Boyscouting

src/Certainty.php

@@ -15,7 +15,9 @@ class Certainty
 
     /**
      * @param Fetch|null $fetch
+     *
      * @return Client
+     * @throws Exception\BundleException
      */
     public static function getGuzzleClient(Fetch $fetch = null)
     {

src/Fetch.php

@@ -44,6 +44,10 @@ public function __construct($dataDir = '')
      *                                         inside a Chronicle instance?
      * @return Bundle
      * @throws BundleException
+     * @throws EncodingException
+     * @throws Exception\RemoteException
+     * @throws FilesystemException
+     * @throws \SodiumException
      */
     public function getLatestBundle($checkEd25519Signature = null, $checkChronicle = null)
     {
@@ -88,6 +92,9 @@ public function getLatestBundle($checkEd25519Signature = null, $checkChronicle =
      *
      * @param string $customValidator Fully-qualified class name for Validator
      * @return array<int, Bundle>
+     *
+     * @throws EncodingException
+     * @throws FilesystemException
      */
     public function getAllBundles($customValidator = '')
     {
@@ -99,7 +106,9 @@ public function getAllBundles($customValidator = '')
      *
      * @param string $customValidator Fully-qualified class name for Validator
      * @return array<int, Bundle>
-     * @throws \Exception
+     *
+     * @throws EncodingException
+     * @throws FilesystemException
      */
     protected function listBundles($customValidator = '')
     {

src/LocalCACertBuilder.php

@@ -130,7 +130,6 @@ protected function commitToChronicle($sha256sum, $signature)
             return '';
         }
 
-        /** @var string $body */
         $body = \json_encode(
             [
                 'repository' => $this->chronicleRepoName,
@@ -172,7 +171,6 @@ protected function commitToChronicle($sha256sum, $signature)
             throw new InvalidResponseException('No valid signature for Chronicle response.');
         }
 
-        /** @var array $json */
         $json = \json_decode($responseBody, true);
         if (!\is_array($json)) {
             return '';
@@ -282,11 +280,7 @@ public function save()
     public function setChronicle($url = '', $publicKey = '', $clientId = '', $repository = 'paragonie/certainty')
     {
         if (\ParagonIE_Sodium_Core_Util::strlen($publicKey) === 64) {
-            /** @var string $publicKey */
             $publicKey = Hex::decode($publicKey);
-            if (!\is_string($publicKey)) {
-                throw new CryptoException('Signing secret keys must be SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES bytes long.');
-            }
         } elseif (\ParagonIE_Sodium_Core_Util::strlen($publicKey) !== 32) {
             throw new CryptoException('Signing secret keys must be SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES bytes long.');
         }
@@ -354,11 +348,7 @@ public function setSigningKey($secretKey = '')
     {
         // Handle hex-encoded strings.
         if (\ParagonIE_Sodium_Core_Util::strlen($secretKey) === 128) {
-            /** @var string $secretKey */
             $secretKey = Hex::decode($secretKey);
-            if (!\is_string($secretKey)) {
-                throw new CryptoException('Signing secret keys must be SODIUM_CRYPTO_SIGN_SECRETKEYBYTES bytes long.');
-            }
         } elseif (\ParagonIE_Sodium_Core_Util::strlen($secretKey) !== 64) {
             throw new CryptoException('Signing secret keys must be SODIUM_CRYPTO_SIGN_SECRETKEYBYTES bytes long.');
         }

src/RemoteFetch.php

@@ -3,6 +3,7 @@
 
 use GuzzleHttp\Client;
 use ParagonIE\Certainty\Exception\EncodingException;
+use ParagonIE\Certainty\Exception\FilesystemException;
 use ParagonIE\Certainty\Exception\NetworkException;
 
 /**
@@ -40,7 +41,11 @@ class RemoteFetch extends Fetch
      * @param string $url
      * @param Client|null $http
      * @param \DateInterval|string|null $timeout
+     *
+     * @throws Exception\BundleException
+     * @throws \Exception
      * @throws \TypeError
+     * @psalm-suppress RedundantConditionGivenDocblockType
      */
     public function __construct(
         $dataDir = '',
@@ -85,7 +90,6 @@ public function cacheExpired()
         if (!\file_exists($this->dataDirectory . '/ca-certs.cache')) {
             return true;
         }
-        /** @var string $cacheTime */
         $cacheTime = \file_get_contents($this->dataDirectory . '/ca-certs.cache');
         if (!\is_string($cacheTime)) {
             return true;
@@ -99,6 +103,8 @@ public function cacheExpired()
      *
      * @param string $customValidator
      * @return array<int, Bundle>
+     * @throws EncodingException
+     * @throws FilesystemException
      * @throws NetworkException
      */
     protected function listBundles($customValidator = '')

src/Validator.php

@@ -46,6 +46,7 @@ public static function checkSha256Sum(Bundle $bundle)
      * @param Bundle $bundle  Which bundle to validate
      * @param bool $backupKey Use the backup key? (Only if the primary is compromised.)
      * @return bool
+     * @throws \SodiumException
      */
     public static function checkEd25519Signature(Bundle $bundle, $backupKey = false)
     {
@@ -116,11 +117,7 @@ public static function checkChronicleHash(Bundle $bundle)
         $sigValid = false;
         foreach ($response->getHeader(Certainty::ED25519_HEADER) as $header) {
             // Don't catch exceptions here:
-            /** @var string $signature */
             $signature = Base64UrlSafe::decode($header);
-            if (!\is_string($signature)) {
-                throw new EncodingException('Signature invalid');
-            }
             $sigValid = $sigValid || \ParagonIE_Sodium_Compat::crypto_sign_verify_detached(
                 (string) $signature,
                 (string) $body,
@@ -166,6 +163,7 @@ public static function checkChronicleHash(Bundle $bundle)
      * @return bool
      * @throws CryptoException
      * @throws InvalidResponseException
+     * @throws \SodiumException
      */
     protected static function validateChronicleContents(Bundle $bundle, array $result = [])
     {