Wycheproof Laravel Package

c2sp/wycheproof

Community-managed Wycheproof cryptography test vectors and JSON schemas. Validate crypto library implementations against known attacks and spec edge cases across many algorithms (AES-GCM, ECDSA, RSA, HKDF, ChaCha20-Poly1305, Kyber, Dilithium, more).


Technical Evaluation

Architecture Fit

  • Cryptographic Validation Layer: Wycheproof provides a pre-built test suite for validating cryptographic implementations against known attack vectors (e.g., invalid curve attacks, Bleichenbacher flaws, nonce bias). This aligns well with Laravel’s reliance on PHP’s cryptographic libraries (e.g., openssl, libsodium, or custom implementations) for features like:
    • Authentication (e.g., JWT, OAuth tokens)
    • Encryption (e.g., AES-GCM, ChaCha20-Poly1305)
    • Digital Signatures (e.g., ECDSA, EdDSA)
    • Key Exchange (e.g., ECDH, X25519)
  • Complementary to Laravel’s Security Stack: While Laravel itself doesn’t implement cryptography from scratch, it delegates to PHP’s ext-openssl, ext-sodium, or packages like paragonie/sodium_compat. Wycheproof can validate these dependencies at build/test time, reducing runtime vulnerabilities.
  • CI/CD Integration: Fits naturally into Laravel’s testing pipeline (e.g., PHPUnit, Pest) to enforce cryptographic correctness before deployment.

Integration Feasibility

  • Low-Coupling Design: Wycheproof is language-agnostic (JSON-based test vectors). Integration requires:
    1. Loading JSON test vectors (via Guzzle, Symfony\Component\Yaml, or native json_decode).
    2. Mapping vectors to Laravel/PHP crypto APIs (e.g., openssl_* functions, Sodium\* methods).
    3. Asserting outputs against expected results (valid/invalid/acceptable).
  • Existing PHP Libraries:

Technical Risk

  • Algorithm Coverage
    • Description: Not all Wycheproof vectors map 1:1 to PHP’s openssl/sodium. E.g., AEGIS, Ascon, or ML-KEM (Kyber) lack native PHP support.
    • Mitigation Strategy: Prioritize vectors for supported algorithms (e.g., AES-GCM, ECDSA, ChaCha20-Poly1305). Use feature flags to disable unsupported tests.
  • Performance Overhead
    • Description: Running 1,000+ test vectors in CI may slow down pipelines.
    • Mitigation Strategy: Parallelize tests (e.g., using PHPUnit’s --parallel). Cache test results for unchanged codebases.
  • False Positives/Negatives
    • Description: PHP’s crypto functions may behave differently than Wycheproof’s expectations (e.g., padding schemes, key derivation).
    • Mitigation Strategy: Baseline against known-good libraries (e.g., libressl, BoringSSL) before integrating. Document discrepancies in Laravel’s security docs.
  • Maintenance Burden
    • Description: Wycheproof’s test vectors evolve. Laravel’s crypto APIs may diverge from expectations.
    • Mitigation Strategy: Automate schema validation (e.g., using justinrainbow/json-schema). Subscribe to Wycheproof’s release notes.
  • Dependency Bloat
    • Description: Adding Wycheproof may require pulling in heavy JSON parsers or custom crypto logic.
    • Mitigation Strategy: Use composer scripts to load vectors only during the test phase. Avoid runtime dependencies.

Key Questions for the TPM

  1. Algorithm Prioritization:
    • Which cryptographic algorithms does Laravel currently use (e.g., JWT signing, database encryption)?
    • Should we mandate Wycheproof coverage for all algorithms or start with high-risk ones (e.g., ECDSA, RSA)?
  2. Integration Scope:
    • Should Wycheproof tests run in CI (GitHub Actions/GitLab CI) or local development (e.g., Laravel Sail)?
    • Should we block merges if tests fail (strict mode) or warn only (lenient mode)?
  3. Performance Tradeoffs:
    • What’s the acceptable CI runtime for Wycheproof tests? Can we sample vectors instead of running all?
  4. False Positive Handling:
    • How will we triage failures (e.g., is PHP’s openssl_* implementation non-compliant, or is Wycheproof’s test incorrect)?
  5. Long-Term Maintenance:
    • Who will own Wycheproof updates (Security Team, Core Devs)?
    • Should we fork Wycheproof to customize vectors for Laravel’s needs?

Integration Approach

Stack Fit

  • PHP Ecosystem:
    • JSON Handling: Leverage json_decode() or Symfony\Component\Yaml for parsing vectors.
    • Crypto Libraries:
      • OpenSSL: For RSA, DSA, ECDSA, AES, etc. (via openssl_* functions).
      • Libsodium: For modern algorithms (ChaCha20-Poly1305, X25519) via paragonie/sodium_compat.
      • Custom: For unsupported algorithms (e.g., AEGIS), consider:
        • FFI to call native libraries.
        • PECL extensions (e.g., pecl/openssl).
        • External services (e.g., AWS KMS for Kyber).
    • Testing Frameworks:
      • PHPUnit/Pest: For assertions.
      • Laravel’s tests/Feature: To integrate into existing test suites.
  • Laravel-Specific:
    • Service Providers: Create a WycheproofServiceProvider to load vectors and register test runners.
    • Artisan Commands: Add php artisan wycheproof:test for manual runs.
    • Facades: Expose a Wycheproof facade for easy test invocation.

Migration Path

  1. Phase 1: Proof of Concept (2-4 weeks)

    • Scope: Pick 1-2 algorithms (e.g., AES-GCM + ECDSA) with high Laravel usage.
    • Implementation:
      • Write a custom test runner (e.g., WycheproofTestCase extending PHPUnit).
      • Map Wycheproof vectors to PHP functions (e.g., openssl_encrypt() for AES-GCM).
      • Run tests locally and in CI.
    • Deliverable: PR with a modular test suite for 1 algorithm.
  2. Phase 2: Core Integration (4-8 weeks)

    • Scope: Expand to all supported algorithms in Laravel’s crypto stack.
    • Implementation:
      • Automate vector loading (e.g., fetch from GitHub releases).
      • Add CI checks (e.g., fail builds on Wycheproof failures).
      • Document expected behavior for each algorithm.
    • Deliverable: Full Wycheproof integration in Laravel’s testing package.
  3. Phase 3: Optimization & Maintenance (Ongoing)

    • Scope: Reduce CI noise, improve performance, and handle schema updates.
    • Implementation:
      • Cache test results for unchanged code.
      • Parallelize tests (e.g., by algorithm).
      • Monitor false positives and file issues upstream.
    • Deliverable: Stable, high-coverage Wycheproof testing in Laravel.
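To make the three integration steps above (load vectors, map them to openssl_* functions, assert on valid/invalid/acceptable) and the Phase 1 AES-GCM runner concrete, here is an added, stand-alone PHP example that is not code from the Wycheproof project or this page. It drives ext-openssl's openssl_decrypt() from a file in Wycheproof's AEAD JSON shape; the embedded sample vectors are constructed (the GCM spec's all-zero test case plus a tag-corrupted copy), and the testvectors_v1/aes_gcm_test.json path is an assumption.

```php
<?php
declare(strict_types=1);
// Constructed sample in Wycheproof's AEAD JSON shape: tcId 1 is the well-known GCM spec
// test case (all-zero key/IV/plaintext); tcId 2 is the same vector with its tag corrupted.
const SAMPLE_VECTORS = <<<'JSON'
{"algorithm":"AES-GCM","testGroups":[{"ivSize":96,"keySize":128,"tagSize":128,"type":"AeadTest","tests":[
 {"tcId":1,"comment":"constructed","flags":[],"key":"00000000000000000000000000000000",
  "iv":"000000000000000000000000","aad":"","msg":"00000000000000000000000000000000",
  "ct":"0388dace60b6a392f328c2b971b2fe78","tag":"ab6e47d42cec13bdf53a67b21257bddf","result":"valid"},
 {"tcId":2,"comment":"constructed, corrupted tag","flags":[],"key":"00000000000000000000000000000000",
  "iv":"000000000000000000000000","aad":"","msg":"00000000000000000000000000000000",
  "ct":"0388dace60b6a392f328c2b971b2fe78","tag":"ab6e47d42cec13bdf53a67b21257bdd0","result":"invalid"}]}]}
JSON;
/** Run one AEAD case against ext-openssl; true when PHP's behaviour matches the vector's verdict. */
function runAeadCase(array $group, array $t): bool
{
    $cipher = sprintf('aes-%d-gcm', $group['keySize']);
    [$key, $iv, $aad, $ct, $tag] = array_map('hex2bin', [$t['key'], $t['iv'], $t['aad'], $t['ct'], $t['tag']]);
    try {
        // Decryption is the security-relevant direction: a forged or truncated tag must
        // make openssl_decrypt() return false, never release plaintext.
        $pt = @openssl_decrypt($ct, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    } catch (\ValueError $e) {   // PHP 8 throws for e.g. unsupported tag lengths
        $pt = false;
    }
    $accepted = $pt !== false && hash_equals(hex2bin($t['msg']), $pt);
    return match ($t['result']) {
        'valid'      => $accepted,                  // must decrypt to the expected plaintext
        'invalid'    => $pt === false,              // any accepted forgery is a failure
        'acceptable' => $accepted || $pt === false, // strict rejection or correct decryption
    };
}

/** Run every case in a Wycheproof AEAD vector file; returns the tcIds whose behaviour did not match. */
function runAeadVectors(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $failed = [];
    foreach ($data['testGroups'] as $group) {
        foreach ($group['tests'] as $t) {
            if (!runAeadCase($group, $t)) { $failed[] = $t['tcId']; }
        }
    }
    return $failed;
}
// Usage: php wycheproof_aes_gcm.php [testvectors_v1/aes_gcm_test.json]  (file path is an assumption)
$failed = runAeadVectors(isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_VECTORS);
echo $failed ? 'mismatching tcIds: ' . implode(', ', $failed) . "\n" : "all vectors behaved as expected\n";
exit($failed ? 1 : 0);
```

Wrapping runAeadVectors() in a PHPUnit data provider keyed by tcId gives the per-vector failure reporting the Phase 1 WycheproofTestCase calls for.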

Compatibility

  • PHP Version: Requires PHP 8.1+ (for typed properties, attributes). Older versions may need polyfills.
  • OpenSSL Extension: Mandatory for RSA/DSA/ECDSA tests. Must be enabled (`php -m
  • Libsodium: Recommended for modern algorithms (ChaCha20, X25519). paragonie/sodium_compat provides a fallback.
  • Laravel Versions: Works with Laravel 9+ (composer autoloading, PHP 8.1+). Older versions may need adjustments.
  • CI Environments: Tested on GitHub Actions, GitLab CI, CircleCI. Ensure Docker images include openssl and libsodium.
  • Unsupported Algorithms: For AEGIS/Ascon/Kyber, either: 1. Skip tests