20714927937

Committed 05 Jan 2026 12:09PM UTC coverage: 85.469% (+0.001%) from 85.468%

Build # 20714927937

Build Type

Pull #9870

github

Committed by

web-flow

Commit Message

Merge 9be08e1af into e88e03a74

Pull Request Pull Request #9870: feat: encryption key rotation

Run Details

35 of 42 new or added lines in 4 files covered. (83.33%)

27 existing lines in 1 file now uncovered.

21863 of 25580 relevant lines covered (85.47%)

203.8 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

89.47

/system/Encryption/Handlers/OpenSSLHandler.php

<?php

declare(strict_types=1);

/**
 * This file is part of CodeIgniter 4 framework.
 *
 * (c) CodeIgniter Foundation <admin@codeigniter.com>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace CodeIgniter\Encryption\Handlers;

use CodeIgniter\Encryption\Exceptions\EncryptionException;
use SensitiveParameter;

/**
 * Encryption handling for OpenSSL library
 *
 * @see \CodeIgniter\Encryption\Handlers\OpenSSLHandlerTest
 */
class OpenSSLHandler extends BaseHandler
{
    /**
     * HMAC digest to use
     *
     * @var string
     */
    protected $digest = 'SHA512';

    /**
     * List of supported HMAC algorithms
     *
     * @var array [name => digest size]
     */
    protected array $digestSize = [
        'SHA224' => 28,
        'SHA256' => 32,
        'SHA384' => 48,
        'SHA512' => 64,
    ];

    /**
     * Cipher to use
     *
     * @var string
     */
    protected $cipher = 'AES-256-CTR';

    /**
     * Starter key
     *
     * @var string
     */
    protected $key = '';

    /**
     * Whether the cipher-text should be raw. If set to false, then it will be base64 encoded.
     */
    protected bool $rawData = true;

    /**
     * Encryption key info.
     * This setting is only used by OpenSSLHandler.
     *
     * Set to 'encryption' for CI3 Encryption compatibility.
     */
    public string $encryptKeyInfo = '';

    /**
     * Authentication key info.
     * This setting is only used by OpenSSLHandler.
     *
     * Set to 'authentication' for CI3 Encryption compatibility.
     */
    public string $authKeyInfo = '';

    /**
     * {@inheritDoc}
     */
    public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
    {
        // Allow key override
        $key = $params !== null
            ? (is_array($params) && isset($params['key']) ? $params['key'] : $params)
            : $this->key;

        if (empty($key)) {
            throw EncryptionException::forNeedsStarterKey();
        }

        // derive a secret key
        $encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);

        // basic encryption
        $iv = ($ivSize = \openssl_cipher_iv_length($this->cipher)) ? \openssl_random_pseudo_bytes($ivSize) : null;

        $data = \openssl_encrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);

        if ($data === false) {
            throw EncryptionException::forEncryptionFailed();
        }

        $result = $this->rawData ? $iv . $data : base64_encode($iv . $data);

        // derive a secret key
        $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);

        $hmacKey = \hash_hmac($this->digest, $result, $authKey, $this->rawData);

        return $hmacKey . $result;
    }

    /**
     * {@inheritDoc}
     */
    public function decrypt($data, #[SensitiveParameter] $params = null)
    {
        // Allow key override
        $key = $params !== null
            ? (is_array($params) && isset($params['key']) ? $params['key'] : $params)
            : $this->key;

        if (empty($key)) {
            throw EncryptionException::forNeedsStarterKey();
        }

        // derive a secret key
        $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);

        $hmacLength = $this->rawData
            ? $this->digestSize[$this->digest]
            : $this->digestSize[$this->digest] * 2;

        $hmacKey  = self::substr($data, 0, $hmacLength);
        $data     = self::substr($data, $hmacLength);
        $hmacCalc = \hash_hmac($this->digest, $data, $authKey, $this->rawData);

        if (! hash_equals($hmacKey, $hmacCalc)) {
            throw EncryptionException::forAuthenticationFailed();
        }

        $data = $this->rawData ? $data : base64_decode($data, true);

        if ($ivSize = \openssl_cipher_iv_length($this->cipher)) {
            $iv   = self::substr($data, 0, $ivSize);
            $data = self::substr($data, $ivSize);
        } else {
            $iv = null;
        }

        // derive a secret key
        $encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);

        $result = \openssl_decrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);

        if ($result === false) {
            throw EncryptionException::forAuthenticationFailed();
        }

        return $result;
    }
}

1	<?php
2
3	declare(strict_types=1);
4
5	/**
6	* This file is part of CodeIgniter 4 framework.
7	*
8	* (c) CodeIgniter Foundation <admin@codeigniter.com>
9	*
10	* For the full copyright and license information, please view
11	* the LICENSE file that was distributed with this source code.
12	*/
13
14	namespace CodeIgniter\Encryption\Handlers;
15
16	use CodeIgniter\Encryption\Exceptions\EncryptionException;
17	use SensitiveParameter;
18
19	/**
20	* Encryption handling for OpenSSL library
21	*
22	* @see \CodeIgniter\Encryption\Handlers\OpenSSLHandlerTest
23	*/
24	class OpenSSLHandler extends BaseHandler
25	{
26	/**
27	* HMAC digest to use
28	*
29	* @var string
30	*/
31	protected $digest = 'SHA512';
32
33	/**
34	* List of supported HMAC algorithms
35	*
36	* @var array [name => digest size]
37	*/
38	protected array $digestSize = [
39	'SHA224' => 28,
40	'SHA256' => 32,
41	'SHA384' => 48,
42	'SHA512' => 64,
43	];
44
45	/**
46	* Cipher to use
47	*
48	* @var string
49	*/
50	protected $cipher = 'AES-256-CTR';
51
52	/**
53	* Starter key
54	*
55	* @var string
56	*/
57	protected $key = '';
58
59	/**
60	* Whether the cipher-text should be raw. If set to false, then it will be base64 encoded.
61	*/
62	protected bool $rawData = true;
63
64	/**
65	* Encryption key info.
66	* This setting is only used by OpenSSLHandler.
67	*
68	* Set to 'encryption' for CI3 Encryption compatibility.
69	*/
70	public string $encryptKeyInfo = '';
71
72	/**
73	* Authentication key info.
74	* This setting is only used by OpenSSLHandler.
75	*
76	* Set to 'authentication' for CI3 Encryption compatibility.
77	*/
78	public string $authKeyInfo = '';
79
80	/**
81	* {@inheritDoc}
82	*/
83	public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
84	{
85	// Allow key override
86	$key = $params !== null	14✔
87	? (is_array($params) && isset($params['key']) ? $params['key'] : $params)	6✔
88	: $this->key;	9✔
89
90	if (empty($key)) {	14✔
91	throw EncryptionException::forNeedsStarterKey();	1✔
92	}
93
94	// derive a secret key
95	$encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);	13✔
96
97	// basic encryption
98	$iv = ($ivSize = \openssl_cipher_iv_length($this->cipher)) ? \openssl_random_pseudo_bytes($ivSize) : null;	13✔
99
100	$data = \openssl_encrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);	13✔
101
102	if ($data === false) {	13✔
103	throw EncryptionException::forEncryptionFailed();	×
104	}
105
106	$result = $this->rawData ? $iv . $data : base64_encode($iv . $data);	13✔
107
108	// derive a secret key
109	$authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);	13✔
110
111	$hmacKey = \hash_hmac($this->digest, $result, $authKey, $this->rawData);	13✔
112
113	return $hmacKey . $result;	13✔
114	}
115
116	/**
117	* {@inheritDoc}
118	*/
119	public function decrypt($data, #[SensitiveParameter] $params = null)
120	{
121	// Allow key override
122	$key = $params !== null	16✔
123	? (is_array($params) && isset($params['key']) ? $params['key'] : $params)	11✔
124	: $this->key;	11✔
125
126	if (empty($key)) {	16✔
127	throw EncryptionException::forNeedsStarterKey();	×
128	}
129
130	// derive a secret key
131	$authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);	16✔
132
133	$hmacLength = $this->rawData	16✔
134	? $this->digestSize[$this->digest]	14✔
135	: $this->digestSize[$this->digest] * 2;	2✔
136
137	$hmacKey = self::substr($data, 0, $hmacLength);	16✔
138	$data = self::substr($data, $hmacLength);	16✔
139	$hmacCalc = \hash_hmac($this->digest, $data, $authKey, $this->rawData);	16✔
140
141	if (! hash_equals($hmacKey, $hmacCalc)) {	16✔
142	throw EncryptionException::forAuthenticationFailed();	9✔
143	}
144
145	$data = $this->rawData ? $data : base64_decode($data, true);	11✔
146
147	if ($ivSize = \openssl_cipher_iv_length($this->cipher)) {	11✔
148	$iv = self::substr($data, 0, $ivSize);	11✔
149	$data = self::substr($data, $ivSize);	11✔
150	} else {
151	$iv = null;	×
152	}
153
154	// derive a secret key
155	$encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);	11✔
156
157	$result = \openssl_decrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);	11✔
158
159	if ($result === false) {	11✔
NEW 160	throw EncryptionException::forAuthenticationFailed();	×
161	}
162
163	return $result;	11✔
164	}
165	}

codeigniter4 / CodeIgniter4 / 20714927937

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous