first commit

backend/core/Security/EncryptionHelper.php

@@ -0,0 +1,87 @@
+<?php
+// ============================================================
+// core/Security/EncryptionHelper.php
+// يدعم AES-256-GCM الجديد + AES-256-CBC القديم (توافقية)
+// ============================================================
+
+class EncryptionHelper
+{
+    private string $key;
+    private string $cbcIv;
+    private const ALGO_GCM = 'aes-256-gcm';
+    private const ALGO_CBC = 'AES-256-CBC'; // للتوافقية
+    private const IV_LEN_GCM  = 12;
+    private const TAG_LEN = 16;
+    private const PREFIX_GCM = 'GCM:'; // للتمييز بين الجديد والقديم
+
+    public function __construct(string $key, ?string $cbcIv = null)
+    {
+        if (strlen($key) !== 32) {
+            throw new InvalidArgumentException('Encryption key must be exactly 32 bytes.');
+        }
+        $this->key = $key;
+        // IV القديم للتوافقية أثناء مرحلة المايغريشن
+        $this->cbcIv = $cbcIv ?: getenv('initializationVector') ?: str_repeat('0', 16);
+    }
+
+    // ─── تشفير نص باستخدام AES-256-GCM ──
+    public function encryptData(string $plainText): string
+    {
+        $plainText = mb_convert_encoding($plainText, 'UTF-8');
+        $iv = random_bytes(self::IV_LEN_GCM);
+        $tag = '';
+        $encrypted = openssl_encrypt($plainText, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag, "", self::TAG_LEN);
+        return self::PREFIX_GCM . base64_encode($iv . $tag . $encrypted);
+    }
+
+    // ─── فك تشفير نص (يدعم CBC والـ GCM المستقبلي) ───────────
+    public function decryptData(string $cipherText): string|false
+    {
+        // تحقق إن كان مشفر بالنظام الجديد
+        if (str_starts_with($cipherText, self::PREFIX_GCM)) {
+            $raw = base64_decode(substr($cipherText, strlen(self::PREFIX_GCM)), true);
+            if ($raw === false || strlen($raw) < self::IV_LEN_GCM + self::TAG_LEN) return false;
+
+            $iv     = substr($raw, 0, self::IV_LEN_GCM);
+            $tag    = substr($raw, self::IV_LEN_GCM, self::TAG_LEN);
+            $cipher = substr($raw, self::IV_LEN_GCM + self::TAG_LEN);
+
+            $plain = openssl_decrypt($cipher, self::ALGO_GCM, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
+            return $plain !== false ? $plain : false;
+        }
+
+        // وإلا استخدم CBC القديم
+        $decoded = base64_decode($cipherText, true);
+        if ($decoded === false) return false;
+
+        $decrypted = openssl_decrypt($decoded, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
+        if ($decrypted === false) return false;
+
+        $pad = ord($decrypted[strlen($decrypted) - 1]);
+        if ($pad < 1 || $pad > 16) return false;
+
+        return substr($decrypted, 0, -$pad);
+    }
+
+    // ─── تشفير/فك تشفير Binary (صور، ملفات) ───────────────
+    public function encryptBinary(string $data): string
+    {
+        return openssl_encrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
+    }
+
+    public function decryptBinary(string $data): string|false
+    {
+        return openssl_decrypt($data, self::ALGO_CBC, $this->key, OPENSSL_RAW_DATA, $this->cbcIv);
+    }
+
+    // --------- دوال الـ Padding للـ CBC ----------
+    private function addPadding($data, $blockSize = 16) {
+        $pad = $blockSize - (strlen($data) % $blockSize);
+        return $data . str_repeat(chr($pad), $pad);
+    }
+
+    private function removePadding($data) {
+        $pad = ord($data[strlen($data) - 1]);
+        return substr($data, 0, -$pad);
+    }
+}