Fixed unit testing, simplified parameters

jim-parry · jim-parry · commit 5f546faecf90 · 2017-07-16T07:40:53.000-07:00
diff --git a/application/Config/Encryption.php b/application/Config/Encryption.php
@@ -30,8 +30,8 @@ class Encryption extends BaseConfig
 	  | Encryption driver to use
 	  |--------------------------------------------------------------------------
 	  |
-	  | One of the supported drivers, eg 'openssl' or 'mcrypt'.
-	  | The default driver, if you don't specify one, is 'openssl'.
+	  | One of the supported drivers, eg 'OpenSSL' or 'Sodium'.
+	  | The default driver, if you don't specify one, is 'OpenSSL'.
 	 */
 	public $driver = 'OpenSSL';
 
@@ -40,35 +40,30 @@ class Encryption extends BaseConfig
 	  | Encryption Cipher
 	  |--------------------------------------------------------------------------
 	  |
-	  | Name of the encryption cipher to use, eg 'aes-256' or 'blowfish'
+	  | Name of the encryption cipher to use, eg 'aes-256' or 'blowfish'.
+	  | The cipher must be supported by your designated driver.
 	 */
 	public $cipher = 'AES-256-CBC';
 
 	/*
 	  |--------------------------------------------------------------------------
-	  | Authentication
+	  | Authentication digest
 	  |--------------------------------------------------------------------------
 	  |
-	  | Use HMAC message authentication (true/false)
-	 */
-	public $hmac = 'HMAC';
-
-	/*
-	  |--------------------------------------------------------------------------
-	  | HMAC digest
-	  |--------------------------------------------------------------------------
-	  |
-	  | HMAC digest algorithm to use
+	  | HMAC digest algorithm to use, empty for none.
+	  | Values: SHA512, SHA384, SHA256, or SHA224.
 	 */
 	public $digest = 'SHA512';
 
 	/*
 	  |--------------------------------------------------------------------------
-	  | Base64 encoding?
+	  | Result encoding
 	  |--------------------------------------------------------------------------
 	  |
-	  | If true, base64 encode results, and expect base64-encoded ciphertext.
+	  | Which, if any, encoding to apply to encrypted results and to assume
+	  | provided ciphertext.
+	  | Values; empty (for no encoding), base64 or hex.
 	 */
-	public $base64 = 'base64';
+	public $encoding = 'base64';
 
 }
diff --git a/system/Encryption/Encryption.php b/system/Encryption/Encryption.php
@@ -80,14 +80,13 @@ class Encryption
 	 * Our default configuration
 	 */
 	protected $default = [
-		'driver' => 'OpenSSL', // The PHP extension we plan to use
-		'key'	 => '', // no starting key material
-		'cipher' => 'AES-256-CBC', // Encryption cipher
-		'hmac'	 => 'HMAC', // Use HMAC message authentication (true/false)
-		'digest' => 'SHA512', // HMAC digest algorithm to use
-		'base64' => 'base64', // Base64 encoding?
+		'driver'	 => 'OpenSSL', // The PHP extension we plan to use
+		'key'		 => '', // no starting key material
+		'cipher'	 => 'AES-256-CBC', // Encryption cipher
+		'digest'	 => 'SHA512', // HMAC digest algorithm to use
+		'encoding'	 => 'base64', // Base64 encoding
 	];
-	protected $driver, $key, $cipher, $hmac, $digest, $base64;
+	protected $driver, $key, $cipher, $digest, $base64;
 
 	/**
 	 * Map of drivers to handler classes, in preference order
@@ -112,6 +111,11 @@ class Encryption
 		'SHA512' => 64
 	];
 
+	/**
+	 * List of acceptable encodings
+	 */
+	protected $encodings = ['base64', 'hex'];
+
 	// --------------------------------------------------------------------
 
 	/**
@@ -169,11 +173,17 @@ public function initialize(array $params = [])
 			throw new EncryptionException("Driver '" . $params['driver'] . "' is not available.");
 
 		// Check for a bad digest
-		if ( ! isset($this->digests[$params['digest']]))
-			throw new EncryptionException("Unknown digest '" . $params['digest'] . "' specified.");
+		if ( ! empty($params['digest']))
+			if ( ! isset($this->digests[$params['digest']]))
+				throw new EncryptionException("Unknown digest '" . $params['digest'] . "' specified.");
+
+		// Check for valid encoding
+		if (!empty($param['encoding']))
+			if (! in_array($params['encoding'],$this->encodings))
+				throw new EncryptionException("Unknown encoding '" . $params['encoding'] . "' specified.");
 
 		// Derive a secret key for the encrypter
-		$params['secret'] = bin2hex(hash_hkdf($this->digest, $params['key']));
+		$params['secret'] = bin2hex(\hash_hkdf($this->digest, $params['key']));
 
 		$handlerName = 'CodeIgniter\\Encryption\\Handlers\\' . $this->driver . 'Handler';
 		$this->encrypter = new $handlerName($params);
@@ -225,7 +235,7 @@ protected function properParams($params = null)
 	 */
 	public static function createKey($length = 32)
 	{
-		return openssl_random_pseudo_bytes($length);
+		return \openssl_random_pseudo_bytes($length);
 	}
 
 	// --------------------------------------------------------------------
@@ -238,7 +248,7 @@ public static function createKey($length = 32)
 	 */
 	public function __get($key)
 	{
-		if (in_array($key, ['config', 'cipher', 'key', 'driver', 'drivers', 'digest', 'digests', 'default', 'hmac', 'base64'], true))
+		if (in_array($key, ['config', 'cipher', 'key', 'driver', 'drivers', 'digest', 'digests', 'default', 'encoding'], true))
 		{
 			return $this->{$key};
 		}
diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php
@@ -56,12 +56,6 @@ public function __construct($params = [])
 
 		if (empty($this->key))
 			throw new \CodeIgniter\Encryption\EncryptionException("OpenSSL handler configuration missing key.");
-		if (empty($this->hmac))
-			throw new \CodeIgniter\Encryption\EncryptionException("OpenSSL handler configuration missing HMAC control.");
-		if (empty($this->digest))
-			throw new \CodeIgniter\Encryption\EncryptionException("OpenSSL handler configuration missing HMAC digest.");
-		if (empty($this->base64))
-			throw new \CodeIgniter\Encryption\EncryptionException("OpenSSL handler configuration missing base64 control.");
 
 		$this->logger->info('OpenSSL handler initialized with cipher ' . $this->cipher . '.');
 	}
@@ -75,24 +69,27 @@ public function __construct($params = [])
 	public function encrypt($data)
 	{
 		// basic encryption	
-		$iv = ($iv_size = openssl_cipher_iv_length($this->cipher)) ? openssl_random_pseudo_bytes($iv_size) : null;
+		$iv = ($iv_size = \openssl_cipher_iv_length($this->cipher)) ? \openssl_random_pseudo_bytes($iv_size) : null;
 
-		$data = openssl_encrypt($data, $this->cipher, $this->secret, OPENSSL_RAW_DATA, $iv);
+		$data = \openssl_encrypt($data, $this->cipher, $this->secret, OPENSSL_RAW_DATA, $iv);
 
 		if ($data === false)
 			return false;
 
 		$result = $iv . $data;
 
 		// HMAC?
-		if ($this->hmac == 'hmac')
+		if ( ! empty($this->digest))
 		{
-			$hmacKey = hash_hmac($this->digest, $result, $this->secret,true);
+			$hmacKey = \hash_hmac($this->digest, $result, $this->secret, true);
 			$result = $hmacKey . $result;
 		}
 
-		if ($this->base64 == 'base64')
-			$result = base64_encode($result);
+		if ( ! empty($this->encoding))
+			if ($this->encoding == 'base64')
+				$result = \base64_encode($result);
+			elseif ($this->encoding == 'hex')
+				$result = \bin2hex($result);
 
 		return $result;
 	}
@@ -107,21 +104,24 @@ public function encrypt($data)
 	 */
 	public function decrypt($data)
 	{
-		if ($this->base64 == 'base64')
-			$data = base64_decode($data);
+		if ( ! empty($this->encoding))
+			if ($this->encoding == 'base64')
+				$data = \base64_decode($data);
+			elseif ($this->encoding == 'hex')
+				$data = \hex2bin($data);
 
 		// HMAC?
-		if ($this->hmac == 'hmac')
+		if ( ! empty($this->digest))
 		{
-			$hmacLength = self::substr($this->digest,3) / 8;
-			$hmacKey = self::substr($data,0,$hmacLength);
-			$data = self::substr($data,$hmacLength);
-			$hmacCalc = hash_hmac($this->digest, $data, $this->secret,true);
+			$hmacLength = self::substr($this->digest, 3) / 8;
+			$hmacKey = self::substr($data, 0, $hmacLength);
+			$data = self::substr($data, $hmacLength);
+			$hmacCalc = \hash_hmac($this->digest, $data, $this->secret, true);
 			if ($hmacKey != $hmacCalc)
 				throw new \CodeIgniter\Encryption\EncryptionException("Message authentication failed.");
 		}
-		
-		if ($iv_size = openssl_cipher_iv_length($this->cipher))
+
+		if ($iv_size = \openssl_cipher_iv_length($this->cipher))
 		{
 			$iv = self::substr($data, 0, $iv_size);
 			$data = self::substr($data, $iv_size);
@@ -131,7 +131,7 @@ public function decrypt($data)
 			$iv = null;
 		}
 
-		return openssl_decrypt($data, $this->cipher, $this->secret, OPENSSL_RAW_DATA, $iv);
+		return \openssl_decrypt($data, $this->cipher, $this->secret, OPENSSL_RAW_DATA, $iv);
 	}
 
 }
diff --git a/tests/system/Encryption/EncryptionTest.php b/tests/system/Encryption/EncryptionTest.php
@@ -84,12 +84,11 @@ public function testParameters()
 		// make sure we can over-ride any parameter
 		// change the driver once we have more than 1
 		$expected = [
-			'driver' => 'OpenSSL', // The PHP extension we plan to use
-			'key'	 => 'Top banana', // no starting key material
-			'cipher' => 'AES-128-CBC', // Encryption cipher
-			'hmac'	 => false, // Use HMAC message authentication (true/false)
-			'digest' => 'SHA128', // HMAC digest algorithm to use
-			'base64' => false, // Base64 encoding?
+			'driver'	 => 'OpenSSL', // The PHP extension we plan to use
+			'key'		 => 'Top banana', // no starting key material
+			'cipher'	 => 'AES-128-CBC', // Encryption cipher
+			'digest'	 => '', // HMAC digest algorithm to use
+			'encoding'	 => '', // Base64 encoding?
 		];
 		$this->encrypt = new \CodeIgniter\Encryption\Encryption($expected);
 		foreach ($expected as $key => $value)
@@ -115,12 +114,11 @@ public function testInitialization()
 		// make sure we can over-ride any parameter
 		// change the driver once we have more than 1
 		$expected = [
-			'driver' => 'OpenSSL', // The PHP extension we plan to use
-			'key'	 => 'Top banana', // no starting key material
-			'cipher' => 'AES-256-CBC', // Encryption cipher
-			'hmac'	 => 'HMAC', // Use HMAC message authentication (true/false)
-			'digest' => 'SHA512', // HMAC digest algorithm to use
-			'base64' => 'base64', // Base64 encoding?
+			'driver'	 => 'OpenSSL', // The PHP extension we plan to use
+			'key'		 => 'Top banana', // no starting key material
+			'cipher'	 => 'AES-256-CBC', // Encryption cipher
+			'digest'	 => 'SHA512', // HMAC digest algorithm to use
+			'encoding'	 => 'base64', // Base64 encoding?
 		];
 		$this->encrypt = $this->encryption->initialize($expected);
 		foreach ($expected as $key => $value)
diff --git a/tests/system/Encryption/OpenSSLHandlerTest.php b/tests/system/Encryption/OpenSSLHandlerTest.php
@@ -81,12 +81,12 @@ public function testWithDES()
 	/**
 	 * test with & without HMAC
 	 */
-	public function testAuthentication()
+	public function testWithAuthentication()
 	{
 		$params = [
 			'driver' => 'OpenSSL',
-			'hmac' => 'hmac',
-			'key'	 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'			
+			'digest' => 'SHA512',
+			'key'	 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
 		];
 
 		$encrypter = $this->encryption->initialize($params);
@@ -99,13 +99,13 @@ public function testAuthentication()
 	}
 
 	/**
-	 * test with & without encoding
+	 * test with & without HMAC
 	 */
-	public function testWithoutEncoding()
+	public function testWithoutAuthentication()
 	{
 		$params = [
 			'driver' => 'OpenSSL',
-			'base64' => 'none',
+			'digest' => '',
 			'key'	 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
 		];
 
@@ -118,15 +118,35 @@ public function testWithoutEncoding()
 		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
 	}
 
+	/**
+	 * test with & without encoding
+	 */
+	public function testWithoutEncoding()
+	{
+		$params = [
+			'driver'	 => 'OpenSSL',
+			'encoding'	 => '',
+			'key'		 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
+		];
+
+		$encrypter = $this->encryption->initialize($params);
+
+		// simple encrypt/decrypt, default parameters
+		$message = 'This is a plain-text message.';
+		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
+		$message = 'This is a different plain-text message.';
+		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
+	}
+
 	/**
 	 * test with & without encoding
 	 */
 	public function testWithEncoding()
 	{
 		$params = [
-			'driver' => 'OpenSSL',
-			'base64' => 'base64',
-			'key'	 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
+			'driver'	 => 'OpenSSL',
+			'encoding'	 => 'base64',
+			'key'		 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
 		];
 
 		$encrypter = $this->encryption->initialize($params);
@@ -138,5 +158,24 @@ public function testWithEncoding()
 		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
 	}
 
+	/**
+	 * test with & without encoding
+	 */
+	public function testWithHexEncoding()
+	{
+		$params = [
+			'driver'	 => 'OpenSSL',
+			'encoding'	 => 'hex',
+			'key'		 => '\xd0\xc9\x08\xc4\xde\x52\x12\x6e\xf8\xcc\xdb\x03\xea\xa0\x3a\x5c'
+		];
+
+		$encrypter = $this->encryption->initialize($params);
+
+		// simple encrypt/decrypt, default parameters
+		$message = 'This is a plain-text message.';
+		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
+		$message = 'This is a different plain-text message.';
+		$this->assertEquals($message, $encrypter->decrypt($encrypter->encrypt($message)));
+	}
 
 }
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
