Rework of HMAC Encryption config properties.

Improved tests
Fixed bug with isEncrypted check
Cleaned up Documentation to reflect above changes

Author: tswagger

UPGRADING.md

@@ -53,17 +53,17 @@ protected function redirectToDeniedUrl(): RedirectResponse
 #### Config\AuthToken
 
 If you are using the HMAC authentication you need to update the encryption settings in **app/Config/AuthToken.php**.
-You will need to update and set the encryption key `$hmacEncryptionKey`. This should be set using **.env** and/or system
+You will need to update and set the encryption key `$hmacEncryption['key']`. This should be set using **.env** and/or system
 environment variables. Instructions on how to do that can be found in the
 [Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
 section of the CodeIgniter 4 documentation and in [HMAC SHA256 Token Authenticator](./docs/references/authentication/hmac.md#hmac-secret-key-encryption).
 
-You also may wish to adjust the default Driver `$hmacEncryptionDriver` and the default Digest `$hmacEncryptionDigest`,
+You also may wish to adjust the default Driver `$hmacEncryption['driver']` and the default Digest `$hmacEncryption['digest']`,
 these currently default to `'OpenSSL'` and `'SHA512'` respectively.
 
 #### Encrypt Existing Keys
 
-After updating the `$hmacEncryptionKey` value, you will need to run `php spark shield:hmac encrypt` in order to encrypt
+After updating the `$hmacEncryption['key']` value, you will need to run `php spark shield:hmac encrypt` in order to encrypt
 any existing HMAC tokens.  This only needs to be run if you have existing unencrypted HMAC secretKeys in stored in the
 database.
 

docs/guides/api_hmac_keys.md

@@ -91,13 +91,13 @@ $user->revokeAllHmacTokens();
 ## HMAC Secret Key Encryption
 
 The HMAC Secret Key is stored encrypted.  Before you start using HMAC, you will need to set/override the encryption key
-`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using **.env** and/or system environment variables.
+`$hmacEncryption['key']` in **app/Config/AuthToken.php**. This should be set using **.env** and/or system environment variables.
 Instructions on how to do that can be found in the
 [Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
 section of the CodeIgniter 4 documentation.
 
-You will also be able to adjust the default Driver `$hmacEncryptionDriver` and the default Digest
-`$hmacEncryptionDigest`, these default to `'OpenSSL'` and `'SHA512'` respectively.
+You will also be able to adjust the default Driver `$hmacEncryption['driver']` and the default Digest
+`$hmacEncryption['digest']`, these default to `'OpenSSL'` and `'SHA512'` respectively.
 
 See [HMAC SHA256 Token Authenticator](../references/authentication/hmac.md#hmac-secret-key-encryption) for additional
 details on setting these values.

docs/references/authentication/hmac.md

@@ -160,54 +160,49 @@ if ($user->hmacTokenCant('forums.manage')) {
 ## HMAC Secret Key Encryption
 
 The HMAC Secret Key is stored encrypted.  Before you start using HMAC, you will need to set/override the encryption key
-`$hmacEncryptionKey` in **app/Config/AuthToken.php**. This should be set using .env and/or system environment variables.
+`$hmacEncryption['key']` in **app/Config/AuthToken.php**. This should be set using .env and/or system environment variables.
 Instructions on how to do that can be found in the
 [Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
 section of the CodeIgniter 4 documentation.
 
-You will also be able to adjust the default Driver `$hmacEncryptionDriver` and the default Digest
-`$hmacEncryptionDigest`, these default to `'OpenSSL'` and `'SHA512'` respectively. All three properties (`$hmacEncryptionKey`,
-`$hmacEncryptionDriver`, and `$hmacEncryptionDigest`) are set in array format (see below).
+You will also be able to adjust the default Driver `$hmacEncryption['driver']` and the default Digest
+`$hmacEncryption['digest']`, these default to `'OpenSSL'` and `'SHA512'` respectively. All three properties (`$hmacEncryption['key']`,
+`$hmacEncryption['driver']`, and `$hmacEncryption['digest']`) are set in array format (see below).
 
 ```php
-public $hmacEncryptionKey = [
-    'k1' => 'hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7',
+public array $hmacEncryption [
+    'key' => [
+        'k1' => 'hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7',
+    ],
+    'driver' => ['k1' => 'OpenSSL'],
+    'digest' => ['k1' => 'SHA512'],
+    'currentKey' => 'k1',
+    'deprecatedKey' => null
 ];
-
-public $hmacEncryptionDriver = [
-    'k1' => 'OpenSSL',
-];
-
-public $hmacEncryptionDigest = [
-    'k1' => 'SHA512',
-];
-
-public string $hmacKeyIndex = 'k1';
 ```
 
 When it is time to update your encryption keys you will need to add an additional key to the above arrays. Then adjust
-the `$hmacKeyIndex` to point at the new key and adjust `$hmacDeprecatedKeyIndex` to point at the old key.  After the new
-encryption key is in place, run `php spark shield:hmac reencrypt` to re-encrypt all existing keys with the new encryption
-key.
+the `$hmacEncryption['currentKey']` to point at the new key and adjust `$hmacEncryption['deprecatedKey']` to point at the
+old key.  After the new encryption key is in place, run `php spark shield:hmac reencrypt` to re-encrypt all existing keys
+with the new encryption key.
 
 ```php
-public $hmacEncryptionKey = [
-    'k1' => 'hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7',
-    'k2' => 'hex2bin:451df599363b19be1434605fff8556a0bbfc50bede1bb33793dcde4d97fce4b0',
+public array $hmacEncryption [
+    'key' => [
+        'k1' => 'hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7',
+        'k2' => 'hex2bin:451df599363b19be1434605fff8556a0bbfc50bede1bb33793dcde4d97fce4b0',
+    ],
+    'driver' => [
+        'k1' => 'OpenSSL',
+        'k2' => 'OpenSSL',
+    ],
+    'digest' => [
+        'k1' => 'SHA512',
+        'k2' => 'SHA512'
+    ],
+    'currentKey' => 'k2',
+    'deprecatedKey' => 'k1'
 ];
-
-public $hmacEncryptionDriver = [
-    'k1' => 'OpenSSL',
-    'k2' => 'OpenSSL',
-];
-
-public $hmacEncryptionDigest = [
-    'k1' => 'SHA512',
-    'k2' => 'SHA512',
-];
-
-public string $hmacKeyIndex = 'k2';
-public string $hmacDeprecatedKeyIndex = 'k1';
 ```
 
 ```shell
@@ -218,11 +213,11 @@ You can (and should) set these values using environment variable and/or the `.en
 the values as JSON strings:
 
 ```dotenv
-authtoken.hmacEncryptionKey = '{"k1":"hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7","k2":"hex2bin:451df599363b19be1434605fff8556a0bbfc50bede1bb33793dcde4d97fce4b0"}'
-authtoken.hmacEncryptionDriver = '{"k1":"OpenSSL","k2":"OpenSSL"}'
-authtoken.hmacEncryptionDigest = '{"k1":"SHA512","k2":"SHA512"}'
-authtoken.hmacKeyIndex = k2
-authtoken.hmacDeprecatedKeyIndex = k1
+authtoken.hmacEncryption.key = '{"k1":"hex2bin:923dfab5ddca0c7784c2c388a848a704f5e048736c1a852c862959da62ade8c7","k2":"hex2bin:451df599363b19be1434605fff8556a0bbfc50bede1bb33793dcde4d97fce4b0"}'
+authtoken.hmacEncryption.driver = '{"k1":"OpenSSL","k2":"OpenSSL"}'
+authtoken.hmacEncryption.digest = '{"k1":"SHA512","k2":"SHA512"}'
+authtoken.hmacEncryption.currentKey = k2
+authtoken.hmacEncryption.deprecatedKey = k1
 ```
 
 Depending on the set length of the Secret Key and the type of encryption used, it is possible for the encrypted value to

phpunit.xml.dist

@@ -94,9 +94,9 @@
 		<env name="COMPOSER_DISABLE_XDEBUG_WARN" value="1"/>
 
         <!-- Default HMAC encryption key -->
-        <env name="authtoken.hmacEncryptionKey" value="{&quot;k1&quot;:&quot;hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d&quot;,&quot;k2&quot;:&quot;hex2bin:b0ab85bd0320824c496db2f40eb47c8712a6dfcfdf99b805988e22bdea6b9203&quot;}"/>
-        <env name="authtoken.hmacEncryptionDriver" value="{&quot;k1&quot;:&quot;OpenSSL&quot;,&quot;k2&quot;:&quot;OpenSSL&quot;}"/>
-        <env name="authtoken.hmacEncryptionDigest" value="{&quot;k1&quot;:&quot;SHA512&quot;,&quot;k2&quot;:&quot;SHA512&quot;}"/>
+        <env name="authtoken.hmacEncryption.key" value="{&quot;k1&quot;:&quot;hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d&quot;,&quot;k2&quot;:&quot;hex2bin:b0ab85bd0320824c496db2f40eb47c8712a6dfcfdf99b805988e22bdea6b9203&quot;}"/>
+        <env name="authtoken.hmacEncryption.driver" value="{&quot;k1&quot;:&quot;OpenSSL&quot;,&quot;k2&quot;:&quot;OpenSSL&quot;}"/>
+        <env name="authtoken.hmacEncryption.digest" value="{&quot;k1&quot;:&quot;SHA512&quot;,&quot;k2&quot;:&quot;SHA512&quot;}"/>
 
         <!-- Database configuration -->
 		<env name="database.tests.strictOn" value="true"/>

src/Authentication/HMAC/HmacEncrypter.php

@@ -47,12 +47,19 @@ public function __construct(bool $deprecatedKey = false)
         $authConfig = config('AuthToken');
         $config     = new Encryption();
 
+        //        // identify which encryption key should be used
+        //        $this->keyIndex = $deprecatedKey ? $authConfig->hmacDeprecatedKeyIndex : $authConfig->hmacKeyIndex;
+        //
+        //        $config->key    = $authConfig->hmacEncryptionKey[$this->keyIndex];
+        //        $config->driver = $authConfig->hmacEncryptionDriver[$this->keyIndex];
+        //        $config->digest = $authConfig->hmacEncryptionDigest[$this->keyIndex];
+
         // identify which encryption key should be used
-        $this->keyIndex = $deprecatedKey ? $authConfig->hmacDeprecatedKeyIndex : $authConfig->hmacKeyIndex;
+        $this->keyIndex = $deprecatedKey ? $authConfig->hmacEncryption['deprecatedKey'] : $authConfig->hmacEncryption['currentKey'];
 
-        $config->key    = $authConfig->hmacEncryptionKey[$this->keyIndex];
-        $config->driver = $authConfig->hmacEncryptionDriver[$this->keyIndex];
-        $config->digest = $authConfig->hmacEncryptionDigest[$this->keyIndex];
+        $config->key    = $authConfig->hmacEncryption['key'][$this->keyIndex];
+        $config->driver = $authConfig->hmacEncryption['driver'][$this->keyIndex];
+        $config->digest = $authConfig->hmacEncryption['digest'][$this->keyIndex];
 
         $this->authConfig = $authConfig;
         // decrypt secret key so signature can be validated
@@ -102,7 +109,16 @@ public function encrypt(string $rawString): string
      */
     public function isEncrypted(string $string): bool
     {
-        return str_starts_with($string, '$b6$' . $this->keyIndex . '$');
+        return (bool) preg_match('/^\$b6\$/', $string);
+    }
+
+    /**
+     * Check if the string already encrypted
+     */
+    public function isEncryptedWithSetKey(string $string): bool
+    {
+        return (bool) preg_match('/^\$b6\$' . $this->keyIndex . '\$/', $string);
+        //        return str_starts_with($string, '$b6$' . $this->keyIndex . '$');
     }
 
     /**

src/Commands/Hmac.php

@@ -25,8 +25,7 @@ class Hmac extends BaseCommand
      *
      * @var string
      */
-    protected $description = 'Encrypt/Decrypt secretKey for HMAC tokens. The reencrypt command should be used when
-     rotating the encryption keys. The encrypt command should only be run on existing raw secret keys (extremely rare).';
+    protected $description = 'Encrypt/Decrypt secretKey for HMAC tokens.';
 
     /**
      * the Command's usage
@@ -38,6 +37,9 @@ class Hmac extends BaseCommand
             shield:hmac reencrypt
             shield:hmac encrypt
             shield:hmac decrypt
+
+            The reencrypt command should be used when rotating the encryption keys.
+            The encrypt command should only be run on existing raw secret keys (extremely rare).
         EOL;
 
     /**
@@ -147,7 +149,7 @@ public function decrypt(): void
 
         $that = $this;
 
-        $uIdModel->where('type', 'hmac_sha256')->chunk(
+        $uIdModel->where('type', 'hmac_sha256')->orderBy('id')->chunk(
             100,
             static function ($identity) use ($uIdModelSub, $encrypter, $that): void {
                 if (! $encrypter->isEncrypted($identity->secret2)) {
@@ -179,10 +181,10 @@ public function reEncrypt(): void
 
         $that = $this;
 
-        $uIdModel->where('type', 'hmac_sha256')->chunk(
+        $uIdModel->where('type', 'hmac_sha256')->orderBy('id')->chunk(
             100,
             static function ($identity) use ($uIdModelSub, $decrypter, $encrypter, $that): void {
-                if (! $decrypter->isEncrypted($identity->secret2)) {
+                if (! $decrypter->isEncryptedWithSetKey($identity->secret2)) {
                     $that->write('id: ' . $identity->id . ', not re-encrypted, skipped.');
 
                     return;

src/Config/AuthToken.php

@@ -74,107 +74,64 @@ class AuthToken extends BaseConfig
 
     /**
      * --------------------------------------------------------------------
-     * HMAC encryption key
+     * HMAC encryption Keys
      * --------------------------------------------------------------------
-     * Key to be used when encrypting HMAC Secret Key for storage.
+     * This sets the key to be used when encrypting a user's HMAC Secret Key.
      *
-     * This is an array of keys which will facilitate key rotation. Valid
+     * 'key' is an array of keys which will facilitate key rotation. Valid
      *  keyTitles must include only [a-zA-z0-9_] and should be kept to a
      *  max of 8 characters.
      *
-     * The valid and old/deprecated keys are identified using $hmacKeyIndex
-     *  and $hmacDeprecatedKeyIndex.
-     *
-     * @param array<string, string>|string $hmacEncryptionKey ['keyTitle' => 'keyValue']
-     *
-     * @see https://codeigniter.com/user_guide/libraries/encryption.html
-     */
-    public $hmacEncryptionKey = [
-        'k1' => '',
-    ];
-
-    /**
-     * --------------------------------------------------------------------
-     * HMAC encryption driver
-     * --------------------------------------------------------------------
-     * Driver to be used when encrypting HMAC Secret Key for storage.
-     *
-     * Available drivers:
-     * OpenSSL
-     * Sodium
+     * 'driver' is used when encrypting HMAC Secret Key for storage.
+     *    Available drivers:
+     *      - OpenSSL
+     *      - Sodium
      *
      * This is an array of drivers values.  The keys MUST match and correlate
-     *  to the $hmacEncryptionKey array keys.
-     *
-     * @param array<string, string>|string $hmacEncryptionDriver ['keyTitle' => 'driverValue']
+     *  to the 'key' array keys.
      *
-     * @see https://codeigniter.com/user_guide/libraries/encryption.html
-     */
-    public $hmacEncryptionDriver = [
-        'k1' => 'OpenSSL',
-    ];
-
-    /**
-     * --------------------------------------------------------------------
-     * HMAC encryption digest
-     * --------------------------------------------------------------------
-     * Digest to be used when encrypting HMAC Secret Key for storage.
-     *
-     * e.g. 'SHA512' or 'SHA256'. Default value is 'SHA512'.
+     * 'digest' is used when encrypting HMAC Secret Key for storage.
+     *    e.g. 'SHA512' or 'SHA256'. Default value is 'SHA512'.
      *
      * This is an array of digest values.  The keys MUST match and correlate
-     *  to the $hmacEncryptionKey array keys.
+     *  to the 'key' array keys.
+     *
+     * The valid and old/deprecated keys are identified using 'currentKey'
+     *  and 'deprecatedKey'.
      *
-     * @param array<string, string>|string $hmacEncryptionDigest ['keyTitle' => 'digestValue']
+     * 'deprecatedKey' reflects which 'key' is recently deprecated.  This
+     *  is required and used when rotating keys. Effectively, this is the
+     *  index selector for the old key.
      *
      * @see https://codeigniter.com/user_guide/libraries/encryption.html
      */
-    public $hmacEncryptionDigest = [
-        'k1' => 'SHA512',
+    public array $hmacEncryption = [
+        'key'           => ['k1' => ''],
+        'driver'        => ['k1' => 'OpenSSL'],
+        'digest'        => ['k1' => 'SHA512'],
+        'currentKey'    => 'k1',
+        'deprecatedKey' => '',
     ];
 
-    /**
-     * --------------------------------------------------------------------
-     * HMAC encryption key selector
-     * --------------------------------------------------------------------
-     * This identifies which encryption key {$hmacEncryptionKey} is active
-     *  and valid.
-     */
-    public string $hmacKeyIndex = 'k1';
-
-    /**
-     * --------------------------------------------------------------------
-     * HMAC encryption key deprecated selector
-     * --------------------------------------------------------------------
-     * This identifies which encryption key {$hmacEncryptionKey} is
-     *  recently deprecated.  This is required and used when rotating keys.
-     *  Effectively, this is the index selector for the old key.
-     */
-    public string $hmacDeprecatedKeyIndex = '';
-
     /**
      * AuthToken Config Constructor
      */
     public function __construct()
     {
         parent::__construct();
 
-        if (is_string($this->hmacEncryptionKey)) {
-            $array = json_decode($this->hmacEncryptionKey, true);
-            if (is_array($array)) {
-                $this->hmacEncryptionKey = $array;
-            }
-        }
-        if (is_string($this->hmacEncryptionDriver)) {
-            $array = json_decode($this->hmacEncryptionDriver, true);
-            if (is_array($array)) {
-                $this->hmacEncryptionDriver = $array;
-            }
-        }
-        if (is_string($this->hmacEncryptionDigest)) {
-            $array = json_decode($this->hmacEncryptionDigest, true);
-            if (is_array($array)) {
-                $this->hmacEncryptionDigest = $array;
+        $overwriteHmacEncryptionFields = [
+            'key',
+            'driver',
+            'digest',
+        ];
+
+        foreach ($overwriteHmacEncryptionFields as $fieldName) {
+            if (is_string($this->hmacEncryption[$fieldName])) {
+                $array = json_decode($this->hmacEncryption[$fieldName], true);
+                if (is_array($array)) {
+                    $this->hmacEncryption[$fieldName] = $array;
+                }
             }
         }
     }
@@ -189,12 +146,12 @@ public function __construct()
     protected function initEnvValue(&$property, string $name, string $prefix, string $shortPrefix): void
     {
         switch ($name) {
-            case 'hmacEncryptionKey':
-            case 'hmacEncryptionDriver':
-            case 'hmacEncryptionDigest':
+            case 'hmacEncryption.key':
+            case 'hmacEncryption.driver':
+            case 'hmacEncryption.digest':
                 // if attempting to set property from ENV, first set to empty string
                 if ((bool) $this->getEnvValue($name, $prefix, $shortPrefix)) {
-                    $property = '';
+                    $property = null;
                 }
         }