Use libsodium to encrypt data, stored in jwt tokens

2025-01-11 06:22:16 +05:30 · 2019-12-05 19:37:46 +03:00 · 2019-12-05 19:37:46 +03:00 · 642db2e045
commit 642db2e045
parent c3ffb08c4a
5 changed files with 27 additions and 8 deletions
--- a/api/components/Tokens/Component.php
+++ b/api/components/Tokens/Component.php
@ -4,7 +4,6 @@ declare(strict_types=1);
 namespace api\components\Tokens;

 use Carbon\Carbon;
-use Defuse\Crypto\Crypto;
 use Exception;
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Parser;
@ -92,8 +91,27 @@ class Component extends BaseComponent {
        }
    }

+    public function encryptValue(string $rawValue): string {
+        /** @noinspection PhpUnhandledExceptionInspection */
+        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+        $cipher = base64_encode($nonce . sodium_crypto_secretbox($rawValue, $nonce, $this->encryptionKey));
+        sodium_memzero($rawValue);
+
+        return $cipher;
+    }
+
    public function decryptValue(string $encryptedValue): string {
-        return Crypto::decryptWithPassword($encryptedValue, $this->encryptionKey);
+        $decoded = base64_decode($encryptedValue);
+        Assert::true($decoded !== false, 'passed value has an invalid base64 encoding');
+        Assert::true(mb_strlen($decoded, '8bit') >= (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES));
+        $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
+        $cipherText = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+
+        $rawValue = sodium_crypto_secretbox_open($cipherText, $nonce, $this->encryptionKey);
+        Assert::true($rawValue !== false);
+        sodium_memzero($cipherText);
+
+        return $rawValue;
    }

    private function getAlgorithmManager(): AlgorithmsManager {
@ -113,7 +131,7 @@ class Component extends BaseComponent {

    private function prepareValue($value) {
        if ($value instanceof EncryptedValue) {
-            return Crypto::encryptWithPassword($value->getValue(), $this->encryptionKey);
+            return $this->encryptValue($value->getValue());
        }

        return $value;
--- a/api/config/config-test.php
+++ b/api/config/config-test.php
@ -9,7 +9,7 @@ return [
            'privateKeyPath' => codecept_data_dir('certs/private.pem'),
            'privateKeyPass' => null,
            'publicKeyPath' => codecept_data_dir('certs/public.pem'),
-            'encryptionKey' => 'mock-encryption-key',
+            'encryptionKey' => 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
        ],
        'reCaptcha' => [
            'public' => 'public-key',
--- a/api/tests/functional/authserver/RefreshCest.php
+++ b/api/tests/functional/authserver/RefreshCest.php
@ -54,7 +54,7 @@ class RefreshCest {
    }

    /**
-     * @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU0Nzk1NTMsImV4cCI6MTU3NTY1MjM1MywiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJkZWY1MDIwMDE2ZTEzMTBmMzM2YzVjYWQzZDdiMTJmYjcyNmVhYzdlYjgyOGUzMzg1MzBhMmFmODdkZTJhMjRiMTVmNzAxNWQ1MjU1MjhiNGZiMjgzMTgxOTA2ODhlMWE4Njk5MjAwMzBlMTQyZmQ5ZWM5ODBlZDkzMWI1Mzc2MzgyMTliMjVjMjI1MjQyYzdmMjgzMjE0NjcyNDg3ZDQ4MTYxYjMwMGU1MGIzYWJlMTYwYjVkMmE4ZWMyMzMwMGJhMGNlMTg3MzYyYTgyMjJiYjQ4OTU0MzM4MDJiNTBlZDBhYzFhMWUwZDk3NDgxNDciLCJzdWIiOiJlbHl8MSJ9.PuM-8rzj4qtD9l0lUANSIWC8yjJe8ifarOYsAjc3r4iYFt0P6za-gzJEPncDC80oCXsYVlJHtrEypcsB9wJFSg", "clientToken": "d1b1162c-3d73-4b35-b64f-7bf68bd0e853"}
+     * @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiJZQU1YZ3kwQXBCOWdnVC9VWDYzSWk3SnBrTXdmcE5sWmhPMlVVRHhGd2ExZmdoOHZLMjdEbVdubzdsam5NaVlicENVbktPWFZ0dldWK1VYNXVkUFVRbCtOMWNwQWZSQS9hK2VtQWc9PSIsInN1YiI6ImVseXwxIn0.Yt3k9NpTthBVrrmcO6npd8n3zksolC2RI1m-NH2-_YEiaaCGC2vW8iszi3WB-g6f6Q64OYuQXxxXMl516PLTfA", "clientToken": "4f368b58-9097-4e56-80b1-f421ae4b53cf"}
     * @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"}
     */
    public function refreshExpiredToken(AuthserverSteps $I, Example $example) {
--- a/composer.json
+++ b/composer.json
@ -12,8 +12,8 @@
        "ext-mbstring": "*",
        "ext-pdo": "*",
        "ext-simplexml": "*",
+        "ext-sodium": "*",
        "bacon/bacon-qr-code": "^1.0",
-        "defuse/php-encryption": "^2.2",
        "domnikl/statsd": "^2.6",
        "ely/mojang-api": "^0.2.0",
        "ely/yii2-tempmail-validator": "^2.0",
--- a/composer.lock
+++ b/composer.lock
@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "10af6b999939a9f213664883387184ed",
+    "content-hash": "95971ae8836e4d182aae9e5c44021321",
    "packages": [
        {
            "name": "bacon/bacon-qr-code",
@ -6733,7 +6733,8 @@
        "ext-libxml": "*",
        "ext-mbstring": "*",
        "ext-pdo": "*",
-        "ext-simplexml": "*"
+        "ext-simplexml": "*",
+        "ext-sodium": "*"
    },
    "platform-dev": []
 }