Modules

Encrypt_Engine_Openssl
extends Kohana_Encrypt_Engine_Openssl
extends Kohana_Encrypt_Engine

The Encrypt Openssl engine provides two-way encryption of text and binary strings using the OpenSSL extension, which consists of two parts: the key and the cipher.

The Key
A secret passphrase that is used for encoding and decoding
The Cipher
A cipher determines how the encryption is mathematically calculated. By default, the "AES-256-CBC" cipher is used.
package
Kohana
category
Security
author
Kohana Team
copyright
© Kohana Team
license
https://koseven.ga/LICENSE.md

Class declared in MODPATH/encrypt/classes/Encrypt/Engine/Openssl.php on line 3.

Properties

protected string $_cipher

mcrypt cipher

Default value:
NULL

protected int $_iv_size

the size of the Initialization Vector (IV) in bytes

Default value:
NULL

protected string $_key

Encryption key

Default value:
NULL

protected string $_mode

mcrypt mode

Default value:
NULL

Methods

public __construct( string $key_config [, string $mode = NULL , string $cipher = NULL ] ) (defined in Kohana_Encrypt_Engine_Openssl)

Creates a new openssl wrapper.

Parameters

  • string $key_config required - $key encryption key
  • string $mode = NULL - Openssl mode
  • string $cipher = NULL - Openssl cipher

Source Code

public function __construct($key_config, $mode = NULL, $cipher = NULL)
{
	if ($cipher === NULL)
	{
		// Add the default cipher
		$cipher = 'AES-256-CBC';
	}

	parent::__construct($key_config, $mode, $cipher);

	$this->_iv_size = openssl_cipher_iv_length($this->_cipher);

	$length = mb_strlen($this->_key, '8bit');

	// Validate configuration
	if ($this->_cipher === 'AES-128-CBC')
	{
		if ($length !== 16)
		{
			// No valid encryption key is provided!
			throw new Kohana_Exception('No valid encryption key is defined in the encryption configuration: length should be 16 for AES-128-CBC');
		}
	}
		
	elseif ($this->_cipher === 'AES-256-CBC')
	{
		if ($length !== 32)
		{
			// No valid encryption key is provided!
			throw new Kohana_Exception('No valid encryption key is defined in the encryption configuration: length should be 32 for AES-256-CBC');
		}
	}
	
	else
	{
		// No valid encryption cipher is provided!
		throw new Kohana_Exception('No valid encryption cipher is defined in the encryption configuration.');
	}
}

public create_iv( ) (defined in Kohana_Encrypt_Engine_Openssl)

Proxy for the random_bytes function - to allow mocking and testing against KAT vectors

Return Values

  • string - The initialization vector or FALSE on error

Source Code

public function create_iv()
{
	if (function_exists('random_bytes'))
	{
		return random_bytes($this->_iv_size);
	}

	if (function_exists('mcrypt_create_iv'))
	{
		$key = mcrypt_create_iv($this->_iv_size, MCRYPT_DEV_URANDOM);
		if (mb_strlen($key, '8bit') === $this->_iv_size)
		{
			return $key;
		}
	}

	throw new Kohana_Exception('Could not create initialization vector.');
}

public decrypt( string $data ) (defined in Kohana_Encrypt_Engine_Openssl)

Decrypts an encoded string back to its original value.

Parameters

  • string $data required - Encoded string to be decrypted

Return Values

  • FALSE - If decryption fails
  • string

Source Code

public function decrypt($data)
{
	// Convert the data back to binary
	$data = json_decode(base64_decode($data), TRUE);

	// If the payload is not valid JSON or does not have the proper keys set we will
	// assume it is invalid and bail out of the routine since we will not be able
	// to decrypt the given value. We'll also check the MAC for this encryption.
	if ( ! $this->valid_payload($data))
	{
		// Decryption failed
		return FALSE;
	}

	if ( ! $this->valid_mac($data))
	{
		// Decryption failed
		return FALSE;
	}

	$iv = base64_decode($data['iv']);
	if ( ! $iv)
	{
		// Invalid base64 data
		return FALSE;
	}

	// Here we will decrypt the value. If we are able to successfully decrypt it
	// we will then unserialize it and return it out to the caller. If we are
	// unable to decrypt this value we will throw out an exception message.
	$decrypted = \openssl_decrypt($data['value'], $this->_cipher, $this->_key, 0, $iv);

	if ($decrypted === FALSE)
	{
		return FALSE;
	}

	return $decrypted;
}

public encrypt( string $data , $iv ) (defined in Kohana_Encrypt_Engine_Openssl)

Encrypts a string and returns an encrypted string that can be decoded.

Parameters

  • string $data required - Data to be encrypted
  • unknown $iv required

Return Values

  • string

Source Code

public function encrypt($data, $iv)
{
	// First we will encrypt the value using OpenSSL. After this is encrypted we
	// will proceed to calculating a MAC for the encrypted value so that this
	// value can be verified later as not having been changed by the users.
	$value = \openssl_encrypt($data, $this->_cipher, $this->_key, 0, $iv);

	if ($value === FALSE)
	{
		// Encryption failed
		return FALSE;
	}

	// Once we have the encrypted value we will go ahead base64_encode the input
	// vector and create the MAC for the encrypted value so we can verify its
	// authenticity. Then, we'll JSON encode the data in a "payload" array.
	$mac = $this->hash($iv = base64_encode($iv), $value);

	$json = json_encode(compact('iv', 'value', 'mac'));

	if (! is_string($json))
	{
		// Encryption failed
		return FALSE;
	}

	return base64_encode($json);
}

protected hash( string $iv , mixed $value ) (defined in Kohana_Encrypt_Engine_Openssl)

Create a MAC for the given value.

Parameters

  • string $iv required - $iv
  • mixed $value required - $value

Return Values

  • string

Source Code

protected function hash($iv, $value)
{
	return hash_hmac('sha256', $iv.$value, $this->_key);
}

protected valid_mac( array $payload ) (defined in Kohana_Encrypt_Engine_Openssl)

Determine if the MAC for the given payload is valid.

Parameters

  • array $payload required - $payload

Return Values

  • bool

Source Code

protected function valid_mac(array $payload)
{
	$bytes = $this->create_iv($this->_iv_size);
	$calculated = hash_hmac('sha256', $this->hash($payload['iv'], $payload['value']), $bytes, TRUE);

	return hash_equals(hash_hmac('sha256', $payload['mac'], $bytes, TRUE), $calculated);
}

protected valid_payload( mixed $payload ) (defined in Kohana_Encrypt_Engine_Openssl)

Verify that the encryption payload is valid.

Parameters

  • mixed $payload required - $payload

Return Values

  • bool

Source Code

protected function valid_payload($payload)
{
	return is_array($payload) AND
			isset($payload['iv'], $payload['value'], $payload['mac']) AND
			strlen(base64_decode($payload['iv'], TRUE)) === $this->_iv_size;
}