New property on AuthorizationServer to receive an encryption key whic…

…h is used for future encryption/decryption instead of keybased encryption/decryption

composer.json

@@ -9,7 +9,8 @@
         "league/event": "^2.1",
         "lcobucci/jwt": "^3.1",
         "paragonie/random_compat": "^1.1 || ^2.0",
-        "psr/http-message": "^1.0"
+        "psr/http-message": "^1.0",
+        "defuse/php-encryption": "^2.1"
     },
     "require-dev": {
         "phpunit/phpunit": "^4.8 || ^5.0",

src/AuthorizationServer.php

@@ -26,6 +26,8 @@ class AuthorizationServer implements EmitterAwareInterface
 {
     use EmitterAwareTrait;
 
+    const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://xxxx/xxxx';
+
     /**
      * @var GrantTypeInterface[]
      */
@@ -66,6 +68,11 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     private $scopeRepository;
 
+    /**
+     * @var string
+     */
+    private $encryptionKey;
+
     /**
      * New server instance.
      *
@@ -101,6 +108,16 @@ public function __construct(
         $this->responseType = $responseType;
     }
 
+    /**
+     * Set the encryption key
+     *
+     * @param string $key
+     */
+    public function setEncryptionKey($key)
+    {
+        $this->encryptionKey = $key;
+    }
+
     /**
      * Enable a grant type on the server.
      *
@@ -120,6 +137,11 @@ public function enableGrantType(GrantTypeInterface $grantType, \DateInterval $ac
         $grantType->setPublicKey($this->publicKey);
         $grantType->setEmitter($this->getEmitter());
 
+        if ($this->encryptionKey === null) {
+            error_log(self::ENCRYPTION_KEY_ERROR);
+        }
+        $grantType->setEncryptionKey($this->encryptionKey);
+
         $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
         $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
     }
@@ -135,6 +157,10 @@ public function enableGrantType(GrantTypeInterface $grantType, \DateInterval $ac
      */
     public function validateAuthorizationRequest(ServerRequestInterface $request)
     {
+        if ($this->encryptionKey === null) {
+            error_log(self::ENCRYPTION_KEY_ERROR);
+        }
+
         foreach ($this->enabledGrantTypes as $grantType) {
             if ($grantType->canRespondToAuthorizationRequest($request)) {
                 return $grantType->validateAuthorizationRequest($request);

src/CryptTrait.php

@@ -11,6 +11,8 @@
 
 namespace League\OAuth2\Server;
 
+use Defuse\Crypto\Crypto;
+
 trait CryptTrait
 {
     /**
@@ -23,6 +25,11 @@ trait CryptTrait
      */
     protected $publicKey;
 
+    /**
+     * @var string
+     */
+    protected $encryptionKey;
+
     /**
      * Set path to private key.
      *
@@ -54,6 +61,10 @@ public function setPublicKey(CryptKey $publicKey)
      */
     protected function encrypt($unencryptedData)
     {
+        if ($this->encryptionKey !== null) {
+            return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+        }
+
         $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
         $privateKeyDetails = @openssl_pkey_get_details($privateKey);
         if ($privateKeyDetails === null) {
@@ -91,6 +102,10 @@ protected function encrypt($unencryptedData)
      */
     protected function decrypt($encryptedData)
     {
+        if ($this->encryptionKey !== null) {
+            return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+        }
+
         $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
         $publicKeyDetails = @openssl_pkey_get_details($publicKey);
         if ($publicKeyDetails === null) {
@@ -118,4 +133,14 @@ protected function decrypt($encryptedData)
 
         return $output;
     }
+
+    /**
+     * Set the encryption key
+     *
+     * @param string $key
+     */
+    public function setEncryptionKey($key = null)
+    {
+        $this->encryptionKey = $key;
+    }
 }

src/Grant/GrantTypeInterface.php

@@ -132,4 +132,11 @@ public function setPrivateKey(CryptKey $privateKey);
      * @param CryptKey $publicKey
      */
     public function setPublicKey(CryptKey $publicKey);
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|null $key
+     */
+    public function setEncryptionKey($key = null);
 }

tests/AuthorizationServerTest.php

@@ -36,6 +36,7 @@ public function testRespondToRequestInvalidGrantType()
             'file://' . __DIR__ . '/Stubs/public.key',
             new StubResponseType()
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -66,6 +67,7 @@ public function testRespondToRequest()
             'file://' . __DIR__ . '/Stubs/public.key',
             new StubResponseType()
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -87,6 +89,7 @@ public function testGetResponseType()
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $abstractGrantReflection = new \ReflectionClass($server);
         $method = $abstractGrantReflection->getMethod('getResponseType');
@@ -106,6 +109,7 @@ public function testCompleteAuthorizationRequest()
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
         $authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity());
@@ -152,6 +156,7 @@ public function testValidateAuthorizationRequest()
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
         $server->enableGrantType($grant);
 
         $request = new ServerRequest(
@@ -184,6 +189,7 @@ public function testValidateAuthorizationRequestUnregistered()
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $request = new ServerRequest(
             [],

tests/Middleware/AuthorizationServerMiddlewareTest.php

@@ -36,6 +36,7 @@ public function testValidResponse()
             'file://' . __DIR__ . '/../Stubs/public.key',
             new StubResponseType()
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant());
 
@@ -69,6 +70,7 @@ public function testOAuthErrorResponse()
             'file://' . __DIR__ . '/../Stubs/public.key',
             new StubResponseType()
         );
+        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));