Allow multi-tenant providers to use static blind index keys

paragonie-security · paragonie-security · commit b45c629ae94a · 2025-06-17T05:52:57.000-04:00
diff --git a/src/CipherSweet.php b/src/CipherSweet.php
@@ -10,7 +10,8 @@
     BackendInterface,
     KeyProviderInterface,
     MultiTenantAwareProviderInterface,
-    MultiTenantSafeBackendInterface
+    MultiTenantSafeBackendInterface,
+    StaticBlindIndexKeyProviderInterface
 };
 use ParagonIE\CipherSweet\Exception\{
     CipherSweetException,
@@ -81,12 +82,21 @@ public function getIndexTypeColumn(
      *
      * Uses a 32 byte prefix for the HKDF "info" parameter, for domain
      * separation.
+     *
+     * @throws CipherSweetException
      */
     public function getBlindIndexRootKey(string $tableName, string $fieldName): SymmetricKey
     {
+        $key = $this->keyProvider->getSymmetricKey();
+        if ($this->keyProvider instanceof StaticBlindIndexKeyProviderInterface) {
+            $tenant = $this->keyProvider->getStaticBlindIndexTenant();
+            if (!is_null($tenant)) {
+                $key = $this->keyProvider->getTenant($tenant)->getSymmetricKey();
+            }
+        }
         return new SymmetricKey(
             Util::HKDF(
-                $this->keyProvider->getSymmetricKey(),
+                $key,
                 $tableName,
                 Constants::DS_BIDX . $fieldName
             )
diff --git a/src/Contract/StaticBlindIndexKeyProviderInterface.php b/src/Contract/StaticBlindIndexKeyProviderInterface.php
@@ -0,0 +1,13 @@
+<?php
+declare(strict_types=1);
+namespace ParagonIE\CipherSweet\Contract;
+
+/**
+ * Enables Key Providers to enable/disable using a specific, static "Tenant" for deriving the root keys
+ * for Blind Indexes and Compound Indexes.
+ */
+interface StaticBlindIndexKeyProviderInterface extends MultiTenantAwareProviderInterface
+{
+    public function getStaticBlindIndexTenant(): string|int|null;
+    public function setStaticBlindIndexTenant(string|int|null $tenant = null): void;
+}
diff --git a/tests/MultiTenant/MultiTenantTest.php b/tests/MultiTenant/MultiTenantTest.php
@@ -27,22 +27,37 @@ class MultiTenantTest extends TestCase
 {
     /** @var CipherSweet $csBoring */
     private $csBoring;
+    /** @var CipherSweet $csBoring2 */
+    private $csBoring2;
     /** @var CipherSweet $csFips */
     private $csFips;
+    /** @var CipherSweet $csFips2 */
+    private $csFips2;
 
     /**
      * @before
      */
     public function before()
     {
+        $foo = new StringProvider(random_bytes(32));
         $provider = new TestMultiTenantKeyProvider([
-            'foo' => new StringProvider(random_bytes(32)),
+            'foo' => $foo,
             'bar' => new StringProvider(random_bytes(32)),
             'baz' => new StringProvider(random_bytes(32)),
         ]);
         $provider->setActiveTenant('foo');
         $this->csBoring = new CipherSweet($provider, new BoringCrypto());
         $this->csFips = new CipherSweet($provider, new FIPSCrypto());
+
+        $provider2 = new SBKP([
+            'foo' => $foo,
+            'bar' => new StringProvider(random_bytes(32)),
+            'baz' => new StringProvider(random_bytes(32)),
+        ]);
+        $provider2->setStaticBlindIndexTenant('foo');
+
+        $this->csBoring2 = new CipherSweet($provider2, new BoringCrypto());
+        $this->csFips2 = new CipherSweet($provider2, new FIPSCrypto());
     }
 
     /**
@@ -288,4 +303,37 @@ public function testEncryptedMultiRows()
             $this->assertTrue($decryptFailed, 'Swapping out tenant identifiers should fail decryption');
         }
     }
+
+    public function testStaticBlindIndexKey(): void
+    {
+        // These keys should differ
+        /** @var CipherSweet $cs */
+        foreach ([$this->csBoring, $this->csFips] as $cs) {
+            $cs->setActiveTenant('bar');
+            $k1 = $cs->getBlindIndexRootKey('a', 'b')->getRawKey();
+            $cs->setActiveTenant('baz');
+            $k2 = $cs->getBlindIndexRootKey('a', 'b')->getRawKey();
+            $this->assertNotSame($k1, $k2);
+        }
+
+        // These keys should be the same:
+        /** @var CipherSweet $cs */
+        foreach ([$this->csBoring2, $this->csFips2] as $cs) {
+            $cs->setActiveTenant('bar');
+            $k1 = $cs->getBlindIndexRootKey('a', 'b')->getRawKey();
+            $cs->setActiveTenant('baz');
+            $k2 = $cs->getBlindIndexRootKey('a', 'b')->getRawKey();
+            $this->assertSame($k1, $k2);
+        }
+
+        // These should all differ:
+
+        foreach ([$this->csBoring, $this->csFips, $this->csBoring2, $this->csFips2] as $cs) {
+            $cs->setActiveTenant('bar');
+            $k1 = $cs->getFieldSymmetricKey('a', 'b')->getRawKey();
+            $cs->setActiveTenant('baz');
+            $k2 = $cs->getFieldSymmetricKey('a', 'b')->getRawKey();
+            $this->assertNotSame($k1, $k2);
+        }
+    }
 }
diff --git a/tests/MultiTenant/SBKP.php b/tests/MultiTenant/SBKP.php
@@ -0,0 +1,23 @@
+<?php
+namespace ParagonIE\CipherSweet\Tests\MultiTenant;
+
+use ParagonIE\CipherSweet\Contract\StaticBlindIndexKeyProviderInterface;
+
+/**
+ * Class TestMultiTenantKeyProvider
+ * @package ParagonIE\CipherSweet\Tests\MultiTenant
+ */
+class SBKP extends TestMultiTenantKeyProvider implements StaticBlindIndexKeyProviderInterface
+{
+    protected string|int|null $blindIndexTenant = null;
+
+    public function getStaticBlindIndexTenant(): string|int|null
+    {
+        return $this->blindIndexTenant;
+    }
+
+    public function setStaticBlindIndexTenant(int|string|null $tenant = null): void
+    {
+        $this->blindIndexTenant = $tenant;
+    }
+}
