X509: make it so CRLs, CSRs and SPKACs can support PSS keys

This commit is contained in:
terrafrost 2022-09-23 15:03:37 -05:00
parent ea5a4c3c62
commit b54eeb8e35

View File

@ -2541,22 +2541,12 @@ class X509
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
if ($signatureAlgorithm != 'id-RSASSA-PSS') {
$signatureAlgorithm = ['algorithm' => $signatureAlgorithm];
} else {
$r = PSS::load($issuer->privateKey->withPassword()->toString('PSS'));
$signatureAlgorithm = [
'algorithm' => 'id-RSASSA-PSS',
'parameters' => PSS::savePSSParams($r)
];
}
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
$this->currentCert = $subject->currentCert;
$this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
if (!empty($this->startDate)) {
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
}
@ -2736,7 +2726,7 @@ class X509
$signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey);
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
if (!empty($this->dn)) {
$this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
}
@ -2749,7 +2739,7 @@ class X509
'subject' => $this->dn,
'subjectPKInfo' => $publicKey
],
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
'signatureAlgorithm' => $signatureAlgorithm,
'signature' => false // this is going to be overwritten later
];
}
@ -2791,7 +2781,7 @@ class X509
// re-signing a SPKAC seems silly but since everything else supports re-signing why not?
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
$this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
if (!empty($this->challenge)) {
// the bitwise AND ensures that the output is a valid IA5String
@ -2809,7 +2799,7 @@ class X509
// Random::string(8) & str_repeat("\x7F", 8)
'challenge' => !empty($this->challenge) ? $this->challenge : ''
],
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
'signatureAlgorithm' => $signatureAlgorithm,
'signature' => false // this is going to be overwritten later
];
}
@ -2851,18 +2841,18 @@ class X509
if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
$this->currentCert = $crl->currentCert;
$this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
$this->currentCert['tbsCertList']['signature'] = $signatureAlgorithm;
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
} else {
$this->currentCert = [
'tbsCertList' =>
[
'version' => 'v2',
'signature' => ['algorithm' => $signatureAlgorithm],
'signature' => $signatureAlgorithm,
'issuer' => false, // this is going to be overwritten later
'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
],
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
'signatureAlgorithm' => $signatureAlgorithm,
'signature' => false // this is going to be overwritten later
];
}
@ -2971,7 +2961,11 @@ class X509
{
if ($key instanceof RSA) {
if ($key->getPadding() & RSA::SIGNATURE_PSS) {
return 'id-RSASSA-PSS';
$r = PSS::load($key->withPassword()->toString('PSS'));
return [
'algorithm' => 'id-RSASSA-PSS',
'parameters' => PSS::savePSSParams($r)
];
}
switch ($key->getHash()) {
case 'md2':
@ -2981,7 +2975,7 @@ class X509
case 'sha256':
case 'sha384':
case 'sha512':
return $key->getHash() . 'WithRSAEncryption';
return ['algorithm' => $key->getHash() . 'WithRSAEncryption'];
}
throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
}
@ -2991,7 +2985,7 @@ class X509
case 'sha1':
case 'sha224':
case 'sha256':
return 'id-dsa-with-' . $key->getHash();
return ['algorithm' => 'id-dsa-with-' . $key->getHash()];
}
throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
}
@ -3000,7 +2994,7 @@ class X509
switch ($key->getCurve()) {
case 'Ed25519':
case 'Ed448':
return 'id-' . $key->getCurve();
return ['algorithm' => 'id-' . $key->getCurve()];
}
switch ($key->getHash()) {
case 'sha1':
@ -3008,7 +3002,7 @@ class X509
case 'sha256':
case 'sha384':
case 'sha512':
return 'ecdsa-with-' . strtoupper($key->getHash());
return ['algorithm' => 'ecdsa-with-' . strtoupper($key->getHash())];
}
throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
}