Encryption

app/Config/Encryption.php

@@ -0,0 +1,36 @@
+<?php
+namespace Config;
+
+use CodeIgniter\Config\BaseConfig;
+
+/**
+ * Encryption configuration.
+ *
+ * These are the settings used for encryption, if you don't pass a parameter
+ * array to the encrypter for creation/initialization.
+ */
+class Encryption extends BaseConfig
+{
+	/*
+	  |--------------------------------------------------------------------------
+	  | Encryption Key Starter
+	  |--------------------------------------------------------------------------
+	  |
+	  | If you use the Encryption class you must set an encryption key (seed).
+	  | You need to ensure it is long enough for the cipher and mode you plan to use.
+	  | See the user guide for more info.
+	 */
+
+	public $key = '';
+
+	/*
+	  |--------------------------------------------------------------------------
+	  | Encryption driver to use
+	  |--------------------------------------------------------------------------
+	  |
+	  | One of the supported drivers, eg 'OpenSSL' or 'Sodium'.
+	  | The default driver, if you don't specify one, is 'OpenSSL'.
+	 */
+	public $driver = 'OpenSSL';
+
+}

system/Config/Services.php

@@ -43,6 +43,8 @@
 use CodeIgniter\Debug\Iterator;
 use CodeIgniter\Debug\Timer;
 use CodeIgniter\Debug\Toolbar;
+use CodeIgniter\Encryption\EncrypterInterface;
+use CodeIgniter\Encryption\Encryption;
 use CodeIgniter\Filters\Filters;
 use CodeIgniter\Honeypot\Honeypot;
 use CodeIgniter\HTTP\CLIRequest;
@@ -186,6 +188,33 @@ public static function curlrequest(array $options = [], ResponseInterface $respo
 
 	//--------------------------------------------------------------------
 
+	/**
+	 * The Encryption class provides two-way encryption.
+	 *
+	 * @param mixed   $config
+	 * @param boolean $getShared
+	 *
+	 * @return EncrypterInterface Encryption handler
+	 */
+	public static function encrypter($config = null, $getShared = false)
+	{
+		if ($getShared === true)
+		{
+			return static::getSharedInstance('encrypter', $config);
+		}
+
+		if (empty($config))
+		{
+			$config = new \Config\Encryption();
+		}
+
+		$encryption = new Encryption($config);
+		$encrypter  = $encryption->initialize($config);
+		return $encrypter;
+	}
+
+	//--------------------------------------------------------------------
+
 	/**
 	 * The Exceptions class holds the methods that handle:
 	 *

system/Encryption/EncrypterInterface.php

@@ -0,0 +1,66 @@
+<?php
+
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP
+ *
+ * This content is released under the MIT License (MIT)
+ *
+ * Copyright (c) 2014-2017 British Columbia Institute of Technology
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @package    CodeIgniter
+ * @author     CodeIgniter Dev Team
+ * @copyright  2014-2017 British Columbia Institute of Technology (https://bcit.ca/)
+ * @license    https://opensource.org/licenses/MIT	MIT License
+ * @link       https://codeigniter.com
+ * @since      Version 4.0.0
+ * @filesource
+ */
+
+namespace CodeIgniter\Encryption;
+
+/**
+ * CodeIgniter Encryption Handler
+ *
+ * Provides two-way keyed encryption
+ */
+interface EncrypterInterface
+{
+
+	/**
+	 * Encrypt - convert plaintext into ciphertext
+	 *
+	 * @param  string $data   Input data
+	 * @param  array  $params Over-ridden parameters, specifically the key
+	 * @return string
+	 */
+	public function encrypt($data, $params = null);
+
+	/**
+	 * Decrypt - convert ciphertext into plaintext
+	 *
+	 * @param  string $data   Encrypted data
+	 * @param  array  $params Over-ridden parameters, specifically the key
+	 * @return string
+	 */
+	public function decrypt($data, $params = null);
+}

system/Encryption/Encryption.php

@@ -0,0 +1,198 @@
+<?php
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP
+ *
+ * This content is released under the MIT License (MIT)
+ *
+ * Copyright (c) 2014-2017 British Columbia Institute of Technology
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ * @package    CodeIgniter
+ * @author     CodeIgniter Dev Team
+ * @copyright  2014-2017 British Columbia Institute of Technology (https://bcit.ca/)
+ * @license    https://opensource.org/licenses/MIT	MIT License
+ * @link       https://codeigniter.com
+ * @since      Version 4.0.0
+ * @filesource
+ */
+
+namespace CodeIgniter\Encryption;
+
+use Config\Encryption as EncryptionConfig;
+use CodeIgniter\Encryption\Exceptions\EncryptionException;
+use CodeIgniter\Config\BaseConfig;
+use CodeIgniter\Config\Services;
+
+/**
+ * CodeIgniter Encryption Manager
+ *
+ * Provides two-way keyed encryption via PHP's Sodium and/or OpenSSL extensions.
+ * This class determines the driver, cipher, and mode to use, and then
+ * initializes the appropriate encryption handler.
+ */
+class Encryption
+{
+
+	/**
+	 * The encrypter we create
+	 *
+	 * @var string
+	 */
+	protected $encrypter;
+
+	/**
+	 * The driver being used
+	 */
+	protected $driver;
+
+	/**
+	 * The key/seed being used
+	 */
+	protected $key;
+
+	/**
+	 * The derived hmac key
+	 */
+	protected $hmacKey;
+
+	/**
+	 * HMAC digest to use
+	 */
+	protected $digest = 'SHA512';
+
+	/**
+	 * Map of drivers to handler classes, in preference order
+	 *
+	 * @var array
+	 */
+	protected $drivers = [
+		'OpenSSL',
+	];
+
+	// --------------------------------------------------------------------
+
+	/**
+	 * Class constructor
+	 *
+	 * @param  BaseConfig $config Configuration parameters
+	 * @return void
+	 *
+	 * @throws \CodeIgniter\Encryption\Exceptions\EncryptionException
+	 */
+	public function __construct(BaseConfig $config = null)
+	{
+		if (empty($config))
+		{
+			$config = new \Config\Encryption();
+		}
+		$this->driver = $config->driver;
+		$this->key    = $config->key;
+
+		// determine what is installed
+		$this->handlers = [
+			'OpenSSL' => extension_loaded('openssl'),
+		];
+
+		// if any aren't there, bomb
+		if (in_array(false, $this->handlers))
+		{
+			// this should never happen in travis-ci
+			// @codeCoverageIgnoreStart
+			throw EncryptionException::forNoHandlerAvailable($this->driver);
+			// @codeCoverageIgnoreEnd
+		}
+	}
+
+	/**
+	 * Initialize or re-initialize an encrypter
+	 *
+	 * @param  BaseConfig $config Configuration parameters
+	 * @return \CodeIgniter\Encryption\EncrypterInterface
+	 *
+	 * @throws \CodeIgniter\Encryption\Exceptions\EncryptionException
+	 */
+	public function initialize(BaseConfig $config = null)
+	{
+		// override config?
+		if (! empty($config))
+		{
+			$this->driver = $config->driver;
+			$this->key    = $config->key;
+		}
+
+		// Insist on a driver
+		if (empty($this->driver))
+		{
+			throw EncryptionException::forNoDriverRequested();
+		}
+
+		// Check for an unknown driver
+		if (! in_array($this->driver, $this->drivers))
+		{
+			throw EncryptionException::forUnKnownHandler($this->driver);
+		}
+
+		if (empty($this->key))
+		{
+			throw EncryptionException::forNeedsStarterKey();
+		}
+
+		// Derive a secret key for the encrypter
+		$this->hmacKey = bin2hex(\hash_hkdf($this->digest, $this->key));
+
+		$handlerName     = 'CodeIgniter\\Encryption\\Handlers\\' . $this->driver . 'Handler';
+		$this->encrypter = new $handlerName($config);
+		return $this->encrypter;
+	}
+
+	// --------------------------------------------------------------------
+
+	/**
+	 * Create a random key
+	 *
+	 * @param  integer $length Output length
+	 * @return string
+	 */
+	public static function createKey($length = 32)
+	{
+		return random_bytes($length);
+	}
+
+	// --------------------------------------------------------------------
+
+	/**
+	 * __get() magic, providing readonly access to some of our protected properties
+	 *
+	 * @param  string $key Property name
+	 * @return mixed
+	 */
+	public function __get($key)
+	{
+		if (in_array($key, ['key', 'digest', 'driver', 'drivers'], true))
+		{
+			return $this->{$key};
+		}
+
+		return null;
+	}
+
+}

system/Encryption/Exceptions/EncryptionException.php

@@ -0,0 +1,41 @@
+<?php
+namespace CodeIgniter\Encryption\Exceptions;
+
+use CodeIgniter\Exceptions\ExceptionInterface;
+
+/**
+ * Encryption exception
+ */
+class EncryptionException extends \RuntimeException implements ExceptionInterface
+{
+
+	public static function forNoDriverRequested()
+	{
+		return new static(lang('Encryption.noDriverRequested'));
+	}
+
+	public static function forNoHandlerAvailable()
+	{
+		return new static(lang('Encryption.noHandlerAvailable'));
+	}
+
+	public static function forUnKnownHandler(string $driver = null)
+	{
+		return new static(lang('Encryption.unKnownHandler', [$driver]));
+	}
+
+	public static function forNeedsStarterKey()
+	{
+		return new static(lang('Encryption.starterKeyNeeded'));
+	}
+
+	public static function forAuthenticationFailed()
+	{
+		return new static(lang('Encryption.authenticationFailed'));
+	}
+	public static function forEncryptionFailed()
+	{
+		return new static(lang('Encryption.encryptionFailed'));
+	}
+
+}