diff options
author | Anton Luka Šijanec <anton@sijanec.eu> | 2024-05-27 13:08:29 +0200 |
---|---|---|
committer | Anton Luka Šijanec <anton@sijanec.eu> | 2024-05-27 13:08:29 +0200 |
commit | 75160b12821f7f4299cce7f0b69c83c1502ae071 (patch) | |
tree | 27e25e4ccaef45f0c58b22831164050d1af1d4db /vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php | |
parent | prvi-commit (diff) | |
download | 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar.gz 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar.bz2 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar.lz 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar.xz 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.tar.zst 1ka-75160b12821f7f4299cce7f0b69c83c1502ae071.zip |
Diffstat (limited to 'vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php')
-rw-r--r-- | vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php | 512 |
1 files changed, 256 insertions, 256 deletions
diff --git a/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php index 17a5428..d683a2c 100644 --- a/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php +++ b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php @@ -1,256 +1,256 @@ -<?php - -declare(strict_types=1); - -/* - * The MIT License (MIT) - * - * Copyright (c) 2014-2018 Spomky-Labs - * - * This software may be modified and distributed under the terms - * of the MIT license. See the LICENSE file for details. - */ - -namespace Jose\Component\KeyManagement\KeyConverter; - -use Base64Url\Base64Url; - -/** - * @internal - */ -class KeyConverter -{ - /** - * @throws \InvalidArgumentException - */ - public static function loadKeyFromCertificateFile(string $file): array - { - if (!\file_exists($file)) { - throw new \InvalidArgumentException(\sprintf('File "%s" does not exist.', $file)); - } - $content = \file_get_contents($file); - - return self::loadKeyFromCertificate($content); - } - - /** - * @throws \InvalidArgumentException - */ - public static function loadKeyFromCertificate(string $certificate): array - { - try { - $res = \openssl_x509_read($certificate); - } catch (\Exception $e) { - $certificate = self::convertDerToPem($certificate); - $res = \openssl_x509_read($certificate); - } - if (false === $res) { - throw new \InvalidArgumentException('Unable to load the certificate.'); - } - - $values = self::loadKeyFromX509Resource($res); - \openssl_x509_free($res); - - return $values; - } - - /** - * @param resource $res - * - * @throws \Exception - */ - public static function loadKeyFromX509Resource($res): array - { - $key = \openssl_get_publickey($res); - - $details = \openssl_pkey_get_details($key); - if (isset($details['key'])) { - $values = self::loadKeyFromPEM($details['key']); - \openssl_x509_export($res, $out); - $x5c = \preg_replace('#-.*-#', '', $out); - $x5c = \preg_replace('~\R~', PHP_EOL, $x5c); - $x5c = \trim($x5c); - $values['x5c'] = [$x5c]; - - $values['x5t'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha1', true)); - $values['x5t#256'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha256', true)); - - return $values; - } - - throw new \InvalidArgumentException('Unable to load the certificate'); - } - - /** - * @throws \Exception - */ - public static function loadFromKeyFile(string $file, ?string $password = null): array - { - $content = \file_get_contents($file); - - return self::loadFromKey($content, $password); - } - - /** - * @throws \Exception - */ - public static function loadFromKey(string $key, ?string $password = null): array - { - try { - return self::loadKeyFromDER($key, $password); - } catch (\Exception $e) { - return self::loadKeyFromPEM($key, $password); - } - } - - /** - * @throws \Exception - */ - private static function loadKeyFromDER(string $der, ?string $password = null): array - { - $pem = self::convertDerToPem($der); - - return self::loadKeyFromPEM($pem, $password); - } - - /** - * @throws \Exception - */ - private static function loadKeyFromPEM(string $pem, ?string $password = null): array - { - if (\preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) { - $pem = self::decodePem($pem, $matches, $password); - } - - self::sanitizePEM($pem); - - $res = \openssl_pkey_get_private($pem); - if (false === $res) { - $res = \openssl_pkey_get_public($pem); - } - if (false === $res) { - throw new \InvalidArgumentException('Unable to load the key.'); - } - - $details = \openssl_pkey_get_details($res); - if (!\is_array($details) || !\array_key_exists('type', $details)) { - throw new \InvalidArgumentException('Unable to get details of the key'); - } - - switch ($details['type']) { - case OPENSSL_KEYTYPE_EC: - $ec_key = ECKey::createFromPEM($pem); - - return $ec_key->toArray(); - case OPENSSL_KEYTYPE_RSA: - $rsa_key = RSAKey::createFromPEM($pem); - $rsa_key->optimize(); - - return $rsa_key->toArray(); - default: - throw new \InvalidArgumentException('Unsupported key type'); - } - } - - /** - * This method modifies the PEM to get 64 char lines and fix bug with old OpenSSL versions. - */ - private static function sanitizePEM(string &$pem) - { - \preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER); - $ciphertext = \preg_replace('#-.*-|\r|\n| #', '', $pem); - - $pem = $matches[0][0].PHP_EOL; - $pem .= \chunk_split($ciphertext, 64, PHP_EOL); - $pem .= $matches[0][1].PHP_EOL; - } - - /** - * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean! - * It is mandatory to verify the root CA or intermediate CA are trusted. - * If not done, it may lead to potential security issues. - */ - public static function loadFromX5C(array $x5c): array - { - $certificate = null; - $last_issuer = null; - $last_subject = null; - foreach ($x5c as $cert) { - $current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.\chunk_split($cert,64,PHP_EOL).'-----END CERTIFICATE-----'; - $x509 = \openssl_x509_read($current_cert); - if (false === $x509) { - $last_issuer = null; - $last_subject = null; - - break; - } - $parsed = \openssl_x509_parse($x509); - - \openssl_x509_free($x509); - if (false === $parsed) { - $last_issuer = null; - $last_subject = null; - - break; - } - if (null === $last_subject) { - $last_subject = $parsed['subject']; - $last_issuer = $parsed['issuer']; - $certificate = $current_cert; - } else { - if (\json_encode($last_issuer) === \json_encode($parsed['subject'])) { - $last_subject = $parsed['subject']; - $last_issuer = $parsed['issuer']; - } else { - $last_issuer = null; - $last_subject = null; - - break; - } - } - } - - return self::loadKeyFromCertificate($certificate); - } - - /** - * @param string[] $matches - */ - private static function decodePem(string $pem, array $matches, ?string $password = null): string - { - if (null === $password) { - throw new \InvalidArgumentException('Password required for encrypted keys.'); - } - - $iv = \pack('H*', \trim($matches[2])); - $iv_sub = \mb_substr($iv, 0, 8, '8bit'); - $symkey = \pack('H*', \md5($password.$iv_sub)); - $symkey .= \pack('H*', \md5($symkey.$password.$iv_sub)); - $key = \preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem); - $ciphertext = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $key), true); - - $decoded = \openssl_decrypt($ciphertext, \mb_strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv); - if (!\is_string($decoded)) { - throw new \InvalidArgumentException('Incorrect password. Key decryption failed.'); - } - - $number = \preg_match_all('#-{5}.*-{5}#', $pem, $result); - if (2 !== $number) { - throw new \InvalidArgumentException('Unable to load the key'); - } - - $pem = $result[0][0].PHP_EOL; - $pem .= \chunk_split(\base64_encode($decoded), 64); - $pem .= $result[0][1].PHP_EOL; - - return $pem; - } - - private static function convertDerToPem(string $der_data): string - { - $pem = \chunk_split(\base64_encode($der_data), 64, PHP_EOL); - $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL; - - return $pem; - } -} +<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyConverter;
+
+use Base64Url\Base64Url;
+
+/**
+ * @internal
+ */
+class KeyConverter
+{
+ /**
+ * @throws \InvalidArgumentException
+ */
+ public static function loadKeyFromCertificateFile(string $file): array
+ {
+ if (!\file_exists($file)) {
+ throw new \InvalidArgumentException(\sprintf('File "%s" does not exist.', $file));
+ }
+ $content = \file_get_contents($file);
+
+ return self::loadKeyFromCertificate($content);
+ }
+
+ /**
+ * @throws \InvalidArgumentException
+ */
+ public static function loadKeyFromCertificate(string $certificate): array
+ {
+ try {
+ $res = \openssl_x509_read($certificate);
+ } catch (\Exception $e) {
+ $certificate = self::convertDerToPem($certificate);
+ $res = \openssl_x509_read($certificate);
+ }
+ if (false === $res) {
+ throw new \InvalidArgumentException('Unable to load the certificate.');
+ }
+
+ $values = self::loadKeyFromX509Resource($res);
+ \openssl_x509_free($res);
+
+ return $values;
+ }
+
+ /**
+ * @param resource $res
+ *
+ * @throws \Exception
+ */
+ public static function loadKeyFromX509Resource($res): array
+ {
+ $key = \openssl_get_publickey($res);
+
+ $details = \openssl_pkey_get_details($key);
+ if (isset($details['key'])) {
+ $values = self::loadKeyFromPEM($details['key']);
+ \openssl_x509_export($res, $out);
+ $x5c = \preg_replace('#-.*-#', '', $out);
+ $x5c = \preg_replace('~\R~', PHP_EOL, $x5c);
+ $x5c = \trim($x5c);
+ $values['x5c'] = [$x5c];
+
+ $values['x5t'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha1', true));
+ $values['x5t#256'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha256', true));
+
+ return $values;
+ }
+
+ throw new \InvalidArgumentException('Unable to load the certificate');
+ }
+
+ /**
+ * @throws \Exception
+ */
+ public static function loadFromKeyFile(string $file, ?string $password = null): array
+ {
+ $content = \file_get_contents($file);
+
+ return self::loadFromKey($content, $password);
+ }
+
+ /**
+ * @throws \Exception
+ */
+ public static function loadFromKey(string $key, ?string $password = null): array
+ {
+ try {
+ return self::loadKeyFromDER($key, $password);
+ } catch (\Exception $e) {
+ return self::loadKeyFromPEM($key, $password);
+ }
+ }
+
+ /**
+ * @throws \Exception
+ */
+ private static function loadKeyFromDER(string $der, ?string $password = null): array
+ {
+ $pem = self::convertDerToPem($der);
+
+ return self::loadKeyFromPEM($pem, $password);
+ }
+
+ /**
+ * @throws \Exception
+ */
+ private static function loadKeyFromPEM(string $pem, ?string $password = null): array
+ {
+ if (\preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
+ $pem = self::decodePem($pem, $matches, $password);
+ }
+
+ self::sanitizePEM($pem);
+
+ $res = \openssl_pkey_get_private($pem);
+ if (false === $res) {
+ $res = \openssl_pkey_get_public($pem);
+ }
+ if (false === $res) {
+ throw new \InvalidArgumentException('Unable to load the key.');
+ }
+
+ $details = \openssl_pkey_get_details($res);
+ if (!\is_array($details) || !\array_key_exists('type', $details)) {
+ throw new \InvalidArgumentException('Unable to get details of the key');
+ }
+
+ switch ($details['type']) {
+ case OPENSSL_KEYTYPE_EC:
+ $ec_key = ECKey::createFromPEM($pem);
+
+ return $ec_key->toArray();
+ case OPENSSL_KEYTYPE_RSA:
+ $rsa_key = RSAKey::createFromPEM($pem);
+ $rsa_key->optimize();
+
+ return $rsa_key->toArray();
+ default:
+ throw new \InvalidArgumentException('Unsupported key type');
+ }
+ }
+
+ /**
+ * This method modifies the PEM to get 64 char lines and fix bug with old OpenSSL versions.
+ */
+ private static function sanitizePEM(string &$pem)
+ {
+ \preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
+ $ciphertext = \preg_replace('#-.*-|\r|\n| #', '', $pem);
+
+ $pem = $matches[0][0].PHP_EOL;
+ $pem .= \chunk_split($ciphertext, 64, PHP_EOL);
+ $pem .= $matches[0][1].PHP_EOL;
+ }
+
+ /**
+ * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean!
+ * It is mandatory to verify the root CA or intermediate CA are trusted.
+ * If not done, it may lead to potential security issues.
+ */
+ public static function loadFromX5C(array $x5c): array
+ {
+ $certificate = null;
+ $last_issuer = null;
+ $last_subject = null;
+ foreach ($x5c as $cert) {
+ $current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.\chunk_split($cert,64,PHP_EOL).'-----END CERTIFICATE-----';
+ $x509 = \openssl_x509_read($current_cert);
+ if (false === $x509) {
+ $last_issuer = null;
+ $last_subject = null;
+
+ break;
+ }
+ $parsed = \openssl_x509_parse($x509);
+
+ \openssl_x509_free($x509);
+ if (false === $parsed) {
+ $last_issuer = null;
+ $last_subject = null;
+
+ break;
+ }
+ if (null === $last_subject) {
+ $last_subject = $parsed['subject'];
+ $last_issuer = $parsed['issuer'];
+ $certificate = $current_cert;
+ } else {
+ if (\json_encode($last_issuer) === \json_encode($parsed['subject'])) {
+ $last_subject = $parsed['subject'];
+ $last_issuer = $parsed['issuer'];
+ } else {
+ $last_issuer = null;
+ $last_subject = null;
+
+ break;
+ }
+ }
+ }
+
+ return self::loadKeyFromCertificate($certificate);
+ }
+
+ /**
+ * @param string[] $matches
+ */
+ private static function decodePem(string $pem, array $matches, ?string $password = null): string
+ {
+ if (null === $password) {
+ throw new \InvalidArgumentException('Password required for encrypted keys.');
+ }
+
+ $iv = \pack('H*', \trim($matches[2]));
+ $iv_sub = \mb_substr($iv, 0, 8, '8bit');
+ $symkey = \pack('H*', \md5($password.$iv_sub));
+ $symkey .= \pack('H*', \md5($symkey.$password.$iv_sub));
+ $key = \preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem);
+ $ciphertext = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $key), true);
+
+ $decoded = \openssl_decrypt($ciphertext, \mb_strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv);
+ if (!\is_string($decoded)) {
+ throw new \InvalidArgumentException('Incorrect password. Key decryption failed.');
+ }
+
+ $number = \preg_match_all('#-{5}.*-{5}#', $pem, $result);
+ if (2 !== $number) {
+ throw new \InvalidArgumentException('Unable to load the key');
+ }
+
+ $pem = $result[0][0].PHP_EOL;
+ $pem .= \chunk_split(\base64_encode($decoded), 64);
+ $pem .= $result[0][1].PHP_EOL;
+
+ return $pem;
+ }
+
+ private static function convertDerToPem(string $der_data): string
+ {
+ $pem = \chunk_split(\base64_encode($der_data), 64, PHP_EOL);
+ $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;
+
+ return $pem;
+ }
+}
|