refactor: added tryDecryptWithFallback method in BaseHandler

patel-vansh · patel-vansh · commit 5f63c3f42151 · 2025-12-30T10:07:43.000+05:30
diff --git a/system/Encryption/Handlers/BaseHandler.php b/system/Encryption/Handlers/BaseHandler.php
@@ -14,13 +14,22 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\EncrypterInterface;
+use CodeIgniter\Encryption\Exceptions\EncryptionException;
 use Config\Encryption;
+use SensitiveParameter;
 
 /**
  * Base class for encryption handling
  */
 abstract class BaseHandler implements EncrypterInterface
 {
+    /**
+     * List of previous keys for fallback decryption.
+     *
+     * @var list<string>
+     */
+    protected array $previousKeys = [];
+
     /**
      * Constructor
      */
@@ -50,6 +59,47 @@ protected static function substr($str, $start, $length = null)
         return mb_substr($str, $start, $length, '8bit');
     }
 
+    /**
+     * Attempts to decrypt using the provided callback, and if it fails,
+     * tries again with any previous keys we may have.
+     *
+     * @param string            $data            Data to decrypt
+     * @param array|string|null $params          Decryption parameters
+     * @param callable          $decryptCallback Callback that performs decryption
+     *
+     * @return string Decrypted data
+     *
+     * @throws EncryptionException
+     */
+    protected function tryDecryptWithFallback($data, #[SensitiveParameter] $params, callable $decryptCallback)
+    {
+        try {
+            return $decryptCallback($data, $params);
+        } catch (EncryptionException $e) {
+            if ($this->previousKeys === []) {
+                throw $e;
+            }
+
+            if (is_string($params) || (is_array($params) && isset($params['key']))) {
+                throw $e;
+            }
+
+            foreach ($this->previousKeys as $previousKey) {
+                try {
+                    $previousParams = is_array($params)
+                        ? array_merge($params, ['key' => $previousKey])
+                        : $previousKey;
+
+                    return $decryptCallback($data, $previousParams);
+                } catch (EncryptionException) {
+                    continue;
+                }
+            }
+
+            throw $e;
+        }
+    }
+
     /**
      * __get() magic, providing readonly access to some of our properties
      *
diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php
@@ -23,6 +23,22 @@
  */
 class OpenSSLHandler extends BaseHandler
 {
+    /**
+     * Encryption key info.
+     * This setting is only used by OpenSSLHandler.
+     *
+     * Set to 'encryption' for CI3 Encryption compatibility.
+     */
+    public string $encryptKeyInfo = '';
+
+    /**
+     * Authentication key info.
+     * This setting is only used by OpenSSLHandler.
+     *
+     * Set to 'authentication' for CI3 Encryption compatibility.
+     */
+    public string $authKeyInfo = '';
+
     /**
      * HMAC digest to use
      *
@@ -56,34 +72,11 @@ class OpenSSLHandler extends BaseHandler
      */
     protected $key = '';
 
-    /**
-     * List of previous keys for fallback decryption.
-     *
-     * @var list<string>|string
-     */
-    protected array|string $previousKeys = '';
-
     /**
      * Whether the cipher-text should be raw. If set to false, then it will be base64 encoded.
      */
     protected bool $rawData = true;
 
-    /**
-     * Encryption key info.
-     * This setting is only used by OpenSSLHandler.
-     *
-     * Set to 'encryption' for CI3 Encryption compatibility.
-     */
-    public string $encryptKeyInfo = '';
-
-    /**
-     * Authentication key info.
-     * This setting is only used by OpenSSLHandler.
-     *
-     * Set to 'authentication' for CI3 Encryption compatibility.
-     */
-    public string $authKeyInfo = '';
-
     /**
      * {@inheritDoc}
      */
@@ -125,90 +118,48 @@ public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $para
      */
     public function decrypt($data, #[SensitiveParameter] $params = null)
     {
-        // Allow key override
-        if ($params !== null) {
-            $this->key = is_array($params) && isset($params['key']) ? $params['key'] : $params;
-        }
+        $decryptParams = $params ?? $this->key;
 
-        if (empty($this->key)) {
+        if (empty($decryptParams)) {
             throw EncryptionException::forNeedsStarterKey();
         }
 
-        // Only use fallback keys if no custom key was provided in params
-        $useFallback = ! isset($params['key']);
-
-        $attemptDecrypt = function ($key) use ($data): array {
-            try {
-                $result = $this->decryptWithKey($data, $key);
-
-                return ['success' => true, 'data' => $result];
-            } catch (EncryptionException $e) {
-                return ['success' => false, 'exception' => $e];
-            }
-        };
-
-        $result = $attemptDecrypt($this->key);
+        return $this->tryDecryptWithFallback($data, $decryptParams, function ($data, $params): string {
+            $key = is_array($params) && isset($params['key']) ? $params['key'] : $params;
 
-        if ($result['success']) {
-            return $result['data'];
-        }
+            $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);
 
-        $originalException = $result['exception'];
+            $hmacLength = $this->rawData
+                ? $this->digestSize[$this->digest]
+                : $this->digestSize[$this->digest] * 2;
 
-        // If primary key failed and fallback is allowed, try previous keys
-        if ($useFallback && ! in_array($this->previousKeys, ['', '0', []], true)) {
-            foreach ($this->previousKeys as $previousKey) {
-                $fallbackResult = $attemptDecrypt($previousKey);
+            $hmacKey  = self::substr($data, 0, $hmacLength);
+            $data     = self::substr($data, $hmacLength);
+            $hmacCalc = \hash_hmac($this->digest, $data, $authKey, $this->rawData);
 
-                if ($fallbackResult['success']) {
-                    return $fallbackResult['data'];
-                }
+            if (! hash_equals($hmacKey, $hmacCalc)) {
+                throw EncryptionException::forAuthenticationFailed();
             }
-        }
 
-        // All attempts failed - throw the original exception
-        throw $originalException;
-    }
+            $data = $this->rawData ? $data : base64_decode($data, true);
 
-    /**
-     * Decrypt the data with the provided key
-     *
-     * @param string $data
-     * @param string $key
-     *
-     * @return false|string
-     *
-     * @throws EncryptionException
-     */
-    protected function decryptWithKey($data, #[SensitiveParameter] $key)
-    {
-        // derive a secret key
-        $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);
-
-        $hmacLength = $this->rawData
-            ? $this->digestSize[$this->digest]
-            : $this->digestSize[$this->digest] * 2;
-
-        $hmacKey  = self::substr($data, 0, $hmacLength);
-        $data     = self::substr($data, $hmacLength);
-        $hmacCalc = \hash_hmac($this->digest, $data, $authKey, $this->rawData);
+            if ($ivSize = \openssl_cipher_iv_length($this->cipher)) {
+                $iv   = self::substr($data, 0, $ivSize);
+                $data = self::substr($data, $ivSize);
+            } else {
+                $iv = null;
+            }
 
-        if (! hash_equals($hmacKey, $hmacCalc)) {
-            throw EncryptionException::forAuthenticationFailed();
-        }
+            // derive a secret key
+            $encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);
 
-        $data = $this->rawData ? $data : base64_decode($data, true);
+            $decryptedData = \openssl_decrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);
 
-        if ($ivSize = \openssl_cipher_iv_length($this->cipher)) {
-            $iv   = self::substr($data, 0, $ivSize);
-            $data = self::substr($data, $ivSize);
-        } else {
-            $iv = null;
-        }
-
-        // derive a secret key
-        $encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);
+            if ($decryptedData === false) {
+                throw EncryptionException::forDecryptionFailed();
+            }
 
-        return \openssl_decrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);
+            return $decryptedData;
+        });
     }
 }
diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php
@@ -31,13 +31,6 @@ class SodiumHandler extends BaseHandler
      */
     protected $key = '';
 
-    /**
-     * List of previous keys for fallback decryption.
-     *
-     * @var list<string>|string
-     */
-    protected array|string $previousKeys = '';
-
     /**
      * Block size for padding message.
      *
@@ -83,88 +76,44 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
     {
         $this->parseParams($params);
 
-        if (empty($this->key)) {
+        $decryptParams = $params ?? $this->key;
+
+        if (empty($decryptParams)) {
             throw EncryptionException::forNeedsStarterKey();
         }
 
-        // Only use fallback keys if no custom key was provided in params
-        $useFallback = ! isset($params['key']);
-
-        $attemptDecrypt = function ($key) use ($data): array {
-            try {
-                $result = $this->decryptWithKey($data, $key);
-                sodium_memzero($key);
-
-                return ['success' => true, 'data' => $result];
-            } catch (EncryptionException $e) {
-                sodium_memzero($key);
+        return $this->tryDecryptWithFallback($data, $decryptParams, function ($data, $params): string {
+            $key = is_array($params) && isset($params['key']) ? $params['key'] : $params;
 
-                return ['success' => false, 'exception' => $e];
+            if (mb_strlen($data, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
+                // message was truncated
+                throw EncryptionException::forAuthenticationFailed();
             }
-        };
 
-        $result = $attemptDecrypt($this->key);
+            // Extract info from encrypted data
+            $nonce      = self::substr($data, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
+            $ciphertext = self::substr($data, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
 
-        if ($result['success']) {
-            return $result['data'];
-        }
-
-        $originalException = $result['exception'];
+            // decrypt data
+            $data = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
 
-        // If primary key failed and fallback is allowed, try previous keys
-        if ($useFallback && ! in_array($this->previousKeys, ['', '0', []], true)) {
-            foreach ($this->previousKeys as $previousKey) {
-                $fallbackResult = $attemptDecrypt($previousKey);
-
-                if ($fallbackResult['success']) {
-                    return $fallbackResult['data'];
-                }
+            if ($data === false) {
+                // message was tampered in transit
+                throw EncryptionException::forAuthenticationFailed(); // @codeCoverageIgnore
             }
-        }
-
-        throw $originalException;
-    }
-
-    /**
-     * Decrypt the data with the provided key
-     *
-     * @param string $data
-     * @param string $key
-     *
-     * @return string
-     *
-     * @throws EncryptionException
-     */
-    protected function decryptWithKey($data, #[SensitiveParameter] $key)
-    {
-        if (mb_strlen($data, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
-            // message was truncated
-            throw EncryptionException::forAuthenticationFailed();
-        }
-
-        // Extract info from encrypted data
-        $nonce      = self::substr($data, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
-        $ciphertext = self::substr($data, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
 
-        // decrypt data
-        $data = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
-
-        if ($data === false) {
-            // message was tampered in transit
-            throw EncryptionException::forAuthenticationFailed(); // @codeCoverageIgnore
-        }
-
-        // remove extra padding during encryption
-        if ($this->blockSize <= 0) {
-            throw EncryptionException::forAuthenticationFailed();
-        }
+            // remove extra padding during encryption
+            if ($this->blockSize <= 0) {
+                throw EncryptionException::forAuthenticationFailed();
+            }
 
-        $data = sodium_unpad($data, $this->blockSize);
+            $data = sodium_unpad($data, $this->blockSize);
 
-        // cleanup buffers
-        sodium_memzero($ciphertext);
+            // cleanup buffers
+            sodium_memzero($ciphertext);
 
-        return $data;
+            return $data;
+        });
     }
 
     /**
