Download the PHP package vamischenko/decorators without Composer
Package decorators
Short Description PSR-7 stream decorators for WhatsApp media encryption and decryption
License MIT
Homepage https://github.com/vamischenko/decorators
Information about the package decorators
vamischenko/decorators
PSR-7 stream decorators for encrypting and decrypting WhatsApp media files using the WhatsApp AES-256-CBC algorithm.
Requirements
- PHP 8.1+
- ext-openssl
- ext-hash
- guzzlehttp/psr7 ^2.0
Installation
Architecture
The encryption pipeline is built from composable PSR-7 stream decorators, inspired by jeskew/php-encrypted-streams (Apache 2.0). Since that package requires guzzlehttp/psr7 ~1.0 and is no longer maintained, its core classes were adapted and included directly.
Encryption is true streaming — no full-file buffering. Data is processed block by block as the stream is read.
Algorithm
- Expand the 32-byte mediaKey to 112 bytes using HKDF with SHA-256 (RFC 5869)
- Split into iv (16 bytes), cipherKey (32), macKey (32), refKey (32)
- Encrypt with AES-256-CBC + PKCS7 padding
- Compute HMAC-SHA256 over iv + ciphertext, truncate to 10 bytes
- Output: [ciphertext][mac]
Media-type-specific HKDF info strings:
| Type | Info string |
|---|---|
| IMAGE | WhatsApp Image Keys |
| VIDEO | WhatsApp Video Keys |
| AUDIO | WhatsApp Audio Keys |
| DOCUMENT | WhatsApp Document Keys |
Usage
Encryption
Decryption
Exceptions
- InvalidMediaKeyException — thrown when the key is not exactly 32 bytes
- MacVerificationException — thrown when the HMAC does not match (corrupt or tampered data)
Security
- MAC verification uses constant-time hash_equals() to prevent timing attacks
- Integrity is verified before any plaintext is returned
- Key derivation follows RFC 5869 (HKDF) with WhatsApp-specific info strings
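The steps under Algorithm and the verify-before-decrypt rule above, as a one-shot (non-streaming) sketch added for illustration; it is not the package's own code. The function names are hypothetical, and the empty HKDF salt is an assumption, since the page does not specify a salt.

```php
<?php
// Added illustration; sealMedia/openMedia/expandMediaKey are hypothetical names, not the package API.

const MAC_LEN = 10; // HMAC-SHA256 truncated to 10 bytes, as described on the page

function expandMediaKey(string $mediaKey, string $info): array
{
    if (strlen($mediaKey) !== 32) {
        throw new InvalidArgumentException('media key must be exactly 32 bytes');
    }
    // Assumption: empty salt (hash_hkdf then uses a zero-filled salt per RFC 5869).
    $okm = hash_hkdf('sha256', $mediaKey, 112, $info);
    return [
        'iv'        => substr($okm, 0, 16),
        'cipherKey' => substr($okm, 16, 32),
        'macKey'    => substr($okm, 48, 32),
        'refKey'    => substr($okm, 80, 32),
    ];
}

function sealMedia(string $plain, string $mediaKey, string $info): string
{
    $k = expandMediaKey($mediaKey, $info);
    // OPENSSL_RAW_DATA without OPENSSL_ZERO_PADDING applies PKCS7 padding.
    $ct  = openssl_encrypt($plain, 'aes-256-cbc', $k['cipherKey'], OPENSSL_RAW_DATA, $k['iv']);
    $mac = substr(hash_hmac('sha256', $k['iv'] . $ct, $k['macKey'], true), 0, MAC_LEN);
    return $ct . $mac; // [ciphertext][mac]
}

function openMedia(string $blob, string $mediaKey, string $info): string
{
    $k = expandMediaKey($mediaKey, $info);
    if (strlen($blob) < 16 + MAC_LEN) { throw new RuntimeException('truncated input'); }
    $ct       = substr($blob, 0, -MAC_LEN);
    $mac      = substr($blob, -MAC_LEN);
    $expected = substr(hash_hmac('sha256', $k['iv'] . $ct, $k['macKey'], true), 0, MAC_LEN);
    // Check the tag in constant time before decrypting, so no unauthenticated plaintext is returned.
    if (!hash_equals($expected, $mac)) { throw new RuntimeException('MAC verification failed'); }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $k['cipherKey'], OPENSSL_RAW_DATA, $k['iv']);
    if ($plain === false) { throw new RuntimeException('decryption failed'); }
    return $plain;
}

// Constructed sample input: round trip, then a single flipped ciphertext bit.
$key  = random_bytes(32);
$blob = sealMedia('constructed sample payload', $key, 'WhatsApp Image Keys');
var_dump(openMedia($blob, $key, 'WhatsApp Image Keys') === 'constructed sample payload');
$blob[0] = $blob[0] ^ "\x01";
try { openMedia($blob, $key, 'WhatsApp Image Keys'); }
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

The modified blob is rejected at the MAC check, so openssl_decrypt() never runs on tampered ciphertext and padding errors cannot be used as an oracle.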
Memory behaviour
| Stream type | Encryption | Decryption |
|---|---|---|
| Seekable (file) | Incremental — O(block) memory | Incremental — O(block) memory (MAC read via seek, then streaming AesDecryptingStream) |
| Non-seekable (HTTP) | Incremental — O(block) memory | Full ciphertext buffered (MAC is at the tail), then plaintext delivered incrementally — no second copy |
For memory-constrained environments with non-seekable sources, wrap the response body in a temp-file stream before passing it to DecryptingStream.
Sidecar
The sidecar enables random-offset decryption for VIDEO and AUDIO streams, allowing players to seek without downloading the full file.
It is generated during encryption with no additional reads from the source stream. Each 10-byte entry is the HMAC-SHA256 of the [n*64K, (n+1)*64K+16] slice of the logical combined buffer iv + ciphertext + mac, truncated to 10 bytes.
Running tests
All versions of decorators with dependencies
ext-openssl Version *
ext-hash Version *
psr/http-message Version ^1.1 || ^2.0
guzzlehttp/psr7 Version ^2.0