mogilvie / EncryptBundle

Encryption bundle

Symfony 4 - Encrypted and decrypted key is the same. #7

Closed Volmarg closed 5 years ago

Volmarg commented 5 years ago

Hello,

I've just added your bundle to my Symfony project (4.3, I think). I will skip the issues with key generation, but I've managed to make a 256-bit one.

Now I've got a problem: the encrypted and decrypted key is actually the same. Am I doing something wrong, or do you have any idea?


I'm just doing tests now, so you can recreate it with this key: encrypt_key: 'kXp2s5v8y/A?D(G+KbPehVmYq3t6whVmYq3tt6wShVw9z' and this encrypted string: test

Same for Twig: {{ 'WlCj153fQK1yzp1qZXByLBaUL9T2vw7nq7fbSXruZ8Q=' | decrypt }} Result: WlCj153fQK1yzp1qZXByLBaUL9T2vw7nq7fbSXruZ8Q=

Volmarg commented 5 years ago

Yeah, it's a bug or some incompatibility.

This saved such string into database: oQzacpgt4sPRTyu0kHMOYf7tc1fh1YQecmZ+tO4IJfM=<ENC>

Now when I use this string for tests:

 $decrypted = $this->encryptor->decrypt('oQzacpgt4sPRTyu0kHMOYf7tc1fh1YQecmZ+tO4IJfM=<ENC>');


So it looks like the encrypted keys in the controller are missing this <ENC> thing.

mogilvie commented 5 years ago

Hi Volmarg. There is only one encryption key, unique to your installation. The key is used to both encrypt and decrypt the stored value; see the encryptor.

When decrypting, the decryptor looks for 5 characters at the end of the persisted string: "<ENC>". If it finds this string fragment, then it knows the value is encrypted and runs the decrypt process. Otherwise it returns the raw stored value.

    // If the value does not have the suffix <ENC> then ignore.
    if (substr($data, -5) !== DoctrineEncryptSubscriberInterface::ENCRYPTED_SUFFIX) {
        return $data;
    }

Your initial test didn't contain the suffix "<ENC>", so it wasn't decrypted.

Volmarg commented 5 years ago

Thanks for response.

Yeah, I've figured it out, but what I mean is that the encryptor actually created that string without <ENC>, and then the decryptor couldn't handle it.

mogilvie commented 5 years ago

OK. Understand. I'll look into it tonight.

mogilvie commented 5 years ago

Just had a quick look now. The <ENC> suffix is added to the encrypted value during the Doctrine persistence event. As you are not persisting the encrypted string in the tests, it is not being appended. I think it would make more sense to add the suffix in the decryptor/encryptor. The encryptor needs to add the suffix, and to maintain BC the DoctrineEncryptSubscriber will need a check to add the suffix only if it doesn't already exist. I can make the changes on Friday, or if you need it done quickly, then submit a pull request. Thanks for raising.
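
The design sketched in the comment above (the encryptor owns the <ENC> suffix, the decryptor only decrypts when it sees the suffix, and the persistence hook appends it only when missing), as an added PHP example that is not the bundle's own code. It uses libsodium's secretbox instead of whatever cipher the bundle uses, and the `SuffixingEncryptor` class and `prePersistValue` helper are hypothetical names chosen for this illustration:

```php
<?php
// Added example (not EncryptBundle's code): an encryptor that appends the
// "<ENC>" marker itself, so a value encrypted in a controller or a test
// round-trips without going through a Doctrine persist event.
// Cipher: libsodium secretbox (XSalsa20-Poly1305) with a random nonce,
// stored as base64(nonce || ciphertext) followed by the suffix.
declare(strict_types=1);

final class SuffixingEncryptor
{
    public const ENCRYPTED_SUFFIX = '<ENC>';

    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('Key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    // Encrypts and appends the suffix. An already-suffixed value is returned
    // as-is so that a persistence hook cannot encrypt it a second time.
    public function encrypt(?string $plaintext): ?string
    {
        if ($plaintext === null || self::hasSuffix($plaintext)) {
            return $plaintext;
        }
        $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = sodium_crypto_secretbox($plaintext, $nonce, $this->key);
        return base64_encode($nonce . $cipher) . self::ENCRYPTED_SUFFIX;
    }

    // Decrypts only when the suffix is present; anything else is treated as a
    // plain stored value and returned unchanged, which is the behaviour the
    // thread describes for untagged strings.
    public function decrypt(?string $data): ?string
    {
        if ($data === null || !self::hasSuffix($data)) {
            return $data;
        }
        $encoded = substr($data, 0, -strlen(self::ENCRYPTED_SUFFIX));
        $raw     = base64_decode($encoded, true);
        if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            throw new RuntimeException('Malformed encrypted value');
        }
        $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $this->key);
        if ($plain === false) {
            // Authentication failure: wrong key or tampered ciphertext.
            throw new RuntimeException('Decryption failed');
        }
        return $plain;
    }

    public static function hasSuffix(string $value): bool
    {
        return substr($value, -strlen(self::ENCRYPTED_SUFFIX)) === self::ENCRYPTED_SUFFIX;
    }
}

// Hypothetical stand-in for the Doctrine subscriber's pre-persist step.
// With the encryptor adding the suffix, the hook's only job is the BC guard:
// append/encrypt only when the value is not already tagged.
function prePersistValue(SuffixingEncryptor $enc, string $value): string
{
    return SuffixingEncryptor::hasSuffix($value) ? $value : $enc->encrypt($value);
}

$enc = new SuffixingEncryptor(sodium_crypto_secretbox_keygen());

$stored = $enc->encrypt('test');              // base64 payload + "<ENC>"
assert(SuffixingEncryptor::hasSuffix($stored));
assert($enc->decrypt($stored) === 'test');    // round-trips outside any entity

// Constructed sample from the thread: an untagged base64 string is returned
// untouched rather than being run through the cipher.
$untagged = 'WlCj153fQK1yzp1qZXByLBaUL9T2vw7nq7fbSXruZ8Q=';
assert($enc->decrypt($untagged) === $untagged);

// The persistence hook does not re-encrypt an already-suffixed value.
assert(prePersistValue($enc, $stored) === $stored);
```

Two caveats a practitioner should keep in mind with this marker scheme: base64 output never contains '<', so the suffix is unambiguous on the encrypted side, but a genuine plaintext that happens to end in "<ENC>" would be passed through unencrypted, and a random nonce per call means the same plaintext produces a different ciphertext every time, so encrypted columns cannot be compared or indexed for equality.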

Volmarg commented 5 years ago

Nah it does the job for me with entity. Just had this issue so I wrote info. Thanks.

mogilvie commented 5 years ago

Fixed in v1.1.1