/**
* Must accept data and return encrypted data
*/
public function encrypt($data)
{
if (!is_string($data) || empty($data)) {
return $data;
}
return $this->adapter->encrypt($data);
}
public function testDecryptAuthFail()
{
$this->blockCipher->setKey('test');
$this->blockCipher->setKeyIteration(1000);
$encrypted = $this->blockCipher->encrypt($this->plaintext);
$this->assertTrue(!empty($encrypted));
// tamper the encrypted data
$encrypted = substr($encrypted, -1);
$decrypted = $this->blockCipher->decrypt($encrypted);
$this->assertTrue($decrypted === false);
}
/**
* Encrypt using a keyrings
*
* @param string $plaintext
* @param array|string $keys
* @return string
* @throws RuntimeException
*/
public function encrypt($plaintext, $keys = null)
{
// generate a random session key
$sessionKey = Rand::getBytes($this->bCipher->getCipher()->getKeySize());
// encrypt the plaintext with blockcipher algorithm
$this->bCipher->setKey($sessionKey);
$ciphertext = $this->bCipher->encrypt($plaintext);
if (!is_array($keys)) {
$keys = ['' => $keys];
}
$encKeys = '';
// encrypt the session key with public keys
foreach ($keys as $id => $pubkey) {
if (!$pubkey instanceof PubKey && !is_string($pubkey)) {
throw new Exception\RuntimeException(sprintf("The public key must be a string in PEM format or an instance of %s", PubKey::class));
}
$pubkey = is_string($pubkey) ? new PubKey($pubkey) : $pubkey;
$encKeys .= sprintf("%s:%s:", base64_encode($id), base64_encode($this->rsa->encrypt($sessionKey, $pubkey)));
}
return $encKeys . ';' . $ciphertext;
}
/**
* This is a central function for encrypting and decrypting so that
* logic is all in one location
*
* @param string $text The text to be encrypted or decrypted
* @param bool $encrypt True if we wish to encrypt text, False if we wish to
* decrypt text.
*
* @return string|bool The encrypted/decrypted string
* @throws \VuFind\Exception\PasswordSecurity
*/
protected function encryptOrDecrypt($text, $encrypt = true)
{
// Ignore empty text:
if (empty($text)) {
return $text;
}
// Load encryption key from configuration if not already present:
if (null === $this->encryptionKey) {
if (!isset($this->config->Authentication->ils_encryption_key) || empty($this->config->Authentication->ils_encryption_key)) {
throw new \VuFind\Exception\PasswordSecurity('ILS password encryption on, but no key set.');
}
$this->encryptionKey = $this->config->Authentication->ils_encryption_key;
}
// Perform encryption:
$cipher = new BlockCipher(new Mcrypt(['algorithm' => 'blowfish']));
$cipher->setKey($this->encryptionKey);
return $encrypt ? $cipher->encrypt($text) : $cipher->decrypt($text);
}
public function encrypt($string)
{
return $this->cipher->encrypt($string);
}
public function encrypt(&$data, BlockCipher $blockCipher)
{
$data['secretString'] = $blockCipher->encrypt($data['secretString']);
$data['secretArray'] = $blockCipher->encrypt(json_encode($data['secretArray']));
}
public function createIdentity(string $username, string $password) : Identity
{
return new Identity($username, $this->blockCipher->encrypt($password));
}
/**
* Convert hash algorithms
* Expected parameters: oldmethod:oldkey (or none) newmethod:newkey
*
* @return \Zend\Console\Response
*/
public function switchdbhashAction()
{
// Validate command line arguments:
$argv = $this->consoleOpts->getRemainingArgs();
if (count($argv) < 1) {
Console::writeLine('Expected parameters: newmethod [newkey]');
return $this->getFailureResponse();
}
// Pull existing encryption settings from the configuration:
$config = $this->getConfig();
if (!isset($config->Authentication->encrypt_ils_password) || !isset($config->Authentication->ils_encryption_key) || !$config->Authentication->encrypt_ils_password) {
$oldhash = 'none';
$oldkey = null;
} else {
$oldhash = isset($config->Authentication->ils_encryption_algo) ? $config->Authentication->ils_encryption_algo : 'blowfish';
$oldkey = $config->Authentication->ils_encryption_key;
}
// Pull new encryption settings from arguments:
$newhash = $argv[0];
$newkey = isset($argv[1]) ? $argv[1] : $oldkey;
// No key specified AND no key on file = fatal error:
if ($newkey === null) {
Console::writeLine('Please specify a key as the second parameter.');
return $this->getFailureResponse();
}
// If no changes were requested, abort early:
if ($oldkey == $newkey && $oldhash == $newhash) {
Console::writeLine('No changes requested -- no action needed.');
return $this->getSuccessResponse();
}
// Initialize Mcrypt first, so we can catch any illegal algorithms before
// making any changes:
try {
if ($oldhash != 'none') {
$oldCrypt = new Mcrypt(['algorithm' => $oldhash]);
}
$newCrypt = new Mcrypt(['algorithm' => $newhash]);
} catch (\Exception $e) {
Console::writeLine($e->getMessage());
return $this->getFailureResponse();
}
// Next update the config file, so if we are unable to write the file,
// we don't go ahead and make unwanted changes to the database:
$configPath = ConfigLocator::getLocalConfigPath('config.ini', null, true);
Console::writeLine("\tUpdating {$configPath}...");
$writer = new ConfigWriter($configPath);
$writer->set('Authentication', 'encrypt_ils_password', true);
$writer->set('Authentication', 'ils_encryption_algo', $newhash);
$writer->set('Authentication', 'ils_encryption_key', $newkey);
if (!$writer->save()) {
Console::writeLine("\tWrite failed!");
return $this->getFailureResponse();
}
// Now do the database rewrite:
$userTable = $this->getServiceLocator()->get('VuFind\\DbTablePluginManager')->get('User');
$users = $userTable->select(function ($select) {
$select->where->isNotNull('cat_username');
});
Console::writeLine("\tConverting hashes for " . count($users) . ' user(s).');
foreach ($users as $row) {
$pass = null;
if ($oldhash != 'none' && isset($row['cat_pass_enc'])) {
$oldcipher = new BlockCipher($oldCrypt);
$oldcipher->setKey($oldkey);
$pass = $oldcipher->decrypt($row['cat_pass_enc']);
} else {
$pass = $row['cat_password'];
}
$newcipher = new BlockCipher($newCrypt);
$newcipher->setKey($newkey);
$row['cat_password'] = null;
$row['cat_pass_enc'] = $newcipher->encrypt($pass);
$row->save();
}
// If we got this far, all went well!
Console::writeLine("\tFinished.");
return $this->getSuccessResponse();
}
/**
* {@inheritDoc}
*/
public function encrypt($data)
{
return $this->blockCipher->encrypt(json_encode($data));
}
