From 021513c417c1b7d715bdba10524ae333d293fac9 Mon Sep 17 00:00:00 2001 From: David Badura Date: Tue, 24 Feb 2026 15:11:57 +0100 Subject: [PATCH] base64 iv in payload --- phpstan-baseline.neon | 42 +++---------------- .../Cryptography/BaseCryptographer.php | 6 ++- .../Cryptography/BaseCryptographerTest.php | 6 +-- 3 files changed, 13 insertions(+), 41 deletions(-) diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon index c0528cc4..ab4a1e59 100644 --- a/phpstan-baseline.neon +++ b/phpstan-baseline.neon @@ -1,5 +1,11 @@ parameters: ignoreErrors: + - + message: '#^Parameter \#3 \$iv of class Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\CipherKey constructor expects non\-empty\-string, string given\.$#' + identifier: argument.type + count: 1 + path: src/Extension/Cryptography/BaseCryptographer.php + - message: '#^Method Patchlevel\\Hydrator\\Extension\\Cryptography\\Cipher\\OpensslCipher\:\:encrypt\(\) should return non\-empty\-string but returns string\.$#' identifier: return.type 
@@ -90,42 +96,6 @@ parameters: count: 1 path: src/Normalizer/ObjectNormalizer.php - - - message: '#^Call to method clear\(\) on an unknown class Patchlevel\\Hydrator\\Cryptography\\Store\\InMemoryCipherKeyStore\.$#' - identifier: class.notFound - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - - - message: '#^Call to static method createWithOpenssl\(\) on an unknown class Patchlevel\\Hydrator\\Cryptography\\BaseCryptographer\.$#' - identifier: class.notFound - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - - - message: '#^Instantiated class Patchlevel\\Hydrator\\Cryptography\\CryptographyExtension not found\.$#' - identifier: class.notFound - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - - - message: '#^Instantiated class Patchlevel\\Hydrator\\Cryptography\\Store\\InMemoryCipherKeyStore not found\.$#' - identifier: class.notFound - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - - - message: '#^Parameter \#1 \$extension of method Patchlevel\\Hydrator\\HydratorBuilder\:\:useExtension\(\) expects Patchlevel\\Hydrator\\Extension, Patchlevel\\Hydrator\\Cryptography\\CryptographyExtension given\.$#' - identifier: argument.type - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - - - message: '#^Property Patchlevel\\Hydrator\\Tests\\Benchmark\\HydratorWithCryptographyBench\:\:\$store has unknown class Patchlevel\\Hydrator\\Cryptography\\Store\\InMemoryCipherKeyStore as its type\.$#' - identifier: class.notFound - count: 1 - path: tests/Benchmark/HydratorWithCryptographyBench.php - - message: '#^Property Patchlevel\\Hydrator\\Tests\\Unit\\Extension\\Cryptography\\Fixture\\ChildWithSensitiveDataWithIdentifierDto\:\:\$email is never read, only written\.$#' identifier: property.onlyWritten diff --git a/src/Extension/Cryptography/BaseCryptographer.php b/src/Extension/Cryptography/BaseCryptographer.php index 906ecc10..1419249a 100644 
--- a/src/Extension/Cryptography/BaseCryptographer.php
+++ b/src/Extension/Cryptography/BaseCryptographer.php
@@ -15,6 +15,8 @@
 use Patchlevel\Hydrator\Extension\Cryptography\Store\CipherKeyStore;
 use function array_key_exists;
+use function base64_decode;
+use function base64_encode;
 use function is_array;
 /**
@@ -52,7 +54,7 @@ public function encrypt(string $subjectId, mixed $value): array
 '__enc' => 'v1',
 'data' => $this->cipher->encrypt($cipherKey, $value),
 'method' => $cipherKey->method,
- 'iv' => $cipherKey->iv,
+ 'iv' => base64_encode($cipherKey->iv),
 ];
 }
@@ -70,7 +72,7 @@ public function decrypt(string $subjectId, mixed $encryptedData): mixed
 new CipherKey(
 $cipherKey->key,
 $encryptedData['method'] ?? $cipherKey->method,
- $encryptedData['iv'] ?? $cipherKey->iv,
+ isset($encryptedData['iv']) ? base64_decode($encryptedData['iv']) : $cipherKey->iv,
 ),
 $encryptedData['data'],
 );
diff --git a/tests/Unit/Extension/Cryptography/BaseCryptographerTest.php b/tests/Unit/Extension/Cryptography/BaseCryptographerTest.php
index 56697456..9d714b4b 100644
--- a/tests/Unit/Extension/Cryptography/BaseCryptographerTest.php
+++ b/tests/Unit/Extension/Cryptography/BaseCryptographerTest.php
@@ -46,7 +46,7 @@ public function testEncrypt(): void
 '__enc' => 'v1',
 'data' => 'encrypted',
 'method' => 'methodA',
- 'iv' => 'random',
+ 'iv' => 'cmFuZG9t',
 ];
 self::assertEquals($expected, $cryptographer->encrypt('foo', 'info@patchlevel.de'));
@@ -81,7 +81,7 @@ public function testEncryptWithoutKey(): void
 '__enc' => 'v1',
 'data' => 'encrypted',
 'method' => 'methodA',
- 'iv' => 'random',
+ 'iv' => 'cmFuZG9t',
 ];
 self::assertEquals($expected, $cryptographer->encrypt('foo', 'info@patchlevel.de'));
@@ -115,7 +115,7 @@ public function testDecrypt(): void
 '__enc' => 'v1',
 'data' => 'encrypted',
 'method' => 'methodA',
- 'iv' => 'random',
+ 'iv' => 'cmFuZG9t',
 ],
 ),
 );
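Review bot: The encrypt() hunk switches the `iv` field from raw bytes to base64 while the payload marker stays `'__enc' => 'v1'`, so a reader has no way to tell an older raw-IV payload from a new one. If raw-IV `v1` payloads were ever persisted (not visible from this patch), decrypt() will now base64-decode their IV into different bytes, and depending on the cipher mode that can yield corrupted plaintext rather than a clean failure. Consider a new version tag for the new encoding (for example `'__enc' => 'v2'`) with the raw-IV path kept for `v1`, and add a comment on the field such as `// base64 so the binary IV survives JSON/UTF-8 serialization`. encrypt() starts outside the hunk.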
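Review bot: In the decrypt() hunk `base64_decode($encryptedData['iv'])` runs in non-strict mode, so characters outside the base64 alphabet are silently dropped and a malformed or tampered `iv` turns into a different, possibly empty, byte string instead of an error. The phpstan baseline entry added in this same patch (`$iv` of `CipherKey` "expects non-empty-string, string given") suppresses that gap rather than closing it. Decode with `$iv = base64_decode($encryptedData['iv'], true);` and reject `false` or `''` through the failure path decrypt() uses for undecryptable data (not visible here) before constructing the `CipherKey`; a test case with a non-base64 `iv` would pin the behaviour. decrypt() starts and ends outside the hunk.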