Merge branch '3.0'

[PHP 8.4] Fixes for implicit nullability deprecation

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: terrafrost
+patreon: phpseclib
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: "packagist/phpseclib/phpseclib"
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/workflows/ci.yml

@@ -16,13 +16,39 @@ jobs:
                 uses: shivammathur/setup-php@v2
                 with:
                     php-version: ${{ matrix.php-version }}
-                    tools: php-parallel-lint/php-parallel-lint:1
+                env:
+                    update: true
+            -   name: Composer Install
+                run: composer install --classmap-authoritative --no-interaction --no-cache
             -   name: Lint
-                run: parallel-lint --show-deprecated build phpseclib tests
+                run: vendor/bin/parallel-lint --show-deprecated build phpseclib tests
         strategy:
             fail-fast: false
             matrix:
-                php-version: ['5.3', '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+                php-version: ['8.1', '8.2', '8.3']
+    quality_tools:
+        name: Quality Tools
+        timeout-minutes: 5
+        runs-on: ubuntu-latest
+        steps:
+            -   name: Checkout
+                uses: actions/checkout@v3
+            -   name: Setup PHP
+                uses: shivammathur/setup-php@v2
+                with:
+                    php-version: '8.1'
+                env:
+                    update: true
+            -   name: Composer Install
+                run: composer install --classmap-authoritative --no-interaction --no-cache
+            -   name: PHP_CodeSniffer
+                run: vendor/bin/phpcs --standard=build/php_codesniffer.xml
+            -   name: PHP CS Fixer
+                run: vendor/bin/php-cs-fixer fix --config=build/php-cs-fixer.php --diff --dry-run --using-cache=no
+            -   name: Psalm
+                run: vendor/bin/psalm --config=build/psalm.xml --no-cache --long-progress --report-show-info=false
+        strategy:
+            fail-fast: false
     tests:
         name: Tests
         timeout-minutes: 10
@@ -34,11 +60,10 @@ jobs:
                 uses: shivammathur/setup-php@v2
                 with:
                     php-version: ${{ matrix.php-version }}
+                env:
+                    update: true
             -   name: Composer Install
-                run: composer install --no-interaction --no-cache
-            -   name: Make Tests Compatiable With PHPUnit 9+
-                if: contains(fromJSON('["7.3", "7.4", "8.0", "8.1", "8.2"]'), matrix.php-version)
-                run: php tests/make_compatible_with_phpunit9.php
+                run: composer install --classmap-authoritative --no-interaction --no-cache --ignore-platform-req=php
             -   name: Setup Secure Shell Functional Tests
                 if: matrix.os == 'ubuntu-latest'
                 run: |
@@ -62,15 +87,9 @@ jobs:
                     echo "PHPSECLIB_SSH_HOME=/home/phpseclib" >> $GITHUB_ENV
                     echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> $GITHUB_ENV
             -   name: PHPUnit
-                run: vendor/bin/phpunit
+                run: vendor/bin/paratest --verbose --configuration=tests/phpunit.xml --runner=WrapperRunner
         strategy:
             fail-fast: false
             matrix:
                 os: [ubuntu-latest, windows-latest, macos-latest]
-                php-version: ['5.3', '5.4', '5.5', '5.6', '7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
-                exclude:
-                    # PHP 5.3 / 5.4 on windows don't have openssl or curl installed, which prevents composer from running
-                    - os: windows-latest
-                      php-version: '5.3'
-                    - os: windows-latest
-                      php-version: '5.4'
+                php-version: ['8.1', '8.2', '8.3']

.gitignore

@@ -1,3 +1,7 @@
-/vendor
+/.idea/
+/build/php-cs-fixer.cache
+/composer.lock
 /composer.phar
-composer.lock
+/tests/.phpunit.result.cache
+/vendor/
+.gitignore

AUTHORS

@@ -4,4 +4,4 @@ phpseclib Developers:      monnerat (Patrick Monnerat)
                            bantu (Andreas Fischer)
                            petrich (Hans-Jürgen Petrich)
                            GrahamCampbell (Graham Campbell)
-                           hc-jworman
+                           jack-worman (Jack Worman)

BACKERS.md

@@ -13,4 +13,5 @@ phpseclib ongoing development is made possible by [Tidelift](https://tidelift.co
 - [Rachel Fish](https://github.com/itsrachelfish)
 - Tharyrok
 - [cjhaas](https://github.com/cjhaas)
-- [istiak-tridip](https://github.com/istiak-tridip)
+- [istiak-tridip](https://github.com/istiak-tridip)
+- [Anna Filina](https://github.com/afilina)

CHANGELOG.md

@@ -1,5 +1,259 @@
 # Changelog
 
+## 3.0.37 - 2024-03-02
+
+- SSH2: don't set stream timeout if timeout is 0 (#1986)
+
+## 3.0.36 - 2024-02-25
+
+- BigInteger: put guardrails on isPrime() and randomPrime() (CVE-2024-27354)
+- ASN1: limit OID length (CVE-2024-27355)
+- EC: when using openssl to do signing use unencrypted key (#1979)
+- SSH2: add different options to isConnected() (#1983)
+
+## 3.0.35 - 2023-12-18
+
+- SSH2: implement terrapin attack countermeasures (#1972)
+- SSH2: only capture login info once (#1970)
+- Crypt/AsymmetricKey: loading hidden custom key plugins didn't work (#1971)
+
+## 3.0.34 - 2023-11-27
+
+- SSH2: add support for RFC8308 (#1960)
+- SSH2: don't use AES GCM for TurboFTP Server (#1957)
+- SSH2: reset more internal variables when connection is reset (#1961)
+- PKCS8: PBES1 / RC2 and PBES2 / DES keys didn't work (#1958)
+- EC/Signature/Format: add new IEEE format (#1956)
+- Math/BigInteger/Engines/PHP: PHP 8.2.13+ fixes Windows JIT issue
+- Math/BinaryField: fix for excessively large degrees (CVE-2023-49316)
+- Math/PrimeField: fix occasional error with squareRoot method
+
+## 3.0.33 - 2023-10-21
+
+- SSH2: fix for PHP 7.3 (#1953)
+- Crypt: improve ARM detection code (#1949)
+- Rijndael: fix for PHP 8.3+ compatability (#1944)
+- X509: fix for weird characters in subjaltname (#1943)
+- move JIT check to BigInteger (#1942)
+
+## 3.0.23 - 2023-09-18
+
+- fix "Undefined index: jit" error on Windows (#1940)
+
+## 3.0.22 - 2023-09-15
+
+- SFTP: make it so SFTP::RESUME also sets offset of local file (#1921)
+- SFTP: RESUME_START didn't work as described (#1921)
+- SFTP: fix SFTPv2 errors when logging errors (#1933)
+- SFTP: fix issue with get() downloading to files / streams (#1934)
+- BigInteger: use GMP if available (#1928)
+- Rijndael: fix E_DEPRECATED (#1935)
+- improve PHP32 compatibility (#1931)
+
+## 3.0.21 - 2023-07-09
+
+- BigInteger: speed up powMod() method (#1919)
+- SSH2: fix stream_select(): Unable to select [4]: Interrupted system call (max_fd=29) error (#1851)
+- SSH2: add EOF test isConnected() (#1926)
+- SFTP: make it so SFTP::RESUME also sets offset of local file (#1921)
+- SFTP: SFTP::RESUME_START didn't work as described (#1921)
+
+## 3.0.20 - 2023-06-13
+
+- SSH2: better support for multiple interactive channels & expose shell functions (#1888)
+- SFTP: add optional $recursive parameter to filesize() (#1782)
+- SFTP: fix NET_SFTP_ATTR_EXTENDED (#1907)
+- ASN1: speed up decodeBER (#1894)
+- X509: add support for EV DN's (#1916)
+- X509: getChain() should always return array of X509 objects (#1914)
+- RSA: setting sig padding broke enc padding and vice versa
+
+## 3.0.19 - 2023-03-05
+
+- AsymmetricKey: error out on unsupported operations (#1879)
+- Blowfish: fix issues on 32-bit PHP installs
+- BigInteger: fix for hex numbers with new lines in them
+- SFTP: fix "Creating default object from empty value" error (#1876)
+- SSH2: add getTimeout() method (#1889)
+- PrimeField: prevent infinite loop with composite primefields (CVE-2023-27560)
+
+## 3.0.18 - 2022-12-17
+
+- fix for PHP 8.2 deprecations (#1869, #1873)
+- SSH2: if logging in with rsa-sha2-256/512 fails, try ssh-rsa (#1865)
+- SSH/Agent: add support for named pipes on windows (for pageant) (#1866)
+- Crypt/Base: add a function to check continuous buffer status (#1870)
+- OpenSSL 3.0.1+ deprecated some algorithms (RC2, RC4, DES, Blowfish)
+
+## 3.0.17 - 2022-10-24
+
+- X509: make it so CRLs, CSRs and SPKACs can support PSS keys (#1837)
+- X509: make it so PKCS1 X509 certs can create PSS sigs (#1837)
+- SFTP: fix deprecated implicit float to int on 32-bit PHP 8.1 (#1841)
+- SFTP: restore orig behavior when deleting non-existant folder (#1847)
+- Random: fix fallback on PHP 8.1+
+
+## 3.0.16 - 2022-09-05
+
+- SSH2: fix type hinting for keyboard_interactive_process (#1836)
+
+## 3.0.15 - 2022-09-02
+
+- PublicKeyLoader: add support for OpenSSH encrypted keys (#1737, #1733, #1531, #1490)
+- PublicKeyLoader: add support for JSON Web Keys (#1817)
+- SSH2: make login method return false under rare situation (#1790)
+- SSH2: fix possibly undefined variable error (#1802)
+- SFTP: fix enableDatePreservation bug w.r.t. mtime (#1670)
+- SFTP: try to delete dir even if it can't be opened (#1791)
+- SFTP: try without path canonicalization if initial realpath() fails (#1796)
+- SFTP: detect if stream metadata has wrapper_type set for put() method (#1792)
+- BigInteger: tweak to the phpinfo checks (#1726)
+- BigInteger: fix behavior on 32-bit PHP installs (#1820)
+- EC/PKCS8: OpenSSL didn't like phpseclib formed Ed25519 public keys (#1819)
+- don't use dynamic properties, which are deprecated in PHP 8.2 (#1808, #1822)
+- fix deprecated implicit float to int on 32-bit PHP 8.1
+
+## 3.0.14 - 2022-04-04
+
+- RSA: add support for loading PuTTY v3 keys
+- Crypt/Base: fix CTR mode with continuous buffer with non-eval PHP
+- Crypt/Base: use sodium_increment in _increment_str
+- Crypt/Base: fix deprecation notice (#1770)
+- SSH2/Agent: rm unused parameter (#1757)
+- BigInteger: add precision to __debugInfo
+- BigInteger: fix random engine issues
+- call useBestEngine() when getEngine() is called
+
+## 3.0.13 - 2022-01-30
+
+- SSH2: make login() return false if no valid auth methods are found (#1744)
+- SSH2: show a more helpful error message when logging in with pubkey (#1718)
+- SSH2: rsa-sha2-256 and rsa-sha2-512 sigs weren't verifying (#1743)
+- SFTP: fix chgrp() for version < 4 (#1730)
+- Crypt/Base: add OFB8 as a new mode (phpseclib/mcrypt_compat#33)
+- Crypt/Salsa20: fix PHP 5.6 error (#1717)
+- RSA & BigInteger: check phpinfo() available before using it (#1726)
+- Fixed psalm level 6 errors in phpseclib/Net/ (#1746)
+
+## 3.0.12 - 2021-11-28
+
+- SSH2: add "smart multi factor" login mode (enabled by default) (#1648)
+- SSH2: error out when no data is received from the server (#1647)
+- SFTP: don't attempt to parse unsupported attributes (#1708)
+- SFTP: getSupportedVersions() call didn't work
+- EC: error out when scalar is out of range (#1712)
+- RSA: add support for raw private keys (#1711)
+- SymmetricKey: add getMode()
+
+## 3.0.11 - 2021-10-26
+
+- SSH2: add support for zlib and zlib@openssh.com compression
+- SFTP: add support for SFTPv4/5/6
+- SFTP: add option to allow arbitrary length packets (#1691)
+- SFTP: errors weren't being logged (#1702)
+- RSA: ssh-keygen -yf private.key fails if \r is present (#1698)
+
+## 3.0.10 - 2021-08-15
+
+- SFTP: don't check SFTP packet size after SFTP initialization (#1606)
+- SFTP: timeout during SFTP init should return false (#1684)
+- SFTP: return false if get_channel_packet returns false (#1678)
+- ASN1: return false when not enough bytes are available (#1676)
+- BigInteger: Serializable is being deprecated in PHP 8.1 (#1680)
+- explicitly define methods as being static (#1689)
+- plug memory leaks (#1672)
+
+## 3.0.9 - 2021-06-13
+
+- SSH2: add getAuthMethodsToContinue() method (#1648)
+- SSH2: timeout would occasionally infinitely loop
+- SSH2: fix PHP7.4 errors about accessing bool as string (#1656)
+- SSH2: fix issue with key re-exchange (#1644)
+- SFTP: reopen channel on channel closure (#1654)
+- X509: extra characters before cert weren't being removed (#1659)
+- X509: signing with pw protected PSS keys yielded errors (#1657)
+- ASN1: fix timezone issue when non-utc time is given (#1562)
+- ASN1: change how default values are processed for ints and enums (#1665)
+- RSA: OAEP decryption didn't check labels correctly (#1669)
+
+## 3.0.8 - 2021-04-20
+
+- AsymetrticKey: add getComment() method (#1638)
+- SymmetricKey: cipher_name_openssl_ecb shouldn't be static because of AES (#1636)
+- X509: don't filter basicConstraints on unique values (#1639)
+- X509: make it so extensions can be set as critical (#1640)
+
+## 3.0.7 - 2021-04-06
+
+- X509: always parse the first cert of a bundle (#1568)
+- SSH2: behave like putty with broken publickey auth (#1572)
+- SSH2: don't close channel on unexpected response to channel request (#1631)
+- RSA: cleanup RSA PKCS#1 v1.5 signature verification (CVE-2021-30130)
+- Crypt: use a custom error handler for mcrypt to avoid deprecation errors
+
+## 3.0.6 - 2021-03-13
+
+- SFTP/Stream: make it so you can write past the end of a file (#1618)
+- SFTP/Stream: fix undefined index notice in stream touch() (#1615)
+- SFTP/Stream: mkdir didn't work (#1617)
+- BigInteger: fix issue with toBits on 32-bit PHP 8 installs
+- SFTP: digit only filenames were converted to integers by php (#1623)
+
+## 3.0.5 - 2021-02-12
+
+- X509: add getCurrentCert method (since $currentCert is now private) (#1602)
+- PublicKeyLoader: add loadPrivateKey() and loadPublicKey() methods (#1603)
+- Rijndael: calling setIV() after setBlockLength() can result in err (#1599)
+- RSA: use OpenSSL for generating private keys (#1596)
+- BigInteger: big speedups for when OpenSSL is used (#1596)
+
+## 3.0.4 - 2021-01-25
+
+- Random: use v9.99.99 of random_compat if appropriate (#1585, #1571)
+- SSH/Agent: EC keys didn't work with agent (#1593)
+- X509: fix niche issue with computeKeyIdentifier (#1586)
+
+## 3.0.3 - 2021-01-16
+
+- X509: passing DateTime objects to setEndDate produced errors (#1578)
+- X509: always parse the first cert of a bundle (#1568)
+- X509: streamline the management of custom extensions (#1573)
+- EC: fix case sensitivity errors when using Symfony autoloader (#1570)
+- RSA: improve identification of public / private PKCS1 / PKCS8 keys (#1579)
+- RSA: add support for PSS keys that don't have parameters present (#1583)
+- RSA: tweaks to how the salt length works
+- RSA: throw exceptions instead of returning false
+- SSH2: behave like putty with broken publickey auth (#1572)
+
+## 3.0.2 - 2020-12-24
+
+- EC/PKCS1: throw exception when trying to load non-strings (#1559)
+- X509: make date methods accept DateTimeInterface instead of DateTime (#1562)
+- SSH2: suppress errors on stream_select calls (#1560)
+
+## 3.0.1 - 2020-12-19
+
+- PKCS8: fix E_WARNING (#1551)
+- SSH2/Stream: stream_select needs to be able to access $fsock (#1552)
+- SFTP: resuming uploads didn't work (#1553)
+
+## 3.0.0 - 2020-12-16
+
+- drop SSH1 and SCP support
+- add support for the following crypto algorithms:
+  - Ed25519 / Ed449 / Curve25519 / Curve449
+  - ECDSA / ECDH (66 curves)
+  - DSA / DH
+  - GCM / Poly1305
+  - Salsa20 / ChaCha20
+- namespace changed from `phpseclib\` to `\phpseclib3` to facilitate phpseclib 2 shim (phpseclib2_compat)
+
+## 2.0.47 - 2024-02-25
+
+- BigInteger: add getLength() and getLengthInBytes() methods
+- BigInteger: put guardrails on isPrime() and randomPrime() (CVE-2024-27354)
+- ASN1: limit OID length (CVE-2024-27355)
+
 ## 2.0.46 - 2023-12-28
 
 - SSH2: implement terrapin attack countermeasures (#1972)
@@ -366,6 +620,12 @@
 - Classes were renamed and namespaced ([#243](https://github.com/phpseclib/phpseclib/issues/243))
 - The use of an autoloader is now required (e.g. Composer)
 
+## 1.0.23 - 2024-02-25
+
+- BigInteger: add getLength() and getLengthInBytes() methods
+- BigInteger: put guardrails on isPrime() and randomPrime() (CVE-2024-27354)
+- ASN1: limit OID length (CVE-2024-27355)
+
 ## 1.0.22 - 2023-12-28
 
 - SFTP: fix issue with get() downloading to files / streams (#1934)

README.md

@@ -1,6 +1,6 @@
 # phpseclib - PHP Secure Communications Library
 
-[![Build Status](https://travis-ci.com/phpseclib/phpseclib.svg?branch=2.0)](https://travis-ci.com/github/phpseclib/phpseclib)
+[![CI Status](https://github.com/phpseclib/phpseclib/actions/workflows/ci.yml/badge.svg?branch=master&event=push "CI Status")](https://github.com/phpseclib/phpseclib/actions/workflows/ci.yml?query=branch%3Amaster)
 
 ## Supporting phpseclib
 
@@ -19,7 +19,7 @@ SSH-2, SFTP, X.509, an arbitrary-precision integer arithmetic library, Ed25519 /
 ## Documentation
 
 * [Documentation / Manual](https://phpseclib.com/)
-* [API Documentation](https://api.phpseclib.com/2.0/) (generated by Doctum)
+* [API Documentation](https://api.phpseclib.com/master/) (generated by Doctum)
 
 ## Branches
 
@@ -51,7 +51,7 @@ SSH-2, SFTP, X.509, an arbitrary-precision integer arithmetic library, Ed25519 /
 * PHP4 compatible
 * Composer compatible (PSR-0 autoloading)
 * Install using Composer: `composer require phpseclib/phpseclib:~1.0`
-* [Download 1.0.22 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.22.zip/download)
+* [Download 1.0.23 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.23.zip/download)
 
 ## Security contact information
 
@@ -79,22 +79,15 @@ Special Thanks to our $50+ sponsors!:
 2. Ensure you have Composer installed (see [Composer Download Instructions](https://getcomposer.org/download/))
 
 3. Install Development Dependencies
-
-    ``` sh
+    ```sh
     composer install
     ```
 
 4. Create a Feature Branch
 
-5. (Recommended) Run the Test Suite
-
-    ``` sh
-    vendor/bin/phpunit
-    ```
-6. (Recommended) Check whether your code conforms to our Coding Standards by running
-
-    ``` sh
-    vendor/bin/phing -f build/build.xml sniff
-    ```
-
-7. Send us a Pull Request
+5. Run continuous integration checks:
+   ```sh
+   composer run-script all-quality-tools
+   ```
+   
+6. Send us a Pull Request

appveyor.yml

@@ -1,27 +0,0 @@
-build: false
-shallow_clone: false
-platform:
-  - x86
-  - x64
-clone_folder: C:\projects\phpseclib
-
-install:
-  - cinst -y OpenSSL.Light
-  - SET PATH=C:\Program Files\OpenSSL;%PATH%
-  - sc config wuauserv start= auto
-  - net start wuauserv
-  - cinst -y php --version 5.6.30
-  - cd c:\tools\php56
-  - copy php.ini-production php.ini
-  - echo date.timezone="UTC" >> php.ini
-  - echo extension_dir=ext >> php.ini
-  - echo extension=php_openssl.dll >> php.ini
-  - echo extension=php_gmp.dll >> php.ini
-  - cd C:\projects\phpseclib
-  - SET PATH=C:\tools\php56;%PATH%
-  - php.exe -r "readfile('http://getcomposer.org/installer');" | php.exe
-  - php.exe composer.phar install --prefer-source --no-interaction
-
-test_script:
-  - cd C:\projects\phpseclib
-  - vendor\bin\phpunit.bat tests/Windows32Test.php

build/build.xml

@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project name="phpseclib"
-         description="PHP Secure Communications Library"
-         default="all"
->
-
-  <target name="all" depends="sniff" />
-
-  <!-- Code Sniffer -->
-  <target name="sniff" depends="sniff-php-code,sniff-php-tests" />
-  <target name="sniff-php-code">
-    <exec command="vendor/bin/phpcs -s
-        --extensions=php
-        --standard=build/code-sniffer-ruleset.xml
-        phpseclib/"
-      dir=".." checkreturn="true" passthru="true" />
-  </target>
-  <target name="sniff-php-tests">
-    <exec command="vendor/bin/phpcs -s
-        --extensions=php
-        --standard=build/code-sniffer-ruleset-tests.xml
-        tests/"
-      dir=".." checkreturn="true" passthru="true" />
-  </target>
-</project>

build/code-sniffer-ruleset-tests.xml

@@ -1,17 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="phpseclib Test Standard">
-
- <description>phpseclib coding standard for tests</description>
-
- <!-- In general rules that apply to library code also apply to tests. -->
- <rule ref="./code-sniffer-ruleset.xml">
-  <!-- Exceptions to the library coding standard follow. -->
-
-  <!-- Test classes do not have to be namespaced but may use pseudo-namespacing
-       using underscore. -->
-  <exclude name="PSR1.Classes.ClassDeclaration.MissingNamespace" />
-  <exclude name="Squiz.Classes.ValidClassName.NotCamelCaps" />
-  <exclude name="PSR1.Files.SideEffects.FoundWithSymbols" />
- </rule>
-
-</ruleset>

build/code-sniffer-ruleset.xml

@@ -1,35 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="phpseclib Standard">
-
- <description>phpseclib coding standard</description>
-
- <!-- We are using the PSR2 standard as a base -->
- <rule ref="PSR2">
-  <!-- Exceptions due to legacy code with PHP4 compatibility -->
-  <exclude name="PSR2.Classes.PropertyDeclaration.ScopeMissing" />
-  <exclude name="PSR2.Classes.PropertyDeclaration.VarUsed" />
-  <exclude name="Squiz.Scope.MethodScope.Missing" />
-
-  <!-- Exceptions for backward compatibility -->
-  <exclude name="PSR1.Methods.CamelCapsMethodName.NotCamelCaps" />
-  <exclude name="PSR2.Methods.MethodDeclaration.Underscore" />
-
-  <!-- Exceptions for whitespacing -->
-  <exclude name="Generic.Functions.FunctionCallArgumentSpacing.TooMuchSpaceAfterComma" />
-  <exclude name="PSR2.ControlStructures.SwitchDeclaration.SpaceBeforeColonCASE" />
-  <exclude name="PSR2.ControlStructures.SwitchDeclaration.SpaceBeforeColonDEFAULT" />
-
-  <!-- Other Exceptions -->
-  <exclude name="Generic.Files.LineLength.TooLong" />
-  <exclude name="PSR2.ControlStructures.SwitchDeclaration.TerminatingComment" />
- </rule>
-
- <!-- Useful additional rules follow -->
-
- <!-- "for (; bar; )" should be "while (bar)" instead -->
- <rule ref="Generic.CodeAnalysis.ForLoopShouldBeWhileLoop" />
-
- <!-- A method MUST not only call its parent -->
- <rule ref="Generic.CodeAnalysis.UselessOverridingMethod" />
-
-</ruleset>

build/php-cs-fixer.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+return (new PhpCsFixer\Config())
+    ->setFinder(PhpCsFixer\Finder::create()->in(__DIR__ . '/..'))
+    ->setCacheFile(__DIR__ . '/php-cs-fixer.cache')
+    ->setRiskyAllowed(true)
+    // https://github.com/FriendsOfPHP/PHP-CS-Fixer/blob/master/doc/rules/index.rst
+    ->setRules(
+        [
+            // Array
+            'array_syntax' => ['syntax' => 'short'],
+            // Function Notation
+            'native_function_invocation' => ['exclude' => [], 'include' => [], 'scope' => 'all', 'strict' => true],
+            // Import
+            'fully_qualified_strict_types' => true,
+            'global_namespace_import' => ['import_constants' => false, 'import_functions' => false, 'import_classes' => false],
+            'no_leading_import_slash' => true,
+            'no_unused_imports' => true,
+            'ordered_imports' => ['sort_algorithm' => 'alpha', 'imports_order' => ['class', 'const', 'function']],
+            'single_import_per_statement' => true,
+            'single_line_after_imports' => true,
+            // PHPDoc
+            'no_superfluous_phpdoc_tags' => true,
+            'phpdoc_trim_consecutive_blank_line_separation' => true,
+            'phpdoc_trim' => true,
+
+            '@PHP81Migration' => true,
+            '@PHP80Migration:risky' => true,
+        ]
+    );

build/php_codesniffer.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<ruleset name="phpseclib">
+    <file>../build/php-cs-fixer.php</file>
+    <file>../phpseclib/</file>
+    <file>../tests/</file>
+
+    <arg name="extensions" value="php"/>
+    <arg name="basepath" value=".."/>
+    <arg name="report" value="diff"/>
+    <arg value="s"/>
+    <arg value="n"/>
+    <arg value="p"/>
+
+    <rule ref="PSR12">
+        <exclude name="Squiz.Classes.ValidClassName.NotCamelCaps"/>
+        <exclude name="PSR1.Methods.CamelCapsMethodName.NotCamelCaps"/>
+        <exclude name="PSR2.Methods.MethodDeclaration.Underscore"/>
+        <exclude name="PSR12.Files.FileHeader.IncorrectOrder"/>
+    </rule>
+</ruleset>

build/psalm.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+<psalm
+    xmlns="https://getpsalm.org/schema/config"
+    errorLevel="1"
+    errorBaseline="psalm_baseline.xml"
+    findUnusedCode="true"
+    findUnusedPsalmSuppress="true"
+    sealAllMethods="true"
+    ensureArrayStringOffsetsExist="true"
+    ensureArrayIntOffsetsExist="true"
+    ignoreInternalFunctionNullReturn="false"
+    ignoreInternalFunctionFalseReturn="false"
+>
+    <projectFiles>
+        <directory name="../phpseclib"/>
+        <directory name="../tests"/>
+    </projectFiles>
+    <issueHandlers>
+        <Trace>
+            <errorLevel type="error">
+                <directory name=".."/>
+            </errorLevel>
+        </Trace>
+    </issueHandlers>
+</psalm>

composer.json

@@ -20,8 +20,8 @@
         "asn1",
         "asn.1",
         "BigInteger"
-        ],
-    "homepage": "http://phpseclib.sourceforge.net",
+    ],
+    "homepage": "https://phpseclib.com/",
     "license": "MIT",
     "authors": [
         {
@@ -48,29 +48,63 @@
             "name": "Graham Campbell",
             "email": "graham@alt-three.com",
             "role": "Developer"
+        },
+        {
+            "name": "Jack Worman",
+            "email": "jack.worman@gmail.com",
+            "role": "Developer",
+            "homepage": "https://jackworman.com"
         }
     ],
     "require": {
-        "php": ">=5.3.3"
+        "php": ">=8.1",
+        "paragonie/constant_time_encoding": "^2|^3"
     },
     "require-dev": {
-        "phing/phing": "~2.7",
-        "phpunit/phpunit": "^4.8.35|^5.7|^6.0|^9.4",
-        "squizlabs/php_codesniffer": "~2.0"
+        "ext-xml": "*",
+        "brianium/paratest": "^6.6",
+        "friendsofphp/php-cs-fixer": "^3.12",
+        "php-parallel-lint/php-parallel-lint": "^1.3",
+        "squizlabs/php_codesniffer": "^3.7",
+        "vimeo/psalm": "^4.29"
     },
     "suggest": {
         "ext-libsodium": "SSH2/SFTP can make use of some algorithms provided by the libsodium-php extension.",
         "ext-openssl": "Install the OpenSSL extension in order to speed up a wide variety of cryptographic operations.",
-        "ext-mcrypt": "Install the Mcrypt extension in order to speed up a few other cryptographic operations.",
         "ext-gmp": "Install the GMP (GNU Multiple Precision) extension in order to speed up arbitrary precision integer arithmetic operations.",
-        "ext-xml": "Install the XML extension to load XML formatted public keys."
+        "ext-dom": "Install the DOM extension to load XML formatted public keys."
     },
     "autoload": {
         "files": [
             "phpseclib/bootstrap.php"
         ],
         "psr-4": {
-            "phpseclib\\": "phpseclib/"
+            "phpseclib3\\": "phpseclib/"
         }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "phpseclib3\\Tests\\": "tests/"
+        }
+    },
+    "config": {
+        "sort-packages": true
+    },
+    "scripts": {
+        "lint": "vendor/bin/parallel-lint --show-deprecated build phpseclib tests",
+        "php_codesniffer": "vendor/bin/phpcs --standard=build/php_codesniffer.xml",
+        "php_codesniffer-fix": "vendor/bin/phpcbf --standard=build/php_codesniffer.xml",
+        "php-cs-fixer": "vendor/bin/php-cs-fixer fix --config=build/php-cs-fixer.php --diff --using-cache=no --dry-run",
+        "php-cs-fixer-fix": "vendor/bin/php-cs-fixer fix --config=build/php-cs-fixer.php --diff --using-cache=no",
+        "psalm": "vendor/bin/psalm --config=build/psalm.xml --no-cache --long-progress --threads=4",
+        "psalm-set-baseline": "vendor/bin/psalm --config=build/psalm.xml --no-cache --long-progress --set-baseline=psalm_baseline.xml --threads=4",
+        "test": "vendor/bin/paratest --verbose --configuration=tests/phpunit.xml --runner=WrapperRunner",
+        "all-quality-tools": [
+            "@lint",
+            "@phpcs",
+            "@php-cs-fixer",
+            "@psalm",
+            "@test"
+        ]
     }
 }

phpseclib/Common/ConstantUtilityTrait.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpseclib3\Common;
+
+use phpseclib3\Exception\InvalidArgumentException;
+
+/**
+ * @internal
+ */
+trait ConstantUtilityTrait
+{
+    /** @var string[]|null */
+    private static $valueToConstantNameMap = null;
+
+    /**
+     * @param string|int $value
+     */
+    public static function findConstantNameByValue($value): ?string
+    {
+        if (!self::$valueToConstantNameMap) {
+            $reflectionClass = new \ReflectionClass(static::class);
+            $constantNameToValueMap = $reflectionClass->getConstants();
+            self::$valueToConstantNameMap = array_flip($constantNameToValueMap);
+        }
+        if (isset(self::$valueToConstantNameMap[$value])) {
+            return self::$valueToConstantNameMap[$value];
+        }
+        return null;
+    }
+
+    /**
+     * @param string|int $value
+     */
+    public static function getConstantNameByValue($value): string
+    {
+        $constantName = static::findConstantNameByValue($value);
+        if ($constantName === null) {
+            throw new InvalidArgumentException(sprintf('"%s" does not have constant with value "%s".', static::class, $value));
+        }
+        return $constantName;
+    }
+}

phpseclib/Common/Functions/Strings.php

@@ -0,0 +1,461 @@
+<?php
+
+/**
+ * Common String Functions
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Common\Functions;
+
+use ParagonIE\ConstantTime\Base64;
+use ParagonIE\ConstantTime\Base64UrlSafe;
+use ParagonIE\ConstantTime\Hex;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Exception\LengthException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\Common\FiniteField;
+
+/**
+ * Common String Functions
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class Strings
+{
+    /**
+     * String Shift
+     *
+     * Inspired by array_shift
+     */
+    public static function shift(string &$string, int $index = 1): string
+    {
+        $substr = substr($string, 0, $index);
+        $string = substr($string, $index);
+        return $substr;
+    }
+
+    /**
+     * String Pop
+     *
+     * Inspired by array_pop
+     */
+    public static function pop(string &$string, int $index = 1): string
+    {
+        $substr = substr($string, -$index);
+        $string = substr($string, 0, -$index);
+        return $substr;
+    }
+
+    /**
+     * Parse SSH2-style string
+     *
+     * Returns either an array or a boolean if $data is malformed.
+     *
+     * Valid characters for $format are as follows:
+     *
+     * C = byte
+     * b = boolean (true/false)
+     * N = uint32
+     * Q = uint64
+     * s = string
+     * i = mpint
+     * L = name-list
+     *
+     * uint64 is not supported.
+     */
+    public static function unpackSSH2(string $format, string &$data): array
+    {
+        $format = self::formatPack($format);
+        $result = [];
+        for ($i = 0; $i < strlen($format); $i++) {
+            switch ($format[$i]) {
+                case 'C':
+                case 'b':
+                    if (!strlen($data)) {
+                        throw new LengthException('At least one byte needs to be present for successful C / b decodes');
+                    }
+                    break;
+                case 'N':
+                case 'i':
+                case 's':
+                case 'L':
+                    if (strlen($data) < 4) {
+                        throw new LengthException('At least four byte needs to be present for successful N / i / s / L decodes');
+                    }
+                    break;
+                case 'Q':
+                    if (strlen($data) < 8) {
+                        throw new LengthException('At least eight byte needs to be present for successful N / i / s / L decodes');
+                    }
+                    break;
+
+                default:
+                    throw new InvalidArgumentException('$format contains an invalid character');
+            }
+            switch ($format[$i]) {
+                case 'C':
+                    $result[] = ord(self::shift($data));
+                    continue 2;
+                case 'b':
+                    $result[] = ord(self::shift($data)) != 0;
+                    continue 2;
+                case 'N':
+                    [, $temp] = unpack('N', self::shift($data, 4));
+                    $result[] = $temp;
+                    continue 2;
+                case 'Q':
+                    // pack() added support for Q in PHP 5.6.3 and PHP 5.6 is phpseclib 3's minimum version
+                    // so in theory we could support this BUT, "64-bit format codes are not available for
+                    // 32-bit versions" and phpseclib works on 32-bit installs. on 32-bit installs
+                    // 64-bit floats can be used to get larger numbers then 32-bit signed ints would allow
+                    // for. sure, you're not gonna get the full precision of 64-bit numbers but just because
+                    // you need > 32-bit precision doesn't mean you need the full 64-bit precision
+                    extract(unpack('Nupper/Nlower', self::shift($data, 8)));
+                    $temp = $upper ? 4294967296 * $upper : 0;
+                    $temp += $lower < 0 ? ($lower & 0x7FFFFFFFF) + 0x80000000 : $lower;
+                    // $temp = hexdec(bin2hex(self::shift($data, 8)));
+                    $result[] = $temp;
+                    continue 2;
+            }
+            [, $length] = unpack('N', self::shift($data, 4));
+            if (strlen($data) < $length) {
+                throw new LengthException("$length bytes needed; " . strlen($data) . ' bytes available');
+            }
+            $temp = self::shift($data, $length);
+            switch ($format[$i]) {
+                case 'i':
+                    $result[] = new BigInteger($temp, -256);
+                    break;
+                case 's':
+                    $result[] = $temp;
+                    break;
+                case 'L':
+                    $result[] = explode(',', $temp);
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Create SSH2-style string
+     *
+     * @param string|int|float|array|bool ...$elements
+     */
+    public static function packSSH2(string $format, ...$elements): string
+    {
+        $format = self::formatPack($format);
+        if (strlen($format) != count($elements)) {
+            throw new InvalidArgumentException('There must be as many arguments as there are characters in the $format string');
+        }
+        $result = '';
+        for ($i = 0; $i < strlen($format); $i++) {
+            $element = $elements[$i];
+            switch ($format[$i]) {
+                case 'C':
+                    if (!is_int($element)) {
+                        throw new InvalidArgumentException('Bytes must be represented as an integer between 0 and 255, inclusive.');
+                    }
+                    $result .= pack('C', $element);
+                    break;
+                case 'b':
+                    if (!is_bool($element)) {
+                        throw new InvalidArgumentException('A boolean parameter was expected.');
+                    }
+                    $result .= $element ? "\1" : "\0";
+                    break;
+                case 'Q':
+                    if (!is_int($element) && !is_float($element)) {
+                        throw new InvalidArgumentException('An integer was expected.');
+                    }
+                    // 4294967296 == 1 << 32
+                    $result .= pack('NN', $element / 4294967296, $element);
+                    break;
+                case 'N':
+                    if (is_float($element)) {
+                        $element = (int) $element;
+                    }
+                    if (!is_int($element)) {
+                        throw new InvalidArgumentException('An integer was expected.');
+                    }
+                    $result .= pack('N', $element);
+                    break;
+                case 's':
+                    if (!self::is_stringable($element)) {
+                        throw new InvalidArgumentException('A string was expected.');
+                    }
+                    $result .= pack('Na*', strlen($element), $element);
+                    break;
+                case 'i':
+                    if (!$element instanceof BigInteger && !$element instanceof FiniteField\Integer) {
+                        throw new InvalidArgumentException('A phpseclib3\Math\BigInteger or phpseclib3\Math\Common\FiniteField\Integer object was expected.');
+                    }
+                    $element = $element->toBytes(true);
+                    $result .= pack('Na*', strlen($element), $element);
+                    break;
+                case 'L':
+                    if (!is_array($element)) {
+                        throw new InvalidArgumentException('An array was expected.');
+                    }
+                    $element = implode(',', $element);
+                    $result .= pack('Na*', strlen($element), $element);
+                    break;
+                default:
+                    throw new InvalidArgumentException('$format contains an invalid character');
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * Expand a pack string
+     *
+     * Converts C5 to CCCCC, for example.
+     */
+    private static function formatPack(string $format): string
+    {
+        $parts = preg_split('#(\d+)#', $format, -1, PREG_SPLIT_DELIM_CAPTURE);
+        $format = '';
+        for ($i = 1; $i < count($parts); $i += 2) {
+            $format .= substr($parts[$i - 1], 0, -1) . str_repeat($parts[$i - 1][-1], (int) $parts[$i]);
+        }
+        $format .= $parts[$i - 1];
+
+        return $format;
+    }
+
+    /**
+     * Convert binary data into bits
+     *
+     * bin2hex / hex2bin refer to base-256 encoded data as binary, whilst
+     * decbin / bindec refer to base-2 encoded data as binary. For the purposes
+     * of this function, bin refers to base-256 encoded data whilst bits refers
+     * to base-2 encoded data
+     */
+    public static function bits2bin(string $x): string
+    {
+        /*
+        // the pure-PHP approach is faster than the GMP approach
+        if (function_exists('gmp_export')) {
+             return strlen($x) ? gmp_export(gmp_init($x, 2)) : gmp_init(0);
+        }
+        */
+
+        if (preg_match('#[^01]#', $x)) {
+            throw new RuntimeException('The only valid characters are 0 and 1');
+        }
+
+        if (!defined('PHP_INT_MIN')) {
+            define('PHP_INT_MIN', ~PHP_INT_MAX);
+        }
+
+        $length = strlen($x);
+        if (!$length) {
+            return '';
+        }
+        $block_size = PHP_INT_SIZE << 3;
+        $pad = $block_size - ($length % $block_size);
+        if ($pad != $block_size) {
+            $x = str_repeat('0', $pad) . $x;
+        }
+
+        $parts = str_split($x, $block_size);
+        $str = '';
+        foreach ($parts as $part) {
+            $xor = $part[0] == '1' ? PHP_INT_MIN : 0;
+            $part[0] = '0';
+            $str .= pack(
+                PHP_INT_SIZE == 4 ? 'N' : 'J',
+                $xor ^ eval('return 0b' . $part . ';')
+            );
+        }
+        return ltrim($str, "\0");
+    }
+
+    /**
+     * Convert bits to binary data
+     */
+    public static function bin2bits(string $x, bool $trim = true): string
+    {
+        /*
+        // the pure-PHP approach is slower than the GMP approach BUT
+        // i want to the pure-PHP version to be easily unit tested as well
+        if (function_exists('gmp_import')) {
+            return gmp_strval(gmp_import($x), 2);
+        }
+        */
+
+        $len = strlen($x);
+        $mod = $len % PHP_INT_SIZE;
+        if ($mod) {
+            $x = str_pad($x, $len + PHP_INT_SIZE - $mod, "\0", STR_PAD_LEFT);
+        }
+
+        $bits = '';
+        if (PHP_INT_SIZE == 4) {
+            $digits = unpack('N*', $x);
+            foreach ($digits as $digit) {
+                $bits .= sprintf('%032b', $digit);
+            }
+        } else {
+            $digits = unpack('J*', $x);
+            foreach ($digits as $digit) {
+                $bits .= sprintf('%064b', $digit);
+            }
+        }
+
+        return $trim ? ltrim($bits, '0') : $bits;
+    }
+
+    /**
+     * Switch Endianness Bit Order
+     */
+    public static function switchEndianness(string $x): string
+    {
+        $r = '';
+        for ($i = strlen($x) - 1; $i >= 0; $i--) {
+            $b = ord($x[$i]);
+            if (PHP_INT_SIZE === 8) {
+                // 3 operations
+                // from http://graphics.stanford.edu/~seander/bithacks.html#ReverseByteWith64BitsDiv
+                $r .= chr((($b * 0x0202020202) & 0x010884422010) % 1023);
+            } else {
+                // 7 operations
+                // from http://graphics.stanford.edu/~seander/bithacks.html#ReverseByteWith32Bits
+                $p1 = ($b * 0x0802) & 0x22110;
+                $p2 = ($b * 0x8020) & 0x88440;
+                $r .= chr(
+                    (($p1 | $p2) * 0x10101) >> 16
+                );
+            }
+        }
+        return $r;
+    }
+
+    /**
+     * Increment the current string
+     */
+    public static function increment_str(string &$var): string
+    {
+        if (function_exists('sodium_increment')) {
+            $var = strrev($var);
+            sodium_increment($var);
+            $var = strrev($var);
+            return $var;
+        }
+
+        for ($i = 4; $i <= strlen($var); $i += 4) {
+            $temp = substr($var, -$i, 4);
+            switch ($temp) {
+                case "\xFF\xFF\xFF\xFF":
+                    $var = substr_replace($var, "\x00\x00\x00\x00", -$i, 4);
+                    break;
+                case "\x7F\xFF\xFF\xFF":
+                    $var = substr_replace($var, "\x80\x00\x00\x00", -$i, 4);
+                    return $var;
+                default:
+                    $temp = unpack('Nnum', $temp);
+                    $var = substr_replace($var, pack('N', $temp['num'] + 1), -$i, 4);
+                    return $var;
+            }
+        }
+
+        $remainder = strlen($var) % 4;
+
+        if ($remainder == 0) {
+            return $var;
+        }
+
+        $temp = unpack('Nnum', str_pad(substr($var, 0, $remainder), 4, "\0", STR_PAD_LEFT));
+        $temp = substr(pack('N', $temp['num'] + 1), -$remainder);
+        $var = substr_replace($var, $temp, 0, $remainder);
+
+        return $var;
+    }
+
+    /**
+     * Find whether the type of a variable is string (or could be converted to one)
+     *
+     * @psalm-assert-if-true string|\Stringable $var
+     */
+    public static function is_stringable($var): bool
+    {
+        return is_string($var) || (is_object($var) && method_exists($var, '__toString'));
+    }
+
+    /**
+     * Constant Time Base64-decoding
+     *
+     * ParagoneIE\ConstantTime doesn't use libsodium if it's available so we'll do so
+     * ourselves. see https://github.com/paragonie/constant_time_encoding/issues/39
+     */
+    public static function base64_decode(string $data): string
+    {
+        return function_exists('sodium_base642bin') ?
+            sodium_base642bin($data, SODIUM_BASE64_VARIANT_ORIGINAL_NO_PADDING, '=') :
+            Base64::decode($data);
+    }
+
+    /**
+     * Constant Time Base64-decoding (URL safe)
+     */
+    public static function base64url_decode(string $data): string
+    {
+        // return self::base64_decode(str_replace(['-', '_'], ['+', '/'], $data));
+
+        return function_exists('sodium_base642bin') ?
+            sodium_base642bin($data, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING, '=') :
+            Base64UrlSafe::decode($data);
+    }
+
+    /**
+     * Constant Time Base64-encoding
+     */
+    public static function base64_encode(string $data): string
+    {
+        return function_exists('sodium_bin2base64') ?
+            sodium_bin2base64($data, SODIUM_BASE64_VARIANT_ORIGINAL) :
+            Base64::encode($data);
+    }
+
+    /**
+     * Constant Time Base64-encoding (URL safe)
+     */
+    public static function base64url_encode(string $data): string
+    {
+        // return str_replace(['+', '/'], ['-', '_'], self::base64_encode($data));
+
+        return function_exists('sodium_bin2base64') ?
+            sodium_bin2base64($data, SODIUM_BASE64_VARIANT_URLSAFE) :
+            Base64UrlSafe::encode($data);
+    }
+
+    /**
+     * Constant Time Hex Decoder
+     */
+    public static function hex2bin(string $data): string
+    {
+        return function_exists('sodium_hex2bin') ?
+            sodium_hex2bin($data) :
+            Hex::decode($data);
+    }
+
+    /**
+     * Constant Time Hex Encoder
+     */
+    public static function bin2hex(string $data): string
+    {
+        return function_exists('sodium_bin2hex') ?
+            sodium_bin2hex($data) :
+            Hex::encode($data);
+    }
+}

phpseclib/Crypt/AES.php

@@ -3,7 +3,7 @@
 /**
  * Pure-PHP implementation of AES.
  *
- * Uses mcrypt, if available/possible, and an internal implementation, otherwise.
+ * Uses OpenSSL, if available/possible, and an internal implementation, otherwise
  *
  * PHP version 5
  *
@@ -16,7 +16,7 @@
  * it'll be null-padded to 192-bits and 192 bits will be the key length until {@link self::setKey() setKey()}
  * is called, again, at which point, it'll be recalculated.
  *
- * Since \phpseclib\Crypt\AES extends \phpseclib\Crypt\Rijndael, some functions are available to be called that, in the context of AES, don't
+ * Since \phpseclib3\Crypt\AES extends \phpseclib3\Crypt\Rijndael, some functions are available to be called that, in the context of AES, don't
  * make a whole lot of sense.  {@link self::setBlockLength() setBlockLength()}, for instance.  Calling that function,
  * however possible, won't do anything (AES has a fixed block length whereas Rijndael has a variable one).
  *
@@ -25,7 +25,7 @@
  * <?php
  *    include 'vendor/autoload.php';
  *
- *    $aes = new \phpseclib\Crypt\AES();
+ *    $aes = new \phpseclib3\Crypt\AES('ctr');
  *
  *    $aes->setKey('abcdefghijklmnop');
  *
@@ -39,58 +39,80 @@
  * ?>
  * </code>
  *
- * @category  Crypt
- * @package   AES
  * @author    Jim Wigginton <terrafrost@php.net>
  * @copyright 2008 Jim Wigginton
  * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
  * @link      http://phpseclib.sourceforge.net
  */
 
-namespace phpseclib\Crypt;
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt;
+
+use phpseclib3\Exception\BadMethodCallException;
+use phpseclib3\Exception\LengthException;
 
 /**
  * Pure-PHP implementation of AES.
  *
- * @package AES
  * @author  Jim Wigginton <terrafrost@php.net>
- * @access  public
  */
 class AES extends Rijndael
 {
     /**
      * Dummy function
      *
-     * Since \phpseclib\Crypt\AES extends \phpseclib\Crypt\Rijndael, this function is, technically, available, but it doesn't do anything.
+     * Since \phpseclib3\Crypt\AES extends \phpseclib3\Crypt\Rijndael, this function is, technically, available, but it doesn't do anything.
      *
-     * @see \phpseclib\Crypt\Rijndael::setBlockLength()
-     * @access public
-     * @param int $length
+     * @throws BadMethodCallException anytime it's called
+     * @see \phpseclib3\Crypt\Rijndael::setBlockLength()
      */
-    function setBlockLength($length)
+    public function setBlockLength(int $length): void
     {
-        return;
+        throw new BadMethodCallException('The block length cannot be set for AES.');
     }
 
     /**
      * Sets the key length
      *
-     * Valid key lengths are 128, 192, and 256.  If the length is less than 128, it will be rounded up to
-     * 128.  If the length is greater than 128 and invalid, it will be rounded down to the closest valid amount.
+     * Valid key lengths are 128, 192, and 256.  Set the link to bool(false) to disable a fixed key length
      *
-     * @see \phpseclib\Crypt\Rijndael:setKeyLength()
-     * @access public
-     * @param int $length
+     * @throws LengthException if the key length isn't supported
+     * @see \phpseclib3\Crypt\Rijndael:setKeyLength()
      */
-    function setKeyLength($length)
+    public function setKeyLength(int $length): void
     {
-        parent::setKeyLength($length);
-        switch ($this->key_length) {
-            case 20:
-                $this->key_length = 24;
+        switch ($length) {
+            case 128:
+            case 192:
+            case 256:
                 break;
-            case 28:
-                $this->key_length = 32;
+            default:
+                throw new LengthException('Key of size ' . $length . ' not supported by this algorithm. Only keys of sizes 128, 192 or 256 supported');
         }
+        parent::setKeyLength($length);
+    }
+
+    /**
+     * Sets the key.
+     *
+     * Rijndael supports five different key lengths, AES only supports three.
+     *
+     * @throws LengthException if the key length isn't supported
+     * @see \phpseclib3\Crypt\Rijndael:setKey()
+     * @see setKeyLength()
+     */
+    public function setKey(string $key): void
+    {
+        switch (strlen($key)) {
+            case 16:
+            case 24:
+            case 32:
+                break;
+            default:
+                throw new LengthException('Key of size ' . strlen($key) . ' not supported by this algorithm. Only keys of sizes 16, 24 or 32 supported');
+        }
+
+        parent::setKey($key);
     }
 }

phpseclib/Crypt/ChaCha20.php

@@ -0,0 +1,788 @@
+<?php
+
+/**
+ * Pure-PHP implementation of ChaCha20.
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2019 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt;
+
+use phpseclib3\Exception\BadDecryptionException;
+use phpseclib3\Exception\InsufficientSetupException;
+use phpseclib3\Exception\LengthException;
+use phpseclib3\Exception\UnexpectedValueException;
+
+/**
+ * Pure-PHP implementation of ChaCha20.
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class ChaCha20 extends Salsa20
+{
+    /**
+     * The OpenSSL specific name of the cipher
+     *
+     * @var string
+     */
+    protected $cipher_name_openssl = 'chacha20';
+
+    /**
+     * Test for engine validity
+     *
+     * This is mainly just a wrapper to set things up for \phpseclib3\Crypt\Common\SymmetricKey::isValidEngine()
+     *
+     * @see \phpseclib3\Crypt\Common\SymmetricKey::__construct()
+     */
+    protected function isValidEngineHelper(int $engine): bool
+    {
+        switch ($engine) {
+            case self::ENGINE_LIBSODIUM:
+                // PHP 7.2.0 (30 Nov 2017) added support for libsodium
+
+                // we could probably make it so that if $this->counter == 0 then the first block would be done with either OpenSSL
+                // or PHP and then subsequent blocks would then be done with libsodium but idk - it's not a high priority atm
+
+                // we could also make it so that if $this->counter == 0 and $this->continuousBuffer then do the first string
+                // with libsodium and subsequent strings with openssl or pure-PHP but again not a high priority
+                return function_exists('sodium_crypto_aead_chacha20poly1305_ietf_encrypt') &&
+                       $this->key_length == 32 &&
+                       (($this->usePoly1305 && !isset($this->poly1305Key) && $this->counter == 0) || $this->counter == 1) &&
+                       !$this->continuousBuffer;
+            case self::ENGINE_OPENSSL:
+                // OpenSSL 1.1.0 (released 25 Aug 2016) added support for chacha20.
+                // PHP didn't support OpenSSL 1.1.0 until 7.0.19 (11 May 2017)
+
+                // if you attempt to provide openssl with a 128 bit key (as opposed to a 256 bit key) openssl will null
+                // pad the key to 256 bits and still use the expansion constant for 256-bit keys. the fact that
+                // openssl treats the IV as both the counter and nonce, however, let's us use openssl in continuous mode
+                // whereas libsodium does not
+                if ($this->key_length != 32) {
+                    return false;
+                }
+        }
+
+        return parent::isValidEngineHelper($engine);
+    }
+
+    /**
+     * Encrypts a message.
+     *
+     * @return string $ciphertext
+     * @see \phpseclib3\Crypt\Common\SymmetricKey::decrypt()
+     * @see self::crypt()
+     */
+    public function encrypt(string $plaintext): string
+    {
+        $this->setup();
+
+        if ($this->engine == self::ENGINE_LIBSODIUM) {
+            return $this->encrypt_with_libsodium($plaintext);
+        }
+
+        return parent::encrypt($plaintext);
+    }
+
+    /**
+     * Decrypts a message.
+     *
+     * $this->decrypt($this->encrypt($plaintext)) == $this->encrypt($this->encrypt($plaintext)).
+     * At least if the continuous buffer is disabled.
+     *
+     * @return string $plaintext
+     * @see \phpseclib3\Crypt\Common\SymmetricKey::encrypt()
+     * @see self::crypt()
+     */
+    public function decrypt(string $ciphertext): string
+    {
+        $this->setup();
+
+        if ($this->engine == self::ENGINE_LIBSODIUM) {
+            return $this->decrypt_with_libsodium($ciphertext);
+        }
+
+        return parent::decrypt($ciphertext);
+    }
+
+    /**
+     * Encrypts a message with libsodium
+     *
+     * @return string $text
+     * @see self::encrypt()
+     */
+    private function encrypt_with_libsodium(string $plaintext): string
+    {
+        $params = [$plaintext, $this->aad, $this->nonce, $this->key];
+        $ciphertext = strlen($this->nonce) == 8 ?
+            sodium_crypto_aead_chacha20poly1305_encrypt(...$params) :
+            sodium_crypto_aead_chacha20poly1305_ietf_encrypt(...$params);
+        if (!$this->usePoly1305) {
+            return substr($ciphertext, 0, strlen($plaintext));
+        }
+
+        $newciphertext = substr($ciphertext, 0, strlen($plaintext));
+
+        $this->newtag = $this->usingGeneratedPoly1305Key && strlen($this->nonce) == 12 ?
+            substr($ciphertext, strlen($plaintext)) :
+            $this->poly1305($newciphertext);
+
+        return $newciphertext;
+    }
+
+    /**
+     * Decrypts a message with libsodium
+     *
+     * @return string $text
+     * @see self::decrypt()
+     */
+    private function decrypt_with_libsodium(string $ciphertext): string
+    {
+        $params = [$ciphertext, $this->aad, $this->nonce, $this->key];
+
+        if (isset($this->poly1305Key)) {
+            if ($this->oldtag === false) {
+                throw new InsufficientSetupException('Authentication Tag has not been set');
+            }
+            if ($this->usingGeneratedPoly1305Key && strlen($this->nonce) == 12) {
+                $plaintext = sodium_crypto_aead_chacha20poly1305_ietf_decrypt(...$params);
+                $this->oldtag = false;
+                if ($plaintext === false) {
+                    throw new BadDecryptionException('Derived authentication tag and supplied authentication tag do not match');
+                }
+                return $plaintext;
+            }
+            $newtag = $this->poly1305($ciphertext);
+            if ($this->oldtag != substr($newtag, 0, strlen($this->oldtag))) {
+                $this->oldtag = false;
+                throw new BadDecryptionException('Derived authentication tag and supplied authentication tag do not match');
+            }
+            $this->oldtag = false;
+        }
+
+        $plaintext = strlen($this->nonce) == 8 ?
+            sodium_crypto_aead_chacha20poly1305_encrypt(...$params) :
+            sodium_crypto_aead_chacha20poly1305_ietf_encrypt(...$params);
+
+        return substr($plaintext, 0, strlen($ciphertext));
+    }
+
+    /**
+     * Sets the nonce.
+     */
+    public function setNonce(string $nonce): void
+    {
+        if (!is_string($nonce)) {
+            throw new UnexpectedValueException('The nonce should be a string');
+        }
+
+        /*
+          from https://tools.ietf.org/html/rfc7539#page-7
+
+          "Note also that the original ChaCha had a 64-bit nonce and 64-bit
+           block count.  We have modified this here to be more consistent with
+           recommendations in Section 3.2 of [RFC5116]."
+         */
+        switch (strlen($nonce)) {
+            case 8:  // 64 bits
+            case 12: // 96 bits
+                break;
+            default:
+                throw new LengthException('Nonce of size ' . strlen($nonce) . ' not supported by this algorithm. Only 64-bit nonces or 96-bit nonces are supported');
+        }
+
+        $this->nonce = $nonce;
+        $this->changed = true;
+        $this->setEngine();
+    }
+
+    /**
+     * Setup the self::ENGINE_INTERNAL $engine
+     *
+     * (re)init, if necessary, the internal cipher $engine
+     *
+     * _setup() will be called each time if $changed === true
+     * typically this happens when using one or more of following public methods:
+     *
+     * - setKey()
+     *
+     * - setNonce()
+     *
+     * - First run of encrypt() / decrypt() with no init-settings
+     *
+     * @see self::setKey()
+     * @see self::setNonce()
+     * @see self::disableContinuousBuffer()
+     */
+    protected function setup(): void
+    {
+        if (!$this->changed) {
+            return;
+        }
+
+        $this->enbuffer = $this->debuffer = ['ciphertext' => '', 'counter' => $this->counter];
+
+        $this->changed = $this->nonIVChanged = false;
+
+        if ($this->nonce === false) {
+            throw new InsufficientSetupException('No nonce has been defined');
+        }
+
+        if ($this->key === false) {
+            throw new InsufficientSetupException('No key has been defined');
+        }
+
+        if ($this->usePoly1305 && !isset($this->poly1305Key)) {
+            $this->usingGeneratedPoly1305Key = true;
+            if ($this->engine == self::ENGINE_LIBSODIUM) {
+                return;
+            }
+            $this->createPoly1305Key();
+        }
+
+        $key = $this->key;
+        if (strlen($key) == 16) {
+            $constant = 'expand 16-byte k';
+            $key .= $key;
+        } else {
+            $constant = 'expand 32-byte k';
+        }
+
+        $this->p1 = $constant . $key;
+        $this->p2 = $this->nonce;
+        if (strlen($this->nonce) == 8) {
+            $this->p2 = "\0\0\0\0" . $this->p2;
+        }
+    }
+
+    /**
+     * The quarterround function
+     */
+    protected static function quarterRound(int &$a, int &$b, int &$c, int &$d): void
+    {
+        // in https://datatracker.ietf.org/doc/html/rfc7539#section-2.1 the addition,
+        // xor'ing and rotation are all on the same line so i'm keeping it on the same
+        // line here as well
+        // @codingStandardsIgnoreStart
+        $a+= $b; $d = self::leftRotate(intval($d) ^ intval($a), 16);
+        $c+= $d; $b = self::leftRotate(intval($b) ^ intval($c), 12);
+        $a+= $b; $d = self::leftRotate(intval($d) ^ intval($a), 8);
+        $c+= $d; $b = self::leftRotate(intval($b) ^ intval($c), 7);
+        // @codingStandardsIgnoreEnd
+    }
+
+    /**
+     * The doubleround function
+     *
+     * @param int $x0 (by reference)
+     * @param int $x1 (by reference)
+     * @param int $x2 (by reference)
+     * @param int $x3 (by reference)
+     * @param int $x4 (by reference)
+     * @param int $x5 (by reference)
+     * @param int $x6 (by reference)
+     * @param int $x7 (by reference)
+     * @param int $x8 (by reference)
+     * @param int $x9 (by reference)
+     * @param int $x10 (by reference)
+     * @param int $x11 (by reference)
+     * @param int $x12 (by reference)
+     * @param int $x13 (by reference)
+     * @param int $x14 (by reference)
+     * @param int $x15 (by reference)
+     */
+    protected static function doubleRound(int &$x0, int &$x1, int &$x2, int &$x3, int &$x4, int &$x5, int &$x6, int &$x7, int &$x8, int &$x9, int &$x10, int &$x11, int &$x12, int &$x13, int &$x14, int &$x15): void
+    {
+        // columnRound
+        static::quarterRound($x0, $x4, $x8, $x12);
+        static::quarterRound($x1, $x5, $x9, $x13);
+        static::quarterRound($x2, $x6, $x10, $x14);
+        static::quarterRound($x3, $x7, $x11, $x15);
+        // rowRound
+        static::quarterRound($x0, $x5, $x10, $x15);
+        static::quarterRound($x1, $x6, $x11, $x12);
+        static::quarterRound($x2, $x7, $x8, $x13);
+        static::quarterRound($x3, $x4, $x9, $x14);
+    }
+
+    /**
+     * The Salsa20 hash function function
+     *
+     * On my laptop this loop unrolled / function dereferenced version of parent::salsa20 encrypts 1mb of text in
+     * 0.65s vs the 0.85s that it takes with the parent method.
+     *
+     * If we were free to assume that the host OS would always be 64-bits then the if condition in leftRotate could
+     * be eliminated and we could knock this done to 0.60s.
+     *
+     * For comparison purposes, RC4 takes 0.16s and AES in CTR mode with the Eval engine takes 0.48s.
+     * AES in CTR mode with the PHP engine takes 1.19s. Salsa20 / ChaCha20 do not benefit as much from the Eval
+     * approach due to the fact that there are a lot less variables to de-reference, fewer loops to unroll, etc
+     */
+    protected static function salsa20(string $x)
+    {
+        [, $x0, $x1, $x2, $x3, $x4, $x5, $x6, $x7, $x8, $x9, $x10, $x11, $x12, $x13, $x14, $x15] = unpack('V*', $x);
+        $z0 = $x0;
+        $z1 = $x1;
+        $z2 = $x2;
+        $z3 = $x3;
+        $z4 = $x4;
+        $z5 = $x5;
+        $z6 = $x6;
+        $z7 = $x7;
+        $z8 = $x8;
+        $z9 = $x9;
+        $z10 = $x10;
+        $z11 = $x11;
+        $z12 = $x12;
+        $z13 = $x13;
+        $z14 = $x14;
+        $z15 = $x15;
+
+        // @codingStandardsIgnoreStart
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+
+        // columnRound
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 16);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 12);
+        $x0+= $x4; $x12 = self::leftRotate(intval($x12) ^ intval($x0), 8);
+        $x8+= $x12; $x4 = self::leftRotate(intval($x4) ^ intval($x8), 7);
+
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 16);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 12);
+        $x1+= $x5; $x13 = self::leftRotate(intval($x13) ^ intval($x1), 8);
+        $x9+= $x13; $x5 = self::leftRotate(intval($x5) ^ intval($x9), 7);
+
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 16);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 12);
+        $x2+= $x6; $x14 = self::leftRotate(intval($x14) ^ intval($x2), 8);
+        $x10+= $x14; $x6 = self::leftRotate(intval($x6) ^ intval($x10), 7);
+
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 16);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 12);
+        $x3+= $x7; $x15 = self::leftRotate(intval($x15) ^ intval($x3), 8);
+        $x11+= $x15; $x7 = self::leftRotate(intval($x7) ^ intval($x11), 7);
+
+        // rowRound
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 16);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 12);
+        $x0+= $x5; $x15 = self::leftRotate(intval($x15) ^ intval($x0), 8);
+        $x10+= $x15; $x5 = self::leftRotate(intval($x5) ^ intval($x10), 7);
+
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 16);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 12);
+        $x1+= $x6; $x12 = self::leftRotate(intval($x12) ^ intval($x1), 8);
+        $x11+= $x12; $x6 = self::leftRotate(intval($x6) ^ intval($x11), 7);
+
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 16);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 12);
+        $x2+= $x7; $x13 = self::leftRotate(intval($x13) ^ intval($x2), 8);
+        $x8+= $x13; $x7 = self::leftRotate(intval($x7) ^ intval($x8), 7);
+
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 16);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 12);
+        $x3+= $x4; $x14 = self::leftRotate(intval($x14) ^ intval($x3), 8);
+        $x9+= $x14; $x4 = self::leftRotate(intval($x4) ^ intval($x9), 7);
+        // @codingStandardsIgnoreEnd
+
+        $x0 += $z0;
+        $x1 += $z1;
+        $x2 += $z2;
+        $x3 += $z3;
+        $x4 += $z4;
+        $x5 += $z5;
+        $x6 += $z6;
+        $x7 += $z7;
+        $x8 += $z8;
+        $x9 += $z9;
+        $x10 += $z10;
+        $x11 += $z11;
+        $x12 += $z12;
+        $x13 += $z13;
+        $x14 += $z14;
+        $x15 += $z15;
+
+        return pack('V*', $x0, $x1, $x2, $x3, $x4, $x5, $x6, $x7, $x8, $x9, $x10, $x11, $x12, $x13, $x14, $x15);
+    }
+}

phpseclib/Crypt/Common/AsymmetricKey.php

@@ -0,0 +1,532 @@
+<?php
+
+/**
+ * Base Class for all asymmetric key ciphers
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common;
+
+use phpseclib3\Crypt\Hash;
+use phpseclib3\Exception\NoKeyLoadedException;
+use phpseclib3\Exception\UnsupportedFormatException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Base Class for all asymmetric cipher classes
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class AsymmetricKey
+{
+    /**
+     * Precomputed Zero
+     *
+     * @var BigInteger
+     */
+    protected static $zero;
+
+    /**
+     * Precomputed One
+     *
+     * @var BigInteger
+     */
+    protected static $one;
+
+    /**
+     * Format of the loaded key
+     *
+     * @var string
+     */
+    protected $format;
+
+    /**
+     * Hash function
+     *
+     * @var Hash
+     */
+    protected $hash;
+
+    /**
+     * HMAC function
+     *
+     * @var Hash
+     */
+    private $hmac;
+
+    /**
+     * Supported plugins (lower case)
+     *
+     * @see self::initialize_static_variables()
+     * @var array
+     */
+    private static $plugins = [];
+
+    /**
+     * Invisible plugins
+     *
+     * @see self::initialize_static_variables()
+     * @var array
+     */
+    private static $invisiblePlugins = [];
+
+    /**
+     * Available Engines
+     *
+     * @var boolean[]
+     */
+    protected static $engines = [];
+
+    /**
+     * Key Comment
+     *
+     * @var null|string
+     */
+    private $comment;
+
+    abstract public function toString(string $type, array $options = []): array|string;
+
+    /**
+     * The constructor
+     */
+    protected function __construct()
+    {
+        self::initialize_static_variables();
+
+        $this->hash = new Hash('sha256');
+        $this->hmac = new Hash('sha256');
+    }
+
+    /**
+     * Initialize static variables
+     */
+    protected static function initialize_static_variables(): void
+    {
+        if (!isset(self::$zero)) {
+            self::$zero = new BigInteger(0);
+            self::$one = new BigInteger(1);
+        }
+
+        self::loadPlugins('Keys');
+        if (static::ALGORITHM != 'RSA' && static::ALGORITHM != 'DH') {
+            self::loadPlugins('Signature');
+        }
+    }
+
+    /**
+     * Load the key
+     *
+     * @param string|array $key
+     * @return \phpseclib3\Crypt\Common\PublicKey|\phpseclib3\Crypt\Common\PrivateKey
+     */
+    public static function load($key, ?string $password = null): AsymmetricKey
+    {
+        self::initialize_static_variables();
+
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('load() should not be called from final classes (' . static::class . ')');
+        }
+
+        $components = false;
+        foreach (self::$plugins[static::ALGORITHM]['Keys'] as $format) {
+            if (isset(self::$invisiblePlugins[static::ALGORITHM]) && in_array($format, self::$invisiblePlugins[static::ALGORITHM])) {
+                continue;
+            }
+            try {
+                $components = $format::load($key, $password);
+            } catch (\Exception $e) {
+                $components = false;
+            }
+            if ($components !== false) {
+                break;
+            }
+        }
+
+        if ($components === false) {
+            throw new NoKeyLoadedException('Unable to read key');
+        }
+
+        $components['format'] = $format;
+        $components['secret'] ??= '';
+        $comment = $components['comment'] ?? null;
+        $new = static::onLoad($components);
+        $new->format = $format;
+        $new->comment = $comment;
+        return $new instanceof PrivateKey ?
+            $new->withPassword($password) :
+            $new;
+    }
+
+    /**
+     * Loads a private key
+     *
+     * @param string|array $key
+     * @param string $password optional
+     */
+    public static function loadPrivateKey($key, string $password = ''): PrivateKey
+    {
+        $key = self::load($key, $password);
+        if (!$key instanceof PrivateKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a private key');
+        }
+        return $key;
+    }
+
+    /**
+     * Loads a public key
+     *
+     * @param string|array $key
+     */
+    public static function loadPublicKey($key): PublicKey
+    {
+        $key = self::load($key);
+        if (!$key instanceof PublicKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a public key');
+        }
+        return $key;
+    }
+
+    /**
+     * Loads parameters
+     *
+     * @param string|array $key
+     */
+    public static function loadParameters($key): AsymmetricKey
+    {
+        $key = self::load($key);
+        if (!$key instanceof PrivateKey && !$key instanceof PublicKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a parameter');
+        }
+        return $key;
+    }
+
+    /**
+     * Load the key, assuming a specific format
+     *
+     * @return static
+     */
+    public static function loadFormat(string $type, string $key, ?string $password = null): AsymmetricKey
+    {
+        self::initialize_static_variables();
+
+        $components = false;
+        $format = strtolower($type);
+        if (isset(self::$plugins[static::ALGORITHM]['Keys'][$format])) {
+            $format = self::$plugins[static::ALGORITHM]['Keys'][$format];
+            $components = $format::load($key, $password);
+        }
+
+        if ($components === false) {
+            throw new NoKeyLoadedException('Unable to read key');
+        }
+
+        $components['format'] = $format;
+        $components['secret'] ??= '';
+
+        $new = static::onLoad($components);
+        $new->format = $format;
+        return $new instanceof PrivateKey ?
+            $new->withPassword($password) :
+            $new;
+    }
+
+    /**
+     * Loads a private key
+     */
+    public static function loadPrivateKeyFormat(string $type, string $key, ?string $password = null): PrivateKey
+    {
+        $key = self::loadFormat($type, $key, $password);
+        if (!$key instanceof PrivateKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a private key');
+        }
+        return $key;
+    }
+
+    /**
+     * Loads a public key
+     */
+    public static function loadPublicKeyFormat(string $type, string $key): PublicKey
+    {
+        $key = self::loadFormat($type, $key);
+        if (!$key instanceof PublicKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a public key');
+        }
+        return $key;
+    }
+
+    /**
+     * Loads parameters
+     *
+     * @param string|array $key
+     */
+    public static function loadParametersFormat(string $type, $key): AsymmetricKey
+    {
+        $key = self::loadFormat($type, $key);
+        if (!$key instanceof PrivateKey && !$key instanceof PublicKey) {
+            throw new NoKeyLoadedException('The key that was loaded was not a parameter');
+        }
+        return $key;
+    }
+
+    /**
+     * Validate Plugin
+     *
+     * @param string|null $method optional
+     */
+    protected static function validatePlugin(string $format, string $type, ?string $method = null)
+    {
+        $type = strtolower($type);
+        if (!isset(self::$plugins[static::ALGORITHM][$format][$type])) {
+            throw new UnsupportedFormatException("$type is not a supported format");
+        }
+        $type = self::$plugins[static::ALGORITHM][$format][$type];
+        if (isset($method) && !method_exists($type, $method)) {
+            throw new UnsupportedFormatException("$type does not implement $method");
+        }
+
+        return $type;
+    }
+
+    /**
+     * Load Plugins
+     */
+    private static function loadPlugins(string $format): void
+    {
+        if (!isset(self::$plugins[static::ALGORITHM][$format])) {
+            self::$plugins[static::ALGORITHM][$format] = [];
+            foreach (new \DirectoryIterator(__DIR__ . '/../' . static::ALGORITHM . '/Formats/' . $format . '/') as $file) {
+                if ($file->getExtension() != 'php') {
+                    continue;
+                }
+                $name = $file->getBasename('.php');
+                if ($name[0] == '.') {
+                    continue;
+                }
+                $type = 'phpseclib3\Crypt\\' . static::ALGORITHM . '\\Formats\\' . $format . '\\' . $name;
+                $reflect = new \ReflectionClass($type);
+                if ($reflect->isTrait()) {
+                    continue;
+                }
+                self::$plugins[static::ALGORITHM][$format][strtolower($name)] = $type;
+                if ($reflect->hasConstant('IS_INVISIBLE')) {
+                    self::$invisiblePlugins[static::ALGORITHM][] = $type;
+                }
+            }
+        }
+    }
+
+    /**
+     * Returns a list of supported formats.
+     */
+    public static function getSupportedKeyFormats(): array
+    {
+        self::initialize_static_variables();
+
+        return self::$plugins[static::ALGORITHM]['Keys'];
+    }
+
+    /**
+     * Add a fileformat plugin
+     *
+     * The plugin needs to either already be loaded or be auto-loadable.
+     * Loading a plugin whose shortname overwrite an existing shortname will overwrite the old plugin.
+     *
+     * @see self::load()
+     */
+    public static function addFileFormat(string $fullname): void
+    {
+        self::initialize_static_variables();
+
+        if (class_exists($fullname)) {
+            $meta = new \ReflectionClass($fullname);
+            $shortname = $meta->getShortName();
+            self::$plugins[static::ALGORITHM]['Keys'][strtolower($shortname)] = $fullname;
+            if ($meta->hasConstant('IS_INVISIBLE')) {
+                self::$invisiblePlugins[static::ALGORITHM][] = strtolower($shortname);
+            }
+        }
+    }
+
+    /**
+     * Returns the format of the loaded key.
+     *
+     * If the key that was loaded wasn't in a valid or if the key was auto-generated
+     * with RSA::createKey() then this will throw an exception.
+     *
+     * @see self::load()
+     */
+    public function getLoadedFormat(): string
+    {
+        if (empty($this->format)) {
+            throw new NoKeyLoadedException('This key was created with createKey - it was not loaded with load. Therefore there is no "loaded format"');
+        }
+
+        $meta = new \ReflectionClass($this->format);
+        return $meta->getShortName();
+    }
+
+    /**
+     * Returns the key's comment
+     *
+     * Not all key formats support comments. If you want to set a comment use toString()
+     */
+    public function getComment(): ?string
+    {
+        return $this->comment;
+    }
+
+    /**
+     * Tests engine validity
+     */
+    public static function useBestEngine(): array
+    {
+        static::$engines = [
+            'PHP' => true,
+            'OpenSSL' => extension_loaded('openssl'),
+            // this test can be satisfied by either of the following:
+            // http://php.net/manual/en/book.sodium.php
+            // https://github.com/paragonie/sodium_compat
+            'libsodium' => function_exists('sodium_crypto_sign_keypair'),
+        ];
+
+        return static::$engines;
+    }
+
+    /**
+     * Flag to use internal engine only (useful for unit testing)
+     */
+    public static function useInternalEngine(): void
+    {
+        static::$engines = [
+            'PHP' => true,
+            'OpenSSL' => false,
+            'libsodium' => false,
+        ];
+    }
+
+    /**
+     * __toString() magic method
+     *
+     * @return string
+     */
+    public function __toString()
+    {
+        return $this->toString('PKCS8');
+    }
+
+    /**
+     * Determines which hashing function should be used
+     */
+    public function withHash(string $hash): AsymmetricKey
+    {
+        $new = clone $this;
+
+        $new->hash = new Hash($hash);
+        $new->hmac = new Hash($hash);
+
+        return $new;
+    }
+
+    /**
+     * Returns the hash algorithm currently being used
+     */
+    public function getHash(): Hash
+    {
+        return clone $this->hash;
+    }
+
+    /**
+     * Compute the pseudorandom k for signature generation,
+     * using the process specified for deterministic DSA.
+     *
+     * @return string
+     */
+    protected function computek(string $h1)
+    {
+        $v = str_repeat("\1", strlen($h1));
+
+        $k = str_repeat("\0", strlen($h1));
+
+        $x = $this->int2octets($this->x);
+        $h1 = $this->bits2octets($h1);
+
+        $this->hmac->setKey($k);
+        $k = $this->hmac->hash($v . "\0" . $x . $h1);
+        $this->hmac->setKey($k);
+        $v = $this->hmac->hash($v);
+        $k = $this->hmac->hash($v . "\1" . $x . $h1);
+        $this->hmac->setKey($k);
+        $v = $this->hmac->hash($v);
+
+        $qlen = $this->q->getLengthInBytes();
+
+        while (true) {
+            $t = '';
+            while (strlen($t) < $qlen) {
+                $v = $this->hmac->hash($v);
+                $t = $t . $v;
+            }
+            $k = $this->bits2int($t);
+
+            if (!$k->equals(self::$zero) && $k->compare($this->q) < 0) {
+                break;
+            }
+            $k = $this->hmac->hash($v . "\0");
+            $this->hmac->setKey($k);
+            $v = $this->hmac->hash($v);
+        }
+
+        return $k;
+    }
+
+    /**
+     * Integer to Octet String
+     */
+    private function int2octets(BigInteger $v): string
+    {
+        $out = $v->toBytes();
+        $rolen = $this->q->getLengthInBytes();
+        if (strlen($out) < $rolen) {
+            return str_pad($out, $rolen, "\0", STR_PAD_LEFT);
+        } elseif (strlen($out) > $rolen) {
+            return substr($out, -$rolen);
+        } else {
+            return $out;
+        }
+    }
+
+    /**
+     * Bit String to Integer
+     */
+    protected function bits2int(string $in): BigInteger
+    {
+        $v = new BigInteger($in, 256);
+        $vlen = strlen($in) << 3;
+        $qlen = $this->q->getLength();
+        if ($vlen > $qlen) {
+            return $v->bitwise_rightShift($vlen - $qlen);
+        }
+        return $v;
+    }
+
+    /**
+     * Bit String to Octet String
+     */
+    private function bits2octets(string $in): string
+    {
+        $z1 = $this->bits2int($in);
+        $z2 = $z1->subtract($this->q);
+        return $z2->compare(self::$zero) < 0 ?
+            $this->int2octets($z1) :
+            $this->int2octets($z2);
+    }
+}

phpseclib/Crypt/Common/BlockCipher.php

@@ -0,0 +1,26 @@
+<?php
+
+/**
+ * Base Class for all block ciphers
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @author    Hans-Juergen Petrich <petrich@tronic-media.com>
+ * @copyright 2007 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common;
+
+/**
+ * Base Class for all block cipher classes
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class BlockCipher extends SymmetricKey
+{
+}

phpseclib/Crypt/Common/Formats/Keys/JWK.php

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * JSON Web Key (RFC7517) Handler
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+
+/**
+ * JSON Web Key Formatted Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class JWK
+{
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    protected static function loadHelper($key): \stdClass
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new \UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        $key = preg_replace('#\s#', '', $key); // remove whitespace
+
+        $key = json_decode($key, null, 512, JSON_THROW_ON_ERROR);
+
+        if (isset($key->kty)) {
+            return $key;
+        }
+
+        if (count($key->keys) != 1) {
+            throw new \RuntimeException('Although the JWK key format supports multiple keys phpseclib does not');
+        }
+
+        return $key->keys[0];
+    }
+
+    /**
+     * Wrap a key appropriately
+     */
+    protected static function wrapKey(array $key, array $options): string
+    {
+        return json_encode(['keys' => [$key + $options]]);
+    }
+}

phpseclib/Crypt/Common/Formats/Keys/OpenSSH.php

@@ -0,0 +1,217 @@
+<?php
+
+/**
+ * OpenSSH Key Handler
+ *
+ * PHP version 5
+ *
+ * Place in $HOME/.ssh/authorized_keys
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\AES;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Exception\BadDecryptionException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+
+/**
+ * OpenSSH Formatted RSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class OpenSSH
+{
+    /**
+     * Default comment
+     *
+     * @var string
+     */
+    protected static $comment = 'phpseclib-generated-key';
+
+    /**
+     * Binary key flag
+     *
+     * @var bool
+     */
+    protected static $binary = false;
+
+    /**
+     * Sets the default comment
+     */
+    public static function setComment(string $comment): void
+    {
+        self::$comment = str_replace(["\r", "\n"], '', $comment);
+    }
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * $type can be either ssh-dss or ssh-rsa
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        // key format is described here:
+        // https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD
+
+        if (str_contains($key, 'BEGIN OPENSSH PRIVATE KEY')) {
+            $key = preg_replace('#(?:^-.*?-[\r\n]*$)|\s#ms', '', $key);
+            $key = Strings::base64_decode($key);
+            $magic = Strings::shift($key, 15);
+            if ($magic != "openssh-key-v1\0") {
+                throw new RuntimeException('Expected openssh-key-v1');
+            }
+            [$ciphername, $kdfname, $kdfoptions, $numKeys] = Strings::unpackSSH2('sssN', $key);
+            if ($numKeys != 1) {
+                // if we wanted to support multiple keys we could update PublicKeyLoader to preview what the # of keys
+                // would be; it'd then call Common\Keys\OpenSSH.php::load() and get the paddedKey. it'd then pass
+                // that to the appropriate key loading parser $numKey times or something
+                throw new RuntimeException('Although the OpenSSH private key format supports multiple keys phpseclib does not');
+            }
+
+            switch ($ciphername) {
+                case 'none':
+                    break;
+                case 'aes256-ctr':
+                    if ($kdfname != 'bcrypt') {
+                        throw new RuntimeException('Only the bcrypt kdf is supported (' . $kdfname . ' encountered)');
+                    }
+                    [$salt, $rounds] = Strings::unpackSSH2('sN', $kdfoptions);
+                    $crypto = new AES('ctr');
+                    //$crypto->setKeyLength(256);
+                    //$crypto->disablePadding();
+                    $crypto->setPassword($password, 'bcrypt', $salt, $rounds, 32);
+                    break;
+                default:
+                    throw new RuntimeException('The only supported ciphers are: none, aes256-ctr (' . $ciphername . ' is being used)');
+            }
+
+            [$publicKey, $paddedKey] = Strings::unpackSSH2('ss', $key);
+            [$type] = Strings::unpackSSH2('s', $publicKey);
+            if (isset($crypto)) {
+                $paddedKey = $crypto->decrypt($paddedKey);
+            }
+            [$checkint1, $checkint2] = Strings::unpackSSH2('NN', $paddedKey);
+            // any leftover bytes in $paddedKey are for padding? but they should be sequential bytes. eg. 1, 2, 3, etc.
+            if ($checkint1 != $checkint2) {
+                if (isset($crypto)) {
+                    throw new BadDecryptionException('Unable to decrypt key - please verify the password you are using');
+                }
+                throw new RuntimeException("The two checkints do not match ($checkint1 vs. $checkint2)");
+            }
+            self::checkType($type);
+
+            return compact('type', 'publicKey', 'paddedKey');
+        }
+
+        $parts = explode(' ', $key, 3);
+
+        if (!isset($parts[1])) {
+            $key = base64_decode($parts[0]);
+            $comment = false;
+        } else {
+            $asciiType = $parts[0];
+            self::checkType($parts[0]);
+            $key = base64_decode($parts[1]);
+            $comment = $parts[2] ?? false;
+        }
+        if ($key === false) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        [$type] = Strings::unpackSSH2('s', $key);
+        self::checkType($type);
+        if (isset($asciiType) && $asciiType != $type) {
+            throw new RuntimeException('Two different types of keys are claimed: ' . $asciiType . ' and ' . $type);
+        }
+        if (strlen($key) <= 4) {
+            throw new UnexpectedValueException('Key appears to be malformed');
+        }
+
+        $publicKey = $key;
+
+        return compact('type', 'publicKey', 'comment');
+    }
+
+    /**
+     * Toggle between binary and printable keys
+     *
+     * Printable keys are what are generated by default. These are the ones that go in
+     * $HOME/.ssh/authorized_key.
+     */
+    public static function setBinaryOutput(bool $enabled): void
+    {
+        self::$binary = $enabled;
+    }
+
+    /**
+     * Checks to see if the type is valid
+     */
+    private static function checkType(string $candidate): void
+    {
+        if (!in_array($candidate, static::$types)) {
+            throw new RuntimeException("The key type ($candidate) is not equal to: " . implode(',', static::$types));
+        }
+    }
+
+    /**
+     * Wrap a private key appropriately
+     *
+     * @param string|false $password
+     */
+    protected static function wrapPrivateKey(string $publicKey, string $privateKey, $password, array $options): string
+    {
+        [, $checkint] = unpack('N', Random::string(4));
+
+        $comment = $options['comment'] ?? self::$comment;
+        $paddedKey = Strings::packSSH2('NN', $checkint, $checkint) .
+                     $privateKey .
+                     Strings::packSSH2('s', $comment);
+
+        $usesEncryption = !empty($password) && is_string($password);
+
+        /*
+           from http://tools.ietf.org/html/rfc4253#section-6 :
+
+           Note that the length of the concatenation of 'packet_length',
+           'padding_length', 'payload', and 'random padding' MUST be a multiple
+           of the cipher block size or 8, whichever is larger.
+         */
+        $blockSize = $usesEncryption ? 16 : 8;
+        $paddingLength = (($blockSize - 1) * strlen($paddedKey)) % $blockSize;
+        for ($i = 1; $i <= $paddingLength; $i++) {
+            $paddedKey .= chr($i);
+        }
+        if (!$usesEncryption) {
+            $key = Strings::packSSH2('sssNss', 'none', 'none', '', 1, $publicKey, $paddedKey);
+        } else {
+            $rounds = $options['rounds'] ?? 16;
+            $salt = Random::string(16);
+            $kdfoptions = Strings::packSSH2('sN', $salt, $rounds);
+            $crypto = new AES('ctr');
+            $crypto->setPassword($password, 'bcrypt', $salt, $rounds, 32);
+            $paddedKey = $crypto->encrypt($paddedKey);
+            $key = Strings::packSSH2('sssNss', 'aes256-ctr', 'bcrypt', $kdfoptions, 1, $publicKey, $paddedKey);
+        }
+        $key = "openssh-key-v1\0$key";
+
+        return "-----BEGIN OPENSSH PRIVATE KEY-----\n" .
+               chunk_split(Strings::base64_encode($key), 70, "\n") .
+               "-----END OPENSSH PRIVATE KEY-----\n";
+    }
+}

phpseclib/Crypt/Common/Formats/Keys/PKCS.php

@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * PKCS Formatted Key Handler
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+/**
+ * PKCS1 Formatted Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS
+{
+    /**
+     * Auto-detect the format
+     */
+    public const MODE_ANY = 0;
+    /**
+     * Require base64-encoded PEM's be supplied
+     */
+    public const MODE_PEM = 1;
+    /**
+     * Require raw DER's be supplied
+     */
+    public const MODE_DER = 2;
+    /**#@-*/
+
+    /**
+     * Is the key a base-64 encoded PEM, DER or should it be auto-detected?
+     *
+     * @var int
+     */
+    protected static $format = self::MODE_ANY;
+
+    /**
+     * Require base64-encoded PEM's be supplied
+     */
+    public static function requirePEM(): void
+    {
+        self::$format = self::MODE_PEM;
+    }
+
+    /**
+     * Require raw DER's be supplied
+     */
+    public static function requireDER(): void
+    {
+        self::$format = self::MODE_DER;
+    }
+
+    /**
+     * Accept any format and auto detect the format
+     *
+     * This is the default setting
+     */
+    public static function requireAny(): void
+    {
+        self::$format = self::MODE_ANY;
+    }
+}

phpseclib/Crypt/Common/Formats/Keys/PKCS1.php

@@ -0,0 +1,195 @@
+<?php
+
+/**
+ * PKCS1 Formatted Key Handler
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\AES;
+use phpseclib3\Crypt\DES;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Crypt\TripleDES;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Exception\UnsupportedAlgorithmException;
+use phpseclib3\File\ASN1;
+
+/**
+ * PKCS1 Formatted Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS1 extends PKCS
+{
+    /**
+     * Default encryption algorithm
+     *
+     * @var string
+     */
+    private static $defaultEncryptionAlgorithm = 'AES-128-CBC';
+
+    /**
+     * Sets the default encryption algorithm
+     */
+    public static function setEncryptionAlgorithm(string $algo): void
+    {
+        self::$defaultEncryptionAlgorithm = $algo;
+    }
+
+    /**
+     * Returns the mode constant corresponding to the mode string
+     *
+     * @return int
+     * @throws UnexpectedValueException if the block cipher mode is unsupported
+     */
+    private static function getEncryptionMode(string $mode)
+    {
+        switch ($mode) {
+            case 'CBC':
+            case 'ECB':
+            case 'CFB':
+            case 'OFB':
+            case 'CTR':
+                return $mode;
+        }
+        throw new UnexpectedValueException('Unsupported block cipher mode of operation');
+    }
+
+    /**
+     * Returns a cipher object corresponding to a string
+     *
+     * @return AES|DES|TripleDES
+     * @throws UnexpectedValueException if the encryption algorithm is unsupported
+     */
+    private static function getEncryptionObject(string $algo)
+    {
+        $modes = '(CBC|ECB|CFB|OFB|CTR)';
+        switch (true) {
+            case preg_match("#^AES-(128|192|256)-$modes$#", $algo, $matches):
+                $cipher = new AES(self::getEncryptionMode($matches[2]));
+                $cipher->setKeyLength((int) $matches[1]);
+                return $cipher;
+            case preg_match("#^DES-EDE3-$modes$#", $algo, $matches):
+                return new TripleDES(self::getEncryptionMode($matches[1]));
+            case preg_match("#^DES-$modes$#", $algo, $matches):
+                return new DES(self::getEncryptionMode($matches[1]));
+            default:
+                throw new UnsupportedAlgorithmException($algo . ' is not a supported algorithm');
+        }
+    }
+
+    /**
+     * Generate a symmetric key for PKCS#1 keys
+     */
+    private static function generateSymmetricKey(string $password, string $iv, int $length): string
+    {
+        $symkey = '';
+        $iv = substr($iv, 0, 8);
+        while (strlen($symkey) < $length) {
+            $symkey .= md5($symkey . $password . $iv, true);
+        }
+        return substr($symkey, 0, $length);
+    }
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     * @return array|string
+     */
+    protected static function load($key, ?string $password = null)
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        /* Although PKCS#1 proposes a format that public and private keys can use, encrypting them is
+           "outside the scope" of PKCS#1.  PKCS#1 then refers you to PKCS#12 and PKCS#15 if you're wanting to
+           protect private keys, however, that's not what OpenSSL* does.  OpenSSL protects private keys by adding
+           two new "fields" to the key - DEK-Info and Proc-Type.  These fields are discussed here:
+
+           http://tools.ietf.org/html/rfc1421#section-4.6.1.1
+           http://tools.ietf.org/html/rfc1421#section-4.6.1.3
+
+           DES-EDE3-CBC as an algorithm, however, is not discussed anywhere, near as I can tell.
+           DES-CBC and DES-EDE are discussed in RFC1423, however, DES-EDE3-CBC isn't, nor is its key derivation
+           function.  As is, the definitive authority on this encoding scheme isn't the IETF but rather OpenSSL's
+           own implementation.  ie. the implementation *is* the standard and any bugs that may exist in that
+           implementation are part of the standard, as well.
+
+           * OpenSSL is the de facto standard.  It's utilized by OpenSSH and other projects */
+        if (preg_match('#DEK-Info: (.+),(.+)#', $key, $matches)) {
+            $iv = Strings::hex2bin(trim($matches[2]));
+            // remove the Proc-Type / DEK-Info sections as they're no longer needed
+            $key = preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $key);
+            $ciphertext = ASN1::extractBER($key);
+            if ($ciphertext === false) {
+                $ciphertext = $key;
+            }
+            $crypto = self::getEncryptionObject($matches[1]);
+            $crypto->setKey(self::generateSymmetricKey($password, $iv, $crypto->getKeyLength() >> 3));
+            $crypto->setIV($iv);
+            $key = $crypto->decrypt($ciphertext);
+        } else {
+            if (self::$format != self::MODE_DER) {
+                $decoded = ASN1::extractBER($key);
+                if ($decoded !== false) {
+                    $key = $decoded;
+                } elseif (self::$format == self::MODE_PEM) {
+                    throw new UnexpectedValueException('Expected base64-encoded PEM format but was unable to decode base64 text');
+                }
+            }
+        }
+
+        return $key;
+    }
+
+    /**
+     * Wrap a private key appropriately
+     *
+     * @param string|false $password
+     * @param array $options optional
+     */
+    protected static function wrapPrivateKey(string $key, string $type, $password, array $options = []): string
+    {
+        if (empty($password) || !is_string($password)) {
+            return "-----BEGIN $type PRIVATE KEY-----\r\n" .
+                   chunk_split(Strings::base64_encode($key), 64) .
+                   "-----END $type PRIVATE KEY-----";
+        }
+
+        $encryptionAlgorithm = $options['encryptionAlgorithm'] ?? self::$defaultEncryptionAlgorithm;
+
+        $cipher = self::getEncryptionObject($encryptionAlgorithm);
+        $iv = Random::string($cipher->getBlockLength() >> 3);
+        $cipher->setKey(self::generateSymmetricKey($password, $iv, $cipher->getKeyLength() >> 3));
+        $cipher->setIV($iv);
+        $iv = strtoupper(Strings::bin2hex($iv));
+        return "-----BEGIN $type PRIVATE KEY-----\r\n" .
+               "Proc-Type: 4,ENCRYPTED\r\n" .
+               "DEK-Info: " . $encryptionAlgorithm . ",$iv\r\n" .
+               "\r\n" .
+               chunk_split(Strings::base64_encode($cipher->encrypt($key)), 64) .
+               "-----END $type PRIVATE KEY-----";
+    }
+
+    /**
+     * Wrap a public key appropriately
+     */
+    protected static function wrapPublicKey(string $key, string $type): string
+    {
+        return "-----BEGIN $type PUBLIC KEY-----\r\n" .
+               chunk_split(Strings::base64_encode($key), 64) .
+               "-----END $type PUBLIC KEY-----";
+    }
+}

phpseclib/Crypt/Common/Formats/Keys/PKCS8.php

@@ -0,0 +1,697 @@
+<?php
+
+/**
+ * PKCS#8 Formatted Key Handler
+ *
+ * PHP version 5
+ *
+ * Used by PHP's openssl_public_encrypt() and openssl's rsautl (when -pubin is set)
+ *
+ * Processes keys with the following headers:
+ *
+ * -----BEGIN ENCRYPTED PRIVATE KEY-----
+ * -----BEGIN PRIVATE KEY-----
+ * -----BEGIN PUBLIC KEY-----
+ *
+ * Analogous to ssh-keygen's pkcs8 format (as specified by -m). Although PKCS8
+ * is specific to private keys it's basically creating a DER-encoded wrapper
+ * for keys. This just extends that same concept to public keys (much like ssh-keygen)
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\AES;
+use phpseclib3\Crypt\Common\SymmetricKey;
+use phpseclib3\Crypt\DES;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Crypt\RC2;
+use phpseclib3\Crypt\RC4;
+use phpseclib3\Crypt\TripleDES;
+use phpseclib3\Exception\InsufficientSetupException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Exception\UnsupportedAlgorithmException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps;
+
+/**
+ * PKCS#8 Formatted Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS8 extends PKCS
+{
+    /**
+     * Default encryption algorithm
+     *
+     * @var string
+     */
+    private static $defaultEncryptionAlgorithm = 'id-PBES2';
+
+    /**
+     * Default encryption scheme
+     *
+     * Only used when defaultEncryptionAlgorithm is id-PBES2
+     *
+     * @var string
+     */
+    private static $defaultEncryptionScheme = 'aes128-CBC-PAD';
+
+    /**
+     * Default PRF
+     *
+     * Only used when defaultEncryptionAlgorithm is id-PBES2
+     *
+     * @var string
+     */
+    private static $defaultPRF = 'id-hmacWithSHA256';
+
+    /**
+     * Default Iteration Count
+     *
+     * @var int
+     */
+    private static $defaultIterationCount = 2048;
+
+    /**
+     * OIDs loaded
+     *
+     * @var bool
+     */
+    private static $oidsLoaded = false;
+
+    /**
+     * Sets the default encryption algorithm
+     */
+    public static function setEncryptionAlgorithm(string $algo): void
+    {
+        self::$defaultEncryptionAlgorithm = $algo;
+    }
+
+    /**
+     * Sets the default encryption algorithm for PBES2
+     */
+    public static function setEncryptionScheme(string $algo): void
+    {
+        self::$defaultEncryptionScheme = $algo;
+    }
+
+    /**
+     * Sets the iteration count
+     */
+    public static function setIterationCount(int $count): void
+    {
+        self::$defaultIterationCount = $count;
+    }
+
+    /**
+     * Sets the PRF for PBES2
+     */
+    public static function setPRF(string $algo): void
+    {
+        self::$defaultPRF = $algo;
+    }
+
+    /**
+     * Returns a SymmetricKey object based on a PBES1 $algo
+     *
+     * @return SymmetricKey
+     */
+    private static function getPBES1EncryptionObject(string $algo)
+    {
+        $algo = preg_match('#^pbeWith(?:MD2|MD5|SHA1|SHA)And(.*?)-CBC$#', $algo, $matches) ?
+            $matches[1] :
+            substr($algo, 13); // strlen('pbeWithSHAAnd') == 13
+
+        switch ($algo) {
+            case 'DES':
+                $cipher = new DES('cbc');
+                break;
+            case 'RC2':
+                $cipher = new RC2('cbc');
+                $cipher->setKeyLength(64);
+                break;
+            case '3-KeyTripleDES':
+                $cipher = new TripleDES('cbc');
+                break;
+            case '2-KeyTripleDES':
+                $cipher = new TripleDES('cbc');
+                $cipher->setKeyLength(128);
+                break;
+            case '128BitRC2':
+                $cipher = new RC2('cbc');
+                $cipher->setKeyLength(128);
+                break;
+            case '40BitRC2':
+                $cipher = new RC2('cbc');
+                $cipher->setKeyLength(40);
+                break;
+            case '128BitRC4':
+                $cipher = new RC4();
+                $cipher->setKeyLength(128);
+                break;
+            case '40BitRC4':
+                $cipher = new RC4();
+                $cipher->setKeyLength(40);
+                break;
+            default:
+                throw new UnsupportedAlgorithmException("$algo is not a supported algorithm");
+        }
+
+        return $cipher;
+    }
+
+    /**
+     * Returns a hash based on a PBES1 $algo
+     */
+    private static function getPBES1Hash(string $algo): string
+    {
+        if (preg_match('#^pbeWith(MD2|MD5|SHA1|SHA)And.*?-CBC$#', $algo, $matches)) {
+            return $matches[1] == 'SHA' ? 'sha1' : $matches[1];
+        }
+
+        return 'sha1';
+    }
+
+    /**
+     * Returns a KDF baesd on a PBES1 $algo
+     */
+    private static function getPBES1KDF(string $algo): string
+    {
+        switch ($algo) {
+            case 'pbeWithMD2AndDES-CBC':
+            case 'pbeWithMD2AndRC2-CBC':
+            case 'pbeWithMD5AndDES-CBC':
+            case 'pbeWithMD5AndRC2-CBC':
+            case 'pbeWithSHA1AndDES-CBC':
+            case 'pbeWithSHA1AndRC2-CBC':
+                return 'pbkdf1';
+        }
+
+        return 'pkcs12';
+    }
+
+    /**
+     * Returns a SymmetricKey object baesd on a PBES2 $algo
+     */
+    private static function getPBES2EncryptionObject(string $algo): SymmetricKey
+    {
+        switch ($algo) {
+            case 'desCBC':
+                $cipher = new DES('cbc');
+                break;
+            case 'des-EDE3-CBC':
+                $cipher = new TripleDES('cbc');
+                break;
+            case 'rc2CBC':
+                $cipher = new RC2('cbc');
+                // in theory this can be changed
+                $cipher->setKeyLength(128);
+                break;
+            case 'rc5-CBC-PAD':
+                throw new UnsupportedAlgorithmException('rc5-CBC-PAD is not supported for PBES2 PKCS#8 keys');
+            case 'aes128-CBC-PAD':
+            case 'aes192-CBC-PAD':
+            case 'aes256-CBC-PAD':
+                $cipher = new AES('cbc');
+                $cipher->setKeyLength((int) substr($algo, 3, 3));
+                break;
+            default:
+                throw new UnsupportedAlgorithmException("$algo is not supported");
+        }
+
+        return $cipher;
+    }
+
+    /**
+     * Initialize static variables
+     */
+    private static function initialize_static_variables(): void
+    {
+        if (!isset(static::$childOIDsLoaded)) {
+            throw new InsufficientSetupException('This class should not be called directly');
+        }
+
+        if (!static::$childOIDsLoaded) {
+            ASN1::loadOIDs(is_array(static::OID_NAME) ?
+                array_combine(static::OID_NAME, static::OID_VALUE) :
+                [static::OID_NAME => static::OID_VALUE]);
+            static::$childOIDsLoaded = true;
+        }
+        if (!self::$oidsLoaded) {
+            // from https://tools.ietf.org/html/rfc2898
+            ASN1::loadOIDs([
+               // PBES1 encryption schemes
+               'pbeWithMD2AndDES-CBC' => '1.2.840.113549.1.5.1',
+               'pbeWithMD2AndRC2-CBC' => '1.2.840.113549.1.5.4',
+               'pbeWithMD5AndDES-CBC' => '1.2.840.113549.1.5.3',
+               'pbeWithMD5AndRC2-CBC' => '1.2.840.113549.1.5.6',
+               'pbeWithSHA1AndDES-CBC' => '1.2.840.113549.1.5.10',
+               'pbeWithSHA1AndRC2-CBC' => '1.2.840.113549.1.5.11',
+
+               // from PKCS#12:
+               // https://tools.ietf.org/html/rfc7292
+               'pbeWithSHAAnd128BitRC4' => '1.2.840.113549.1.12.1.1',
+               'pbeWithSHAAnd40BitRC4' => '1.2.840.113549.1.12.1.2',
+               'pbeWithSHAAnd3-KeyTripleDES-CBC' => '1.2.840.113549.1.12.1.3',
+               'pbeWithSHAAnd2-KeyTripleDES-CBC' => '1.2.840.113549.1.12.1.4',
+               'pbeWithSHAAnd128BitRC2-CBC' => '1.2.840.113549.1.12.1.5',
+               'pbeWithSHAAnd40BitRC2-CBC' => '1.2.840.113549.1.12.1.6',
+
+               'id-PBKDF2' => '1.2.840.113549.1.5.12',
+               'id-PBES2' => '1.2.840.113549.1.5.13',
+               'id-PBMAC1' => '1.2.840.113549.1.5.14',
+
+               // from PKCS#5 v2.1:
+               // http://www.rsa.com/rsalabs/pkcs/files/h11302-wp-pkcs5v2-1-password-based-cryptography-standard.pdf
+               'id-hmacWithSHA1' => '1.2.840.113549.2.7',
+               'id-hmacWithSHA224' => '1.2.840.113549.2.8',
+               'id-hmacWithSHA256' => '1.2.840.113549.2.9',
+               'id-hmacWithSHA384' => '1.2.840.113549.2.10',
+               'id-hmacWithSHA512' => '1.2.840.113549.2.11',
+               'id-hmacWithSHA512-224' => '1.2.840.113549.2.12',
+               'id-hmacWithSHA512-256' => '1.2.840.113549.2.13',
+
+               'desCBC'       => '1.3.14.3.2.7',
+               'des-EDE3-CBC' => '1.2.840.113549.3.7',
+               'rc2CBC' => '1.2.840.113549.3.2',
+               'rc5-CBC-PAD' => '1.2.840.113549.3.9',
+
+               'aes128-CBC-PAD' => '2.16.840.1.101.3.4.1.2',
+               'aes192-CBC-PAD' => '2.16.840.1.101.3.4.1.22',
+               'aes256-CBC-PAD' => '2.16.840.1.101.3.4.1.42',
+            ]);
+            self::$oidsLoaded = true;
+        }
+    }
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    protected static function load($key, ?string $password = null): array
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        $isPublic = str_contains($key, 'PUBLIC');
+        $isPrivate = str_contains($key, 'PRIVATE');
+
+        $decoded = self::preParse($key);
+
+        $meta = [];
+
+        $decrypted = ASN1::asn1map($decoded[0], Maps\EncryptedPrivateKeyInfo::MAP);
+        if ($password !== null && strlen($password) && is_array($decrypted)) {
+            $algorithm = $decrypted['encryptionAlgorithm']['algorithm'];
+            switch ($algorithm) {
+                // PBES1
+                case 'pbeWithMD2AndDES-CBC':
+                case 'pbeWithMD2AndRC2-CBC':
+                case 'pbeWithMD5AndDES-CBC':
+                case 'pbeWithMD5AndRC2-CBC':
+                case 'pbeWithSHA1AndDES-CBC':
+                case 'pbeWithSHA1AndRC2-CBC':
+                case 'pbeWithSHAAnd3-KeyTripleDES-CBC':
+                case 'pbeWithSHAAnd2-KeyTripleDES-CBC':
+                case 'pbeWithSHAAnd128BitRC2-CBC':
+                case 'pbeWithSHAAnd40BitRC2-CBC':
+                case 'pbeWithSHAAnd128BitRC4':
+                case 'pbeWithSHAAnd40BitRC4':
+                    $cipher = self::getPBES1EncryptionObject($algorithm);
+                    $hash = self::getPBES1Hash($algorithm);
+                    $kdf = self::getPBES1KDF($algorithm);
+
+                    $meta['meta']['algorithm'] = $algorithm;
+
+                    $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']);
+                    if (!$temp) {
+                        throw new RuntimeException('Unable to decode BER');
+                    }
+                    extract(ASN1::asn1map($temp[0], Maps\PBEParameter::MAP));
+                    $iterationCount = (int) $iterationCount->toString();
+                    $cipher->setPassword($password, $kdf, $hash, $salt, $iterationCount);
+                    $key = $cipher->decrypt($decrypted['encryptedData']);
+                    $decoded = ASN1::decodeBER($key);
+                    if (!$decoded) {
+                        throw new RuntimeException('Unable to decode BER 2');
+                    }
+
+                    break;
+                case 'id-PBES2':
+                    $meta['meta']['algorithm'] = $algorithm;
+
+                    $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']);
+                    if (!$temp) {
+                        throw new RuntimeException('Unable to decode BER');
+                    }
+                    $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP);
+                    extract($temp);
+
+                    $cipher = self::getPBES2EncryptionObject($encryptionScheme['algorithm']);
+                    $meta['meta']['cipher'] = $encryptionScheme['algorithm'];
+
+                    $temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']);
+                    if (!$temp) {
+                        throw new RuntimeException('Unable to decode BER');
+                    }
+                    $temp = ASN1::asn1map($temp[0], Maps\PBES2params::MAP);
+                    extract($temp);
+
+                    if (!$cipher instanceof RC2) {
+                        $cipher->setIV($encryptionScheme['parameters']['octetString']);
+                    } else {
+                        $temp = ASN1::decodeBER($encryptionScheme['parameters']);
+                        if (!$temp) {
+                            throw new RuntimeException('Unable to decode BER');
+                        }
+                        extract(ASN1::asn1map($temp[0], Maps\RC2CBCParameter::MAP));
+                        $effectiveKeyLength = (int) $rc2ParametersVersion->toString();
+                        switch ($effectiveKeyLength) {
+                            case 160:
+                                $effectiveKeyLength = 40;
+                                break;
+                            case 120:
+                                $effectiveKeyLength = 64;
+                                break;
+                            case 58:
+                                $effectiveKeyLength = 128;
+                                break;
+                            //default: // should be >= 256
+                        }
+                        $cipher->setIV($iv);
+                        $cipher->setKeyLength($effectiveKeyLength);
+                    }
+
+                    $meta['meta']['keyDerivationFunc'] = $keyDerivationFunc['algorithm'];
+                    switch ($keyDerivationFunc['algorithm']) {
+                        case 'id-PBKDF2':
+                            $temp = ASN1::decodeBER($keyDerivationFunc['parameters']);
+                            if (!$temp) {
+                                throw new RuntimeException('Unable to decode BER');
+                            }
+                            $prf = ['algorithm' => 'id-hmacWithSHA1'];
+                            $params = ASN1::asn1map($temp[0], Maps\PBKDF2params::MAP);
+                            extract($params);
+                            $meta['meta']['prf'] = $prf['algorithm'];
+                            $hash = str_replace('-', '/', substr($prf['algorithm'], 11));
+                            $params = [
+                                $password,
+                                'pbkdf2',
+                                $hash,
+                                $salt,
+                                (int) $iterationCount->toString(),
+                            ];
+                            if (isset($keyLength)) {
+                                $params[] = (int) $keyLength->toString();
+                            }
+                            $cipher->setPassword(...$params);
+                            $key = $cipher->decrypt($decrypted['encryptedData']);
+                            $decoded = ASN1::decodeBER($key);
+                            if (!$decoded) {
+                                throw new RuntimeException('Unable to decode BER 3');
+                            }
+                            break;
+                        default:
+                            throw new UnsupportedAlgorithmException('Only PBKDF2 is supported for PBES2 PKCS#8 keys');
+                    }
+                    break;
+                case 'id-PBMAC1':
+                    //$temp = ASN1::decodeBER($decrypted['encryptionAlgorithm']['parameters']);
+                    //$value = ASN1::asn1map($temp[0], Maps\PBMAC1params::MAP);
+                    // since i can't find any implementation that does PBMAC1 it is unsupported
+                    throw new UnsupportedAlgorithmException('Only PBES1 and PBES2 PKCS#8 keys are supported.');
+                // at this point we'll assume that the key conforms to PublicKeyInfo
+            }
+        }
+
+        $private = ASN1::asn1map($decoded[0], Maps\OneAsymmetricKey::MAP);
+        if (is_array($private)) {
+            if ($isPublic) {
+                throw new UnexpectedValueException('Human readable string claims public key but DER encoded string claims private key');
+            }
+
+            if (isset($private['privateKeyAlgorithm']['parameters']) && !$private['privateKeyAlgorithm']['parameters'] instanceof ASN1\Element && isset($decoded[0]['content'][1]['content'][1])) {
+                $temp = $decoded[0]['content'][1]['content'][1];
+                $private['privateKeyAlgorithm']['parameters'] = new ASN1\Element(substr($key, $temp['start'], $temp['length']));
+            }
+            if (is_array(static::OID_NAME)) {
+                if (!in_array($private['privateKeyAlgorithm']['algorithm'], static::OID_NAME)) {
+                    throw new UnsupportedAlgorithmException($private['privateKeyAlgorithm']['algorithm'] . ' is not a supported key type');
+                }
+            } else {
+                if ($private['privateKeyAlgorithm']['algorithm'] != static::OID_NAME) {
+                    throw new UnsupportedAlgorithmException('Only ' . static::OID_NAME . ' keys are supported; this is a ' . $private['privateKeyAlgorithm']['algorithm'] . ' key');
+                }
+            }
+            if (isset($private['publicKey'])) {
+                if ($private['publicKey'][0] != "\0") {
+                    throw new UnexpectedValueException('The first byte of the public key should be null - not ' . bin2hex($private['publicKey'][0]));
+                }
+                $private['publicKey'] = substr($private['publicKey'], 1);
+            }
+            return $private + $meta;
+        }
+
+        // EncryptedPrivateKeyInfo and PublicKeyInfo have largely identical "signatures". the only difference
+        // is that the former has an octet string and the later has a bit string. the first byte of a bit
+        // string represents the number of bits in the last byte that are to be ignored but, currently,
+        // bit strings wanting a non-zero amount of bits trimmed are not supported
+        $public = ASN1::asn1map($decoded[0], Maps\PublicKeyInfo::MAP);
+
+        if (is_array($public)) {
+            if ($isPrivate) {
+                throw new UnexpectedValueException('Human readable string claims private key but DER encoded string claims public key');
+            }
+
+            if ($public['publicKey'][0] != "\0") {
+                throw new UnexpectedValueException('The first byte of the public key should be null - not ' . bin2hex($public['publicKey'][0]));
+            }
+            if (is_array(static::OID_NAME)) {
+                if (!in_array($public['publicKeyAlgorithm']['algorithm'], static::OID_NAME)) {
+                    throw new UnsupportedAlgorithmException($public['publicKeyAlgorithm']['algorithm'] . ' is not a supported key type');
+                }
+            } else {
+                if ($public['publicKeyAlgorithm']['algorithm'] != static::OID_NAME) {
+                    throw new UnsupportedAlgorithmException('Only ' . static::OID_NAME . ' keys are supported; this is a ' . $public['publicKeyAlgorithm']['algorithm'] . ' key');
+                }
+            }
+            if (isset($public['publicKeyAlgorithm']['parameters']) && !$public['publicKeyAlgorithm']['parameters'] instanceof ASN1\Element && isset($decoded[0]['content'][0]['content'][1])) {
+                $temp = $decoded[0]['content'][0]['content'][1];
+                $public['publicKeyAlgorithm']['parameters'] = new ASN1\Element(substr($key, $temp['start'], $temp['length']));
+            }
+            $public['publicKey'] = substr($public['publicKey'], 1);
+            return $public;
+        }
+
+        throw new RuntimeException('Unable to parse using either OneAsymmetricKey or PublicKeyInfo ASN1 maps');
+    }
+
+    /**
+     * Wrap a private key appropriately
+     *
+     * @param array|string $attr
+     * @param string|false $password
+     * @param string|null $oid optional
+     * @param string $publicKey optional
+     * @param array $options optional
+     */
+    protected static function wrapPrivateKey(string $key, $attr, $params, $password, ?string $oid = null, string $publicKey = '', array $options = []): string
+    {
+        self::initialize_static_variables();
+
+        $key = [
+            'version' => 'v1',
+            'privateKeyAlgorithm' => [
+                'algorithm' => is_string(static::OID_NAME) ? static::OID_NAME : $oid,
+             ],
+            'privateKey' => $key,
+        ];
+        if ($oid != 'id-Ed25519' && $oid != 'id-Ed448') {
+            $key['privateKeyAlgorithm']['parameters'] = $params;
+        }
+        if (!empty($attr)) {
+            $key['attributes'] = $attr;
+        }
+        if (!empty($publicKey)) {
+            $key['version'] = 'v2';
+            $key['publicKey'] = $publicKey;
+        }
+        $key = ASN1::encodeDER($key, Maps\OneAsymmetricKey::MAP);
+        if (!empty($password) && is_string($password)) {
+            $salt = Random::string(8);
+
+            $iterationCount = $options['iterationCount'] ?? self::$defaultIterationCount;
+            $encryptionAlgorithm = $options['encryptionAlgorithm'] ?? self::$defaultEncryptionAlgorithm;
+            $encryptionScheme = $options['encryptionScheme'] ?? self::$defaultEncryptionScheme;
+            $prf = $options['PRF'] ?? self::$defaultPRF;
+
+            if ($encryptionAlgorithm == 'id-PBES2') {
+                $crypto = self::getPBES2EncryptionObject($encryptionScheme);
+                $hash = str_replace('-', '/', substr($prf, 11));
+                $kdf = 'pbkdf2';
+                $iv = Random::string($crypto->getBlockLength() >> 3);
+
+                $PBKDF2params = [
+                    'salt' => $salt,
+                    'iterationCount' => $iterationCount,
+                    'prf' => ['algorithm' => $prf, 'parameters' => null],
+                ];
+                $PBKDF2params = ASN1::encodeDER($PBKDF2params, Maps\PBKDF2params::MAP);
+
+                if (!$crypto instanceof RC2) {
+                    $params = ['octetString' => $iv];
+                } else {
+                    $params = [
+                        'rc2ParametersVersion' => 58,
+                        'iv' => $iv,
+                    ];
+                    $params = ASN1::encodeDER($params, Maps\RC2CBCParameter::MAP);
+                    $params = new ASN1\Element($params);
+                }
+
+                $params = [
+                    'keyDerivationFunc' => [
+                        'algorithm' => 'id-PBKDF2',
+                        'parameters' => new ASN1\Element($PBKDF2params),
+                    ],
+                    'encryptionScheme' => [
+                        'algorithm' => $encryptionScheme,
+                        'parameters' => $params,
+                    ],
+                ];
+                $params = ASN1::encodeDER($params, Maps\PBES2params::MAP);
+
+                $crypto->setIV($iv);
+            } else {
+                $crypto = self::getPBES1EncryptionObject($encryptionAlgorithm);
+                $hash = self::getPBES1Hash($encryptionAlgorithm);
+                $kdf = self::getPBES1KDF($encryptionAlgorithm);
+
+                $params = [
+                    'salt' => $salt,
+                    'iterationCount' => $iterationCount,
+                ];
+                $params = ASN1::encodeDER($params, Maps\PBEParameter::MAP);
+            }
+            $crypto->setPassword($password, $kdf, $hash, $salt, $iterationCount);
+            $key = $crypto->encrypt($key);
+
+            $key = [
+                'encryptionAlgorithm' => [
+                    'algorithm' => $encryptionAlgorithm,
+                    'parameters' => new ASN1\Element($params),
+                ],
+                'encryptedData' => $key,
+            ];
+
+            $key = ASN1::encodeDER($key, Maps\EncryptedPrivateKeyInfo::MAP);
+
+            return "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\n" .
+                   chunk_split(Strings::base64_encode($key), 64) .
+                   "-----END ENCRYPTED PRIVATE KEY-----";
+        }
+
+        return "-----BEGIN PRIVATE KEY-----\r\n" .
+               chunk_split(Strings::base64_encode($key), 64) .
+               "-----END PRIVATE KEY-----";
+    }
+
+    /**
+     * Wrap a public key appropriately
+     */
+    protected static function wrapPublicKey(string $key, $params, ?string $oid = null): string
+    {
+        self::initialize_static_variables();
+
+        $key = [
+            'publicKeyAlgorithm' => [
+                'algorithm' => is_string(static::OID_NAME) ? static::OID_NAME : $oid,
+            ],
+            'publicKey' => "\0" . $key,
+        ];
+
+        if ($oid != 'id-Ed25519' && $oid != 'id-Ed448') {
+            $key['publicKeyAlgorithm']['parameters'] = $params;
+        }
+
+        $key = ASN1::encodeDER($key, Maps\PublicKeyInfo::MAP);
+
+        return "-----BEGIN PUBLIC KEY-----\r\n" .
+               chunk_split(Strings::base64_encode($key), 64) .
+               "-----END PUBLIC KEY-----";
+    }
+
+    /**
+     * Perform some preliminary parsing of the key
+     *
+     * @param string|array $key
+     */
+    private static function preParse(&$key): array
+    {
+        self::initialize_static_variables();
+
+        if (self::$format != self::MODE_DER) {
+            $decoded = ASN1::extractBER($key);
+            if ($decoded !== false) {
+                $key = $decoded;
+            } elseif (self::$format == self::MODE_PEM) {
+                throw new UnexpectedValueException('Expected base64-encoded PEM format but was unable to decode base64 text');
+            }
+        }
+
+        $decoded = ASN1::decodeBER($key);
+        if (!$decoded) {
+            throw new RuntimeException('Unable to decode BER');
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Returns the encryption parameters used by the key
+     */
+    public static function extractEncryptionAlgorithm(string $key): array
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        $decoded = self::preParse($key);
+
+        $r = ASN1::asn1map($decoded[0], ASN1\Maps\EncryptedPrivateKeyInfo::MAP);
+        if (!is_array($r)) {
+            throw new RuntimeException('Unable to parse using EncryptedPrivateKeyInfo map');
+        }
+
+        if ($r['encryptionAlgorithm']['algorithm'] == 'id-PBES2') {
+            $decoded = ASN1::decodeBER($r['encryptionAlgorithm']['parameters']->element);
+            if (!$decoded) {
+                throw new RuntimeException('Unable to decode BER');
+            }
+            $r['encryptionAlgorithm']['parameters'] = ASN1::asn1map($decoded[0], ASN1\Maps\PBES2params::MAP);
+
+            $kdf = &$r['encryptionAlgorithm']['parameters']['keyDerivationFunc'];
+            switch ($kdf['algorithm']) {
+                case 'id-PBKDF2':
+                    $decoded = ASN1::decodeBER($kdf['parameters']->element);
+                    if (!$decoded) {
+                        throw new RuntimeException('Unable to decode BER');
+                    }
+                    $kdf['parameters'] = ASN1::asn1map($decoded[0], Maps\PBKDF2params::MAP);
+            }
+        }
+
+        return $r['encryptionAlgorithm'];
+    }
+}

phpseclib/Crypt/Common/Formats/Keys/PuTTY.php

@@ -0,0 +1,353 @@
+<?php
+
+/**
+ * PuTTY Formatted Key Handler
+ *
+ * See PuTTY's SSHPUBK.C and https://tartarus.org/~simon/putty-snapshots/htmldoc/AppendixC.html
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\AES;
+use phpseclib3\Crypt\Hash;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Exception\UnsupportedAlgorithmException;
+
+/**
+ * PuTTY Formatted Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PuTTY
+{
+    /**
+     * Default comment
+     *
+     * @var string
+     */
+    private static $comment = 'phpseclib-generated-key';
+
+    /**
+     * Default version
+     *
+     * @var int
+     */
+    private static $version = 2;
+
+    /**
+     * Sets the default comment
+     */
+    public static function setComment(string $comment): void
+    {
+        self::$comment = str_replace(["\r", "\n"], '', $comment);
+    }
+
+    /**
+     * Sets the default version
+     */
+    public static function setVersion(int $version): void
+    {
+        if ($version != 2 && $version != 3) {
+            throw new RuntimeException('Only supported versions are 2 and 3');
+        }
+        self::$version = $version;
+    }
+
+    /**
+     * Generate a symmetric key for PuTTY v2 keys
+     */
+    private static function generateV2Key(string $password, int $length): string
+    {
+        $symkey = '';
+        $sequence = 0;
+        while (strlen($symkey) < $length) {
+            $temp = pack('Na*', $sequence++, $password);
+            $symkey .= Strings::hex2bin(sha1($temp));
+        }
+        return substr($symkey, 0, $length);
+    }
+
+    /**
+     * Generate a symmetric key for PuTTY v3 keys
+     */
+    private static function generateV3Key(string $password, string $flavour, int $memory, int $passes, string $salt): array
+    {
+        if (!function_exists('sodium_crypto_pwhash')) {
+            throw new RuntimeException('sodium_crypto_pwhash needs to exist for Argon2 password hasing');
+        }
+
+        switch ($flavour) {
+            case 'Argon2i':
+                $flavour = SODIUM_CRYPTO_PWHASH_ALG_ARGON2I13;
+                break;
+            case 'Argon2id':
+                $flavour = SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13;
+                break;
+            default:
+                throw new UnsupportedAlgorithmException('Only Argon2i and Argon2id are supported');
+        }
+
+        $length = 80; // keylen + ivlen + mac_keylen
+        $temp = sodium_crypto_pwhash($length, $password, $salt, $passes, $memory << 10, $flavour);
+
+        $symkey = substr($temp, 0, 32);
+        $symiv = substr($temp, 32, 16);
+        $hashkey = substr($temp, -32);
+
+        return compact('symkey', 'symiv', 'hashkey');
+    }
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param array|string $key
+     * @param string|false $password
+     * @return array|false
+     */
+    public static function load($key, $password)
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        if (str_contains($key, 'BEGIN SSH2 PUBLIC KEY')) {
+            $lines = preg_split('#[\r\n]+#', $key);
+            switch (true) {
+                case $lines[0] != '---- BEGIN SSH2 PUBLIC KEY ----':
+                    throw new UnexpectedValueException('Key doesn\'t start with ---- BEGIN SSH2 PUBLIC KEY ----');
+                case $lines[count($lines) - 1] != '---- END SSH2 PUBLIC KEY ----':
+                    throw new UnexpectedValueException('Key doesn\'t end with ---- END SSH2 PUBLIC KEY ----');
+            }
+            $lines = array_splice($lines, 1, -1);
+            $lines = array_map(fn ($line) => rtrim($line, "\r\n"), $lines);
+            $data = $current = '';
+            $values = [];
+            $in_value = false;
+            foreach ($lines as $line) {
+                switch (true) {
+                    case preg_match('#^(.*?): (.*)#', $line, $match):
+                        $in_value = $line[-1] == '\\';
+                        $current = strtolower($match[1]);
+                        $values[$current] = $in_value ? substr($match[2], 0, -1) : $match[2];
+                        break;
+                    case $in_value:
+                        $in_value = $line[-1] == '\\';
+                        $values[$current] .= $in_value ? substr($line, 0, -1) : $line;
+                        break;
+                    default:
+                        $data .= $line;
+                }
+            }
+
+            $components = call_user_func([static::PUBLIC_HANDLER, 'load'], $data);
+            if ($components === false) {
+                throw new UnexpectedValueException('Unable to decode public key');
+            }
+            $components += $values;
+            $components['comment'] = str_replace(['\\\\', '\"'], ['\\', '"'], $values['comment']);
+
+            return $components;
+        }
+
+        $components = [];
+
+        $key = preg_split('#\r\n|\r|\n#', trim($key));
+        if (Strings::shift($key[0], strlen('PuTTY-User-Key-File-')) != 'PuTTY-User-Key-File-') {
+            return false;
+        }
+        $version = (int) Strings::shift($key[0], 3); // should be either "2: " or "3: 0" prior to int casting
+        if ($version != 2 && $version != 3) {
+            throw new RuntimeException('Only v2 and v3 PuTTY private keys are supported');
+        }
+        $components['type'] = $type = rtrim($key[0]);
+        if (!in_array($type, static::$types)) {
+            $error = count(static::$types) == 1 ?
+                'Only ' . static::$types[0] . ' keys are supported. ' :
+                '';
+            throw new UnsupportedAlgorithmException($error . 'This is an unsupported ' . $type . ' key');
+        }
+        $encryption = trim(preg_replace('#Encryption: (.+)#', '$1', $key[1]));
+        $components['comment'] = trim(preg_replace('#Comment: (.+)#', '$1', $key[2]));
+
+        $publicLength = (int) trim(preg_replace('#Public-Lines: (\d+)#', '$1', $key[3]));
+        $public = Strings::base64_decode(implode('', array_map('trim', array_slice($key, 4, $publicLength))));
+
+        $source = Strings::packSSH2('ssss', $type, $encryption, $components['comment'], $public);
+
+        extract(unpack('Nlength', Strings::shift($public, 4)));
+        $newtype = Strings::shift($public, $length);
+        if ($newtype != $type) {
+            throw new RuntimeException('The binary type does not match the human readable type field');
+        }
+
+        $components['public'] = $public;
+
+        switch ($version) {
+            case 3:
+                $hashkey = '';
+                break;
+            case 2:
+                $hashkey = 'putty-private-key-file-mac-key';
+        }
+
+        $offset = $publicLength + 4;
+        switch ($encryption) {
+            case 'aes256-cbc':
+                $crypto = new AES('cbc');
+                switch ($version) {
+                    case 3:
+                        $flavour = trim(preg_replace('#Key-Derivation: (.*)#', '$1', $key[$offset++]));
+                        $memory = trim(preg_replace('#Argon2-Memory: (\d+)#', '$1', $key[$offset++]));
+                        $passes = trim(preg_replace('#Argon2-Passes: (\d+)#', '$1', $key[$offset++]));
+                        $parallelism = trim(preg_replace('#Argon2-Parallelism: (\d+)#', '$1', $key[$offset++]));
+                        $salt = Strings::hex2bin(trim(preg_replace('#Argon2-Salt: ([0-9a-f]+)#', '$1', $key[$offset++])));
+
+                        extract(self::generateV3Key($password, $flavour, (int)$memory, (int)$passes, $salt));
+
+                        break;
+                    case 2:
+                        $symkey = self::generateV2Key($password, 32);
+                        $symiv = str_repeat("\0", $crypto->getBlockLength() >> 3);
+                        $hashkey .= $password;
+                }
+        }
+
+        switch ($version) {
+            case 3:
+                $hash = new Hash('sha256');
+                $hash->setKey($hashkey);
+                break;
+            case 2:
+                $hash = new Hash('sha1');
+                $hash->setKey(sha1($hashkey, true));
+        }
+
+        $privateLength = (int) trim(preg_replace('#Private-Lines: (\d+)#', '$1', $key[$offset++]));
+        $private = Strings::base64_decode(implode('', array_map('trim', array_slice($key, $offset, $privateLength))));
+
+        if ($encryption != 'none') {
+            $crypto->setKey($symkey);
+            $crypto->setIV($symiv);
+            $crypto->disablePadding();
+            $private = $crypto->decrypt($private);
+        }
+
+        $source .= Strings::packSSH2('s', $private);
+
+        $hmac = trim(preg_replace('#Private-MAC: (.+)#', '$1', $key[$offset + $privateLength]));
+        $hmac = Strings::hex2bin($hmac);
+
+        if (!hash_equals($hash->hash($source), $hmac)) {
+            throw new UnexpectedValueException('MAC validation error');
+        }
+
+        $components['private'] = $private;
+
+        return $components;
+    }
+
+    /**
+     * Wrap a private key appropriately
+     *
+     * @param string|false $password
+     * @param array $options optional
+     */
+    protected static function wrapPrivateKey(string $public, string $private, string $type, $password, array $options = []): string
+    {
+        $encryption = (!empty($password) || is_string($password)) ? 'aes256-cbc' : 'none';
+        $comment = $options['comment'] ?? self::$comment;
+        $version = $options['version'] ?? self::$version;
+
+        $key = "PuTTY-User-Key-File-$version: $type\r\n";
+        $key .= "Encryption: $encryption\r\n";
+        $key .= "Comment: $comment\r\n";
+
+        $public = Strings::packSSH2('s', $type) . $public;
+
+        $source = Strings::packSSH2('ssss', $type, $encryption, $comment, $public);
+
+        $public = Strings::base64_encode($public);
+        $key .= "Public-Lines: " . ((strlen($public) + 63) >> 6) . "\r\n";
+        $key .= chunk_split($public, 64);
+
+        if (empty($password) && !is_string($password)) {
+            $source .= Strings::packSSH2('s', $private);
+            switch ($version) {
+                case 3:
+                    $hash = new Hash('sha256');
+                    $hash->setKey('');
+                    break;
+                case 2:
+                    $hash = new Hash('sha1');
+                    $hash->setKey(sha1('putty-private-key-file-mac-key', true));
+            }
+        } else {
+            $private .= Random::string(16 - (strlen($private) & 15));
+            $source .= Strings::packSSH2('s', $private);
+            $crypto = new AES('cbc');
+
+            switch ($version) {
+                case 3:
+                    $salt = Random::string(16);
+                    $key .= "Key-Derivation: Argon2id\r\n";
+                    $key .= "Argon2-Memory: 8192\r\n";
+                    $key .= "Argon2-Passes: 13\r\n";
+                    $key .= "Argon2-Parallelism: 1\r\n";
+                    $key .= "Argon2-Salt: " . Strings::bin2hex($salt) . "\r\n";
+                    extract(self::generateV3Key($password, 'Argon2id', 8192, 13, $salt));
+
+                    $hash = new Hash('sha256');
+                    $hash->setKey($hashkey);
+
+                    break;
+                case 2:
+                    $symkey = self::generateV2Key($password, 32);
+                    $symiv = str_repeat("\0", $crypto->getBlockLength() >> 3);
+                    $hashkey = 'putty-private-key-file-mac-key' . $password;
+
+                    $hash = new Hash('sha1');
+                    $hash->setKey(sha1($hashkey, true));
+            }
+
+            $crypto->setKey($symkey);
+            $crypto->setIV($symiv);
+            $crypto->disablePadding();
+            $private = $crypto->encrypt($private);
+            $mac = $hash->hash($source);
+        }
+
+        $private = Strings::base64_encode($private);
+        $key .= 'Private-Lines: ' . ((strlen($private) + 63) >> 6) . "\r\n";
+        $key .= chunk_split($private, 64);
+        $key .= 'Private-MAC: ' . Strings::bin2hex($hash->hash($source)) . "\r\n";
+
+        return $key;
+    }
+
+    /**
+     * Wrap a public key appropriately
+     *
+     * This is basically the format described in RFC 4716 (https://tools.ietf.org/html/rfc4716)
+     */
+    protected static function wrapPublicKey(string $key, string $type): string
+    {
+        $key = pack('Na*a*', strlen($type), $type, $key);
+        $key = "---- BEGIN SSH2 PUBLIC KEY ----\r\n" .
+               'Comment: "' . str_replace(['\\', '"'], ['\\\\', '\"'], self::$comment) . "\"\r\n" .
+               chunk_split(Strings::base64_encode($key), 64) .
+               '---- END SSH2 PUBLIC KEY ----';
+        return $key;
+    }
+}

phpseclib/Crypt/Common/Formats/Signature/Raw.php

@@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Raw Signature Handler
+ *
+ * PHP version 5
+ *
+ * Handles signatures as arrays
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Formats\Signature;
+
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Raw Signature Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class Raw
+{
+    /**
+     * Loads a signature
+     *
+     * @return array|bool
+     */
+    public static function load(array $sig)
+    {
+        switch (true) {
+            case !is_array($sig):
+            case !isset($sig['r']) || !isset($sig['s']):
+            case !$sig['r'] instanceof BigInteger:
+            case !$sig['s'] instanceof BigInteger:
+                return false;
+        }
+
+        return [
+            'r' => $sig['r'],
+            's' => $sig['s'],
+        ];
+    }
+
+    /**
+     * Returns a signature in the appropriate format
+     */
+    public static function save(BigInteger $r, BigInteger $s): string
+    {
+        return compact('r', 's');
+    }
+}

phpseclib/Crypt/Common/PrivateKey.php

@@ -0,0 +1,32 @@
+<?php
+
+/**
+ * PrivateKey interface
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2009 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common;
+
+/**
+ * PrivateKey interface
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+interface PrivateKey
+{
+    public function sign($message);
+    //public function decrypt($ciphertext);
+    public function getPublicKey();
+    public function toString(string $type, array $options = []): string;
+
+    /**
+     * @return static
+     */
+    public function withPassword(?string $password = null): PrivateKey;
+}

phpseclib/Crypt/Common/PublicKey.php

@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * PublicKey interface
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2009 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common;
+
+/**
+ * PublicKey interface
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+interface PublicKey
+{
+    public function verify($message, $signature);
+    //public function encrypt($plaintext);
+    public function toString(string $type, array $options = []): string;
+    public function getFingerprint($algorithm);
+}

phpseclib/Crypt/Common/StreamCipher.php

@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Base Class for all stream ciphers
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @author    Hans-Juergen Petrich <petrich@tronic-media.com>
+ * @copyright 2007 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common;
+
+/**
+ * Base Class for all stream cipher classes
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class StreamCipher extends SymmetricKey
+{
+    /**
+     * Block Length of the cipher
+     *
+     * Stream ciphers do not have a block size
+     *
+     * @see \phpseclib3\Crypt\Common\SymmetricKey::block_size
+     * @var int
+     */
+    protected $block_size = 0;
+
+    /**
+     * Default Constructor.
+     *
+     * @see \phpseclib3\Crypt\Common\SymmetricKey::__construct()
+     * @return StreamCipher
+     */
+    public function __construct()
+    {
+        parent::__construct('stream');
+    }
+
+    /**
+     * Stream ciphers not use an IV
+     */
+    public function usesIV(): bool
+    {
+        return false;
+    }
+}

phpseclib/Crypt/Common/Traits/Fingerprint.php

@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * Fingerprint Trait for Public Keys
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Traits;
+
+use phpseclib3\Crypt\Hash;
+
+/**
+ * Fingerprint Trait for Private Keys
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+trait Fingerprint
+{
+    /**
+     * Returns the public key's fingerprint
+     *
+     * The public key's fingerprint is returned, which is equivalent to running `ssh-keygen -lf rsa.pub`. If there is
+     * no public key currently loaded, false is returned.
+     * Example output (md5): "c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:87" (as specified by RFC 4716)
+     *
+     * @param string $algorithm The hashing algorithm to be used. Valid options are 'md5' and 'sha256'. False is returned
+     * for invalid values.
+     */
+    public function getFingerprint($algorithm = 'md5')
+    {
+        $type = self::validatePlugin('Keys', 'OpenSSH', 'savePublicKey');
+        if ($type === false) {
+            return false;
+        }
+        $key = $this->toString('OpenSSH', ['binary' => true]);
+        if ($key === false) {
+            return false;
+        }
+        switch ($algorithm) {
+            case 'sha256':
+                $hash = new Hash('sha256');
+                $base = base64_encode($hash->hash($key));
+                return substr($base, 0, strlen($base) - 1);
+            case 'md5':
+                return substr(chunk_split(md5($key), 2, ':'), 0, -1);
+            default:
+                return false;
+        }
+    }
+}

phpseclib/Crypt/Common/Traits/PasswordProtected.php

@@ -0,0 +1,47 @@
+<?php
+
+/**
+ * Password Protected Trait for Private Keys
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\Common\Traits;
+
+/**
+ * Password Protected Trait for Private Keys
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+trait PasswordProtected
+{
+    /**
+     * @var string|null
+     */
+    private $password = null;
+
+    /**
+     * Sets the password
+     *
+     * Private keys can be encrypted with a password.  To unset the password, pass in the empty string or false.
+     * Or rather, pass in $password such that empty($password) && !is_string($password) is true.
+     *
+     * @see self::createKey()
+     * @see self::load()
+     *
+     * @return static
+     */
+    public function withPassword(?string $password = null): self
+    {
+        $new = clone $this;
+        $new->password = $password;
+        return $new;
+    }
+}

phpseclib/Crypt/DH.php

@@ -0,0 +1,397 @@
+<?php
+
+/**
+ * Pure-PHP (EC)DH implementation
+ *
+ * PHP version 5
+ *
+ * Here's an example of how to compute a shared secret with this library:
+ * <code>
+ * <?php
+ * include 'vendor/autoload.php';
+ *
+ * $ourPrivate = \phpseclib3\Crypt\DH::createKey();
+ * $secret = DH::computeSecret($ourPrivate, $theirPublic);
+ *
+ * ?>
+ * </code>
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt;
+
+use phpseclib3\Crypt\Common\AsymmetricKey;
+use phpseclib3\Crypt\DH\Parameters;
+use phpseclib3\Crypt\DH\PrivateKey;
+use phpseclib3\Crypt\DH\PublicKey;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Exception\NoKeyLoadedException;
+use phpseclib3\Exception\UnsupportedOperationException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Pure-PHP (EC)DH implementation
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class DH extends AsymmetricKey
+{
+    /**
+     * Algorithm Name
+     *
+     * @var string
+     */
+    public const ALGORITHM = 'DH';
+
+    /**
+     * DH prime
+     *
+     * @var BigInteger
+     */
+    protected $prime;
+
+    /**
+     * DH Base
+     *
+     * Prime divisor of p-1
+     *
+     * @var BigInteger
+     */
+    protected $base;
+
+    /**
+     * Public Key
+     *
+     * @var BigInteger
+     */
+    protected $publicKey;
+
+    /**
+     * Create DH parameters
+     *
+     * This method is a bit polymorphic. It can take any of the following:
+     *  - two BigInteger's (prime and base)
+     *  - an integer representing the size of the prime in bits (the base is assumed to be 2)
+     *  - a string (eg. diffie-hellman-group14-sha1)
+     */
+    public static function createParameters(...$args): Parameters
+    {
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('createParameters() should not be called from final classes (' . static::class . ')');
+        }
+
+        $params = new Parameters();
+        if (count($args) == 2 && $args[0] instanceof BigInteger && $args[1] instanceof BigInteger) {
+            //if (!$args[0]->isPrime()) {
+            //    throw new \phpseclib3\Exception\InvalidArgumentException('The first parameter should be a prime number');
+            //}
+            $params->prime = $args[0];
+            $params->base = $args[1];
+            return $params;
+        } elseif (count($args) == 1 && is_numeric($args[0])) {
+            $params->prime = BigInteger::randomPrime($args[0]);
+            $params->base = new BigInteger(2);
+            return $params;
+        } elseif (count($args) != 1 || !is_string($args[0])) {
+            throw new InvalidArgumentException('Valid parameters are either: two BigInteger\'s (prime and base), a single integer (the length of the prime; base is assumed to be 2) or a string');
+        }
+        switch ($args[0]) {
+            // see http://tools.ietf.org/html/rfc2409#section-6.2 and
+            // http://tools.ietf.org/html/rfc2412, appendex E
+            case 'diffie-hellman-group1-sha1':
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
+                break;
+            // see http://tools.ietf.org/html/rfc3526#section-3
+            case 'diffie-hellman-group14-sha1': // 2048-bit MODP Group
+            case 'diffie-hellman-group14-sha256':
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05' .
+                         '98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB' .
+                         '9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B' .
+                         'E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718' .
+                         '3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF';
+                break;
+            // see https://tools.ietf.org/html/rfc3526#section-4
+            case 'diffie-hellman-group15-sha512': // 3072-bit MODP Group
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05' .
+                         '98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB' .
+                         '9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B' .
+                         'E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718' .
+                         '3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33' .
+                         'A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7' .
+                         'ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864' .
+                         'D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2' .
+                         '08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF';
+                break;
+            // see https://tools.ietf.org/html/rfc3526#section-5
+            case 'diffie-hellman-group16-sha512': // 4096-bit MODP Group
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05' .
+                         '98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB' .
+                         '9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B' .
+                         'E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718' .
+                         '3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33' .
+                         'A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7' .
+                         'ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864' .
+                         'D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2' .
+                         '08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7' .
+                         '88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8' .
+                         'DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2' .
+                         '233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9' .
+                         '93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF';
+                break;
+            // see https://tools.ietf.org/html/rfc3526#section-6
+            case 'diffie-hellman-group17-sha512': // 6144-bit MODP Group
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05' .
+                         '98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB' .
+                         '9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B' .
+                         'E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718' .
+                         '3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33' .
+                         'A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7' .
+                         'ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864' .
+                         'D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2' .
+                         '08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7' .
+                         '88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8' .
+                         'DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2' .
+                         '233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9' .
+                         '93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026' .
+                         'C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AE' .
+                         'B06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B' .
+                         'DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92EC' .
+                         'F032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E' .
+                         '59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA' .
+                         'CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76' .
+                         'F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468' .
+                         '043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF';
+                break;
+            // see https://tools.ietf.org/html/rfc3526#section-7
+            case 'diffie-hellman-group18-sha512': // 8192-bit MODP Group
+                $prime = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' .
+                         '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' .
+                         '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' .
+                         'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05' .
+                         '98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB' .
+                         '9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B' .
+                         'E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718' .
+                         '3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33' .
+                         'A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7' .
+                         'ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864' .
+                         'D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2' .
+                         '08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7' .
+                         '88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8' .
+                         'DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2' .
+                         '233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9' .
+                         '93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026' .
+                         'C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AE' .
+                         'B06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B' .
+                         'DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92EC' .
+                         'F032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E' .
+                         '59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA' .
+                         'CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76' .
+                         'F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468' .
+                         '043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4' .
+                         '38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED' .
+                         '2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652D' .
+                         'E3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B' .
+                         '4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A6' .
+                         '6D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851D' .
+                         'F9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92' .
+                         '4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA' .
+                         '9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF';
+                break;
+            default:
+                throw new InvalidArgumentException('Invalid named prime provided');
+        }
+
+        $params->prime = new BigInteger($prime, 16);
+        $params->base = new BigInteger(2);
+
+        return $params;
+    }
+
+    /**
+     * Create public / private key pair.
+     *
+     * The rationale for the second parameter is described in http://tools.ietf.org/html/rfc4419#section-6.2 :
+     *
+     * "To increase the speed of the key exchange, both client and server may
+     *  reduce the size of their private exponents.  It should be at least
+     *  twice as long as the key material that is generated from the shared
+     *  secret.  For more details, see the paper by van Oorschot and Wiener
+     *  [VAN-OORSCHOT]."
+     *
+     * $length is in bits
+     *
+     * @param int $length optional
+     */
+    public static function createKey(Parameters $params, int $length = 0): PrivateKey
+    {
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('createKey() should not be called from final classes (' . static::class . ')');
+        }
+
+        $one = new BigInteger(1);
+        if ($length) {
+            $max = $one->bitwise_leftShift($length);
+            $max = $max->subtract($one);
+        } else {
+            $max = $params->prime->subtract($one);
+        }
+
+        $key = new PrivateKey();
+        $key->prime = $params->prime;
+        $key->base = $params->base;
+        $key->privateKey = BigInteger::randomRange($one, $max);
+        $key->publicKey = $key->base->powMod($key->privateKey, $key->prime);
+        return $key;
+    }
+
+    /**
+     * Compute Shared Secret
+     *
+     * @param PrivateKey|EC $private
+     * @param PublicKey|BigInteger|string $public
+     */
+    public static function computeSecret($private, $public)
+    {
+        if ($private instanceof PrivateKey) { // DH\PrivateKey
+            switch (true) {
+                case $public instanceof PublicKey:
+                    if (!$private->prime->equals($public->prime) || !$private->base->equals($public->base)) {
+                        throw new InvalidArgumentException('The public and private key do not share the same prime and / or base numbers');
+                    }
+                    return $public->publicKey->powMod($private->privateKey, $private->prime)->toBytes(true);
+                case is_string($public):
+                    $public = new BigInteger($public, -256);
+                    // fall-through
+                case $public instanceof BigInteger:
+                    return $public->powMod($private->privateKey, $private->prime)->toBytes(true);
+                default:
+                    throw new InvalidArgumentException('$public needs to be an instance of DH\PublicKey, a BigInteger or a string');
+            }
+        }
+
+        if ($private instanceof EC\PrivateKey) {
+            switch (true) {
+                case $public instanceof EC\PublicKey:
+                    $public = $public->getEncodedCoordinates();
+                    // fall-through
+                case is_string($public):
+                    $point = $private->multiply($public);
+                    switch ($private->getCurve()) {
+                        case 'Curve25519':
+                        case 'Curve448':
+                            $secret = $point;
+                            break;
+                        default:
+                            // according to https://www.secg.org/sec1-v2.pdf#page=33 only X is returned
+                            $secret = substr($point, 1, (strlen($point) - 1) >> 1);
+                    }
+                    /*
+                    if (($secret[0] & "\x80") === "\x80") {
+                        $secret = "\0$secret";
+                    }
+                    */
+                    return $secret;
+                default:
+                    throw new InvalidArgumentException('$public needs to be an instance of EC\PublicKey or a string (an encoded coordinate)');
+            }
+        }
+    }
+
+    /**
+     * Load the key
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): AsymmetricKey
+    {
+        try {
+            return EC::load($key, $password);
+        } catch (NoKeyLoadedException $e) {
+        }
+
+        return parent::load($key, $password);
+    }
+
+    /**
+     * OnLoad Handler
+     *
+     * @return Parameters|PrivateKey|PublicKey
+     */
+    protected static function onLoad(array $components)
+    {
+        if (!isset($components['privateKey']) && !isset($components['publicKey'])) {
+            $new = new Parameters();
+        } else {
+            $new = isset($components['privateKey']) ?
+                new PrivateKey() :
+                new PublicKey();
+        }
+
+        $new->prime = $components['prime'];
+        $new->base = $components['base'];
+
+        if (isset($components['privateKey'])) {
+            $new->privateKey = $components['privateKey'];
+        }
+        if (isset($components['publicKey'])) {
+            $new->publicKey = $components['publicKey'];
+        }
+
+        return $new;
+    }
+
+    /**
+     * Determines which hashing function should be used
+     */
+    public function withHash(string $hash): AsymmetricKey
+    {
+        throw new UnsupportedOperationException('DH does not use a hash algorithm');
+    }
+
+    /**
+     * Returns the hash algorithm currently being used
+     */
+    public function getHash(): Hash
+    {
+        throw new UnsupportedOperationException('DH does not use a hash algorithm');
+    }
+
+    /**
+     * Returns the parameters
+     *
+     * A public / private key is only returned if the currently loaded "key" contains an x or y
+     * value.
+     *
+     * @see self::getPublicKey()
+     */
+    public function getParameters(): AsymmetricKey
+    {
+        $type = DH::validatePlugin('Keys', 'PKCS1', 'saveParameters');
+
+        $key = $type::saveParameters($this->prime, $this->base);
+        return DH::load($key, 'PKCS1');
+    }
+}

phpseclib/Crypt/DH/Formats/Keys/PKCS1.php

@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * "PKCS1" Formatted EC Key Handler
+ *
+ * PHP version 5
+ *
+ * Processes keys with the following headers:
+ *
+ * -----BEGIN DH PARAMETERS-----
+ *
+ * Technically, PKCS1 is for RSA keys, only, but we're using PKCS1 to describe
+ * DSA, whose format isn't really formally described anywhere, so might as well
+ * use it to describe this, too.
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DH\Formats\Keys;
+
+use phpseclib3\Crypt\Common\Formats\Keys\PKCS1 as Progenitor;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * "PKCS1" Formatted DH Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS1 extends Progenitor
+{
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        $key = parent::load($key, $password);
+
+        $decoded = ASN1::decodeBER($key);
+        if (!$decoded) {
+            throw new RuntimeException('Unable to decode BER');
+        }
+
+        $components = ASN1::asn1map($decoded[0], Maps\DHParameter::MAP);
+        if (!is_array($components)) {
+            throw new RuntimeException('Unable to perform ASN1 mapping on parameters');
+        }
+
+        return $components;
+    }
+
+    /**
+     * Convert EC parameters to the appropriate format
+     */
+    public static function saveParameters(BigInteger $prime, BigInteger $base, array $options = []): string
+    {
+        $params = [
+            'prime' => $prime,
+            'base' => $base,
+        ];
+        $params = ASN1::encodeDER($params, Maps\DHParameter::MAP);
+
+        return "-----BEGIN DH PARAMETERS-----\r\n" .
+               chunk_split(base64_encode($params), 64) .
+               "-----END DH PARAMETERS-----\r\n";
+    }
+}

phpseclib/Crypt/DH/Formats/Keys/PKCS8.php

@@ -0,0 +1,121 @@
+<?php
+
+/**
+ * PKCS#8 Formatted DH Key Handler
+ *
+ * PHP version 5
+ *
+ * Processes keys with the following headers:
+ *
+ * -----BEGIN ENCRYPTED PRIVATE KEY-----
+ * -----BEGIN PRIVATE KEY-----
+ * -----BEGIN PUBLIC KEY-----
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DH\Formats\Keys;
+
+use phpseclib3\Crypt\Common\Formats\Keys\PKCS8 as Progenitor;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * PKCS#8 Formatted DH Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS8 extends Progenitor
+{
+    /**
+     * OID Name
+     *
+     * @var string
+     */
+    public const OID_NAME = 'dhKeyAgreement';
+
+    /**
+     * OID Value
+     *
+     * @var string
+     */
+    public const OID_VALUE = '1.2.840.113549.1.3.1';
+
+    /**
+     * Child OIDs loaded
+     *
+     * @var bool
+     */
+    protected static $childOIDsLoaded = false;
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        $key = parent::load($key, $password);
+
+        $type = isset($key['privateKey']) ? 'privateKey' : 'publicKey';
+
+        $decoded = ASN1::decodeBER($key[$type . 'Algorithm']['parameters']->element);
+        if (empty($decoded)) {
+            throw new RuntimeException('Unable to decode BER of parameters');
+        }
+        $components = ASN1::asn1map($decoded[0], Maps\DHParameter::MAP);
+        if (!is_array($components)) {
+            throw new RuntimeException('Unable to perform ASN1 mapping on parameters');
+        }
+
+        $decoded = ASN1::decodeBER($key[$type]);
+        switch (true) {
+            case !isset($decoded):
+            case !isset($decoded[0]['content']):
+            case !$decoded[0]['content'] instanceof BigInteger:
+                throw new RuntimeException('Unable to decode BER of parameters');
+        }
+        $components[$type] = $decoded[0]['content'];
+
+        return $components;
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     */
+    public static function savePrivateKey(BigInteger $prime, BigInteger $base, BigInteger $privateKey, BigInteger $publicKey, ?string $password = null, array $options = []): string
+    {
+        $params = [
+            'prime' => $prime,
+            'base' => $base,
+        ];
+        $params = ASN1::encodeDER($params, Maps\DHParameter::MAP);
+        $params = new ASN1\Element($params);
+        $key = ASN1::encodeDER($privateKey, ['type' => ASN1::TYPE_INTEGER]);
+        return self::wrapPrivateKey($key, [], $params, $password, null, '', $options);
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     *
+     * @param array $options optional
+     */
+    public static function savePublicKey(BigInteger $prime, BigInteger $base, BigInteger $publicKey, array $options = []): string
+    {
+        $params = [
+            'prime' => $prime,
+            'base' => $base,
+        ];
+        $params = ASN1::encodeDER($params, Maps\DHParameter::MAP);
+        $params = new ASN1\Element($params);
+        $key = ASN1::encodeDER($publicKey, ['type' => ASN1::TYPE_INTEGER]);
+        return self::wrapPublicKey($key, $params);
+    }
+}

phpseclib/Crypt/DH/Parameters.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * DH Parameters
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DH;
+
+use phpseclib3\Crypt\DH;
+
+/**
+ * DH Parameters
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class Parameters extends DH
+{
+    /**
+     * Returns the parameters
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type = 'PKCS1', array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', 'PKCS1', 'saveParameters');
+
+        return $type::saveParameters($this->prime, $this->base, $options);
+    }
+}

phpseclib/Crypt/DH/PrivateKey.php

@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * DH Private Key
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DH;
+
+use phpseclib3\Crypt\Common;
+use phpseclib3\Crypt\DH;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * DH Private Key
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class PrivateKey extends DH
+{
+    use Common\Traits\PasswordProtected;
+
+    /**
+     * Private Key
+     *
+     * @var BigInteger
+     */
+    protected $privateKey;
+
+    /**
+     * Public Key
+     *
+     * @var BigInteger
+     */
+    protected $publicKey;
+
+    /**
+     * Returns the public key
+     *
+     * @return DH\PublicKey
+     */
+    public function getPublicKey(): PublicKey
+    {
+        $type = self::validatePlugin('Keys', 'PKCS8', 'savePublicKey');
+
+        if (!isset($this->publicKey)) {
+            $this->publicKey = $this->base->powMod($this->privateKey, $this->prime);
+        }
+
+        $key = $type::savePublicKey($this->prime, $this->base, $this->publicKey);
+
+        return DH::loadFormat('PKCS8', $key);
+    }
+
+    /**
+     * Returns the private key
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type, array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', $type, 'savePrivateKey');
+
+        if (!isset($this->publicKey)) {
+            $this->publicKey = $this->base->powMod($this->privateKey, $this->prime);
+        }
+
+        return $type::savePrivateKey($this->prime, $this->base, $this->privateKey, $this->publicKey, $this->password, $options);
+    }
+}

phpseclib/Crypt/DH/PublicKey.php

@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * DH Public Key
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DH;
+
+use phpseclib3\Crypt\Common;
+use phpseclib3\Crypt\DH;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * DH Public Key
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class PublicKey extends DH
+{
+    use Common\Traits\Fingerprint;
+
+    /**
+     * Returns the public key
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type, array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', $type, 'savePublicKey');
+
+        return $type::savePublicKey($this->prime, $this->base, $this->publicKey, $options);
+    }
+
+    /**
+     * Returns the public key as a BigInteger
+     */
+    public function toBigInteger(): BigInteger
+    {
+        return $this->publicKey;
+    }
+}

phpseclib/Crypt/DSA.php

@@ -0,0 +1,330 @@
+<?php
+
+/**
+ * Pure-PHP FIPS 186-4 compliant implementation of DSA.
+ *
+ * PHP version 5
+ *
+ * Here's an example of how to create signatures and verify signatures with this library:
+ * <code>
+ * <?php
+ * include 'vendor/autoload.php';
+ *
+ * $private = \phpseclib3\Crypt\DSA::createKey();
+ * $public = $private->getPublicKey();
+ *
+ * $plaintext = 'terrafrost';
+ *
+ * $signature = $private->sign($plaintext);
+ *
+ * echo $public->verify($plaintext, $signature) ? 'verified' : 'unverified';
+ * ?>
+ * </code>
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt;
+
+use phpseclib3\Crypt\Common\AsymmetricKey;
+use phpseclib3\Crypt\DSA\Parameters;
+use phpseclib3\Crypt\DSA\PrivateKey;
+use phpseclib3\Crypt\DSA\PublicKey;
+use phpseclib3\Exception\InsufficientSetupException;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Pure-PHP FIPS 186-4 compliant implementation of DSA.
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class DSA extends AsymmetricKey
+{
+    /**
+     * Algorithm Name
+     *
+     * @var string
+     */
+    public const ALGORITHM = 'DSA';
+
+    /**
+     * DSA Prime P
+     *
+     * @var BigInteger
+     */
+    protected $p;
+
+    /**
+     * DSA Group Order q
+     *
+     * Prime divisor of p-1
+     *
+     * @var BigInteger
+     */
+    protected $q;
+
+    /**
+     * DSA Group Generator G
+     *
+     * @var BigInteger
+     */
+    protected $g;
+
+    /**
+     * DSA public key value y
+     *
+     * @var BigInteger
+     */
+    protected $y;
+
+    /**
+     * Signature Format
+     *
+     * @var string
+     */
+    protected $sigFormat;
+
+    /**
+     * Signature Format (Short)
+     *
+     * @var string
+     */
+    protected $shortFormat;
+
+    /**
+     * Create DSA parameters
+     *
+     * @return DSA|bool
+     */
+    public static function createParameters(int $L = 2048, int $N = 224)
+    {
+        self::initialize_static_variables();
+
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('createParameters() should not be called from final classes (' . static::class . ')');
+        }
+
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+
+        switch (true) {
+            case $N == 160:
+            /*
+              in FIPS 186-1 and 186-2 N was fixed at 160 whereas K had an upper bound of 1024.
+              RFC 4253 (SSH Transport Layer Protocol) references FIPS 186-2 and as such most
+              SSH DSA implementations only support keys with an N of 160.
+              puttygen let's you set the size of L (but not the size of N) and uses 2048 as the
+              default L value. that's not really compliant with any of the FIPS standards, however,
+              for the purposes of maintaining compatibility with puttygen, we'll support it
+            */
+            //case ($L >= 512 || $L <= 1024) && (($L & 0x3F) == 0) && $N == 160:
+            // FIPS 186-3 changed this as follows:
+            //case $L == 1024 && $N == 160:
+            case $L == 2048 && $N == 224:
+            case $L == 2048 && $N == 256:
+            case $L == 3072 && $N == 256:
+                break;
+            default:
+                throw new InvalidArgumentException('Invalid values for N and L');
+        }
+
+        $two = new BigInteger(2);
+
+        $q = BigInteger::randomPrime($N);
+        $divisor = $q->multiply($two);
+
+        do {
+            $x = BigInteger::random($L);
+            [, $c] = $x->divide($divisor);
+            $p = $x->subtract($c->subtract(self::$one));
+        } while ($p->getLength() != $L || !$p->isPrime());
+
+        $p_1 = $p->subtract(self::$one);
+        [$e] = $p_1->divide($q);
+
+        // quoting http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=50 ,
+        // "h could be obtained from a random number generator or from a counter that
+        //  changes after each use". PuTTY (sshdssg.c) starts h off at 1 and increments
+        // it on each loop. wikipedia says "commonly h = 2 is used" so we'll just do that
+        $h = clone $two;
+        while (true) {
+            $g = $h->powMod($e, $p);
+            if (!$g->equals(self::$one)) {
+                break;
+            }
+            $h = $h->add(self::$one);
+        }
+
+        $dsa = new Parameters();
+        $dsa->p = $p;
+        $dsa->q = $q;
+        $dsa->g = $g;
+
+        return $dsa;
+    }
+
+    /**
+     * Create public / private key pair.
+     *
+     * This method is a bit polymorphic. It can take a DSA/Parameters object, L / N as two distinct parameters or
+     * no parameters (at which point L and N will be generated with this method)
+     *
+     * Returns the private key, from which the publickey can be extracted
+     *
+     * @param int[] ...$args
+     */
+    public static function createKey(...$args): PrivateKey
+    {
+        self::initialize_static_variables();
+
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('createKey() should not be called from final classes (' . static::class . ')');
+        }
+
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+
+        if (count($args) == 2 && is_int($args[0]) && is_int($args[1])) {
+            $params = self::createParameters($args[0], $args[1]);
+        } elseif (count($args) == 1 && $args[0] instanceof Parameters) {
+            $params = $args[0];
+        } elseif (!count($args)) {
+            $params = self::createParameters();
+        } else {
+            throw new InsufficientSetupException('Valid parameters are either two integers (L and N), a single DSA object or no parameters at all.');
+        }
+
+        $private = new PrivateKey();
+        $private->p = $params->p;
+        $private->q = $params->q;
+        $private->g = $params->g;
+
+        $private->x = BigInteger::randomRange(self::$one, $private->q->subtract(self::$one));
+        $private->y = $private->g->powMod($private->x, $private->p);
+
+        //$public = clone $private;
+        //unset($public->x);
+
+        return $private
+            ->withHash($params->hash->getHash())
+            ->withSignatureFormat($params->shortFormat);
+    }
+
+    /**
+     * OnLoad Handler
+     *
+     * @return Parameters|PrivateKey|PublicKey
+     */
+    protected static function onLoad(array $components)
+    {
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+
+        if (!isset($components['x']) && !isset($components['y'])) {
+            $new = new Parameters();
+        } elseif (isset($components['x'])) {
+            $new = new PrivateKey();
+            $new->x = $components['x'];
+        } else {
+            $new = new PublicKey();
+        }
+
+        $new->p = $components['p'];
+        $new->q = $components['q'];
+        $new->g = $components['g'];
+
+        if (isset($components['y'])) {
+            $new->y = $components['y'];
+        }
+
+        return $new;
+    }
+
+    /**
+     * Constructor
+     *
+     * PublicKey and PrivateKey objects can only be created from abstract RSA class
+     */
+    protected function __construct()
+    {
+        $this->sigFormat = self::validatePlugin('Signature', 'ASN1');
+        $this->shortFormat = 'ASN1';
+
+        parent::__construct();
+    }
+
+    /**
+     * Returns the key size
+     *
+     * More specifically, this L (the length of DSA Prime P) and N (the length of DSA Group Order q)
+     */
+    public function getLength(): array
+    {
+        return ['L' => $this->p->getLength(), 'N' => $this->q->getLength()];
+    }
+
+    /**
+     * Returns the current engine being used
+     *
+     * @see self::useInternalEngine()
+     * @see self::useBestEngine()
+     */
+    public function getEngine(): string
+    {
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+        return self::$engines['OpenSSL'] && in_array($this->hash->getHash(), openssl_get_md_methods()) ?
+            'OpenSSL' : 'PHP';
+    }
+
+    /**
+     * Returns the parameters
+     *
+     * A public / private key is only returned if the currently loaded "key" contains an x or y
+     * value.
+     *
+     * @see self::getPublicKey()
+     */
+    public function getParameters()
+    {
+        $type = self::validatePlugin('Keys', 'PKCS1', 'saveParameters');
+
+        $key = $type::saveParameters($this->p, $this->q, $this->g);
+        return DSA::load($key, 'PKCS1')
+            ->withHash($this->hash->getHash())
+            ->withSignatureFormat($this->shortFormat);
+    }
+
+    /**
+     * Determines the signature padding mode
+     *
+     * Valid values are: ASN1, SSH2, Raw
+     */
+    public function withSignatureFormat(string $format): DSA
+    {
+        $new = clone $this;
+        $new->shortFormat = $format;
+        $new->sigFormat = self::validatePlugin('Signature', $format);
+        return $new;
+    }
+
+    /**
+     * Returns the signature format currently being used
+     */
+    public function getSignatureFormat(): string
+    {
+        return $this->shortFormat;
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/OpenSSH.php

@@ -0,0 +1,106 @@
+<?php
+
+/**
+ * OpenSSH Formatted DSA Key Handler
+ *
+ * PHP version 5
+ *
+ * Place in $HOME/.ssh/authorized_keys
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\Common\Formats\Keys\OpenSSH as Progenitor;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * OpenSSH Formatted DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class OpenSSH extends Progenitor
+{
+    /**
+     * Supported Key Types
+     *
+     * @var array
+     */
+    protected static $types = ['ssh-dss'];
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        $parsed = parent::load($key, $password);
+
+        if (isset($parsed['paddedKey'])) {
+            [$type] = Strings::unpackSSH2('s', $parsed['paddedKey']);
+            if ($type != $parsed['type']) {
+                throw new RuntimeException("The public and private keys are not of the same type ($type vs $parsed[type])");
+            }
+
+            [$p, $q, $g, $y, $x, $comment] = Strings::unpackSSH2('i5s', $parsed['paddedKey']);
+
+            return compact('p', 'q', 'g', 'y', 'x', 'comment');
+        }
+
+        [$p, $q, $g, $y] = Strings::unpackSSH2('iiii', $parsed['publicKey']);
+
+        $comment = $parsed['comment'];
+
+        return compact('p', 'q', 'g', 'y', 'comment');
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     *
+     * @param array $options optional
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, array $options = []): string
+    {
+        if ($q->getLength() != 160) {
+            throw new InvalidArgumentException('SSH only supports keys with an N (length of Group Order q) of 160');
+        }
+
+        // from <http://tools.ietf.org/html/rfc4253#page-15>:
+        // string    "ssh-dss"
+        // mpint     p
+        // mpint     q
+        // mpint     g
+        // mpint     y
+        $DSAPublicKey = Strings::packSSH2('siiii', 'ssh-dss', $p, $q, $g, $y);
+
+        if ($options['binary'] ?? self::$binary) {
+            return $DSAPublicKey;
+        }
+
+        $comment = $options['comment'] ?? self::$comment;
+        $DSAPublicKey = 'ssh-dss ' . base64_encode($DSAPublicKey) . ' ' . $comment;
+
+        return $DSAPublicKey;
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     */
+    public static function savePrivateKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, BigInteger $x, ?string $password = null, array $options = []): string
+    {
+        $publicKey = self::savePublicKey($p, $q, $g, $y, ['binary' => true]);
+        $privateKey = Strings::packSSH2('si5', 'ssh-dss', $p, $q, $g, $y, $x);
+
+        return self::wrapPrivateKey($publicKey, $privateKey, $password, $options);
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/PKCS1.php

@@ -0,0 +1,127 @@
+<?php
+
+/**
+ * PKCS#1 Formatted DSA Key Handler
+ *
+ * PHP version 5
+ *
+ * Used by File/X509.php
+ *
+ * Processes keys with the following headers:
+ *
+ * -----BEGIN DSA PRIVATE KEY-----
+ * -----BEGIN DSA PUBLIC KEY-----
+ * -----BEGIN DSA PARAMETERS-----
+ *
+ * Analogous to ssh-keygen's pem format (as specified by -m)
+ *
+ * Also, technically, PKCS1 decribes RSA but I am not aware of a formal specification for DSA.
+ * The DSA private key format seems to have been adapted from the RSA private key format so
+ * we're just re-using that as the name.
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\Common\Formats\Keys\PKCS1 as Progenitor;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * PKCS#1 Formatted DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS1 extends Progenitor
+{
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        $key = parent::load($key, $password);
+
+        $decoded = ASN1::decodeBER($key);
+        if (!$decoded) {
+            throw new RuntimeException('Unable to decode BER');
+        }
+
+        $key = ASN1::asn1map($decoded[0], Maps\DSAParams::MAP);
+        if (is_array($key)) {
+            return $key;
+        }
+
+        $key = ASN1::asn1map($decoded[0], Maps\DSAPrivateKey::MAP);
+        if (is_array($key)) {
+            return $key;
+        }
+
+        $key = ASN1::asn1map($decoded[0], Maps\DSAPublicKey::MAP);
+        if (is_array($key)) {
+            return $key;
+        }
+
+        throw new RuntimeException('Unable to perform ASN1 mapping');
+    }
+
+    /**
+     * Convert DSA parameters to the appropriate format
+     */
+    public static function saveParameters(BigInteger $p, BigInteger $q, BigInteger $g): string
+    {
+        $key = [
+            'p' => $p,
+            'q' => $q,
+            'g' => $g,
+        ];
+
+        $key = ASN1::encodeDER($key, Maps\DSAParams::MAP);
+
+        return "-----BEGIN DSA PARAMETERS-----\r\n" .
+               chunk_split(Strings::base64_encode($key), 64) .
+               "-----END DSA PARAMETERS-----\r\n";
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     *
+     * @param string $password optional
+     * @param array $options optional
+     */
+    public static function savePrivateKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, BigInteger $x, string $password = '', array $options = []): string
+    {
+        $key = [
+            'version' => 0,
+            'p' => $p,
+            'q' => $q,
+            'g' => $g,
+            'y' => $y,
+            'x' => $x,
+        ];
+
+        $key = ASN1::encodeDER($key, Maps\DSAPrivateKey::MAP);
+
+        return self::wrapPrivateKey($key, 'DSA', $password, $options);
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y): string
+    {
+        $key = ASN1::encodeDER($y, Maps\DSAPublicKey::MAP);
+
+        return self::wrapPublicKey($key, 'DSA');
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/PKCS8.php

@@ -0,0 +1,133 @@
+<?php
+
+/**
+ * PKCS#8 Formatted DSA Key Handler
+ *
+ * PHP version 5
+ *
+ * Processes keys with the following headers:
+ *
+ * -----BEGIN ENCRYPTED PRIVATE KEY-----
+ * -----BEGIN PRIVATE KEY-----
+ * -----BEGIN PUBLIC KEY-----
+ *
+ * Analogous to ssh-keygen's pkcs8 format (as specified by -m). Although PKCS8
+ * is specific to private keys it's basically creating a DER-encoded wrapper
+ * for keys. This just extends that same concept to public keys (much like ssh-keygen)
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Crypt\Common\Formats\Keys\PKCS8 as Progenitor;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * PKCS#8 Formatted DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PKCS8 extends Progenitor
+{
+    /**
+     * OID Name
+     *
+     * @var string
+     */
+    public const OID_NAME = 'id-dsa';
+
+    /**
+     * OID Value
+     *
+     * @var string
+     */
+    public const OID_VALUE = '1.2.840.10040.4.1';
+
+    /**
+     * Child OIDs loaded
+     *
+     * @var bool
+     */
+    protected static $childOIDsLoaded = false;
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        $key = parent::load($key, $password);
+
+        $type = isset($key['privateKey']) ? 'privateKey' : 'publicKey';
+
+        $decoded = ASN1::decodeBER($key[$type . 'Algorithm']['parameters']->element);
+        if (!$decoded) {
+            throw new RuntimeException('Unable to decode BER of parameters');
+        }
+        $components = ASN1::asn1map($decoded[0], Maps\DSAParams::MAP);
+        if (!is_array($components)) {
+            throw new RuntimeException('Unable to perform ASN1 mapping on parameters');
+        }
+
+        $decoded = ASN1::decodeBER($key[$type]);
+        if (empty($decoded)) {
+            throw new RuntimeException('Unable to decode BER');
+        }
+
+        $var = $type == 'privateKey' ? 'x' : 'y';
+        $components[$var] = ASN1::asn1map($decoded[0], Maps\DSAPublicKey::MAP);
+        if (!$components[$var] instanceof BigInteger) {
+            throw new RuntimeException('Unable to perform ASN1 mapping');
+        }
+
+        if (isset($key['meta'])) {
+            $components['meta'] = $key['meta'];
+        }
+
+        return $components;
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     */
+    public static function savePrivateKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, BigInteger $x, ?string $password = null, array $options = []): string
+    {
+        $params = [
+            'p' => $p,
+            'q' => $q,
+            'g' => $g,
+        ];
+        $params = ASN1::encodeDER($params, Maps\DSAParams::MAP);
+        $params = new ASN1\Element($params);
+        $key = ASN1::encodeDER($x, Maps\DSAPublicKey::MAP);
+        return self::wrapPrivateKey($key, [], $params, $password, null, '', $options);
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     *
+     * @param array $options optional
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, array $options = []): string
+    {
+        $params = [
+            'p' => $p,
+            'q' => $q,
+            'g' => $g,
+        ];
+        $params = ASN1::encodeDER($params, Maps\DSAParams::MAP);
+        $params = new ASN1\Element($params);
+        $key = ASN1::encodeDER($y, Maps\DSAPublicKey::MAP);
+        return self::wrapPublicKey($key, $params);
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/PuTTY.php

@@ -0,0 +1,97 @@
+<?php
+
+/**
+ * PuTTY Formatted DSA Key Handler
+ *
+ * puttygen does not generate DSA keys with an N of anything other than 160, however,
+ * it can still load them and convert them. PuTTY will load them, too, but SSH servers
+ * won't accept them. Since PuTTY formatted keys are primarily used with SSH this makes
+ * keys with N > 160 kinda useless, hence this handlers not supporting such keys.
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Crypt\Common\Formats\Keys\PuTTY as Progenitor;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * PuTTY Formatted DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class PuTTY extends Progenitor
+{
+    /**
+     * Public Handler
+     *
+     * @var string
+     */
+    public const PUBLIC_HANDLER = 'phpseclib3\Crypt\DSA\Formats\Keys\OpenSSH';
+
+    /**
+     * Algorithm Identifier
+     *
+     * @var array
+     */
+    protected static $types = ['ssh-dss'];
+
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param array|string $key
+     * @param string|false $password
+     * @return array|false
+     */
+    public static function load($key, $password)
+    {
+        $components = parent::load($key, $password);
+        if (!isset($components['private'])) {
+            return $components;
+        }
+        extract($components);
+        unset($components['public'], $components['private']);
+
+        [$p, $q, $g, $y] = Strings::unpackSSH2('iiii', $public);
+        [$x] = Strings::unpackSSH2('i', $private);
+
+        return compact('p', 'q', 'g', 'y', 'x', 'comment');
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     */
+    public static function savePrivateKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, BigInteger $x, ?string $password = null, array $options = []): string
+    {
+        if ($q->getLength() != 160) {
+            throw new InvalidArgumentException('SSH only supports keys with an N (length of Group Order q) of 160');
+        }
+
+        $public = Strings::packSSH2('iiii', $p, $q, $g, $y);
+        $private = Strings::packSSH2('i', $x);
+
+        return self::wrapPrivateKey($public, $private, 'ssh-dss', $password, $options);
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y): string
+    {
+        if ($q->getLength() != 160) {
+            throw new InvalidArgumentException('SSH only supports keys with an N (length of Group Order q) of 160');
+        }
+
+        return self::wrapPublicKey(Strings::packSSH2('iiii', $p, $q, $g, $y), 'ssh-dss');
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/Raw.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Raw DSA Key Handler
+ *
+ * PHP version 5
+ *
+ * Reads and creates arrays as DSA keys
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Raw DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class Raw
+{
+    /**
+     * Break a public or private key down into its constituent components
+     *
+     * @param string|array $key
+     */
+    public static function load($key, ?string $password = null): array
+    {
+        if (!is_array($key)) {
+            throw new UnexpectedValueException('Key should be a array - not a ' . gettype($key));
+        }
+
+        switch (true) {
+            case !isset($key['p']) || !isset($key['q']) || !isset($key['g']):
+            case !$key['p'] instanceof BigInteger:
+            case !$key['q'] instanceof BigInteger:
+            case !$key['g'] instanceof BigInteger:
+            case !isset($key['x']) && !isset($key['y']):
+            case isset($key['x']) && !$key['x'] instanceof BigInteger:
+            case isset($key['y']) && !$key['y'] instanceof BigInteger:
+                throw new UnexpectedValueException('Key appears to be malformed');
+        }
+
+        $options = ['p' => 1, 'q' => 1, 'g' => 1, 'x' => 1, 'y' => 1];
+
+        return array_intersect_key($key, $options);
+    }
+
+    /**
+     * Convert a private key to the appropriate format.
+     *
+     * @param string $password optional
+     */
+    public static function savePrivateKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y, BigInteger $x, string $password = ''): string
+    {
+        return compact('p', 'q', 'g', 'y', 'x');
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y): string
+    {
+        return compact('p', 'q', 'g', 'y');
+    }
+}

phpseclib/Crypt/DSA/Formats/Keys/XML.php

@@ -0,0 +1,125 @@
+<?php
+
+/**
+ * XML Formatted DSA Key Handler
+ *
+ * While XKMS defines a private key format for RSA it does not do so for DSA. Quoting that standard:
+ *
+ * "[XKMS] does not specify private key parameters for the DSA signature algorithm since the algorithm only
+ *  supports signature modes and so the application of server generated keys and key recovery is of limited
+ *  value"
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Keys;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Exception\BadConfigurationException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * XML Formatted DSA Key Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class XML
+{
+    /**
+     * Break a public or private key down into its constituent components
+     */
+    public static function load(string $key, ?string $password = null): array
+    {
+        if (!Strings::is_stringable($key)) {
+            throw new UnexpectedValueException('Key should be a string - not a ' . gettype($key));
+        }
+
+        if (!class_exists('DOMDocument')) {
+            throw new BadConfigurationException('The dom extension is not setup correctly on this system');
+        }
+
+        $use_errors = libxml_use_internal_errors(true);
+
+        $dom = new \DOMDocument();
+        if (substr($key, 0, 5) != '<?xml') {
+            $key = '<xml>' . $key . '</xml>';
+        }
+        if (!$dom->loadXML($key)) {
+            libxml_use_internal_errors($use_errors);
+            throw new UnexpectedValueException('Key does not appear to contain XML');
+        }
+        $xpath = new \DOMXPath($dom);
+        $keys = ['p', 'q', 'g', 'y', 'j', 'seed', 'pgencounter'];
+        foreach ($keys as $key) {
+            // $dom->getElementsByTagName($key) is case-sensitive
+            $temp = $xpath->query("//*[translate(local-name(), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')='$key']");
+            if (!$temp->length) {
+                continue;
+            }
+            $value = new BigInteger(Strings::base64_decode($temp->item(0)->nodeValue), 256);
+            switch ($key) {
+                case 'p': // a prime modulus meeting the [DSS] requirements
+                    // Parameters P, Q, and G can be public and common to a group of users. They might be known
+                    // from application context. As such, they are optional but P and Q must either both appear
+                    // or both be absent
+                    $components['p'] = $value;
+                    break;
+                case 'q': // an integer in the range 2**159 < Q < 2**160 which is a prime divisor of P-1
+                    $components['q'] = $value;
+                    break;
+                case 'g': // an integer with certain properties with respect to P and Q
+                    $components['g'] = $value;
+                    break;
+                case 'y': // G**X mod P (where X is part of the private key and not made public)
+                    $components['y'] = $value;
+                    // the remaining options do not do anything
+                case 'j': // (P - 1) / Q
+                    // Parameter J is available for inclusion solely for efficiency as it is calculatable from
+                    // P and Q
+                case 'seed': // a DSA prime generation seed
+                    // Parameters seed and pgenCounter are used in the DSA prime number generation algorithm
+                    // specified in [DSS]. As such, they are optional but must either both be present or both
+                    // be absent
+                case 'pgencounter': // a DSA prime generation counter
+            }
+        }
+
+        libxml_use_internal_errors($use_errors);
+
+        if (!isset($components['y'])) {
+            throw new UnexpectedValueException('Key is missing y component');
+        }
+
+        switch (true) {
+            case !isset($components['p']):
+            case !isset($components['q']):
+            case !isset($components['g']):
+                return ['y' => $components['y']];
+        }
+
+        return $components;
+    }
+
+    /**
+     * Convert a public key to the appropriate format
+     *
+     * See https://www.w3.org/TR/xmldsig-core/#sec-DSAKeyValue
+     */
+    public static function savePublicKey(BigInteger $p, BigInteger $q, BigInteger $g, BigInteger $y): string
+    {
+        return "<DSAKeyValue>\r\n" .
+               '  <P>' . Strings::base64_encode($p->toBytes()) . "</P>\r\n" .
+               '  <Q>' . Strings::base64_encode($q->toBytes()) . "</Q>\r\n" .
+               '  <G>' . Strings::base64_encode($g->toBytes()) . "</G>\r\n" .
+               '  <Y>' . Strings::base64_encode($y->toBytes()) . "</Y>\r\n" .
+               '</DSAKeyValue>';
+    }
+}

phpseclib/Crypt/DSA/Formats/Signature/ASN1.php

@@ -0,0 +1,59 @@
+<?php
+
+/**
+ * ASN1 Signature Handler
+ *
+ * PHP version 5
+ *
+ * Handles signatures in the format described in
+ * https://tools.ietf.org/html/rfc3279#section-2.2.2
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Signature;
+
+use phpseclib3\File\ASN1 as Encoder;
+use phpseclib3\File\ASN1\Maps;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * ASN1 Signature Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class ASN1
+{
+    /**
+     * Loads a signature
+     *
+     * @return array|bool
+     */
+    public static function load(string $sig)
+    {
+        if (!is_string($sig)) {
+            return false;
+        }
+
+        $decoded = Encoder::decodeBER($sig);
+        if (empty($decoded)) {
+            return false;
+        }
+        $components = Encoder::asn1map($decoded[0], Maps\DssSigValue::MAP);
+
+        return $components;
+    }
+
+    /**
+     * Returns a signature in the appropriate format
+     */
+    public static function save(BigInteger $r, BigInteger $s): string
+    {
+        return Encoder::encodeDER(compact('r', 's'), Maps\DssSigValue::MAP);
+    }
+}

phpseclib/Crypt/DSA/Formats/Signature/Raw.php

@@ -0,0 +1,27 @@
+<?php
+
+/**
+ * Raw DSA Signature Handler
+ *
+ * PHP version 5
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Signature;
+
+use phpseclib3\Crypt\Common\Formats\Signature\Raw as Progenitor;
+
+/**
+ * Raw DSA Signature Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class Raw extends Progenitor
+{
+}

phpseclib/Crypt/DSA/Formats/Signature/SSH2.php

@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * SSH2 Signature Handler
+ *
+ * PHP version 5
+ *
+ * Handles signatures in the format used by SSH2
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA\Formats\Signature;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * SSH2 Signature Handler
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class SSH2
+{
+    /**
+     * Loads a signature
+     */
+    public static function load(string $sig)
+    {
+        if (!is_string($sig)) {
+            return false;
+        }
+
+        $result = Strings::unpackSSH2('ss', $sig);
+        if ($result === false) {
+            return false;
+        }
+        [$type, $blob] = $result;
+        if ($type != 'ssh-dss' || strlen($blob) != 40) {
+            return false;
+        }
+
+        return [
+            'r' => new BigInteger(substr($blob, 0, 20), 256),
+            's' => new BigInteger(substr($blob, 20), 256),
+        ];
+    }
+
+    /**
+     * Returns a signature in the appropriate format
+     *
+     * @return string
+     */
+    public static function save(BigInteger $r, BigInteger $s)
+    {
+        if ($r->getLength() > 160 || $s->getLength() > 160) {
+            return false;
+        }
+        return Strings::packSSH2(
+            'ss',
+            'ssh-dss',
+            str_pad($r->toBytes(), 20, "\0", STR_PAD_LEFT) .
+            str_pad($s->toBytes(), 20, "\0", STR_PAD_LEFT)
+        );
+    }
+}

phpseclib/Crypt/DSA/Parameters.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * DSA Parameters
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA;
+
+use phpseclib3\Crypt\DSA;
+
+/**
+ * DSA Parameters
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class Parameters extends DSA
+{
+    /**
+     * Returns the parameters
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type = 'PKCS1', array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', 'PKCS1', 'saveParameters');
+
+        return $type::saveParameters($this->p, $this->q, $this->g, $options);
+    }
+}

phpseclib/Crypt/DSA/PrivateKey.php

@@ -0,0 +1,150 @@
+<?php
+
+/**
+ * DSA Private Key
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA;
+
+use phpseclib3\Crypt\Common;
+use phpseclib3\Crypt\DSA;
+use phpseclib3\Crypt\DSA\Formats\Signature\ASN1 as ASN1Signature;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * DSA Private Key
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class PrivateKey extends DSA implements Common\PrivateKey
+{
+    use Common\Traits\PasswordProtected;
+
+    /**
+     * DSA secret exponent x
+     *
+     * @var BigInteger
+     */
+    protected $x;
+
+    /**
+     * Returns the public key
+     *
+     * If you do "openssl rsa -in private.rsa -pubout -outform PEM" you get a PKCS8 formatted key
+     * that contains a publicKeyAlgorithm AlgorithmIdentifier and a publicKey BIT STRING.
+     * An AlgorithmIdentifier contains an OID and a parameters field. With RSA public keys this
+     * parameters field is NULL. With DSA PKCS8 public keys it is not - it contains the p, q and g
+     * variables. The publicKey BIT STRING contains, simply, the y variable. This can be verified
+     * by getting a DSA PKCS8 public key:
+     *
+     * "openssl dsa -in private.dsa -pubout -outform PEM"
+     *
+     * ie. just swap out rsa with dsa in the rsa command above.
+     *
+     * A PKCS1 public key corresponds to the publicKey portion of the PKCS8 key. In the case of RSA
+     * the publicKey portion /is/ the key. In the case of DSA it is not. You cannot verify a signature
+     * without the parameters and the PKCS1 DSA public key format does not include the parameters.
+     *
+     * @see self::getPrivateKey()
+     */
+    public function getPublicKey()
+    {
+        $type = self::validatePlugin('Keys', 'PKCS8', 'savePublicKey');
+
+        if (!isset($this->y)) {
+            $this->y = $this->g->powMod($this->x, $this->p);
+        }
+
+        $key = $type::savePublicKey($this->p, $this->q, $this->g, $this->y);
+
+        return DSA::loadFormat('PKCS8', $key)
+            ->withHash($this->hash->getHash())
+            ->withSignatureFormat($this->shortFormat);
+    }
+
+    /**
+     * Create a signature
+     *
+     * @see self::verify()
+     * @param string $message
+     */
+    public function sign($message): string
+    {
+        $format = $this->sigFormat;
+
+        if (self::$engines['OpenSSL'] && in_array($this->hash->getHash(), openssl_get_md_methods())) {
+            $signature = '';
+            $result = openssl_sign($message, $signature, $this->toString('PKCS8'), $this->hash->getHash());
+
+            if ($result) {
+                if ($this->shortFormat == 'ASN1') {
+                    return $signature;
+                }
+
+                extract(ASN1Signature::load($signature));
+
+                return $format::save($r, $s);
+            }
+        }
+
+        $h = $this->hash->hash($message);
+        $h = $this->bits2int($h);
+
+        while (true) {
+            $k = BigInteger::randomRange(self::$one, $this->q->subtract(self::$one));
+            $r = $this->g->powMod($k, $this->p);
+            [, $r] = $r->divide($this->q);
+            if ($r->equals(self::$zero)) {
+                continue;
+            }
+            $kinv = $k->modInverse($this->q);
+            $temp = $h->add($this->x->multiply($r));
+            $temp = $kinv->multiply($temp);
+            [, $s] = $temp->divide($this->q);
+            if (!$s->equals(self::$zero)) {
+                break;
+            }
+        }
+
+        // the following is an RFC6979 compliant implementation of deterministic DSA
+        // it's unused because it's mainly intended for use when a good CSPRNG isn't
+        // available. if phpseclib's CSPRNG isn't good then even key generation is
+        // suspect
+        /*
+        $h1 = $this->hash->hash($message);
+        $k = $this->computek($h1);
+        $r = $this->g->powMod($k, $this->p);
+        list(, $r) = $r->divide($this->q);
+        $kinv = $k->modInverse($this->q);
+        $h1 = $this->bits2int($h1);
+        $temp = $h1->add($this->x->multiply($r));
+        $temp = $kinv->multiply($temp);
+        list(, $s) = $temp->divide($this->q);
+        */
+
+        return $format::save($r, $s);
+    }
+
+    /**
+     * Returns the private key
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type, array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', $type, 'savePrivateKey');
+
+        if (!isset($this->y)) {
+            $this->y = $this->g->powMod($this->x, $this->p);
+        }
+
+        return $type::savePrivateKey($this->p, $this->q, $this->g, $this->y, $this->x, $this->password, $options);
+    }
+}

phpseclib/Crypt/DSA/PublicKey.php

@@ -0,0 +1,85 @@
+<?php
+
+/**
+ * DSA Public Key
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2015 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\DSA;
+
+use phpseclib3\Crypt\Common;
+use phpseclib3\Crypt\DSA;
+use phpseclib3\Crypt\DSA\Formats\Signature\ASN1 as ASN1Signature;
+
+/**
+ * DSA Public Key
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+final class PublicKey extends DSA implements Common\PublicKey
+{
+    use Common\Traits\Fingerprint;
+
+    /**
+     * Verify a signature
+     *
+     * @see self::verify()
+     * @param string $message
+     * @param string $signature
+     */
+    public function verify($message, $signature): bool
+    {
+        $format = $this->sigFormat;
+
+        $params = $format::load($signature);
+        if ($params === false || count($params) != 2) {
+            return false;
+        }
+        extract($params);
+
+        if (self::$engines['OpenSSL'] && in_array($this->hash->getHash(), openssl_get_md_methods())) {
+            $sig = $format != 'ASN1' ? ASN1Signature::save($r, $s) : $signature;
+
+            $result = openssl_verify($message, $sig, $this->toString('PKCS8'), $this->hash->getHash());
+
+            if ($result != -1) {
+                return (bool) $result;
+            }
+        }
+
+        $q_1 = $this->q->subtract(self::$one);
+        if (!$r->between(self::$one, $q_1) || !$s->between(self::$one, $q_1)) {
+            return false;
+        }
+
+        $w = $s->modInverse($this->q);
+        $h = $this->hash->hash($message);
+        $h = $this->bits2int($h);
+        [, $u1] = $h->multiply($w)->divide($this->q);
+        [, $u2] = $r->multiply($w)->divide($this->q);
+        $v1 = $this->g->powMod($u1, $this->p);
+        $v2 = $this->y->powMod($u2, $this->p);
+        [, $v] = $v1->multiply($v2)->divide($this->p);
+        [, $v] = $v->divide($this->q);
+
+        return $v->equals($r);
+    }
+
+    /**
+     * Returns the public key
+     *
+     * @param array $options optional
+     */
+    public function toString(string $type, array $options = []): string
+    {
+        $type = self::validatePlugin('Keys', $type, 'savePublicKey');
+
+        return $type::savePublicKey($this->p, $this->q, $this->g, $this->y, $options);
+    }
+}

phpseclib/Crypt/EC.php

@@ -0,0 +1,470 @@
+<?php
+
+/**
+ * Pure-PHP implementation of EC.
+ *
+ * PHP version 5
+ *
+ * Here's an example of how to create signatures and verify signatures with this library:
+ * <code>
+ * <?php
+ * include 'vendor/autoload.php';
+ *
+ * $private = \phpseclib3\Crypt\EC::createKey('secp256k1');
+ * $public = $private->getPublicKey();
+ *
+ * $plaintext = 'terrafrost';
+ *
+ * $signature = $private->sign($plaintext);
+ *
+ * echo $public->verify($plaintext, $signature) ? 'verified' : 'unverified';
+ * ?>
+ * </code>
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2016 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://phpseclib.sourceforge.net
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt;
+
+use phpseclib3\Crypt\Common\AsymmetricKey;
+use phpseclib3\Crypt\EC\BaseCurves\Base;
+use phpseclib3\Crypt\EC\BaseCurves\Montgomery as MontgomeryCurve;
+use phpseclib3\Crypt\EC\BaseCurves\TwistedEdwards as TwistedEdwardsCurve;
+use phpseclib3\Crypt\EC\Curves\Curve25519;
+use phpseclib3\Crypt\EC\Curves\Ed25519;
+use phpseclib3\Crypt\EC\Curves\Ed448;
+use phpseclib3\Crypt\EC\Formats\Keys\PKCS1;
+use phpseclib3\Crypt\EC\Parameters;
+use phpseclib3\Crypt\EC\PrivateKey;
+use phpseclib3\Crypt\EC\PublicKey;
+use phpseclib3\Exception\InvalidArgumentException;
+use phpseclib3\Exception\LengthException;
+use phpseclib3\Exception\UnsupportedAlgorithmException;
+use phpseclib3\Exception\UnsupportedCurveException;
+use phpseclib3\Exception\UnsupportedOperationException;
+use phpseclib3\File\ASN1;
+use phpseclib3\File\ASN1\Maps\ECParameters;
+use phpseclib3\Math\BigInteger;
+
+/**
+ * Pure-PHP implementation of EC.
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class EC extends AsymmetricKey
+{
+    /**
+     * Algorithm Name
+     *
+     * @var string
+     */
+    public const ALGORITHM = 'EC';
+
+    /**
+     * Public Key QA
+     *
+     * @var object[]
+     */
+    protected $QA;
+
+    /**
+     * Curve
+     *
+     * @var Base
+     */
+    protected $curve;
+
+    /**
+     * Signature Format
+     *
+     * @var string
+     */
+    protected $format;
+
+    /**
+     * Signature Format (Short)
+     *
+     * @var string
+     */
+    protected $shortFormat;
+
+    /**
+     * Curve Name
+     *
+     * @var string
+     */
+    private $curveName;
+
+    /**
+     * Curve Order
+     *
+     * Used for deterministic ECDSA
+     *
+     * @var BigInteger
+     */
+    protected $q;
+
+    /**
+     * Alias for the private key
+     *
+     * Used for deterministic ECDSA. AsymmetricKey expects $x. I don't like x because
+     * with x you have x * the base point yielding an (x, y)-coordinate that is the
+     * public key. But the x is different depending on which side of the equal sign
+     * you're on. It's less ambiguous if you do dA * base point = (x, y)-coordinate.
+     *
+     * @var BigInteger
+     */
+    protected $x;
+
+    /**
+     * Context
+     *
+     * @var string
+     */
+    protected $context;
+
+    /**
+     * Signature Format
+     *
+     * @var string
+     */
+    protected $sigFormat;
+
+    /**
+     * Create public / private key pair.
+     */
+    public static function createKey(string $curve): PrivateKey
+    {
+        self::initialize_static_variables();
+
+        $class = new \ReflectionClass(static::class);
+        if ($class->isFinal()) {
+            throw new \RuntimeException('createKey() should not be called from final classes (' . static::class . ')');
+        }
+
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+
+        $curve = strtolower($curve);
+        if (self::$engines['libsodium'] && $curve == 'ed25519' && function_exists('sodium_crypto_sign_keypair')) {
+            $kp = sodium_crypto_sign_keypair();
+
+            $privatekey = EC::loadFormat('libsodium', sodium_crypto_sign_secretkey($kp));
+            //$publickey = EC::loadFormat('libsodium', sodium_crypto_sign_publickey($kp));
+
+            $privatekey->curveName = 'Ed25519';
+            //$publickey->curveName = $curve;
+
+            return $privatekey;
+        }
+
+        $privatekey = new PrivateKey();
+
+        $curveName = $curve;
+        if (preg_match('#(?:^curve|^ed)\d+$#', $curveName)) {
+            $curveName = ucfirst($curveName);
+        } elseif (substr($curveName, 0, 10) == 'brainpoolp') {
+            $curveName = 'brainpoolP' . substr($curveName, 10);
+        }
+        $curve = '\phpseclib3\Crypt\EC\Curves\\' . $curveName;
+
+        if (!class_exists($curve)) {
+            throw new UnsupportedCurveException('Named Curve of ' . $curveName . ' is not supported');
+        }
+
+        $reflect = new \ReflectionClass($curve);
+        $curveName = $reflect->isFinal() ?
+            $reflect->getParentClass()->getShortName() :
+            $reflect->getShortName();
+
+        $curve = new $curve();
+        if ($curve instanceof TwistedEdwardsCurve) {
+            $arr = $curve->extractSecret(Random::string($curve instanceof Ed448 ? 57 : 32));
+            $privatekey->dA = $dA = $arr['dA'];
+            $privatekey->secret = $arr['secret'];
+        } else {
+            $privatekey->dA = $dA = $curve->createRandomMultiplier();
+        }
+        if ($curve instanceof Curve25519 && self::$engines['libsodium']) {
+            //$r = pack('H*', '0900000000000000000000000000000000000000000000000000000000000000');
+            //$QA = sodium_crypto_scalarmult($dA->toBytes(), $r);
+            $QA = sodium_crypto_box_publickey_from_secretkey($dA->toBytes());
+            $privatekey->QA = [$curve->convertInteger(new BigInteger(strrev($QA), 256))];
+        } else {
+            $privatekey->QA = $curve->multiplyPoint($curve->getBasePoint(), $dA);
+        }
+        $privatekey->curve = $curve;
+
+        //$publickey = clone $privatekey;
+        //unset($publickey->dA);
+        //unset($publickey->x);
+
+        $privatekey->curveName = $curveName;
+        //$publickey->curveName = $curveName;
+
+        if ($privatekey->curve instanceof TwistedEdwardsCurve) {
+            return $privatekey->withHash($curve::HASH);
+        }
+
+        return $privatekey;
+    }
+
+    /**
+     * OnLoad Handler
+     *
+     * @return AsymmetricKey|Parameters|PrivateKey|PublicKey
+     */
+    protected static function onLoad(array $components)
+    {
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+
+        if (!isset($components['dA']) && !isset($components['QA'])) {
+            $new = new Parameters();
+            $new->curve = $components['curve'];
+            return $new;
+        }
+
+        $new = isset($components['dA']) ?
+            new PrivateKey() :
+            new PublicKey();
+        $new->curve = $components['curve'];
+        $new->QA = $components['QA'];
+
+        if (isset($components['dA'])) {
+            $new->dA = $components['dA'];
+            $new->secret = $components['secret'];
+        }
+
+        if ($new->curve instanceof TwistedEdwardsCurve) {
+            return $new->withHash($components['curve']::HASH);
+        }
+
+        return $new;
+    }
+
+    /**
+     * Constructor
+     *
+     * PublicKey and PrivateKey objects can only be created from abstract RSA class
+     */
+    protected function __construct()
+    {
+        $this->sigFormat = self::validatePlugin('Signature', 'ASN1');
+        $this->shortFormat = 'ASN1';
+
+        parent::__construct();
+    }
+
+    /**
+     * Returns the curve
+     *
+     * Returns a string if it's a named curve, an array if not
+     *
+     * @return string|array
+     */
+    public function getCurve()
+    {
+        if ($this->curveName) {
+            return $this->curveName;
+        }
+
+        if ($this->curve instanceof MontgomeryCurve) {
+            $this->curveName = $this->curve instanceof Curve25519 ? 'Curve25519' : 'Curve448';
+            return $this->curveName;
+        }
+
+        if ($this->curve instanceof TwistedEdwardsCurve) {
+            $this->curveName = $this->curve instanceof Ed25519 ? 'Ed25519' : 'Ed448';
+            return $this->curveName;
+        }
+
+        $params = $this->getParameters()->toString('PKCS8', ['namedCurve' => true]);
+        $decoded = ASN1::extractBER($params);
+        $decoded = ASN1::decodeBER($decoded);
+        $decoded = ASN1::asn1map($decoded[0], ECParameters::MAP);
+        if (isset($decoded['namedCurve'])) {
+            $this->curveName = $decoded['namedCurve'];
+            return $decoded['namedCurve'];
+        }
+
+        if (!$namedCurves) {
+            PKCS1::useSpecifiedCurve();
+        }
+
+        return $decoded;
+    }
+
+    /**
+     * Returns the key size
+     *
+     * Quoting https://tools.ietf.org/html/rfc5656#section-2,
+     *
+     * "The size of a set of elliptic curve domain parameters on a prime
+     *  curve is defined as the number of bits in the binary representation
+     *  of the field order, commonly denoted by p.  Size on a
+     *  characteristic-2 curve is defined as the number of bits in the binary
+     *  representation of the field, commonly denoted by m.  A set of
+     *  elliptic curve domain parameters defines a group of order n generated
+     *  by a base point P"
+     */
+    public function getLength(): int
+    {
+        return $this->curve->getLength();
+    }
+
+    /**
+     * Returns the current engine being used
+     *
+     * @see self::useInternalEngine()
+     * @see self::useBestEngine()
+     */
+    public function getEngine(): string
+    {
+        if (!isset(self::$engines['PHP'])) {
+            self::useBestEngine();
+        }
+        if ($this->curve instanceof TwistedEdwardsCurve) {
+            return $this->curve instanceof Ed25519 && self::$engines['libsodium'] && !isset($this->context) ?
+                'libsodium' : 'PHP';
+        }
+
+        return self::$engines['OpenSSL'] && in_array($this->hash->getHash(), openssl_get_md_methods()) ?
+            'OpenSSL' : 'PHP';
+    }
+
+    /**
+     * Returns the public key coordinates as a string
+     *
+     * Used by ECDH
+     */
+    public function getEncodedCoordinates(): string
+    {
+        if ($this->curve instanceof MontgomeryCurve) {
+            return strrev($this->QA[0]->toBytes(true));
+        }
+        if ($this->curve instanceof TwistedEdwardsCurve) {
+            return $this->curve->encodePoint($this->QA);
+        }
+        return "\4" . $this->QA[0]->toBytes(true) . $this->QA[1]->toBytes(true);
+    }
+
+    /**
+     * Returns the parameters
+     *
+     * @param string $type optional
+     * @see self::getPublicKey()
+     */
+    public function getParameters(string $type = 'PKCS1')
+    {
+        $type = self::validatePlugin('Keys', $type, 'saveParameters');
+
+        $key = $type::saveParameters($this->curve);
+
+        return EC::load($key, 'PKCS1')
+            ->withHash($this->hash->getHash())
+            ->withSignatureFormat($this->shortFormat);
+    }
+
+    /**
+     * Determines the signature padding mode
+     *
+     * Valid values are: ASN1, SSH2, Raw
+     */
+    public function withSignatureFormat(string $format): EC
+    {
+        if ($this->curve instanceof MontgomeryCurve) {
+            throw new UnsupportedOperationException('Montgomery Curves cannot be used to create signatures');
+        }
+
+        $new = clone $this;
+        $new->shortFormat = $format;
+        $new->sigFormat = self::validatePlugin('Signature', $format);
+        return $new;
+    }
+
+    /**
+     * Returns the signature format currently being used
+     */
+    public function getSignatureFormat(): string
+    {
+        return $this->shortFormat;
+    }
+
+    /**
+     * Sets the context
+     *
+     * Used by Ed25519 / Ed448.
+     *
+     * @param string|null $context optional
+     * @see self::verify()
+          * @see self::sign()
+     */
+    public function withContext(?string $context = null): EC
+    {
+        if (!$this->curve instanceof TwistedEdwardsCurve) {
+            throw new UnsupportedCurveException('Only Ed25519 and Ed448 support contexts');
+        }
+
+        $new = clone $this;
+        if (!isset($context)) {
+            $new->context = null;
+            return $new;
+        }
+        if (!is_string($context)) {
+            throw new InvalidArgumentException('setContext expects a string');
+        }
+        if (strlen($context) > 255) {
+            throw new LengthException('The context is supposed to be, at most, 255 bytes long');
+        }
+        $new->context = $context;
+        return $new;
+    }
+
+    /**
+     * Returns the signature format currently being used
+     */
+    public function getContext(): string
+    {
+        return $this->context;
+    }
+
+    /**
+     * Determines which hashing function should be used
+     */
+    public function withHash(string $hash): AsymmetricKey
+    {
+        if ($this->curve instanceof MontgomeryCurve) {
+            throw new UnsupportedOperationException('Montgomery Curves cannot be used to create signatures');
+        }
+        if ($this->curve instanceof Ed25519 && $hash != 'sha512') {
+            throw new UnsupportedAlgorithmException('Ed25519 only supports sha512 as a hash');
+        }
+        if ($this->curve instanceof Ed448 && $hash != 'shake256-912') {
+            throw new UnsupportedAlgorithmException('Ed448 only supports shake256 with a length of 114 bytes');
+        }
+
+        return parent::withHash($hash);
+    }
+
+    /**
+     * __toString() magic method
+     *
+     * @return string
+     */
+    public function __toString()
+    {
+        if ($this->curve instanceof MontgomeryCurve) {
+            return '';
+        }
+
+        return parent::__toString();
+    }
+}

phpseclib/Crypt/EC/BaseCurves/Base.php

@@ -0,0 +1,217 @@
+<?php
+
+/**
+ * Curve methods common to all curves
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Exception\RangeException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\FiniteField\Integer;
+
+/**
+ * Base
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+abstract class Base
+{
+    /**
+     * The Order
+     *
+     * @var BigInteger
+     */
+    protected $order;
+
+    /**
+     * Finite Field Integer factory
+     *
+     * @var Integer
+     */
+    protected $factory;
+
+    /**
+     * Returns a random integer
+     *
+     * @return object
+     */
+    public function randomInteger()
+    {
+        return $this->factory->randomInteger();
+    }
+
+    /**
+     * Converts a BigInteger to a \phpseclib3\Math\FiniteField\Integer integer
+     *
+     * @return object
+     */
+    public function convertInteger(BigInteger $x)
+    {
+        return $this->factory->newInteger($x);
+    }
+
+    /**
+     * Returns the length, in bytes, of the modulo
+     *
+     * @return integer
+     */
+    public function getLengthInBytes(): int
+    {
+        return $this->factory->getLengthInBytes();
+    }
+
+    /**
+     * Returns the length, in bits, of the modulo
+     *
+     * @return integer
+     */
+    public function getLength(): int
+    {
+        return $this->factory->getLength();
+    }
+
+    /**
+     * Multiply a point on the curve by a scalar
+     *
+     * Uses the montgomery ladder technique as described here:
+     *
+     * https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Montgomery_ladder
+     * https://github.com/phpecc/phpecc/issues/16#issuecomment-59176772
+     */
+    public function multiplyPoint(array $p, BigInteger $d): array
+    {
+        $alreadyInternal = isset($p[2]);
+        $r = $alreadyInternal ?
+            [[], $p] :
+            [[], $this->convertToInternal($p)];
+
+        $d = $d->toBits();
+        for ($i = 0; $i < strlen($d); $i++) {
+            $d_i = (int) $d[$i];
+            $r[1 - $d_i] = $this->addPoint($r[0], $r[1]);
+            $r[$d_i] = $this->doublePoint($r[$d_i]);
+        }
+
+        return $alreadyInternal ? $r[0] : $this->convertToAffine($r[0]);
+    }
+
+    /**
+     * Creates a random scalar multiplier
+     */
+    public function createRandomMultiplier(): BigInteger
+    {
+        static $one;
+        if (!isset($one)) {
+            $one = new BigInteger(1);
+        }
+
+        return BigInteger::randomRange($one, $this->order->subtract($one));
+    }
+
+    /**
+     * Performs range check
+     */
+    public function rangeCheck(BigInteger $x): void
+    {
+        static $zero;
+        if (!isset($zero)) {
+            $zero = new BigInteger();
+        }
+
+        if (!isset($this->order)) {
+            throw new RuntimeException('setOrder needs to be called before this method');
+        }
+        if ($x->compare($this->order) > 0 || $x->compare($zero) <= 0) {
+            throw new RangeException('x must be between 1 and the order of the curve');
+        }
+    }
+
+    /**
+     * Sets the Order
+     */
+    public function setOrder(BigInteger $order): void
+    {
+        $this->order = $order;
+    }
+
+    /**
+     * Returns the Order
+     */
+    public function getOrder(): BigInteger
+    {
+        return $this->order;
+    }
+
+    /**
+     * Use a custom defined modular reduction function
+     *
+     * @return object
+     */
+    public function setReduction(callable $func)
+    {
+        $this->factory->setReduction($func);
+    }
+
+    /**
+     * Returns the affine point
+     *
+     * @return object[]
+     */
+    public function convertToAffine(array $p): array
+    {
+        return $p;
+    }
+
+    /**
+     * Converts an affine point to a jacobian coordinate
+     *
+     * @return object[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        return $p;
+    }
+
+    /**
+     * Negates a point
+     *
+     * @return object[]
+     */
+    public function negatePoint(array $p): array
+    {
+        $temp = [
+            $p[0],
+            $p[1]->negate(),
+        ];
+        if (isset($p[2])) {
+            $temp[] = $p[2];
+        }
+        return $temp;
+    }
+
+    /**
+     * Multiply and Add Points
+     *
+     * @return int[]
+     */
+    public function multiplyAddPoints(array $points, array $scalars): array
+    {
+        $p1 = $this->convertToInternal($points[0]);
+        $p2 = $this->convertToInternal($points[1]);
+        $p1 = $this->multiplyPoint($p1, $scalars[0]);
+        $p2 = $this->multiplyPoint($p2, $scalars[1]);
+        $r = $this->addPoint($p1, $p2);
+        return $this->convertToAffine($r);
+    }
+}

phpseclib/Crypt/EC/BaseCurves/Binary.php

@@ -0,0 +1,371 @@
+<?php
+
+/**
+ * Curves over y^2 + x*y = x^3 + a*x^2 + b
+ *
+ * These are curves used in SEC 2 over prime fields: http://www.secg.org/SEC2-Ver-1.0.pdf
+ * The curve is a weierstrass curve with a[3] and a[2] set to 0.
+ *
+ * Uses Jacobian Coordinates for speed if able:
+ *
+ * https://en.wikipedia.org/wiki/Jacobian_curve
+ * https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\BinaryField;
+use phpseclib3\Math\BinaryField\Integer as BinaryInteger;
+use phpseclib3\Math\PrimeField\Integer;
+
+/**
+ * Curves over y^2 + x*y = x^3 + a*x^2 + b
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class Binary extends Base
+{
+    /**
+     * Binary Field Integer factory
+     *
+     * @var BinaryField
+     */
+    protected $factory;
+
+    /**
+     * Cofficient for x^1
+     *
+     * @var object
+     */
+    protected $a;
+
+    /**
+     * Cofficient for x^0
+     *
+     * @var object
+     */
+    protected $b;
+
+    /**
+     * Base Point
+     *
+     * @var object
+     */
+    protected $p;
+
+    /**
+     * The number one over the specified finite field
+     *
+     * @var object
+     */
+    protected $one;
+
+    /**
+     * The modulo
+     *
+     * @var array
+     */
+    protected $modulo;
+
+    /**
+     * The Order
+     *
+     * @var BigInteger
+     */
+    protected $order;
+
+    /**
+     * Sets the modulo
+     */
+    public function setModulo(int ...$modulo): void
+    {
+        $this->modulo = $modulo;
+        $this->factory = new BinaryField(...$modulo);
+
+        $this->one = $this->factory->newInteger("\1");
+    }
+
+    /**
+     * Set coefficients a and b
+     */
+    public function setCoefficients(string $a, string $b): void
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->a = $this->factory->newInteger(pack('H*', $a));
+        $this->b = $this->factory->newInteger(pack('H*', $b));
+    }
+
+    /**
+     * Set x and y coordinates for the base point
+     *
+     * @param string|BinaryInteger $x
+     * @param string|BinaryInteger $y
+     */
+    public function setBasePoint($x, $y): void
+    {
+        switch (true) {
+            case !is_string($x) && !$x instanceof BinaryInteger:
+                throw new UnexpectedValueException('Argument 1 passed to Binary::setBasePoint() must be a string or an instance of BinaryField\Integer');
+            case !is_string($y) && !$y instanceof BinaryInteger:
+                throw new UnexpectedValueException('Argument 2 passed to Binary::setBasePoint() must be a string or an instance of BinaryField\Integer');
+        }
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->p = [
+            is_string($x) ? $this->factory->newInteger(pack('H*', $x)) : $x,
+            is_string($y) ? $this->factory->newInteger(pack('H*', $y)) : $y,
+        ];
+    }
+
+    /**
+     * Retrieve the base point as an array
+     *
+     * @return array
+     */
+    public function getBasePoint()
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        /*
+        if (!isset($this->p)) {
+            throw new \phpseclib3\Exception\RuntimeException('setBasePoint needs to be called before this method');
+        }
+        */
+        return $this->p;
+    }
+
+    /**
+     * Adds two points on the curve
+     *
+     * @return FiniteField[]
+     */
+    public function addPoint(array $p, array $q): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p) || !count($q)) {
+            if (count($q)) {
+                return $q;
+            }
+            if (count($p)) {
+                return $p;
+            }
+            return [];
+        }
+
+        if (!isset($p[2]) || !isset($q[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        if ($p[0]->equals($q[0])) {
+            return !$p[1]->equals($q[1]) ? [] : $this->doublePoint($p);
+        }
+
+        // formulas from http://hyperelliptic.org/EFD/g12o/auto-shortw-jacobian.html
+
+        [$x1, $y1, $z1] = $p;
+        [$x2, $y2, $z2] = $q;
+
+        $o1 = $z1->multiply($z1);
+        $b = $x2->multiply($o1);
+
+        if ($z2->equals($this->one)) {
+            $d = $y2->multiply($o1)->multiply($z1);
+            $e = $x1->add($b);
+            $f = $y1->add($d);
+            $z3 = $e->multiply($z1);
+            $h = $f->multiply($x2)->add($z3->multiply($y2));
+            $i = $f->add($z3);
+            $g = $z3->multiply($z3);
+            $p1 = $this->a->multiply($g);
+            $p2 = $f->multiply($i);
+            $p3 = $e->multiply($e)->multiply($e);
+            $x3 = $p1->add($p2)->add($p3);
+            $y3 = $i->multiply($x3)->add($g->multiply($h));
+
+            return [$x3, $y3, $z3];
+        }
+
+        $o2 = $z2->multiply($z2);
+        $a = $x1->multiply($o2);
+        $c = $y1->multiply($o2)->multiply($z2);
+        $d = $y2->multiply($o1)->multiply($z1);
+        $e = $a->add($b);
+        $f = $c->add($d);
+        $g = $e->multiply($z1);
+        $h = $f->multiply($x2)->add($g->multiply($y2));
+        $z3 = $g->multiply($z2);
+        $i = $f->add($z3);
+        $p1 = $this->a->multiply($z3->multiply($z3));
+        $p2 = $f->multiply($i);
+        $p3 = $e->multiply($e)->multiply($e);
+        $x3 = $p1->add($p2)->add($p3);
+        $y3 = $i->multiply($x3)->add($g->multiply($g)->multiply($h));
+
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Doubles a point on a curve
+     *
+     * @return FiniteField[]
+     */
+    public function doublePoint(array $p): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p)) {
+            return [];
+        }
+
+        if (!isset($p[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        // formulas from http://hyperelliptic.org/EFD/g12o/auto-shortw-jacobian.html
+
+        [$x1, $y1, $z1] = $p;
+
+        $a = $x1->multiply($x1);
+        $b = $a->multiply($a);
+
+        if ($z1->equals($this->one)) {
+            $x3 = $b->add($this->b);
+            $z3 = clone $x1;
+            $p1 = $a->add($y1)->add($z3)->multiply($this->b);
+            $p2 = $a->add($y1)->multiply($b);
+            $y3 = $p1->add($p2);
+
+            return [$x3, $y3, $z3];
+        }
+
+        $c = $z1->multiply($z1);
+        $d = $c->multiply($c);
+        $x3 = $b->add($this->b->multiply($d->multiply($d)));
+        $z3 = $x1->multiply($c);
+        $p1 = $b->multiply($z3);
+        $p2 = $a->add($y1->multiply($z1))->add($z3)->multiply($x3);
+        $y3 = $p1->add($p2);
+
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Returns the X coordinate and the derived Y coordinate
+     *
+     * Not supported because it is covered by patents.
+     * Quoting https://www.openssl.org/docs/man1.1.0/apps/ecparam.html ,
+     *
+     * "Due to patent issues the compressed option is disabled by default for binary curves
+     *  and can be enabled by defining the preprocessor macro OPENSSL_EC_BIN_PT_COMP at
+     *  compile time."
+     */
+    public function derivePoint($m): array
+    {
+        throw new RuntimeException('Point compression on binary finite field elliptic curves is not supported');
+    }
+
+    /**
+     * Tests whether or not the x / y values satisfy the equation
+     *
+     * @return boolean
+     */
+    public function verifyPoint(array $p): bool
+    {
+        [$x, $y] = $p;
+        $lhs = $y->multiply($y);
+        $lhs = $lhs->add($x->multiply($y));
+        $x2 = $x->multiply($x);
+        $x3 = $x2->multiply($x);
+        $rhs = $x3->add($this->a->multiply($x2))->add($this->b);
+
+        return $lhs->equals($rhs);
+    }
+
+    /**
+     * Returns the modulo
+     */
+    public function getModulo(): array
+    {
+        return $this->modulo;
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return Integer
+     */
+    public function getA()
+    {
+        return $this->a;
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return Integer
+     */
+    public function getB()
+    {
+        return $this->b;
+    }
+
+    /**
+     * Returns the affine point
+     *
+     * A Jacobian Coordinate is of the form (x, y, z).
+     * To convert a Jacobian Coordinate to an Affine Point
+     * you do (x / z^2, y / z^3)
+     *
+     * @return Integer[]
+     */
+    public function convertToAffine(array $p): array
+    {
+        if (!isset($p[2])) {
+            return $p;
+        }
+        [$x, $y, $z] = $p;
+        $z = $this->one->divide($z);
+        $z2 = $z->multiply($z);
+        return [
+            $x->multiply($z2),
+            $y->multiply($z2)->multiply($z),
+        ];
+    }
+
+    /**
+     * Converts an affine point to a jacobian coordinate
+     *
+     * @return Integer[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        if (isset($p[2])) {
+            return $p;
+        }
+
+        $p[2] = clone $this->one;
+        $p['fresh'] = true;
+        return $p;
+    }
+}

phpseclib/Crypt/EC/BaseCurves/KoblitzPrime.php

@@ -0,0 +1,335 @@
+<?php
+
+/**
+ * Generalized Koblitz Curves over y^2 = x^3 + b.
+ *
+ * According to http://www.secg.org/SEC2-Ver-1.0.pdf Koblitz curves are over the GF(2**m)
+ * finite field. Both the $a$ and $b$ coefficients are either 0 or 1. However, SEC2
+ * generalizes the definition to include curves over GF(P) "which possess an efficiently
+ * computable endomorphism".
+ *
+ * For these generalized Koblitz curves $b$ doesn't have to be 0 or 1. Whether or not $a$
+ * has any restrictions on it is unclear, however, for all the GF(P) Koblitz curves defined
+ * in SEC2 v1.0 $a$ is $0$ so all of the methods defined herein will assume that it is.
+ *
+ * I suppose we could rename the $b$ coefficient to $a$, however, the documentation refers
+ * to $b$ so we'll just keep it.
+ *
+ * If a later version of SEC2 comes out wherein some $a$ values are non-zero we can create a
+ * new method for those. eg. KoblitzA1Prime.php or something.
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\PrimeField;
+
+/**
+ * Curves over y^2 = x^3 + b
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class KoblitzPrime extends Prime
+{
+    /**
+     * Basis
+     *
+     * @var list<array{a: BigInteger, b: BigInteger}>
+     */
+    public $basis;
+
+    /**
+     * Beta
+     *
+     * @var PrimeField\Integer
+     */
+    public $beta;
+
+    // don't overwrite setCoefficients() with one that only accepts one parameter so that
+    // one might be able to switch between KoblitzPrime and Prime more easily (for benchmarking
+    // purposes).
+
+    /**
+     * Multiply and Add Points
+     *
+     * Uses a efficiently computable endomorphism to achieve a slight speedup
+     *
+     * Adapted from:
+     * https://github.com/indutny/elliptic/blob/725bd91/lib/elliptic/curve/short.js#L219
+     *
+     * @return int[]
+     */
+    public function multiplyAddPoints(array $points, array $scalars): array
+    {
+        static $zero, $one, $two;
+        if (!isset($two)) {
+            $two = new BigInteger(2);
+            $one = new BigInteger(1);
+        }
+
+        if (!isset($this->beta)) {
+            // get roots
+            $inv = $this->one->divide($this->two)->negate();
+            $s = $this->three->negate()->squareRoot()->multiply($inv);
+            $betas = [
+                $inv->add($s),
+                $inv->subtract($s),
+            ];
+            $this->beta = $betas[0]->compare($betas[1]) < 0 ? $betas[0] : $betas[1];
+            //echo strtoupper($this->beta->toHex(true)) . "\n"; exit;
+        }
+
+        if (!isset($this->basis)) {
+            $factory = new PrimeField($this->order);
+            $tempOne = $factory->newInteger($one);
+            $tempTwo = $factory->newInteger($two);
+            $tempThree = $factory->newInteger(new BigInteger(3));
+
+            $inv = $tempOne->divide($tempTwo)->negate();
+            $s = $tempThree->negate()->squareRoot()->multiply($inv);
+
+            $lambdas = [
+                $inv->add($s),
+                $inv->subtract($s),
+            ];
+
+            $lhs = $this->multiplyPoint($this->p, $lambdas[0])[0];
+            $rhs = $this->p[0]->multiply($this->beta);
+            $lambda = $lhs->equals($rhs) ? $lambdas[0] : $lambdas[1];
+
+            $this->basis = static::extendedGCD($lambda->toBigInteger(), $this->order);
+            ///*
+            foreach ($this->basis as $basis) {
+                echo strtoupper($basis['a']->toHex(true)) . "\n";
+                echo strtoupper($basis['b']->toHex(true)) . "\n\n";
+            }
+            exit;
+            //*/
+        }
+
+        $npoints = $nscalars = [];
+        for ($i = 0; $i < count($points); $i++) {
+            $p = $points[$i];
+            $k = $scalars[$i]->toBigInteger();
+
+            // begin split
+            [$v1, $v2] = $this->basis;
+
+            $c1 = $v2['b']->multiply($k);
+            [$c1, $r] = $c1->divide($this->order);
+            if ($this->order->compare($r->multiply($two)) <= 0) {
+                $c1 = $c1->add($one);
+            }
+
+            $c2 = $v1['b']->negate()->multiply($k);
+            [$c2, $r] = $c2->divide($this->order);
+            if ($this->order->compare($r->multiply($two)) <= 0) {
+                $c2 = $c2->add($one);
+            }
+
+            $p1 = $c1->multiply($v1['a']);
+            $p2 = $c2->multiply($v2['a']);
+            $q1 = $c1->multiply($v1['b']);
+            $q2 = $c2->multiply($v2['b']);
+
+            $k1 = $k->subtract($p1)->subtract($p2);
+            $k2 = $q1->add($q2)->negate();
+            // end split
+
+            $beta = [
+                $p[0]->multiply($this->beta),
+                $p[1],
+                clone $this->one,
+            ];
+
+            if (isset($p['naf'])) {
+                $beta['naf'] = array_map(function ($p) {
+                    return [
+                        $p[0]->multiply($this->beta),
+                        $p[1],
+                        clone $this->one,
+                    ];
+                }, $p['naf']);
+                $beta['nafwidth'] = $p['nafwidth'];
+            }
+
+            if ($k1->isNegative()) {
+                $k1 = $k1->negate();
+                $p = $this->negatePoint($p);
+            }
+
+            if ($k2->isNegative()) {
+                $k2 = $k2->negate();
+                $beta = $this->negatePoint($beta);
+            }
+
+            $pos = 2 * $i;
+            $npoints[$pos] = $p;
+            $nscalars[$pos] = $this->factory->newInteger($k1);
+
+            $pos++;
+            $npoints[$pos] = $beta;
+            $nscalars[$pos] = $this->factory->newInteger($k2);
+        }
+
+        return parent::multiplyAddPoints($npoints, $nscalars);
+    }
+
+    /**
+     * Returns the numerator and denominator of the slope
+     *
+     * @return FiniteField[]
+     */
+    protected function doublePointHelper(array $p): array
+    {
+        $numerator = $this->three->multiply($p[0])->multiply($p[0]);
+        $denominator = $this->two->multiply($p[1]);
+        return [$numerator, $denominator];
+    }
+
+    /**
+     * Doubles a jacobian coordinate on the curve
+     *
+     * See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianDoublePoint(array $p): array
+    {
+        [$x1, $y1, $z1] = $p;
+        $a = $x1->multiply($x1);
+        $b = $y1->multiply($y1);
+        $c = $b->multiply($b);
+        $d = $x1->add($b);
+        $d = $d->multiply($d)->subtract($a)->subtract($c)->multiply($this->two);
+        $e = $this->three->multiply($a);
+        $f = $e->multiply($e);
+        $x3 = $f->subtract($this->two->multiply($d));
+        $y3 = $e->multiply($d->subtract($x3))->subtract(
+            $this->eight->multiply($c)
+        );
+        $z3 = $this->two->multiply($y1)->multiply($z1);
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Doubles a "fresh" jacobian coordinate on the curve
+     *
+     * See http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-mdbl-2007-bl
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianDoublePointMixed(array $p): array
+    {
+        [$x1, $y1] = $p;
+        $xx = $x1->multiply($x1);
+        $yy = $y1->multiply($y1);
+        $yyyy = $yy->multiply($yy);
+        $s = $x1->add($yy);
+        $s = $s->multiply($s)->subtract($xx)->subtract($yyyy)->multiply($this->two);
+        $m = $this->three->multiply($xx);
+        $t = $m->multiply($m)->subtract($this->two->multiply($s));
+        $x3 = $t;
+        $y3 = $s->subtract($t);
+        $y3 = $m->multiply($y3)->subtract($this->eight->multiply($yyyy));
+        $z3 = $this->two->multiply($y1);
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Tests whether or not the x / y values satisfy the equation
+     *
+     * @return boolean
+     */
+    public function verifyPoint(array $p): bool
+    {
+        [$x, $y] = $p;
+        $lhs = $y->multiply($y);
+        $temp = $x->multiply($x)->multiply($x);
+        $rhs = $temp->add($this->b);
+
+        return $lhs->equals($rhs);
+    }
+
+    /**
+     * Calculates the parameters needed from the Euclidean algorithm as discussed at
+     * http://diamond.boisestate.edu/~liljanab/MATH308/GuideToECC.pdf#page=148
+     *
+     * @return BigInteger[]
+     */
+    protected static function extendedGCD(BigInteger $u, BigInteger $v): array
+    {
+        $one = new BigInteger(1);
+        $zero = new BigInteger();
+
+        $a = clone $one;
+        $b = clone $zero;
+        $c = clone $zero;
+        $d = clone $one;
+
+        $stop = $v->bitwise_rightShift($v->getLength() >> 1);
+
+        $a1 = clone $zero;
+        $b1 = clone $zero;
+        $a2 = clone $zero;
+        $b2 = clone $zero;
+
+        $postGreatestIndex = 0;
+
+        while (!$v->equals($zero)) {
+            [$q] = $u->divide($v);
+
+            $temp = $u;
+            $u = $v;
+            $v = $temp->subtract($v->multiply($q));
+
+            $temp = $a;
+            $a = $c;
+            $c = $temp->subtract($a->multiply($q));
+
+            $temp = $b;
+            $b = $d;
+            $d = $temp->subtract($b->multiply($q));
+
+            if ($v->compare($stop) > 0) {
+                $a0 = $v;
+                $b0 = $c;
+            } else {
+                $postGreatestIndex++;
+            }
+
+            if ($postGreatestIndex == 1) {
+                $a1 = $v;
+                $b1 = $c->negate();
+            }
+
+            if ($postGreatestIndex == 2) {
+                $rhs = $a0->multiply($a0)->add($b0->multiply($b0));
+                $lhs = $v->multiply($v)->add($b->multiply($b));
+                if ($lhs->compare($rhs) <= 0) {
+                    $a2 = $a0;
+                    $b2 = $b0->negate();
+                } else {
+                    $a2 = $v;
+                    $b2 = $c->negate();
+                }
+
+                break;
+            }
+        }
+
+        return [
+            ['a' => $a1, 'b' => $b1],
+            ['a' => $a2, 'b' => $b2],
+        ];
+    }
+}

phpseclib/Crypt/EC/BaseCurves/Montgomery.php

@@ -0,0 +1,281 @@
+<?php
+
+/**
+ * Curves over y^2 = x^3 + a*x + x
+ *
+ * Technically, a Montgomery curve has a coefficient for y^2 but for Curve25519 and Curve448 that
+ * coefficient is 1.
+ *
+ * Curve25519 and Curve448 do not make use of the y coordinate, which makes it unsuitable for use
+ * with ECDSA / EdDSA. A few other differences between Curve25519 and Ed25519 are discussed at
+ * https://crypto.stackexchange.com/a/43058/4520
+ *
+ * More info:
+ *
+ * https://en.wikipedia.org/wiki/Montgomery_curve
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2019 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Crypt\EC\Curves\Curve25519;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\PrimeField;
+use phpseclib3\Math\PrimeField\Integer as PrimeInteger;
+
+/**
+ * Curves over y^2 = x^3 + a*x + x
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class Montgomery extends Base
+{
+    /**
+     * Prime Field Integer factory
+     *
+     * @var PrimeField
+     */
+    protected $factory;
+
+    /**
+     * Cofficient for x
+     *
+     * @var object
+     */
+    protected $a;
+
+    /**
+     * Constant used for point doubling
+     *
+     * @var object
+     */
+    protected $a24;
+
+    /**
+     * The Number Zero
+     *
+     * @var object
+     */
+    protected $zero;
+
+    /**
+     * The Number One
+     *
+     * @var object
+     */
+    protected $one;
+
+    /**
+     * Base Point
+     *
+     * @var object
+     */
+    protected $p;
+
+    /**
+     * The modulo
+     *
+     * @var BigInteger
+     */
+    protected $modulo;
+
+    /**
+     * The Order
+     *
+     * @var BigInteger
+     */
+    protected $order;
+
+    /**
+     * Sets the modulo
+     */
+    public function setModulo(BigInteger $modulo): void
+    {
+        $this->modulo = $modulo;
+        $this->factory = new PrimeField($modulo);
+        $this->zero = $this->factory->newInteger(new BigInteger());
+        $this->one = $this->factory->newInteger(new BigInteger(1));
+    }
+
+    /**
+     * Set coefficients a
+     */
+    public function setCoefficients(BigInteger $a): void
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->a = $this->factory->newInteger($a);
+        $two = $this->factory->newInteger(new BigInteger(2));
+        $four = $this->factory->newInteger(new BigInteger(4));
+        $this->a24 = $this->a->subtract($two)->divide($four);
+    }
+
+    /**
+     * Set x and y coordinates for the base point
+     *
+     * @param BigInteger|PrimeInteger $x
+     * @param BigInteger|PrimeInteger $y
+     * @return PrimeInteger[]
+     */
+    public function setBasePoint($x, $y): array
+    {
+        switch (true) {
+            case !$x instanceof BigInteger && !$x instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 1 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+            case !$y instanceof BigInteger && !$y instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 2 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+        }
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->p = [
+            $x instanceof BigInteger ? $this->factory->newInteger($x) : $x,
+            $y instanceof BigInteger ? $this->factory->newInteger($y) : $y,
+        ];
+    }
+
+    /**
+     * Retrieve the base point as an array
+     *
+     * @return array
+     */
+    public function getBasePoint()
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        /*
+        if (!isset($this->p)) {
+            throw new \phpseclib3\Exception\RuntimeException('setBasePoint needs to be called before this method');
+        }
+        */
+        return $this->p;
+    }
+
+    /**
+     * Doubles and adds a point on a curve
+     *
+     * See https://tools.ietf.org/html/draft-ietf-tls-curve25519-01#appendix-A.1.3
+     *
+     * @return FiniteField[][]
+     */
+    private function doubleAndAddPoint(array $p, array $q, PrimeInteger $x1): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p) || !count($q)) {
+            return [];
+        }
+
+        if (!isset($p[1])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to XZ coordinates');
+        }
+
+        [$x2, $z2] = $p;
+        [$x3, $z3] = $q;
+
+        $a = $x2->add($z2);
+        $aa = $a->multiply($a);
+        $b = $x2->subtract($z2);
+        $bb = $b->multiply($b);
+        $e = $aa->subtract($bb);
+        $c = $x3->add($z3);
+        $d = $x3->subtract($z3);
+        $da = $d->multiply($a);
+        $cb = $c->multiply($b);
+        $temp = $da->add($cb);
+        $x5 = $temp->multiply($temp);
+        $temp = $da->subtract($cb);
+        $z5 = $x1->multiply($temp->multiply($temp));
+        $x4 = $aa->multiply($bb);
+        $temp = static::class == Curve25519::class ? $bb : $aa;
+        $z4 = $e->multiply($temp->add($this->a24->multiply($e)));
+
+        return [
+            [$x4, $z4],
+            [$x5, $z5],
+        ];
+    }
+
+    /**
+     * Multiply a point on the curve by a scalar
+     *
+     * Uses the montgomery ladder technique as described here:
+     *
+     * https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Montgomery_ladder
+     * https://github.com/phpecc/phpecc/issues/16#issuecomment-59176772
+     */
+    public function multiplyPoint(array $p, BigInteger $d): array
+    {
+        $p1 = [$this->one, $this->zero];
+        $alreadyInternal = isset($x[1]);
+        $p2 = $this->convertToInternal($p);
+        $x = $p[0];
+
+        $b = $d->toBits();
+        $b = str_pad($b, 256, '0', STR_PAD_LEFT);
+        for ($i = 0; $i < strlen($b); $i++) {
+            $b_i = (int) $b[$i];
+            if ($b_i) {
+                [$p2, $p1] = $this->doubleAndAddPoint($p2, $p1, $x);
+            } else {
+                [$p1, $p2] = $this->doubleAndAddPoint($p1, $p2, $x);
+            }
+        }
+
+        return $alreadyInternal ? $p1 : $this->convertToAffine($p1);
+    }
+
+    /**
+     * Converts an affine point to an XZ coordinate
+     *
+     * From https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html
+     *
+     * XZ coordinates represent x y as X Z satsfying the following equations:
+     *
+     *   x=X/Z
+     *
+     * @return PrimeInteger[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        if (empty($p)) {
+            return [clone $this->zero, clone $this->one];
+        }
+
+        if (isset($p[1])) {
+            return $p;
+        }
+
+        $p[1] = clone $this->one;
+
+        return $p;
+    }
+
+    /**
+     * Returns the affine point
+     *
+     * @return PrimeInteger[]
+     */
+    public function convertToAffine(array $p): array
+    {
+        if (!isset($p[1])) {
+            return $p;
+        }
+        [$x, $z] = $p;
+        return [$x->divide($z)];
+    }
+}

phpseclib/Crypt/EC/BaseCurves/Prime.php

@@ -0,0 +1,785 @@
+<?php
+
+/**
+ * Curves over y^2 = x^3 + a*x + b
+ *
+ * These are curves used in SEC 2 over prime fields: http://www.secg.org/SEC2-Ver-1.0.pdf
+ * The curve is a weierstrass curve with a[1], a[3] and a[2] set to 0.
+ *
+ * Uses Jacobian Coordinates for speed if able:
+ *
+ * https://en.wikipedia.org/wiki/Jacobian_curve
+ * https://en.wikibooks.org/wiki/Cryptography/Prime_Curve/Jacobian_Coordinates
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Common\Functions\Strings;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\Common\FiniteField\Integer;
+use phpseclib3\Math\PrimeField;
+use phpseclib3\Math\PrimeField\Integer as PrimeInteger;
+use phpseclib3\Math\PrimeFields;
+
+/**
+ * Curves over y^2 = x^3 + a*x + b
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class Prime extends Base
+{
+    /**
+     * Prime Field Integer factory
+     *
+     * @var PrimeFields
+     */
+    protected $factory;
+
+    /**
+     * Cofficient for x^1
+     *
+     * @var object
+     */
+    protected $a;
+
+    /**
+     * Cofficient for x^0
+     *
+     * @var object
+     */
+    protected $b;
+
+    /**
+     * Base Point
+     *
+     * @var object
+     */
+    protected $p;
+
+    /**
+     * The number one over the specified finite field
+     *
+     * @var object
+     */
+    protected $one;
+
+    /**
+     * The number two over the specified finite field
+     *
+     * @var object
+     */
+    protected $two;
+
+    /**
+     * The number three over the specified finite field
+     *
+     * @var object
+     */
+    protected $three;
+
+    /**
+     * The number four over the specified finite field
+     *
+     * @var object
+     */
+    protected $four;
+
+    /**
+     * The number eight over the specified finite field
+     *
+     * @var object
+     */
+    protected $eight;
+
+    /**
+     * The modulo
+     *
+     * @var BigInteger
+     */
+    protected $modulo;
+
+    /**
+     * The Order
+     *
+     * @var BigInteger
+     */
+    protected $order;
+
+    /**
+     * Sets the modulo
+     */
+    public function setModulo(BigInteger $modulo): void
+    {
+        $this->modulo = $modulo;
+        $this->factory = new PrimeField($modulo);
+        $this->two = $this->factory->newInteger(new BigInteger(2));
+        $this->three = $this->factory->newInteger(new BigInteger(3));
+        // used by jacobian coordinates
+        $this->one = $this->factory->newInteger(new BigInteger(1));
+        $this->four = $this->factory->newInteger(new BigInteger(4));
+        $this->eight = $this->factory->newInteger(new BigInteger(8));
+    }
+
+    /**
+     * Set coefficients a and b
+     */
+    public function setCoefficients(BigInteger $a, BigInteger $b): void
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->a = $this->factory->newInteger($a);
+        $this->b = $this->factory->newInteger($b);
+    }
+
+    /**
+     * Set x and y coordinates for the base point
+     *
+     * @param BigInteger|PrimeInteger $x
+     * @param BigInteger|PrimeInteger $y
+     */
+    public function setBasePoint($x, $y): void
+    {
+        switch (true) {
+            case !$x instanceof BigInteger && !$x instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 1 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+            case !$y instanceof BigInteger && !$y instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 2 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+        }
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->p = [
+            $x instanceof BigInteger ? $this->factory->newInteger($x) : $x,
+            $y instanceof BigInteger ? $this->factory->newInteger($y) : $y,
+        ];
+    }
+
+    /**
+     * Retrieve the base point as an array
+     *
+     * @return array
+     */
+    public function getBasePoint()
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        /*
+        if (!isset($this->p)) {
+            throw new \phpseclib3\Exception\RuntimeException('setBasePoint needs to be called before this method');
+        }
+        */
+        return $this->p;
+    }
+
+    /**
+     * Adds two "fresh" jacobian form on the curve
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianAddPointMixedXY(array $p, array $q): array
+    {
+        [$u1, $s1] = $p;
+        [$u2, $s2] = $q;
+        if ($u1->equals($u2)) {
+            if (!$s1->equals($s2)) {
+                return [];
+            } else {
+                return $this->doublePoint($p);
+            }
+        }
+        $h = $u2->subtract($u1);
+        $r = $s2->subtract($s1);
+        $h2 = $h->multiply($h);
+        $h3 = $h2->multiply($h);
+        $v = $u1->multiply($h2);
+        $x3 = $r->multiply($r)->subtract($h3)->subtract($v->multiply($this->two));
+        $y3 = $r->multiply(
+            $v->subtract($x3)
+        )->subtract(
+            $s1->multiply($h3)
+        );
+        return [$x3, $y3, $h];
+    }
+
+    /**
+     * Adds one "fresh" jacobian form on the curve
+     *
+     * The second parameter should be the "fresh" one
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianAddPointMixedX(array $p, array $q): array
+    {
+        [$u1, $s1, $z1] = $p;
+        [$x2, $y2] = $q;
+
+        $z12 = $z1->multiply($z1);
+
+        $u2 = $x2->multiply($z12);
+        $s2 = $y2->multiply($z12->multiply($z1));
+        if ($u1->equals($u2)) {
+            if (!$s1->equals($s2)) {
+                return [];
+            } else {
+                return $this->doublePoint($p);
+            }
+        }
+        $h = $u2->subtract($u1);
+        $r = $s2->subtract($s1);
+        $h2 = $h->multiply($h);
+        $h3 = $h2->multiply($h);
+        $v = $u1->multiply($h2);
+        $x3 = $r->multiply($r)->subtract($h3)->subtract($v->multiply($this->two));
+        $y3 = $r->multiply(
+            $v->subtract($x3)
+        )->subtract(
+            $s1->multiply($h3)
+        );
+        $z3 = $h->multiply($z1);
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Adds two jacobian coordinates on the curve
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianAddPoint(array $p, array $q): array
+    {
+        [$x1, $y1, $z1] = $p;
+        [$x2, $y2, $z2] = $q;
+
+        $z12 = $z1->multiply($z1);
+        $z22 = $z2->multiply($z2);
+
+        $u1 = $x1->multiply($z22);
+        $u2 = $x2->multiply($z12);
+        $s1 = $y1->multiply($z22->multiply($z2));
+        $s2 = $y2->multiply($z12->multiply($z1));
+        if ($u1->equals($u2)) {
+            if (!$s1->equals($s2)) {
+                return [];
+            } else {
+                return $this->doublePoint($p);
+            }
+        }
+        $h = $u2->subtract($u1);
+        $r = $s2->subtract($s1);
+        $h2 = $h->multiply($h);
+        $h3 = $h2->multiply($h);
+        $v = $u1->multiply($h2);
+        $x3 = $r->multiply($r)->subtract($h3)->subtract($v->multiply($this->two));
+        $y3 = $r->multiply(
+            $v->subtract($x3)
+        )->subtract(
+            $s1->multiply($h3)
+        );
+        $z3 = $h->multiply($z1)->multiply($z2);
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Adds two points on the curve
+     *
+     * @return FiniteField[]
+     */
+    public function addPoint(array $p, array $q): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p) || !count($q)) {
+            if (count($q)) {
+                return $q;
+            }
+            if (count($p)) {
+                return $p;
+            }
+            return [];
+        }
+
+        // use jacobian coordinates
+        if (isset($p[2]) && isset($q[2])) {
+            if (isset($p['fresh']) && isset($q['fresh'])) {
+                return $this->jacobianAddPointMixedXY($p, $q);
+            }
+            if (isset($p['fresh'])) {
+                return $this->jacobianAddPointMixedX($q, $p);
+            }
+            if (isset($q['fresh'])) {
+                return $this->jacobianAddPointMixedX($p, $q);
+            }
+            return $this->jacobianAddPoint($p, $q);
+        }
+
+        if (isset($p[2]) || isset($q[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to Jacobi coordinates or vice versa');
+        }
+
+        if ($p[0]->equals($q[0])) {
+            if (!$p[1]->equals($q[1])) {
+                return [];
+            } else { // eg. doublePoint
+                [$numerator, $denominator] = $this->doublePointHelper($p);
+            }
+        } else {
+            $numerator = $q[1]->subtract($p[1]);
+            $denominator = $q[0]->subtract($p[0]);
+        }
+        $slope = $numerator->divide($denominator);
+        $x = $slope->multiply($slope)->subtract($p[0])->subtract($q[0]);
+        $y = $slope->multiply($p[0]->subtract($x))->subtract($p[1]);
+
+        return [$x, $y];
+    }
+
+    /**
+     * Returns the numerator and denominator of the slope
+     *
+     * @return FiniteField[]
+     */
+    protected function doublePointHelper(array $p): array
+    {
+        $numerator = $this->three->multiply($p[0])->multiply($p[0])->add($this->a);
+        $denominator = $this->two->multiply($p[1]);
+        return [$numerator, $denominator];
+    }
+
+    /**
+     * Doubles a jacobian coordinate on the curve
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianDoublePoint(array $p): array
+    {
+        [$x, $y, $z] = $p;
+        $x2 = $x->multiply($x);
+        $y2 = $y->multiply($y);
+        $z2 = $z->multiply($z);
+        $s = $this->four->multiply($x)->multiply($y2);
+        $m1 = $this->three->multiply($x2);
+        $m2 = $this->a->multiply($z2->multiply($z2));
+        $m = $m1->add($m2);
+        $x1 = $m->multiply($m)->subtract($this->two->multiply($s));
+        $y1 = $m->multiply($s->subtract($x1))->subtract(
+            $this->eight->multiply($y2->multiply($y2))
+        );
+        $z1 = $this->two->multiply($y)->multiply($z);
+        return [$x1, $y1, $z1];
+    }
+
+    /**
+     * Doubles a "fresh" jacobian coordinate on the curve
+     *
+     * @return FiniteField[]
+     */
+    protected function jacobianDoublePointMixed(array $p): array
+    {
+        [$x, $y] = $p;
+        $x2 = $x->multiply($x);
+        $y2 = $y->multiply($y);
+        $s = $this->four->multiply($x)->multiply($y2);
+        $m1 = $this->three->multiply($x2);
+        $m = $m1->add($this->a);
+        $x1 = $m->multiply($m)->subtract($this->two->multiply($s));
+        $y1 = $m->multiply($s->subtract($x1))->subtract(
+            $this->eight->multiply($y2->multiply($y2))
+        );
+        $z1 = $this->two->multiply($y);
+        return [$x1, $y1, $z1];
+    }
+
+    /**
+     * Doubles a point on a curve
+     *
+     * @return FiniteField[]
+     */
+    public function doublePoint(array $p): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p)) {
+            return [];
+        }
+
+        // use jacobian coordinates
+        if (isset($p[2])) {
+            if (isset($p['fresh'])) {
+                return $this->jacobianDoublePointMixed($p);
+            }
+            return $this->jacobianDoublePoint($p);
+        }
+
+        [$numerator, $denominator] = $this->doublePointHelper($p);
+
+        $slope = $numerator->divide($denominator);
+
+        $x = $slope->multiply($slope)->subtract($p[0])->subtract($p[0]);
+        $y = $slope->multiply($p[0]->subtract($x))->subtract($p[1]);
+
+        return [$x, $y];
+    }
+
+    /**
+     * Returns the X coordinate and the derived Y coordinate
+     */
+    public function derivePoint($m): array
+    {
+        $y = ord(Strings::shift($m));
+        $x = new BigInteger($m, 256);
+        $xp = $this->convertInteger($x);
+        switch ($y) {
+            case 2:
+                $ypn = false;
+                break;
+            case 3:
+                $ypn = true;
+                break;
+            default:
+                throw new RuntimeException('Coordinate not in recognized format');
+        }
+        $temp = $xp->multiply($this->a);
+        $temp = $xp->multiply($xp)->multiply($xp)->add($temp);
+        $temp = $temp->add($this->b);
+        $b = $temp->squareRoot();
+        if (!$b) {
+            throw new RuntimeException('Unable to derive Y coordinate');
+        }
+        $bn = $b->isOdd();
+        $yp = $ypn == $bn ? $b : $b->negate();
+        return [$xp, $yp];
+    }
+
+    /**
+     * Tests whether or not the x / y values satisfy the equation
+     *
+     * @return boolean
+     */
+    public function verifyPoint(array $p): bool
+    {
+        [$x, $y] = $p;
+        $lhs = $y->multiply($y);
+        $temp = $x->multiply($this->a);
+        $temp = $x->multiply($x)->multiply($x)->add($temp);
+        $rhs = $temp->add($this->b);
+
+        return $lhs->equals($rhs);
+    }
+
+    /**
+     * Returns the modulo
+     */
+    public function getModulo(): BigInteger
+    {
+        return $this->modulo;
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return PrimeInteger
+     */
+    public function getA()
+    {
+        return $this->a;
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return PrimeInteger
+     */
+    public function getB()
+    {
+        return $this->b;
+    }
+
+    /**
+     * Multiply and Add Points
+     *
+     * Adapted from:
+     * https://github.com/indutny/elliptic/blob/725bd91/lib/elliptic/curve/base.js#L125
+     *
+     * @return int[]
+     */
+    public function multiplyAddPoints(array $points, array $scalars): array
+    {
+        $length = count($points);
+
+        foreach ($points as &$point) {
+            $point = $this->convertToInternal($point);
+        }
+
+        $wnd = [$this->getNAFPoints($points[0], 7)];
+        $wndWidth = [$points[0]['nafwidth'] ?? 7];
+        for ($i = 1; $i < $length; $i++) {
+            $wnd[] = $this->getNAFPoints($points[$i], 1);
+            $wndWidth[] = $points[$i]['nafwidth'] ?? 1;
+        }
+
+        $naf = [];
+
+        // comb all window NAFs
+
+        $max = 0;
+        for ($i = $length - 1; $i >= 1; $i -= 2) {
+            $a = $i - 1;
+            $b = $i;
+            if ($wndWidth[$a] != 1 || $wndWidth[$b] != 1) {
+                $naf[$a] = $scalars[$a]->getNAF($wndWidth[$a]);
+                $naf[$b] = $scalars[$b]->getNAF($wndWidth[$b]);
+                $max = max(count($naf[$a]), count($naf[$b]), $max);
+                continue;
+            }
+
+            $comb = [
+                $points[$a], // 1
+                null,        // 3
+                null,        // 5
+                $points[$b],  // 7
+            ];
+
+            $comb[1] = $this->addPoint($points[$a], $points[$b]);
+            $comb[2] = $this->addPoint($points[$a], $this->negatePoint($points[$b]));
+
+            $index = [
+                -3, /* -1 -1 */
+                -1, /* -1  0 */
+                -5, /* -1  1 */
+                -7, /*  0 -1 */
+                 0, /*  0 -1 */
+                 7, /*  0  1 */
+                 5, /*  1 -1 */
+                 1, /*  1  0 */
+                 3,  /*  1  1 */
+            ];
+
+            $jsf = self::getJSFPoints($scalars[$a], $scalars[$b]);
+
+            $max = max(count($jsf[0]), $max);
+            if ($max > 0) {
+                $naf[$a] = array_fill(0, $max, 0);
+                $naf[$b] = array_fill(0, $max, 0);
+            } else {
+                $naf[$a] = [];
+                $naf[$b] = [];
+            }
+
+            for ($j = 0; $j < $max; $j++) {
+                $ja = $jsf[0][$j] ?? 0;
+                $jb = $jsf[1][$j] ?? 0;
+
+                $naf[$a][$j] = $index[3 * ($ja + 1) + $jb + 1];
+                $naf[$b][$j] = 0;
+                $wnd[$a] = $comb;
+            }
+        }
+
+        $acc = [];
+        $temp = [0, 0, 0, 0];
+        for ($i = $max; $i >= 0; $i--) {
+            $k = 0;
+            while ($i >= 0) {
+                $zero = true;
+                for ($j = 0; $j < $length; $j++) {
+                    $temp[$j] = $naf[$j][$i] ?? 0;
+                    if ($temp[$j] != 0) {
+                        $zero = false;
+                    }
+                }
+                if (!$zero) {
+                    break;
+                }
+                $k++;
+                $i--;
+            }
+
+            if ($i >= 0) {
+                $k++;
+            }
+            while ($k--) {
+                $acc = $this->doublePoint($acc);
+            }
+
+            if ($i < 0) {
+                break;
+            }
+
+            for ($j = 0; $j < $length; $j++) {
+                $z = $temp[$j];
+                $p = null;
+                if ($z == 0) {
+                    continue;
+                }
+                $p = $z > 0 ?
+                    $wnd[$j][($z - 1) >> 1] :
+                    $this->negatePoint($wnd[$j][(-$z - 1) >> 1]);
+                $acc = $this->addPoint($acc, $p);
+            }
+        }
+
+        return $this->convertToAffine($acc);
+    }
+
+    /**
+     * Precomputes NAF points
+     *
+     * Adapted from:
+     * https://github.com/indutny/elliptic/blob/725bd91/lib/elliptic/curve/base.js#L351
+     *
+     * @return list<array>
+     */
+    private function getNAFPoints(array $point, int $wnd): array
+    {
+        if (isset($point['naf'])) {
+            return $point['naf'];
+        }
+
+        $res = [$point];
+        $max = (1 << $wnd) - 1;
+        $dbl = $max == 1 ? null : $this->doublePoint($point);
+        for ($i = 1; $i < $max; $i++) {
+            $res[] = $this->addPoint($res[$i - 1], $dbl);
+        }
+
+        $point['naf'] = $res;
+
+        /*
+        $str = '';
+        foreach ($res as $re) {
+            $re[0] = bin2hex($re[0]->toBytes());
+            $re[1] = bin2hex($re[1]->toBytes());
+            $str.= "            ['$re[0]', '$re[1]'],\r\n";
+        }
+        file_put_contents('temp.txt', $str);
+        exit;
+        */
+
+        return $res;
+    }
+
+    /**
+     * Precomputes points in Joint Sparse Form
+     *
+     * Adapted from:
+     * https://github.com/indutny/elliptic/blob/725bd91/lib/elliptic/utils.js#L96
+     *
+     * @return int[]
+     */
+    private static function getJSFPoints(Integer $k1, Integer $k2): array
+    {
+        static $three;
+        if (!isset($three)) {
+            $three = new BigInteger(3);
+        }
+
+        $jsf = [[], []];
+        $k1 = $k1->toBigInteger();
+        $k2 = $k2->toBigInteger();
+        $d1 = 0;
+        $d2 = 0;
+
+        while ($k1->compare(new BigInteger(-$d1)) > 0 || $k2->compare(new BigInteger(-$d2)) > 0) {
+            // first phase
+            $m14 = $k1->testBit(0) + 2 * $k1->testBit(1);
+            $m14 += $d1;
+            $m14 &= 3;
+
+            $m24 = $k2->testBit(0) + 2 * $k2->testBit(1);
+            $m24 += $d2;
+            $m24 &= 3;
+
+            if ($m14 == 3) {
+                $m14 = -1;
+            }
+            if ($m24 == 3) {
+                $m24 = -1;
+            }
+
+            $u1 = 0;
+            if ($m14 & 1) { // if $m14 is odd
+                $m8 = $k1->testBit(0) + 2 * $k1->testBit(1) + 4 * $k1->testBit(2);
+                $m8 += $d1;
+                $m8 &= 7;
+                $u1 = ($m8 == 3 || $m8 == 5) && $m24 == 2 ? -$m14 : $m14;
+            }
+            $jsf[0][] = $u1;
+
+            $u2 = 0;
+            if ($m24 & 1) { // if $m24 is odd
+                $m8 = $k2->testBit(0) + 2 * $k2->testBit(1) + 4 * $k2->testBit(2);
+                $m8 += $d2;
+                $m8 &= 7;
+                $u2 = ($m8 == 3 || $m8 == 5) && $m14 == 2 ? -$m24 : $m24;
+            }
+            $jsf[1][] = $u2;
+
+            // second phase
+            if (2 * $d1 == $u1 + 1) {
+                $d1 = 1 - $d1;
+            }
+            if (2 * $d2 == $u2 + 1) {
+                $d2 = 1 - $d2;
+            }
+            $k1 = $k1->bitwise_rightShift(1);
+            $k2 = $k2->bitwise_rightShift(1);
+        }
+
+        return $jsf;
+    }
+
+    /**
+     * Returns the affine point
+     *
+     * A Jacobian Coordinate is of the form (x, y, z).
+     * To convert a Jacobian Coordinate to an Affine Point
+     * you do (x / z^2, y / z^3)
+     *
+     * @return PrimeInteger[]
+     */
+    public function convertToAffine(array $p): array
+    {
+        if (!isset($p[2])) {
+            return $p;
+        }
+        [$x, $y, $z] = $p;
+        $z = $this->one->divide($z);
+        $z2 = $z->multiply($z);
+        return [
+            $x->multiply($z2),
+            $y->multiply($z2)->multiply($z),
+        ];
+    }
+
+    /**
+     * Converts an affine point to a jacobian coordinate
+     *
+     * @return PrimeInteger[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        if (isset($p[2])) {
+            return $p;
+        }
+
+        $p[2] = clone $this->one;
+        $p['fresh'] = true;
+        return $p;
+    }
+}

phpseclib/Crypt/EC/BaseCurves/TwistedEdwards.php

@@ -0,0 +1,215 @@
+<?php
+
+/**
+ * Curves over a*x^2 + y^2 = 1 + d*x^2*y^2
+ *
+ * http://www.secg.org/SEC2-Ver-1.0.pdf provides for curves with custom parameters.
+ * ie. the coefficients can be arbitrary set through specially formatted keys, etc.
+ * As such, Prime.php is built very generically and it's not able to take full
+ * advantage of curves with 0 coefficients to produce simplified point doubling,
+ * point addition. Twisted Edwards curves, in contrast, do not have a way, currently,
+ * to customize them. As such, we can omit the super generic stuff from this class
+ * and let the named curves (Ed25519 and Ed448) define their own custom tailored
+ * point addition and point doubling methods.
+ *
+ * More info:
+ *
+ * https://en.wikipedia.org/wiki/Twisted_Edwards_curve
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\BaseCurves;
+
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Exception\UnexpectedValueException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\PrimeField;
+use phpseclib3\Math\PrimeField\Integer as PrimeInteger;
+
+/**
+ * Curves over a*x^2 + y^2 = 1 + d*x^2*y^2
+ *
+ * @author  Jim Wigginton <terrafrost@php.net>
+ */
+class TwistedEdwards extends Base
+{
+    /**
+     * The modulo
+     *
+     * @var BigInteger
+     */
+    protected $modulo;
+
+    /**
+     * Cofficient for x^2
+     *
+     * @var object
+     */
+    protected $a;
+
+    /**
+     * Cofficient for x^2*y^2
+     *
+     * @var object
+     */
+    protected $d;
+
+    /**
+     * Base Point
+     *
+     * @var object[]
+     */
+    protected $p;
+
+    /**
+     * The number zero over the specified finite field
+     *
+     * @var object
+     */
+    protected $zero;
+
+    /**
+     * The number one over the specified finite field
+     *
+     * @var object
+     */
+    protected $one;
+
+    /**
+     * The number two over the specified finite field
+     *
+     * @var object
+     */
+    protected $two;
+
+    /**
+     * Sets the modulo
+     */
+    public function setModulo(BigInteger $modulo): void
+    {
+        $this->modulo = $modulo;
+        $this->factory = new PrimeField($modulo);
+        $this->zero = $this->factory->newInteger(new BigInteger(0));
+        $this->one = $this->factory->newInteger(new BigInteger(1));
+        $this->two = $this->factory->newInteger(new BigInteger(2));
+    }
+
+    /**
+     * Set coefficients a and b
+     */
+    public function setCoefficients(BigInteger $a, BigInteger $d): void
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->a = $this->factory->newInteger($a);
+        $this->d = $this->factory->newInteger($d);
+    }
+
+    /**
+     * Set x and y coordinates for the base point
+     */
+    public function setBasePoint($x, $y): void
+    {
+        switch (true) {
+            case !$x instanceof BigInteger && !$x instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 1 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+            case !$y instanceof BigInteger && !$y instanceof PrimeInteger:
+                throw new UnexpectedValueException('Argument 2 passed to Prime::setBasePoint() must be an instance of either BigInteger or PrimeField\Integer');
+        }
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        $this->p = [
+            $x instanceof BigInteger ? $this->factory->newInteger($x) : $x,
+            $y instanceof BigInteger ? $this->factory->newInteger($y) : $y,
+        ];
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return PrimeInteger
+     */
+    public function getA()
+    {
+        return $this->a;
+    }
+
+    /**
+     * Returns the a coefficient
+     *
+     * @return PrimeInteger
+     */
+    public function getD()
+    {
+        return $this->d;
+    }
+
+    /**
+     * Retrieve the base point as an array
+     */
+    public function getBasePoint(): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+        /*
+        if (!isset($this->p)) {
+            throw new \phpseclib3\Exception\RuntimeException('setBasePoint needs to be called before this method');
+        }
+        */
+        return $this->p;
+    }
+
+    /**
+     * Returns the affine point
+     *
+     * @return PrimeInteger[]
+     */
+    public function convertToAffine(array $p): array
+    {
+        if (!isset($p[2])) {
+            return $p;
+        }
+        [$x, $y, $z] = $p;
+        $z = $this->one->divide($z);
+        return [
+            $x->multiply($z),
+            $y->multiply($z),
+        ];
+    }
+
+    /**
+     * Returns the modulo
+     */
+    public function getModulo(): BigInteger
+    {
+        return $this->modulo;
+    }
+
+    /**
+     * Tests whether or not the x / y values satisfy the equation
+     *
+     * @return boolean
+     */
+    public function verifyPoint(array $p): bool
+    {
+        [$x, $y] = $p;
+        $x2 = $x->multiply($x);
+        $y2 = $y->multiply($y);
+
+        $lhs = $this->a->multiply($x2)->add($y2);
+        $rhs = $this->d->multiply($x2)->multiply($y2)->add($this->one);
+
+        return $lhs->equals($rhs);
+    }
+}

phpseclib/Crypt/EC/Curves/Curve25519.php

@@ -0,0 +1,80 @@
+<?php
+
+/**
+ * Curve25519
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2019 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Montgomery;
+use phpseclib3\Exception\RangeException;
+use phpseclib3\Math\BigInteger;
+
+class Curve25519 extends Montgomery
+{
+    public function __construct()
+    {
+        // 2^255 - 19
+        $this->setModulo(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED', 16));
+        $this->a24 = $this->factory->newInteger(new BigInteger('121666'));
+        $this->p = [$this->factory->newInteger(new BigInteger(9))];
+        // 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
+        $this->setOrder(new BigInteger('1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED', 16));
+
+        /*
+        $this->setCoefficients(
+            new BigInteger('486662'), // a
+        );
+        $this->setBasePoint(
+            new BigInteger(9),
+            new BigInteger('14781619447589544791020593568409986887264606134616475288964881837755586237401')
+        );
+        */
+    }
+
+    /**
+     * Multiply a point on the curve by a scalar
+     *
+     * Modifies the scalar as described at https://tools.ietf.org/html/rfc7748#page-8
+     */
+    public function multiplyPoint(array $p, BigInteger $d): array
+    {
+        //$r = strrev(sodium_crypto_scalarmult($d->toBytes(), strrev($p[0]->toBytes())));
+        //return [$this->factory->newInteger(new BigInteger($r, 256))];
+
+        $d = $d->toBytes();
+        $d &= "\xF8" . str_repeat("\xFF", 30) . "\x7F";
+        $d = strrev($d);
+        $d |= "\x40";
+        $d = new BigInteger($d, -256);
+
+        return parent::multiplyPoint($p, $d);
+    }
+
+    /**
+     * Creates a random scalar multiplier
+     */
+    public function createRandomMultiplier(): BigInteger
+    {
+        return BigInteger::random(256);
+    }
+
+    /**
+     * Performs range check
+     */
+    public function rangeCheck(BigInteger $x): void
+    {
+        if ($x->getLength() > 256 || $x->isNegative()) {
+            throw new RangeException('x must be a positive integer less than 256 bytes in length');
+        }
+    }
+}

phpseclib/Crypt/EC/Curves/Curve448.php

@@ -0,0 +1,91 @@
+<?php
+
+/**
+ * Curve448
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2019 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Montgomery;
+use phpseclib3\Exception\RangeException;
+use phpseclib3\Math\BigInteger;
+
+class Curve448 extends Montgomery
+{
+    public function __construct()
+    {
+        // 2^448 - 2^224 - 1
+        $this->setModulo(new BigInteger(
+            'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE' .
+            'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
+            16
+        ));
+        $this->a24 = $this->factory->newInteger(new BigInteger('39081'));
+        $this->p = [$this->factory->newInteger(new BigInteger(5))];
+        // 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
+        $this->setOrder(new BigInteger(
+            '3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF' .
+            '7CCA23E9C44EDB49AED63690216CC2728DC58F552378C292AB5844F3',
+            16
+        ));
+
+        /*
+        $this->setCoefficients(
+            new BigInteger('156326'), // a
+        );
+        $this->setBasePoint(
+            new BigInteger(5),
+            new BigInteger(
+                '355293926785568175264127502063783334808976399387714271831880898' .
+                '435169088786967410002932673765864550910142774147268105838985595290' .
+                '606362')
+        );
+        */
+    }
+
+    /**
+     * Multiply a point on the curve by a scalar
+     *
+     * Modifies the scalar as described at https://tools.ietf.org/html/rfc7748#page-8
+     */
+    public function multiplyPoint(array $p, BigInteger $d): array
+    {
+        //$r = strrev(sodium_crypto_scalarmult($d->toBytes(), strrev($p[0]->toBytes())));
+        //return [$this->factory->newInteger(new BigInteger($r, 256))];
+
+        $d = $d->toBytes();
+        $d[0] = $d[0] & "\xFC";
+        $d = strrev($d);
+        $d |= "\x80";
+        $d = new BigInteger($d, 256);
+
+        return parent::multiplyPoint($p, $d);
+    }
+
+    /**
+     * Creates a random scalar multiplier
+     */
+    public function createRandomMultiplier(): BigInteger
+    {
+        return BigInteger::random(446);
+    }
+
+    /**
+     * Performs range check
+     */
+    public function rangeCheck(BigInteger $x): void
+    {
+        if ($x->getLength() > 448 || $x->isNegative()) {
+            throw new RangeException('x must be a positive integer less than 446 bytes in length');
+        }
+    }
+}

phpseclib/Crypt/EC/Curves/Ed25519.php

@@ -0,0 +1,330 @@
+<?php
+
+/**
+ * Ed25519
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\TwistedEdwards;
+use phpseclib3\Crypt\Hash;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Exception\LengthException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Math\BigInteger;
+
+class Ed25519 extends TwistedEdwards
+{
+    public const HASH = 'sha512';
+    /*
+      Per https://tools.ietf.org/html/rfc8032#page-6 EdDSA has several parameters, one of which is b:
+
+      2.   An integer b with 2^(b-1) > p.  EdDSA public keys have exactly b
+           bits, and EdDSA signatures have exactly 2*b bits.  b is
+           recommended to be a multiple of 8, so public key and signature
+           lengths are an integral number of octets.
+
+      SIZE corresponds to b
+    */
+    public const SIZE = 32;
+
+    public function __construct()
+    {
+        // 2^255 - 19
+        $this->setModulo(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED', 16));
+        $this->setCoefficients(
+            // -1
+            new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEC', 16), // a
+            // -121665/121666
+            new BigInteger('52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3', 16)  // d
+        );
+        $this->setBasePoint(
+            new BigInteger('216936D3CD6E53FEC0A4E231FDD6DC5C692CC7609525A7B2C9562D608F25D51A', 16),
+            new BigInteger('6666666666666666666666666666666666666666666666666666666666666658', 16)
+        );
+        $this->setOrder(new BigInteger('1000000000000000000000000000000014DEF9DEA2F79CD65812631A5CF5D3ED', 16));
+        // algorithm 14.47 from http://cacr.uwaterloo.ca/hac/about/chap14.pdf#page=16
+        /*
+        $this->setReduction(function($x) {
+            $parts = $x->bitwise_split(255);
+            $className = $this->className;
+
+            if (count($parts) > 2) {
+                list(, $r) = $x->divide($className::$modulo);
+                return $r;
+            }
+
+            $zero = new BigInteger();
+            $c = new BigInteger(19);
+
+            switch (count($parts)) {
+                case 2:
+                    list($qi, $ri) = $parts;
+                    break;
+                case 1:
+                    $qi = $zero;
+                    list($ri) = $parts;
+                    break;
+                case 0:
+                    return $zero;
+            }
+            $r = $ri;
+
+            while ($qi->compare($zero) > 0) {
+                $temp = $qi->multiply($c)->bitwise_split(255);
+                if (count($temp) == 2) {
+                    list($qi, $ri) = $temp;
+                } else {
+                    $qi = $zero;
+                    list($ri) = $temp;
+                }
+                $r = $r->add($ri);
+            }
+
+            while ($r->compare($className::$modulo) > 0) {
+                $r = $r->subtract($className::$modulo);
+            }
+            return $r;
+        });
+        */
+    }
+
+    /**
+     * Recover X from Y
+     *
+     * Implements steps 2-4 at https://tools.ietf.org/html/rfc8032#section-5.1.3
+     *
+     * Used by EC\Keys\Common.php
+     *
+     * @param boolean $sign
+     * @return object[]
+     */
+    public function recoverX(BigInteger $y, bool $sign): array
+    {
+        $y = $this->factory->newInteger($y);
+
+        $y2 = $y->multiply($y);
+        $u = $y2->subtract($this->one);
+        $v = $this->d->multiply($y2)->add($this->one);
+        $x2 = $u->divide($v);
+        if ($x2->equals($this->zero)) {
+            if ($sign) {
+                throw new RuntimeException('Unable to recover X coordinate (x2 = 0)');
+            }
+            return clone $this->zero;
+        }
+        // find the square root
+        /* we don't do $x2->squareRoot() because, quoting from
+           https://tools.ietf.org/html/rfc8032#section-5.1.1:
+
+           "For point decoding or "decompression", square roots modulo p are
+            needed.  They can be computed using the Tonelli-Shanks algorithm or
+            the special case for p = 5 (mod 8).  To find a square root of a,
+            first compute the candidate root x = a^((p+3)/8) (mod p)."
+         */
+        $exp = $this->getModulo()->add(new BigInteger(3));
+        $exp = $exp->bitwise_rightShift(3);
+        $x = $x2->pow($exp);
+
+        // If v x^2 = -u (mod p), set x <-- x * 2^((p-1)/4), which is a square root.
+        if (!$x->multiply($x)->subtract($x2)->equals($this->zero)) {
+            $temp = $this->getModulo()->subtract(new BigInteger(1));
+            $temp = $temp->bitwise_rightShift(2);
+            $temp = $this->two->pow($temp);
+            $x = $x->multiply($temp);
+            if (!$x->multiply($x)->subtract($x2)->equals($this->zero)) {
+                throw new RuntimeException('Unable to recover X coordinate');
+            }
+        }
+        if ($x->isOdd() != $sign) {
+            $x = $x->negate();
+        }
+
+        return [$x, $y];
+    }
+
+    /**
+     * Extract Secret Scalar
+     *
+     * Implements steps 1-3 at https://tools.ietf.org/html/rfc8032#section-5.1.5
+     *
+     * Used by the various key handlers
+     *
+     * @return array
+     */
+    public function extractSecret(string $str)
+    {
+        if (strlen($str) != 32) {
+            throw new LengthException('Private Key should be 32-bytes long');
+        }
+        // 1.  Hash the 32-byte private key using SHA-512, storing the digest in
+        //     a 64-octet large buffer, denoted h.  Only the lower 32 bytes are
+        //     used for generating the public key.
+        $hash = new Hash('sha512');
+        $h = $hash->hash($str);
+        $h = substr($h, 0, 32);
+        // 2.  Prune the buffer: The lowest three bits of the first octet are
+        //     cleared, the highest bit of the last octet is cleared, and the
+        //     second highest bit of the last octet is set.
+        $h[0] = $h[0] & chr(0xF8);
+        $h = strrev($h);
+        $h[0] = ($h[0] & chr(0x3F)) | chr(0x40);
+        // 3.  Interpret the buffer as the little-endian integer, forming a
+        //     secret scalar s.
+        $dA = new BigInteger($h, 256);
+
+        return [
+            'dA' => $dA,
+            'secret' => $str,
+        ];
+    }
+
+    /**
+     * Encode a point as a string
+     */
+    public function encodePoint(array $point): string
+    {
+        [$x, $y] = $point;
+        $y = $y->toBytes();
+        $y[0] = $y[0] & chr(0x7F);
+        if ($x->isOdd()) {
+            $y[0] = $y[0] | chr(0x80);
+        }
+        $y = strrev($y);
+
+        return $y;
+    }
+
+    /**
+     * Creates a random scalar multiplier
+     */
+    public function createRandomMultiplier(): BigInteger
+    {
+        return $this->extractSecret(Random::string(32))['dA'];
+    }
+
+    /**
+     * Converts an affine point to an extended homogeneous coordinate
+     *
+     * From https://tools.ietf.org/html/rfc8032#section-5.1.4 :
+     *
+     * A point (x,y) is represented in extended homogeneous coordinates (X, Y, Z, T),
+     * with x = X/Z, y = Y/Z, x * y = T/Z.
+     *
+     * @return Integer[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        if (empty($p)) {
+            return [clone $this->zero, clone $this->one, clone $this->one, clone $this->zero];
+        }
+
+        if (isset($p[2])) {
+            return $p;
+        }
+
+        $p[2] = clone $this->one;
+        $p[3] = $p[0]->multiply($p[1]);
+
+        return $p;
+    }
+
+    /**
+     * Doubles a point on a curve
+     *
+     * @return FiniteField[]
+     */
+    public function doublePoint(array $p): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p)) {
+            return [];
+        }
+
+        if (!isset($p[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        // from https://tools.ietf.org/html/rfc8032#page-12
+
+        [$x1, $y1, $z1, $t1] = $p;
+
+        $a = $x1->multiply($x1);
+        $b = $y1->multiply($y1);
+        $c = $this->two->multiply($z1)->multiply($z1);
+        $h = $a->add($b);
+        $temp = $x1->add($y1);
+        $e = $h->subtract($temp->multiply($temp));
+        $g = $a->subtract($b);
+        $f = $c->add($g);
+
+        $x3 = $e->multiply($f);
+        $y3 = $g->multiply($h);
+        $t3 = $e->multiply($h);
+        $z3 = $f->multiply($g);
+
+        return [$x3, $y3, $z3, $t3];
+    }
+
+    /**
+     * Adds two points on the curve
+     *
+     * @return FiniteField[]
+     */
+    public function addPoint(array $p, array $q): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p) || !count($q)) {
+            if (count($q)) {
+                return $q;
+            }
+            if (count($p)) {
+                return $p;
+            }
+            return [];
+        }
+
+        if (!isset($p[2]) || !isset($q[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        if ($p[0]->equals($q[0])) {
+            return !$p[1]->equals($q[1]) ? [] : $this->doublePoint($p);
+        }
+
+        // from https://tools.ietf.org/html/rfc8032#page-12
+
+        [$x1, $y1, $z1, $t1] = $p;
+        [$x2, $y2, $z2, $t2] = $q;
+
+        $a = $y1->subtract($x1)->multiply($y2->subtract($x2));
+        $b = $y1->add($x1)->multiply($y2->add($x2));
+        $c = $t1->multiply($this->two)->multiply($this->d)->multiply($t2);
+        $d = $z1->multiply($this->two)->multiply($z2);
+        $e = $b->subtract($a);
+        $f = $d->subtract($c);
+        $g = $d->add($c);
+        $h = $b->add($a);
+
+        $x3 = $e->multiply($f);
+        $y3 = $g->multiply($h);
+        $t3 = $e->multiply($h);
+        $z3 = $f->multiply($g);
+
+        return [$x3, $y3, $z3, $t3];
+    }
+}

phpseclib/Crypt/EC/Curves/Ed448.php

@@ -0,0 +1,268 @@
+<?php
+
+/**
+ * Ed448
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\TwistedEdwards;
+use phpseclib3\Crypt\Hash;
+use phpseclib3\Crypt\Random;
+use phpseclib3\Exception\LengthException;
+use phpseclib3\Exception\RuntimeException;
+use phpseclib3\Math\BigInteger;
+use phpseclib3\Math\PrimeField\Integer;
+
+class Ed448 extends TwistedEdwards
+{
+    public const HASH = 'shake256-912';
+    public const SIZE = 57;
+
+    public function __construct()
+    {
+        // 2^448 - 2^224 - 1
+        $this->setModulo(new BigInteger(
+            'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE' .
+            'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
+            16
+        ));
+        $this->setCoefficients(
+            new BigInteger(1),
+            // -39081
+            new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE' .
+                           'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6756', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('4F1970C66BED0DED221D15A622BF36DA9E146570470F1767EA6DE324' .
+                           'A3D3A46412AE1AF72AB66511433B80E18B00938E2626A82BC70CC05E', 16),
+            new BigInteger('693F46716EB6BC248876203756C9C7624BEA73736CA3984087789C1E' .
+                           '05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD9808795BF230FA14', 16)
+        );
+        $this->setOrder(new BigInteger(
+            '3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF' .
+            '7CCA23E9C44EDB49AED63690216CC2728DC58F552378C292AB5844F3',
+            16
+        ));
+    }
+
+    /**
+     * Recover X from Y
+     *
+     * Implements steps 2-4 at https://tools.ietf.org/html/rfc8032#section-5.2.3
+     *
+     * Used by EC\Keys\Common.php
+     *
+     * @param boolean $sign
+     * @return object[]
+     */
+    public function recoverX(BigInteger $y, bool $sign): array
+    {
+        $y = $this->factory->newInteger($y);
+
+        $y2 = $y->multiply($y);
+        $u = $y2->subtract($this->one);
+        $v = $this->d->multiply($y2)->subtract($this->one);
+        $x2 = $u->divide($v);
+        if ($x2->equals($this->zero)) {
+            if ($sign) {
+                throw new RuntimeException('Unable to recover X coordinate (x2 = 0)');
+            }
+            return clone $this->zero;
+        }
+        // find the square root
+        $exp = $this->getModulo()->add(new BigInteger(1));
+        $exp = $exp->bitwise_rightShift(2);
+        $x = $x2->pow($exp);
+
+        if (!$x->multiply($x)->subtract($x2)->equals($this->zero)) {
+            throw new RuntimeException('Unable to recover X coordinate');
+        }
+        if ($x->isOdd() != $sign) {
+            $x = $x->negate();
+        }
+
+        return [$x, $y];
+    }
+
+    /**
+     * Extract Secret Scalar
+     *
+     * Implements steps 1-3 at https://tools.ietf.org/html/rfc8032#section-5.2.5
+     *
+     * Used by the various key handlers
+     *
+     * @return array
+     */
+    public function extractSecret(string $str)
+    {
+        if (strlen($str) != 57) {
+            throw new LengthException('Private Key should be 57-bytes long');
+        }
+        // 1.  Hash the 57-byte private key using SHAKE256(x, 114), storing the
+        //     digest in a 114-octet large buffer, denoted h.  Only the lower 57
+        //     bytes are used for generating the public key.
+        $hash = new Hash('shake256-912');
+        $h = $hash->hash($str);
+        $h = substr($h, 0, 57);
+        // 2.  Prune the buffer: The two least significant bits of the first
+        //     octet are cleared, all eight bits the last octet are cleared, and
+        //     the highest bit of the second to last octet is set.
+        $h[0] = $h[0] & chr(0xFC);
+        $h = strrev($h);
+        $h[0] = "\0";
+        $h[1] = $h[1] | chr(0x80);
+        // 3.  Interpret the buffer as the little-endian integer, forming a
+        //     secret scalar s.
+        $dA = new BigInteger($h, 256);
+
+        return [
+            'dA' => $dA,
+            'secret' => $str,
+        ];
+    }
+
+    /**
+     * Encode a point as a string
+     */
+    public function encodePoint(array $point): string
+    {
+        [$x, $y] = $point;
+        $y = "\0" . $y->toBytes();
+        if ($x->isOdd()) {
+            $y[0] = $y[0] | chr(0x80);
+        }
+        $y = strrev($y);
+
+        return $y;
+    }
+
+    /**
+     * Creates a random scalar multiplier
+     */
+    public function createRandomMultiplier(): BigInteger
+    {
+        return $this->extractSecret(Random::string(57))['dA'];
+    }
+
+    /**
+     * Converts an affine point to an extended homogeneous coordinate
+     *
+     * From https://tools.ietf.org/html/rfc8032#section-5.2.4 :
+     *
+     * A point (x,y) is represented in extended homogeneous coordinates (X, Y, Z, T),
+     * with x = X/Z, y = Y/Z, x * y = T/Z.
+     *
+     * @return Integer[]
+     */
+    public function convertToInternal(array $p): array
+    {
+        if (empty($p)) {
+            return [clone $this->zero, clone $this->one, clone $this->one];
+        }
+
+        if (isset($p[2])) {
+            return $p;
+        }
+
+        $p[2] = clone $this->one;
+
+        return $p;
+    }
+
+    /**
+     * Doubles a point on a curve
+     *
+     * @return FiniteField[]
+     */
+    public function doublePoint(array $p): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p)) {
+            return [];
+        }
+
+        if (!isset($p[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        // from https://tools.ietf.org/html/rfc8032#page-18
+
+        [$x1, $y1, $z1] = $p;
+
+        $b = $x1->add($y1);
+        $b = $b->multiply($b);
+        $c = $x1->multiply($x1);
+        $d = $y1->multiply($y1);
+        $e = $c->add($d);
+        $h = $z1->multiply($z1);
+        $j = $e->subtract($this->two->multiply($h));
+
+        $x3 = $b->subtract($e)->multiply($j);
+        $y3 = $c->subtract($d)->multiply($e);
+        $z3 = $e->multiply($j);
+
+        return [$x3, $y3, $z3];
+    }
+
+    /**
+     * Adds two points on the curve
+     *
+     * @return FiniteField[]
+     */
+    public function addPoint(array $p, array $q): array
+    {
+        if (!isset($this->factory)) {
+            throw new RuntimeException('setModulo needs to be called before this method');
+        }
+
+        if (!count($p) || !count($q)) {
+            if (count($q)) {
+                return $q;
+            }
+            if (count($p)) {
+                return $p;
+            }
+            return [];
+        }
+
+        if (!isset($p[2]) || !isset($q[2])) {
+            throw new RuntimeException('Affine coordinates need to be manually converted to "Jacobi" coordinates or vice versa');
+        }
+
+        if ($p[0]->equals($q[0])) {
+            return !$p[1]->equals($q[1]) ? [] : $this->doublePoint($p);
+        }
+
+        // from https://tools.ietf.org/html/rfc8032#page-17
+
+        [$x1, $y1, $z1] = $p;
+        [$x2, $y2, $z2] = $q;
+
+        $a = $z1->multiply($z2);
+        $b = $a->multiply($a);
+        $c = $x1->multiply($x2);
+        $d = $y1->multiply($y2);
+        $e = $this->d->multiply($c)->multiply($d);
+        $f = $b->subtract($e);
+        $g = $b->add($e);
+        $h = $x1->add($y1)->multiply($x2->add($y2));
+
+        $x3 = $a->multiply($f)->multiply($h->subtract($c)->subtract($d));
+        $y3 = $a->multiply($g)->multiply($d->subtract($c));
+        $z3 = $f->multiply($g);
+
+        return [$x3, $y3, $z3];
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP160r1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP160r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP160r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('E95E4A5F737059DC60DFC7AD95B3D8139515620F', 16));
+        $this->setCoefficients(
+            new BigInteger('340E7BE2A280EB74E2BE61BADA745D97E8F7C300', 16),
+            new BigInteger('1E589A8595423412134FAA2DBDEC95C8D8675E58', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3', 16),
+            new BigInteger('1667CB477A1A8EC338F94741669C976316DA6321', 16)
+        );
+        $this->setOrder(new BigInteger('E95E4A5F737059DC60DF5991D45029409E60FC09', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP160t1.php

@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * brainpoolP160t1
+ *
+ * This curve is a twisted version of brainpoolP160r1 with A = -3. With brainpool,
+ * the curves ending in r1 are the "regular" curves and the curves ending in "t1"
+ * are the twisted version of the r1 curves. Per https://tools.ietf.org/html/rfc5639#page-7
+ * you can convert a point on an r1 curve to a point on a t1 curve thusly:
+ *
+ *     F(x,y) := (x*Z^2, y*Z^3)
+ *
+ * The advantage of A = -3 is that some of the point doubling and point addition can be
+ * slightly optimized. See http://hyperelliptic.org/EFD/g1p/auto-shortw-projective-3.html
+ * vs http://hyperelliptic.org/EFD/g1p/auto-shortw-projective.html for example.
+ *
+ * phpseclib does not currently take advantage of this optimization opportunity
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP160t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('E95E4A5F737059DC60DFC7AD95B3D8139515620F', 16));
+        $this->setCoefficients(
+            new BigInteger('E95E4A5F737059DC60DFC7AD95B3D8139515620C', 16), // eg. -3
+            new BigInteger('7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('B199B13B9B34EFC1397E64BAEB05ACC265FF2378', 16),
+            new BigInteger('ADD6718B7C7C1961F0991B842443772152C9E0AD', 16)
+        );
+        $this->setOrder(new BigInteger('E95E4A5F737059DC60DF5991D45029409E60FC09', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP192r1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP192r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP192r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297', 16));
+        $this->setCoefficients(
+            new BigInteger('6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF', 16),
+            new BigInteger('469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6', 16),
+            new BigInteger('14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F', 16)
+        );
+        $this->setOrder(new BigInteger('C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP192t1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP192t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP192t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297', 16));
+        $this->setCoefficients(
+            new BigInteger('C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294', 16), // eg. -3
+            new BigInteger('13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('3AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129', 16),
+            new BigInteger('097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9', 16)
+        );
+        $this->setOrder(new BigInteger('C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP224r1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP224r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP224r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF', 16));
+        $this->setCoefficients(
+            new BigInteger('68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43', 16),
+            new BigInteger('2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D', 16),
+            new BigInteger('58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD', 16)
+        );
+        $this->setOrder(new BigInteger('D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP224t1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP224t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP224t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF', 16));
+        $this->setCoefficients(
+            new BigInteger('D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC', 16), // eg. -3
+            new BigInteger('4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('6AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D580', 16),
+            new BigInteger('0374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C', 16)
+        );
+        $this->setOrder(new BigInteger('D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP256r1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP256r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP256r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377', 16));
+        $this->setCoefficients(
+            new BigInteger('7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9', 16),
+            new BigInteger('26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262', 16),
+            new BigInteger('547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997', 16)
+        );
+        $this->setOrder(new BigInteger('A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP256t1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * brainpoolP256t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP256t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377', 16));
+        $this->setCoefficients(
+            new BigInteger('A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374', 16), // eg. -3
+            new BigInteger('662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4', 16),
+            new BigInteger('2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE', 16)
+        );
+        $this->setOrder(new BigInteger('A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP320r1.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * brainpoolP320r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP320r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F9' .
+                                        '2B9EC7893EC28FCD412B1F1B32E27', 16));
+        $this->setCoefficients(
+            new BigInteger('3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F4' .
+                           '92F375A97D860EB4', 16),
+            new BigInteger('520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD88453981' .
+                           '6F5EB4AC8FB1F1A6', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C7' .
+                           '10AF8D0D39E20611', 16),
+            new BigInteger('14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7' .
+                           'D35245D1692E8EE1', 16)
+        );
+        $this->setOrder(new BigInteger('D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D4' .
+                                       '82EC7EE8658E98691555B44C59311', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP320t1.php

@@ -0,0 +1,42 @@
+<?php
+
+/**
+ * brainpoolP320t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP320t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F9' .
+                                        '2B9EC7893EC28FCD412B1F1B32E27', 16));
+        $this->setCoefficients(
+            new BigInteger('D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28' .
+                           'FCD412B1F1B32E24', 16), // eg. -3
+            new BigInteger('A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547CE' .
+                           'B5B4FEF422340353', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136FFF' .
+                           '3357F624A21BED52', 16),
+            new BigInteger('63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE71B' .
+                           '1B9BC0455FB0D2C3', 16)
+        );
+        $this->setOrder(new BigInteger('D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D4' .
+                                       '82EC7EE8658E98691555B44C59311', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP384r1.php

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * brainpoolP384r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP384r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger(
+            '8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A7' .
+            '1874700133107EC53',
+            16
+        ));
+        $this->setCoefficients(
+            new BigInteger(
+                '7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503' .
+                'AD4EB04A8C7DD22CE2826',
+                16
+            ),
+            new BigInteger(
+                '4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DB' .
+                'C9943AB78696FA504C11',
+                16
+            )
+        );
+        $this->setBasePoint(
+            new BigInteger(
+                '1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D' .
+                '646AAEF87B2E247D4AF1E',
+                16
+            ),
+            new BigInteger(
+                '8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E464621779' .
+                '1811142820341263C5315',
+                16
+            )
+        );
+        $this->setOrder(new BigInteger(
+            '8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC31' .
+            '03B883202E9046565',
+            16
+        ));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP384t1.php

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * brainpoolP384t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP384t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger(
+            '8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A7' .
+            '1874700133107EC53',
+            16
+        ));
+        $this->setCoefficients(
+            new BigInteger(
+                '8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901' .
+                'D1A71874700133107EC50',
+                16
+            ), // eg. -3
+            new BigInteger(
+                '7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B8' .
+                '8805CED70355A33B471EE',
+                16
+            )
+        );
+        $this->setBasePoint(
+            new BigInteger(
+                '18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946' .
+                'A5F54D8D0AA2F418808CC',
+                16
+            ),
+            new BigInteger(
+                '25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC' .
+                '2B2912675BF5B9E582928',
+                16
+            )
+        );
+        $this->setOrder(new BigInteger(
+            '8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC31' .
+            '03B883202E9046565',
+            16
+        ));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP512r1.php

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * brainpoolP512r1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP512r1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger(
+            'AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC' .
+            '66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3',
+            16
+        ));
+        $this->setCoefficients(
+            new BigInteger(
+                '7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA82' .
+                '53AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA',
+                16
+            ),
+            new BigInteger(
+                '3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C' .
+                '1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723',
+                16
+            )
+        );
+        $this->setBasePoint(
+            new BigInteger(
+                '81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D' .
+                '0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822',
+                16
+            ),
+            new BigInteger(
+                '7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5' .
+                'F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892',
+                16
+            )
+        );
+        $this->setOrder(new BigInteger(
+            'AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA' .
+            '92619418661197FAC10471DB1D381085DDADDB58796829CA90069',
+            16
+        ));
+    }
+}

phpseclib/Crypt/EC/Curves/brainpoolP512t1.php

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * brainpoolP512t1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class brainpoolP512t1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger(
+            'AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC' .
+            '66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3',
+            16
+        ));
+        $this->setCoefficients(
+            new BigInteger(
+                'AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC' .
+                '66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0',
+                16
+            ), // eg. -3
+            new BigInteger(
+                '7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA23049' .
+                '76540F6450085F2DAE145C22553B465763689180EA2571867423E',
+                16
+            )
+        );
+        $this->setBasePoint(
+            new BigInteger(
+                '640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CD' .
+                'B3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA',
+                16
+            ),
+            new BigInteger(
+                '5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEE' .
+                'F216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332',
+                16
+            )
+        );
+        $this->setOrder(new BigInteger(
+            'AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA' .
+            '92619418661197FAC10471DB1D381085DDADDB58796829CA90069',
+            16
+        ));
+    }
+}

phpseclib/Crypt/EC/Curves/nistb233.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistb233
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistb233 extends sect233r1
+{
+}

phpseclib/Crypt/EC/Curves/nistb409.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistb409
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistb409 extends sect409r1
+{
+}

phpseclib/Crypt/EC/Curves/nistk163.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistk163
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistk163 extends sect163k1
+{
+}

phpseclib/Crypt/EC/Curves/nistk233.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistk233
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistk233 extends sect233k1
+{
+}

phpseclib/Crypt/EC/Curves/nistk283.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * sect283k1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistk283 extends sect283k1
+{
+}

phpseclib/Crypt/EC/Curves/nistk409.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistk409
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistk409 extends sect409k1
+{
+}

phpseclib/Crypt/EC/Curves/nistp192.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistp192
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistp192 extends secp192r1
+{
+}

phpseclib/Crypt/EC/Curves/nistp224.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistp224
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistp224 extends secp224r1
+{
+}

phpseclib/Crypt/EC/Curves/nistp256.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistp256
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistp256 extends secp256r1
+{
+}

phpseclib/Crypt/EC/Curves/nistp384.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistp384
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistp384 extends secp384r1
+{
+}

phpseclib/Crypt/EC/Curves/nistp521.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistp521
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistp521 extends secp521r1
+{
+}

phpseclib/Crypt/EC/Curves/nistt571.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * nistt571
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class nistt571 extends sect571k1
+{
+}

phpseclib/Crypt/EC/Curves/prime192v1.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * prime192v1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class prime192v1 extends secp192r1
+{
+}

phpseclib/Crypt/EC/Curves/prime192v2.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * prime192v2
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class prime192v2 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF', 16));
+        $this->setCoefficients(
+            new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC', 16),
+            new BigInteger('CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A', 16),
+            new BigInteger('6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15', 16)
+        );
+        $this->setOrder(new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/prime192v3.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * prime192v3
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class prime192v3 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF', 16));
+        $this->setCoefficients(
+            new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC', 16),
+            new BigInteger('22123DC2395A05CAA7423DAECCC94760A7D462256BD56916', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896', 16),
+            new BigInteger('38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0', 16)
+        );
+        $this->setOrder(new BigInteger('FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/prime239v1.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * prime239v1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class prime239v1 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF', 16));
+        $this->setCoefficients(
+            new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC', 16),
+            new BigInteger('6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF', 16),
+            new BigInteger('7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE', 16)
+        );
+        $this->setOrder(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/prime239v2.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * prime239v2
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class prime239v2 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF', 16));
+        $this->setCoefficients(
+            new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC', 16),
+            new BigInteger('617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7', 16),
+            new BigInteger('5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA', 16)
+        );
+        $this->setOrder(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/prime239v3.php

@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * prime239v3
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+use phpseclib3\Crypt\EC\BaseCurves\Prime;
+use phpseclib3\Math\BigInteger;
+
+class prime239v3 extends Prime
+{
+    public function __construct()
+    {
+        $this->setModulo(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF', 16));
+        $this->setCoefficients(
+            new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC', 16),
+            new BigInteger('255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E', 16)
+        );
+        $this->setBasePoint(
+            new BigInteger('6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A', 16),
+            new BigInteger('1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3', 16)
+        );
+        $this->setOrder(new BigInteger('7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551', 16));
+    }
+}

phpseclib/Crypt/EC/Curves/prime256v1.php

@@ -0,0 +1,20 @@
+<?php
+
+/**
+ * prime256v1
+ *
+ * PHP version 5 and 7
+ *
+ * @author    Jim Wigginton <terrafrost@php.net>
+ * @copyright 2017 Jim Wigginton
+ * @license   http://www.opensource.org/licenses/mit-license.html  MIT License
+ * @link      http://pear.php.net/package/Math_BigInteger
+ */
+
+declare(strict_types=1);
+
+namespace phpseclib3\Crypt\EC\Curves;
+
+final class prime256v1 extends secp256r1
+{
+}