feat(encryption): Implement the main logic of using previous keys if decryption failed

patel-vansh · patel-vansh · commit 486bf5794cd0 · 2025-12-21T18:38:25.000+05:30
diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php
@@ -14,7 +14,6 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
-use SensitiveParameter;
 
 /**
  * Encryption handling for OpenSSL library
@@ -56,6 +55,20 @@ class OpenSSLHandler extends BaseHandler
      */
     protected $key = '';
 
+    /**
+     * Whether to fall back to previous keys when decryption fails.
+     *
+     * @var bool
+     */
+    protected bool $previousKeysFallbackEnabled = false;
+
+    /**
+     * List of previous keys for fallback decryption.
+     *
+     * @var string[]
+     */
+    protected array $previousKeys = [];
+
     /**
      * Whether the cipher-text should be raw. If set to false, then it will be base64 encoded.
      */
@@ -127,8 +140,46 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
             throw EncryptionException::forNeedsStarterKey();
         }
 
+        try {
+            $result = $this->decryptWithKey($data, $this->key);
+        } catch (EncryptionException $e) {
+            $result    = false;
+            $exception = $e;
+        }
+
+        if ($result === false && $this->previousKeysFallbackEnabled && ! empty($this->previousKeys)) {
+            foreach ($this->previousKeys as $previousKey) {
+                try {
+                    $result = $this->decryptWithKey($data, $previousKey);
+                    if ($result !== false) {
+                        return $result;
+                    }
+                } catch (EncryptionException) {
+                    // Try next key
+                }
+            }
+        }
+
+        if (isset($exception)) {
+            throw $exception;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Decrypt the data with the provided key
+     *
+     * @param string $data
+     * @param string $key
+     *
+     * @return false|string
+     * @throws EncryptionException
+     */
+    protected function decryptWithKey($data, #[SensitiveParameter] $key)
+    {
         // derive a secret key
-        $authKey = \hash_hkdf($this->digest, $this->key, 0, $this->authKeyInfo);
+        $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);
 
         $hmacLength = $this->rawData
             ? $this->digestSize[$this->digest]
@@ -152,7 +203,7 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
         }
 
         // derive a secret key
-        $encryptKey = \hash_hkdf($this->digest, $this->key, 0, $this->encryptKeyInfo);
+        $encryptKey = \hash_hkdf($this->digest, $key, 0, $this->encryptKeyInfo);
 
         return \openssl_decrypt($data, $this->cipher, $encryptKey, OPENSSL_RAW_DATA, $iv);
     }
diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php
@@ -14,7 +14,6 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
-use SensitiveParameter;
 
 /**
  * SodiumHandler uses libsodium in encryption.
@@ -80,6 +79,46 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
             throw EncryptionException::forNeedsStarterKey();
         }
 
+        try {
+            $result = $this->decryptWithKey($data, $this->key);
+            sodium_memzero($this->key);
+        } catch (EncryptionException $e) {
+            $result    = false;
+            $exception = $e;
+            sodium_memzero($this->key);
+        }
+
+        if ($result === false && $this->previousKeysFallbackEnabled && ! empty($this->previousKeys)) {
+            foreach ($this->previousKeys as $previousKey) {
+                try {
+                    $result = $this->decryptWithKey($data, $previousKey);
+                    if (isset($result)) {
+                        return $result;
+                    }
+                } catch (EncryptionException) {
+                    // Try next key
+                }
+            }
+        }
+
+        if (isset($exception)) {
+            throw $exception;
+        }
+
+        return $result;
+    }
+
+    /**
+     * Decrypt the data with the provided key
+     *
+     * @param string $data
+     * @param string $key
+     *
+     * @return string
+     * @throws EncryptionException
+     */
+    protected function decryptWithKey($data, #[SensitiveParameter] $key)
+    {
         if (mb_strlen($data, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
             // message was truncated
             throw EncryptionException::forAuthenticationFailed();
@@ -90,7 +129,7 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
         $ciphertext = self::substr($data, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
 
         // decrypt data
-        $data = sodium_crypto_secretbox_open($ciphertext, $nonce, $this->key);
+        $data = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
 
         if ($data === false) {
             // message was tampered in transit
@@ -106,7 +145,6 @@ public function decrypt($data, #[SensitiveParameter] $params = null)
 
         // cleanup buffers
         sodium_memzero($ciphertext);
-        sodium_memzero($this->key);
 
         return $data;
     }
