sodium_crypto_box_seal_open - PHP code example

Sodium and the PHP Function Sodium_CryptoBoxSealOpen

PHP Functions are a set of instructions that will be executed at runtime. The instructions are passed to the functions through the arguments, which are listed within the parentheses of the function name. Each argument has a specific value, and you can include as many arguments as you want. You can use the comma (,) to divide the parameters.

Sodium is a fork of NaCl, and a much more modern and opinionated cryptography library that removes a lot of decision making from the end user. It provides a few algorithms with optimal defaults and opinionated key sizes to encrypt/decrypt data. It also supports authenticated encryption, which protects against Chosen-ciphertext attacks.

The libsodium PHP extension is the recommended way to use Sodium in your applications. It’s available as a PECL extension and is built into PHP since 7.2. Libsodium is highly performant and provides API variants to support a variety of use cases.

For example, it supports Authenticated Asymmetric Encryption/Decryption with crypto_box_seal(). This allows the sender to encrypt the message with the recipient's public key, and for the recipient to decrypt it with their private key. The recipient can then validate the message as being authenticated by the sender.

To do this, the message and some additional data is encoded together into an authentication tag. This tag is then embedded into the ciphertext for later verification. Unlike the case of HMAC, this type of encryption doesn’t require a shared secret key between parties – only the sender's private key is used.

sodium_crypto_box_seal_open example

return null;
        }

        $this->loadKeys();

        if ('' === $this->decryptionKey) {
            $this->lastMessage = sprintf('Secret "%s" cannot be revealed as no decryption key was found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));

            return null;
        }

        if (false === $value = sodium_crypto_box_seal_open(include $file, $this->decryptionKey)) {
            $this->lastMessage = sprintf('Secret "%s" cannot be revealed as the wrong decryption key was provided for "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));

            return null;
        }

        return $value;
    }

    public function remove(string $name): bool
    {
        $this->lastMessage = null;

public function testMarshall()
    {
        $defaultMarshaller = new DefaultMarshaller();
        $sodiumMarshaller = new SodiumMarshaller([$this->decryptionKey], $defaultMarshaller);

        $values = ['a' => '123'];
        $failed = [];
        $defaultResult = $defaultMarshaller->marshall($values, $failed);

        $sodiumResult = $sodiumMarshaller->marshall($values, $failed);
        $sodiumResult['a'] = sodium_crypto_box_seal_open($sodiumResult['a'], $this->decryptionKey);

        $this->assertSame($defaultResult, $sodiumResult);
    }

    public function testUnmarshall()
    {
        $defaultMarshaller = new DefaultMarshaller();
        $sodiumMarshaller = new SodiumMarshaller([$this->decryptionKey], $defaultMarshaller);

        $values = ['a' => '123'];
        $failed = [];

/* Input validation: */
        if (ParagonIE_Sodium_Core_Util::strlen($keypair) !== self::CRYPTO_BOX_KEYPAIRBYTES) {
            throw new SodiumException('Argument 2 must be CRYPTO_BOX_KEYPAIRBYTES long.');
        }

        if (self::useNewSodiumAPI()) {
            /** * @psalm-suppress InvalidReturnStatement * @psalm-suppress FalsableReturnStatement */
            return sodium_crypto_box_seal_open($ciphertext, $keypair);
        }
        if (self::use_fallback('crypto_box_seal_open')) {
            return call_user_func('\\Sodium\\crypto_box_seal_open', $ciphertext, $keypair);
        }
        if (PHP_INT_SIZE === 4) {
            return ParagonIE_Sodium_Crypto32::box_seal_open($ciphertext, $keypair);
        }
        return ParagonIE_Sodium_Crypto::box_seal_open($ciphertext, $keypair);
    }

    /** * Generate a new random X25519 keypair. * * @return string A 64-byte string; the first 32 are your secret key, while * the last 32 are your public key. crypto_box_secretkey() * and crypto_box_publickey() exist to separate them so you * don't accidentally get them mixed up! * @throws SodiumException * @throws TypeError * @psalm-suppress MixedArgument */

$encryptedValues = [];
        foreach ($this->marshaller->marshall($values, $failed) as $k => $v) {
            $encryptedValues[$k] = sodium_crypto_box_seal($v, $encryptionKey);
        }

        return $encryptedValues;
    }

    public function unmarshall(string $value): mixed
    {
        foreach ($this->decryptionKeys as $k) {
            if (false !== $decryptedValue = @sodium_crypto_box_seal_open($value, $k)) {
                $value = $decryptedValue;
                break;
            }
        }

        return $this->marshaller->unmarshall($value);
    }
}