refactor: add support for both string and array $previousKeys and made decrypt functions more readable.

patel-vansh · patel-vansh · commit 2f586229a7f9 · 2025-12-25T17:35:13.000+05:30
diff --git a/app/Config/Encryption.php b/app/Config/Encryption.php
@@ -30,7 +30,7 @@ class Encryption extends BaseConfig
      * If you want to enable decryption using previous keys, set them here.
      * See the user guide for more info.
      */
-    public string $previousKeys = '';
+    public string|array $previousKeys = '';
 
     /**
      * --------------------------------------------------------------------------
diff --git a/system/Config/BaseConfig.php b/system/Config/BaseConfig.php
@@ -134,13 +134,14 @@ public function __construct()
                 if ($property === 'key') {
                     $this->{$property} = $this->parseEncryptionKey($this->{$property});
                 } elseif ($property === 'previousKeys') {
-                    $keysArray  = array_map(trim(...), explode(',', $this->{$property}));
+                    $keysArray  = is_string($this->{$property}) ? array_map(trim(...), explode(',', $this->{$property})) : $this->{$property};
                     $parsedKeys = [];
 
                     foreach ($keysArray as $key) {
                         $parsedKeys[] = $this->parseEncryptionKey($key);
                     }
-                    $this->{$property} = implode(',', $parsedKeys);
+
+                    $this->{$property} = $parsedKeys;
                 }
             }
         }
diff --git a/system/Encryption/Encryption.php b/system/Encryption/Encryption.php
@@ -54,9 +54,11 @@ class Encryption
     protected $key;
 
     /**
-     * Comma-separated list of previous keys for fallback decryption.
+     * Array or Comma-separated list of previous keys for fallback decryption.
+     *
+     * @var string|array<string>
      */
-    protected string $previousKeys = '';
+    protected string|array $previousKeys = '';
 
     /**
      * The derived HMAC key
diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php
@@ -59,7 +59,7 @@ class OpenSSLHandler extends BaseHandler
     /**
      * List of previous keys for fallback decryption.
      */
-    protected string $previousKeys = '';
+    protected string|array $previousKeys = '';
 
     /**
      * Whether the cipher-text should be raw. If set to false, then it will be base64 encoded.
@@ -132,32 +132,39 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
             throw EncryptionException::forNeedsStarterKey();
         }
 
-        $result = false;
+        // Only use fallback keys if no custom key was provided in params
+        $useFallback = !isset($params['key']);
 
-        try {
-            $result = $this->decryptWithKey($data, $this->key);
-        } catch (EncryptionException $e) {
-            $exception = $e;
+        $attemptDecrypt = function ($key) use ($data) {
+            try {
+                $result = $this->decryptWithKey($data, $key);
+                return ['success' => true, 'data' => $result];
+            } catch (EncryptionException $e) {
+                return ['success' => false, 'exception' => $e];
+            }
+        };
+
+        $result = $attemptDecrypt($this->key);
+
+        if ($result['success']) {
+            return $result['data'];
         }
 
-        if ($result === false && $this->previousKeys !== '') {
-            foreach (explode(',', $this->previousKeys) as $previousKey) {
-                try {
-                    $result = $this->decryptWithKey($data, $previousKey);
-                    if ($result !== false) {
-                        return $result;
-                    }
-                } catch (EncryptionException) {
-                    // Try next key
+        $originalException = $result['exception'];
+
+        // If primary key failed and fallback is allowed, try previous keys
+        if ($useFallback && !empty($this->previousKeys)) {
+            foreach ($this->previousKeys as $previousKey) {
+                $fallbackResult = $attemptDecrypt($previousKey);
+
+                if ($fallbackResult['success']) {
+                    return $fallbackResult['data'];
                 }
             }
         }
 
-        if (isset($exception)) {
-            throw $exception;
-        }
-
-        return $result;
+        // All attempts failed - throw the original exception
+        throw $originalException;
     }
 
     /**
diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php
@@ -14,6 +14,7 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
+use phpDocumentor\Reflection\PseudoTypes\NonEmptyString;
 use SensitiveParameter;
 
 /**
@@ -34,7 +35,7 @@ class SodiumHandler extends BaseHandler
     /**
      * List of previous keys for fallback decryption.
      */
-    protected string $previousKeys = '';
+    protected string|array $previousKeys = '';
 
     /**
      * Block size for padding message.
@@ -85,34 +86,40 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
             throw EncryptionException::forNeedsStarterKey();
         }
 
-        $result = false;
+        // Only use fallback keys if no custom key was provided in params
+        $useFallback = !isset($params['key']);
+
+        $attemptDecrypt = function ($key) use ($data) {
+            try {
+                $result = $this->decryptWithKey($data, $key);
+                sodium_memzero($key);
+                return ['success' => true, 'data' => $result];
+            } catch (EncryptionException $e) {
+                sodium_memzero($key);
+                return ['success' => false, 'exception' => $e];
+            }
+        };
+
+        $result = $attemptDecrypt($this->key);
 
-        try {
-            $result = $this->decryptWithKey($data, $this->key);
-            sodium_memzero($this->key);
-        } catch (EncryptionException $e) {
-            $exception = $e;
-            sodium_memzero($this->key);
+        if ($result['success']) {
+            return $result['data'];
         }
 
-        if ($result === false && $this->previousKeys !== '') {
-            foreach (explode(',', $this->previousKeys) as $previousKey) {
-                try {
-                    $result = $this->decryptWithKey($data, $previousKey);
-                    if (isset($result)) {
-                        return $result;
-                    }
-                } catch (EncryptionException) {
-                    // Try next key
+        $originalException = $result['exception'];
+
+        // If primary key failed and fallback is allowed, try previous keys
+        if ($useFallback && !empty($this->previousKeys)) {
+            foreach ($this->previousKeys as $previousKey) {
+                $fallbackResult = $attemptDecrypt($previousKey);
+
+                if ($fallbackResult['success']) {
+                    return $fallbackResult['data'];
                 }
             }
         }
 
-        if (isset($exception)) {
-            throw $exception;
-        }
-
-        return $result;
+        throw $originalException;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -134,13 +134,14 @@ public function __construct()`
`134`	`134`	`if ($property === 'key') {`
`135`	`135`	`$this->{$property} = $this->parseEncryptionKey($this->{$property});`
`136`	`136`	`} elseif ($property === 'previousKeys') {`
`137`		`- $keysArray = array_map(trim(...), explode(',', $this->{$property}));`
	`137`	`+ $keysArray = is_string($this->{$property}) ? array_map(trim(...), explode(',', $this->{$property})) : $this->{$property};`
`138`	`138`	`$parsedKeys = [];`
`139`	`139`
`140`	`140`	`foreach ($keysArray as $key) {`
`141`	`141`	`$parsedKeys[] = $this->parseEncryptionKey($key);`
`142`	`142`	`}`
`143`		`- $this->{$property} = implode(',', $parsedKeys);`
	`143`	`+`
	`144`	`+ $this->{$property} = $parsedKeys;`
`144`	`145`	`}`
`145`	`146`	`}`
`146`	`147`	`}`