From c596078d7aa6bc4f710734781fbebccce9def8e1 Mon Sep 17 00:00:00 2001 From: Kyle Date: Tue, 20 Apr 2021 14:28:47 +0200 Subject: [PATCH 1/2] Create tbsCertificate/extensions if missing Fix #1642 Create tbsCertificate/extensions if missing when extensions values are proceeded --- phpseclib/File/X509.php | 2 +- tests/Unit/File/X509/X509ExtensionTest.php | 34 ++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 38e0a97b..88dd1a80 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -670,7 +670,7 @@ class X509
 */
 private function mapOutExtensions(&$root, $path)
 {
- $extensions = &$this->subArray($root, $path);
+ $extensions = &$this->subArray($root, $path, true);
 foreach ($this->extensionValues as $id => $data) {
 extract($data);
diff --git a/tests/Unit/File/X509/X509ExtensionTest.php b/tests/Unit/File/X509/X509ExtensionTest.php
index 4613d9e3..74a062db 100644
--- a/tests/Unit/File/X509/X509ExtensionTest.php
+++ b/tests/Unit/File/X509/X509ExtensionTest.php
@@ -5,6 +5,7 @@
 * @license http://www.opensource.org/licenses/mit-license.html MIT License
 */
+use phpseclib3\Crypt\EC;
 use phpseclib3\Crypt\RSA;
 use phpseclib3\File\ASN1;
 use phpseclib3\File\X509;
@@ -114,4 +115,37 @@ class Unit_File_X509_X509ExtensionTest extends PhpseclibTestCase
 X509::registerExtension('bar', ['type' => ASN1::TYPE_OCTET_STRING]);
 X509::registerExtension('bar', ['type' => ASN1::TYPE_ANY]);
 }
+
+ public function testExtensionsAreInitializedIfMissing()
+ {
+ $issuerKey = EC::createKey('ed25519');
+ $subjectKey = EC::createKey('ed25519')->getPublicKey();
+
+ $subject = new X509();
+ $subject->setPublicKey($subjectKey);
+ $subject->setDN(['commonName' => 'subject']);
+
+ $issuer = new X509();
+ $issuer->setPrivateKey($issuerKey);
+ $issuer->setDN(['commonName' => 'issuer']);
+
+ $authority = new X509();
+
+ $authority->setExtensionValue('id-ce-keyUsage', ['digitalSignature']);
+
+ $cert = $authority->saveX509($authority->sign($issuer, $subject));
+
+ $loader = new X509();
+
+ $this->assertSame(
+ [
+ [
+ 'extnId' => 'id-ce-keyUsage',
+ 'critical' => false,
+ 'extnValue' => ['digitalSignature'],
+ ],
+ ],
+ $loader->loadX509($cert)['tbsCertificate']['extensions']
+ );
+ }
 }
From 7d3b0a21821eb1be394efb9cf78dc84f21614357 Mon Sep 17 00:00:00 2001 From: terrafrost Date: Tue, 20 Apr 2021 16:01:45 -0500 Subject: [PATCH 2/2] X509: tweaks to mapOutExtensions --- phpseclib/File/X509.php | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php
index 88dd1a80..2e1620c1 100644
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@@ -670,7 +670,7 @@ class X509
 */
 private function mapOutExtensions(&$root, $path)
 {
- $extensions = &$this->subArray($root, $path, true);
+ $extensions = &$this->subArray($root, $path, !empty($this->extensionValues));
 foreach ($this->extensionValues as $id => $data) {
 extract($data);
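Review bot: In `testExtensionsAreInitializedIfMissing` (tests/Unit/File/X509/X509ExtensionTest.php) the result of `$authority->sign($issuer, $subject)` goes straight into `saveX509()` and then `loadX509()` with no intermediate check. If either call reports failure by returning false rather than throwing (not visible in this hunk), the test would only fail at the final array comparison, with a message unrelated to the cause. Splitting the call into `$result = $authority->sign($issuer, $subject);` followed by `$this->assertNotFalse($result);` would surface a signing failure where it happens. The test also pins only the append path with the default `critical` flag, so the `$replace` branch that patch 2/2 restructures has no coverage here.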
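Review bot: The new create condition `!empty($this->extensionValues)` in `mapOutExtensions` (patch 2/2, hunk at line 670) has neither a regression test nor a comment explaining why the node must not be created unconditionally. Presumably the aim is to avoid emitting an empty `extensions` element when nothing was set, which matters because RFC 5280 defines `Extensions` as `SEQUENCE SIZE (1..MAX)`; the serialisation side is outside this hunk, so that is an inference. A comment such as `// create the node only when there is something to add; an empty Extensions sequence is not valid` above the call would record the intent. A test that signs with no extension values and asserts that `tbsCertificate` has no `extensions` key would pin the behaviour. The function body continues beyond the hunk.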
@@ -679,16 +679,15 @@ class X509
 'extnValue' => $value,
 'critical' => $critical
 ];
- if (!$replace) {
- $extensions[] = $newext;
- continue;
- }
- foreach ($extensions as $key => $value) {
- if ($value['extnId'] == $id) {
- $extensions[$key] = $newext;
- break;
- }
+ if ($replace) {
+ foreach ($extensions as $key => $value) {
+ if ($value['extnId'] == $id) {
+ $extensions[$key] = $newext;
+ continue 2;
+ }
+ }
 }
+ $extensions[] = $newext;
 }
 if (is_array($extensions)) {
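Review bot: The inner loop in the new `if ($replace)` branch reuses `$value` as its loop variable and matches with the loose comparison `$value['extnId'] == $id`. `$value` appears to be the same name that `extract($data)` populates earlier in the loop body (visible in the preceding hunk), so the extension's own value is overwritten once the loop runs; that is harmless today only because `$newext` is built first. The loose `==` can also treat two numeric-looking strings as equal, which is unlikely for extension identifiers but costs nothing to rule out. Suggested: `foreach ($extensions as $key => $ext) {` and `if ($ext['extnId'] === $id) {`, assuming `$id` is never an integer-like array key. The enclosing `foreach` starts before this hunk and `mapOutExtensions` continues after it.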