Added ability to rotate hmac encryption

 keys and re-encrypt existing hmac
 secretKeys with updated encryption

Author: tswagger

phpunit.xml.dist

@@ -94,7 +94,9 @@
 		<env name="COMPOSER_DISABLE_XDEBUG_WARN" value="1"/>
 
         <!-- Default HMAC encryption key -->
-        <env name="authtoken.hmacEncryptionKey" value="hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d"/>
+        <env name="authtoken.hmacEncryptionKey" value="{&quot;k1&quot;:&quot;hex2bin:178ed94fd0b6d57dd31dd6b22fc601fab8ad191efac165a5f3f30a8ac09d813d&quot;,&quot;k2&quot;:&quot;hex2bin:b0ab85bd0320824c496db2f40eb47c8712a6dfcfdf99b805988e22bdea6b9203&quot;}"/>
+        <env name="authtoken.hmacEncryptionDriver" value="{&quot;k1&quot;:&quot;OpenSSL&quot;,&quot;k2&quot;:&quot;OpenSSL&quot;}"/>
+        <env name="authtoken.hmacEncryptionDigest" value="{&quot;k1&quot;:&quot;SHA512&quot;,&quot;k2&quot;:&quot;SHA512&quot;}"/>
 
         <!-- Database configuration -->
 		<env name="database.tests.strictOn" value="true"/>

src/Authentication/HMAC/HmacEncrypter.php

@@ -6,6 +6,7 @@
 
 use CodeIgniter\Encryption\EncrypterInterface;
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
+use CodeIgniter\Shield\Auth;
 use CodeIgniter\Shield\Config\AuthToken;
 use CodeIgniter\Shield\Exceptions\RuntimeException;
 use Config\Encryption;
@@ -29,19 +30,31 @@ class HmacEncrypter
      */
     private AuthToken $authConfig;
 
+    /**
+     * Selected Key Index
+     */
+    private string $keyIndex;
+
     /**
      * Constructor
      * Setup encryption configuration
+     *
+     * @param bool $deprecatedKey Use the deprecated key (useful when re-encrypting on key rotation) [default: false]
      */
-    public function __construct()
+    public function __construct(bool $deprecatedKey = false)
     {
-        $this->authConfig = config('AuthToken');
-        $config           = new Encryption();
+        /** @var AuthToken $authConfig */
+        $authConfig = config('AuthToken');
+        $config     = new Encryption();
+
+        // identify which encryption key should be used
+        $this->keyIndex = $deprecatedKey ? $authConfig->hmacDeprecatedKeyIndex : $authConfig->hmacKeyIndex;
 
-        $config->key    = $this->authConfig->hmacEncryptionKey;
-        $config->driver = $this->authConfig->hmacEncryptionDriver;
-        $config->digest = $this->authConfig->hmacEncryptionDigest;
+        $config->key    = $authConfig->hmacEncryptionKey[$this->keyIndex];
+        $config->driver = $authConfig->hmacEncryptionDriver[$this->keyIndex];
+        $config->digest = $authConfig->hmacEncryptionDigest[$this->keyIndex];
 
+        $this->authConfig = $authConfig;
         // decrypt secret key so signature can be validated
         $this->encrypter = Services::encrypter($config);
     }
@@ -57,8 +70,8 @@ public function __construct()
      */
     public function decrypt(string $encString): string
     {
-        // Removes `$b6$` for base64 format.
-        $encString = substr($encString, 4);
+        // Removes `$b6$keyIndex$` for base64 format.
+        $encString = substr($encString, strlen($this->keyIndex) + 5);
 
         return $this->encrypter->decrypt(base64_decode($encString, true));
     }
@@ -75,7 +88,7 @@ public function decrypt(string $encString): string
      */
     public function encrypt(string $rawString): string
     {
-        $encryptedString = '$b6$' . base64_encode($this->encrypter->encrypt($rawString));
+        $encryptedString = '$b6$' . $this->keyIndex . '$' . base64_encode($this->encrypter->encrypt($rawString));
 
         if (strlen($encryptedString) > $this->authConfig->secret2StorageLimit) {
             throw new RuntimeException('Encrypted key too long. Unable to store value.');
@@ -89,7 +102,7 @@ public function encrypt(string $rawString): string
      */
     public function isEncrypted(string $string): bool
     {
-        return str_starts_with($string, '$b6$');
+        return str_starts_with($string, '$b6$' . $this->keyIndex . '$');
     }
 
     /**

src/Commands/Hmac.php

@@ -25,7 +25,8 @@ class Hmac extends BaseCommand
      *
      * @var string
      */
-    protected $description = 'Encrypt/Decrypt secretKey for HMAC tokens. The encryption should only be run on existing raw secret keys (extremely rare).';
+    protected $description = 'Encrypt/Decrypt secretKey for HMAC tokens. The reencrypt command should be used when
+     rotating the encryption keys. The encrypt command should only be run on existing raw secret keys (extremely rare).';
 
     /**
      * the Command's usage
@@ -34,6 +35,7 @@ class Hmac extends BaseCommand
      */
     protected $usage = <<<'EOL'
         shield:hmac <action>
+            shield:hmac reencrypt
             shield:hmac encrypt
             shield:hmac decrypt
         EOL;
@@ -45,6 +47,7 @@ class Hmac extends BaseCommand
      */
     protected $arguments = [
         'action' => <<<'EOL'
+                reencrypt: Re-encrypts all HMAC Secret Keys on encryption key rotation
                 encrypt: Encrypt all raw HMAC Secret Keys
                 decrypt: Decrypt all encrypted HMAC Secret Keys
             EOL,
@@ -81,6 +84,10 @@ public function run(array $params): int
                     $this->decrypt();
                     break;
 
+                case 'reencrypt':
+                    $this->reEncrypt();
+                    break;
+
                 default:
                     throw new BadInputException('Unrecognized Command');
             }
@@ -156,4 +163,37 @@ static function ($identity) use ($uIdModelSub, $encrypter, $that): void {
             }
         );
     }
+
+    /**
+     * Re-encrypt all encrypted HMAC Secret Keys from existing/deprecated
+     * encryption key to new encryption key.
+     *
+     * @throws ReflectionException
+     */
+    public function reEncrypt(): void
+    {
+        $uIdModel    = new UserIdentityModel();
+        $uIdModelSub = new UserIdentityModel(); // For saving.
+        $decrypter   = new HmacEncrypter(true);
+        $encrypter   = $this->encrypter;
+
+        $that = $this;
+
+        $uIdModel->where('type', 'hmac_sha256')->chunk(
+            100,
+            static function ($identity) use ($uIdModelSub, $decrypter, $encrypter, $that): void {
+                if (! $decrypter->isEncrypted($identity->secret2)) {
+                    $that->write('id: ' . $identity->id . ', not re-encrypted, skipped.');
+
+                    return;
+                }
+
+                $identity->secret2 = $decrypter->decrypt($identity->secret2);
+                $identity->secret2 = $encrypter->encrypt($identity->secret2);
+                $uIdModelSub->save($identity);
+
+                $that->write('id: ' . $identity->id . ', Re-encrypted.');
+            }
+        );
+    }
 }

src/Config/AuthToken.php

@@ -78,9 +78,20 @@ class AuthToken extends BaseConfig
      * --------------------------------------------------------------------
      * Key to be used when encrypting HMAC Secret Key for storage.
      *
+     * This is an array of keys which will facilitate key rotation. Valid
+     *  keyTitles must include only [a-zA-z0-9_] and should be kept to a
+     *  max of 8 characters.
+     *
+     * The valid and old/deprecated keys are identified using $hmacKeyIndex
+     *  and $hmacDeprecatedKeyIndex.
+     *
+     * @param array<string, string>|string $hmacEncryptionKey ['keyTitle' => 'keyValue']
+     *
      * @see https://codeigniter.com/user_guide/libraries/encryption.html
      */
-    public string $hmacEncryptionKey = '';
+    public $hmacEncryptionKey = [
+        'k1' => '',
+    ];
 
     /**
      * --------------------------------------------------------------------
@@ -92,9 +103,16 @@ class AuthToken extends BaseConfig
      * OpenSSL
      * Sodium
      *
+     * This is an array of drivers values.  The keys MUST match and correlate
+     *  to the $hmacEncryptionKey array keys.
+     *
+     * @param array<string, string>|string $hmacEncryptionDriver ['keyTitle' => 'driverValue']
+     *
      * @see https://codeigniter.com/user_guide/libraries/encryption.html
      */
-    public string $hmacEncryptionDriver = 'OpenSSL';
+    public $hmacEncryptionDriver = [
+        'k1' => 'OpenSSL',
+    ];
 
     /**
      * --------------------------------------------------------------------
@@ -104,7 +122,79 @@ class AuthToken extends BaseConfig
      *
      * e.g. 'SHA512' or 'SHA256'. Default value is 'SHA512'.
      *
+     * This is an array of digest values.  The keys MUST match and correlate
+     *  to the $hmacEncryptionKey array keys.
+     *
+     * @param array<string, string>|string $hmacEncryptionDigest ['keyTitle' => 'digestValue']
+     *
      * @see https://codeigniter.com/user_guide/libraries/encryption.html
      */
-    public string $hmacEncryptionDigest = 'SHA512';
+    public $hmacEncryptionDigest = [
+        'k1' => 'SHA512',
+    ];
+
+    /**
+     * --------------------------------------------------------------------
+     * HMAC encryption key selector
+     * --------------------------------------------------------------------
+     * This identifies which encryption key {$hmacEncryptionKey} is active
+     *  and valid.
+     */
+    public string $hmacKeyIndex = 'k1';
+
+    /**
+     * --------------------------------------------------------------------
+     * HMAC encryption key deprecated selector
+     * --------------------------------------------------------------------
+     * This identifies which encryption key {$hmacEncryptionKey} is
+     *  recently deprecated.  This is required and used when rotating keys.
+     *  Effectively, this is the index selector for the old key.
+     */
+    public string $hmacDeprecatedKeyIndex = '';
+
+    public function __construct()
+    {
+        parent::__construct();
+
+        if (is_string($this->hmacEncryptionKey)) {
+            $array = json_decode($this->hmacEncryptionKey, true);
+            if (is_array($array)) {
+                $this->hmacEncryptionKey = $array;
+            }
+        }
+        if (is_string($this->hmacEncryptionDriver)) {
+            $array = json_decode($this->hmacEncryptionDriver, true);
+            if (is_array($array)) {
+                $this->hmacEncryptionDriver = $array;
+            }
+        }
+        if (is_string($this->hmacEncryptionDigest)) {
+            $array = json_decode($this->hmacEncryptionDigest, true);
+            if (is_array($array)) {
+                $this->hmacEncryptionDigest = $array;
+            }
+        }
+    }
+
+    /**
+     * Override parent initEnvValue() to allow for direct setting to array properties values from ENV
+     *
+     * In order to set array properties via ENV vars we need to set the property to a string value first.
+     *
+     * @param mixed $property
+     */
+    protected function initEnvValue(&$property, string $name, string $prefix, string $shortPrefix): void
+    {
+        switch ($name) {
+            case 'hmacEncryptionKey':
+            case 'hmacEncryptionDriver':
+            case 'hmacEncryptionDigest':
+                // if attempting to set property from ENV, first set to empty string
+                if ((bool) $this->getEnvValue($name, $prefix, $shortPrefix)) {
+                    $property = '';
+                }
+        }
+
+        parent::initEnvValue($property, $name, $prefix, $shortPrefix);
+    }
 }

tests/Commands/HmacTest.php

@@ -5,16 +5,21 @@
 namespace Tests\Commands;
 
 use CodeIgniter\Shield\Authentication\HMAC\HmacEncrypter;
+use CodeIgniter\Shield\Commands\Hmac;
+use CodeIgniter\Shield\Config\AuthToken;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
+use CodeIgniter\Shield\Test\MockInputOutput;
 use Tests\Support\DatabaseTestCase;
 
 /**
  * @internal
  */
 final class HmacTest extends DatabaseTestCase
 {
+    private ?MockInputOutput $io = null;
+
     public function testEncrypt(): void
     {
         $idModel = new UserIdentityModel();
@@ -60,4 +65,58 @@ public function testDecrypt(): void
 
         $this->assertSame($rawSecretKey, $tokenCheck->secret2);
     }
+
+    public function testReEncrypt(): void
+    {
+        $idModel = new UserIdentityModel();
+
+        // generate first token
+        /** @var User $user */
+        $user   = fake(UserModel::class);
+        $token1 = $user->generateHmacToken('foo');
+
+        // update config, rotate keys
+        /** @var AuthToken $config */
+        $config = config('AuthToken');
+
+        $config->hmacKeyIndex           = 'k2';
+        $config->hmacDeprecatedKeyIndex = 'k1';
+
+        // new key generated with updated encryption
+        $token2 = $user->generateHmacToken('bar');
+
+        $this->setMockIo([]);
+        $this->assertNotFalse(command('shield:hmac reencrypt'));
+
+        $resultsString = $this->io->getOutputs();
+        $results       = explode("\n", trim($resultsString));
+
+        // verify that only 1 key needed to be re-encrypted
+        $this->assertCount(2, $results);
+        $this->assertSame('id: 1, Re-encrypted.', $results[0]);
+        $this->assertSame('id: 2, not re-encrypted, skipped.', $results[1]);
+
+        $encrypter = new HmacEncrypter();
+
+        $tokenCheck1        = $idModel->find($token1->id);
+        $descryptSecretKey1 = $encrypter->decrypt($tokenCheck1->secret2);
+        $this->assertSame($token1->rawSecretKey, $descryptSecretKey1);
+
+        $tokenCheck2        = $idModel->find($token2->id);
+        $descryptSecretKey2 = $encrypter->decrypt($tokenCheck2->secret2);
+        $this->assertSame($token2->rawSecretKey, $descryptSecretKey2);
+    }
+
+    /**
+     * Set MockInputOutput and user inputs.
+     *
+     * @param array<int, string> $inputs User inputs
+     * @phpstan-param list<string> $inputs
+     */
+    private function setMockIo(array $inputs): void
+    {
+        $this->io = new MockInputOutput();
+        $this->io->setInputs($inputs);
+        Hmac::setInputOutput($this->io);
+    }
 }