Rework of encrypter so it can decrypt all

old keys.
Added parent config to AuthToken.php.
Update documentation to reflect change.

Author: tswagger

docs/references/authentication/hmac.md

@@ -177,14 +177,13 @@ public array $hmacEncryption = [
     'driver'        => ['k1' => 'OpenSSL'],
     'digest'        => ['k1' => 'SHA512'],
     'currentKey'    => 'k1',
-    'deprecatedKey' => null,
 ];
 ```
 
 When it is time to update your encryption keys you will need to add an additional key to the above arrays. Then adjust
-the `$hmacEncryption['currentKey']` to point at the new key and adjust `$hmacEncryption['deprecatedKey']` to point at the
-old key.  After the new encryption key is in place, run `php spark shield:hmac reencrypt` to re-encrypt all existing keys
-with the new encryption key.
+the `$hmacEncryption['currentKey']` to point at the new key.  After the new encryption key is in place, run
+`php spark shield:hmac reencrypt` to re-encrypt all existing keys with the new encryption key.  You will need to leave
+the old key in the array as it will be used read the existing keys during re-encryption.
 
 ```php
 public array $hmacEncryption = [
@@ -201,7 +200,6 @@ public array $hmacEncryption = [
         'k2' => 'SHA512',
     ],
     'currentKey'    => 'k2',
-    'deprecatedKey' => 'k1',
 ];
 ```
 
@@ -217,7 +215,6 @@ authtoken.hmacEncryption.key = '{"k1":"hex2bin:923dfab5ddca0c7784c2c388a848a704f
 authtoken.hmacEncryption.driver = '{"k1":"OpenSSL","k2":"OpenSSL"}'
 authtoken.hmacEncryption.digest = '{"k1":"SHA512","k2":"SHA512"}'
 authtoken.hmacEncryption.currentKey = k2
-authtoken.hmacEncryption.deprecatedKey = k1
 ```
 
 Depending on the set length of the Secret Key and the type of encryption used, it is possible for the encrypted value to

src/Authentication/HMAC/HmacEncrypter.php

@@ -22,41 +22,25 @@ class HmacEncrypter
 {
     /**
      * Codeigniter Encrypter
+     *
+     * @var array<string, EncrypterInterface>
      */
-    private EncrypterInterface $encrypter;
+    private array $encrypter;
 
     /**
      * Auth Token config
      */
     private AuthToken $authConfig;
 
-    /**
-     * Selected Key Index
-     */
-    private string $keyIndex;
-
     /**
      * Constructor
      * Setup encryption configuration
-     *
-     * @param bool $deprecatedKey Use the deprecated key (useful when re-encrypting on key rotation) [default: false]
      */
-    public function __construct(bool $deprecatedKey = false)
+    public function __construct()
     {
-        /** @var AuthToken $authConfig */
-        $authConfig = config('AuthToken');
-        $config     = new Encryption();
-
-        // identify which encryption key should be used
-        $this->keyIndex = $deprecatedKey ? $authConfig->hmacEncryption['deprecatedKey'] : $authConfig->hmacEncryption['currentKey'];
+        $this->authConfig = config('AuthToken');
 
-        $config->key    = $authConfig->hmacEncryption['key'][$this->keyIndex];
-        $config->driver = $authConfig->hmacEncryption['driver'][$this->keyIndex];
-        $config->digest = $authConfig->hmacEncryption['digest'][$this->keyIndex];
-
-        $this->authConfig = $authConfig;
-        // decrypt secret key so signature can be validated
-        $this->encrypter = Services::encrypter($config);
+        $this->getEncrypter($this->authConfig->hmacEncryption['currentKey']);
     }
 
     /**
@@ -70,10 +54,15 @@ public function __construct(bool $deprecatedKey = false)
      */
     public function decrypt(string $encString): string
     {
-        // Removes `$b6$keyIndex$` for base64 format.
-        $encString = substr($encString, strlen($this->keyIndex) + 5);
+        $matches = [];
+        // check for a match
+        if (preg_match('/^\$b6\$(\w+?)\$(.+)$/', $encString, $matches) !== 1) {
+            throw new EncryptionException('Unable to decrypt string');
+        }
+
+        $encrypter = $this->getEncrypter($matches[1]);
 
-        return $this->encrypter->decrypt(base64_decode($encString, true));
+        return $encrypter->decrypt(base64_decode($matches[2], true));
     }
 
     /**
@@ -88,7 +77,9 @@ public function decrypt(string $encString): string
      */
     public function encrypt(string $rawString): string
     {
-        $encryptedString = '$b6$' . $this->keyIndex . '$' . base64_encode($this->encrypter->encrypt($rawString));
+        $currentKey = $this->authConfig->hmacEncryption['currentKey'];
+
+        $encryptedString = '$b6$' . $currentKey . '$' . base64_encode($this->encrypter[$currentKey]->encrypt($rawString));
 
         if (strlen($encryptedString) > $this->authConfig->secret2StorageLimit) {
             throw new RuntimeException('Encrypted key too long. Unable to store value.');
@@ -102,15 +93,17 @@ public function encrypt(string $rawString): string
      */
     public function isEncrypted(string $string): bool
     {
-        return (bool) preg_match('/^\$b6\$/', $string);
+        return preg_match('/^\$b6\$/', $string) === 1;
     }
 
     /**
-     * Check if the string already encrypted
+     * Check if the string already encrypted with the Current Set Key
      */
-    public function isEncryptedWithSetKey(string $string): bool
+    public function isEncryptedWithCurrentKey(string $string): bool
     {
-        return preg_match('/^\$b6\$' . $this->keyIndex . '\$/', $string) === 1;
+        $currentKey = $this->authConfig->hmacEncryption['currentKey'];
+
+        return preg_match('/^\$b6\$' . $currentKey . '\$/', $string) === 1;
     }
 
     /**
@@ -124,4 +117,28 @@ public function generateSecretKey(): string
     {
         return base64_encode(random_bytes($this->authConfig->hmacSecretKeyByteSize));
     }
+
+    /**
+     * Retrieve encrypter for selected key
+     *
+     * @param string $encrypterKey Index Key for selected Encrypter
+     */
+    private function getEncrypter(string $encrypterKey): EncrypterInterface
+    {
+        if (! isset($this->encrypter[$encrypterKey])) {
+            if (! isset($this->authConfig->hmacEncryption['key'][$encrypterKey])) {
+                throw new RuntimeException('Encryption key does not exist.');
+            }
+
+            $config = new Encryption();
+
+            $config->key    = $this->authConfig->hmacEncryption['key'][$encrypterKey];
+            $config->driver = $this->authConfig->hmacEncryption['driver'][$encrypterKey];
+            $config->digest = $this->authConfig->hmacEncryption['digest'][$encrypterKey];
+
+            $this->encrypter[$encrypterKey] = Services::encrypter($config);
+        }
+
+        return $this->encrypter[$encrypterKey];
+    }
 }

src/Commands/Hmac.php

@@ -176,21 +176,20 @@ public function reEncrypt(): void
     {
         $uIdModel    = new UserIdentityModel();
         $uIdModelSub = new UserIdentityModel(); // For saving.
-        $decrypter   = new HmacEncrypter(true);
         $encrypter   = $this->encrypter;
 
         $that = $this;
 
         $uIdModel->where('type', 'hmac_sha256')->orderBy('id')->chunk(
             100,
-            static function ($identity) use ($uIdModelSub, $decrypter, $encrypter, $that): void {
-                if (! $decrypter->isEncryptedWithSetKey($identity->secret2)) {
+            static function ($identity) use ($uIdModelSub, $encrypter, $that): void {
+                if ($encrypter->isEncryptedWithCurrentKey($identity->secret2)) {
                     $that->write('id: ' . $identity->id . ', not re-encrypted, skipped.');
 
                     return;
                 }
 
-                $identity->secret2 = $decrypter->decrypt($identity->secret2);
+                $identity->secret2 = $encrypter->decrypt($identity->secret2);
                 $identity->secret2 = $encrypter->encrypt($identity->secret2);
                 $uIdModelSub->save($identity);
 

src/Commands/Setup.php

@@ -140,9 +140,8 @@ private function publishConfigAuthToken(): void
     {
         $file     = 'Config/AuthToken.php';
         $replaces = [
-            'namespace CodeIgniter\Shield\Config'  => 'namespace Config',
-            'use CodeIgniter\\Config\\BaseConfig;' => 'use CodeIgniter\\Shield\\Config\\AuthToken as ShieldAuthToken;',
-            'extends BaseConfig'                   => 'extends ShieldAuthToken',
+            'namespace CodeIgniter\Shield\Config;' => "namespace Config;\n\nuse CodeIgniter\\Shield\\Config\\AuthToken as ShieldAuthToken;",
+            'extends BaseAuthToken'                => 'extends ShieldAuthToken',
         ];
 
         $this->copyAndReplace($file, $replaces);

src/Config/AuthToken.php

@@ -13,12 +13,10 @@
 
 namespace CodeIgniter\Shield\Config;
 
-use CodeIgniter\Config\BaseConfig;
-
 /**
  * Configuration for Token Auth and HMAC Auth
  */
-class AuthToken extends BaseConfig
+class AuthToken extends BaseAuthToken
 {
     /**
      * --------------------------------------------------------------------
@@ -79,7 +77,7 @@ class AuthToken extends BaseConfig
      * This sets the key to be used when encrypting a user's HMAC Secret Key.
      *
      * 'key' is an array of keys which will facilitate key rotation. Valid
-     *  keyTitles must include only [a-zA-z0-9_] and should be kept to a
+     *  keyTitles must include only [a-zA-Z0-9_] and should be kept to a
      *  max of 8 characters.
      *
      * 'driver' is used when encrypting HMAC Secret Key for storage.
@@ -96,65 +94,18 @@ class AuthToken extends BaseConfig
      * This is an array of digest values.  The keys MUST match and correlate
      *  to the 'key' array keys.
      *
-     * The valid and old/deprecated keys are identified using 'currentKey'
-     *  and 'deprecatedKey'.
+     * The valid/current key is identified using 'currentKey'
      *
-     * 'deprecatedKey' reflects which 'key' is recently deprecated.  This
-     *  is required and used when rotating keys. Effectively, this is the
-     *  index selector for the old key.
+     * Old keys will are used to decrypt existing Secret Keys.  It is encouraged
+     *  to run 'php spark shield:hmac reencrypt' to update existing Secret
+     *  Key encryptions.
      *
      * @see https://codeigniter.com/user_guide/libraries/encryption.html
      */
     public array $hmacEncryption = [
-        'key'           => ['k1' => ''],
-        'driver'        => ['k1' => 'OpenSSL'],
-        'digest'        => ['k1' => 'SHA512'],
-        'currentKey'    => 'k1',
-        'deprecatedKey' => '',
+        'key'        => ['k1' => ''],
+        'driver'     => ['k1' => 'OpenSSL'],
+        'digest'     => ['k1' => 'SHA512'],
+        'currentKey' => 'k1',
     ];
-
-    /**
-     * AuthToken Config Constructor
-     */
-    public function __construct()
-    {
-        parent::__construct();
-
-        $overwriteHmacEncryptionFields = [
-            'key',
-            'driver',
-            'digest',
-        ];
-
-        foreach ($overwriteHmacEncryptionFields as $fieldName) {
-            if (is_string($this->hmacEncryption[$fieldName])) {
-                $array = json_decode($this->hmacEncryption[$fieldName], true);
-                if (is_array($array)) {
-                    $this->hmacEncryption[$fieldName] = $array;
-                }
-            }
-        }
-    }
-
-    /**
-     * Override parent initEnvValue() to allow for direct setting to array properties values from ENV
-     *
-     * In order to set array properties via ENV vars we need to set the property to a string value first.
-     *
-     * @param mixed $property
-     */
-    protected function initEnvValue(&$property, string $name, string $prefix, string $shortPrefix): void
-    {
-        switch ($name) {
-            case 'hmacEncryption.key':
-            case 'hmacEncryption.driver':
-            case 'hmacEncryption.digest':
-                // if attempting to set property from ENV, first set to empty string
-                if ($this->getEnvValue($name, $prefix, $shortPrefix) !== null) {
-                    $property = '';
-                }
-        }
-
-        parent::initEnvValue($property, $name, $prefix, $shortPrefix);
-    }
 }

src/Config/BaseAuthToken.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CodeIgniter\Shield\Config;
+
+use CodeIgniter\Config\BaseConfig;
+
+class BaseAuthToken extends BaseConfig
+{
+    public array $hmacEncryption;
+
+    /**
+     * AuthToken Config Constructor
+     */
+    public function __construct()
+    {
+        parent::__construct();
+
+        $overwriteHmacEncryptionFields = [
+            'key',
+            'driver',
+            'digest',
+        ];
+
+        foreach ($overwriteHmacEncryptionFields as $fieldName) {
+            if (is_string($this->hmacEncryption[$fieldName])) {
+                $array = json_decode($this->hmacEncryption[$fieldName], true);
+                if (is_array($array)) {
+                    $this->hmacEncryption[$fieldName] = $array;
+                }
+            }
+        }
+    }
+
+    /**
+     * Override parent initEnvValue() to allow for direct setting to array properties values from ENV
+     *
+     * In order to set array properties via ENV vars we need to set the property to a string value first.
+     *
+     * @param mixed $property
+     */
+    protected function initEnvValue(&$property, string $name, string $prefix, string $shortPrefix): void
+    {
+        switch ($name) {
+            case 'hmacEncryption.key':
+            case 'hmacEncryption.driver':
+            case 'hmacEncryption.digest':
+                // if attempting to set property from ENV, first set to empty string
+                if ($this->getEnvValue($name, $prefix, $shortPrefix) !== null) {
+                    $property = '';
+                }
+        }
+
+        parent::initEnvValue($property, $name, $prefix, $shortPrefix);
+    }
+}

tests/Commands/HmacTest.php

@@ -93,8 +93,7 @@ public function testReEncrypt(): void
         /** @var AuthToken $config */
         $config = config('AuthToken');
 
-        $config->hmacEncryption['currentKey']    = 'k2';
-        $config->hmacEncryption['deprecatedKey'] = 'k1';
+        $config->hmacEncryption['currentKey'] = 'k2';
 
         // new key generated with updated encryption
         $token2 = $user->generateHmacToken('bar');