Merge pull request #23 from genecommerce/harden-key-invalidation

Harden the key invalidation process

Console/InvalidateOldEncryptionKeys.php

@@ -8,6 +8,7 @@
 use Magento\Framework\App\DeploymentConfig;
 use Magento\Framework\App\CacheInterface;
 use Magento\Framework\Console\Cli;
+use Magento\Framework\Math\Random;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputInterface;
@@ -25,6 +26,7 @@ class InvalidateOldEncryptionKeys extends Command
     public function __construct(
         private readonly Writer $writer,
         private readonly CacheInterface $cache,
+        private readonly Random $random,
         private readonly DeploymentConfig $deploymentConfig
     ) {
         parent::__construct();
@@ -87,17 +89,19 @@ protected function execute(InputInterface $input, OutputInterface $output): int
              * - keep a record of it for storing in 'crypt/invalidated_key'
              */
             $changes = false;
+            $keySize = SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES;
             foreach ($keys as $id => $key) {
                 if ($id === count($keys) - 1) {
                     break; // last key needs to remain usable
                 }
-                if (str_starts_with($key, 'geneinvalidatedkeys')) {
+                if (str_starts_with($key, 'invalid')) {
                     continue; // already been invalidated
                 }
                 $changes = true;
                 $invalidatedKeys[] = $key; // this key needs to be added to the invalidated list
-                $keys[$id] = uniqid('geneinvalidatedkeys');
-                if (strlen($keys[$id]) !== SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_KEYBYTES) {
+                $newKey = 'invalid' . $this->random->getRandomString($keySize - 7);
+                $keys[$id] = $newKey;
+                if (strlen($keys[$id]) !== $keySize) {
                     throw new \Exception('Failed to invalidate the key with an appropriate length');
                 }
             }

README.md

@@ -133,24 +133,21 @@ You can use `php bin/magento gene:encryption-key-manager:invalidate` to invalida
 
 This will create a new section to store the old `invalidated_key` within your `env.php` as well as stub out the `crypt/key` path with nonsense text, so that the numerical ordering of the keys is maintained.
 
-```diff
---- app/etc/env.php   2024-07-14 06:03:14.194370013 +0000
-+++ app/etc/env.php   2024-07-14 06:04:12.775458013 +0000
-@@ -50,9 +50,11 @@
-         'table_prefix' => ''
-     ],
-     'crypt' => [
--        'key' => 'f00e29e230c723afbdaef0fb5d3e6134
--d59b93bf844ebe700ae8202f67e56e34
-+        'key' => 'geneinvalidatedkeys669368519467b
-+geneinvalidatedkeys6693685194682
- 412b0ad1190572ff9f3c58f595ed1f3e',
-+        'invalidated_key' => 'f00e29e230c723afbdaef0fb5d3e6134
-+d59b93bf844ebe700ae8202f67e56e34'
-     ],
-     'resource' => [
-         'default_setup' => [
+Before invalidation
+```php
+    'crypt' => [
+        'key' => '84c9d7c0b305adf9ea7e19a05478bf11
+2951b41e2b7f4c26e60a8e7ee00ca17b'
+    ],
+```
 
+After invalidation
+```php
+    'crypt' => [
+        'key' => 'invalidpwecbVeGpoL3Jxa4PXEOdn1ej
+2951b41e2b7f4c26e60a8e7ee00ca17b',
+        'invalidated_key' => '84c9d7c0b305adf9ea7e19a05478bf11'
+    ],
 ```
 
 ## bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data