PHPC-1499: Implement ClientEncryption::decrypt

alcaeus · alcaeus · commit f0372a50c5f0 · 2020-01-22T08:18:32.000+01:00
diff --git a/php_phongo.c b/php_phongo.c
@@ -3191,6 +3191,25 @@ void phongo_clientencryption_encrypt(php_phongo_clientencryption_t* clientencryp
 		mongoc_client_encryption_encrypt_opts_destroy(opts);
 	}
 } /* }}} */
+
+void phongo_clientencryption_decrypt(php_phongo_clientencryption_t* clientencryption, zval* zciphertext, zval* zvalue TSRMLS_DC) /* {{{ */
+{
+	bson_value_t ciphertext, value;
+	bson_error_t error = { 0 };
+
+	php_phongo_zval_to_bson_value(zciphertext, PHONGO_BSON_NONE, &ciphertext TSRMLS_CC);
+
+	if (!mongoc_client_encryption_decrypt(clientencryption->client_encryption, &ciphertext, &value, &error)) {
+		phongo_throw_exception_from_bson_error_t(&error TSRMLS_CC);
+		return;
+	}
+
+	if (!php_phongo_bson_value_to_zval(&value, zvalue)) {
+		/* Exception already thrown */
+		return;
+	}
+}
+/* }}} */
 #else /* MONGOC_ENABLE_CLIENT_SIDE_ENCRYPTION */
 static void phongo_throw_exception_no_cse(php_phongo_error_domain_t domain, const char* message TSRMLS_DC) /* {{{ */
 {
@@ -3227,6 +3246,12 @@ void phongo_clientencryption_encrypt(php_phongo_clientencryption_t* clientencryp
 	phongo_throw_exception_no_cse(PHONGO_ERROR_RUNTIME, "Cannot encrypt value." TSRMLS_CC);
 }
 /* }}} */
+
+void phongo_clientencryption_decrypt(php_phongo_clientencryption_t* clientencryption, zval* zciphertext, zval* zvalue TSRMLS_DC) /* {{{ */
+{
+	phongo_throw_exception_no_cse(PHONGO_ERROR_RUNTIME, "Cannot decrypt value." TSRMLS_CC);
+}
+/* }}} */
 #endif
 
 void phongo_manager_init(php_phongo_manager_t* manager, const char* uri_string, zval* options, zval* driverOptions TSRMLS_DC) /* {{{ */
diff --git a/php_phongo.h b/php_phongo.h
@@ -169,6 +169,7 @@ bool php_phongo_parse_int64(int64_t* retval, const char* data, phongo_zpp_char_l
 
 void phongo_clientencryption_create_datakey(php_phongo_clientencryption_t* clientencryption, zval* return_value, char* kms_provider, zval* options TSRMLS_DC);
 void phongo_clientencryption_encrypt(php_phongo_clientencryption_t* clientencryption, zval* zvalue, zval* zciphertext, zval* options TSRMLS_DC);
+void phongo_clientencryption_decrypt(php_phongo_clientencryption_t* clientencryption, zval* zciphertext, zval* zvalue TSRMLS_DC);
 
 zend_bool phongo_writeerror_init(zval* return_value, bson_t* bson TSRMLS_DC);
 zend_bool phongo_writeconcernerror_init(zval* return_value, bson_t* bson TSRMLS_DC);
diff --git a/src/MongoDB/ClientEncryption.c b/src/MongoDB/ClientEncryption.c
@@ -71,6 +71,27 @@ static PHP_METHOD(ClientEncryption, encrypt)
 	phongo_clientencryption_encrypt(intern, value, return_value, options TSRMLS_CC);
 } /* }}} */
 
+/* {{{ proto mixed MongoDB\Driver\ClientEncryption::decrypt(MongoDB\BSON\BinaryInterface $value)
+   Decrypts an encrypted value (BSON binary of subtype 6). Returns the original BSON value */
+static PHP_METHOD(ClientEncryption, decrypt)
+{
+	zval*                          ciphertext;
+	zend_error_handling            error_handling;
+	php_phongo_clientencryption_t* intern;
+
+	intern = Z_CLIENTENCRYPTION_OBJ_P(getThis());
+	zend_replace_error_handling(EH_THROW, phongo_exception_from_phongo_domain(PHONGO_ERROR_INVALID_ARGUMENT), &error_handling TSRMLS_CC);
+
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O", &ciphertext, php_phongo_binary_interface_ce) == FAILURE) {
+		zend_restore_error_handling(&error_handling TSRMLS_CC);
+		return;
+	}
+
+	zend_restore_error_handling(&error_handling TSRMLS_CC);
+
+	phongo_clientencryption_decrypt(intern, ciphertext, return_value TSRMLS_CC);
+} /* }}} */
+
 ZEND_BEGIN_ARG_INFO_EX(ai_ClientEncryption_createDataKey, 0, 0, 1)
 	ZEND_ARG_INFO(0, kmsProvider)
 	ZEND_ARG_ARRAY_INFO(0, options, 1)
@@ -81,13 +102,18 @@ ZEND_BEGIN_ARG_INFO_EX(ai_ClientEncryption_encrypt, 0, 0, 1)
 	ZEND_ARG_ARRAY_INFO(0, options, 1)
 ZEND_END_ARG_INFO()
 
+ZEND_BEGIN_ARG_INFO_EX(ai_ClientEncryption_decrypt, 0, 0, 1)
+	ZEND_ARG_OBJ_INFO(0, keyVaultClient, MongoDB\\BSON\\BinaryInterface, 0)
+ZEND_END_ARG_INFO()
+
 ZEND_BEGIN_ARG_INFO_EX(ai_ClientEncryption_void, 0, 0, 0)
 ZEND_END_ARG_INFO()
 
 static zend_function_entry php_phongo_clientencryption_me[] = {
 	/* clang-format off */
 	PHP_ME(ClientEncryption, createDataKey, ai_ClientEncryption_createDataKey, ZEND_ACC_PUBLIC | ZEND_ACC_FINAL)
 	PHP_ME(ClientEncryption, encrypt, ai_ClientEncryption_encrypt, ZEND_ACC_PUBLIC | ZEND_ACC_FINAL)
+	PHP_ME(ClientEncryption, decrypt, ai_ClientEncryption_decrypt, ZEND_ACC_PUBLIC | ZEND_ACC_FINAL)
 	ZEND_NAMED_ME(__construct, PHP_FN(MongoDB_disabled___construct), ai_ClientEncryption_void, ZEND_ACC_PRIVATE | ZEND_ACC_FINAL)
 	ZEND_NAMED_ME(__wakeup, PHP_FN(MongoDB_disabled___wakeup), ai_ClientEncryption_void, ZEND_ACC_PUBLIC | ZEND_ACC_FINAL)
 	PHP_FE_END
diff --git a/tests/clientEncryption/clientEncryption-decrypt-001.phpt b/tests/clientEncryption/clientEncryption-decrypt-001.phpt
@@ -0,0 +1,27 @@
+--TEST--
+MongoDB\Driver\ClientEncryption::decrypt()
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_server_version('<', '3.6'); ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$key = base64_decode('Mng0NCt4ZHVUYUJCa1kxNkVyNUR1QURhZ2h2UzR2d2RrZzh0cFBwM3R6NmdWMDFBMUN3YkQ5aXRRMkhGRGdQV09wOGVNYUMxT2k3NjZKelhaQmRCZGJkTXVyZG9uSjFk');
+
+$manager = new MongoDB\Driver\Manager(URI);
+$clientEncryption = $manager->createClientEncryption(['keyVaultNamespace' => 'default.keys', 'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary($key, 0)]]]);
+
+$key = $clientEncryption->createDataKey('local');
+
+$encrypted = $clientEncryption->encrypt('top-secret', ['keyId' => $key, 'algorithm' => 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic']);
+var_dump($clientEncryption->decrypt($encrypted));
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+string(10) "top-secret"
+===DONE===
