hide sensitive info with SensitiveParameter attribute

src/ClientJsonTrait.php

@@ -63,7 +63,12 @@ abstract protected static function withDefaults(array ...$config): array;
      *
      * @return callable(RequestInterface)
      */
-    public static function signer(string $mchid, string $serial, $privateKey): callable
+    public static function signer(
+        string $mchid,
+        string $serial,
+        #[\SensitiveParameter]
+        $privateKey
+    ): callable
     {
         return static function (RequestInterface $request) use ($mchid, $serial, $privateKey): RequestInterface {
             $nonce = Formatter::nonce();

src/ClientXmlTrait.php

@@ -54,8 +54,6 @@ trait ClientXmlTrait
         '/payitil/report',
         '/risk/getpublickey',
         '/risk/getviolation',
-        '/sandboxnew/pay/downloadbill',
-        '/sandboxnew/pay/getsignkey',
         '/secapi/mch/submchmanage',
         '/xdc/apiv2getsignkey/sign/getsignkey',
     ];
@@ -74,7 +72,12 @@ abstract protected static function withDefaults(array ...$config): array;
      * @return callable(callable(RequestInterface, array))
      * @throws \WeChatPay\Exception\InvalidArgumentException
      */
-    public static function transformRequest(?string $mchid = null, string $secret = '', ?array $merchant = null): callable
+    public static function transformRequest(
+        ?string $mchid = null,
+        #[\SensitiveParameter]
+        string $secret = '',
+        ?array $merchant = null
+    ): callable
     {
         return static function (callable $handler) use ($mchid, $secret, $merchant): callable {
             return static function (RequestInterface $request, array $options = []) use ($handler, $mchid, $secret, $merchant): PromiseInterface {
@@ -112,7 +115,10 @@ public static function transformRequest(?string $mchid = null, string $secret =
      *
      * @return callable(callable(RequestInterface, array))
      */
-    public static function transformResponse(string $secret = ''): callable
+    public static function transformResponse(
+        #[\SensitiveParameter]
+        string $secret = ''
+    ): callable
     {
         return static function (callable $handler) use ($secret): callable {
             return static function (RequestInterface $request, array $options = []) use ($secret, $handler): PromiseInterface {

src/Crypto/AesEcb.php

@@ -19,7 +19,13 @@ class AesEcb implements AesInterface
     /**
      * @inheritDoc
      */
-    public static function encrypt(string $plaintext, string $key, string $iv = ''): string
+    public static function encrypt(
+        #[\SensitiveParameter]
+        string $plaintext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = ''
+    ): string
     {
         $ciphertext = openssl_encrypt($plaintext, static::ALGO_AES_256_ECB, $key, OPENSSL_RAW_DATA, $iv = '');
 
@@ -33,7 +39,13 @@ public static function encrypt(string $plaintext, string $key, string $iv = ''):
     /**
      * @inheritDoc
      */
-    public static function decrypt(string $ciphertext, string $key, string $iv = ''): string
+    public static function decrypt(
+        #[\SensitiveParameter]
+        string $ciphertext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = ''
+    ): string
     {
         $plaintext = openssl_decrypt(base64_decode($ciphertext), static::ALGO_AES_256_ECB, $key, OPENSSL_RAW_DATA, $iv = '');
 

src/Crypto/AesGcm.php

@@ -43,7 +43,14 @@ private static function preCondition(): void
      *
      * @return string - The base64-encoded ciphertext.
      */
-    public static function encrypt(string $plaintext, string $key, string $iv = '', string $aad = ''): string
+    public static function encrypt(
+        #[\SensitiveParameter]
+        string $plaintext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = '',
+        string $aad = ''
+    ): string
     {
         self::preCondition();
 
@@ -66,7 +73,14 @@ public static function encrypt(string $plaintext, string $key, string $iv = '',
      *
      * @return string - The utf-8 plaintext.
      */
-    public static function decrypt(string $ciphertext, string $key, string $iv = '', string $aad = ''): string
+    public static function decrypt(
+        #[\SensitiveParameter]
+        string $ciphertext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = '',
+        string $aad = ''
+    ): string
     {
         self::preCondition();
 

src/Crypto/AesInterface.php

@@ -43,7 +43,13 @@ interface AesInterface
      *
      * @return string - The base64-encoded ciphertext.
      */
-    public static function encrypt(string $plaintext, string $key, string $iv = ''): string;
+    public static function encrypt(
+        #[\SensitiveParameter]
+        string $plaintext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = ''
+    ): string;
 
     /**
      * Takes a base64 encoded string and decrypts it using a given key and iv.
@@ -54,5 +60,11 @@ public static function encrypt(string $plaintext, string $key, string $iv = ''):
      *
      * @return string - The utf-8 plaintext.
      */
-    public static function decrypt(string $ciphertext, string $key, string $iv = ''): string;
+    public static function decrypt(
+        #[\SensitiveParameter]
+        string $ciphertext,
+        #[\SensitiveParameter]
+        string $key,
+        string $iv = ''
+    ): string;
 }

src/Crypto/Hash.php

@@ -40,7 +40,12 @@ class Hash
      *
      * @return string - The data signature
      */
-    public static function md5(string $thing, string $key = '', $agency = false): string
+    public static function md5(
+        string $thing,
+        #[\SensitiveParameter]
+        string $key = '',
+        $agency = false
+    ): string
     {
         $ctx = hash_init(ALGO_MD5);
 
@@ -58,7 +63,12 @@ public static function md5(string $thing, string $key = '', $agency = false): st
      *
      * @return string - The data signature
      */
-    public static function hmac(string $thing, string $key, string $algorithm = 'sha256'): string
+    public static function hmac(
+        string $thing,
+        #[\SensitiveParameter]
+        string $key,
+        string $algorithm = 'sha256'
+    ): string
     {
         $ctx = hash_init($algorithm, HASH_HMAC, $key);
 
@@ -75,7 +85,12 @@ public static function hmac(string $thing, string $key, string $algorithm = 'sha
      *
      * @return bool - Returns true when the two are equal, false otherwise.
      */
-    public static function equals(string $known_string, ?string $user_string = null): bool
+    public static function equals(
+        #[\SensitiveParameter]
+        string $known_string,
+        #[\SensitiveParameter]
+        ?string $user_string = null
+    ): bool
     {
         return is_null($user_string) ? false : hash_equals($known_string, $user_string);
     }
@@ -89,7 +104,12 @@ public static function equals(string $known_string, ?string $user_string = null)
      *
      * @return ?string - The data signature in UPPERCASE.
      */
-    public static function sign(string $type, string $data, string $key): ?string
+    public static function sign(
+        string $type,
+        string $data,
+        #[\SensitiveParameter]
+        string $key
+    ): ?string
     {
         return array_key_exists($type, ALGO_DICTONARIES) ? strtoupper(static::{ALGO_DICTONARIES[$type]}($data, $key)) : null;
     }

src/Crypto/Rsa.php

@@ -107,7 +107,10 @@ public static function pkcs1ToSpki(string $thing): string
      * @return \OpenSSLAsymmetricKey|resource|mixed
      * @throws UnexpectedValueException
      */
-    public static function fromPkcs8(string $thing)
+    public static function fromPkcs8(
+        #[\SensitiveParameter]
+        string $thing
+    )
     {
         return static::from(sprintf('private.pkcs8://%s', $thing), static::KEY_TYPE_PRIVATE);
     }
@@ -120,7 +123,11 @@ public static function fromPkcs8(string $thing)
      * @return \OpenSSLAsymmetricKey|resource|mixed
      * @throws UnexpectedValueException
      */
-    public static function fromPkcs1(string $thing, string $type = self::KEY_TYPE_PRIVATE)
+    public static function fromPkcs1(
+        #[\SensitiveParameter]
+        string $thing,
+        string $type = self::KEY_TYPE_PRIVATE
+    )
     {
         return static::from(sprintf('%s://%s', $type === static::KEY_TYPE_PUBLIC ? 'public.pkcs1' : 'private.pkcs1', $thing), $type);
     }
@@ -154,7 +161,11 @@ public static function fromSpki(string $thing)
      * @return \OpenSSLAsymmetricKey|resource|mixed
      * @throws UnexpectedValueException
      */
-    public static function from($thing, string $type = self::KEY_TYPE_PRIVATE)
+    public static function from(
+        #[\SensitiveParameter]
+        $thing,
+        string $type = self::KEY_TYPE_PRIVATE
+    )
     {
         $pkey = ($isPublic = $type === static::KEY_TYPE_PUBLIC)
             ? openssl_pkey_get_public(self::parse($thing, $type))
@@ -205,7 +216,11 @@ public static function from($thing, string $type = self::KEY_TYPE_PRIVATE)
      * @param string $type - Either `self::KEY_TYPE_PUBLIC` or `self::KEY_TYPE_PRIVATE` string, default is `self::KEY_TYPE_PRIVATE`.
      * @return \OpenSSLAsymmetricKey|\OpenSSLCertificate|resource|array{string,string}|string|mixed
      */
-    private static function parse($thing, string $type = self::KEY_TYPE_PRIVATE)
+    private static function parse(
+        #[\SensitiveParameter]
+        $thing,
+        string $type = self::KEY_TYPE_PRIVATE
+    )
     {
         $src = $thing;
 
@@ -259,7 +274,12 @@ private static function paddingModeLimitedCheck(int $padding): void
      * @return string - The base64-encoded ciphertext.
      * @throws UnexpectedValueException
      */
-    public static function encrypt(string $plaintext, $publicKey, int $padding = OPENSSL_PKCS1_OAEP_PADDING): string
+    public static function encrypt(
+        #[\SensitiveParameter]
+        string $plaintext,
+        $publicKey,
+        int $padding = OPENSSL_PKCS1_OAEP_PADDING
+    ): string
     {
         self::paddingModeLimitedCheck($padding);
 
@@ -298,7 +318,11 @@ public static function verify(string $message, string $signature, $publicKey): b
      * @return string - The base64-encoded signature.
      * @throws UnexpectedValueException
      */
-    public static function sign(string $message, $privateKey): string
+    public static function sign(
+        string $message,
+        #[\SensitiveParameter]
+        $privateKey
+    ): string
     {
         if (!openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
             throw new UnexpectedValueException('Signing the input $message failed, please checking your $privateKey whether or nor correct.');
@@ -317,7 +341,12 @@ public static function sign(string $message, $privateKey): string
      * @return string - The utf-8 plaintext.
      * @throws UnexpectedValueException
      */
-    public static function decrypt(string $ciphertext, $privateKey, int $padding = OPENSSL_PKCS1_OAEP_PADDING): string
+    public static function decrypt(
+        string $ciphertext,
+        #[\SensitiveParameter]
+        $privateKey,
+        int $padding = OPENSSL_PKCS1_OAEP_PADDING
+    ): string
     {
         self::paddingModeLimitedCheck($padding);
 

src/Util/PemUtil.php

@@ -27,7 +27,10 @@ class PemUtil
      *
      * @return \OpenSSLAsymmetricKey|resource|mixed
      */
-    public static function loadPrivateKey(string $filepath)
+    public static function loadPrivateKey(
+        #[\SensitiveParameter]
+        string $filepath
+    )
     {
         return Rsa::from((false === strpos($filepath, self::LOCAL_FILE_PROTOCOL) ? self::LOCAL_FILE_PROTOCOL : '') . $filepath);
     }
@@ -40,7 +43,10 @@ public static function loadPrivateKey(string $filepath)
      *
      * @return \OpenSSLAsymmetricKey|resource|mixed
      */
-    public static function loadPrivateKeyFromString($content)
+    public static function loadPrivateKeyFromString(
+        #[\SensitiveParameter]
+        $content
+    )
     {
         return Rsa::from($content);
     }