mirror of
https://github.com/phpseclib/phpseclib.git
synced 2024-12-29 04:23:34 +00:00
X509: make it so CRLs, CSRs and SPKACs can support PSS keys
This commit is contained in:
parent
ea5a4c3c62
commit
b54eeb8e35
@ -2541,22 +2541,12 @@ class X509
|
|||||||
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
|
$currentCert = isset($this->currentCert) ? $this->currentCert : null;
|
||||||
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
|
$signatureSubject = isset($this->signatureSubject) ? $this->signatureSubject : null;
|
||||||
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
|
$signatureAlgorithm = self::identifySignatureAlgorithm($issuer->privateKey);
|
||||||
if ($signatureAlgorithm != 'id-RSASSA-PSS') {
|
|
||||||
$signatureAlgorithm = ['algorithm' => $signatureAlgorithm];
|
|
||||||
} else {
|
|
||||||
$r = PSS::load($issuer->privateKey->withPassword()->toString('PSS'));
|
|
||||||
$signatureAlgorithm = [
|
|
||||||
'algorithm' => 'id-RSASSA-PSS',
|
|
||||||
'parameters' => PSS::savePSSParams($r)
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
||||||
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
|
if (isset($subject->currentCert) && is_array($subject->currentCert) && isset($subject->currentCert['tbsCertificate'])) {
|
||||||
$this->currentCert = $subject->currentCert;
|
$this->currentCert = $subject->currentCert;
|
||||||
$this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
|
$this->currentCert['tbsCertificate']['signature'] = $signatureAlgorithm;
|
||||||
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||||
|
|
||||||
|
|
||||||
if (!empty($this->startDate)) {
|
if (!empty($this->startDate)) {
|
||||||
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
|
$this->currentCert['tbsCertificate']['validity']['notBefore'] = $this->timeField($this->startDate);
|
||||||
}
|
}
|
||||||
@ -2736,7 +2726,7 @@ class X509
|
|||||||
$signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey);
|
$signatureAlgorithm = self::identifySignatureAlgorithm($this->privateKey);
|
||||||
|
|
||||||
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
|
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['certificationRequestInfo'])) {
|
||||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||||
if (!empty($this->dn)) {
|
if (!empty($this->dn)) {
|
||||||
$this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
|
$this->currentCert['certificationRequestInfo']['subject'] = $this->dn;
|
||||||
}
|
}
|
||||||
@ -2749,7 +2739,7 @@ class X509
|
|||||||
'subject' => $this->dn,
|
'subject' => $this->dn,
|
||||||
'subjectPKInfo' => $publicKey
|
'subjectPKInfo' => $publicKey
|
||||||
],
|
],
|
||||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
'signatureAlgorithm' => $signatureAlgorithm,
|
||||||
'signature' => false // this is going to be overwritten later
|
'signature' => false // this is going to be overwritten later
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@ -2791,7 +2781,7 @@ class X509
|
|||||||
|
|
||||||
// re-signing a SPKAC seems silly but since everything else supports re-signing why not?
|
// re-signing a SPKAC seems silly but since everything else supports re-signing why not?
|
||||||
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
|
if (isset($this->currentCert) && is_array($this->currentCert) && isset($this->currentCert['publicKeyAndChallenge'])) {
|
||||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||||
$this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
|
$this->currentCert['publicKeyAndChallenge']['spki'] = $publicKey;
|
||||||
if (!empty($this->challenge)) {
|
if (!empty($this->challenge)) {
|
||||||
// the bitwise AND ensures that the output is a valid IA5String
|
// the bitwise AND ensures that the output is a valid IA5String
|
||||||
@ -2809,7 +2799,7 @@ class X509
|
|||||||
// Random::string(8) & str_repeat("\x7F", 8)
|
// Random::string(8) & str_repeat("\x7F", 8)
|
||||||
'challenge' => !empty($this->challenge) ? $this->challenge : ''
|
'challenge' => !empty($this->challenge) ? $this->challenge : ''
|
||||||
],
|
],
|
||||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
'signatureAlgorithm' => $signatureAlgorithm,
|
||||||
'signature' => false // this is going to be overwritten later
|
'signature' => false // this is going to be overwritten later
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@ -2851,18 +2841,18 @@ class X509
|
|||||||
|
|
||||||
if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
|
if (isset($crl->currentCert) && is_array($crl->currentCert) && isset($crl->currentCert['tbsCertList'])) {
|
||||||
$this->currentCert = $crl->currentCert;
|
$this->currentCert = $crl->currentCert;
|
||||||
$this->currentCert['tbsCertList']['signature']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['tbsCertList']['signature'] = $signatureAlgorithm;
|
||||||
$this->currentCert['signatureAlgorithm']['algorithm'] = $signatureAlgorithm;
|
$this->currentCert['signatureAlgorithm'] = $signatureAlgorithm;
|
||||||
} else {
|
} else {
|
||||||
$this->currentCert = [
|
$this->currentCert = [
|
||||||
'tbsCertList' =>
|
'tbsCertList' =>
|
||||||
[
|
[
|
||||||
'version' => 'v2',
|
'version' => 'v2',
|
||||||
'signature' => ['algorithm' => $signatureAlgorithm],
|
'signature' => $signatureAlgorithm,
|
||||||
'issuer' => false, // this is going to be overwritten later
|
'issuer' => false, // this is going to be overwritten later
|
||||||
'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
|
'thisUpdate' => $this->timeField($thisUpdate) // $this->setStartDate()
|
||||||
],
|
],
|
||||||
'signatureAlgorithm' => ['algorithm' => $signatureAlgorithm],
|
'signatureAlgorithm' => $signatureAlgorithm,
|
||||||
'signature' => false // this is going to be overwritten later
|
'signature' => false // this is going to be overwritten later
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@ -2971,7 +2961,11 @@ class X509
|
|||||||
{
|
{
|
||||||
if ($key instanceof RSA) {
|
if ($key instanceof RSA) {
|
||||||
if ($key->getPadding() & RSA::SIGNATURE_PSS) {
|
if ($key->getPadding() & RSA::SIGNATURE_PSS) {
|
||||||
return 'id-RSASSA-PSS';
|
$r = PSS::load($key->withPassword()->toString('PSS'));
|
||||||
|
return [
|
||||||
|
'algorithm' => 'id-RSASSA-PSS',
|
||||||
|
'parameters' => PSS::savePSSParams($r)
|
||||||
|
];
|
||||||
}
|
}
|
||||||
switch ($key->getHash()) {
|
switch ($key->getHash()) {
|
||||||
case 'md2':
|
case 'md2':
|
||||||
@ -2981,7 +2975,7 @@ class X509
|
|||||||
case 'sha256':
|
case 'sha256':
|
||||||
case 'sha384':
|
case 'sha384':
|
||||||
case 'sha512':
|
case 'sha512':
|
||||||
return $key->getHash() . 'WithRSAEncryption';
|
return ['algorithm' => $key->getHash() . 'WithRSAEncryption'];
|
||||||
}
|
}
|
||||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
|
throw new UnsupportedAlgorithmException('The only supported hash algorithms for RSA are: md2, md5, sha1, sha224, sha256, sha384, sha512');
|
||||||
}
|
}
|
||||||
@ -2991,7 +2985,7 @@ class X509
|
|||||||
case 'sha1':
|
case 'sha1':
|
||||||
case 'sha224':
|
case 'sha224':
|
||||||
case 'sha256':
|
case 'sha256':
|
||||||
return 'id-dsa-with-' . $key->getHash();
|
return ['algorithm' => 'id-dsa-with-' . $key->getHash()];
|
||||||
}
|
}
|
||||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
|
throw new UnsupportedAlgorithmException('The only supported hash algorithms for DSA are: sha1, sha224, sha256');
|
||||||
}
|
}
|
||||||
@ -3000,7 +2994,7 @@ class X509
|
|||||||
switch ($key->getCurve()) {
|
switch ($key->getCurve()) {
|
||||||
case 'Ed25519':
|
case 'Ed25519':
|
||||||
case 'Ed448':
|
case 'Ed448':
|
||||||
return 'id-' . $key->getCurve();
|
return ['algorithm' => 'id-' . $key->getCurve()];
|
||||||
}
|
}
|
||||||
switch ($key->getHash()) {
|
switch ($key->getHash()) {
|
||||||
case 'sha1':
|
case 'sha1':
|
||||||
@ -3008,7 +3002,7 @@ class X509
|
|||||||
case 'sha256':
|
case 'sha256':
|
||||||
case 'sha384':
|
case 'sha384':
|
||||||
case 'sha512':
|
case 'sha512':
|
||||||
return 'ecdsa-with-' . strtoupper($key->getHash());
|
return ['algorithm' => 'ecdsa-with-' . strtoupper($key->getHash())];
|
||||||
}
|
}
|
||||||
throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
|
throw new UnsupportedAlgorithmException('The only supported hash algorithms for EC are: sha1, sha224, sha256, sha384, sha512');
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user