From 81e3a0d7ed7a8e7b3fecfa752ca5e1b9af80dc90 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Thu, 14 Apr 2022 23:50:51 -0700 Subject: [PATCH] Overview -------- The setting `CIVICRM_SIGN_KEYS` was introduced circa 5.36. However, it is defined in `civicrm.settings.php`, which makes it difficult to reliably configure in an automated upgrade. Consequently, some sites may not have this setting, and we must rely on the sysadmin to provide it. The setting is required for the `crypto.jwt` API (which in turn is used by some core extensions, like `authx` and `afform`). Before ------ There is a pre-upgrade message when somebody passes through v5.36. If you missed the message in 5.36, then you would be unaware of the missing setting (until you hit some failure because you use some new/update code-path that relies on it). After ----- There is a system status-check. If you don't have `CIVICRM_SIGN_KEYS`, then it will show a link to https://docs.civicrm.org/sysadmin/en/latest/setup/secret-keys/.
---
 CRM/Utils/Check/Component/Security.php | 35 ++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index da8735e78ac5..f449a09518ac 100644
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -187,6 +187,41 @@ public function checkDirectoriesAreNotBrowseable() {
 return $messages;
 }
 
+ /**
+ * Check that the site is configured with a signing-key.
+ *
+ * The current infrastructure for signatures was introduced circa 5.36. Specifically,
+ * most sites should now define `CIVICRM_SIGN_KEYS`. However, this could be missing for
+ * sites which either (a) upgraded from an earlier release or (b) used an unpatched installer.
+ *
+ * @return CRM_Utils_Check_Message[]
+ */
+ public function checkSigningKey(): array {
+ $messages = [];
+
+ try {
+ $found = !empty(Civi::service('crypto.registry')->findKey('SIGN'));
+ // Subtle point: We really want to know if there are any `SIGN`ing keys. The most
+ // typical way to define `SIGN`ing keys is to configure `CIVICRM_SIGN_KEYS`.
+ }
+ catch (\Civi\Crypto\Exception\CryptoException $e) {
+ $found = FALSE;
+ }
+ if (!$found) {
+ $messages[] = new CRM_Utils_Check_Message(
+ __FUNCTION__,
+ ts('Some components and extensions may need to generate cryptographic signatures. Please configure CIVICRM_SIGN_KEYS. ',
+ [1 => 'href="https://docs.civicrm.org/sysadmin/en/latest/setup/secret-keys/" target="_blank"']
+ ),
+ ts('Signing Key Recommended'),
+ \Psr\Log\LogLevel::NOTICE,
+ 'fa-lock'
+ );
+ }
+
+ return $messages;
+ }
+
 /**
 * Check that some files are not present.
 *
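Review bot: The `catch (\Civi\Crypto\Exception\CryptoException $e)` branch in `checkSigningKey()` discards the exception, so every crypto failure is reported as the same NOTICE-level "Signing Key Recommended" message. If `findKey('SIGN')` can throw for reasons other than an absent key (for example a `CIVICRM_SIGN_KEYS` value that is present but cannot be parsed; the registry code is not visible in this hunk), the administrator gets no hint that the existing setting is broken rather than missing. Consider keeping `$found = FALSE;` and recording the reason next to it, e.g. `\Civi::log()->debug('checkSigningKey: ' . $e->getMessage());`, provided the exception text never carries key material, or at least add a comment stating that the catch is the expected "no key registered" path. Separately, the link attributes in the `[1 => ...]` string use `target="_blank"` without `rel="noopener noreferrer"`, which is worth adding.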