Pass column names as associated data for AesGcm.

Create a defaultAssociatedData for encryption without.
mogilvie · May 28, 2024 · b597209 · b597209
1 parent 91e93fd
commit b597209
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 36 deletions.
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -23,29 +23,30 @@ public function getConfigTreeBuilder(): TreeBuilder
 
         $rootNode
             ->children()
-            ->scalarNode('encrypt_key')->end()
-            ->scalarNode('method')->defaultValue('OpenSSL')->end()
-            ->scalarNode('subscriber_class')->defaultValue(DoctrineEncryptSubscriber::class)->end()
-            ->scalarNode('encryptor_class')->defaultValue(AesCbcEncryptor::class)->end()
-            ->scalarNode('is_disabled')->defaultValue(false)->end()
-            ->arrayNode('connections')
-            ->treatNullLike([])
-            ->prototype('scalar')->end()
-            ->defaultValue([
-                'default',
-            ])
-            ->end()
-            ->arrayNode('annotation_classes')
-            ->treatNullLike([])
-            ->prototype('scalar')->end()
-            ->defaultValue([
-                Encrypted::class,
-            ])
-            ->end()
-            ->booleanNode('enable_twig')
-            ->defaultTrue()
-            ->info('Enable or disable Twig functionality')
-            ->end()
+                ->scalarNode('encrypt_key')->end()
+                ->scalarNode('default_associated_data')->defaultValue(null)->end()
+                ->scalarNode('method')->defaultValue('OpenSSL')->end()
+                ->scalarNode('subscriber_class')->defaultValue(DoctrineEncryptSubscriber::class)->end()
+                ->scalarNode('encryptor_class')->defaultValue(AesCbcEncryptor::class)->end()
+                ->scalarNode('is_disabled')->defaultValue(false)->end()
+                ->arrayNode('connections')
+                ->treatNullLike([])
+                ->prototype('scalar')->end()
+                ->defaultValue([
+                    'default',
+                ])
+                ->end()
+                ->arrayNode('annotation_classes')
+                ->treatNullLike([])
+                ->prototype('scalar')->end()
+                ->defaultValue([
+                    Encrypted::class,
+                ])
+                ->end()
+                ->booleanNode('enable_twig')
+                ->defaultTrue()
+                ->info('Enable or disable Twig functionality')
+                ->end()
             ->end()
         ;
 

diff --git a/src/DependencyInjection/SpecShaperEncryptExtension.php b/src/DependencyInjection/SpecShaperEncryptExtension.php
@@ -38,6 +38,7 @@ public function load(array $configs, ContainerBuilder $container)
         }
 
         $container->setParameter($this->getAlias().'.encrypt_key', $encryptKey);
+        $container->setParameter($this->getAlias().'.default_associated_data', $config['default_associated_data']);
         $container->setParameter($this->getAlias().'.method', $config['method']);
         $container->setParameter($this->getAlias().'.subscriber_class', $config['subscriber_class']);
         $container->setParameter($this->getAlias().'.encryptor_class', $config['encryptor_class']);

diff --git a/src/Encryptors/AesCbcEncryptor.php b/src/Encryptors/AesCbcEncryptor.php
@@ -45,7 +45,7 @@ public function setSecretKey(string $secretKey): void
     /**
      * @throws \Exception
      */
-    public function encrypt(?string $data): ?string
+    public function encrypt(?string $data, ?string $columnName = null): ?string
     {
         // If not data return data (null)
         if (is_null($data)) {
@@ -79,7 +79,7 @@ public function encrypt(?string $data): ?string
     /**
      * @throws \Exception
      */
-    public function decrypt(?string $data): ?string
+    public function decrypt(?string $data, ?string $columnName = null): ?string
     {
         // If the value is an object or null then ignore
         if (is_null($data)) {

diff --git a/src/Encryptors/AesGcmEncryptor.php b/src/Encryptors/AesGcmEncryptor.php
@@ -20,6 +20,8 @@ class AesGcmEncryptor implements EncryptorInterface
 
     private EventDispatcherInterface $dispatcher;
 
+    private ?string $defaultAssociatedData;
+
     /**
      * OpenSslEncryptor constructor.
      */
@@ -38,10 +40,15 @@ public function setSecretKey(string $secretKey): void
         $this->secretKey = $secretKey;
     }
 
+    public function setDefaultAssociatedData(?string $defaultAssociatedData): void
+    {
+        $this->defaultAssociatedData = $defaultAssociatedData;
+    }
+
     /**
      * @throws \Exception
      */
-    public function encrypt(?string $data): ?string
+    public function encrypt(?string $data, ?string $columnName): ?string
     {
         if (is_null($data)) {
             return null;
@@ -55,14 +62,16 @@ public function encrypt(?string $data): ?string
         $ivsize = openssl_cipher_iv_length(self::METHOD);
         $iv = openssl_random_pseudo_bytes($ivsize);
         $tag = '';
+        $associatedData = $columnName ?? $this->defaultAssociatedData;
 
         $ciphertext = openssl_encrypt(
             $data,
             self::METHOD,
             $key,
             OPENSSL_RAW_DATA,
             $iv,
-            $tag
+            $tag,
+            $associatedData
         );
 
         if ($ciphertext === false) {
@@ -75,7 +84,7 @@ public function encrypt(?string $data): ?string
     /**
      * @throws \Exception
      */
-    public function decrypt(?string $data): ?string
+    public function decrypt(?string $data, ?string $columnName): ?string
     {
         if (is_null($data)) {
             return null;
@@ -103,7 +112,8 @@ public function decrypt(?string $data): ?string
             $key,
             OPENSSL_RAW_DATA,
             $iv,
-            $tag
+            $tag,
+            $columnName
         );
 
         if ($plaintext === false) {

diff --git a/src/Encryptors/EncryptorFactory.php b/src/Encryptors/EncryptorFactory.php
@@ -19,13 +19,18 @@ public function __construct(EventDispatcherInterface $dispatcher)
      * Create service will return the desired encryption service.
      *
      * @param string      $encryptKey     256-bit encryption key
+     * @param string      $defaultAssociatedData     A fallback string used for AES-GBC-256 encryption.
      * @param string|null $encryptorClass the desired encryptor, defaults to OpenSSL, but can be overridden by passing a classname
      */
-    public function createService(string $encryptKey, ?string $encryptorClass = self::SUPPORTED_EXTENSION_OPENSSL): EncryptorInterface
+    public function createService(string $encryptKey, ?string $defaultAssociatedData = null, ?string $encryptorClass = self::SUPPORTED_EXTENSION_OPENSSL): EncryptorInterface
     {
         $encryptor = new $encryptorClass($this->dispatcher);
         $encryptor->setSecretKey($encryptKey);
 
+        if(method_exists($encryptorClass, 'setDefaultAssociatedData')){
+            $encryptor->setDefaultAssociatedData($defaultAssociatedData);
+        }
+
         return $encryptor;
     }
 }
diff --git a/src/Encryptors/EncryptorInterface.php b/src/Encryptors/EncryptorInterface.php
@@ -16,7 +16,7 @@ public function setSecretKey(string $key): void;
      *
      * @return string|null Encrypted string
      */
-    public function encrypt(?string $data): ?string;
+    public function encrypt(?string $data, ?string $columnName): ?string;
 
     /**
      * Must accept data and return decrypted data.
@@ -25,5 +25,5 @@ public function encrypt(?string $data): ?string;
      *
      * @return string Unencrypted string
      */
-    public function decrypt(?string $data): ?string;
+    public function decrypt(?string $data, ?string $columnName): ?string;
 }
diff --git a/src/Subscribers/DoctrineEncryptSubscriber.php b/src/Subscribers/DoctrineEncryptSubscriber.php
@@ -124,10 +124,10 @@ public function postLoad(LifecycleEventArgs $args): void
      * If the value is an object, or if it does not contain the suffic <ENC> then return the value iteslf back.
      * Otherwise, decrypt the value and return.
      */
-    public function decryptValue(?string $value): ?string
+    public function decryptValue(?string $value, ?string $columnName): ?string
     {
         // Else decrypt value and return.
-        return $this->encryptor->decrypt($value);
+        return $this->encryptor->decrypt($value, $columnName);
     }
 
     public function getEncryptionableProperties(array $allProperties): array
@@ -182,7 +182,7 @@ protected function processFields(object $entity, EntityManagerInterface $em, boo
 
                 // Encrypt value only if change has been detected by Doctrine (comparing unencrypted values, see postLoad flow)
                 if (isset($changeSet[$field])) {
-                    $encryptedValue = $this->encryptor->encrypt($value);
+                    $encryptedValue = $this->encryptor->encrypt($value, $field);
                     $refProperty->setValue($entity, $encryptedValue);
                     $unitOfWork->recomputeSingleEntityChangeSet($meta, $entity);
 
@@ -191,7 +191,7 @@ protected function processFields(object $entity, EntityManagerInterface $em, boo
                 }
             } else {
                 // Decryption is fired by onLoad and postFlush events.
-                $decryptedValue = $this->decryptValue($value);
+                $decryptedValue = $this->decryptValue($value, $field);
                 $refProperty->setValue($entity, $decryptedValue);
 
                 // Tell Doctrine the original value was the decrypted one.