/**
* Must accept data and return decrypted data
*/
public function decrypt($data)
{
if (empty($data)) {
return $data;
}
return $this->adapter->decrypt($data);
}
public function testDecryptAuthFail()
{
$this->blockCipher->setKey('test');
$this->blockCipher->setKeyIteration(1000);
$encrypted = $this->blockCipher->encrypt($this->plaintext);
$this->assertTrue(!empty($encrypted));
// tamper the encrypted data
$encrypted = substr($encrypted, -1);
$decrypted = $this->blockCipher->decrypt($encrypted);
$this->assertTrue($decrypted === false);
}
/**
* Decrypt using a private key
*
* @param string $msg
* @param string $privateKey
* @param string $passPhrase
* @param string $id
* @return string
* @throws RuntimeException
*/
public function decrypt($msg, $privateKey = null, $passPhrase = null, $id = null)
{
// get the session key
list($encKeys, $ciphertext) = explode(';', $msg, 2);
$keys = explode(':', $encKeys);
$pos = array_search(base64_encode($id), $keys);
if (false === $pos) {
throw new Exception\RuntimeException("This private key cannot be used for decryption");
}
if (!$privateKey instanceof PrivateKey && !is_string($privateKey)) {
throw new Exception\RuntimeException(sprintf("The private key must be a string in PEM format or an instance of %s", PrivateKey::class));
}
$privateKey = is_string($privateKey) ? new PrivateKey($privateKey, $passPhrase) : $privateKey;
// decrypt the session key with privateKey
$sessionKey = $this->rsa->decrypt(base64_decode($keys[$pos + 1]), $privateKey);
// decrypt the plaintext with the blockcipher algorithm
$this->bCipher->setKey($sessionKey);
return $this->bCipher->decrypt($ciphertext, $sessionKey);
}
/**
* This is a central function for encrypting and decrypting so that
* logic is all in one location
*
* @param string $text The text to be encrypted or decrypted
* @param bool $encrypt True if we wish to encrypt text, False if we wish to
* decrypt text.
*
* @return string|bool The encrypted/decrypted string
* @throws \VuFind\Exception\PasswordSecurity
*/
protected function encryptOrDecrypt($text, $encrypt = true)
{
// Ignore empty text:
if (empty($text)) {
return $text;
}
// Load encryption key from configuration if not already present:
if (null === $this->encryptionKey) {
if (!isset($this->config->Authentication->ils_encryption_key) || empty($this->config->Authentication->ils_encryption_key)) {
throw new \VuFind\Exception\PasswordSecurity('ILS password encryption on, but no key set.');
}
$this->encryptionKey = $this->config->Authentication->ils_encryption_key;
}
// Perform encryption:
$cipher = new BlockCipher(new Mcrypt(['algorithm' => 'blowfish']));
$cipher->setKey($this->encryptionKey);
return $encrypt ? $cipher->encrypt($text) : $cipher->decrypt($text);
}
public function decrypt($string)
{
return $this->cipher->decrypt($string);
}
public function decrypt(&$data, BlockCipher $blockCipher)
{
$data['secretString'] = $blockCipher->decrypt($data['secretString']);
$data['secretArray'] = json_decode($blockCipher->decrypt($data['secretArray']), true);
}
public function decryptPassword(Identity $identity) : string
{
return $this->blockCipher->decrypt($identity->getEncryptedPassword());
}
/**
* Convert hash algorithms
* Expected parameters: oldmethod:oldkey (or none) newmethod:newkey
*
* @return \Zend\Console\Response
*/
public function switchdbhashAction()
{
// Validate command line arguments:
$argv = $this->consoleOpts->getRemainingArgs();
if (count($argv) < 1) {
Console::writeLine('Expected parameters: newmethod [newkey]');
return $this->getFailureResponse();
}
// Pull existing encryption settings from the configuration:
$config = $this->getConfig();
if (!isset($config->Authentication->encrypt_ils_password) || !isset($config->Authentication->ils_encryption_key) || !$config->Authentication->encrypt_ils_password) {
$oldhash = 'none';
$oldkey = null;
} else {
$oldhash = isset($config->Authentication->ils_encryption_algo) ? $config->Authentication->ils_encryption_algo : 'blowfish';
$oldkey = $config->Authentication->ils_encryption_key;
}
// Pull new encryption settings from arguments:
$newhash = $argv[0];
$newkey = isset($argv[1]) ? $argv[1] : $oldkey;
// No key specified AND no key on file = fatal error:
if ($newkey === null) {
Console::writeLine('Please specify a key as the second parameter.');
return $this->getFailureResponse();
}
// If no changes were requested, abort early:
if ($oldkey == $newkey && $oldhash == $newhash) {
Console::writeLine('No changes requested -- no action needed.');
return $this->getSuccessResponse();
}
// Initialize Mcrypt first, so we can catch any illegal algorithms before
// making any changes:
try {
if ($oldhash != 'none') {
$oldCrypt = new Mcrypt(['algorithm' => $oldhash]);
}
$newCrypt = new Mcrypt(['algorithm' => $newhash]);
} catch (\Exception $e) {
Console::writeLine($e->getMessage());
return $this->getFailureResponse();
}
// Next update the config file, so if we are unable to write the file,
// we don't go ahead and make unwanted changes to the database:
$configPath = ConfigLocator::getLocalConfigPath('config.ini', null, true);
Console::writeLine("\tUpdating {$configPath}...");
$writer = new ConfigWriter($configPath);
$writer->set('Authentication', 'encrypt_ils_password', true);
$writer->set('Authentication', 'ils_encryption_algo', $newhash);
$writer->set('Authentication', 'ils_encryption_key', $newkey);
if (!$writer->save()) {
Console::writeLine("\tWrite failed!");
return $this->getFailureResponse();
}
// Now do the database rewrite:
$userTable = $this->getServiceLocator()->get('VuFind\\DbTablePluginManager')->get('User');
$users = $userTable->select(function ($select) {
$select->where->isNotNull('cat_username');
});
Console::writeLine("\tConverting hashes for " . count($users) . ' user(s).');
foreach ($users as $row) {
$pass = null;
if ($oldhash != 'none' && isset($row['cat_pass_enc'])) {
$oldcipher = new BlockCipher($oldCrypt);
$oldcipher->setKey($oldkey);
$pass = $oldcipher->decrypt($row['cat_pass_enc']);
} else {
$pass = $row['cat_password'];
}
$newcipher = new BlockCipher($newCrypt);
$newcipher->setKey($newkey);
$row['cat_password'] = null;
$row['cat_pass_enc'] = $newcipher->encrypt($pass);
$row->save();
}
// If we got this far, all went well!
Console::writeLine("\tFinished.");
return $this->getSuccessResponse();
}
/**
* {@inheritDoc}
*/
public function decrypt($data)
{
return json_decode($this->blockCipher->decrypt($data), true);
}
