X509: make it so CRLs, CSRs and SPKACs can support PSS keys

2024-12-11 16:49:42 +01:00 · 2022-09-23 15:03:37 -05:00 · 2022-09-23 15:03:37 -05:00 · b54eeb8e35
commit b54eeb8e35
parent ea5a4c3c62
1 changed files with 17 additions and 23 deletions
--- a/phpseclib/File/X509.php
+++ b/phpseclib/File/X509.php
@ -2541,22 +2541,12 @@ class X509
        $currentCert = isset($this->currentCert) ? $this->currentCert : null;
        $signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
        $signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
        if ($signatureAlgorithm != 'id-RSASSA-PSS') {
            $signatureAlgorithm = ['algorithm' => $signatureAlgorithm];
        } else {
            $r = PSS::load($issuer->privateKey->withPassword()->toString('PSS'));
            $signatureAlgorithm = [
                'algorithm' => 'id-RSASSA-PSS',
                'parameters' => PSS::savePSSParams($r)
            ];
        }
        if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
            $this->currentCert = $subject->currentCert;
            $this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
            $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
            if (!empty($this->startDate)) {
                $this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
            }
@ -2736,7 +2726,7 @@ class X509
        $signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey);
        if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
-            $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
+            $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
            if (!empty($this->dn)) {
                $this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
            }
@ -2749,7 +2739,7 @@ class X509
                        'subject' => $this->dn,
                        'subjectPKInfo' => $publicKey
                    ],
-                    'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
+                    'signatureAlgorithm' => $signatureAlgorithm,
                    'signature'          => false // this is going to be overwritten later
            ];
        }
@ -2791,7 +2781,7 @@ class X509
        // re-signing a SPKAC seems silly but since everything else supports re-signing why not?
        if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
-            $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
+            $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
            $this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
            if (!empty($this->challenge)) {
                // the bitwise AND ensures that the output is a valid IA5String
@ -2809,7 +2799,7 @@ class X509
                        // Random::string(8) & str_repeat("\x7F", 8)
                        'challenge' => !empty($this->challenge) ? $this->challenge : ''
                    ],
-                    'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
+                    'signatureAlgorithm' => $signatureAlgorithm,
                    'signature'          => false // this is going to be overwritten later
            ];
        }
@ -2851,18 +2841,18 @@ class X509
        if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
            $this->currentCert = $crl->currentCert;
-            $this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
+            $this->currentCert['tbsCertList']['signature'] = $signatureAlgorithm;
-            $this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
+            $this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
        } else {
            $this->currentCert = [
                'tbsCertList' =>
                    [
                        'version' => 'v2',
-                        'signature' => ['algorithm' => $signatureAlgorithm],
+                        'signature' => $signatureAlgorithm,
                        'issuer' => false, // this is going to be overwritten later
                        'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
                    ],
-                    'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
+                    'signatureAlgorithm' => $signatureAlgorithm,
                    'signature'          => false // this is going to be overwritten later
            ];
        }
@ -2971,7 +2961,11 @@ class X509
    {
        if ($key instanceof RSA) {
            if ($key->getPadding() & RSA::SIGNATURE_PSS) {
-                return 'id-RSASSA-PSS';
+                $r = PSS::load($key->withPassword()->toString('PSS'));
                return [
                    'algorithm' => 'id-RSASSA-PSS',
                    'parameters' => PSS::savePSSParams($r)
                ];
            }
            switch ($key->getHash()) {
                case 'md2':
@ -2981,7 +2975,7 @@ class X509
                case 'sha256':
                case 'sha384':
                case 'sha512':
-                    return $key->getHash() . 'WithRSAEncryption';
+                    return ['algorithm' => $key->getHash() . 'WithRSAEncryption'];
            }
            throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
        }
@ -2991,7 +2985,7 @@ class X509
                case 'sha1':
                case 'sha224':
                case 'sha256':
-                    return 'id-dsa-with-' . $key->getHash();
+                    return ['algorithm' => 'id-dsa-with-' . $key->getHash()];
            }
            throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
        }
@ -3000,7 +2994,7 @@ class X509
            switch ($key->getCurve()) {
                case 'Ed25519':
                case 'Ed448':
-                    return 'id-' . $key->getCurve();
+                    return ['algorithm' => 'id-' . $key->getCurve()];
            }
            switch ($key->getHash()) {
                case 'sha1':
@ -3008,7 +3002,7 @@ class X509
                case 'sha256':
                case 'sha384':
                case 'sha512':
-                    return 'ecdsa-with-' . strtoupper($key->getHash());
+                    return ['algorithm' => 'ecdsa-with-' . strtoupper($key->getHash())];
            }
            throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
        }