RequestSigner::signData() - Code Metrics - Inspection of "API break: rewrite PaymentProtocol classes (#301)" - Bit-Wasp/bitcoin-php - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( b34763...3537a1 )

by thomas

created 2016-05-27 15:19 UTC

RequestSigner::signData() A

↳ Parent: RequestSigner

Complexity

Conditions	3
Paths	3

Size

Total Lines	13
Code Lines	7

Duplication

Lines	0
Ratio	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
cc	3
eloc	7
nc	3
nop	1
dl	0
loc	13
rs	9.4285
c	1
b	0
f	0

<?php

namespace BitWasp\Bitcoin\PaymentProtocol;

use BitWasp\Bitcoin\PaymentProtocol\Protobufs\PaymentRequest as PaymentRequestBuf;
use BitWasp\Bitcoin\PaymentProtocol\Protobufs\X509Certificates as X509CertificatesBuf;

class RequestSigner
{
    const SHA256 = 'x509+sha256';
    const SHA1 = 'x509+sha1';
    const NONE = 'none';
    
    /**
     * @var string
     */
    private $type;

    /**
     * @var int
     */
    private $algoConst;

    /**
     * @var X509CertificatesBuf
     */
    private $certificates;

    /**
     * @var resource
     */
    private $privateKey;

    /**
     * @param string $type
     * @param string $keyFile
     * @param string $certFile
     * @throws \Exception
     */
    public function __construct($type = null, $keyFile = '', $certFile = '')
    {
        if ($type === null) {
            $type = self::NONE;
        }
        
        if (false === in_array($type, [self::NONE, self::SHA1, self::SHA256], true)) {
            throw new \InvalidArgumentException('Invalid BIP70 signature type');
        }

        $this->type = $type;
        $this->certificates = new X509CertificatesBuf();

        if ($type !== self::NONE) {
            $this->initialize($keyFile, $certFile);
        }
    }

    /**
     * @return RequestSigner
     */
    public static function none()
    {
        return new self(self::NONE);
    }

    /**
     * @param string $keyFile
     * @param string $certFile
     * @return RequestSigner
     */
    public static function sha1($keyFile, $certFile)
    {
        return new self(self::SHA1, $keyFile, $certFile);
    }

    /**
     * @param string $keyFile
     * @param string $certFile
     * @return RequestSigner
     */
    public static function sha256($keyFile, $certFile)
    {
        return new self(self::SHA256, $keyFile, $certFile);
    }

    /**
     * @return bool
     */
    public function supportsSha256()
    {
        return defined('OPENSSL_ALGO_SHA256');
    }

    /**
     * @param string $keyFile - path to key file
     * @param string $certFile - path to certificate chain file
     * @throws \Exception
     */
    private function initialize($keyFile, $certFile)
    {
        if (false === file_exists($keyFile)) {
            throw new \InvalidArgumentException('Private key file does not exist');
        }

        if (false === file_exists($certFile)) {
            throw new \InvalidArgumentException('Certificate file does not exist');
        }

        if (self::SHA256 === $this->type && !$this->supportsSha256()) {
            throw new \Exception('Server does not support x.509+SHA256');
        }

        $chain = $this->fetchChain($certFile);
        if (!is_array($chain) || count($chain) === 0) {
            throw new \RuntimeException('Certificate file contains no certificates');
        }

        foreach ($chain as $cert) {
            $this->certificates->addCertificate($cert);
        }

        $pkeyid = openssl_get_privatekey(file_get_contents($keyFile));
        if (false === $pkeyid) {
            throw new \InvalidArgumentException('Private key is invalid');
        }

        $this->privateKey = $pkeyid;
        $this->algoConst = $this->type === self::SHA256
            ? OPENSSL_ALGO_SHA256
            : OPENSSL_ALGO_SHA1;
    }

    /**
     * @param string $data
     * @return string
     * @throws \Exception
     */
    private function signData($data)
    {
        if ($this->type === self::NONE) {
            throw new \RuntimeException('signData called when Signer is not configured for signatures');
        }

        $signature = '';
        if (!openssl_sign($data, $signature, $this->privateKey, $this->algoConst)) {
            throw new \Exception('PaymentRequestSigner: Unable to create signature');
        }

        return $signature;
    }

    /**
     * Applies the configured signature algorithm, adding values to
     * the protobuf: 'pkiType', 'signature', 'pkiData'
     *
     * @param PaymentRequestBuf $request
     * @return PaymentRequestBuf
     * @throws \Exception
     */
    public function sign(PaymentRequestBuf $request)
    {
        $request->setPkiType($this->type);
        $request->setSignature('');

        if ($this->type !== self::NONE) {
            // PkiData must be captured in signature, and signature must be empty!
            $request->setPkiData($this->certificates->serialize());
            $signature = $this->signData($request->serialize());
            $request->setSignature($signature);
        }

        return $request;
    }

    /**
     * @param PaymentRequestBuf $request
     * @return bool
     */
    public function verify(PaymentRequestBuf $request)
    {
        $type = $request->getPkiType();
        if ($type === self::NONE) {
            return true;
        }

        if ($type === self::SHA256) {
            $algorithm = OPENSSL_ALGO_SHA256;
        } else if ($type === self::SHA1) {
            $algorithm = OPENSSL_ALGO_SHA1;
        } else {
            throw new \RuntimeException('Unsupported signature algorithm');
        }

        $clone = clone $request;
        $clone->setSignature('');
        $data = $clone->serialize();

        // Parse the public key
        $certificates = new X509CertificatesBuf();
        $certificates->parse($clone->getPkiData());
        $certificate = $this->der2pem($certificates->getCertificate(0));
        $pubkeyid = openssl_pkey_get_public($certificate);

        return 1 === openssl_verify($data, $request->getSignature(), $pubkeyid, $algorithm);
    }

    /**
     * Checks whether the decoded certificate is a root / self-signed certificate
     * @param array $certificate
     * @return bool
     */
    private function isRoot($certificate)
    {
        return $certificate['issuer'] === $certificate['subject'];
    }

    /**
     * Fetches parent certificates using network requests
     * Todo: review use of file_get_contents
     * @param $leafCertificate
     * @return false|string
     */
    private function fetchCertificateParent($leafCertificate)
    {
        $pattern = '/CA Issuers - URI:(\\S*)/';
        $matches = array();

        $nMatches = preg_match_all($pattern, $leafCertificate['extensions']['authorityInfoAccess'], $matches);
        if ($nMatches === 0) {
            return false;
        }
        foreach ($matches[1] as $url) {
            $parentCert = file_get_contents($url);
            if ($parentCert && $this->parseCertificate($parentCert)) {
                return $parentCert;
            }
        }

        return false;
    }

    /**
     * Parses a PEM or DER certificate
     * @param string $certData
     * @return array
     */
    private function parseCertificate($certData)
    {
        $begin = '-----BEGIN CERTIFICATE-----';
        $end = '-----END CERTIFICATE-----';

        if (strpos($certData, $begin) !== false) {
            return openssl_x509_parse($certData);
        }
        $d = $begin . "\n";
        $d .= chunk_split(base64_encode($certData));
        $d .= $end . "\n";
        return openssl_x509_parse($d);
    }

    /**
     * @param $certData
     * @return array
     */
    private function der2pem($certData)
    {
        $begin = '-----BEGIN CERTIFICATE-----';
        $end = '-----END CERTIFICATE-----';

        $d = $begin . "\n";
        $d .= chunk_split(base64_encode($certData));
        $d .= $end . "\n";
        return $d;
    }

    /**
     * Decode PEM data, return the internal DER data
     * @param string $pem_data - pem certificate data
     * @return string
     */
    private function pem2der($pem_data)
    {
        $begin = 'CERTIFICATE-----';
        $end = '-----END';
        if (strpos($pem_data, $begin) === false) {
            return $pem_data;
        }
        $pem_data = substr($pem_data, strpos($pem_data, $begin) + strlen($begin));
        $pem_data = substr($pem_data, 0, strpos($pem_data, $end));
        $der = base64_decode($pem_data);
        return $der;
    }

    /**
     * @param string $leaf - path to a file with certificates
     * @return array|bool
     */
    private function fetchChain($leaf)
    {
        $result = array();
        $leaf = file_get_contents($leaf);
        $cert = $this->parseCertificate($leaf);
        if ($cert === false) {
            return false;
        }

        $certData = self::pem2der($leaf);
        $result[] = $certData;
        while ($cert) {

            $result[] = $certData;
            // Only break after adding Cert Data - allows for self-signed certificates
            if ($this->isRoot($cert)) {
                break;
            }
            $certData = $this->fetchCertificateParent($cert);
            $cert = $this->parseCertificate($certData);
<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}
        }

        return $result;
    }
}


1			<?php
2
3			namespace BitWasp\Bitcoin\PaymentProtocol;
4
5			use BitWasp\Bitcoin\PaymentProtocol\Protobufs\PaymentRequest as PaymentRequestBuf;
6			use BitWasp\Bitcoin\PaymentProtocol\Protobufs\X509Certificates as X509CertificatesBuf;
7
8			class RequestSigner
9			{
10			const SHA256 = 'x509+sha256';
11			const SHA1 = 'x509+sha1';
12			const NONE = 'none';
13
14			/**
15			* @var string
16			*/
17			private $type;
18
19			/**
20			* @var int
21			*/
22			private $algoConst;
23
24			/**
25			* @var X509CertificatesBuf
26			*/
27			private $certificates;
28
29			/**
30			* @var resource
31			*/
32			private $privateKey;
33
34			/**
35			* @param string $type
36			* @param string $keyFile
37			* @param string $certFile
38			* @throws \Exception
39			*/
40			public function __construct($type = null, $keyFile = '', $certFile = '')
41			{
42			if ($type === null) {
43			$type = self::NONE;
44			}
45
46			if (false === in_array($type, [self::NONE, self::SHA1, self::SHA256], true)) {
47			throw new \InvalidArgumentException('Invalid BIP70 signature type');
48			}
49
50			$this->type = $type;
51			$this->certificates = new X509CertificatesBuf();
52
53			if ($type !== self::NONE) {
54			$this->initialize($keyFile, $certFile);
55			}
56			}
57
58			/**
59			* @return RequestSigner
60			*/
61			public static function none()
62			{
63			return new self(self::NONE);
64			}
65
66			/**
67			* @param string $keyFile
68			* @param string $certFile
69			* @return RequestSigner
70			*/
71			public static function sha1($keyFile, $certFile)
72			{
73			return new self(self::SHA1, $keyFile, $certFile);
74			}
75
76			/**
77			* @param string $keyFile
78			* @param string $certFile
79			* @return RequestSigner
80			*/
81			public static function sha256($keyFile, $certFile)
82			{
83			return new self(self::SHA256, $keyFile, $certFile);
84			}
85
86			/**
87			* @return bool
88			*/
89			public function supportsSha256()
90			{
91			return defined('OPENSSL_ALGO_SHA256');
92			}
93
94			/**
95			* @param string $keyFile - path to key file
96			* @param string $certFile - path to certificate chain file
97			* @throws \Exception
98			*/
99			private function initialize($keyFile, $certFile)
100			{
101			if (false === file_exists($keyFile)) {
102			throw new \InvalidArgumentException('Private key file does not exist');
103			}
104
105			if (false === file_exists($certFile)) {
106			throw new \InvalidArgumentException('Certificate file does not exist');
107			}
108
109			if (self::SHA256 === $this->type && !$this->supportsSha256()) {
110			throw new \Exception('Server does not support x.509+SHA256');
111			}
112
113			$chain = $this->fetchChain($certFile);
114			if (!is_array($chain) \|\| count($chain) === 0) {
115			throw new \RuntimeException('Certificate file contains no certificates');
116			}
117
118			foreach ($chain as $cert) {
119			$this->certificates->addCertificate($cert);
120			}
121
122			$pkeyid = openssl_get_privatekey(file_get_contents($keyFile));
123			if (false === $pkeyid) {
124			throw new \InvalidArgumentException('Private key is invalid');
125			}
126
127			$this->privateKey = $pkeyid;
128			$this->algoConst = $this->type === self::SHA256
129			? OPENSSL_ALGO_SHA256
130			: OPENSSL_ALGO_SHA1;
131			}
132
133			/**
134			* @param string $data
135			* @return string
136			* @throws \Exception
137			*/
138			private function signData($data)
139			{
140			if ($this->type === self::NONE) {
141			throw new \RuntimeException('signData called when Signer is not configured for signatures');
142			}
143
144			$signature = '';
145			if (!openssl_sign($data, $signature, $this->privateKey, $this->algoConst)) {
146			throw new \Exception('PaymentRequestSigner: Unable to create signature');
147			}
148
149			return $signature;
150			}
151
152			/**
153			* Applies the configured signature algorithm, adding values to
154			* the protobuf: 'pkiType', 'signature', 'pkiData'
155			*
156			* @param PaymentRequestBuf $request
157			* @return PaymentRequestBuf
158			* @throws \Exception
159			*/
160			public function sign(PaymentRequestBuf $request)
161			{
162			$request->setPkiType($this->type);
163			$request->setSignature('');
164
165			if ($this->type !== self::NONE) {
166			// PkiData must be captured in signature, and signature must be empty!
167			$request->setPkiData($this->certificates->serialize());
168			$signature = $this->signData($request->serialize());
169			$request->setSignature($signature);
170			}
171
172			return $request;
173			}
174
175			/**
176			* @param PaymentRequestBuf $request
177			* @return bool
178			*/
179			public function verify(PaymentRequestBuf $request)
180			{
181			$type = $request->getPkiType();
182			if ($type === self::NONE) {
183			return true;
184			}
185
186			if ($type === self::SHA256) {
187			$algorithm = OPENSSL_ALGO_SHA256;
188			} else if ($type === self::SHA1) {
189			$algorithm = OPENSSL_ALGO_SHA1;
190			} else {
191			throw new \RuntimeException('Unsupported signature algorithm');
192			}
193
194			$clone = clone $request;
195			$clone->setSignature('');
196			$data = $clone->serialize();
197
198			// Parse the public key
199			$certificates = new X509CertificatesBuf();
200			$certificates->parse($clone->getPkiData());
201			$certificate = $this->der2pem($certificates->getCertificate(0));
202			$pubkeyid = openssl_pkey_get_public($certificate);
203
204			return 1 === openssl_verify($data, $request->getSignature(), $pubkeyid, $algorithm);
205			}
206
207			/**
208			* Checks whether the decoded certificate is a root / self-signed certificate
209			* @param array $certificate
210			* @return bool
211			*/
212			private function isRoot($certificate)
213			{
214			return $certificate['issuer'] === $certificate['subject'];
215			}
216
217			/**
218			* Fetches parent certificates using network requests
219			* Todo: review use of file_get_contents
220			* @param $leafCertificate
221			* @return false\|string
222			*/
223			private function fetchCertificateParent($leafCertificate)
224			{
225			$pattern = '/CA Issuers - URI:(\\S*)/';
226			$matches = array();
227
228			$nMatches = preg_match_all($pattern, $leafCertificate['extensions']['authorityInfoAccess'], $matches);
229			if ($nMatches === 0) {
230			return false;
231			}
232			foreach ($matches[1] as $url) {
233			$parentCert = file_get_contents($url);
234			if ($parentCert && $this->parseCertificate($parentCert)) {
235			return $parentCert;
236			}
237			}
238
239			return false;
240			}
241
242			/**
243			* Parses a PEM or DER certificate
244			* @param string $certData
245			* @return array
246			*/
247			private function parseCertificate($certData)
248			{
249			$begin = '-----BEGIN CERTIFICATE-----';
250			$end = '-----END CERTIFICATE-----';
251
252			if (strpos($certData, $begin) !== false) {
253			return openssl_x509_parse($certData);
254			}
255			$d = $begin . "\n";
256			$d .= chunk_split(base64_encode($certData));
257			$d .= $end . "\n";
258			return openssl_x509_parse($d);
259			}
260
261			/**
262			* @param $certData
263			* @return array
264			*/
265			private function der2pem($certData)
266			{
267			$begin = '-----BEGIN CERTIFICATE-----';
268			$end = '-----END CERTIFICATE-----';
269
270			$d = $begin . "\n";
271			$d .= chunk_split(base64_encode($certData));
272			$d .= $end . "\n";
273			return $d;
274			}
275
276			/**
277			* Decode PEM data, return the internal DER data
278			* @param string $pem_data - pem certificate data
279			* @return string
280			*/
281			private function pem2der($pem_data)
282			{
283			$begin = 'CERTIFICATE-----';
284			$end = '-----END';
285			if (strpos($pem_data, $begin) === false) {
286			return $pem_data;
287			}
288			$pem_data = substr($pem_data, strpos($pem_data, $begin) + strlen($begin));
289			$pem_data = substr($pem_data, 0, strpos($pem_data, $end));
290			$der = base64_decode($pem_data);
291			return $der;
292			}
293
294			/**
295			* @param string $leaf - path to a file with certificates
296			* @return array\|bool
297			*/
298			private function fetchChain($leaf)
299			{
300			$result = array();
301			$leaf = file_get_contents($leaf);
302			$cert = $this->parseCertificate($leaf);
303			if ($cert === false) {
304			return false;
305			}
306
307			$certData = self::pem2der($leaf);
308			$result[] = $certData;
309			while ($cert) {
			0 ignored issues – show Bug Best Practice introduced 2016-05-24 19:25 UTC by Report Bug Copy Issue Report The expression `$cert` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
310			$result[] = $certData;
311			// Only break after adding Cert Data - allows for self-signed certificates
312			if ($this->isRoot($cert)) {
313			break;
314			}
315			$certData = $this->fetchCertificateParent($cert);
316			$cert = $this->parseCertificate($certData);
			0 ignored issues – show Security Bug introduced 2016-05-24 19:25 UTC by Report Bug Copy Issue Report It seems like `$certData` defined by `$this->fetchCertificateParent($cert)` on line `315` can also be of type `false`; however, `BitWasp\Bitcoin\PaymentP...ner::parseCertificate()` does only seem to accept `string`, did you maybe forget to handle an error condition? This check looks for type mismatches where the missing type is `false`. This is usually indicative of an error condtion. Consider the follow example <?php function getDate($date) { if ($date !== null) { return new DateTime($date); } return false; } This function either returns a new `DateTime` object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned `false` before passing on the value to another function or method that may not be able to handle a `false`. Loading history...
317			}
318
319			return $result;
320			}
321			}
322

Bit-Wasp / bitcoin-php

Push — master ( b34763...3537a1 )

RequestSigner::signData() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like