/**
  * Create a new UserAgentGenerator instance.
  *
  * @param Key         $secretKey
  * @param string|null $userAgent
  */
 public function __construct(Key $secretKey, string $userAgent = null)
 {
     if ($userAgent !== null) {
         $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
     }
     $this->userAgent = $secretKey->saveToAsciiSafeString() . $userAgent;
 }
Example #2
0
 private function encryptGroupKey(User $user, Key $groupKey)
 {
     // Encrypt key with users public key
     $pubKey = $user->getPubKey();
     // TODO check return
     openssl_public_encrypt($groupKey->saveToAsciiSafeString(), $encryptedKey, $pubKey);
     return $encryptedKey;
 }
Example #3
0
 /**
  * @expectedException \Defuse\Crypto\Exception\BadFormatException
  * @excpectedExceptionMessage key version header
  */
 public function testIncorrectHeader()
 {
     $key = Key::createNewRandomKey();
     $str = $key->saveToAsciiSafeString();
     $str[0] = 'f';
     Key::loadFromAsciiSafeString($str);
 }
 /**
  * @expectedException \Defuse\Crypto\Exception\InvalidCiphertext
  */
 public function testBitflip()
 {
     $key = \Defuse\Crypto\Key::LoadFromAsciiSafeString(\hex2bin('0102030405060708090a0b0c0d0e0f10'));
     $password = PasswordLock::hashAndEncrypt('YELLOW SUBMARINE', $key);
     $password[0] = \ord($password[0]) === 0 ? 255 : 0;
     PasswordLock::decryptAndVerify('YELLOW SUBMARINE', $password, $key);
 }
 /**
  * @expectedException \Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException
  */
 public function testBitflip()
 {
     $key = Key::createNewRandomKey();
     $password = PasswordLock::hashAndEncrypt('YELLOW SUBMARINE', $key);
     $password[0] = \ord($password[0]) === 0 ? 255 : 0;
     PasswordLock::decryptAndVerify('YELLOW SUBMARINE', $password, $key);
 }
Example #6
0
 function install()
 {
     if (self::$key === null) {
         $cryptokey = \Defuse\Crypto\Key::createNewRandomKey();
         self::$key = $cryptokey->saveToAsciiSafeString();
     }
     $authconfig = $this->getConfigIni()->getValue('auth', 'coordplugins');
     $authconfigMaster = $this->getLocalConfigIni()->getValue('auth', 'coordplugins');
     $forWS = in_array($this->entryPoint->type, array('json', 'jsonrpc', 'soap', 'xmlrpc'));
     if (!$authconfig || $forWS && $authconfig == $authconfigMaster) {
         if ($forWS) {
             $pluginIni = 'authsw.coord.ini.php';
         } else {
             $pluginIni = 'auth.coord.ini.php';
         }
         $authconfig = dirname($this->entryPoint->getConfigFile()) . '/' . $pluginIni;
         if ($this->firstExec('auth:' . $authconfig)) {
             // no configuration, let's install the plugin for the entry point
             $this->config->setValue('auth', $authconfig, 'coordplugins');
             if (!file_exists(jApp::configPath($authconfig))) {
                 $this->copyFile('var/config/' . $pluginIni, jApp::configPath($authconfig));
             }
         }
     }
     $this->getLocalConfigIni()->setValue('persistant_encryption_key', self::$key, 'coordplugin_auth');
 }
Example #7
0
 public function testEncryptionAndDecrypt()
 {
     $e = new Encrypter(Key::createNewRandomKey());
     $encrypted = $e->encrypt('foo');
     $this->assertNotEquals('foo', $encrypted);
     $this->assertEquals('foo', $e->decrypt($encrypted));
 }
Example #8
0
 /**
  * Creates instance
  *
  * @param string $key The encryption key
  *
  * @throws \CodeCollab\Encryption\CryptoException When the key is not in a valid format
  */
 public function __construct(string $key)
 {
     try {
         $this->key = DefuseKey::loadFromAsciiSafeString($key);
     } catch (BadFormatException $e) {
         throw new CryptoException($e->getMessage(), $e->getCode(), $e);
     }
 }
 public function testProviderWithoutConfigManagerAndNamespace()
 {
     $container = new Container();
     $container->register(new HashingServiceProvider());
     $container->instance('viserio.hashing.options', ['key' => Key::createNewRandomKey()]);
     $this->assertInstanceOf(Password::class, $container->get(Password::class));
     $this->assertInstanceOf(Password::class, $container->get('password'));
 }
 /**
  * @param $key
  * @param array $options
  */
 public function __construct($key, array $options = [])
 {
     if (is_string($key)) {
         $key = Key::loadFromAsciiSafeString($key);
     }
     $this->key = $key;
     $this->setOptions($options);
 }
Example #11
0
 /**
  * Generates a new key
  *
  * @return string The generated key
  *
  * @throws \CodeCollab\Encryption\CryptoException When not being able to create a sufficient strong key
  */
 public function generate() : string
 {
     try {
         return DefuseKey::createNewRandomKey()->saveToAsciiSafeString();
     } catch (EnvironmentIsBrokenException $e) {
         throw new CryptoException($e->getMessage(), $e->getCode(), $e);
     }
 }
Example #12
0
 /**
  * Decrypt with AES256.
  * This method relies on the settings in application config `AES_KEY256` which is generated at install to 
  * a unique key for your application. You can use a different key by passing it in at `$key256`.
  *
  *
  * @param  string $crypt Value to decrypt using AES256.
  * @param null|string $key256 An options key used to perform the decryption with instead of the `AES_KEY256`.
  *
  * @return string The decrypted value of $crypt.
  */
 public function decrypt($crypt, $key256 = null)
 {
     if ($key256 === null) {
         $key256 = \App::config('AES_KEY256');
     }
     //if
     $key256 = \Defuse\Crypto\Key::loadFromAsciiSafeString($key256);
     return \Defuse\Crypto\Crypto::decrypt($crypt, $key256);
 }
 public function testGenerate()
 {
     $generator = new UserAgentGenerator(Key::createNewRandomKey(), 'test');
     $this->assertInternalType('string', $generator->generate());
     $this->assertSame(40, strlen($generator->generate()));
     $generator = new UserAgentGenerator(Key::createNewRandomKey());
     $this->assertInternalType('string', $generator->generate());
     $this->assertSame(40, strlen($generator->generate()));
 }
Example #14
0
 public static function encryptDataKeyAndPutIntoSession(Request $request, User $user, $password, $salt)
 {
     $key = Key::CreateKeyBasedOnPassword($password, $salt);
     $encryptedKey = $user->getDataKey();
     $asciiDataKey = Crypto::decrypt($encryptedKey, $key, true);
     $dataKey = Key::LoadFromAsciiSafeString($asciiDataKey);
     $request->getSession()->set(AuthSuccessHandler::SESSION_KEY_DATA_KEY, $dataKey);
     return $dataKey;
 }
 public function testProviderWithoutConfigManagerAndNamespace()
 {
     $container = new Container();
     $container->register(new EncrypterServiceProvider());
     $key = Key::createNewRandomKey();
     $container->instance('viserio.encryption.options', ['key' => $key->saveToAsciiSafeString()]);
     $this->assertInstanceOf(Encrypter::class, $container->get(Encrypter::class));
     $this->assertInstanceOf(Encrypter::class, $container->get('encrypter'));
 }
Example #16
0
 public function testEncryptDecryptWithPassword()
 {
     $data = "EnCrYpT EvErYThInG";
     $password = '******';
     // Make sure encrypting then decrypting doesn't change the message.
     $ciphertext = Crypto::encryptWithPassword($data, $password, true);
     try {
         $decrypted = Crypto::decryptWithPassword($ciphertext, $password, true);
     } catch (Ex\WrongKeyOrModifiedCiphertextException $ex) {
         // It's important to catch this and change it into a
         // Ex\EnvironmentIsBrokenException, otherwise a test failure could trick
         // the user into thinking it's just an invalid ciphertext!
         throw new Ex\EnvironmentIsBrokenException();
     }
     if ($decrypted !== $data) {
         throw new Ex\EnvironmentIsBrokenException();
     }
     // Modifying the ciphertext: Appending a string.
     try {
         Crypto::decryptWithPassword($ciphertext . 'a', $password, true);
         throw new Ex\EnvironmentIsBrokenException();
     } catch (Ex\WrongKeyOrModifiedCiphertextException $e) {
         /* expected */
     }
     // Modifying the ciphertext: Changing an HMAC byte.
     $indices_to_change = [0, Core::HEADER_VERSION_SIZE + 1, Core::HEADER_VERSION_SIZE + Core::SALT_BYTE_SIZE + 1, Core::HEADER_VERSION_SIZE + Core::SALT_BYTE_SIZE + Core::BLOCK_BYTE_SIZE + 1];
     foreach ($indices_to_change as $index) {
         try {
             $ciphertext[$index] = \chr((\ord($ciphertext[$index]) + 1) % 256);
             Crypto::decryptWithPassword($ciphertext, $password, true);
             throw new Ex\EnvironmentIsBrokenException();
         } catch (Ex\WrongKeyOrModifiedCiphertextException $e) {
             /* expected */
         }
     }
     // Decrypting with the wrong password.
     $password = '******';
     $data = 'abcdef';
     $ciphertext = Crypto::encryptWithPassword($data, $password, true);
     $wrong_password = '******';
     try {
         Crypto::decryptWithPassword($ciphertext, $wrong_password, true);
         throw new Ex\EnvironmentIsBrokenException();
     } catch (Ex\WrongKeyOrModifiedCiphertextException $e) {
         /* expected */
     }
     // Ciphertext too small.
     $password = Key::createNewRandomKey();
     $ciphertext = \str_repeat('A', Core::MINIMUM_CIPHERTEXT_SIZE - 1);
     try {
         Crypto::decryptWithPassword($ciphertext, $password, true);
         throw new Ex\EnvironmentIsBrokenException();
     } catch (Ex\WrongKeyOrModifiedCiphertextException $e) {
         /* expected */
     }
 }
Example #17
0
 public function testGenerateWithIp()
 {
     $_SERVER['REMOTE_ADDR'] = '192.0.2.60';
     $generator = new ClientIpGenerator(Key::createNewRandomKey());
     $this->assertInternalType('string', $generator->generate());
     $this->assertSame(40, strlen($generator->generate()));
     unset($_SERVER['REMOTE_ADDR']);
     // return empty ip string
     $this->assertInternalType('string', $generator->generate());
     $this->assertSame(40, strlen($generator->generate()));
 }
Example #18
0
 public function setUp()
 {
     parent::setUp();
     $encrypter = new Encrypter(Key::createNewRandomKey());
     $config = $this->mock(ConfigContract::class);
     $config->shouldReceive('get')->with('cache.drivers', []);
     $config->shouldReceive('get')->with('cache.namespace');
     $manager = new SessionManager($config, $encrypter);
     $manager->setContainer(new ArrayContainer([JarContract::class => $this->mock(JarContract::class), CacheManagerContract::class => new CacheManager($config)]));
     $this->manager = $manager;
 }
 public function testProvider()
 {
     $container = new Container();
     $container->register(new EncrypterServiceProvider());
     $container->register(new ConfigServiceProvider());
     $container->register(new SessionServiceProvider());
     $container->register(new FilesServiceProvider());
     $key = Key::createNewRandomKey();
     $container->get('config')->set('encryption', ['key' => $key->saveToAsciiSafeString()]);
     $container->get('config')->set('session', ['path' => '', 'lifetime' => 3000, 'cookie' => 'test']);
     $this->assertInstanceOf(SessionManager::class, $container->get(SessionManager::class));
     $this->assertInstanceOf(SessionManager::class, $container->get('session'));
     $this->assertInstanceOf(StoreContract::class, $container->get('session.store'));
 }
Example #20
0
 /**
  * 
  * Encrypt a message with defuse/php-encryption, using an ephemeral key, 
  * then encrypt the key with RSA.
  * 
  * @param string $ciphertext
  * @param PrivateKey $rsaPrivateKey
  * 
  * @return string
  * @throws InvalidCiphertextException
  * @throws InvalidChecksumException
  */
 public static function decrypt($ciphertext, PrivateKey $rsaPrivateKey)
 {
     $split = explode(self::SEPARATOR, $ciphertext);
     if (\count($split) !== 4) {
         throw new InvalidCiphertextException('Invalid ciphertext message');
     }
     if (!\hash_equals($split[0], self::VERSION_TAG)) {
         throw new InvalidCiphertextException('Invalid version tag');
     }
     $checksum = \substr(\hash('sha256', implode('$', array_slice($split, 0, 3))), 0, 16);
     if (!\hash_equals($split[3], $checksum)) {
         throw new InvalidChecksumException('Invalid checksum');
     }
     $key = Key::loadFromAsciiSafeString(self::rsaDecrypt(Base64::decode($split[1]), $rsaPrivateKey));
     return Crypto::Decrypt(Base64::decode($split[2]), $key, true);
 }
Example #21
0
 function install()
 {
     if (self::$key === null) {
         $cryptokey = \Defuse\Crypto\Key::createNewRandomKey();
         self::$key = $cryptokey->saveToAsciiSafeString();
     }
     $conf = $this->getConfigIni()->getValue('auth', 'coordplugins');
     if ($conf == '1') {
         $this->getConfigIni()->removeValue('persistant_crypt_key', 'coordplugin_auth');
     } else {
         if ($conf) {
             $conff = jApp::configPath($conf);
             if (file_exists($conff)) {
                 $ini = new \Jelix\IniFile\IniModifier($conff);
                 $ini->removeValue('persistant_crypt_key');
             }
         }
     }
     $this->getLocalConfigIni()->setValue('persistant_encryption_key', self::$key, 'coordplugin_auth');
 }
Example #22
0
 /**
  * @param Schema $schema
  */
 public function up(Schema $schema)
 {
     // this up() migration is auto-generated, please modify it to your needs
     $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on \'mysql\'.');
     $password = '******';
     $hash = password_hash($password, PASSWORD_BCRYPT);
     $salt = base64_decode($this->container->getParameter('salt_key'));
     if (\strlen($salt) < Key::MIN_SAFE_KEY_BYTE_SIZE) {
         $suggestedSalt = base64_encode(openssl_random_pseudo_bytes(Key::MIN_SAFE_KEY_BYTE_SIZE * 2));
         throw new AbortMigrationException('You need to define an own salt_key in your parameters.yml file which is at least ' . Key::MIN_SAFE_KEY_BYTE_SIZE . ' characters long.' . "\n" . 'Following a randomly created key:' . "\n" . 'salt_key: ' . $suggestedSalt);
     }
     $dataKey = null;
     if ($this->container->hasParameter('data_key_delete_after_migration')) {
         $asciiDataKey = $this->container->getParameter('data_key_delete_after_migration');
         $dataKey = Key::LoadFromAsciiSafeString($asciiDataKey);
     }
     if ($dataKey == null) {
         throw new AbortMigrationException('You need to define an own data_key_delete_after_migration in your parameters.yml which is a key generated with \\Defuse\\Crypto\\Key::CreateNewRandomKey()->saveToAsciiSafeString()' . "\n" . 'Following a randomly created key:' . "\n" . 'data_key_delete_after_migration: ' . Key::CreateNewRandomKey()->saveToAsciiSafeString() . "\n" . 'YOU MUST delete this entry in your parameters.yml afterwards (you can make a copy on a save device).');
     }
     $key = Key::CreateKeyBasedOnPassword($password, $salt);
     $encryptedDataKey = Crypto::encrypt($asciiDataKey, $key, true);
     $this->addSql('CREATE TABLE category (id INT AUTO_INCREMENT NOT NULL, name VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, UNIQUE INDEX UNIQ_64C19C15E237E06 (name), INDEX IDX_64C19C1A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB');
     $this->addSql('CREATE TABLE purchase (id INT AUTO_INCREMENT NOT NULL, user_id INT NOT NULL, purchase_date DATE NOT NULL, total VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, INDEX IDX_6117D13BA76ED395 (user_id), INDEX IDX_6117D13BA7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB');
     $this->addSql('CREATE TABLE purchase_position (id INT AUTO_INCREMENT NOT NULL, purchase_id INT NOT NULL, category_id INT NOT NULL, expression LONGBLOB NOT NULL, price VARBINARY(255) NOT NULL, notice LONGBLOB NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, INDEX IDX_6FEEF7A712469DE2 (category_id), INDEX IDX_6FEEF7A7558FBEB9 (purchase_id), INDEX IDX_6FEEF7A7A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB');
     $this->addSql('CREATE TABLE app_users (id INT AUTO_INCREMENT NOT NULL, username VARCHAR(25) NOT NULL, password VARCHAR(64) NOT NULL, email VARCHAR(60) NOT NULL, role VARCHAR(20) DEFAULT NULL, data_key VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, UNIQUE INDEX UNIQ_C2502824F85E0677 (username), UNIQUE INDEX UNIQ_C2502824E7927C74 (email), INDEX IDX_C2502824A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB');
     $this->addSql('ALTER TABLE category ADD CONSTRAINT FK_64C19C1A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)');
     $this->addSql('ALTER TABLE purchase ADD CONSTRAINT FK_6117D13BA76ED395 FOREIGN KEY (user_id) REFERENCES app_users (id)');
     $this->addSql('ALTER TABLE purchase ADD CONSTRAINT FK_6117D13BA7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)');
     $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A712469DE2 FOREIGN KEY (category_id) REFERENCES category (id)');
     $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A7558FBEB9 FOREIGN KEY (purchase_id) REFERENCES purchase (id) ON DELETE CASCADE');
     $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A7A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)');
     $this->addSql('ALTER TABLE app_users ADD CONSTRAINT FK_C2502824A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)');
     $now = date('Y-m-d\\TH:i:s', time());
     $this->addSql('INSERT INTO app_users (username, password, role, data_key, updated_by_user, updated_at) ' . 'VALUES (\'admin\', :password, \'ROLE_ADMIN\', :data_key, \'1\', :updated_at)', array('password' => $hash, 'data_key' => $encryptedDataKey, 'updated_at' => $now));
     $this->addSql('INSERT INTO category (name, updated_by_user, updated_at) ' . 'VALUES (:name, \'1\', :updated_at)', array('name' => Crypto::encrypt('Lebensmittel', $dataKey, true), 'updated_at' => $now));
 }
Example #23
0
 /**
  * Method to generate a new encryption key object.
  *
  * @param   array  $options  Key generation options.
  *
  * @return  Key
  *
  * @since   1.3.0
  * @throws  \RuntimeException
  */
 public function generateKey(array $options = array())
 {
     // Generate the encryption key.
     try {
         $public = DefuseKey::createNewRandomKey();
     } catch (EnvironmentIsBrokenException $ex) {
         throw new \RuntimeException('Cannot safely create a key', $ex->getCode(), $ex);
     }
     // Create the new encryption key object.
     return new Key('crypto', $public->saveToAsciiSafeString(), $public->getRawBytes());
 }
Example #24
0
 /**
  * Decrypt the contents of a file handle $inputHandle and store the results
  * in $outputHandle using HKDF of $key to decrypt then verify
  *
  * @param resource $inputHandle
  * @param resource $outputHandle
  * @param Key $key
  * @return boolean
  */
 public static function decryptResource($inputHandle, $outputHandle, Key $key)
 {
     // Because we don't have strict typing in PHP 5
     if (!\is_resource($inputHandle)) {
         throw new Ex\InvalidInput('Input handle must be a resource!');
     }
     if (!\is_resource($outputHandle)) {
         throw new Ex\InvalidInput('Output handle must be a resource!');
     }
     // Parse the header.
     $header = self::readBytes($inputHandle, Core::HEADER_VERSION_SIZE);
     $config = self::getFileVersionConfigFromHeader($header, Core::CURRENT_FILE_VERSION);
     // Let's add this check before anything
     if (!\in_array($config->hashFunctionName(), \hash_algos())) {
         throw new Ex\CannotPerformOperationException('The specified hash function does not exist');
     }
     // Let's grab the file salt.
     $file_salt = self::readBytes($inputHandle, $config->saltByteSize());
     // For storing MACs of each buffer chunk
     $macs = [];
     /**
      * 1. We need to decode some values from our files
      */
     /**
      * Let's split our keys
      *
      * $ekey -- Encryption Key -- used for AES
      */
     $ekey = Core::HKDF($config->hashFunctionName(), $key->getRawBytes(), $config->keyByteSize(), $config->encryptionInfoString(), $file_salt, $config);
     /**
      * $akey -- Authentication Key -- used for HMAC
      */
     $akey = Core::HKDF($config->hashFunctionName(), $key->getRawBytes(), $config->keyByteSize(), $config->authenticationInfoString(), $file_salt, $config);
     /**
      * Grab our IV from the encrypted message
      *
      * It should be the first N blocks of the file (N = 16)
      */
     $ivsize = \openssl_cipher_iv_length($config->cipherMethod());
     $iv = self::readBytes($inputHandle, $ivsize);
     // How much do we increase the counter after each buffered encryption to prevent nonce reuse
     $inc = $config->bufferByteSize() / $config->blockByteSize();
     $thisIv = $iv;
     /**
      * Let's grab our MAC
      *
      * It should be the last N blocks of the file (N = 32)
      */
     if (\fseek($inputHandle, -1 * $config->macByteSize(), SEEK_END) === false) {
         throw new Ex\CannotPerformOperationException('Cannot seek to beginning of MAC within input file');
     }
     // Grab our last position of ciphertext before we read the MAC
     $cipher_end = \ftell($inputHandle);
     if ($cipher_end === false) {
         throw new Ex\CannotPerformOperationException('Cannot read input file');
     }
     --$cipher_end;
     // We need to subtract one
     // We keep our MAC stored in this variable
     $stored_mac = self::readBytes($inputHandle, $config->macByteSize());
     /**
      * We begin recalculating the HMAC for the entire file...
      */
     $hmac = \hash_init($config->hashFunctionName(), HASH_HMAC, $akey);
     if ($hmac === false) {
         throw new Ex\CannotPerformOperationException('Cannot initialize a hash context');
     }
     /**
      * Reset file pointer to the beginning of the file after the header
      */
     if (\fseek($inputHandle, Core::HEADER_VERSION_SIZE, SEEK_SET) === false) {
         throw new Ex\CannotPerformOperationException('Cannot read seek within input file');
     }
     /**
      * Set it to the first non-salt and non-IV byte
      */
     if (\fseek($inputHandle, $config->saltByteSize() + $ivsize, SEEK_CUR) === false) {
         throw new Ex\CannotPerformOperationException('Cannot read seek input file to beginning of ciphertext');
     }
     /**
      * 2. Let's recalculate the MAC
      */
     /**
      * Let's initialize our $hmac hasher with our Salt and IV
      */
     \hash_update($hmac, $header);
     \hash_update($hmac, $file_salt);
     \hash_update($hmac, $iv);
     $hmac2 = \hash_copy($hmac);
     $break = false;
     while (!$break) {
         /**
          * First, grab the current position
          */
         $pos = \ftell($inputHandle);
         if ($pos === false) {
             throw new Ex\CannotPerformOperationException('Could not get current position in input file during decryption');
         }
         /**
          * Would a full DBUFFER read put it past the end of the
          * ciphertext? If so, only return a portion of the file.
          */
         if ($pos + $config->bufferByteSize() >= $cipher_end) {
             $break = true;
             $read = self::readBytes($inputHandle, $cipher_end - $pos + 1);
         } else {
             $read = self::readBytes($inputHandle, $config->bufferByteSize());
         }
         if ($read === false) {
             throw new Ex\CannotPerformOperationException('Could not read input file during decryption');
         }
         /**
          * We're updating our HMAC and nothing else
          */
         \hash_update($hmac, $read);
         /**
          * Store a MAC of each chunk
          */
         $chunkMAC = \hash_copy($hmac);
         if ($chunkMAC === false) {
             throw new Ex\CannotPerformOperationException('Cannot duplicate a hash context');
         }
         $macs[] = \hash_final($chunkMAC);
     }
     /**
      * We should now have enough data to generate an identical HMAC
      */
     $finalHMAC = \hash_final($hmac, true);
     /**
      * 3. Did we match?
      */
     if (!Core::hashEquals($finalHMAC, $stored_mac)) {
         throw new Ex\InvalidCiphertextException('Message Authentication failure; tampering detected.');
     }
     /**
      * 4. Okay, let's begin decrypting
      */
     /**
      * Return file pointer to the first non-header, non-IV byte in the file
      */
     if (\fseek($inputHandle, $config->saltByteSize() + $ivsize + Core::HEADER_VERSION_SIZE, SEEK_SET) === false) {
         throw new Ex\CannotPerformOperationException('Could not move the input file pointer during decryption');
     }
     /**
      * Should we break the writing?
      */
     $breakW = false;
     /**
      * This loop writes plaintext to the destination file:
      */
     while (!$breakW) {
         /**
          * Get the current position
          */
         $pos = \ftell($inputHandle);
         if ($pos === false) {
             throw new Ex\CannotPerformOperationException('Could not get current position in input file during decryption');
         }
         /**
          * Would a full BUFFER read put it past the end of the
          * ciphertext? If so, only return a portion of the file.
          */
         if ($pos + $config->bufferByteSize() >= $cipher_end) {
             $breakW = true;
             $read = self::readBytes($inputHandle, $cipher_end - $pos + 1);
         } else {
             $read = self::readBytes($inputHandle, $config->bufferByteSize());
         }
         /**
          * Recalculate the MAC, compare with the one stored in the $macs
          * array to ensure attackers couldn't tamper with the file
          * after MAC verification
          */
         \hash_update($hmac2, $read);
         $calcMAC = \hash_copy($hmac2);
         if ($calcMAC === false) {
             throw new Ex\CannotPerformOperationException('Cannot duplicate a hash context');
         }
         $calc = \hash_final($calcMAC);
         if (empty($macs)) {
             throw new Ex\InvalidCiphertextException('File was modified after MAC verification');
         } elseif (!Core::hashEquals(\array_shift($macs), $calc)) {
             throw new Ex\InvalidCiphertextException('File was modified after MAC verification');
         }
         $thisIv = Core::incrementCounter($thisIv, $inc, $config);
         /**
          * Perform the AES decryption. Decrypts the message.
          */
         $decrypted = \openssl_decrypt($read, $config->cipherMethod(), $ekey, OPENSSL_RAW_DATA, $thisIv);
         /**
          * Test for decryption faulure
          */
         if ($decrypted === false) {
             throw new Ex\CannotPerformOperationException('OpenSSL decryption error');
         }
         /**
          * Write the plaintext out to the output file
          */
         self::writeBytes($outputHandle, $decrypted, Core::ourStrlen($decrypted));
     }
     return true;
 }
Example #25
0
 public function testShouldRecreate()
 {
     $key = Key::createNewRandomKey();
     $hash = $this->password->create('totally-insecure-but-lengthy-password');
     $this->assertNotSame($hash, $this->password->shouldRecreate($hash, $key));
 }
Example #26
0
 /**
  * @return \Defuse\Crypto\Key
  */
 private function createKey($hash)
 {
     return Key::CreateKeyBasedOnPassword($hash, $this->saltKey);
 }
 public function getKey($rawKey)
 {
     // If this is already a \Defuse\Crypto\Key object, just return it
     if ($rawKey instanceof Key) {
         return $rawKey;
     }
     if ($rawKey === null && defined('ENCRYPT_AT_REST_KEY')) {
         // Retrieve key from _ss_env, if set
         $rawKey = ENCRYPT_AT_REST_KEY;
     }
     if ($rawKey === null) {
         throw new \InvalidArgumentException('Can\'t encrypt without a key. Define ENCRYPT_AT_REST_KEY, or pass the $key argument.');
     }
     $key = Key::LoadFromAsciiSafeString($rawKey);
     return $key;
 }
Example #28
0
 public static function generateCookieToken($login, $password)
 {
     $persistence = 0;
     $config = self::loadConfig();
     // Add a cookie for session persistance, if enabled
     if (isset($config['persistant_enable']) && $config['persistant_enable']) {
         if (trim($config['persistant_encryption_key']) == '' || trim($config['persistant_cookie_name']) == '') {
             jLog::log(jLocale::get('jelix~auth.error.persistant.incorrectconfig', 'persistant_cookie_name, persistant_encryption_key'), 'error');
             return 0;
         }
         if (isset($config['persistant_duration'])) {
             $persistence = intval($config['persistant_duration']) * 86400;
         } else {
             $persistence = 86400;
             // 24h
         }
         $persistence += time();
         $cryptokey = \Defuse\Crypto\Key::loadFromAsciiSafeString($config['persistant_encryption_key']);
         $encrypted = \Defuse\Crypto\Crypto::encrypt(json_encode(array($login, $password)), $cryptokey);
         setcookie($config['persistant_cookie_name'], $encrypted, $persistence, $config['persistant_cookie_path'], "", false, true);
     }
     return $persistence;
 }
Example #29
0
 private function encodePasswordAndChangeDataKey(User $user)
 {
     $plainPassword = $user->getPlainPassword();
     $password = $this->get('security.password_encoder')->encodePassword($user, $plainPassword);
     $user->setPassword($password);
     $saltKey = base64_decode($this->getParameter('salt_key'));
     $key = Key::CreateKeyBasedOnPassword($plainPassword, $saltKey);
     /*@var $cryptoKey \Defuse\Crypto\Key */
     $cryptoKey = $this->get('session')->get(AuthSuccessHandler::SESSION_KEY_DATA_KEY);
     $asciiDataKey = $cryptoKey->saveToAsciiSafeString();
     $encryptedDataKey = Crypto::encrypt($asciiDataKey, $key, true);
     $user->setDataKey($encryptedDataKey);
 }
Example #30
0
 public function testStartMethodGeneratesFingerprint()
 {
     $session = $this->session;
     $oldFingerprint = $session->getFingerprint();
     $session->addFingerprintGenerator(new UserAgentGenerator(Key::createNewRandomKey(), 'test'));
     $session->start();
     $this->assertSame('', $oldFingerprint);
     $this->assertEquals(40, strlen($session->getFingerprint()));
     $this->assertNotEquals($oldFingerprint, $session->getFingerprint());
 }