diff options
| author | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
|---|---|---|
| committer | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
| commit | 19985dbb8c0aa66dc4bf7905abc1148de909097d (patch) | |
| tree | 2cd5a5d20d7e80fc2a51adf60d838d8a2c40999e /vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php | |
| download | 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.gz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.bz2 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.lz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.xz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.zst 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.zip | |
Diffstat (limited to 'vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php')
| -rw-r--r-- | vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php | 256 |
1 files changed, 256 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php new file mode 100644 index 0000000..17a5428 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php @@ -0,0 +1,256 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyConverter; + +use Base64Url\Base64Url; + +/** + * @internal + */ +class KeyConverter +{ + /** + * @throws \InvalidArgumentException + */ + public static function loadKeyFromCertificateFile(string $file): array + { + if (!\file_exists($file)) { + throw new \InvalidArgumentException(\sprintf('File "%s" does not exist.', $file)); + } + $content = \file_get_contents($file); + + return self::loadKeyFromCertificate($content); + } + + /** + * @throws \InvalidArgumentException + */ + public static function loadKeyFromCertificate(string $certificate): array + { + try { + $res = \openssl_x509_read($certificate); + } catch (\Exception $e) { + $certificate = self::convertDerToPem($certificate); + $res = \openssl_x509_read($certificate); + } + if (false === $res) { + throw new \InvalidArgumentException('Unable to load the certificate.'); + } + + $values = self::loadKeyFromX509Resource($res); + \openssl_x509_free($res); + + return $values; + } + + /** + * @param resource $res + * + * @throws \Exception + */ + public static function loadKeyFromX509Resource($res): array + { + $key = \openssl_get_publickey($res); + + $details = \openssl_pkey_get_details($key); + if (isset($details['key'])) { + $values = self::loadKeyFromPEM($details['key']); + \openssl_x509_export($res, $out); + $x5c = \preg_replace('#-.*-#', '', $out); + $x5c = \preg_replace('~\R~', PHP_EOL, $x5c); + $x5c = \trim($x5c); + $values['x5c'] = [$x5c]; + + $values['x5t'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha1', true)); + $values['x5t#256'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha256', true)); + + return $values; + } + + throw new \InvalidArgumentException('Unable to load the certificate'); + } + + /** + * @throws \Exception + */ + public static function loadFromKeyFile(string $file, ?string $password = null): array + { + $content = \file_get_contents($file); + + return self::loadFromKey($content, $password); + } + + /** + * @throws \Exception + */ + public static function loadFromKey(string $key, ?string $password = null): array + { + try { + return self::loadKeyFromDER($key, $password); + } catch (\Exception $e) { + return self::loadKeyFromPEM($key, $password); + } + } + + /** + * @throws \Exception + */ + private static function loadKeyFromDER(string $der, ?string $password = null): array + { + $pem = self::convertDerToPem($der); + + return self::loadKeyFromPEM($pem, $password); + } + + /** + * @throws \Exception + */ + private static function loadKeyFromPEM(string $pem, ?string $password = null): array + { + if (\preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) { + $pem = self::decodePem($pem, $matches, $password); + } + + self::sanitizePEM($pem); + + $res = \openssl_pkey_get_private($pem); + if (false === $res) { + $res = \openssl_pkey_get_public($pem); + } + if (false === $res) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $details = \openssl_pkey_get_details($res); + if (!\is_array($details) || !\array_key_exists('type', $details)) { + throw new \InvalidArgumentException('Unable to get details of the key'); + } + + switch ($details['type']) { + case OPENSSL_KEYTYPE_EC: + $ec_key = ECKey::createFromPEM($pem); + + return $ec_key->toArray(); + case OPENSSL_KEYTYPE_RSA: + $rsa_key = RSAKey::createFromPEM($pem); + $rsa_key->optimize(); + + return $rsa_key->toArray(); + default: + throw new \InvalidArgumentException('Unsupported key type'); + } + } + + /** + * This method modifies the PEM to get 64 char lines and fix bug with old OpenSSL versions. + */ + private static function sanitizePEM(string &$pem) + { + \preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER); + $ciphertext = \preg_replace('#-.*-|\r|\n| #', '', $pem); + + $pem = $matches[0][0].PHP_EOL; + $pem .= \chunk_split($ciphertext, 64, PHP_EOL); + $pem .= $matches[0][1].PHP_EOL; + } + + /** + * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean! + * It is mandatory to verify the root CA or intermediate CA are trusted. + * If not done, it may lead to potential security issues. + */ + public static function loadFromX5C(array $x5c): array + { + $certificate = null; + $last_issuer = null; + $last_subject = null; + foreach ($x5c as $cert) { + $current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.\chunk_split($cert,64,PHP_EOL).'-----END CERTIFICATE-----'; + $x509 = \openssl_x509_read($current_cert); + if (false === $x509) { + $last_issuer = null; + $last_subject = null; + + break; + } + $parsed = \openssl_x509_parse($x509); + + \openssl_x509_free($x509); + if (false === $parsed) { + $last_issuer = null; + $last_subject = null; + + break; + } + if (null === $last_subject) { + $last_subject = $parsed['subject']; + $last_issuer = $parsed['issuer']; + $certificate = $current_cert; + } else { + if (\json_encode($last_issuer) === \json_encode($parsed['subject'])) { + $last_subject = $parsed['subject']; + $last_issuer = $parsed['issuer']; + } else { + $last_issuer = null; + $last_subject = null; + + break; + } + } + } + + return self::loadKeyFromCertificate($certificate); + } + + /** + * @param string[] $matches + */ + private static function decodePem(string $pem, array $matches, ?string $password = null): string + { + if (null === $password) { + throw new \InvalidArgumentException('Password required for encrypted keys.'); + } + + $iv = \pack('H*', \trim($matches[2])); + $iv_sub = \mb_substr($iv, 0, 8, '8bit'); + $symkey = \pack('H*', \md5($password.$iv_sub)); + $symkey .= \pack('H*', \md5($symkey.$password.$iv_sub)); + $key = \preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem); + $ciphertext = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $key), true); + + $decoded = \openssl_decrypt($ciphertext, \mb_strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv); + if (!\is_string($decoded)) { + throw new \InvalidArgumentException('Incorrect password. Key decryption failed.'); + } + + $number = \preg_match_all('#-{5}.*-{5}#', $pem, $result); + if (2 !== $number) { + throw new \InvalidArgumentException('Unable to load the key'); + } + + $pem = $result[0][0].PHP_EOL; + $pem .= \chunk_split(\base64_encode($decoded), 64); + $pem .= $result[0][1].PHP_EOL; + + return $pem; + } + + private static function convertDerToPem(string $der_data): string + { + $pem = \chunk_split(\base64_encode($der_data), 64, PHP_EOL); + $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL; + + return $pem; + } +} |