mirror of
https://github.com/phpseclib/phpseclib.git
synced 2024-12-28 12:10:59 +00:00
X509: make it so CRLs, CSRs and SPKACs can support PSS keys
This commit is contained in:
parent
ea5a4c3c62
commit
b54eeb8e35
@ -2541,22 +2541,12 @@ class X509
|
||||
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
|
||||
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
|
||||
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
|
||||
if ($signatureAlgorithm != 'id-RSASSA-PSS') {
|
||||
$signatureAlgorithm = ['algorithm' => $signatureAlgorithm];
|
||||
} else {
|
||||
$r = PSS::load($issuer->privateKey->withPassword()->toString('PSS'));
|
||||
$signatureAlgorithm = [
|
||||
'algorithm' => 'id-RSASSA-PSS',
|
||||
'parameters' => PSS::savePSSParams($r)
|
||||
];
|
||||
}
|
||||
|
||||
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
|
||||
$this->currentCert = $subject->currentCert;
|
||||
$this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
|
||||
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||
|
||||
|
||||
if (!empty($this->startDate)) {
|
||||
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
|
||||
}
|
||||
@ -2736,7 +2726,7 @@ class X509
|
||||
$signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey);
|
||||
|
||||
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
|
||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
||||
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||
if (!empty($this->dn)) {
|
||||
$this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
|
||||
}
|
||||
@ -2749,7 +2739,7 @@ class X509
|
||||
'subject' => $this->dn,
|
||||
'subjectPKInfo' => $publicKey
|
||||
],
|
||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
||||
'signatureAlgorithm' => $signatureAlgorithm,
|
||||
'signature' => false // this is going to be overwritten later
|
||||
];
|
||||
}
|
||||
@ -2791,7 +2781,7 @@ class X509
|
||||
|
||||
// re-signing a SPKAC seems silly but since everything else supports re-signing why not?
|
||||
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
|
||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
||||
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||
$this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
|
||||
if (!empty($this->challenge)) {
|
||||
// the bitwise AND ensures that the output is a valid IA5String
|
||||
@ -2809,7 +2799,7 @@ class X509
|
||||
// Random::string(8) & str_repeat("\x7F", 8)
|
||||
'challenge' => !empty($this->challenge) ? $this->challenge : ''
|
||||
],
|
||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
||||
'signatureAlgorithm' => $signatureAlgorithm,
|
||||
'signature' => false // this is going to be overwritten later
|
||||
];
|
||||
}
|
||||
@ -2851,18 +2841,18 @@ class X509
|
||||
|
||||
if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
|
||||
$this->currentCert = $crl->currentCert;
|
||||
$this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
|
||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
||||
$this->currentCert['tbsCertList']['signature'] = $signatureAlgorithm;
|
||||
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||
} else {
|
||||
$this->currentCert = [
|
||||
'tbsCertList' =>
|
||||
[
|
||||
'version' => 'v2',
|
||||
'signature' => ['algorithm' => $signatureAlgorithm],
|
||||
'signature' => $signatureAlgorithm,
|
||||
'issuer' => false, // this is going to be overwritten later
|
||||
'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
|
||||
],
|
||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
||||
'signatureAlgorithm' => $signatureAlgorithm,
|
||||
'signature' => false // this is going to be overwritten later
|
||||
];
|
||||
}
|
||||
@ -2971,7 +2961,11 @@ class X509
|
||||
{
|
||||
if ($key instanceof RSA) {
|
||||
if ($key->getPadding() & RSA::SIGNATURE_PSS) {
|
||||
return 'id-RSASSA-PSS';
|
||||
$r = PSS::load($key->withPassword()->toString('PSS'));
|
||||
return [
|
||||
'algorithm' => 'id-RSASSA-PSS',
|
||||
'parameters' => PSS::savePSSParams($r)
|
||||
];
|
||||
}
|
||||
switch ($key->getHash()) {
|
||||
case 'md2':
|
||||
@ -2981,7 +2975,7 @@ class X509
|
||||
case 'sha256':
|
||||
case 'sha384':
|
||||
case 'sha512':
|
||||
return $key->getHash() . 'WithRSAEncryption';
|
||||
return ['algorithm' => $key->getHash() . 'WithRSAEncryption'];
|
||||
}
|
||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
|
||||
}
|
||||
@ -2991,7 +2985,7 @@ class X509
|
||||
case 'sha1':
|
||||
case 'sha224':
|
||||
case 'sha256':
|
||||
return 'id-dsa-with-' . $key->getHash();
|
||||
return ['algorithm' => 'id-dsa-with-' . $key->getHash()];
|
||||
}
|
||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
|
||||
}
|
||||
@ -3000,7 +2994,7 @@ class X509
|
||||
switch ($key->getCurve()) {
|
||||
case 'Ed25519':
|
||||
case 'Ed448':
|
||||
return 'id-' . $key->getCurve();
|
||||
return ['algorithm' => 'id-' . $key->getCurve()];
|
||||
}
|
||||
switch ($key->getHash()) {
|
||||
case 'sha1':
|
||||
@ -3008,7 +3002,7 @@ class X509
|
||||
case 'sha256':
|
||||
case 'sha384':
|
||||
case 'sha512':
|
||||
return 'ecdsa-with-' . strtoupper($key->getHash());
|
||||
return ['algorithm' => 'ecdsa-with-' . strtoupper($key->getHash())];
|
||||
}
|
||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user