Added check to ensure stored keys do not exceed db column width

tswagger · tswagger · commit 85b8db6fb6d3 · 2023-11-21T19:02:05.000-06:00
Updated documentation to reflect recent changes
diff --git a/UPGRADING.md b/UPGRADING.md
@@ -32,17 +32,6 @@ The following items have been added. Copy the properties in **src/Config/Auth.ph
 - `permission_denied` and `group_denied` are added to `Config\Auth::$redirects`.
 - `permissionDeniedRedirect()` and `groupDeniedRedirect()` are added.
 
-#### Config\AuthToken
-
-If you are using the HMAC authentication you need to update the encryption settings in **app/Config/AuthToken.php**.
-You will need to update and set the encryption key `$hmacEncryptionKey`. This should be set using .env and/or system
-environment variables. Instructions on how to do that can be found in the
-[Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
-section of the CodeIgniter 4 documentation.
-
-You also may wish to adjust the default Driver `$hmacEncryptionDriver` and the default Digest `$hmacEncryptionDigest`,
-these currently default to `'OpenSSL'` and `'SHA512'` respectively.
-
 ### Fix Custom Filter If extends `AbstractAuthFilter`
 
 If you have written a custom filter that extends `AbstractAuthFilter`, now you need to add and implement the `redirectToDeniedUrl()` method to your custom filter.
@@ -58,10 +47,25 @@ protected function redirectToDeniedUrl(): RedirectResponse
         ->with('error', lang('Auth.notEnoughPrivilege'));
 }
 ```
-### Database Migrations
 
-After updating the `$hmacEncryptionKey` value, you will need to run `php spark migrate --all` in order to encrypt any
-existing HMAC tokens.
+### Fix to HMAC Secret Key Encryption
+
+#### Config\AuthToken
+
+If you are using the HMAC authentication you need to update the encryption settings in **app/Config/AuthToken.php**.
+You will need to update and set the encryption key `$hmacEncryptionKey`. This should be set using .env and/or system
+environment variables. Instructions on how to do that can be found in the
+[Setting Your Encryption Key](https://codeigniter.com/user_guide/libraries/encryption.html#setting-your-encryption-key)
+section of the CodeIgniter 4 documentation.
+
+You also may wish to adjust the default Driver `$hmacEncryptionDriver` and the default Digest `$hmacEncryptionDigest`,
+these currently default to `'OpenSSL'` and `'SHA512'` respectively.
+
+#### Encrypt Existing Keys
+
+After updating the `$hmacEncryptionKey` value, you will need to run `php spark shield:hmac encrypt` in order to encrypt
+any existing HMAC tokens.  This only needs to be run if you have existing unencrypted HMAC secretKeys in stored in the
+database.
 
 ## Version 1.0.0-beta.6 to 1.0.0-beta.7
 
diff --git a/docs/guides/api_hmac_keys.md b/docs/guides/api_hmac_keys.md
@@ -99,6 +99,9 @@ section of the CodeIgniter 4 documentation.
 You will also be able to adjust the default Driver `$hmacEncryptionDriver` and the default Digest
 `$hmacEncryptionDigest`, these default to `'OpenSSL'` and `'SHA512'` respectively.
 
+Depending on the set length of the Secret Key and the type of encryption used, it is possible for the encrypted value to
+exceed the database column character limit of 255 characters.  If this happens, creation of a new HMAC identity will
+throw a `RuntimeException`.
 
 ## Protecting Routes
 
diff --git a/src/Authentication/HMAC/HmacEncrypter.php b/src/Authentication/HMAC/HmacEncrypter.php
@@ -5,7 +5,9 @@
 namespace CodeIgniter\Shield\Authentication\HMAC;
 
 use CodeIgniter\Encryption\EncrypterInterface;
+use CodeIgniter\Encryption\Exceptions\EncryptionException;
 use CodeIgniter\Shield\Config\AuthToken;
+use CodeIgniter\Shield\Exceptions\RuntimeException;
 use Config\Encryption;
 use Config\Services;
 use Exception;
@@ -47,36 +49,47 @@ public function __construct()
     /**
      * Decrypt
      *
-     * @param string $hexString Encrypted string in Hex format
+     * @param string $base64String Encrypted string in base64 format
      *
      * @return string Raw decrypted string
+     *
+     * @throws EncryptionException
      */
-    public function decrypt(string $hexString): string
+    public function decrypt(string $base64String): string
     {
-        return $this->encrypter->decrypt(hex2bin($hexString));
+        return $this->encrypter->decrypt(base64_decode($base64String, true));
     }
 
     /**
      * Encrypt
      *
      * @param string $rawString Raw string to encrypt
      *
-     * @return string Encrypted string in hex format
+     * @return string Encrypted string in base64 format
+     *
+     * @throws EncryptionException
+     * @throws RuntimeException
      */
     public function encrypt(string $rawString): string
     {
-        return bin2hex($this->encrypter->encrypt($rawString));
+        $encryptedString = base64_encode($this->encrypter->encrypt($rawString));
+
+        if (strlen($encryptedString) > $this->authConfig->secret2StorageLimit) {
+            throw new RuntimeException('Encrypted key too long. Unable to store value.');
+        }
+
+        return $encryptedString;
     }
 
     /**
      * Generate Key
      *
-     * @return string Secret Key in hexed format
+     * @return string Secret Key in base64 format
      *
      * @throws Exception
      */
     public function generateSecretKey(): string
     {
-        return bin2hex(random_bytes($this->authConfig->hmacSecretKeyByteSize));
+        return base64_encode(random_bytes($this->authConfig->hmacSecretKeyByteSize));
     }
 }
diff --git a/src/Commands/Hmac.php b/src/Commands/Hmac.php
@@ -7,6 +7,7 @@
 use CodeIgniter\Shield\Authentication\HMAC\HmacEncrypter;
 use CodeIgniter\Shield\Commands\Exceptions\BadInputException;
 use CodeIgniter\Shield\Models\UserIdentityModel;
+use Exception;
 use ReflectionException;
 
 class Hmac extends BaseCommand
@@ -82,7 +83,7 @@ public function run(array $params): int
                 default:
                     throw new BadInputException('Unrecognized Command');
             }
-        } catch (BadInputException|ReflectionException $e) {
+        } catch (Exception $e) {
             $this->write($e->getMessage(), 'red');
 
             return EXIT_ERROR;
diff --git a/src/Config/AuthToken.php b/src/Config/AuthToken.php
@@ -55,6 +55,14 @@ class AuthToken extends BaseConfig
      */
     public int $unusedTokenLifetime = YEAR;
 
+    /**
+     * --------------------------------------------------------------------
+     * Secret2 storage character limit
+     * --------------------------------------------------------------------
+     * Database size limit for the identities 'secret2' field.
+     */
+    public int $secret2StorageLimit = 255;
+
     /**
      * --------------------------------------------------------------------
      * HMAC secret key byte size

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,9 @@`
`5`	`5`	`namespace CodeIgniter\Shield\Authentication\HMAC;`
`6`	`6`
`7`	`7`	`use CodeIgniter\Encryption\EncrypterInterface;`
	`8`	`+use CodeIgniter\Encryption\Exceptions\EncryptionException;`
`8`	`9`	`use CodeIgniter\Shield\Config\AuthToken;`
	`10`	`+use CodeIgniter\Shield\Exceptions\RuntimeException;`
`9`	`11`	`use Config\Encryption;`
`10`	`12`	`use Config\Services;`
`11`	`13`	`use Exception;`
`@@ -47,36 +49,47 @@ public function __construct()`
`47`	`49`	`/**`
`48`	`50`	`* Decrypt`
`49`	`51`	`*`
`50`		`- * @param string $hexString Encrypted string in Hex format`
	`52`	`+ * @param string $base64String Encrypted string in base64 format`
`51`	`53`	`*`
`52`	`54`	`* @return string Raw decrypted string`
	`55`	`+ *`
	`56`	`+ * @throws EncryptionException`
`53`	`57`	`*/`
`54`		`- public function decrypt(string $hexString): string`
	`58`	`+ public function decrypt(string $base64String): string`
`55`	`59`	`{`
`56`		`- return $this->encrypter->decrypt(hex2bin($hexString));`
	`60`	`+ return $this->encrypter->decrypt(base64_decode($base64String, true));`
`57`	`61`	`}`
`58`	`62`
`59`	`63`	`/**`
`60`	`64`	`* Encrypt`
`61`	`65`	`*`
`62`	`66`	`* @param string $rawString Raw string to encrypt`
`63`	`67`	`*`
`64`		`- * @return string Encrypted string in hex format`
	`68`	`+ * @return string Encrypted string in base64 format`
	`69`	`+ *`
	`70`	`+ * @throws EncryptionException`
	`71`	`+ * @throws RuntimeException`
`65`	`72`	`*/`
`66`	`73`	`public function encrypt(string $rawString): string`
`67`	`74`	`{`
`68`		`- return bin2hex($this->encrypter->encrypt($rawString));`
	`75`	`+ $encryptedString = base64_encode($this->encrypter->encrypt($rawString));`
	`76`	`+`
	`77`	`+ if (strlen($encryptedString) > $this->authConfig->secret2StorageLimit) {`
	`78`	`+ throw new RuntimeException('Encrypted key too long. Unable to store value.');`
	`79`	`+ }`
	`80`	`+`
	`81`	`+ return $encryptedString;`
`69`	`82`	`}`
`70`	`83`
`71`	`84`	`/**`
`72`	`85`	`* Generate Key`
`73`	`86`	`*`
`74`		`- * @return string Secret Key in hexed format`
	`87`	`+ * @return string Secret Key in base64 format`
`75`	`88`	`*`
`76`	`89`	`* @throws Exception`
`77`	`90`	`*/`
`78`	`91`	`public function generateSecretKey(): string`
`79`	`92`	`{`
`80`		`- return bin2hex(random_bytes($this->authConfig->hmacSecretKeyByteSize));`
	`93`	`+ return base64_encode(random_bytes($this->authConfig->hmacSecretKeyByteSize));`
`81`	`94`	`}`
`82`	`95`	`}`