Implemented re-keying of CustomerPortal. See PHPCRED-38
<?php
/** PHPCredLocker Re-Key Utility
*
* Re-Generates Crypto keys and re-encrypts all stored data - Likely to be a long process!
*
* Copyright (C) 2014 B Tasker
* Released under GNU AGPL V3
* See LICENSE
*
*/
 
// Presumably refuses to run outside the command line (see cli_only.php) - it must
// stay the first statement so nothing below executes for a web request
require_once 'cli_only.php';
 
// conf/crypto.php is guarded by "defined('_CREDLOCK') or die", so this constant
// has to exist before the key file is loaded by cryptokeyscli::__construct()
define('_CREDLOCK',"1");
// NOTE(review): silencing every notice and warning also hides copy()/fopen()/fwrite()
// failures in a script that rewrites the key file and re-encrypts the whole database;
// consider leaving errors visible while this utility runs
error_reporting(0);
 
 
 
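/** Wrapper class so that keys can be read from different sources
*
* Loads the cipher settings and the per-purpose keys from conf/crypto.php and can
* write them back out as PHP. Every instance does its own require, so two instances
* hold independent copies of the key objects (the script relies on that to keep an
* untouched copy of the original keys alongside the one it modifies).
*/
class cryptokeyscli{

        /** Per-purpose keys: the $crypt object from conf/crypto.php, one property per key name */
        public $keys;

        /** Cipher settings: the $cipher object from conf/crypto.php */
        public $cipher;

        function __construct(){
                // require (not require_once) so that each instance gets fresh objects
                require 'conf/crypto.php';
                $this->keys = $crypt;
                $this->cipher = $cipher;
        }


        /** Serialise the cipher settings and keys back to conf/crypto.php
        *
        * Overwrites the key file completely, in the same layout the constructor
        * reads. Values are emitted as single-quoted PHP string literals via
        * var_export(), so a setting or key containing a quote or backslash can no
        * longer break the generated file.
        *
        * @throws RuntimeException if the key file cannot be opened for writing
        */
        function writekeyfile(){

                $fh = fopen('conf/crypto.php','w');
                if ($fh === false){
                        // Failing silently here would let the caller go on to re-encrypt the
                        // database with a key that was never persisted, so stop hard instead
                        throw new RuntimeException('Could not open conf/crypto.php for writing');
                }

                fwrite($fh,"<?php\n /** Crypto Keys\n * KEEP THIS FILE SECRET\n * \n */\n defined('_CREDLOCK') or die; \n");

                fwrite($fh,"\n\n/** Cipher settings */\n\n");

                foreach ($this->cipher as $k=>$v){

                        if (!is_object($v)){
                                fwrite($fh,"\$cipher->$k = ".self::literal($v).";\n");
                        }else{
                                // One level of nesting is supported, matching the existing file format
                                foreach ($v as $vk => $vv){
                                        fwrite($fh,"\$cipher->$k->$vk = ".self::literal($vv).";\n");
                                }
                        }

                }


                fwrite($fh,"\n\n/** KEYS FOLLOW */\n");
                
                foreach ($this->keys as $k=>$v){
                        fwrite($fh,"\$crypt->$k = ".self::literal($v).";\n\n");
                }

                fclose($fh);
        }

        /** Render a value as a single-quoted PHP string literal
        *
        * The value is cast to string first so numbers keep the quoted form the
        * original file used; var_export() escapes backslashes and single quotes.
        */
        private static function literal($v){
                return var_export((string)$v, true);
        }

}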
 
 
 
/** Small helpers used by the re-key script */
class Utils{
        /** Build a random key of $len bytes and return it base64 encoded
        *
        * Each byte is drawn from Crypto::generateNum(32,254); byte 127 (DEL) is
        * redrawn rather than counted, so exactly $len bytes are accepted.
        * NOTE(review): bytes 0-31, 127 and 255 are never produced, so each byte
        * carries a little under 8 bits of the generator's output - confirm this
        * matches what the configured keyLength is meant to provide.
        */
        static function genKey($len){
                $raw = '';

                for ($remaining = $len; $remaining > 0; $remaining--){
                        do {
                                $byte = Crypto::generateNum(32,254);
                        } while ($byte == 127); // redraw the delete char

                        $raw .= chr($byte);
                }

                return base64_encode($raw);
        }
}
 
 
 
 
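// Set the working directory to the root
chdir(dirname(__FILE__)."/../");

// Load the framework and config etc
require_once 'lib/Framework/main.php';
require_once 'lib/crypto.php';


$output = new CLIOutput;
$input = new CLIInput;

$output->_("PHPCredlocker Re-Key Script\n==========================\n");
$output->_("Note: This script may take some time to complete, and the WebUI may not function correctly until complete");

$confirm = $input->read("Type YES to continue");

// Strict comparison: only the literal string YES continues
if ($confirm !== "YES"){
        $output->_("Aborting");
        die;
}


// The backup keeps the OLD keys on disk. It is what allows an aborted run to be
// rolled back, but once the re-key has been verified it should be removed (or
// moved off the box): those keys still decrypt any old ciphertext, e.g. in
// database backups.
$output->_("Backing up crypto.php");
if (!copy("conf/crypto.php","conf/crypto.backup.php")){
        $output->_("Could not back up keyfile. Aborting");
        die;
}



$db = new BTDB;
$crypt = new Crypto;
$currentkeys = new cryptokeyscli(); // We use this object to make sure we've got a copy of the original
$newkeys = new cryptokeyscli(); // We'll be making the changes in here


$keylength = $newkeys->cipher->keyLength;

// Utils::genKey() loops "while ($len > 0)", so a missing, zero or non-numeric
// keyLength would silently yield an EMPTY key and the whole database would be
// re-encrypted with it. Refuse to continue rather than risk that.
if (!is_numeric($keylength) || (int)$keylength < 1){
        $output->_("Invalid or missing keyLength in conf/crypto.php. Aborting");
        die;
}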
 
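$output->_("Preparing to Re-Key Users");

$db->setQuery("SELECT * FROM #__Users");
$users = $db->loadResults();

// For users, it's as simple as re-encrypting the Password hash.
// Every row is decrypted with the OLD auth key and held in memory BEFORE the
// new key is generated and written - keep that order, it is what makes the
// re-key recoverable.
$passes = array();

foreach ($users as $user){
        // NOTE(review): decrypt()'s failure contract is not visible here; if it can
        // return false or '' for a bad row, that value would be re-encrypted below - confirm
        $passes[$user->username] = $crypt->decrypt($user->pass,'auth');
}


$output->_("Generating new encryption key");

$newkeys->keys->auth = Utils::genKey($keylength);

// Write the key
$newkeys->writekeyfile();

// Encrypt using the new key and update the database.
// encrypt() is assumed to pick up the freshly written key from conf/crypto.php
// (the Crypto class is not visible here).
// NOTE(review): there is no transaction around this loop and runQuery()'s result
// is not checked, so a failure part-way leaves some rows under the old key with
// only conf/crypto.backup.php able to recover them.
foreach ($passes as $user=>$pass){
        $cpass = $crypt->encrypt($pass,'auth');

        $sql = "UPDATE #__Users SET pass='".$db->stringEscape($cpass)."' WHERE username='".$db->stringEscape($user)."'";
        $db->setQuery($sql);
        $db->runQuery();
}

unset($passes);
$output->_("");
$confirm = $input->read("User database has been re-keyed. Please LOG IN to the web interface to check it's worked. If it has type YES to continue");


// Probably need to do a little more to hold the users hand here really
if ($confirm !== "YES"){
        $output->_("Aborting");
        die;
}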
 
 
 
 
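// Credtypes are similarly simple, just the name to switch

$output->_("Preparing to Re-Key Credential Types");

$db->setQuery("SELECT * FROM #__CredTypes");
$credtypes = $db->loadResults();

// Decrypt every name under the OLD CredType key before the new one is written
$ctypes = array();

foreach ($credtypes as $credtype){
        // $credtype is an object, so the row in $credtypes is updated in place too
        $credtype->Name = $crypt->decrypt($credtype->Name,'CredType');
        $ctypes[] = $credtype;
}


$output->_("Generating new encryption key");
$newkeys->keys->CredType = Utils::genKey($keylength);
$newkeys->writekeyfile();

// Encrypt and update.
// NOTE(review): no transaction and runQuery()'s result is unchecked - a failure
// part-way leaves a mix of old- and new-key rows.

foreach ($ctypes as $credtype){
        $name = $crypt->encrypt($credtype->Name,'CredType');
        $db->setQuery("UPDATE #__CredTypes SET `Name`='".$db->stringEscape($name)."' WHERE `id`=".(int)$credtype->id);
        $db->runQuery();
}
unset($ctypes);
unset($credtypes);

$output->_("");
$confirm = $input->read("CredTypes have been re-keyed, Please log into the front end and ensure that you can view Credential Type names correctly");


// Probably need to do a little more to hold the users hand here really
if ($confirm !== "YES"){
        $output->_("Aborting");
        die;
}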
 
 
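// Customers require a little more work!

$output->_("Preparing to Re-Key Customers");

$db->setQuery("SELECT * FROM #__Cust");
$customers = $db->loadResults();
$ccustomers = array();

// All four encrypted columns share the Customer key; decrypt them all under the
// OLD key before it is replaced
foreach ($customers as $customer){

        $customer->Name = $crypt->decrypt($customer->Name,'Customer');
        $customer->ContactName = $crypt->decrypt($customer->ContactName,'Customer');
        $customer->ContactSurname = $crypt->decrypt($customer->ContactSurname,'Customer');
        $customer->Email = $crypt->decrypt($customer->Email,'Customer');
        $ccustomers[] = $customer;

}


$output->_("Generating new encryption key");
$newkeys->keys->Customer = Utils::genKey($keylength);
$newkeys->writekeyfile();


// Encrypt and update.
// NOTE(review): no transaction and runQuery()'s result is unchecked - a failure
// part-way leaves a mix of old- and new-key rows.

foreach ($ccustomers as $customer){

        $customer->Name = $crypt->encrypt($customer->Name,'Customer');
        $customer->ContactName = $crypt->encrypt($customer->ContactName,'Customer');
        $customer->ContactSurname = $crypt->encrypt($customer->ContactSurname,'Customer');
        $customer->Email = $crypt->encrypt($customer->Email,'Customer');


        $sql = "UPDATE #__Cust SET `Name`='".$db->stringEscape($customer->Name)."', `ContactName`='".$db->stringEscape($customer->ContactName)."',".
                "`ContactSurname`='".$db->stringEscape($customer->ContactSurname)."',`Email`='".$db->stringEscape($customer->Email)."' WHERE `id`=".(int)$customer->id;
        $db->setQuery($sql);
        $db->runQuery();
}
unset($ccustomers);
unset($customers);
$output->_("");
$confirm = $input->read("Customers have been re-keyed, Please log into the front end and ensure that you can view Customer names and details correctly");

// Probably need to do a little more to hold the users hand here really
if ($confirm !== "YES"){
        $output->_("Aborting");
        die;
}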
 
 
 
 
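// Groups next, relatively straight forward

$output->_("Preparing to Re-Key Groups");
$db->setQuery("SELECT * FROM #__Groups");
$groups = $db->loadResults();
$cgroups = array();

// Decrypt every name under the OLD Groups key before it is replaced
foreach ($groups as $group){

        $group->Name = $crypt->decrypt($group->Name,'Groups');
        $cgroups[] = $group;
}

$output->_("Generating new encryption key");
$newkeys->keys->Groups = Utils::genKey($keylength);
$newkeys->writekeyfile();


// Encrypt and update. The ciphertext is passed through stringEscape() like every
// other table above - it was the only UPDATE in this script interpolating a
// value unescaped.
// NOTE(review): no transaction and runQuery()'s result is unchecked - a failure
// part-way leaves a mix of old- and new-key rows.
foreach ($cgroups as $group){

        $group->Name = $crypt->encrypt($group->Name,'Groups');
        $sql = "UPDATE #__Groups SET `Name`='".$db->stringEscape($group->Name)."' WHERE `id`=".(int)$group->id;
        $db->setQuery($sql);
        $db->runQuery();

}

unset($cgroups);
unset($groups);
$output->_("");
$confirm = $input->read("Groups have been re-keyed, Please log into the front end and ensure that you can view Group names correctly");

// Probably need to do a little more to hold the users hand here really
if ($confirm !== "YES"){
        $output->_("Aborting");
        die;
}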