From 4a069f7c8546ae24f514c5d72806490ae56f2de5 Mon Sep 17 00:00:00 2001 From: terrafrost Date: Sat, 15 Apr 2017 19:35:07 -0500 Subject: [PATCH] rm redundant files --- phpseclib/Crypt/Common/PKCS.php | 80 ----- phpseclib/Crypt/Common/PKCS1.php | 224 ------------ phpseclib/Crypt/Common/PKCS8.php | 598 ------------------------------- 3 files changed, 902 deletions(-) delete mode 100644 phpseclib/Crypt/Common/PKCS.php delete mode 100644 phpseclib/Crypt/Common/PKCS1.php delete mode 100644 phpseclib/Crypt/Common/PKCS8.php diff --git a/phpseclib/Crypt/Common/PKCS.php b/phpseclib/Crypt/Common/PKCS.php deleted file mode 100644 index 937287e4..00000000 --- a/phpseclib/Crypt/Common/PKCS.php +++ /dev/null @@ -1,80 +0,0 @@ - - * @copyright 2015 Jim Wigginton - * @license http://www.opensource.org/licenses/mit-license.html MIT License - * @link http://phpseclib.sourceforge.net - */ - -namespace phpseclib\Crypt\Common; - -/** - * PKCS1 Formatted Key Handler - * - * @package RSA - * @author Jim Wigginton - * @access public - */ -abstract class PKCS -{ - /** - * Auto-detect the format - */ - const MODE_ANY = 0; - /** - * Require base64-encoded PEM's be supplied - */ - const MODE_PEM = 1; - /** - * Require raw DER's be supplied - */ - const MODE_DER = 2; - /**#@-*/ - - /** - * Is the key a base-64 encoded PEM, DER or should it be auto-detected? - * - * @access private - * @param int - */ - protected static $format = self::MODE_ANY; - - /** - * Require base64-encoded PEM's be supplied - * - * @access public - */ - public static function requirePEM() - { - self::$format = self::MODE_PEM; - } - - /** - * Require raw DER's be supplied - * - * @access public - */ - public static function requireDER() - { - self::$format = self::MODE_DER; - } - - /** - * Accept any format and auto detect the format - * - * This is the default setting - * - * @access public - */ - public static function requireAny() - { - self::$format = self::MODE_ANY; - } -} \ No newline at end of file diff --git a/phpseclib/Crypt/Common/PKCS1.php b/phpseclib/Crypt/Common/PKCS1.php deleted file mode 100644 index e331481f..00000000 --- a/phpseclib/Crypt/Common/PKCS1.php +++ /dev/null @@ -1,224 +0,0 @@ - - * @copyright 2015 Jim Wigginton - * @license http://www.opensource.org/licenses/mit-license.html MIT License - * @link http://phpseclib.sourceforge.net - */ - -namespace phpseclib\Crypt\Common; - -use ParagonIE\ConstantTime\Base64; -use ParagonIE\ConstantTime\Hex; -use phpseclib\Crypt\Common\BlockCipher; -use phpseclib\Crypt\Random; -use phpseclib\Crypt\AES; -use phpseclib\Crypt\Base; -use phpseclib\Crypt\DES; -use phpseclib\Crypt\TripleDES; -use phpseclib\File\ASN1; - -/** - * PKCS1 Formatted Key Handler - * - * @package RSA - * @author Jim Wigginton - * @access public - */ -abstract class PKCS1 extends PKCS -{ - /** - * Default encryption algorithm - * - * @var string - * @access private - */ - private static $defaultEncryptionAlgorithm = 'AES-128-CBC'; - - /** - * Sets the default encryption algorithm - * - * @access public - * @param string $algo - */ - public static function setEncryptionAlgorithm($algo) - { - self::$defaultEncryptionAlgorithm = $algo; - } - - /** - * Returns the mode constant corresponding to the mode string - * - * @access public - * @param string $mode - * @return int - * @throws \UnexpectedValueException if the block cipher mode is unsupported - */ - private static function getEncryptionMode($mode) - { - switch ($mode) { - case 'CBC': - return BlockCipher::MODE_CBC; - case 'ECB': - return BlockCipher::MODE_ECB; - case 'CFB': - return BlockCipher::MODE_CFB; - case 'OFB': - return BlockCipher::MODE_OFB; - case 'CTR': - return BlockCipher::MODE_CTR; - } - throw new \UnexpectedValueException('Unsupported block cipher mode of operation'); - } - - /** - * Returns a cipher object corresponding to a string - * - * @access public - * @param string $algo - * @return string - * @throws \UnexpectedValueException if the encryption algorithm is unsupported - */ - private static function getEncryptionObject($algo) - { - $modes = '(CBC|ECB|CFB|OFB|CTR)'; - switch (true) { - case preg_match("#^AES-(128|192|256)-$modes$#", $algo, $matches): - $cipher = new AES(self::getEncryptionMode($matches[2])); - $cipher->setKeyLength($matches[1]); - return $cipher; - case preg_match("#^DES-EDE3-$modes$#", $algo, $matches): - return new TripleDES(self::getEncryptionMode($matches[1])); - case preg_match("#^DES-$modes$#", $algo, $matches): - return new DES(self::getEncryptionMode($matches[1])); - default: - throw new \UnexpectedValueException('Unsupported encryption algorithmn'); - } - } - - /** - * Generate a symmetric key for PKCS#1 keys - * - * @access public - * @param string $password - * @param string $iv - * @param int $length - * @return string - */ - private static function generateSymmetricKey($password, $iv, $length) - { - $symkey = ''; - $iv = substr($iv, 0, 8); - while (strlen($symkey) < $length) { - $symkey.= md5($symkey . $password . $iv, true); - } - return substr($symkey, 0, $length); - } - - /** - * Break a public or private key down into its constituent components - * - * @access public - * @param string $key - * @param string $password optional - * @return array - */ - protected static function load($key, $password) - { - if (!is_string($key)) { - return false; - } - - /* Although PKCS#1 proposes a format that public and private keys can use, encrypting them is - "outside the scope" of PKCS#1. PKCS#1 then refers you to PKCS#12 and PKCS#15 if you're wanting to - protect private keys, however, that's not what OpenSSL* does. OpenSSL protects private keys by adding - two new "fields" to the key - DEK-Info and Proc-Type. These fields are discussed here: - - http://tools.ietf.org/html/rfc1421#section-4.6.1.1 - http://tools.ietf.org/html/rfc1421#section-4.6.1.3 - - DES-EDE3-CBC as an algorithm, however, is not discussed anywhere, near as I can tell. - DES-CBC and DES-EDE are discussed in RFC1423, however, DES-EDE3-CBC isn't, nor is its key derivation - function. As is, the definitive authority on this encoding scheme isn't the IETF but rather OpenSSL's - own implementation. ie. the implementation *is* the standard and any bugs that may exist in that - implementation are part of the standard, as well. - - * OpenSSL is the de facto standard. It's utilized by OpenSSH and other projects */ - if (preg_match('#DEK-Info: (.+),(.+)#', $key, $matches)) { - $iv = Hex::decode(trim($matches[2])); - // remove the Proc-Type / DEK-Info sections as they're no longer needed - $key = preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $key); - $ciphertext = ASN1::extractBER($key); - if ($ciphertext === false) { - $ciphertext = $key; - } - $crypto = self::getEncryptionObject($matches[1]); - $crypto->setKey(self::generateSymmetricKey($password, $iv, $crypto->getKeyLength() >> 3)); - $crypto->setIV($iv); - $key = $crypto->decrypt($ciphertext); - } else { - if (self::$format != self::MODE_DER) { - $decoded = ASN1::extractBER($key); - if ($decoded !== false) { - $key = $decoded; - } elseif (self::$format == self::MODE_PEM) { - return false; - } - } - } - - return $key; - } - - /** - * Wrap a private key appropriately - * - * @access public - * @param string $key - * @param string $type - * @param string $password - * @return string - */ - protected static function wrapPrivateKey($key, $type, $password) - { - if (empty($password) || !is_string($password)) { - return "-----BEGIN $type PRIVATE KEY-----\r\n" . - chunk_split(Base64::encode($key), 64) . - "-----END $type PRIVATE KEY-----"; - } - - $cipher = self::getEncryptionObject(self::$defaultEncryptionAlgorithm); - $iv = Random::string($cipher->getBlockLength() >> 3); - $cipher->setKey(self::generateSymmetricKey($password, $iv, $cipher->getKeyLength() >> 3)); - $cipher->setIV($iv); - $iv = strtoupper(Hex::encode($iv)); - return "-----BEGIN $type PRIVATE KEY-----\r\n" . - "Proc-Type: 4,ENCRYPTED\r\n" . - "DEK-Info: " . self::$defaultEncryptionAlgorithm . ",$iv\r\n" . - "\r\n" . - chunk_split(Base64::encode($cipher->encrypt($key)), 64) . - "-----END $type PRIVATE KEY-----"; - } - - /** - * Wrap a public key appropriately - * - * @access public - * @param string $key - * @param string $type - * @return string - */ - protected static function wrapPublicKey($key, $type) - { - return "-----BEGIN $type PUBLIC KEY-----\r\n" . - chunk_split(Base64::encode($key), 64) . - "-----END $type PUBLIC KEY-----"; - } -} \ No newline at end of file diff --git a/phpseclib/Crypt/Common/PKCS8.php b/phpseclib/Crypt/Common/PKCS8.php deleted file mode 100644 index 81a2b95f..00000000 --- a/phpseclib/Crypt/Common/PKCS8.php +++ /dev/null @@ -1,598 +0,0 @@ - - * @copyright 2015 Jim Wigginton - * @license http://www.opensource.org/licenses/mit-license.html MIT License - * @link http://phpseclib.sourceforge.net - */ - -namespace phpseclib\Crypt\Common; - -use ParagonIE\ConstantTime\Base64; -use phpseclib\Crypt\DES; -use phpseclib\Crypt\RC2; -use phpseclib\Crypt\RC4; -use phpseclib\Crypt\AES; -use phpseclib\Crypt\TripleDES; -use phpseclib\Crypt\Common\BlockCipher; -use phpseclib\Crypt\Random; -use phpseclib\Math\BigInteger; -use phpseclib\File\ASN1; -use phpseclib\File\ASN1\Maps; -use phpseclib\Exception\UnsupportedAlgorithmException; - -/** - * PKCS#8 Formatted Key Handler - * - * @package Common - * @author Jim Wigginton - * @access public - */ -abstract class PKCS8 extends PKCS -{ - /** - * Default encryption algorithm - * - * @var string - * @access private - */ - private static $defaultEncryptionAlgorithm = 'id-PBES2'; - - /** - * Default encryption scheme - * - * Only used when defaultEncryptionAlgorithm is id-PBES2 - * - * @var string - * @access private - */ - private static $defaultEncryptionScheme = 'aes128-CBC-PAD'; - - /** - * Default PRF - * - * Only used when defaultEncryptionAlgorithm is id-PBES2 - * - * @var string - * @access private - */ - private static $defaultPRF = 'id-hmacWithSHA256'; - - /** - * Default Iteration Count - * - * @var int - * @access private - */ - private static $defaultIterationCount = 2048; - - /** - * OIDs loaded - * - * @var bool - * @access private - */ - private static $oidsLoaded = false; - - /** - * Sets the default encryption algorithm - * - * @access public - * @param string $algo - */ - public static function setEncryptionAlgorithm($algo) - { - self::$defaultEncryptionAlgorithm = $algo; - } - - /** - * Sets the default encryption algorithm for PBES2 - * - * @access public - * @param string $algo - */ - public static function setEncryptionScheme($algo) - { - self::$defaultEncryptionScheme = $algo; - } - - /** - * Sets the iteration count - * - * @access public - * @param int $count - */ - public static function setIterationCount($count) - { - self::$defaultIterationCount = $count; - } - - /** - * Sets the PRF for PBES2 - * - * @access public - * @param string $algo - */ - public static function setPRF($algo) - { - self::$defaultPRF = $algo; - } - - /** - * Returns a SymmetricKey object based on a PBES1 $algo - * - * @access public - * @param string $algo - */ - private static function getPBES1EncryptionObject($algo) - { - $algo = preg_match('#^pbeWith(?:MD2|MD5|SHA1|SHA)And(.*?)-CBC$#', $algo, $matches) ? - $matches[1] : - substr($algo, 13); // strlen('pbeWithSHAAnd') == 13 - - switch ($algo) { - case 'DES': - $cipher = new DES(BlockCipher::MODE_CBC); - break; - case 'RC2': - $cipher = new RC2(BlockCipher::MODE_CBC); - break; - case '3-KeyTripleDES': - $cipher = new TripleDES(BlockCipher::MODE_CBC); - break; - case '2-KeyTripleDES': - $cipher = new TripleDES(BlockCipher::MODE_CBC); - $cipher->setKeyLength(128); - break; - case '128BitRC2': - $cipher = new RC2(BlockCipher::MODE_CBC); - $cipher->setKeyLength(128); - break; - case '40BitRC2': - $cipher = new RC2(BlockCipher::MODE_CBC); - $cipher->setKeyLength(40); - break; - case '128BitRC4': - $cipher = new RC4(); - $cipher->setKeyLength(128); - break; - case '40BitRC4': - $cipher = new RC4(); - $cipher->setKeyLength(40); - break; - default: - throw new UnsupportedAlgorithmException("$algo is not a supported algorithm"); - } - - return $cipher; - } - - /** - * Returns a hash based on a PBES1 $algo - * - * @access public - * @param string $algo - */ - private static function getPBES1Hash($algo) - { - if (preg_match('#^pbeWith(MD2|MD5|SHA1|SHA)And.*?-CBC$#', $algo, $matches)) { - return $matches[1] == 'SHA' ? 'sha1' : $matches[1]; - } - - return 'sha1'; - } - - /** - * Returns a KDF baesd on a PBES1 $algo - * - * @access public - * @param string $algo - */ - private static function getPBES1KDF($algo) - { - switch ($algo) { - case 'pbeWithMD2AndDES-CBC': - case 'pbeWithMD2AndRC2-CBC': - case 'pbeWithMD5AndDES-CBC': - case 'pbeWithMD5AndRC2-CBC': - case 'pbeWithSHA1AndDES-CBC': - case 'pbeWithSHA1AndRC2-CBC': - return 'pbkdf1'; - } - - return 'pkcs12'; - } - - /** - * Returns a SymmetricKey object baesd on a PBES2 $algo - * - * @access public - * @param string $algo - */ - private static function getPBES2EncryptionObject($algo) - { - switch ($algo) { - case 'desCBC': - $cipher = new TripleDES(BlockCipher::MODE_CBC); - break; - case 'des-EDE3-CBC': - $cipher = new TripleDES(BlockCipher::MODE_CBC); - break; - case 'rc2CBC': - $cipher = new RC2(BlockCipher::MODE_CBC); - // in theory this can be changed - $cipher->setKeyLength(128); - break; - case 'rc5-CBC-PAD': - throw new UnsupportedAlgorithmException('rc5-CBC-PAD is not supported for PBES2 PKCS#8 keys'); - case 'aes128-CBC-PAD': - case 'aes192-CBC-PAD': - case 'aes256-CBC-PAD': - $cipher = new AES(BlockCipher::MODE_CBC); - $cipher->setKeyLength(substr($algo, 3, 3)); - break; - default: - throw new UnsupportedAlgorithmException("$algo is not supported"); - } - - return $cipher; - } - - /** - * Initialize static variables - * - * @access private - */ - private static function initialize_static_variables() - { - if (!self::$oidsLoaded) { - // from https://tools.ietf.org/html/rfc2898 - ASN1::loadOIDs([ - // PBES1 encryption schemes - '1.2.840.113549.1.5.1' => 'pbeWithMD2AndDES-CBC', - '1.2.840.113549.1.5.4' => 'pbeWithMD2AndRC2-CBC', - '1.2.840.113549.1.5.3' => 'pbeWithMD5AndDES-CBC', - '1.2.840.113549.1.5.6' => 'pbeWithMD5AndRC2-CBC', - '1.2.840.113549.1.5.10'=> 'pbeWithSHA1AndDES-CBC', - '1.2.840.113549.1.5.11'=> 'pbeWithSHA1AndRC2-CBC', - - // from PKCS#12: - // https://tools.ietf.org/html/rfc7292 - '1.2.840.113549.1.12.1.1' => 'pbeWithSHAAnd128BitRC4', - '1.2.840.113549.1.12.1.2' => 'pbeWithSHAAnd40BitRC4', - '1.2.840.113549.1.12.1.3' => 'pbeWithSHAAnd3-KeyTripleDES-CBC', - '1.2.840.113549.1.12.1.4' => 'pbeWithSHAAnd2-KeyTripleDES-CBC', - '1.2.840.113549.1.12.1.5' => 'pbeWithSHAAnd128BitRC2-CBC', - '1.2.840.113549.1.12.1.6' => 'pbeWithSHAAnd40BitRC2-CBC', - - '1.2.840.113549.1.5.12' => 'id-PBKDF2', - '1.2.840.113549.1.5.13' => 'id-PBES2', - '1.2.840.113549.1.5.14' => 'id-PBMAC1', - - // from PKCS#5 v2.1: - // http://www.rsa.com/rsalabs/pkcs/files/h11302-wp-pkcs5v2-1-password-based-cryptography-standard.pdf - '1.2.840.113549.2.7' => 'id-hmacWithSHA1', - '1.2.840.113549.2.8' => 'id-hmacWithSHA224', - '1.2.840.113549.2.9' => 'id-hmacWithSHA256', - '1.2.840.113549.2.10'=> 'id-hmacWithSHA384', - '1.2.840.113549.2.11'=> 'id-hmacWithSHA512', - '1.2.840.113549.2.12'=> 'id-hmacWithSHA512-224', - '1.2.840.113549.2.13'=> 'id-hmacWithSHA512-256', - - '1.3.14.3.2.7' => 'desCBC', - '1.2.840.113549.3.7' => 'des-EDE3-CBC', - '1.2.840.113549.3.2' => 'rc2CBC', - '1.2.840.113549.3.9' => 'rc5-CBC-PAD', - - '2.16.840.1.101.3.4.1.2' => 'aes128-CBC-PAD', - '2.16.840.1.101.3.4.1.22'=> 'aes192-CBC-PAD', - '2.16.840.1.101.3.4.1.42'=> 'aes256-CBC-PAD' - ]); - } - } - - /** - * Break a public or private key down into its constituent components - * - * @access public - * @param string $key - * @param string $password optional - * @return array - */ - protected static function load($key, $password = '') - { - self::initialize_static_variables(); - - if (!is_string($key)) { - return false; - } - - if (self::$format != self::MODE_DER) { - $decoded = ASN1::extractBER($key); - if ($decoded !== false) { - $key = $decoded; - } elseif (self::$format == self::MODE_PEM) { - return false; - } - } - - $decoded = ASN1::decodeBER($key); - if (empty($decoded)) { - return false; - } - - $meta = []; - - $decrypted = ASN1::asn1map($decoded[0], Maps\EncryptedPrivateKeyInfo::MAP); - if (strlen($password) && is_array($decrypted)) { - $algorithm = $decrypted['encryptionAlgorithm']['algorithm']; - switch ($algorithm) { - // PBES1 - case 'pbeWithMD2AndDES-CBC': - case 'pbeWithMD2AndRC2-CBC': - case 'pbeWithMD5AndDES-CBC': - case 'pbeWithMD5AndRC2-CBC': - case 'pbeWithSHA1AndDES-CBC': - case 'pbeWithSHA1AndRC2-CBC': - case 'pbeWithSHAAnd3-KeyTripleDES-CBC': - case 'pbeWithSHAAnd2-KeyTripleDES-CBC': - case 'pbeWithSHAAnd128BitRC2-CBC': - case 'pbeWithSHAAnd40BitRC2-CBC': - case 'pbeWithSHAAnd128BitRC4': - case 'pbeWithSHAAnd40BitRC4': - $cipher = self::getPBES1EncryptionObject($algorithm); - $hash = self::getPBES1Hash($algorithm); - $kdf = self::getPBES1KDF($algorithm); - - $meta['meta']['algorithm'] = $algorithm; - - $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']); - extract(ASN1::asn1map($temp[0], Maps\PBEParameter::MAP)); - $iterationCount = (int) $iterationCount->toString(); - $cipher->setPassword($password, $kdf, $hash, $salt, $iterationCount); - $key = $cipher->decrypt($decrypted['encryptedData']); - $decoded = ASN1::decodeBER($key); - if (empty($decoded)) { - return false; - } - - break; - case 'id-PBES2': - $meta['meta']['algorithm'] = $algorithm; - - $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']); - $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP); - extract($temp); - - $cipher = self::getPBES2EncryptionObject($encryptionScheme['algorithm']); - $meta['meta']['cipher'] = $encryptionScheme['algorithm']; - - $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']); - $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP); - extract($temp); - - if (!$cipher instanceof RC2) { - $cipher->setIV($encryptionScheme['parameters']['octetString']); - } else { - $temp = ASN1::decodeBER($encryptionScheme['parameters']); - extract(ASN1::asn1map($temp[0], Maps\RC2CBCParameter::MAP)); - $effectiveKeyLength = (int) $rc2ParametersVersion->toString(); - switch ($effectiveKeyLength) { - case 160: - $effectiveKeyLength = 40; - break; - case 120: - $effectiveKeyLength = 64; - break; - case 58: - $effectiveKeyLength = 128; - break; - //default: // should be >= 256 - } - $cipher->setIV($iv); - $cipher->setKeyLength($effectiveKeyLength); - } - - $meta['meta']['keyDerivationFunc'] = $keyDerivationFunc['algorithm']; - switch ($keyDerivationFunc['algorithm']) { - case 'id-PBKDF2': - $temp = ASN1::decodeBER($keyDerivationFunc['parameters']); - $prf = ['algorithm' => 'id-hmacWithSHA1']; - $params = ASN1::asn1map($temp[0], Maps\PBKDF2params::MAP); - extract($params); - $meta['meta']['prf'] = $prf['algorithm']; - $hash = str_replace('-', '/', substr($prf['algorithm'], 11)); - $params = [ - $password, - 'pbkdf2', - $hash, - $salt, - (int) $iterationCount->toString() - ]; - if (isset($keyLength)) { - $params[] = (int) $keyLength->toString(); - } - call_user_func_array([$cipher, 'setPassword'], $params); - $key = $cipher->decrypt($decrypted['encryptedData']); - $decoded = ASN1::decodeBER($key); - if (empty($decoded)) { - return false; - } - break; - default: - throw new UnsupportedAlgorithmException('Only PBKDF2 is supported for PBES2 PKCS#8 keys'); - } - break; - case 'id-PBMAC1': - //$temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']); - //$value = ASN1::asn1map($temp[0], Maps\PBMAC1params::MAP); - // since i can't find any implementation that does PBMAC1 it is unsupported - throw new UnsupportedAlgorithmException('Only PBES1 and PBES2 PKCS#8 keys are supported.'); - // at this point we'll assume that the key conforms to PublicKeyInfo - } - } - - $private = ASN1::asn1map($decoded[0], Maps\PrivateKeyInfo::MAP); - if (is_array($private)) { - return $private + $meta; - } - - // EncryptedPrivateKeyInfo and PublicKeyInfo have largely identical "signatures". the only difference - // is that the former has an octet string and the later has a bit string. the first byte of a bit - // string represents the number of bits in the last byte that are to be ignored but, currently, - // bit strings wanting a non-zero amount of bits trimmed are not supported - $public = ASN1::asn1map($decoded[0], Maps\PublicKeyInfo::MAP); - if (is_array($public)) { - if ($public['publicKey'][0] != "\0") { - return false; - } - $public['publicKey'] = substr($public['publicKey'], 1); - return $public; - } - - return false; - } - - /** - * Wrap a private key appropriately - * - * @access public - * @param string $algorithm - * @param string $key - * @param string $attr - * @param string $password - * @return string - */ - protected static function wrapPrivateKey($key, $algorithm, $attr, $password) - { - self::initialize_static_variables(); - - $key = [ - 'version' => 'v1', - 'privateKeyAlgorithm' => ['algorithm' => $algorithm], // parameters are not currently supported - 'privateKey' => $key - ]; - if (!empty($attr)) { - $key['attributes'] = $attr; - } - $key = ASN1::encodeDER($key, Maps\PrivateKeyInfo::MAP); - if (!empty($password) && is_string($password)) { - $salt = Random::string(8); - $iterationCount = self::$defaultIterationCount; - - if (self::$defaultEncryptionAlgorithm == 'id-PBES2') { - $crypto = self::getPBES2EncryptionObject(self::$defaultEncryptionScheme); - $hash = str_replace('-', '/', substr(self::$defaultPRF, 11)); - $kdf = 'pbkdf2'; - $iv = Random::string($crypto->getBlockLength() >> 3); - - $PBKDF2params = [ - 'salt' => $salt, - 'iterationCount' => $iterationCount, - 'prf' => ['algorithm' => self::$defaultPRF, 'parameters' => null] - ]; - $PBKDF2params = ASN1::encodeDER($PBKDF2params, Maps\PBKDF2params::MAP); - - if (!$crypto instanceof RC2) { - $params = ['octetString' => $iv]; - } else { - $params = [ - 'rc2ParametersVersion' => 58, - 'iv' => $iv - ]; - $params = ASN1::encodeDER($params, Maps\RC2CBCParameter::MAP); - $params = new ASN1\Element($params); - } - - $params = [ - 'keyDerivationFunc' => [ - 'algorithm' => 'id-PBKDF2', - 'parameters' => new ASN1\Element($PBKDF2params) - ], - 'encryptionScheme' => [ - 'algorithm' => self::$defaultEncryptionScheme, - 'parameters' => $params - ] - ]; - $params = ASN1::encodeDER($params, Maps\PBES2params::MAP); - - $crypto->setIV($iv); - } else { - $crypto = self::getPBES1EncryptionObject(self::$defaultEncryptionAlgorithm); - $hash = self::getPBES1Hash(self::$defaultEncryptionAlgorithm); - $kdf = self::getPBES1KDF(self::$defaultEncryptionAlgorithm); - - $params = [ - 'salt' => $salt, - 'iterationCount' => $iterationCount - ]; - $params = ASN1::encodeDER($params, Maps\PBEParameter::MAP); - } - $crypto->setPassword($password, $kdf, $hash, $salt, $iterationCount); - $key = $crypto->encrypt($key); - - $key = [ - 'encryptionAlgorithm' => [ - 'algorithm' => self::$defaultEncryptionAlgorithm, - 'parameters' => new ASN1\Element($params) - ], - 'encryptedData' => $key - ]; - - $key = ASN1::encodeDER($key, Maps\EncryptedPrivateKeyInfo::MAP); - - return "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\n" . - chunk_split(Base64::encode($key), 64) . - "-----END ENCRYPTED PRIVATE KEY-----"; - } - - return "-----BEGIN PRIVATE KEY-----\r\n" . - chunk_split(Base64::encode($key), 64) . - "-----END PRIVATE KEY-----"; - } - - /** - * Wrap a public key appropriately - * - * @access public - * @param string $key - * @return string - */ - protected static function wrapPublicKey($key, $algorithm) - { - self::initialize_static_variables(); - - $key = [ - 'publicKeyAlgorithm' => [ - 'algorithm' => $algorithm, - 'parameters' => null // parameters are not currently supported - ], - 'publicKey' => "\0" . $key - ]; - - $key = ASN1::encodeDER($key, Maps\PublicKeyInfo::MAP); - - return "-----BEGIN PUBLIC KEY-----\r\n" . - chunk_split(Base64::encode($key), 64) . - "-----END PUBLIC KEY-----"; - } -}