- Added CreateEncryptedSystemWalletService for creating and persisting encrypted system wallets.
- Introduced AeadCryptedValue class to encapsulate AEAD encrypted data structure.
- Created EntitySchemaBuilderInterface for defining schema builders for entities.
- Developed AeadEncryptor service for handling AEAD encryption and decryption.
- Implemented EntityAeadEncryptor for encrypting and decrypting entity data.
- Established EntitySchemaBuilderCollection and EntitySchemaBuilderLocator for managing schema builders.
- Added SystemWalletV1SchemaBuilder for generating associated data for SystemWallet entities.
- Introduced CryptEngine enum to define supported cryptographic engines.
- Created CryptKey class to represent cryptographic keys.
- Developed SecretBoxCryptedValue and Encryptor for handling SecretBox encryption.
- Implemented Vault service for managing cryptographic keys.
- Added tests for AEAD and SecretBox encryption services to ensure functionality and security.
Pull request overview
This PR implements AEAD (Authenticated Encryption with Associated Data) encryption to replace the existing SecretBox encryption for protecting sensitive data such as system wallet private keys. The implementation follows Stellar's security best practices by cryptographically binding encrypted data to its context through additional authenticated data.
Key Changes:
- Introduces AEAD encryption with XChaCha20-Poly1305-IETF algorithm and key derivation
- Implements a versioned schema builder architecture for generating entity-specific additional data
- Maintains backward compatibility by keeping SecretBox encryption alongside the new AEAD implementation
- Upgrades Symfony from 7.3 to 7.4 and Node.js from 22.5.1 to 24.12.0
Reviewed changes
Copilot reviewed 43 out of 45 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| src/Domain/Crypt/Aead/Service/AeadEncryptor.php | Core AEAD encryption/decryption with key derivation |
| src/Domain/Crypt/Aead/Service/EntityAeadEncryptor.php | Entity-aware encryption wrapper using schema builders |
| src/Domain/Crypt/Aead/Service/Schema/SystemWalletV1SchemaBuilder.php | Schema builder for SystemWallet additional data generation |
| src/Domain/Crypt/Aead/Service/EntitySchemaBuilderLocator.php | Locates appropriate schema builders for entities |
| src/Domain/Crypt/Aead/Service/EntitySchemaBuilderCollection.php | Manages collection of schema builders |
| src/Domain/Crypt/Aead/AeadCryptedValue.php | Value object for AEAD encrypted data |
| src/Domain/Crypt/SecretBox/Service/Encryptor.php | Refactored SecretBox encryptor to use Vault |
| src/Domain/Crypt/Service/Vault.php | Centralized key management service |
| src/Application/SystemWallet/Service/CreateEncryptedSystemWalletService.php | Service for creating encrypted system wallets |
| tests/Domain/Crypt/Aead/Service/AeadEncryptorTest.php | Comprehensive AEAD encryption tests |
| tests/Domain/Crypt/Aead/Service/EntityAeadEncryptorTest.php | Entity encryption tests |
| config/services.yaml | Service configuration with vault keys binding |
| docker/entrypoint.sh | Generates AEAD encryption keys on initialization |
| composer.json | Symfony 7.4 upgrade and Redis extension provision |
Comments suppressed due to low confidence (3)
src/Domain/Crypt/SecretBox/Service/Encryptor.php:30 - Spelling error: "encriptionKey" should be "encryptionKey". The correct spelling uses "encryption" not "encription".
src/Domain/Crypt/SecretBox/Service/Encryptor.php:36 - Spelling error: "encriptionKey" should be "encryptionKey". The correct spelling uses "encryption" not "encription".
src/Domain/Crypt/SecretBox/Service/Encryptor.php:18 - Spelling error: "encriptionKey" should be "encryptionKey". The correct spelling uses "encryption" not "encription".
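The context binding that the overview describes (XChaCha20-Poly1305-IETF with entity-specific additional data), as an added example that is not code from this pull request. The function names, the additional-data layout, the use of libsodium's KDF with the label `SYSWALLT`, and the wallet IDs are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a schema builder: canonical additional data for one field of one entity.
function buildAssociatedData(string $schemaVersion, string $entity, string $id, string $field): string
{
    $ad = '';
    foreach ([$schemaVersion, $entity, $id, $field] as $part) {
        $ad .= pack('N', strlen($part)) . $part; // length prefix: ("ab","c") and ("a","bc") differ
    }
    return $ad;
}

// Assumed key derivation: one subkey per purpose from a master key (context must be 8 bytes).
function deriveSubkey(string $masterKey, int $subkeyId): string
{
    $len = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES;
    return sodium_crypto_kdf_derive_from_key($len, $subkeyId, 'SYSWALLT', $masterKey);
}

function seal(string $plaintext, string $ad, string $key): string
{
    // A fresh random 24-byte nonce per message, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    return $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $ad, $nonce, $key);
}

function openSealed(string $blob, string $ad, string $key): ?string
{
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(substr($blob, $n), $ad, substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain; // null when the tag does not verify
}

// Constructed sample data, not values from the project.
$master = sodium_crypto_kdf_keygen();
$key    = deriveSubkey($master, 1);
$adA    = buildAssociatedData('v1', 'SystemWallet', 'wallet-0001', 'privateKey');
$adB    = buildAssociatedData('v1', 'SystemWallet', 'wallet-0002', 'privateKey');
$blob   = seal('constructed-secret-seed', $adA, $key);

var_dump(openSealed($blob, $adA, $key));                      // same entity context
var_dump(openSealed($blob, $adB, $key));                      // ciphertext moved to another wallet row
var_dump(openSealed($blob, $adA, deriveSubkey($master, 2)));  // subkey derived for another purpose
```

Only the first call returns the plaintext; the other two fail authentication, which is what lets a decrypting service reject a ciphertext that was copied between records.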
```php
public function configure(EntitySchemaBuilderLocator $entitySchemaBuilderLocator) {

    $collection = new EntitySchemaBuilderCollection();
    foreach($this->handlers as $sch) {
```
Missing space after "foreach" keyword. Should be "foreach (" instead of "foreach(". This is inconsistent with the PSR-12 coding standard.
```php
public function getAeadKey(): CryptKey
{
    $aeadKey = VaultKey::getAeadKey()->value;
    if(!isset($this->vaultKeys[$aeadKey])) {
```
Missing space after "if" keyword. Should be "if (" instead of "if(". This is inconsistent with the PSR-12 coding standard followed in other files in the codebase.
src/Domain/Crypt/Aead/Service/EntitySchemaBuilderLocatorConfigurator.php
```php
use App\Domain\Crypt\Aead\EntitySchemaBuilderInterface;

class EntitySchemaBuilderCollection {
```
The opening brace should be on the next line according to PSR-12 standards. Should be "class EntitySchemaBuilderCollection\n{" instead of "class EntitySchemaBuilderCollection {"
```php
public function getSchemaBuilderVersion(string $entity, string $version): ?EntitySchemaBuilderInterface
{
    if(!isset($this->schemaBuilders[$entity])) {
```
Missing space after "if" keyword. Should be "if (" instead of "if(". This is inconsistent with the PSR-12 coding standard.
```php
public function getLatestSchemaVersion(string $entity): ?EntitySchemaBuilderInterface
{
    if(!isset($this->schemaBuilders[$entity])) {
```
Missing space after "if" keyword. Should be "if (" instead of "if(". This is inconsistent with the PSR-12 coding standard.
```php
{
    private EntitySchemaBuilderCollection $schemaBuilders;

    public function setSchemaBuilders( EntitySchemaBuilderCollection $schemaBuilders)
```
Extra space after opening parenthesis in the method signature. Should be "setSchemaBuilders(EntitySchemaBuilderCollection $schemaBuilders)" without the extra space after the opening parenthesis.