diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php index 695e5a80..8af3b772 100644 --- a/phpseclib/File/X509.php +++ b/phpseclib/File/X509.php @@ -2541,22 +2541,12 @@ class X509 $currentCert = isset($this->currentCert) ? $this->currentCert : null; $signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null; $signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey); - if ($signatureAlgorithm != 'id-RSASSA-PSS') { - $signatureAlgorithm = ['algorithm' => $signatureAlgorithm]; - } else { - $r = PSS::load($issuer->privateKey->withPassword()->toString('PSS')); - $signatureAlgorithm = [ - 'algorithm' => 'id-RSASSA-PSS', - 'parameters' => PSS::savePSSParams($r) - ]; - } if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) { $this->currentCert = $subject->currentCert; $this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm; $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm; - if (!empty($this->startDate)) { $this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate); } @@ -2736,7 +2726,7 @@ class X509 $signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey); if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) { - $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm; + $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm; if (!empty($this->dn)) { $this->currentCert['certificationRequestInfo']['subject'] = $this->dn; } @@ -2749,7 +2739,7 @@ class X509 'subject' => $this->dn, 'subjectPKInfo' => $publicKey ], - 'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm], + 'signatureAlgorithm' => $signatureAlgorithm, 'signature' => false // this is going to be overwritten later ]; } 
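Review bot: In the `@@ -2736,7 +2726,7 @@` hunk the re-sign branch now overwrites the whole `signatureAlgorithm` node, and nothing at the assignment says that `$signatureAlgorithm` is an AlgorithmIdentifier array rather than an OID name, or that parameters parsed from the loaded request are discarded on purpose. A one-line comment above it would make that explicit, for example `// replace the whole AlgorithmIdentifier so parameters from the loaded structure are never re-encoded with a different algorithm`. The same comment fits the matching assignments in the SPKAC hunk (`@@ -2791,7 +2781,7 @@`) and the CRL hunk (`@@ -2851,18 +2841,18 @@`). The enclosing methods start and end outside these hunks.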
@@ -2791,7 +2781,7 @@ class X509
 // re-signing a SPKAC seems silly but since everything else supports re-signing why not?
 if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
- $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
+ $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
 $this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
 if (!empty($this->challenge)) {
 // the bitwise AND ensures that the output is a valid IA5String
@@ -2809,7 +2799,7 @@ class X509
 // Random::string(8) & str_repeat("\x7F", 8)
 'challenge' => !empty($this->challenge) ? $this->challenge : ''
 ],
- 'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
+ 'signatureAlgorithm' => $signatureAlgorithm,
 'signature' => false // this is going to be overwritten later
 ];
 }
@@ -2851,18 +2841,18 @@ class X509
 if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
 $this->currentCert = $crl->currentCert;
- $this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
- $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
+ $this->currentCert['tbsCertList']['signature'] = $signatureAlgorithm;
+ $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
 } else {
 $this->currentCert = [
 'tbsCertList' => [
 'version' => 'v2',
- 'signature' => ['algorithm' => $signatureAlgorithm],
+ 'signature' => $signatureAlgorithm,
 'issuer' => false, // this is going to be overwritten later
 'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
 ],
- 'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
+ 'signatureAlgorithm' => $signatureAlgorithm,
 'signature' => false // this is going to be overwritten later
 ];
 }
@@ -2971,7 +2961,11 @@ class X509
 {
 if ($key instanceof RSA) {
 if ($key->getPadding() & RSA::SIGNATURE_PSS) {
- return 'id-RSASSA-PSS';
+ $r = PSS::load($key->withPassword()->toString('PSS'));
+ return [
+ 'algorithm' => 'id-RSASSA-PSS',
+ 'parameters' => PSS::savePSSParams($r)
+ ];
 }
 switch ($key->getHash()) {
 case 'md2':
@@ -2981,7 +2975,7 @@ class X509
 case 'sha256':
 case 'sha384':
 case 'sha512':
- return $key->getHash() . 'WithRSAEncryption';
+ return ['algorithm' => $key->getHash() . 'WithRSAEncryption'];
 }
 throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
 }
@@ -2991,7 +2985,7 @@ class X509
 case 'sha1':
 case 'sha224':
 case 'sha256':
- return 'id-dsa-with-' . $key->getHash();
+ return ['algorithm' => 'id-dsa-with-' . $key->getHash()];
 }
 throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
 }
@@ -3000,7 +2994,7 @@ class X509
 switch ($key->getCurve()) {
 case 'Ed25519':
 case 'Ed448':
- return 'id-' . $key->getCurve();
+ return ['algorithm' => 'id-' . $key->getCurve()];
 }
 switch ($key->getHash()) {
 case 'sha1':
@@ -3008,7 +3002,7 @@ class X509
 case 'sha256':
 case 'sha384':
 case 'sha512':
- return 'ecdsa-with-' . strtoupper($key->getHash());
+ return ['algorithm' => 'ecdsa-with-' . strtoupper($key->getHash())];
 }
 throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
 }
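Review bot: The PSS branch in the `@@ -2971,7 +2961,11 @@` hunk serialises the private key with `$key->withPassword()->toString('PSS')` and parses it back only to read the hash, MGF hash and salt length, so every signing call leaves an unencrypted copy of the key in a PHP string (assuming `withPassword()` with no argument clears the passphrase, as it appears to). If `PSS::savePSSParams()` needs only those three values, they can be passed from the key's getters instead: `'parameters' => PSS::savePSSParams(['hash' => $key->getHash(), 'MGFHash' => $key->getMGFHash(), 'saltLength' => $key->getSaltLength()])`. The function's signature and docblock are outside the hunk; if the docblock still declares a string return it should now say array.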
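Review bot: `md2`, `md5` and `sha1` are still accepted in the RSA branch (the `case 'md2':` context line and the exception text in the `@@ -2981,7 +2975,7 @@` hunk), so a key configured with one of them yields certificates, CSRs and CRLs signed over a digest with known collision weaknesses. Rejecting them would change behaviour callers may rely on, so at minimum a comment above the switch should say so, e.g. `// md2, md5 and sha1 are kept for compatibility only; use sha256 or stronger for anything newly issued`. The `sha1` cases in the DSA hunk (`@@ -2991,7 +2985,7 @@`) and the EC hunk (`@@ -3000,7 +2994,7 @@`) deserve the same remark. The switch bodies are only partly visible in these hunks.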