SslChecker::checkBlackList() - Code Metrics - Inspection of "Merge pull request #48 from ARCANEDEV/feature-add_..." - ARCANEDEV/Stripe - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 388c50...c3616e )

by ARCANEDEV

created 2017-04-14 11:18 UTC

SslChecker::checkBlackList() A

↳ Parent: SslChecker

Complexity

Conditions	2
Paths	2

Size

Total Lines	10
Code Lines	6

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	5
CRAP Score	2.0185

Importance

Changes

Metric	Value
cc	2
eloc	6
nc	2
nop	1
dl	0
loc	10
ccs	5
cts	6
cp	0.8333
crap	2.0185
rs	9.4285
c	0
b	0
f	0

<?php namespace Arcanedev\Stripe\Http\Curl;

use Arcanedev\Stripe\Contracts\Http\Curl\SslChecker as SslCheckerContract;
use Arcanedev\Stripe\Exceptions\ApiConnectionException;

/**
 * Class     SslChecker
 *
 * @package  Arcanedev\Stripe\Http\Curl
 * @author   ARCANEDEV <[email protected]>
 */
class SslChecker implements SslCheckerContract
{
    /* ------------------------------------------------------------------------------------------------
     |  Properties
     | ------------------------------------------------------------------------------------------------
     */
    /** @var string */
    protected $url = '';

    /* ------------------------------------------------------------------------------------------------
     |  Getters & Setters
     | ------------------------------------------------------------------------------------------------
     */
    /**
     * Get URL.
     *
     * @return string
     */
    public function getUrl()
    {
        return $this->url;
    }

    /**
     * Set URL.
     *
     * @param  string  $url
     *
     * @return self
     */
    public function setUrl($url)
    {
        $this->url = $this->prepareUrl($url);

        return $this;
    }

    /* ------------------------------------------------------------------------------------------------
     |  Main Functions
     | ------------------------------------------------------------------------------------------------
     */
    /**
     * Preflight the SSL certificate presented by the backend. This isn't 100%
     * bulletproof, in that we're not actually validating the transport used to
     * communicate with Stripe, merely that the first attempt to does not use a
     * revoked certificate.
     *
     * Unfortunately the interface to OpenSSL doesn't make it easy to check the
     * certificate before sending potentially sensitive data on the wire. This
     * approach raises the bar for an attacker significantly.
     *
     * @param  string  $url
     *
     * @return bool
     */
    public function checkCert($url)
    {
        if ( ! $this->hasStreamExtensions())
            return $this->showStreamExtensionWarning();

        $this->setUrl($url);

        list($result, $errorNo, $errorStr) = $this->streamSocketClient();

        $this->checkResult($result, $errorNo, $errorStr);

        openssl_x509_export(
            stream_context_get_params($result)['options']['ssl']['peer_certificate'],
            $pemCert
        );

        $this->checkBlackList($pemCert);

        return true;
    }

    /* ------------------------------------------------------------------------------------------------
     |  Check Functions
     | ------------------------------------------------------------------------------------------------
     */
    /**
     * Check black list.
     *
     * @param  string  $pemCert
     *
     * @throws \Arcanedev\Stripe\Exceptions\ApiConnectionException
     */
    public function checkBlackList($pemCert)
    {
        if ($this->isBlackListed($pemCert)) {
            throw new ApiConnectionException(
                'Invalid server certificate. You tried to connect to a server that has a revoked SSL certificate, '.
                'which means we cannot securely send data to that server. '.
                'Please email [email protected] if you need help connecting to the correct API server.'
            );
        }
    }

    /**
     * Checks if a valid PEM encoded certificate is blacklisted.
     *
     * @param  string  $cert
     *
     * @return bool
     */
    public function isBlackListed($cert)
    {
        $lines = explode("\n", trim($cert));

        // Kludgily remove the PEM padding
        array_shift($lines);
        array_pop($lines);

        $fingerprint = sha1(base64_decode(implode('', $lines)));

        return in_array($fingerprint, [
            '05c0b3643694470a888c6e7feb5c9e24e823dc53',
            '5b7dc7fbc98d78bf76d4d4fa6f597a0c901fad5c',
        ]);
    }


    /**
     * Stream Extension exists - Return true if one of the extensions not found.
     *
     * @return bool
     */
    private function hasStreamExtensions()
    {
        return function_exists('stream_context_get_params') &&
               function_exists('stream_socket_enable_crypto');
    }

    /**
     * Check if has errors or empty result.
     *
     * @param  mixed     $result
     * @param  int|null  $errorNo
     * @param  string    $errorStr
     *
     * @throws \Arcanedev\Stripe\Exceptions\ApiConnectionException
     */
    private function checkResult($result, $errorNo, $errorStr)
    {
        if (
            ($errorNo !== 0 && $errorNo !== null) || $result === false
        )
            throw new ApiConnectionException(
                'Could not connect to Stripe ('.$this->getUrl().').  Please check your internet connection and try again. ' .
                'If this problem persists, you should check Stripe\'s service status at https://twitter.com/stripestatus. ' .
                'Reason was: ' . $errorStr
            );
    }

    /**
     * Check if has SSL Errors
     *
     * @param  int  $errorNum
     *
     * @return bool
     */
    public static function hasCertErrors($errorNum)
    {
        return in_array($errorNum, [
            CURLE_SSL_CACERT,
            CURLE_SSL_PEER_CERTIFICATE,
            CURLE_SSL_CACERT_BADFILE
        ]);
    }

    /* ------------------------------------------------------------------------------------------------
     |  Other Functions
     | ------------------------------------------------------------------------------------------------
     */
    /**
     * Prepare SSL URL.
     *
     * @param  string  $url
     *
     * @return string
     */
    private function prepareUrl($url)
    {
        $url  = parse_url($url);

        return "ssl://{$url['host']}:" . (isset($url['port']) ? $url['port'] : 443);
    }

    /**
     * Open a socket connection.
     *
     * @return array
     */
    private function streamSocketClient()
    {
        $result = stream_socket_client(
            $this->getUrl(),
            $errorNo,
            $errorStr,
            30,
            STREAM_CLIENT_CONNECT,
            stream_context_create([
                'ssl' => [
                    'capture_peer_cert' => true,
                    'verify_peer'       => true,
                    'cafile'            => self::caBundle(),
                ],
            ])
        );

        return [$result, $errorNo, $errorStr];
    }

    /**
     * Get the certificates file path.
     *
     * @return string
     */
    public static function caBundle()
    {
        return realpath(__DIR__.'/../../../data/ca-certificates.crt');
    }

    /**
     * Show Stream Extension Warning (stream_socket_enable_crypto is not supported in HHVM).
     *
     * @return true
     */
    private function showStreamExtensionWarning()
    {
        if ( ! is_testing())
            error_log(
                'Warning: ' . (is_hhvm() ? 'The HHVM (HipHop VM)' : 'This version of PHP') .
                ' does not support checking SSL certificates Stripe cannot guarantee that the server has a ' .
                'certificate which is not blacklisted.'
            );

        return true;
    }
}


1		<?php namespace Arcanedev\Stripe\Http\Curl;
2
3		use Arcanedev\Stripe\Contracts\Http\Curl\SslChecker as SslCheckerContract;
4		use Arcanedev\Stripe\Exceptions\ApiConnectionException;
5
6		/**
7		* Class SslChecker
8		*
9		* @package Arcanedev\Stripe\Http\Curl
10		* @author ARCANEDEV <[email protected]>
11		*/
12		class SslChecker implements SslCheckerContract
13		{
14		/* ------------------------------------------------------------------------------------------------
15		\| Properties
16		\| ------------------------------------------------------------------------------------------------
17		*/
18		/** @var string */
19		protected $url = '';
20
21		/* ------------------------------------------------------------------------------------------------
22		\| Getters & Setters
23		\| ------------------------------------------------------------------------------------------------
24		*/
25		/**
26		* Get URL.
27		*
28		* @return string
29		*/
30	6	public function getUrl()
31		{
32	6	return $this->url;
33		}
34
35		/**
36		* Set URL.
37		*
38		* @param string $url
39		*
40		* @return self
41		*/
42	2	public function setUrl($url)
43		{
44	2	$this->url = $this->prepareUrl($url);
45
46	2	return $this;
47		}
48
49		/* ------------------------------------------------------------------------------------------------
50		\| Main Functions
51		\| ------------------------------------------------------------------------------------------------
52		*/
53		/**
54		* Preflight the SSL certificate presented by the backend. This isn't 100%
55		* bulletproof, in that we're not actually validating the transport used to
56		* communicate with Stripe, merely that the first attempt to does not use a
57		* revoked certificate.
58		*
59		* Unfortunately the interface to OpenSSL doesn't make it easy to check the
60		* certificate before sending potentially sensitive data on the wire. This
61		* approach raises the bar for an attacker significantly.
62		*
63		* @param string $url
64		*
65		* @return bool
66		*/
67		public function checkCert($url)
68		{
69		if ( ! $this->hasStreamExtensions())
70		return $this->showStreamExtensionWarning();
71
72		$this->setUrl($url);
73
74		list($result, $errorNo, $errorStr) = $this->streamSocketClient();
75
76		$this->checkResult($result, $errorNo, $errorStr);
77
78		openssl_x509_export(
79		stream_context_get_params($result)['options']['ssl']['peer_certificate'],
80		$pemCert
81		);
82
83		$this->checkBlackList($pemCert);
84
85		return true;
86		}
87
88		/* ------------------------------------------------------------------------------------------------
89		\| Check Functions
90		\| ------------------------------------------------------------------------------------------------
91		*/
92		/**
93		* Check black list.
94		*
95		* @param string $pemCert
96		*
97		* @throws \Arcanedev\Stripe\Exceptions\ApiConnectionException
98		*/
99	2	public function checkBlackList($pemCert)
100		{
101	2	if ($this->isBlackListed($pemCert)) {
102	2	throw new ApiConnectionException(
103		'Invalid server certificate. You tried to connect to a server that has a revoked SSL certificate, '.
104	2	'which means we cannot securely send data to that server. '.
105		'Please email [email protected] if you need help connecting to the correct API server.'
106	2	);
107		}
108		}
109
110		/**
111		* Checks if a valid PEM encoded certificate is blacklisted.
112		*
113		* @param string $cert
114		*
115		* @return bool
116		*/
117	4	public function isBlackListed($cert)
118		{
119	4	$lines = explode("\n", trim($cert));
120
121		// Kludgily remove the PEM padding
122	4	array_shift($lines);
123	4	array_pop($lines);
124
125	4	$fingerprint = sha1(base64_decode(implode('', $lines)));
126
127	4	return in_array($fingerprint, [
128	4	'05c0b3643694470a888c6e7feb5c9e24e823dc53',
129	4	'5b7dc7fbc98d78bf76d4d4fa6f597a0c901fad5c',
130	4	]);
131		}
132
133
134		/**
135		* Stream Extension exists - Return true if one of the extensions not found.
136		*
137		* @return bool
138		*/
139		private function hasStreamExtensions()
140		{
141		return function_exists('stream_context_get_params') &&
142		function_exists('stream_socket_enable_crypto');
143		}
144
145		/**
146		* Check if has errors or empty result.
147		*
148		* @param mixed $result
149		* @param int\|null $errorNo
150		* @param string $errorStr
151		*
152		* @throws \Arcanedev\Stripe\Exceptions\ApiConnectionException
153		*/
154	4	private function checkResult($result, $errorNo, $errorStr)
155		{
156		if (
157	4	($errorNo !== 0 && $errorNo !== null) \|\| $result === false
158	2	)
159	4	throw new ApiConnectionException(
160	4	'Could not connect to Stripe ('.$this->getUrl().'). Please check your internet connection and try again. ' .
161	4	'If this problem persists, you should check Stripe\'s service status at https://twitter.com/stripestatus. ' .
162	4	'Reason was: ' . $errorStr
163	4	);
164		}
165
166		/**
167		* Check if has SSL Errors
168		*
169		* @param int $errorNum
170		*
171		* @return bool
172		*/
173	308	public static function hasCertErrors($errorNum)
174		{
175	308	return in_array($errorNum, [
176	308	CURLE_SSL_CACERT,
177	308	CURLE_SSL_PEER_CERTIFICATE,
178		CURLE_SSL_CACERT_BADFILE
179	308	]);
180		}
181
182		/* ------------------------------------------------------------------------------------------------
183		\| Other Functions
184		\| ------------------------------------------------------------------------------------------------
185		*/
186		/**
187		* Prepare SSL URL.
188		*
189		* @param string $url
190		*
191		* @return string
192		*/
193	2	private function prepareUrl($url)
194		{
195	2	$url = parse_url($url);
196
197	2	return "ssl://{$url['host']}:" . (isset($url['port']) ? $url['port'] : 443);
198		}
199
200		/**
201		* Open a socket connection.
202		*
203		* @return array
204		*/
205		private function streamSocketClient()
206		{
207		$result = stream_socket_client(
208		$this->getUrl(),
209		$errorNo,
210		$errorStr,
211		30,
212		STREAM_CLIENT_CONNECT,
213		stream_context_create([
214		'ssl' => [
215		'capture_peer_cert' => true,
216		'verify_peer' => true,
217		'cafile' => self::caBundle(),
218		],
219		])
220		);
221
222		return [$result, $errorNo, $errorStr];
223		}
224
225		/**
226		* Get the certificates file path.
227		*
228		* @return string
229		*/
230	2	public static function caBundle()
231		{
232	2	return realpath(__DIR__.'/../../../data/ca-certificates.crt');
233		}
234
235		/**
236		* Show Stream Extension Warning (stream_socket_enable_crypto is not supported in HHVM).
237		*
238		* @return true
239		*/
240	2	private function showStreamExtensionWarning()
241		{
242	2	if ( ! is_testing())
243	2	error_log(
244		'Warning: ' . (is_hhvm() ? 'The HHVM (HipHop VM)' : 'This version of PHP') .
245		' does not support checking SSL certificates Stripe cannot guarantee that the server has a ' .
246		'certificate which is not blacklisted.'
247		);
248
249	2	return true;
250		}
251		}
252

ARCANEDEV / Stripe

Push — master ( 388c50...c3616e )

SslChecker::checkBlackList() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like