Fixing FileProvider for read key from kubernetes secret file

.gitignore

@@ -1,3 +1,4 @@
 /.idea
 /composer.lock
 /vendor
+.phpunit.result.cache

src/KeyProvider/FileProvider.php

@@ -2,10 +2,11 @@
 declare(strict_types=1);
 namespace ParagonIE\CipherSweet\KeyProvider;
 
+use ParagonIE\CipherSweet\Util;
 use ParagonIE\CipherSweet\Backend\Key\SymmetricKey;
 use ParagonIE\CipherSweet\Contract\KeyProviderInterface;
 use ParagonIE\CipherSweet\Exception\KeyProviderException;
-
+use ParagonIE\CipherSweet\Exception\CryptoOperationException;
 /**
  * Class FileProvider
  * @package ParagonIE\CipherSweet\KeyProvider
@@ -42,6 +43,15 @@ public function getSymmetricKey(): SymmetricKey
             throw new KeyProviderException('Could not read symmetric key from file.');
         }
 
+        try{
+            // If hash has string hashes or base64 key decode it
+            $binaryKey = Util::convertSymmetricStringKeyToBinary(trim($contents));
+            return new SymmetricKey($binaryKey);
+        }catch(CryptoOperationException $e){
+
+        }
+
+        // otherwise read as binary
         return new SymmetricKey($contents);
     }
 

src/KeyProvider/StringProvider.php

@@ -6,11 +6,6 @@
 use ParagonIE\CipherSweet\Contract\KeyProviderInterface;
 use ParagonIE\CipherSweet\Exception\CryptoOperationException;
 use ParagonIE\CipherSweet\Util;
-use ParagonIE\ConstantTime\{
-    Base64UrlSafe,
-    Binary,
-    Hex
-};
 use SodiumException;
 
 /**
@@ -35,15 +30,7 @@ public function __construct(
         #[\SensitiveParameter]
         string $rawKey = ''
     ) {
-        if (Binary::safeStrlen($rawKey) === 64) {
-            $this->rootSymmetricKey = Hex::decode($rawKey);
-        } elseif (Binary::safeStrlen($rawKey) === 44) {
-            $this->rootSymmetricKey = Base64UrlSafe::decode($rawKey);
-        } elseif (Binary::safeStrlen($rawKey) === 32) {
-            $this->rootSymmetricKey = $rawKey;
-        } else {
-            throw new CryptoOperationException('Invalid key size');
-        }
+        $this->rootSymmetricKey = Util::convertSymmetricStringKeyToBinary($rawKey);
     }
 
     /**

src/Util.php

@@ -2,13 +2,17 @@
 declare(strict_types=1);
 namespace ParagonIE\CipherSweet;
 
+use ParagonIE\CipherSweet\Exception\CryptoOperationException;
 use ParagonIE\CipherSweet\Backend\Key\SymmetricKey;
-use ParagonIE\ConstantTime\Binary;
 use ParagonIE_Sodium_Core_Util as SodiumUtil;
 use ArrayAccess;
 use SodiumException;
 use TypeError;
-
+use ParagonIE\ConstantTime\{
+    Base64UrlSafe,
+    Binary,
+    Hex
+};
 /**
  * Class Util
  * @package ParagonIE\CipherSweet
@@ -317,6 +321,27 @@ public static function stringToInt(string $string): int
         return SodiumUtil::load64_le($string);
     }
 
+    /**
+     * Parse string symetric key
+     *
+     * @param string $key
+     *
+     * @throws CryptoOperationException
+     */
+    public static function convertSymmetricStringKeyToBinary(string $key): string
+    {
+        if (Binary::safeStrlen($key) === 64) 
+            return Hex::decode($key);
+
+        if (Binary::safeStrlen($key) === 44) 
+            return Base64UrlSafe::decode($key);
+
+        if (Binary::safeStrlen($key) === 32) 
+            return $key;
+
+        throw new CryptoOperationException('Invalid key size');
+    }
+
     /**
      * @throws SodiumException
      */

tests/KeyProvider/FileProviderTest.php

@@ -16,6 +16,8 @@ class FileProviderTest extends TestCase
      * @var string $prefix
      */
     private $prefix;
+    private $symmetric;
+
 
     /**
      * @before
@@ -25,10 +27,22 @@ public function before()
     {
         $this->prefix = Base32::encodeUnpadded(random_bytes(16));
 
-        $symmetric = \random_bytes(32);
+        $this->symmetric = \random_bytes(32);
         \file_put_contents(
             __DIR__ . '/files/' . $this->prefix . '.symmetric',
-            $symmetric
+            $this->symmetric
+        );
+
+        // save hashed ranbom bytes as hash
+        \file_put_contents(
+            __DIR__ . '/files/' . $this->prefix . '.symmetric.hash',
+            trim(bin2hex($this->symmetric))
+        );
+
+        // save hashed random bytes as hash with whitelines
+        \file_put_contents(
+            __DIR__ . '/files/' . $this->prefix . '.symmetric.hash.whitelines',
+            bin2hex($this->symmetric)."\n"
         );
     }
 
@@ -38,6 +52,9 @@ public function before()
     public function afterClass()
     {
         \unlink(__DIR__ . '/files/' . $this->prefix . '.symmetric');
+        \unlink(__DIR__ . '/files/' . $this->prefix . '.symmetric.hash');
+        \unlink(__DIR__ . '/files/' . $this->prefix . '.symmetric.hash.whitelines');
+
     }
 
     /**
@@ -50,5 +67,33 @@ public function testHappyPath()
         );
 
         $this->assertInstanceOf(SymmetricKey::class, $provider->getSymmetricKey());
+        $this->assertSame($provider->getSymmetricKey()->getRawKey(), $this->symmetric);
+    }
+
+       /**
+     * @throws \ParagonIE\CipherSweet\Exception\KeyProviderException
+     */
+    public function testHashedPassword()
+    {
+        $provider = new FileProvider(
+            __DIR__ . '/files/' . $this->prefix . '.symmetric.hash'
+        );
+
+        $this->assertInstanceOf(SymmetricKey::class, $provider->getSymmetricKey());
+        $this->assertSame($provider->getSymmetricKey()->getRawKey(), $this->symmetric);
+
+    }
+
+       /**
+     * @throws \ParagonIE\CipherSweet\Exception\KeyProviderException
+     */
+    public function testHashedPasswordWithWhitelines()
+    {
+        $provider = new FileProvider(
+            __DIR__ . '/files/' . $this->prefix . '.symmetric.hash.whitelines'
+        );
+
+        $this->assertInstanceOf(SymmetricKey::class, $provider->getSymmetricKey());
+        $this->assertSame($provider->getSymmetricKey()->getRawKey(), $this->symmetric);
     }
 }

tests/KeyProvider/files/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore