon2id) and support an optional, highly recommended global pepper (HMAC-SHA256) to mitigate offline attacks.
-4.  **Fail-Closed Design:** Any cryptographic failure (e.g., missing keys, invalid tags, malformed data, unsupported algorithms) results in an immediate exception. The module will never fall back to an insecure state or return partial/corrupted data.
-5.  **Seamless Key Rotation:** The system supports multiple keys with distinct states (Active, Inactive, Retired) to allow seamless decryption of legacy data while ensuring new data is always encrypted with the current Active key.
+This ensures proper **HKDF domain separation**.
 
-## Safe Usage Warnings
+Direct encryption:
 
--   **Protect Your Root Keys and Peppers:** The security of this module depends entirely on the secrecy of your injected root keys and password peppers. Do not hardcode them. Store them securely (e.g., in a secrets manager or environment variables) and inject them at runtime.
--   **Use Contexts (`cryptoProvider->context(...)`) over Direct Encryption:** Always prefer context-based encryption to ensure proper domain separation. Only use direct encryption (`cryptoProvider->direct(...)`) if you have a specific, justifiable reason to bypass HKDF.
--   **Do Not Ignore Exceptions:** Ensure your application handles exceptions thrown by the Crypto module gracefully. A thrown exception indicates a serious security condition (e.g., attempted tampering, missing key).
--   **Do Not Modify Core Algorithms:** The core algorithms and primitives are intentionally locked down. Do not attempt to bypass them or introduce custom, unverified cryptographic logic.
+```php
+$crypto->direct();
+```
+
+bypasses HKDF and should only be used for:
+
+* infrastructure secrets
+* internal system encryption
+* controlled environments where domain separation is unnecessary
+
+---
+
+### Always Handle Exceptions
+
+Cryptographic operations may throw exceptions when:
+
+* ciphertext is corrupted
+* authentication tags fail
+* keys are missing
+* metadata is invalid
+
+These exceptions indicate **security-relevant conditions** and must never be ignored.
+
+---
+
+### Do Not Modify Cryptographic Primitives
+
+The algorithms and primitives in this library are intentionally restricted.
+
+Do **not**:
+
+* replace algorithms
+* add fallback ciphers
+* inject custom crypto logic
+
+Doing so may introduce severe vulnerabilities.
+
+---
 
 ## Reporting a Vulnerability
 
-If you discover a security vulnerability within this module, please report it immediately.
+If you discover a security vulnerability in **maatify/crypto**, please report it responsibly.
+
+**Do not open a public GitHub issue.**
+
+Instead, send a report to:
+
+```
+security@maatify.com
+```
+
+Please include:
 
-**Do not open a public issue.**
+* description of the vulnerability
+* steps to reproduce
+* affected versions
 
-Please send an email to the security contact for this repository. We will acknowledge receipt of your vulnerability report and strive to send you regular updates about our progress. If you do not receive a response within 48 hours, please follow up.
+We will acknowledge receipt within **48 hours** and work with you to resolve the issue responsibly.
diff --git a/SECURITY_AUDIT.md b/SECURITY_AUDIT.md
@@ -0,0 +1,57 @@
+# SECURITY_AUDIT.md
+
+## 1. Executive Summary
+
+This document presents the findings of a comprehensive, read-only security audit of the `maatify/crypto` library prior to its v1.0.0 release. The audit focused on evaluating the cryptographic primitives, architectural isolation, fail-closed enforcement, and API design. The library demonstrates a highly secure, well-structured, and defense-in-depth approach to cryptography. Only minor, low-severity API risks were identified, and no critical or high-severity vulnerabilities exist. The library is secure and ready for public release.
+
+## 2. Audit Scope
+
+The scope of this audit covers the entire `src/` directory, specifically focusing on:
+
+- Cryptographic Primitive Safety (AES-GCM implementations)
+- HKDF Domain Separation
+- Password Hashing Security
+- Key Rotation Safety
+- Encryption / Decryption Safety
+- API Misuse Risk (DX module)
+- Randomness & Entropy
+- Fail-Closed Behavior
+- Dependency Review
+- Test Coverage Adequacy
+
+All actions performed during this audit were strictly read-only.
+
+## 3. Security Findings
+
+No critical or high-severity issues were found. The codebase implements rigorous controls and strong isolation.
+
+**Finding 3.1 - Misuse potential of `direct()` encryption pipeline**
+- **Severity:** Low
+- **Description:** The `CryptoProvider` exposes a `direct()` method which bypasses HKDF domain separation, using root keys directly for encryption via `CryptoDirectFactory`. While this is explicitly documented as an advanced pipeline meant for internal secrets, inexperienced developers might use `direct()` instead of `context()` out of convenience, leading to a lack of domain separation.
+- **Impact:** If `direct()` is misused across different domains, compromising a key in one domain could allow decrypting data in another.
+
+## 4. Verified Safe Design Decisions
+
+The library employs several excellent, verifiable security decisions:
+
+- **Cryptographic Primitives:** The default and recommended algorithm is AES-256-GCM (AEAD cipher). The implementation uses the correct constraints: 256-bit (32 bytes) key length, 96-bit (12 bytes) IV length generated safely via `random_bytes()`, and requires a 128-bit (16 bytes) authentication tag. Weak modes like ECB are explicitly absent. `OPENSSL_RAW_DATA` is used correctly.
+- **Domain Separation (HKDF):** The library uses standard RFC 5869 HMAC-SHA256 for key derivation. Contexts must be explicitly versioned (e.g., `:v1`), non-empty, and limited in length, ensuring tight domain boundaries.
+- **Password Hashing:** Implements a robust pipeline of HMAC-SHA256 (Pepper) followed by Argon2id. The pepper is required, missing peppers throw exceptions immediately, and constant-time `password_verify` is used.
+- **Key Rotation Invariants:** Enforced perfectly via `StrictSingleActiveKeyPolicy`. The system strictly validates that only *exactly one* ACTIVE key exists for encryption, while INACTIVE and RETIRED keys are preserved correctly for decryption.
+- **Fail-Closed Principle:** Exception handling is flawless. No operation falls back to weaker algorithms, returns false silently, or gracefully degrades. OpenSSL false returns, missing metadata, invalid lengths, and unregistered algorithms immediately throw explicit exceptions.
+- **RNG:** Predictable RNG functions (`rand`, `mt_rand`) are entirely absent. Entropy relies strictly on `random_bytes()`.
+- **Dependencies:** `composer.json` is clean, enforcing PHP `^8.2` and the necessary extensions (`ext-openssl`, `ext-sodium`), without risky runtime dependencies.
+
+## 5. Potential Risks (if any)
+
+- **Developer Convenience vs Security:** As noted in finding 3.1, providing the `direct()` method poses a minor risk if developers bypass domain separation when they shouldn't.
+
+## 6. Recommendations
+
+- **Documentation & DX Warnings:** Continue emphasizing in the documentation the dangers of `direct()` versus `context()`. Consider adding a PHPDoc `@warning` annotation to the `direct()` method in `CryptoProvider` to ensure IDEs highlight the risk of bypassing domain separation.
+
+## 7. Final Security Assessment
+
+The `maatify/crypto` library exhibits exceptional code quality and security posture. It successfully adheres to its stated goals of providing strict, decoupled, fail-closed, and isolated cryptographic primitives. The architecture perfectly separates key lifecycle management from the encryption routines.
+
+**Conclusion:** The library is highly secure and is approved for the v1.0.0 release.
diff --git a/src/DX/CryptoProvider.php b/src/DX/CryptoProvider.php
@@ -15,6 +15,9 @@
  * 1. Context-based encryption (HKDF Pipeline)
  * 2. Direct encryption (No-HKDF Pipeline)
  *
+ * The recommended default for application-level encryption is `context()`.
+ * It enforces HKDF-based domain separation.
+ *
  * @internal This is a DX helper.
  */
 final readonly class CryptoProvider
@@ -27,11 +30,19 @@ public function __construct(
 
     /**
      * Get a crypto service bound to a specific context.
-     * Uses HKDF to derive keys from the root rotation keys.
      *
-     * Pipeline: KeyRotation -> HKDF -> ReversibleCrypto
+     * Uses HKDF to derive domain-separated encryption keys
+     * from the root rotation keys.
+     *
+     * Pipeline:
+     * KeyRotation -> HKDF -> ReversibleCrypto
      *
-     * @param string $context Explicit context string (e.g. "notification:email:v1")
+     * Example contexts:
+     * - "user:email:v1"
+     * - "auth:session:v1"
+     * - "payment:card:v1"
+     *
+     * @param string $context Explicit context string (must be versioned)
      * @return ReversibleCryptoService
      */
     public function context(string $context): ReversibleCryptoService
@@ -40,10 +51,26 @@ public function context(string $context): ReversibleCryptoService
     }
 
     /**
-     * Get a direct crypto service using raw root keys.
-     * WARNING: Does not provide domain separation.
+     * Get a crypto service using raw root keys directly.
+     *
+     * ⚠ WARNING:
+     * This pipeline bypasses HKDF domain separation.
+     *
+     * Without domain separation, the same root key may be reused
+     * across different encryption domains, which increases the
+     * blast radius if a key is ever compromised.
+     *
+     * Prefer `context()` for application data encryption.
+     *
+     * Only use `direct()` when encrypting:
+     * - internal system secrets
+     * - infrastructure-level data
+     * - environments where domain separation is not required
+     *
+     * Pipeline:
+     * KeyRotation -> ReversibleCrypto
      *
-     * Pipeline: KeyRotation -> ReversibleCrypto
+     * @warning This method intentionally bypasses HKDF domain separation.
      *
      * @return ReversibleCryptoService
      */
