Replace Psalm with PHPStan

.github/workflows/php.yml

@@ -49,9 +49,8 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.3'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
-          extensions: ctype, date, dom, filter, hash, mbstring, opcache, openssl, pcre, spl, xml
+          tools: composer, composer-require-checker, composer-unused, phpcs, phpstan
+          extensions: ctype, date, dom, filter, hash, mbstring, openssl, pcre, spl, xml
           coverage: none
 
       - name: Setup problem matchers for PHP
@@ -84,27 +83,13 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
-        run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
-
-      - name: Psalm (testsuite)
+      - name: PHPStan
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan.neon
 
-      - name: Psalter
+      - name: PHPStan (testsuite)
         run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan-dev.neon
 
   security:
     name: Security checks

README.md

@@ -3,8 +3,7 @@
 [![Build Status](https://github.com/simplesamlphp/xml-security/workflows/CI/badge.svg?branch=master)](https://github.com/simplesamlphp/xml-security/actions)
 [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/simplesamlphp/xml-security/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/simplesamlphp/xml-security/?branch=master)
 [![Coverage Status](https://codecov.io/gh/simplesamlphp/xml-security/branch/master/graph/badge.svg)](https://codecov.io/gh/simplesamlphp/xml-security)
-[![Type coverage](https://shepherd.dev/github/simplesamlphp/xml-security/coverage.svg)](https://shepherd.dev/github/simplesamlphp/xml-security)
-[![Psalm Level](https://shepherd.dev/github/simplesamlphp/xml-security/level.svg)](https://shepherd.dev/github/simplesamlphp/xml-security)
+[![PHPStan Enabled](https://img.shields.io/badge/PHPStan-enabled-brightgreen.svg?style=flat)](https://github.com/simplesamlphp/xml-security)
 
 This library implements XML signatures and encryption. It provides an extensible
 interface that allows you to use your own signature and encryption

composer.json

@@ -42,8 +42,8 @@
         "ext-pcre": "*",
         "ext-spl": "*",
 
-        "simplesamlphp/assert": "^1.0",
-        "simplesamlphp/xml-common": "^1.14"
+        "simplesamlphp/assert": "^1.1",
+        "simplesamlphp/xml-common": "^1.15"
     },
     "require-dev": {
         "simplesamlphp/simplesamlphp-test-framework": "^1.5"

phpstan-dev.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 6
+  paths:
+    - tests

phpstan.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 6
+  paths:
+    - src

src/Alg/AbstractAlgorithmFactory.php

@@ -22,20 +22,19 @@
  */
 abstract class AbstractAlgorithmFactory
 {
-    /**
-     * A cache of algorithm implementations indexed by algorithm ID.
-     *
-     * @var string[]
-     */
-    protected static array $cache = [];
-
     /**
      * Whether the factory has been initialized or not.
      *
      * @var bool
      */
     protected static bool $initialized = false;
 
+    /**
+     * A cache of algorithm implementations indexed by algorithm ID.
+     *
+     * @var array<string, \SimpleSAML\XMLSecurity\Alg\AlgorithmInterface>
+     */
+    protected static array $cache = [];
 
     /**
      * Build a factory that creates algorithms.
@@ -67,15 +66,16 @@ public function __construct(
 
 
     /**
-     * Get a new object implementing the given algorithm.
+     * Get a new object implementing the given digital signature algorithm.
      *
      * @param string $algId The identifier of the algorithm desired.
      * @param \SimpleSAML\XMLSecurity\Key\KeyInterface $key The key to use with the given algorithm.
      *
-     * @return \SimpleSAML\XMLSecurity\Alg\AlgorithmInterface An object implementing the given algorithm.
+     * @return \SimpleSAML\XMLSecurity\Alg\AlgorithmInterface An object implementing the given
+     * algorithm.
      *
-     * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If an error occurs, e.g. the given algorithm
-     * is blacklisted, unknown or the given key is not suitable for it.
+     * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given
+     * algorithm is blacklisted, unknown or the given key is not suitable for it.
      */
     public function getAlgorithm(string $algId, KeyInterface $key): AlgorithmInterface
     {
@@ -91,15 +91,14 @@ public function getAlgorithm(string $algId, KeyInterface $key): AlgorithmInterfa
             UnsupportedAlgorithmException::class,
         );
 
-        /** @psalm-var AlgorithmInterface */
         return new static::$cache[$algId]($key, $algId);
     }
 
 
     /**
      * Get the name of the abstract class our algorithm implementations must extend.
      *
-     * @return string
+     * @return class-string
      */
     abstract protected static function getExpectedParent(): string;
 

src/Alg/Encryption/AbstractEncryptor.php

@@ -99,7 +99,7 @@ public function encrypt(string $plaintext): string
     /**
      * Decrypt a given ciphertext with the current algorithm and key.
      *
-     * @param string The (binary) ciphertext to decrypt.
+     * @param string $ciphertext The (binary) ciphertext to decrypt.
      *
      * @return string The decrypted plaintext.
      */

src/Alg/Encryption/EncryptionAlgorithmFactory.php

@@ -4,8 +4,11 @@
 
 namespace SimpleSAML\XMLSecurity\Alg\Encryption;
 
+use SimpleSAML\Assert\Assert;
 use SimpleSAML\XMLSecurity\Alg\AbstractAlgorithmFactory;
 use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\Exception\BlacklistedAlgorithmException;
+use SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException;
 use SimpleSAML\XMLSecurity\Key\KeyInterface;
 
 /**
@@ -29,7 +32,7 @@ final class EncryptionAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * A cache of algorithm implementations indexed by algorithm ID.
      *
-     * @var string[]
+     * @var array<string, \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface>
      */
     protected static array $cache = [];
 
@@ -44,7 +47,7 @@ final class EncryptionAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * Build a factory that creates encryption algorithms.
      *
-     * @param array|null $blacklist A list of algorithms forbidden for their use.
+     * @param string[]|null $blacklist A list of algorithms forbidden for their use.
      */
     public function __construct(array $blacklist = null)
     {
@@ -67,22 +70,4 @@ protected static function getExpectedParent(): string
     {
         return EncryptionAlgorithmInterface::class;
     }
-
-
-    /**
-     * Get a new object implementing the given encryption algorithm.
-     *
-     * @param string $algId The identifier of the algorithm desired.
-     * @param \SimpleSAML\XMLSecurity\Key\KeyInterface $key The key to use with the given algorithm.
-     *
-     * @return \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface An object implementing the given
-     * algorithm.
-     *
-     * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If an error occurs, e.g. the given algorithm
-     * is blacklisted, unknown or the given key is not suitable for it.
-     */
-    public function getAlgorithm(string $algId, KeyInterface $key): EncryptionAlgorithmInterface
-    {
-        return parent::getAlgorithm($algId, $key);
-    }
 }

src/Alg/KeyTransport/KeyTransportAlgorithmFactory.php

@@ -5,6 +5,7 @@
 namespace SimpleSAML\XMLSecurity\Alg\KeyTransport;
 
 use SimpleSAML\XMLSecurity\Alg\AbstractAlgorithmFactory;
+use SimpleSAML\XMLSecurity\Alg\AlgorithmInterface;
 use SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface;
 use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\Key\KeyInterface;
@@ -28,7 +29,7 @@ class KeyTransportAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * A cache of algorithm implementations indexed by algorithm ID.
      *
-     * @var string[]
+     * @var array<string, \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface>
      */
     protected static array $cache = [];
 
@@ -43,7 +44,7 @@ class KeyTransportAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * Build a factory that creates key transport algorithms.
      *
-     * @param array|null $blacklist A list of algorithms forbidden for their use.
+     * @param string[]|null $blacklist A list of algorithms forbidden for their use.
      */
     public function __construct(array $blacklist = null)
     {
@@ -65,13 +66,13 @@ protected static function getExpectedParent(): string
      * @param string $algId The identifier of the algorithm desired.
      * @param \SimpleSAML\XMLSecurity\Key\KeyInterface $key The key to use with the given algorithm.
      *
-     * @return \SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmInterface An object implementing the given
+     * @return \SimpleSAML\XMLSecurity\Alg\AlgorithmInterface An object implementing the given
      * algorithm.
      *
      * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If an error occurs, e.g. the given algorithm
      * is blacklisted, unknown or the given key is not suitable for it.
      */
-    public function getAlgorithm(string $algId, KeyInterface $key): EncryptionAlgorithmInterface
+    public function getAlgorithm(string $algId, KeyInterface $key): AlgorithmInterface
     {
         return parent::getAlgorithm($algId, $key);
     }

src/Alg/Signature/SignatureAlgorithmFactory.php

@@ -4,8 +4,11 @@
 
 namespace SimpleSAML\XMLSecurity\Alg\Signature;
 
+use SimpleSAML\Assert\Assert;
 use SimpleSAML\XMLSecurity\Alg\AbstractAlgorithmFactory;
 use SimpleSAML\XMLSecurity\Constants as C;
+use SimpleSAML\XMLSecurity\Exception\BlacklistedAlgorithmException;
+use SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException;
 use SimpleSAML\XMLSecurity\Key\KeyInterface;
 
 /**
@@ -30,7 +33,7 @@ final class SignatureAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * A cache of algorithm implementations indexed by algorithm ID.
      *
-     * @var string[]
+     * @var array<string, \SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmInterface>
      */
     protected static array $cache = [];
 
@@ -45,7 +48,7 @@ final class SignatureAlgorithmFactory extends AbstractAlgorithmFactory
     /**
      * Build a factory that creates signature algorithms.
      *
-     * @param array|null $blacklist A list of algorithms forbidden for their use.
+     * @param string[]|null $blacklist A list of algorithms forbidden for their use.
      */
     public function __construct(array $blacklist = null)
     {
@@ -68,22 +71,4 @@ protected static function getExpectedParent(): string
     {
         return SignatureAlgorithmInterface::class;
     }
-
-
-    /**
-     * Get a new object implementing the given digital signature algorithm.
-     *
-     * @param string $algId The identifier of the algorithm desired.
-     * @param \SimpleSAML\XMLSecurity\Key\KeyInterface $key The key to use with the given algorithm.
-     *
-     * @return \SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmInterface An object implementing the given
-     * algorithm.
-     *
-     * @throws \SimpleSAML\XMLSecurity\Exception\UnsupportedAlgorithmException If an error occurs, e.g. the given
-     * algorithm is blacklisted, unknown or the given key is not suitable for it.
-     */
-    public function getAlgorithm(string $algId, KeyInterface $key): SignatureAlgorithmInterface
-    {
-        return parent::getAlgorithm($algId, $key);
-    }
 }

src/Backend/EncryptionBackend.php

@@ -18,7 +18,7 @@ interface EncryptionBackend
      *
      * @param string $cipher The identifier of the cipher.
      *
-     * @throws InvalidArgumentException If the cipher is unknown or not supported.
+     * @throws \SimpleSAML\XMLSecurity\Exception\InvalidArgumentException If the cipher is unknown or not supported.
      *
      * @see \SimpleSAML\XMLSecurity\Constants
      */

src/Constants.php

@@ -21,6 +21,7 @@ class Constants extends \SimpleSAML\XML\Constants
     public const DIGEST_SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512';
     public const DIGEST_RIPEMD160 = 'http://www.w3.org/2001/04/xmlenc#ripemd160';
 
+    /** @var array<string, string> */
     public static array $DIGEST_ALGORITHMS = [
         self::DIGEST_SHA1 => 'sha1',
         self::DIGEST_SHA224 => 'sha224',
@@ -47,6 +48,7 @@ class Constants extends \SimpleSAML\XML\Constants
     public const BLOCK_ENC_AES192_GCM = 'http://www.w3.org/2009/xmlenc11#aes192-gcm';
     public const BLOCK_ENC_AES256_GCM = 'http://www.w3.org/2009xmlenc11#aes256-gcm';
 
+    /** @var array<string, string> */
     public static array $BLOCK_CIPHER_ALGORITHMS = [
         self::BLOCK_ENC_3DES => 'des-ede3-cbc',
         self::BLOCK_ENC_AES128 => 'aes-128-cbc',
@@ -57,6 +59,7 @@ class Constants extends \SimpleSAML\XML\Constants
         self::BLOCK_ENC_AES256_GCM => 'aes-256-gcm',
     ];
 
+    /** @var array<string, positive-int> */
     public static array $BLOCK_SIZES = [
         self::BLOCK_ENC_3DES => 8,
         self::BLOCK_ENC_AES128 => 16,
@@ -67,6 +70,7 @@ class Constants extends \SimpleSAML\XML\Constants
         self::BLOCK_ENC_AES256_GCM => 16,
     ];
 
+    /** @var array<string, positive-int> */
     public static array $BLOCK_CIPHER_KEY_SIZES = [
         self::BLOCK_ENC_3DES => 24,
         self::BLOCK_ENC_AES128 => 16,
@@ -84,6 +88,7 @@ class Constants extends \SimpleSAML\XML\Constants
     public const KEY_TRANSPORT_OAEP = 'http://www.w3.org/2009/xmlenc11#rsa-oaep';
     public const KEY_TRANSPORT_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
 
+    /** @var string[] */
     public static array $KEY_TRANSPORT_ALGORITHMS = [
         self::KEY_TRANSPORT_RSA_1_5,
         self::KEY_TRANSPORT_OAEP,
@@ -114,6 +119,7 @@ class Constants extends \SimpleSAML\XML\Constants
     public const SIG_HMAC_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#hmac-sha512';
     public const SIG_HMAC_RIPEMD160 = 'http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160';
 
+    /** @var array<string, string> */
     public static array $RSA_DIGESTS = [
         self::SIG_RSA_SHA1 => self::DIGEST_SHA1,
         self::SIG_RSA_SHA224 => self::DIGEST_SHA224,
@@ -123,6 +129,7 @@ class Constants extends \SimpleSAML\XML\Constants
         self::SIG_RSA_RIPEMD160 => self::DIGEST_RIPEMD160,
     ];
 
+    /** @var array<string, string> */
     public static array $HMAC_DIGESTS = [
         self::SIG_HMAC_SHA1 => self::DIGEST_SHA1,
         self::SIG_HMAC_SHA224 => self::DIGEST_SHA224,

src/CryptoEncoding/PEMBundle.php

@@ -25,13 +25,15 @@
  * Container for multiple PEM objects.
  *
  * The order of PEMs shall be retained, eg. when read from a file.
+ *
+ * @phpstan-implements IteratorAggregate<int, \SimpleSAML\XMLSecurity\CryptoEncoding\PEM>
  */
 class PEMBundle implements Countable, IteratorAggregate
 {
     /**
      * Array of PEM objects.
      *
-     * @var array \SimpleSAML\XMLSecurity\CryptoEncoding\PEM[]
+     * @var \SimpleSAML\XMLSecurity\CryptoEncoding\PEM[]
      */
     protected array $pems;
 
@@ -190,7 +192,7 @@ public function count(): int
      *
      * @see \IteratorAggregate::getIterator()
      *
-     * @return \ArrayIterator
+     * @return ArrayIterator<int, \SimpleSAML\XMLSecurity\CryptoEncoding\PEM>
      */
     public function getIterator(): ArrayIterator
     {