/** * @see CryptofierCryptoInterface * * NB: Shouldn't be called externally/by derived classes as doesn't use the server key! * * @param $value * @param $friendlyKey * * @return string - maybe unfriendly * @throws CryptofierException */ protected final function decrypt_native($value, $friendlyKey) { try { return Crypto::decrypt($value, $this->unfriendly($friendlyKey)); } catch (Exception $e) { throw new CryptofierException("Failed to " . __METHOD__); } }
/** * Encrypts data * * @param string $data The data to encrypt * * @return string The encrypted data * * @throws \CodeCollab\Encryption\CryptoException When not being able to (safely) encrypt the data */ public function encrypt(string $data) : string { try { return Crypto::encrypt($data, $this->key); } catch (EnvironmentIsBrokenException $e) { throw new CryptoException($e->getMessage(), $e->getCode(), $e); } }
/** * Key rotation method -- decrypt with your old key then re-encrypt with your new key * * @param string $ciphertext * @param string $oldKey - must be exactly 16 bytes * @param string $newKey - must be exactly 16 bytes * @return string */ public static function rotateKey($ciphertext, $oldKey, $newKey) { if (self::safeStrlen($oldKey) !== 16 || self::safeStrlen($newKey) !== 16) { throw new \Exception("Encryption keys must be 16 bytes long"); } $plaintext = Crypto::decrypt($ciphertext, $oldKey); return Crypto::encrypt($plaintext, $newKey); }
private function decrypt($resource) { if ($resource !== null) { $msg = stream_get_contents($resource); return Crypto::decrypt($msg, $this->key, true); } return null; }
/** * {@inheritdoc} */ public function get() { if (!$this->isHit()) { return; } $item = json_decode(Crypto::decrypt($this->cacheItem->get(), $this->key), true); return $this->transform($item); }
public function write($data) { $cipher = Crypto::Encrypt(json_encode($data), $this->key); $cookie_domain = ''; if (!empty(\Config\Base::$auth['cookie_domain'])) { $cookie_domain = \Config\Base::$auth['cookie_domain']; } setcookie('auth', $cipher, time() + $this->timeout, '/', $cookie_domain); }
public static function encryptDataKeyAndPutIntoSession(Request $request, User $user, $password, $salt) { $key = Key::CreateKeyBasedOnPassword($password, $salt); $encryptedKey = $user->getDataKey(); $asciiDataKey = Crypto::decrypt($encryptedKey, $key, true); $dataKey = Key::LoadFromAsciiSafeString($asciiDataKey); $request->getSession()->set(AuthSuccessHandler::SESSION_KEY_DATA_KEY, $dataKey); return $dataKey; }
/** * Decrypt with AES256. * This method relies on the settings in application config `AES_KEY256` which is generated at install to * a unique key for your application. You can use a different key by passing it in at `$key256`. * * * @param string $crypt Value to decrypt using AES256. * @param null|string $key256 An options key used to perform the decryption with instead of the `AES_KEY256`. * * @return string The decrypted value of $crypt. */ public function decrypt($crypt, $key256 = null) { if ($key256 === null) { $key256 = \App::config('AES_KEY256'); } //if $key256 = \Defuse\Crypto\Key::loadFromAsciiSafeString($key256); return \Defuse\Crypto\Crypto::decrypt($crypt, $key256); }
/** * Decrypts data * * @param string $data The data to encrypt * * @return string The encrypted data * * @throws \CodeCollab\Encryption\CryptoException When the message could not be decrypted * @throws \CodeCollab\Encryption\FraudException When the message is potentially tampered with */ public function decrypt(string $data) : string { try { return Crypto::legacyDecrypt($data, $this->key); } catch (WrongKeyOrModifiedCiphertextException $e) { throw new FraudException($e->getMessage(), $e->getCode(), $e); } catch (EnvironmentIsBrokenException $e) { throw new CryptoException($e->getMessage(), $e->getCode(), $e); } }
/** * Returns a cookie value thus also decrypting it * * @param mixed $key * @param mixed|boolean $default * @param string $domain * * @return mixed */ public static function get($key, $default = false, $domain = '/') { if (isset($_COOKIE[sha1($key)])) { try { return Crypto::decrypt($_COOKIE[sha1($key)], self::$_enckey); } catch (\Exception $e) { self::remove($key, $domain); } } return $default; }
/** * Method to encrypt a data string. * * @param string $data The data string to encrypt. * @param Key $key The key object to use for encryption. * * @return string The encrypted data string. * * @since 1.3.0 * @throws \InvalidArgumentException * @throws \RuntimeException */ public function encrypt($data, Key $key) { // Validate key. if ($key->getType() != 'crypto') { throw new \InvalidArgumentException('Invalid key of type: ' . $key->getType() . '. Expected crypto.'); } // Encrypt the data. try { return DefuseCrypto::encrypt($data, DefuseKey::loadFromAsciiSafeString($key->getPrivate())); } catch (EnvironmentIsBrokenException $ex) { throw new \RuntimeException('Cannot safely perform encryption', $ex->getCode(), $ex); } }
public static function decrypt($ciphertext, $urlSafe = false) { if (!self::$key) { throw new Exception('Generate and set Encryption::$key before calling Encryption::encrypt()!'); } if ($urlSafe) { $ciphertext = base64_decode(str_replace(array('_', '-'), array('/', '+'), $ciphertext)); } try { return Crypto::decrypt($ciphertext, self::$key); } catch (Exception $e) { return ""; } }
/** * * Encrypt a message with defuse/php-encryption, using an ephemeral key, * then encrypt the key with RSA. * * @param string $ciphertext * @param PrivateKey $rsaPrivateKey * * @return string * @throws InvalidCiphertextException * @throws InvalidChecksumException */ public static function decrypt($ciphertext, PrivateKey $rsaPrivateKey) { $split = explode(self::SEPARATOR, $ciphertext); if (\count($split) !== 4) { throw new InvalidCiphertextException('Invalid ciphertext message'); } if (!\hash_equals($split[0], self::VERSION_TAG)) { throw new InvalidCiphertextException('Invalid version tag'); } $checksum = \substr(\hash('sha256', implode('$', array_slice($split, 0, 3))), 0, 16); if (!\hash_equals($split[3], $checksum)) { throw new InvalidChecksumException('Invalid checksum'); } $key = Key::loadFromAsciiSafeString(self::rsaDecrypt(Base64::decode($split[1]), $rsaPrivateKey)); return Crypto::Decrypt(Base64::decode($split[2]), $key, true); }
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token) { parent::onLoginSuccess($request, $response, $token); try { $password = $request->get('password'); $cookie = $this->getCookie($response); $hash = $this->decodeCookie($cookie->getValue())[3]; $key = $this->createKey($hash); $value = Crypto::encrypt($password, $key); $response->headers->setCookie(new Cookie($this->options['name'] . '_A', $value, $cookie->getExpiresTime(), $this->options['path'], $this->options['domain'], $this->options['secure'], $this->options['httponly'])); } catch (Exception $ex) { $this->logger->error('unexpected exception occurred, while decrypting the rememberMe cookie' . "\n" . $ex->getTraceAsString()); $request->getSession()->invalidate(); throw new AccessDeniedException("Unexpected exception occurred."); } }
/** * @param Schema $schema */ public function up(Schema $schema) { // this up() migration is auto-generated, please modify it to your needs $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on \'mysql\'.'); $password = '******'; $hash = password_hash($password, PASSWORD_BCRYPT); $salt = base64_decode($this->container->getParameter('salt_key')); if (\strlen($salt) < Key::MIN_SAFE_KEY_BYTE_SIZE) { $suggestedSalt = base64_encode(openssl_random_pseudo_bytes(Key::MIN_SAFE_KEY_BYTE_SIZE * 2)); throw new AbortMigrationException('You need to define an own salt_key in your parameters.yml file which is at least ' . Key::MIN_SAFE_KEY_BYTE_SIZE . ' characters long.' . "\n" . 'Following a randomly created key:' . "\n" . 'salt_key: ' . $suggestedSalt); } $dataKey = null; if ($this->container->hasParameter('data_key_delete_after_migration')) { $asciiDataKey = $this->container->getParameter('data_key_delete_after_migration'); $dataKey = Key::LoadFromAsciiSafeString($asciiDataKey); } if ($dataKey == null) { throw new AbortMigrationException('You need to define an own data_key_delete_after_migration in your parameters.yml which is a key generated with \\Defuse\\Crypto\\Key::CreateNewRandomKey()->saveToAsciiSafeString()' . "\n" . 'Following a randomly created key:' . "\n" . 'data_key_delete_after_migration: ' . Key::CreateNewRandomKey()->saveToAsciiSafeString() . "\n" . 'YOU MUST delete this entry in your parameters.yml afterwards (you can make a copy on a save device).'); } $key = Key::CreateKeyBasedOnPassword($password, $salt); $encryptedDataKey = Crypto::encrypt($asciiDataKey, $key, true); $this->addSql('CREATE TABLE category (id INT AUTO_INCREMENT NOT NULL, name VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, UNIQUE INDEX UNIQ_64C19C15E237E06 (name), INDEX IDX_64C19C1A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB'); $this->addSql('CREATE TABLE purchase (id INT AUTO_INCREMENT NOT NULL, user_id INT NOT NULL, purchase_date DATE NOT NULL, total VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, INDEX IDX_6117D13BA76ED395 (user_id), INDEX IDX_6117D13BA7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB'); $this->addSql('CREATE TABLE purchase_position (id INT AUTO_INCREMENT NOT NULL, purchase_id INT NOT NULL, category_id INT NOT NULL, expression LONGBLOB NOT NULL, price VARBINARY(255) NOT NULL, notice LONGBLOB NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, INDEX IDX_6FEEF7A712469DE2 (category_id), INDEX IDX_6FEEF7A7558FBEB9 (purchase_id), INDEX IDX_6FEEF7A7A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB'); $this->addSql('CREATE TABLE app_users (id INT AUTO_INCREMENT NOT NULL, username VARCHAR(25) NOT NULL, password VARCHAR(64) NOT NULL, email VARCHAR(60) NOT NULL, role VARCHAR(20) DEFAULT NULL, data_key VARBINARY(255) NOT NULL, updated_by_user INT NOT NULL, updated_at DATETIME NOT NULL, UNIQUE INDEX UNIQ_C2502824F85E0677 (username), UNIQUE INDEX UNIQ_C2502824E7927C74 (email), INDEX IDX_C2502824A7F6CB27 (updated_by_user), PRIMARY KEY(id)) DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci ENGINE = InnoDB'); $this->addSql('ALTER TABLE category ADD CONSTRAINT FK_64C19C1A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)'); $this->addSql('ALTER TABLE purchase ADD CONSTRAINT FK_6117D13BA76ED395 FOREIGN KEY (user_id) REFERENCES app_users (id)'); $this->addSql('ALTER TABLE purchase ADD CONSTRAINT FK_6117D13BA7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)'); $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A712469DE2 FOREIGN KEY (category_id) REFERENCES category (id)'); $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A7558FBEB9 FOREIGN KEY (purchase_id) REFERENCES purchase (id) ON DELETE CASCADE'); $this->addSql('ALTER TABLE purchase_position ADD CONSTRAINT FK_6FEEF7A7A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)'); $this->addSql('ALTER TABLE app_users ADD CONSTRAINT FK_C2502824A7F6CB27 FOREIGN KEY (updated_by_user) REFERENCES app_users (id)'); $now = date('Y-m-d\\TH:i:s', time()); $this->addSql('INSERT INTO app_users (username, password, role, data_key, updated_by_user, updated_at) ' . 'VALUES (\'admin\', :password, \'ROLE_ADMIN\', :data_key, \'1\', :updated_at)', array('password' => $hash, 'data_key' => $encryptedDataKey, 'updated_at' => $now)); $this->addSql('INSERT INTO category (name, updated_by_user, updated_at) ' . 'VALUES (:name, \'1\', :updated_at)', array('name' => Crypto::encrypt('Lebensmittel', $dataKey, true), 'updated_at' => $now)); }
private function decryptProtected($key, $encryptedField) { // Decrypt encrypted field with group key $plaintext = ""; try { $plaintext = Crypto::decrypt($encryptedField, $key); } catch (Ex\InvalidCiphertextException $ex) { // VERY IMPORTANT // Either: // 1. The ciphertext was modified by the attacker, // 2. The key is wrong, or // 3. $ciphertext is not a valid ciphertext or was corrupted. // Assume the worst. throw $ex; // Unable to decode encrypted field } catch (Ex\CryptoTestFailedException $ex) { throw $ex; // Cannot safely perform field } catch (Ex\CannotPerformOperationException $ex) { throw $ex; // Cannot safely perform field } return $plaintext; }
$date_errors = DateTime::getLastErrors(); if ($date_errors['warning_count'] + $date_errors['error_count'] > 0) { $errors = true; response(VALIDATION_DATE_INVALID, $errors); } if (strtotime($expiration_date) > strtotime("today +30 days")) { $errors = true; response(VALIDATION_DATE_INVALID, $errors); } // If all of the above validation checks pass, continue on if (!$errors) { // Create an array of data to be encrypted $data = serialize(array("message" => $message, "email_sender" => $email_sender)); // Encrypt data, reference: https://github.com/defuse/php-encryption/ try { $data_encrypted = Crypto::encryptWithPassword($data, $password); } catch (Ex\EnvironmentIsBrokenException $ex) { response(ENCRYPTION_UNSAFE, true); } // Store the encrypted data $array = array('secret' => bin2hex($data_encrypted), 'expiration_date' => strtotime($expiration_date . ' +1 day')); $item = $collection->item(); if ($item->post($array)) { $item->event('log')->post(['action' => 'created']); $id = $item->getKey(); } else { response($item->getStatus(), true); } // Send email to recipient if (!empty($email_recipient)) { // Email body
/** * Decrypt the given time. * * @param mixed $time * @return string|null */ protected function decryptTime($time) { try { return Crypto::decrypt($time, $this->key); } catch (Ex\InvalidCiphertextException $ex) { // VERY IMPORTANT // Either: // 1. The ciphertext was modified by the attacker, // 2. The key is wrong, or // 3. $ciphertext is not a valid ciphertext or was corrupted. // Assume the worst. return false; //die('DANGER! DANGER! The ciphertext has been tampered with!'); } catch (Ex\CryptoTestFailedException $ex) { return false; //die('Cannot safely perform decryption'); } catch (Ex\CannotPerformOperationException $ex) { return false; //die('Cannot safely perform decryption2'); } }
/** * @param $passwordHash * @param $token * @return array */ public static function tokenDecrypt($passwordHash, $token) { $decrypted = Crypto::decryptWithPassword($token, $passwordHash); return explode("|", $decrypted); }
/** * For migrating from an older version of the library * * @param string $password * @param string $ciphertext * @param string $oldKey * @param Key $newKey * @return string * @throws \Exception */ public static function upgradeFromVersion1(string $password, string $ciphertext, string $oldKey, Key $newKey) : string { if (!self::decryptAndVerifyLegacy($password, $ciphertext, $oldKey)) { throw new \Exception('The correct password is necessary for legacy migration.'); } $plaintext = Crypto::legacyDecrypt($ciphertext, $oldKey); return self::hashAndEncrypt($plaintext, $newKey); }
<?php // Set the encoding to something more "challenging." $ret = mb_internal_encoding('UTF-8'); if ($ret === FALSE) { echo "Couldn't set encoding."; exit(1); } // Dump out the settings / encoding for future reference. $val = ini_get("mbstring.func_overload"); echo "Settings: \n"; echo " func_overload: " . $val . "\n"; echo " mb_internal_encoding(): " . mb_internal_encoding() . "\n"; // Perform the tests. require_once \dirname(__DIR__) . '/autoload.php'; try { \Defuse\Crypto\Crypto::RuntimeTest(); echo "TEST PASSED!\n"; exit(0); } catch (\Defuse\Crypto\Exception\CryptoTestFailed $ex) { echo "TEST FAILED!\n"; var_dump($ex); exit(1); } catch (\Defuse\Crypto\Exception\CannotPerformOperation $ex) { echo "TEST FAILED\n"; var_dump($ex); exit(1); }
<?php use Defuse\Crypto\Crypto; require_once 'autoload.php'; function showResults($type, $start, $end, $count) { $time = $end - $start; $rate = $count / $time; echo $type, ': ', $rate, ' calls/s', "\n"; } // Note: By default, the runtime tests are "cached" and not re-executed for // every call. To disable this, look at the RuntimeTest() function. $start = \microtime(true); for ($i = 0; $i < 1000; $i++) { $key = Crypto::createNewRandomKey(); } $end = \microtime(true); showResults("createNewRandomKey()", $start, $end, 1000); $start = \microtime(true); for ($i = 0; $i < 100; $i++) { $ciphertext = Crypto::encrypt(\str_repeat("A", 1024 * 1024), \str_repeat("B", 16)); } $end = microtime(true); showResults("encrypt(1MB)", $start, $end, 100); $start = microtime(true); for ($i = 0; $i < 1000; $i++) { $ciphertext = Crypto::encrypt(\str_repeat("A", 1024), \str_repeat("B", 16)); } $end = \microtime(true); showResults("encrypt(1KB)", $start, $end, 1000);
if ($fail_total >= 3) { $item->event('log')->post(['action' => 'disabled']); $errors = true; response(VALIDATION_TOO_MANY_ATTEMPTS, $errors); } // If all of the above validation checks pass, continue on if (!$errors) { $salt = Crypto::hexToBin($item->salt); $data_encrypted = Crypto::hexToBin($item->secret); // Create decryption key $length = 16; $iterations = PASSWORD_ITERATIONS; $key = hash_pbkdf2("sha256", $password, $salt, $iterations, $length); // Decrypt data, reference: https://github.com/defuse/php-encryption/ try { $data_decrypted = Crypto::Decrypt($data_encrypted, $key); } catch (Ex\InvalidCiphertextException $ex) { // VERY IMPORTANT // Log event $item->event('log')->post(['action' => 'failed']); response(DECRYPTION_PASSWORD_WRONG, true); } catch (Ex\CryptoTestFailedException $ex) { response(ENCRYPTION_UNSAFE, true); } catch (Ex\CannotPerformOperationException $ex) { response(DECRYPTION_UNSAFE, true); } // Delete message $item->delete(); // Log event if ($item->delete()) { $item->event('log')->post(['action' => 'deleted']);
/** * {@inheritdoc} */ public function decrypt(string $ciphertext) : string { return Crypto::decrypt($ciphertext, $this->key); }
/** * @param mixed $value * @return string */ public function reverseTransform($value) { return Crypto::decrypt($value, $this->key, $this->getBinary()); }
<?php require_once \dirname(__DIR__) . '/autoload.php'; use Defuse\Crypto\Crypto; $status = 0; for ($i = 0; $i < 100; ++$i) { $random = \openssl_random_pseudo_bytes(32); $encode_a = Crypto::binToHex($random); $encode_b = \bin2hex($random); if ($encode_a !== $encode_b) { $status = 1; \var_dump([$encode_a, $encode_b]); } // echo "\t", $encode_a, "\t", $encode_b, "\n"; $decode_a = Crypto::hexToBin($encode_b); $decode_b = \hex2bin($encode_a); if ($decode_a !== $decode_b) { $status = 1; \var_dump([\base64_encode($decode_a), \base64_decode($decode_b)]); } } if ($status < 0) { echo 'Encoded successfully!', "\n"; } exit($status); \var_dump(Crypto::binToHex("ABJA")); \var_dump(Crypto::hexToBin('41424a41'));
/** * @param string $ciphertext * @param null|Key $key * @return string * @throws CannotPerformOperationException * @throws InvalidCiphertextException */ public function decrypt($ciphertext, $key = null) { $key = $this->getKey($key); return Crypto::Decrypt($ciphertext, $key); }
$key = Crypto::createNewRandomKey(); // WARNING: Do NOT encode $key with bin2hex() or base64_encode(), // they may leak the key to the attacker through side channels. } catch (Ex\CryptoTestFailed $ex) { die('Cannot safely create a key'); } catch (Ex\CannotPerformOperation $ex) { die('Cannot safely create a key'); } $message = "ATTACK AT DAWN"; try { $ciphertext = Crypto::encrypt($message, $key); } catch (Ex\CryptoTestFailed $ex) { die('Cannot safely perform encryption'); } catch (Ex\CannotPerformOperation $ex) { die('Cannot safely perform encryption'); } try { $decrypted = Crypto::decrypt($ciphertext, $key); } catch (Ex\InvalidCiphertext $ex) { // VERY IMPORTANT // Either: // 1. The ciphertext was modified by the attacker, // 2. The key is wrong, or // 3. $ciphertext is not a valid ciphertext or was corrupted. // Assume the worst. die('DANGER! DANGER! The ciphertext has been tampered with!'); } catch (Ex\CryptoTestFailed $ex) { die('Cannot safely perform dencryption'); } catch (Ex\CannotPerformOperation $ex) { die('Cannot safely perform decryption'); }
private function encodePasswordAndChangeDataKey(User $user) { $plainPassword = $user->getPlainPassword(); $password = $this->get('security.password_encoder')->encodePassword($user, $plainPassword); $user->setPassword($password); $saltKey = base64_decode($this->getParameter('salt_key')); $key = Key::CreateKeyBasedOnPassword($plainPassword, $saltKey); /*@var $cryptoKey \Defuse\Crypto\Key */ $cryptoKey = $this->get('session')->get(AuthSuccessHandler::SESSION_KEY_DATA_KEY); $asciiDataKey = $cryptoKey->saveToAsciiSafeString(); $encryptedDataKey = Crypto::encrypt($asciiDataKey, $key, true); $user->setDataKey($encryptedDataKey); }
/** * Encrypt something * * @param string $cleartext * @return string hexadecimal representation of crypted string */ public function encrypt($cleartext) { return Crypto::binToHex(Crypto::encrypt($cleartext, $this->getSecretKey())); }