KeyConverter::loadKeyFromX509Resource() - Code Metrics - Inspection of "Auto deploy removed and new commands added" - Spomky-Labs/jose - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — v7 ( 137ba9...eb2dfc )

by Florent

created 2017-08-22 20:38 UTC

KeyConverter::loadKeyFromX509Resource() B

↳ Parent: KeyConverter

Complexity

Conditions	3
Paths	3

Size

Total Lines	24
Code Lines	16

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	24
rs	8.9713
c	0
b	0
f	0
cc	3
eloc	16
nc	3
nop	1

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2017 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace Jose\Component\KeyManagement\KeyConverter;

use Base64Url\Base64Url;

/**
 * This class will help you to load an EC key or a RSA key/certificate (private or public) and get values to create a JWK object.
 */
final class KeyConverter
{
    /**
     * @param string $file
     *
     * @throws \InvalidArgumentException
     *
     * @return array
     */
    public static function loadKeyFromCertificateFile(string $file): array
    {
        if (!file_exists($file)) {
            throw new \InvalidArgumentException(sprintf('File "%s" does not exist.', $file));
        }
        $content = file_get_contents($file);

        return self::loadKeyFromCertificate($content);
    }

    /**
     * @param string $certificate
     *
     * @throws \InvalidArgumentException
     *
     * @return array
     */
    public static function loadKeyFromCertificate(string $certificate): array
    {
        try {
            $res = openssl_x509_read($certificate);
        } catch (\Exception $e) {
            $certificate = self::convertDerToPem($certificate);
            $res = openssl_x509_read($certificate);
        }
        if (false === $res) {
            throw new \InvalidArgumentException('Unable to load the certificate.');
        }

        $values = self::loadKeyFromX509Resource($res);
        openssl_x509_free($res);

        return $values;
    }

    /**
     * @param resource $res
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadKeyFromX509Resource($res): array
    {
        $key = openssl_get_publickey($res);

        $details = openssl_pkey_get_details($key);
        if (isset($details['key'])) {
            $values = self::loadKeyFromPEM($details['key']);
            openssl_x509_export($res, $out);
            $values['x5c'] = [trim(preg_replace('#-.*-#', '', $out))];

            if (function_exists('openssl_x509_fingerprint')) {
                $values['x5t'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha1', true));
                $values['x5t#256'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha256', true));
            } else {
                openssl_x509_export($res, $pem);
                $values['x5t'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha1', true));
                $values['x5t#256'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha256', true));
            }

            return $values;
        }

        throw new \InvalidArgumentException('Unable to load the certificate');
    }

    /**
     * @param string      $file
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadFromKeyFile(string $file, ?string $password = null): array
    {
        $content = file_get_contents($file);

        return self::loadFromKey($content, $password);
    }

    /**
     * @param string      $key
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadFromKey(string $key, ?string $password = null): array
    {
        try {
            return self::loadKeyFromDER($key, $password);
        } catch (\Exception $e) {
            return self::loadKeyFromPEM($key, $password);
        }
    }

    /**
     * @param string      $der
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    private static function loadKeyFromDER(string $der, ?string $password = null): array
    {
        $pem = self::convertDerToPem($der);

        return self::loadKeyFromPEM($pem, $password);
    }

    /**
     * @param string      $pem
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    private static function loadKeyFromPEM(string $pem, ?string $password = null): array
    {
        if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
            $pem = self::decodePem($pem, $matches, $password);
        }

        self::sanitizePEM($pem);

        $res = openssl_pkey_get_private($pem);
        if ($res === false) {
            $res = openssl_pkey_get_public($pem);
        }
        if (false === $res) {
            throw new \InvalidArgumentException('Unable to load the key.');
        }

        $details = openssl_pkey_get_details($res);
        if (!is_array($details) || !array_key_exists('type', $details)) {
            throw new \InvalidArgumentException('Unable to get details of the key');
        }

        switch ($details['type']) {
            case OPENSSL_KEYTYPE_EC:
                $ec_key = ECKey::createFromPEM($pem);

                return $ec_key->toArray();
            case OPENSSL_KEYTYPE_RSA:
                 $rsa_key = RSAKey::createFromPEM($pem);

                 return $rsa_key->toArray();
            default:
                throw new \InvalidArgumentException('Unsupported key type');
        }
    }

    /**
     * This method modify the PEM to get 64 char lines and fix bug with old OpenSSL versions.
     *
     * @param string $pem
     */
    private static function sanitizePEM(string &$pem)
    {
        preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
        $ciphertext = preg_replace('#-.*-|\r|\n| #', '', $pem);

        $pem = $matches[0][0].PHP_EOL;
        $pem .= chunk_split($ciphertext, 64, PHP_EOL);
        $pem .= $matches[0][1].PHP_EOL;
    }

    /**
     * @param array $x5c
     *
     * @return array
     */
    public static function loadFromX5C(array $x5c): array
    {
        $certificate = null;
        $last_issuer = null;
        $last_subject = null;
        foreach ($x5c as $cert) {
            $current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$cert.PHP_EOL.'-----END CERTIFICATE-----';
            $x509 = openssl_x509_read($current_cert);
            if (false === $x509) {
                $last_issuer = null;
                $last_subject = null;

                break;
            }
            $parsed = openssl_x509_parse($x509);

            openssl_x509_free($x509);
            if (false === $parsed) {
                $last_issuer = null;
                $last_subject = null;

                break;
            }
            if (null === $last_subject) {
                $last_subject = $parsed['subject'];
                $last_issuer = $parsed['issuer'];
                $certificate = $current_cert;
            } else {
                if (json_encode($last_issuer) === json_encode($parsed['subject'])) {
                    $last_subject = $parsed['subject'];
                    $last_issuer = $parsed['issuer'];
                } else {
                    $last_issuer = null;
                    $last_subject = null;

                    break;
                }
            }
        }
        if (null !== $last_issuer && json_encode($last_issuer) !== json_encode($last_subject)) {
            throw new \InvalidArgumentException('Invalid certificate chain.');
        }

        return self::loadKeyFromCertificate($certificate);
    }

    /**
     * @param string      $pem
     * @param string[]    $matches
     * @param null|string $password
     *
     * @return string
     */
    private static function decodePem(string $pem, array $matches, ?string $password = null): string
    {
        if (null === $password) {
            throw new \InvalidArgumentException('Password required for encrypted keys.');
        }

        $iv = pack('H*', trim($matches[2]));
        $iv_sub = mb_substr($iv, 0, 8, '8bit');
        $symkey = pack('H*', md5($password.$iv_sub));
        $symkey .= pack('H*', md5($symkey.$password.$iv_sub));
        $key = preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem);
        $ciphertext = base64_decode(preg_replace('#-.*-|\r|\n#', '', $key));

        $decoded = openssl_decrypt($ciphertext, strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv);

        $number = preg_match_all('#-{5}.*-{5}#', $pem, $result);
        if (2 !== $number) {
            throw new \InvalidArgumentException('Unable to load the key');
        }

        $pem = $result[0][0].PHP_EOL;
        $pem .= chunk_split(base64_encode($decoded), 64);
        $pem .= $result[0][1].PHP_EOL;

        return $pem;
    }

    /**
     * @param string $der_data
     *
     * @return string
     */
    private static function convertDerToPem(string $der_data): string
    {
        $pem = chunk_split(base64_encode($der_data), 64, PHP_EOL);
        $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;

        return $pem;
    }

    /**
     * @param string $pem
     * @param string $algorithm
     * @param bool   $binary
     *
     * @return string
     */
    private static function calculateX509Fingerprint(string $pem, string $algorithm, bool $binary = false): string
    {
        $pem = preg_replace('#-.*-|\r|\n#', '', $pem);
        $bin = base64_decode($pem);

        return hash($algorithm, $bin, $binary);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2017 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace Jose\Component\KeyManagement\KeyConverter;
15
16			use Base64Url\Base64Url;
17
18			/**
19			* This class will help you to load an EC key or a RSA key/certificate (private or public) and get values to create a JWK object.
20			*/
21			final class KeyConverter
22			{
23			/**
24			* @param string $file
25			*
26			* @throws \InvalidArgumentException
27			*
28			* @return array
29			*/
30			public static function loadKeyFromCertificateFile(string $file): array
31			{
32			if (!file_exists($file)) {
33			throw new \InvalidArgumentException(sprintf('File "%s" does not exist.', $file));
34			}
35			$content = file_get_contents($file);
36
37			return self::loadKeyFromCertificate($content);
38			}
39
40			/**
41			* @param string $certificate
42			*
43			* @throws \InvalidArgumentException
44			*
45			* @return array
46			*/
47			public static function loadKeyFromCertificate(string $certificate): array
48			{
49			try {
50			$res = openssl_x509_read($certificate);
51			} catch (\Exception $e) {
52			$certificate = self::convertDerToPem($certificate);
53			$res = openssl_x509_read($certificate);
54			}
55			if (false === $res) {
56			throw new \InvalidArgumentException('Unable to load the certificate.');
57			}
58
59			$values = self::loadKeyFromX509Resource($res);
60			openssl_x509_free($res);
61
62			return $values;
63			}
64
65			/**
66			* @param resource $res
67			*
68			* @throws \Exception
69			*
70			* @return array
71			*/
72			public static function loadKeyFromX509Resource($res): array
73			{
74			$key = openssl_get_publickey($res);
75
76			$details = openssl_pkey_get_details($key);
77			if (isset($details['key'])) {
78			$values = self::loadKeyFromPEM($details['key']);
79			openssl_x509_export($res, $out);
80			$values['x5c'] = [trim(preg_replace('#-.*-#', '', $out))];
81
82			if (function_exists('openssl_x509_fingerprint')) {
83			$values['x5t'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha1', true));
84			$values['x5t#256'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha256', true));
85			} else {
86			openssl_x509_export($res, $pem);
87			$values['x5t'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha1', true));
88			$values['x5t#256'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha256', true));
89			}
90
91			return $values;
92			}
93
94			throw new \InvalidArgumentException('Unable to load the certificate');
95			}
96
97			/**
98			* @param string $file
99			* @param null\|string $password
100			*
101			* @throws \Exception
102			*
103			* @return array
104			*/
105			public static function loadFromKeyFile(string $file, ?string $password = null): array
106			{
107			$content = file_get_contents($file);
108
109			return self::loadFromKey($content, $password);
110			}
111
112			/**
113			* @param string $key
114			* @param null\|string $password
115			*
116			* @throws \Exception
117			*
118			* @return array
119			*/
120			public static function loadFromKey(string $key, ?string $password = null): array
121			{
122			try {
123			return self::loadKeyFromDER($key, $password);
124			} catch (\Exception $e) {
125			return self::loadKeyFromPEM($key, $password);
126			}
127			}
128
129			/**
130			* @param string $der
131			* @param null\|string $password
132			*
133			* @throws \Exception
134			*
135			* @return array
136			*/
137			private static function loadKeyFromDER(string $der, ?string $password = null): array
138			{
139			$pem = self::convertDerToPem($der);
140
141			return self::loadKeyFromPEM($pem, $password);
142			}
143
144			/**
145			* @param string $pem
146			* @param null\|string $password
147			*
148			* @throws \Exception
149			*
150			* @return array
151			*/
152			private static function loadKeyFromPEM(string $pem, ?string $password = null): array
153			{
154			if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
155			$pem = self::decodePem($pem, $matches, $password);
156			}
157
158			self::sanitizePEM($pem);
159
160			$res = openssl_pkey_get_private($pem);
161			if ($res === false) {
162			$res = openssl_pkey_get_public($pem);
163			}
164			if (false === $res) {
165			throw new \InvalidArgumentException('Unable to load the key.');
166			}
167
168			$details = openssl_pkey_get_details($res);
169			if (!is_array($details) \|\| !array_key_exists('type', $details)) {
170			throw new \InvalidArgumentException('Unable to get details of the key');
171			}
172
173			switch ($details['type']) {
174			case OPENSSL_KEYTYPE_EC:
175			$ec_key = ECKey::createFromPEM($pem);
176
177			return $ec_key->toArray();
178			case OPENSSL_KEYTYPE_RSA:
179			$rsa_key = RSAKey::createFromPEM($pem);
180
181			return $rsa_key->toArray();
182			default:
183			throw new \InvalidArgumentException('Unsupported key type');
184			}
185			}
186
187			/**
188			* This method modify the PEM to get 64 char lines and fix bug with old OpenSSL versions.
189			*
190			* @param string $pem
191			*/
192			private static function sanitizePEM(string &$pem)
193			{
194			preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
195			$ciphertext = preg_replace('#-.*-\|\r\|\n\| #', '', $pem);
196
197			$pem = $matches[0][0].PHP_EOL;
198			$pem .= chunk_split($ciphertext, 64, PHP_EOL);
199			$pem .= $matches[0][1].PHP_EOL;
200			}
201
202			/**
203			* @param array $x5c
204			*
205			* @return array
206			*/
207			public static function loadFromX5C(array $x5c): array
208			{
209			$certificate = null;
210			$last_issuer = null;
211			$last_subject = null;
212			foreach ($x5c as $cert) {
213			$current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$cert.PHP_EOL.'-----END CERTIFICATE-----';
214			$x509 = openssl_x509_read($current_cert);
215			if (false === $x509) {
216			$last_issuer = null;
217			$last_subject = null;
218
219			break;
220			}
221			$parsed = openssl_x509_parse($x509);
222
223			openssl_x509_free($x509);
224			if (false === $parsed) {
225			$last_issuer = null;
226			$last_subject = null;
227
228			break;
229			}
230			if (null === $last_subject) {
231			$last_subject = $parsed['subject'];
232			$last_issuer = $parsed['issuer'];
233			$certificate = $current_cert;
234			} else {
235			if (json_encode($last_issuer) === json_encode($parsed['subject'])) {
236			$last_subject = $parsed['subject'];
237			$last_issuer = $parsed['issuer'];
238			} else {
239			$last_issuer = null;
240			$last_subject = null;
241
242			break;
243			}
244			}
245			}
246			if (null !== $last_issuer && json_encode($last_issuer) !== json_encode($last_subject)) {
247			throw new \InvalidArgumentException('Invalid certificate chain.');
248			}
249
250			return self::loadKeyFromCertificate($certificate);
251			}
252
253			/**
254			* @param string $pem
255			* @param string[] $matches
256			* @param null\|string $password
257			*
258			* @return string
259			*/
260			private static function decodePem(string $pem, array $matches, ?string $password = null): string
261			{
262			if (null === $password) {
263			throw new \InvalidArgumentException('Password required for encrypted keys.');
264			}
265
266			$iv = pack('H*', trim($matches[2]));
267			$iv_sub = mb_substr($iv, 0, 8, '8bit');
268			$symkey = pack('H*', md5($password.$iv_sub));
269			$symkey .= pack('H*', md5($symkey.$password.$iv_sub));
270			$key = preg_replace('#^(?:Proc-Type\|DEK-Info): .*#m', '', $pem);
271			$ciphertext = base64_decode(preg_replace('#-.*-\|\r\|\n#', '', $key));
272
273			$decoded = openssl_decrypt($ciphertext, strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv);
274
275			$number = preg_match_all('#-{5}.*-{5}#', $pem, $result);
276			if (2 !== $number) {
277			throw new \InvalidArgumentException('Unable to load the key');
278			}
279
280			$pem = $result[0][0].PHP_EOL;
281			$pem .= chunk_split(base64_encode($decoded), 64);
282			$pem .= $result[0][1].PHP_EOL;
283
284			return $pem;
285			}
286
287			/**
288			* @param string $der_data
289			*
290			* @return string
291			*/
292			private static function convertDerToPem(string $der_data): string
293			{
294			$pem = chunk_split(base64_encode($der_data), 64, PHP_EOL);
295			$pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;
296
297			return $pem;
298			}
299
300			/**
301			* @param string $pem
302			* @param string $algorithm
303			* @param bool $binary
304			*
305			* @return string
306			*/
307			private static function calculateX509Fingerprint(string $pem, string $algorithm, bool $binary = false): string
308			{
309			$pem = preg_replace('#-.*-\|\r\|\n#', '', $pem);
310			$bin = base64_decode($pem);
311
312			return hash($algorithm, $bin, $binary);
313			}
314			}
315

Spomky-Labs / jose

Push — v7 ( 137ba9...eb2dfc )

KeyConverter::loadKeyFromX509Resource() B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like