Merge pull request #19236 from totten/master-crypt-svc

dev/core#2258 - Add services to support encryption

CRM/Utils/Hook.php

@@ -1759,6 +1759,26 @@ public static function alterTemplateFile($formName, &$form, $context, &$tplName)
     );
   }
 
+  /**
+   * Register cryptographic resources, such as keys and cipher-suites.
+   *
+   * Ex: $crypto->addSymmetricKey([
+   *   'key' => hash_hkdf('sha256', 'abcd1234'),
+   *   'suite' => 'aes-cbc-hs',
+   * ]);
+   *
+   * @param \Civi\Crypto\CryptoRegistry $crypto
+   *
+   * @return mixed
+   */
+  public static function crypto($crypto) {
+    return self::singleton()->invoke(['crypto'], $crypto, self::$_nullObject,
+      self::$_nullObject, self::$_nullObject, self::$_nullObject,
+      self::$_nullObject,
+      'civicrm_crypto'
+    );
+  }
+
   /**
    * This hook collects the trigger definition from all components.
    *

CRM/Utils/String.php

@@ -221,6 +221,31 @@ public static function isAscii($str, $utf8 = TRUE) {
     }
   }
 
+  /**
+   * Encode string using URL-safe Base64.
+   *
+   * @param string $v
+   *
+   * @return string
+   * @see https://tools.ietf.org/html/rfc4648#section-5
+   */
+  public static function base64UrlEncode($v) {
+    return rtrim(str_replace(['+', '/'], ['-', '_'], base64_encode($v)), '=');
+  }
+
+  /**
+   * Decode string using URL-safe Base64.
+   *
+   * @param string $v
+   *
+   * @return false|string
+   * @see https://tools.ietf.org/html/rfc4648#section-5
+   */
+  public static function base64UrlDecode($v) {
+    // PHP base64_decode() is already forgiving about padding ("=").
+    return base64_decode(str_replace(['-', '_'], ['+', '/'], $v));
+  }
+
   /**
    * Determine the string replacements for redaction.
    * on the basis of the regular expressions

Civi/Core/Container.php

@@ -218,6 +218,12 @@ public function createContainer() {
     $container->setDefinition('pear_mail', new Definition('Mail'))
       ->setFactory('CRM_Utils_Mail::createMailer')->setPublic(TRUE);
 
+    $container->setDefinition('crypto.registry', new Definition('Civi\Crypto\CryptoService'))
+      ->setFactory('Civi\Crypto\CryptoRegistry::createDefaultRegistry')->setPublic(TRUE);
+
+    $container->setDefinition('crypto.token', new Definition('Civi\Crypto\CryptoToken', []))
+      ->setPublic(TRUE);
+
     if (empty(\Civi::$statics[__CLASS__]['boot'])) {
       throw new \RuntimeException('Cannot initialize container. Boot services are undefined.');
     }

Civi/Crypto/CipherSuiteInterface.php

@@ -0,0 +1,51 @@
+<?php
+/*
+ +--------------------------------------------------------------------+
+ | Copyright CiviCRM LLC. All rights reserved.                        |
+ |                                                                    |
+ | This work is published under the GNU AGPLv3 license with some      |
+ | permitted exceptions and without any warranty. For full license    |
+ | and copyright information, see https://civicrm.org/licensing       |
+ +--------------------------------------------------------------------+
+ */
+namespace Civi\Crypto;
+
+/**
+ * @package Civi\Crypt
+ */
+interface CipherSuiteInterface {
+
+  /**
+   * Get a list of supported cipher suites.
+   *
+   * @return array
+   *   Ex: ['aes-cbc', 'aes-bbc', 'aes-pbs']
+   */
+  public function getSuites(): array;
+
+  /**
+   * Encrypt a string
+   *
+   * @param string $plainText
+   * @param array $key
+   *
+   * @return string
+   *   Encrypted content as a binary string.
+   *   Depending on the suite, this may include related values (eg HMAC + IV).
+   */
+  public function encrypt(string $plainText, array $key): string;
+
+  /**
+   * Decrypt a string
+   *
+   * @param string $cipherText
+   *   Encrypted content as a binary string.
+   *   Depending on the suite, this may include related values (eg HMAC + IV).
+   * @param array $key
+   *
+   * @return string
+   *   Decrypted string
+   */
+  public function decrypt(string $cipherText, array $key): string;
+
+}