implement encryption key rotation for JWE decryption

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Service/JweService.php

@@ -24,13 +24,17 @@
 use Jose\Component\Encryption\JWETokenSupport;
 use Jose\Component\Encryption\Serializer\CompactSerializer;
 use Jose\Component\Encryption\Serializer\JWESerializerManager;
+use OCP\AppFramework\Services\IAppConfig;
+use Psr\Log\LoggerInterface;
 
 class JweService {
 
 	public const CONTENT_ENCRYPTION_ALGORITHM = 'A192CBC-HS384';
 
 	public function __construct(
 		private JwkService $jwkService,
+		private IAppConfig $appConfig,
+		private LoggerInterface $logger,
 	) {
 	}
 
@@ -165,9 +169,28 @@ public function decryptSerializedJwe(string $serializedJwe): string {
 		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey(true);
 		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
 		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
-		$encPrivJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true, includePrivateKey: true);
-
-		return $this->decryptSerializedJweWithKey($serializedJwe, $encPrivJwk);
+		$encryptionPrivateJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true, includePrivateKey: true);
+
+		try {
+			return $this->decryptSerializedJweWithKey($serializedJwe, $encryptionPrivateJwk);
+		} catch (\Exception $e) {
+			// try the old expired key
+			$oldPemEncryptionKey = $this->appConfig->getAppValueString(JwkService::PEM_EXPIRED_ENC_KEY_SETTINGS_KEY, lazy: true);
+			$oldPemEncryptionKeyCreatedAt = $this->appConfig->getAppValueInt(JwkService::PEM_EXPIRED_ENC_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
+			if ($oldPemEncryptionKey === '' || $oldPemEncryptionKeyCreatedAt === 0) {
+				$this->logger->debug('JWE decryption failed with a fresh key and there is no old key');
+				throw $e;
+			}
+			// the old encryption key is expired for more than an hour, we can't use it
+			if (time() > $oldPemEncryptionKeyCreatedAt + JwkService::PEM_ENC_KEY_EXPIRES_AFTER_SECONDS + (60 * 60)) {
+				$this->logger->debug('JWE decryption failed with a fresh key and the old key is expired for more than an hour');
+				throw $e;
+			}
+			$oldSslEncryptionKey = openssl_pkey_get_private($oldPemEncryptionKey);
+			$oldSslEncryptionKeyDetails = openssl_pkey_get_details($oldSslEncryptionKey);
+			$oldEncryptionPrivateJwk = $this->jwkService->getJwkFromSslKey($oldSslEncryptionKeyDetails, isEncryptionKey: true, includePrivateKey: true);
+			return $this->decryptSerializedJweWithKey($serializedJwe, $oldEncryptionPrivateJwk);
+		}
 	}
 
 	public function createSerializedJwe(string $payload): string {

lib/Service/JwkService.php

@@ -19,16 +19,19 @@
 class JwkService {
 
 	public const PEM_SIG_KEY_SETTINGS_KEY = 'pemSignatureKey';
-	public const PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY = 'pemSignatureKeyExpiresAt';
-	public const PEM_SIG_KEY_EXPIRES_IN_SECONDS = 60 * 60;
+	public const PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY = 'pemSignatureKeyCreatedAt';
+	public const PEM_SIG_KEY_EXPIRES_AFTER_SECONDS = 60 * 60;
 	public const PEM_SIG_KEY_ALGORITHM = 'ES384';
 	public const PEM_SIG_KEY_CURVE = 'P-384';
 
 	public const PEM_ENC_KEY_SETTINGS_KEY = 'pemEncryptionKey';
-	public const PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY = 'pemEncryptionKeyExpiresAt';
-	public const PEM_ENC_KEY_EXPIRES_IN_SECONDS = 60 * 60;
+	public const PEM_ENC_KEY_CREATED_AT_SETTINGS_KEY = 'pemEncryptionKeyCreatedAt';
+	public const PEM_ENC_KEY_EXPIRES_AFTER_SECONDS = 60 * 60;
 	public const PEM_ENC_KEY_ALGORITHM = 'ECDH-ES+A192KW';
 	public const PEM_ENC_KEY_CURVE = 'P-384';
+	// we store the expired encryption key and can use it for one extra hour after a new one has been generated
+	public const PEM_EXPIRED_ENC_KEY_SETTINGS_KEY = 'pemExpiredEncryptionKey';
+	public const PEM_EXPIRED_ENC_KEY_CREATED_AT_SETTINGS_KEY = 'pemExpiredEncryptionKeyCreatedAt';
 
 	public function __construct(
 		private IAppConfig $appConfig,
@@ -44,13 +47,15 @@ public function __construct(
 	 */
 	public function getMyPemSignatureKey(bool $refresh = true): string {
 		$pemSignatureKey = $this->appConfig->getAppValueString(self::PEM_SIG_KEY_SETTINGS_KEY, lazy: true);
-		$pemSignatureKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
+		$pemSignatureKeyCreatedAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
 
-		if ($pemSignatureKey === '' || $pemSignatureKeyExpiresAt === 0 || ($refresh && time() > $pemSignatureKeyExpiresAt)) {
+		if ($pemSignatureKey === ''
+			|| $pemSignatureKeyCreatedAt === 0
+			|| ($refresh && (time() > $pemSignatureKeyCreatedAt + self::PEM_SIG_KEY_EXPIRES_AFTER_SECONDS))) {
 			$pemSignatureKey = $this->generatePemPrivateKey();
 			// store the key
 			$this->appConfig->setAppValueString(self::PEM_SIG_KEY_SETTINGS_KEY, $pemSignatureKey, lazy: true);
-			$this->appConfig->setAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, time() + self::PEM_SIG_KEY_EXPIRES_IN_SECONDS, lazy: true);
+			$this->appConfig->setAppValueInt(self::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY, time(), lazy: true);
 		}
 		return $pemSignatureKey;
 	}
@@ -64,13 +69,24 @@ public function getMyPemSignatureKey(bool $refresh = true): string {
 	 */
 	public function getMyEncryptionKey(bool $refresh = true): string {
 		$pemEncryptionKey = $this->appConfig->getAppValueString(self::PEM_ENC_KEY_SETTINGS_KEY, lazy: true);
-		$pemEncryptionKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
-
-		if ($pemEncryptionKey === '' || $pemEncryptionKeyExpiresAt === 0 || ($refresh && time() > $pemEncryptionKeyExpiresAt)) {
+		$pemEncryptionKeyCreatedAt = $this->appConfig->getAppValueInt(self::PEM_ENC_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
+
+		if ($pemEncryptionKey === ''
+			|| $pemEncryptionKeyCreatedAt === 0
+			|| ($refresh && (time() > $pemEncryptionKeyCreatedAt + self::PEM_ENC_KEY_EXPIRES_AFTER_SECONDS))
+		) {
+			// if we have an old expired key, keep it for one hour
+			if ($pemEncryptionKey !== ''
+				&& $pemEncryptionKeyCreatedAt !== 0
+				&& (time() > $pemEncryptionKeyCreatedAt + self::PEM_ENC_KEY_EXPIRES_AFTER_SECONDS)) {
+				$this->appConfig->setAppValueString(self::PEM_EXPIRED_ENC_KEY_SETTINGS_KEY, $pemEncryptionKey, lazy: true);
+				$this->appConfig->setAppValueInt(self::PEM_EXPIRED_ENC_KEY_CREATED_AT_SETTINGS_KEY, $pemEncryptionKeyCreatedAt, lazy: true);
+			}
+			// generate a new key
 			$pemEncryptionKey = $this->generatePemPrivateKey();
 			// store the key
 			$this->appConfig->setAppValueString(self::PEM_ENC_KEY_SETTINGS_KEY, $pemEncryptionKey, lazy: true);
-			$this->appConfig->setAppValueInt(self::PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY, time() + self::PEM_ENC_KEY_EXPIRES_IN_SECONDS, lazy: true);
+			$this->appConfig->setAppValueInt(self::PEM_ENC_KEY_CREATED_AT_SETTINGS_KEY, time(), lazy: true);
 		}
 		return $pemEncryptionKey;
 	}
@@ -122,11 +138,14 @@ public function getJwks(): array {
 	}
 
 	public function getJwkFromSslKey(array $sslKeyDetails, bool $isEncryptionKey = false, bool $includePrivateKey = false): array {
-		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
+		$pemPrivateKeyCreatedAt = $this->appConfig->getAppValueInt(
+			$isEncryptionKey ? self::PEM_ENC_KEY_CREATED_AT_SETTINGS_KEY : self::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY,
+			lazy: true,
+		);
 		$jwk = [
 			'kty' => 'EC',
 			'use' => $isEncryptionKey ? 'enc' : 'sig',
-			'kid' => ($isEncryptionKey ? 'enc' : 'sig') . '_key_' . $pemPrivateKeyExpiresAt,
+			'kid' => ($isEncryptionKey ? 'enc' : 'sig') . '_key_' . $pemPrivateKeyCreatedAt,
 			'crv' => $isEncryptionKey ? self::PEM_ENC_KEY_CURVE : self::PEM_SIG_KEY_CURVE,
 			'x' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['x']), '+/', '-_'), '='),
 			'y' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['y']), '+/', '-_'), '='),
@@ -155,7 +174,7 @@ public function generateClientAssertion(Provider $provider, string $discoveryIss
 		// we refresh (if needed) here to make sure we use a key that will be served to the IdP in a few seconds
 		$myPemPrivateKey = $this->getMyPemSignatureKey();
 		$sslPrivateKey = openssl_pkey_get_private($myPemPrivateKey);
-		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
+		$pemSignatureKeyCreatedAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
 
 		$payload = [
 			'sub' => $provider->getClientId(),
@@ -170,7 +189,7 @@ public function generateClientAssertion(Provider $provider, string $discoveryIss
 			$payload['code'] = $code;
 		}
 
-		return $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, self::PEM_SIG_KEY_ALGORITHM);
+		return $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemSignatureKeyCreatedAt, self::PEM_SIG_KEY_ALGORITHM);
 	}
 
 	public function debug(): array {
@@ -180,8 +199,8 @@ public function debug(): array {
 		$pubKeyPem = $pubKey['key'];
 
 		$payload = ['lll' => 'aaa'];
-		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
-		$signedJwtToken = $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, self::PEM_SIG_KEY_ALGORITHM);
+		$pemSignatureKeyCreatedAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
+		$signedJwtToken = $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemSignatureKeyCreatedAt, self::PEM_SIG_KEY_ALGORITHM);
 
 		// check content of JWT
 		$rawJwks = ['keys' => [$this->getJwkFromSslKey($pubKey)]];

tests/unit/Service/JweServiceTest.php

@@ -13,6 +13,7 @@
 use OCP\AppFramework\Services\IAppConfig;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
+use Psr\Log\LoggerInterface;
 
 class JweServiceTest extends TestCase {
 
@@ -27,7 +28,11 @@ public function setUp(): void {
 		parent::setUp();
 		$this->appConfig = $this->createMock(IAppConfig::class);
 		$this->jwkService = new JwkService($this->appConfig);
-		$this->jweService = new JweService($this->jwkService);
+		$this->jweService = new JweService(
+			$this->jwkService,
+			$this->appConfig,
+			$this->createMock(LoggerInterface::class),
+		);
 	}
 
 	public function testJweEncryptionDecryption() {

tests/unit/Service/JwkServiceTest.php

@@ -39,8 +39,8 @@ public function testSignatureKeyAndJwt() {
 		$this->assertStringContainsString('-----END PRIVATE KEY-----', $myPemPrivateKey);
 
 		$initialPayload = ['nice' => 'example'];
-		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(JwkService::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
-		$jwkId = 'sig_key_' . $pemPrivateKeyExpiresAt;
+		$pemSignatureKeyCreatedAt = $this->appConfig->getAppValueInt(JwkService::PEM_SIG_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
+		$jwkId = 'sig_key_' . $pemSignatureKeyCreatedAt;
 		$signedJwtToken = $this->jwkService->createJwt($initialPayload, $sslPrivateKey, $jwkId, JwkService::PEM_SIG_KEY_ALGORITHM);
 
 		// check JWK
@@ -72,8 +72,8 @@ public function testEncryptionKey() {
 		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
 		$encJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true);
 
-		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(JwkService::PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
-		$encJwkId = 'enc_key_' . $pemPrivateKeyExpiresAt;
+		$pemEncryptionKeyCreatedAt = $this->appConfig->getAppValueInt(JwkService::PEM_ENC_KEY_CREATED_AT_SETTINGS_KEY, lazy: true);
+		$encJwkId = 'enc_key_' . $pemEncryptionKeyCreatedAt;
 
 		$this->assertEquals('EC', $encJwk['kty']);
 		$this->assertEquals('enc', $encJwk['use']);

tests/unit/Service/ProvisioningServiceTest.php

@@ -248,7 +248,6 @@ public function testProvisionUserInvalidProperties(): void {
 		$property->method('getName')->willReturn('twitter');
 		$property->method('getScope')->willReturn(IAccountManager::SCOPE_LOCAL);
 		$property->method('getValue')->willReturnCallback(function () use (&$twitterProperty) {
-			echo 'GETTING: ' . $twitterProperty;
 			return $twitterProperty;
 		});