mirror of
https://github.com/danog/phpseclib.git
synced 2024-12-04 18:48:24 +01:00
RSA / X509: misc fixes (mostly related to PSS)
This commit is contained in:
terrafrost
parent
299f7b554d
commit
3ba5902046
@ -37,6 +37,14 @@
|
|||||||
* ?>
|
* ?>
|
||||||
* </code>
|
* </code>
|
||||||
*
|
*
|
||||||
|
* One thing to consider when using this: so phpseclib uses PSS mode by default.
|
||||||
|
* Technically, id-RSASSA-PSS has a different key format than rsaEncryption. So
|
||||||
|
* should phpseclib save to the id-RSASSA-PSS format by default or the
|
||||||
|
* rsaEncryption format? For stand-alone keys I figure rsaEncryption is better
|
||||||
|
* because SSH doesn't use PSS and idk how many SSH servers would be able to
|
||||||
|
* decode an id-RSASSA-PSS key. For X.509 certificates the id-RSASSA-PSS
|
||||||
|
* format is used by default (unless you change it up to use PKCS1 instead)
|
||||||
|
*
|
||||||
* @category Crypt
|
* @category Crypt
|
||||||
* @package RSA
|
* @package RSA
|
||||||
* @author Jim Wigginton <terrafrost@php.net>
|
* @author Jim Wigginton <terrafrost@php.net>
|
||||||
@ -660,7 +668,7 @@ abstract class RSA extends AsymmetricKey
|
|||||||
*
|
*
|
||||||
* @access public
|
* @access public
|
||||||
*/
|
*/
|
||||||
public function getHash()
|
public function getMGFHash()
|
||||||
{
|
{
|
||||||
return $this->mgfHash->getHash();
|
return $this->mgfHash->getHash();
|
||||||
}
|
}
|
||||||
|
|||||||
@ -202,7 +202,7 @@ abstract class PSS extends Progenitor
|
|||||||
* @param array $options
|
* @param array $options
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
private static function savePSSParams(array $options)
|
public static function savePSSParams(array $options)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
The trailerField field is an integer. It provides
|
The trailerField field is an integer. It provides
|
||||||
|
|||||||
@ -39,6 +39,7 @@ use phpseclib3\Exception\UnsupportedAlgorithmException;
|
|||||||
use phpseclib3\File\ASN1\Element;
|
use phpseclib3\File\ASN1\Element;
|
||||||
use phpseclib3\Math\BigInteger;
|
use phpseclib3\Math\BigInteger;
|
||||||
use phpseclib3\File\ASN1\Maps;
|
use phpseclib3\File\ASN1\Maps;
|
||||||
|
use phpseclib3\Crypt\RSA\Formats\Keys\PSS;
|
||||||
use DateTime;
|
use DateTime;
|
||||||
use DateTimeZone;
|
use DateTimeZone;
|
||||||
|
|
||||||
@ -2520,11 +2521,21 @@ class X509
|
|||||||
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
|
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
|
||||||
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
|
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
|
||||||
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
|
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
|
||||||
|
if ($signatureAlgorithm != 'id-RSASSA-PSS') {
|
||||||
|
$signatureAlgorithm = ['algorithm' => $signatureAlgorithm];
|
||||||
|
} else {
|
||||||
|
$r = PSS::load($issuer->privateKey->toString('PSS'));
|
||||||
|
$signatureAlgorithm = [
|
||||||
|
'algorithm' => 'id-RSASSA-PSS',
|
||||||
|
'parameters' => PSS::savePSSParams($r)
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
|
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
|
||||||
$this->currentCert = $subject->currentCert;
|
$this->currentCert = $subject->currentCert;
|
||||||
$this->currentCert['tbsCertificate']['signature']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
|
||||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||||
|
|
||||||
|
|
||||||
if (!empty($this->startDate)) {
|
if (!empty($this->startDate)) {
|
||||||
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
|
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
|
||||||
@ -2574,7 +2585,7 @@ class X509
|
|||||||
[
|
[
|
||||||
'version' => 'v3',
|
'version' => 'v3',
|
||||||
'serialNumber' => $serialNumber, // $this->setSerialNumber()
|
'serialNumber' => $serialNumber, // $this->setSerialNumber()
|
||||||
'signature' => ['algorithm' => $signatureAlgorithm],
|
'signature' => $signatureAlgorithm,
|
||||||
'issuer' => false, // this is going to be overwritten later
|
'issuer' => false, // this is going to be overwritten later
|
||||||
'validity' => [
|
'validity' => [
|
||||||
'notBefore' => $this->timeField($startDate), // $this->setStartDate()
|
'notBefore' => $this->timeField($startDate), // $this->setStartDate()
|
||||||
@ -2583,7 +2594,7 @@ class X509
|
|||||||
'subject' => $subject->dn,
|
'subject' => $subject->dn,
|
||||||
'subjectPublicKeyInfo' => $subjectPublicKey
|
'subjectPublicKeyInfo' => $subjectPublicKey
|
||||||
],
|
],
|
||||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
'signatureAlgorithm' => $signatureAlgorithm,
|
||||||
'signature' => false // this is going to be overwritten later
|
'signature' => false // this is going to be overwritten later
|
||||||
];
|
];
|
||||||
|
|
||||||
@ -3959,4 +3970,4 @@ class X509
|
|||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -155,4 +155,32 @@ HERE;
|
|||||||
$payload = 'eyJraWQiOiJ0RkMyVUloRnBUTV9FYTNxY09kX01xUVQxY0JCbTlrRkxTRGZlSmhzUkc4IiwiYWxnIjoiUFMyNTYifQ.eyJhcHAiOiJhY2NvdW50cG9ydGFsIiwic3ViIjoiNTliOGM4YzA5NTVhNDA5MDg2MGRmYmM3ZGQwMjVjZWEiLCJjbGlkIjoiZTQ5ZTA2N2JiMTFjNDcyMmEzNGIyYjNiOGE2YTYzNTUiLCJhbSI6InBhc3N3b3JkIiwicCI6ImVOcDFrRUZQd3pBTWhmXC9QdEVOYU5kQkc2bUZDNHNpbENNNXU0aTNXMHFSS0hFVDU5V1JzcXpZRUp4XC84M3ZQbkIxcUg3Rm5CZVNabEtNME9saGVZVUVWTXlHOEVUOEZnWDI4dkdqWG4wWkcrV2hSK01rWVBicGZacHI2U3E0N0RFYjBLYkRFT21CSUZuOTZKN1ZDaWg1Q2p4dWNRZDJmdHJlMCt2cSthZFFObUluK0poWEl0UlBvQ0xya1wvZ05VV3N3T09vSVwva0Q5ZVk4c05jRHFPUzNkanFWb3RPU21oRUo5b0hZZmFqZmpSRzFGSWpGRFwvOExtT2pKbVF3d0tBMnQ0aXJBQ2NncHo0dzBuN3BtXC84YXV2T0dFM2twVFZ2d0IzdzlQZk1YZnJJUTBhejRsaEtIdVBUMU42XC9sb1FJPSIsImlhaSI6IjU5YjhjOGMwOTU1YTQwOTA4NjBkZmJjN2RkMDI1Y2VhIiwiY2xzdmMiOiJhY2NvdW50cG9ydGFsIiwibHB2IjoxNTQ3Njc1NDM4LCJ0IjoicyIsImljIjp0cnVlLCJleHAiOjE1NDc3MDQyMzgsImlhdCI6MTU0NzY3NTQzOCwianRpIjoiZTE0N2UzM2UzNzVhNDkyNWJjMzdjZTRjMDIwMmJjNDYifQ';
|
$payload = 'eyJraWQiOiJ0RkMyVUloRnBUTV9FYTNxY09kX01xUVQxY0JCbTlrRkxTRGZlSmhzUkc4IiwiYWxnIjoiUFMyNTYifQ.eyJhcHAiOiJhY2NvdW50cG9ydGFsIiwic3ViIjoiNTliOGM4YzA5NTVhNDA5MDg2MGRmYmM3ZGQwMjVjZWEiLCJjbGlkIjoiZTQ5ZTA2N2JiMTFjNDcyMmEzNGIyYjNiOGE2YTYzNTUiLCJhbSI6InBhc3N3b3JkIiwicCI6ImVOcDFrRUZQd3pBTWhmXC9QdEVOYU5kQkc2bUZDNHNpbENNNXU0aTNXMHFSS0hFVDU5V1JzcXpZRUp4XC84M3ZQbkIxcUg3Rm5CZVNabEtNME9saGVZVUVWTXlHOEVUOEZnWDI4dkdqWG4wWkcrV2hSK01rWVBicGZacHI2U3E0N0RFYjBLYkRFT21CSUZuOTZKN1ZDaWg1Q2p4dWNRZDJmdHJlMCt2cSthZFFObUluK0poWEl0UlBvQ0xya1wvZ05VV3N3T09vSVwva0Q5ZVk4c05jRHFPUzNkanFWb3RPU21oRUo5b0hZZmFqZmpSRzFGSWpGRFwvOExtT2pKbVF3d0tBMnQ0aXJBQ2NncHo0dzBuN3BtXC84YXV2T0dFM2twVFZ2d0IzdzlQZk1YZnJJUTBhejRsaEtIdVBUMU42XC9sb1FJPSIsImlhaSI6IjU5YjhjOGMwOTU1YTQwOTA4NjBkZmJjN2RkMDI1Y2VhIiwiY2xzdmMiOiJhY2NvdW50cG9ydGFsIiwibHB2IjoxNTQ3Njc1NDM4LCJ0IjoicyIsImljIjp0cnVlLCJleHAiOjE1NDc3MDQyMzgsImlhdCI6MTU0NzY3NTQzOCwianRpIjoiZTE0N2UzM2UzNzVhNDkyNWJjMzdjZTRjMDIwMmJjNDYifQ';
|
||||||
$this->assertTrue($rsa->verify($payload, $sig));
|
$this->assertTrue($rsa->verify($payload, $sig));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testHash()
|
||||||
|
{
|
||||||
|
$pub = <<<HERE
|
||||||
|
-----BEGIN PUBLIC KEY-----
|
||||||
|
MF0wDQYJKoZIhvcNAQEBBQADTAAwSQJCAmdYuOvii3I6ya3q/zSeZFoJprgF9fIq
|
||||||
|
k12yS6pCS3c+1wZ9cYFVtgfpSL4XpylLe9EnRT2GRVYCqUkR4AUeTuvnAgMBAAE=
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
|
HERE;
|
||||||
|
|
||||||
|
$rsa = PublicKeyLoader::load($pub)
|
||||||
|
->withHash('sha1')
|
||||||
|
->withSaltLength(5)
|
||||||
|
->withMGFHash('sha512');
|
||||||
|
|
||||||
|
$this->assertSame('sha1', $rsa->getHash());
|
||||||
|
$this->assertSame(5, $rsa->getSaltLength());
|
||||||
|
$this->assertSame('sha512', $rsa->getMGFHash());
|
||||||
|
|
||||||
|
$rsa = $rsa
|
||||||
|
->withHash('sha512')
|
||||||
|
->withSaltLength(6)
|
||||||
|
->withMGFHash('sha1');
|
||||||
|
|
||||||
|
$this->assertSame('sha512', $rsa->getHash());
|
||||||
|
$this->assertSame(6, $rsa->getSaltLength());
|
||||||
|
$this->assertSame('sha1', $rsa->getMGFHash());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -939,8 +939,52 @@ U9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ
|
|||||||
|
|
||||||
$r = $x509->loadX509($result);
|
$r = $x509->loadX509($result);
|
||||||
$this->assertSame('id-RSASSA-PSS', $r['tbsCertificate']['signature']['algorithm']);
|
$this->assertSame('id-RSASSA-PSS', $r['tbsCertificate']['signature']['algorithm']);
|
||||||
|
$this->assertArrayHasKey('parameters', $r['tbsCertificate']['signature']);
|
||||||
$this->assertSame('id-RSASSA-PSS', $r['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm']);
|
$this->assertSame('id-RSASSA-PSS', $r['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm']);
|
||||||
|
$this->assertArrayHasKey('parameters', $r['tbsCertificate']['subjectPublicKeyInfo']['algorithm']);
|
||||||
$this->assertSame('id-RSASSA-PSS', $r['signatureAlgorithm']['algorithm']);
|
$this->assertSame('id-RSASSA-PSS', $r['signatureAlgorithm']['algorithm']);
|
||||||
|
$this->assertArrayHasKey('parameters', $r['signatureAlgorithm']);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testPKCS1Save()
|
||||||
|
{
|
||||||
|
$private = '-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIICXAIBAAKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUp
|
||||||
|
wmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ5
|
||||||
|
1s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQABAoGAFijko56+qGyN8M0RVyaRAXz++xTqHBLh
|
||||||
|
3tx4VgMtrQ+WEgCjhoTwo23KMBAuJGSYnRmoBZM3lMfTKevIkAidPExvYCdm5dYq3XToLkkLv5L2
|
||||||
|
pIIVOFMDG+KESnAFV7l2c+cnzRMW0+b6f8mR1CJzZuxVLL6Q02fvLi55/mbSYxECQQDeAw6fiIQX
|
||||||
|
GukBI4eMZZt4nscy2o12KyYner3VpoeE+Np2q+Z3pvAMd/aNzQ/W9WaI+NRfcxUJrmfPwIGm63il
|
||||||
|
AkEAxCL5HQb2bQr4ByorcMWm/hEP2MZzROV73yF41hPsRC9m66KrheO9HPTJuo3/9s5p+sqGxOlF
|
||||||
|
L0NDt4SkosjgGwJAFklyR1uZ/wPJjj611cdBcztlPdqoxssQGnh85BzCj/u3WqBpE2vjvyyvyI5k
|
||||||
|
X6zk7S0ljKtt2jny2+00VsBerQJBAJGC1Mg5Oydo5NwD6BiROrPxGo2bpTbu/fhrT8ebHkTz2epl
|
||||||
|
U9VQQSQzY1oZMVX8i1m5WUTLPz2yLJIBQVdXqhMCQBGoiuSoSjafUhV7i1cEGpb88h5NBYZzWXGZ
|
||||||
|
37sJ5QsW+sJyoNde3xH8vdXhzU7eT82D6X/scw9RZz+/6rCJ4p0=
|
||||||
|
-----END RSA PRIVATE KEY-----';
|
||||||
|
$private = PublicKeyLoader::load($private)
|
||||||
|
->withPadding(RSA::SIGNATURE_PKCS1)
|
||||||
|
->withHash('sha256');
|
||||||
|
$public = $private->getPublicKey();
|
||||||
|
|
||||||
|
$subject = new X509();
|
||||||
|
$subject->setDNProp('id-at-organizationName', 'phpseclib demo cert');
|
||||||
|
$subject->setPublicKey($public);
|
||||||
|
|
||||||
|
$issuer = new X509();
|
||||||
|
$issuer->setPrivateKey($private);
|
||||||
|
$issuer->setDN($subject->getDN());
|
||||||
|
|
||||||
|
$x509 = new X509();
|
||||||
|
|
||||||
|
$result = $x509->sign($issuer, $subject);
|
||||||
|
$result = $x509->saveX509($result);
|
||||||
|
|
||||||
|
$this->assertInternalType('string', $result);
|
||||||
|
|
||||||
|
$r = $x509->loadX509($result);
|
||||||
|
$this->assertSame('sha256WithRSAEncryption', $r['tbsCertificate']['signature']['algorithm']);
|
||||||
|
$this->assertSame('rsaEncryption', $r['tbsCertificate']['subjectPublicKeyInfo']['algorithm']['algorithm']);
|
||||||
|
$this->assertSame('sha256WithRSAEncryption', $r['signatureAlgorithm']['algorithm']);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testLongTagOnBadCert()
|
public function testLongTagOnBadCert()
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user