KeyConverter::loadFromX5C() - Code Metrics - Inspection of "Bump to v4" - Spomky-Labs/jose - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( d8c018...19ac78 )

by Florent

created 2016-06-13 21:01 UTC

KeyConverter::loadFromX5C() C

↳ Parent: KeyConverter

Complexity

Conditions	7
Paths	4

Size

Total Lines	43
Code Lines	33

Duplication

Lines	0
Ratio	0 %

Importance

Changes	2
Bugs	0	Features	1

Metric	Value
c	2
b	0
f	1
dl	0
loc	43
rs	6.7272
cc	7
eloc	33
nc	4
nop	1

<?php

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2016 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace Jose\KeyConverter;

use Assert\Assertion;
use Base64Url\Base64Url;
use phpseclib\Crypt\RSA;

/**
 * This class will help you to load an EC key or a RSA key/certificate (private or public) and get values to create a JWK object.
 */
final class KeyConverter
{
    /**
     * @param string $file
     *
     * @throws \InvalidArgumentException
     *
     * @return array
     */
    public static function loadKeyFromCertificateFile($file)
    {
        Assertion::true(file_exists($file), sprintf('File "%s" does not exist.', $file));
        $content = file_get_contents($file);

        return self::loadKeyFromCertificate($content);
    }

    /**
     * @param string $certificate
     *
     * @throws \InvalidArgumentException
     *
     * @return array
     */
    public static function loadKeyFromCertificate($certificate)
    {
        try {
            $res = openssl_x509_read($certificate);
        } catch (\Exception $e) {
            $certificate = self::convertDerToPem($certificate);
            $res = openssl_x509_read($certificate);
        }
        Assertion::false(false === $res, 'Unable to load the certificate');

        $values = self::loadKeyFromX509Resource($res);
        openssl_x509_free($res);

        return $values;
    }

    /**
     * @param resource $res
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadKeyFromX509Resource($res)
    {
        $key = openssl_get_publickey($res);

        $details = openssl_pkey_get_details($key);
        if (isset($details['key'])) {
            $values = self::loadKeyFromPEM($details['key']);
            openssl_x509_export($res, $out);
            $values['x5c'] = [trim(preg_replace('#-.*-#', '', $out))];

            if (function_exists('openssl_x509_fingerprint')) {
                $values['x5t'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha1', true));
                $values['x5t#256'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha256', true));
            } else {
                openssl_x509_export($res, $pem);
                $values['x5t'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha1', true));
                $values['x5t#256'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha256', true));
            }

            return $values;
        }
        throw new \InvalidArgumentException('Unable to load the certificate');
    }

    /**
     * @param string      $file
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadFromKeyFile($file, $password = null)
    {
        $content = file_get_contents($file);

        return self::loadFromKey($content, $password);
    }

    /**
     * @param string      $key
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    public static function loadFromKey($key, $password = null)
    {
        try {
            return self::loadKeyFromDER($key, $password);
        } catch (\Exception $e) {
            return self::loadKeyFromPEM($key, $password);
        }
    }

    /**
     * @param string      $der
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    private static function loadKeyFromDER($der, $password = null)
    {
        $pem = self::convertDerToPem($der);

        return self::loadKeyFromPEM($pem, $password);
    }

    /**
     * @param string      $pem
     * @param null|string $password
     *
     * @throws \Exception
     *
     * @return array
     */
    private static function loadKeyFromPEM($pem, $password = null)
    {
        if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
            $pem = self::decodePem($pem, $matches, $password);
        }

        $res = openssl_pkey_get_private($pem);
        if ($res === false) {
            $res = openssl_pkey_get_public($pem);
        }
        Assertion::false($res === false, 'Unable to load the key');

        $details = openssl_pkey_get_details($res);
        Assertion::isArray($details, 'Unable to get details of the key');
        Assertion::keyExists($details, 'type', 'Unable to get details of the key');

        switch ($details['type']) {
            case OPENSSL_KEYTYPE_EC:
                $ec_key = new ECKey($pem);

                return $ec_key->toArray();
            case OPENSSL_KEYTYPE_RSA:
                 $rsa_key = new RSAKey($pem);

                 return $rsa_key->toArray();
            default:
                throw new \InvalidArgumentException('Unsupported key type');
        }
    }

    /**
     * @param array $data
     *
     * @throws \Exception
     *
     * @return \phpseclib\Crypt\RSA
     */
    public static function fromArrayToRSACrypt(array $data)
    {
        $xml = self::fromArrayToXML($data);
        $rsa = new RSA();
        $rsa->loadKey($xml);

        return $rsa;
    }

    /**
     * @param array $x5c
     *
     * @return array
     */
    public static function loadFromX5C(array $x5c)
    {
        $certificate = null;
        $last_issuer = null;
        $last_subject = null;
        foreach ($x5c as $cert) {
            $current_cert = "-----BEGIN CERTIFICATE-----\n$cert\n-----END CERTIFICATE-----";
            $x509 = openssl_x509_read($current_cert);
            if (false === $x509) {
                $last_issuer = null;
                $last_subject = null;
                break;
            }
            $parsed = openssl_x509_parse($x509);

            openssl_x509_free($x509);
            if (false === $parsed) {
                $last_issuer = null;
                $last_subject = null;
                break;
            }
            if (null === $last_subject) {
                $last_subject = $parsed['subject'];
                $last_issuer = $parsed['issuer'];
                $certificate = $current_cert;
            } else {
                if (json_encode($last_issuer) === json_encode($parsed['subject'])) {
                    $last_subject = $parsed['subject'];
                    $last_issuer = $parsed['issuer'];
                } else {
                    $last_issuer = null;
                    $last_subject = null;
                    break;
                }
            }
        }
        Assertion::false(
            null === $last_issuer || json_encode($last_issuer) !== json_encode($last_subject),
            'Invalid certificate chain.'
        );

        return self::loadKeyFromCertificate($certificate);
    }

    /**
     * @param array $data
     *
     * @throws \Exception
     *
     * @return string
     */
    public static function fromArrayToXML(array $data)
    {
        $result = "<RSAKeyPair>\n";
        foreach ($data as $key => $value) {
            $element = self::getElement($key);
            $value = strtr($value, '-_', '+/');

            switch (mb_strlen($value, '8bit') % 4) {
                case 0:
                    break; // No pad chars in this case
                case 2:
                    $value .= '==';
                    break; // Two pad chars
                case 3:
                    $value .= '=';
                    break; // One pad char
                default:
                    throw new \Exception('Invalid data');
            }

            $result .= "\t<$element>$value</$element>\n";
        }
        $result .= '</RSAKeyPair>';

        return $result;
    }

    /**
     * @param $key
     *
     * @return string
     */
    private static function getElement($key)
    {
        $values = [
            'n'  => 'Modulus',
            'e'  => 'Exponent',
            'p'  => 'P',
            'd'  => 'D',
            'q'  => 'Q',
            'dp' => 'DP',
            'dq' => 'DQ',
            'qi' => 'InverseQ',
        ];
        if (array_key_exists($key, $values)) {
            return $values[$key];
        } else {
            throw new \InvalidArgumentException('Unsupported key data');
        }
    }

    /**
     * @param string      $pem
     * @param string[]    $matches
     * @param null|string $password
     *
     * @return string
     */
    private static function decodePem($pem, array $matches, $password = null)
    {
        Assertion::notNull($password, 'Password required for encrypted keys.');

        $iv = pack('H*', trim($matches[2]));
        $iv_sub = mb_substr($iv, 0, 8, '8bit');
        $symkey = pack('H*', md5($password.$iv_sub));
        $symkey .= pack('H*', md5($symkey.$password.$iv_sub));
        $key = preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem);
        $ciphertext = base64_decode(preg_replace('#-.*-|\r|\n#', '', $key));

        $decoded = openssl_decrypt($ciphertext, strtolower($matches[1]), $symkey, true, $iv);

        $number = preg_match_all('#-{5}.*-{5}#', $pem, $result);
        Assertion::eq($number, 2, 'Unable to load the key');

        $pem = $result[0][0].PHP_EOL;
        $pem .= chunk_split(base64_encode($decoded), 64);
        $pem .= $result[0][1].PHP_EOL;

        return $pem;
    }

    /**
     * @param string $der_data
     *
     * @return string
     */
    private static function convertDerToPem($der_data)
    {
        $pem = chunk_split(base64_encode($der_data), 64, PHP_EOL);
        $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;

        return $pem;
    }

    /**
     * @param string $pem
     * @param string $algorithm
     * @param bool   $binary
     *
     * @return string
     */
    private static function calculateX509Fingerprint($pem, $algorithm, $binary = false)
    {
        $pem = preg_replace('#-.*-|\r|\n#', '', $pem);
        $bin = base64_decode($pem);

        return hash($algorithm, $bin, $binary);
    }
}


1			<?php
2
3			/*
4			* The MIT License (MIT)
5			*
6			* Copyright (c) 2014-2016 Spomky-Labs
7			*
8			* This software may be modified and distributed under the terms
9			* of the MIT license. See the LICENSE file for details.
10			*/
11
12			namespace Jose\KeyConverter;
13
14			use Assert\Assertion;
15			use Base64Url\Base64Url;
16			use phpseclib\Crypt\RSA;
17
18			/**
19			* This class will help you to load an EC key or a RSA key/certificate (private or public) and get values to create a JWK object.
20			*/
21			final class KeyConverter
22			{
23			/**
24			* @param string $file
25			*
26			* @throws \InvalidArgumentException
27			*
28			* @return array
29			*/
30			public static function loadKeyFromCertificateFile($file)
31			{
32			Assertion::true(file_exists($file), sprintf('File "%s" does not exist.', $file));
33			$content = file_get_contents($file);
34
35			return self::loadKeyFromCertificate($content);
36			}
37
38			/**
39			* @param string $certificate
40			*
41			* @throws \InvalidArgumentException
42			*
43			* @return array
44			*/
45			public static function loadKeyFromCertificate($certificate)
46			{
47			try {
48			$res = openssl_x509_read($certificate);
49			} catch (\Exception $e) {
50			$certificate = self::convertDerToPem($certificate);
51			$res = openssl_x509_read($certificate);
52			}
53			Assertion::false(false === $res, 'Unable to load the certificate');
54
55			$values = self::loadKeyFromX509Resource($res);
56			openssl_x509_free($res);
57
58			return $values;
59			}
60
61			/**
62			* @param resource $res
63			*
64			* @throws \Exception
65			*
66			* @return array
67			*/
68			public static function loadKeyFromX509Resource($res)
69			{
70			$key = openssl_get_publickey($res);
71
72			$details = openssl_pkey_get_details($key);
73			if (isset($details['key'])) {
74			$values = self::loadKeyFromPEM($details['key']);
75			openssl_x509_export($res, $out);
76			$values['x5c'] = [trim(preg_replace('#-.*-#', '', $out))];
77
78			if (function_exists('openssl_x509_fingerprint')) {
79			$values['x5t'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha1', true));
80			$values['x5t#256'] = Base64Url::encode(openssl_x509_fingerprint($res, 'sha256', true));
81			} else {
82			openssl_x509_export($res, $pem);
83			$values['x5t'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha1', true));
84			$values['x5t#256'] = Base64Url::encode(self::calculateX509Fingerprint($pem, 'sha256', true));
85			}
86
87			return $values;
88			}
89			throw new \InvalidArgumentException('Unable to load the certificate');
90			}
91
92			/**
93			* @param string $file
94			* @param null\|string $password
95			*
96			* @throws \Exception
97			*
98			* @return array
99			*/
100			public static function loadFromKeyFile($file, $password = null)
101			{
102			$content = file_get_contents($file);
103
104			return self::loadFromKey($content, $password);
105			}
106
107			/**
108			* @param string $key
109			* @param null\|string $password
110			*
111			* @throws \Exception
112			*
113			* @return array
114			*/
115			public static function loadFromKey($key, $password = null)
116			{
117			try {
118			return self::loadKeyFromDER($key, $password);
119			} catch (\Exception $e) {
120			return self::loadKeyFromPEM($key, $password);
121			}
122			}
123
124			/**
125			* @param string $der
126			* @param null\|string $password
127			*
128			* @throws \Exception
129			*
130			* @return array
131			*/
132			private static function loadKeyFromDER($der, $password = null)
133			{
134			$pem = self::convertDerToPem($der);
135
136			return self::loadKeyFromPEM($pem, $password);
137			}
138
139			/**
140			* @param string $pem
141			* @param null\|string $password
142			*
143			* @throws \Exception
144			*
145			* @return array
146			*/
147			private static function loadKeyFromPEM($pem, $password = null)
148			{
149			if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
150			$pem = self::decodePem($pem, $matches, $password);
151			}
152
153			$res = openssl_pkey_get_private($pem);
154			if ($res === false) {
155			$res = openssl_pkey_get_public($pem);
156			}
157			Assertion::false($res === false, 'Unable to load the key');
158
159			$details = openssl_pkey_get_details($res);
160			Assertion::isArray($details, 'Unable to get details of the key');
161			Assertion::keyExists($details, 'type', 'Unable to get details of the key');
162
163			switch ($details['type']) {
164			case OPENSSL_KEYTYPE_EC:
165			$ec_key = new ECKey($pem);
166
167			return $ec_key->toArray();
168			case OPENSSL_KEYTYPE_RSA:
169			$rsa_key = new RSAKey($pem);
170
171			return $rsa_key->toArray();
172			default:
173			throw new \InvalidArgumentException('Unsupported key type');
174			}
175			}
176
177			/**
178			* @param array $data
179			*
180			* @throws \Exception
181			*
182			* @return \phpseclib\Crypt\RSA
183			*/
184			public static function fromArrayToRSACrypt(array $data)
185			{
186			$xml = self::fromArrayToXML($data);
187			$rsa = new RSA();
188			$rsa->loadKey($xml);
189
190			return $rsa;
191			}
192
193			/**
194			* @param array $x5c
195			*
196			* @return array
197			*/
198			public static function loadFromX5C(array $x5c)
199			{
200			$certificate = null;
201			$last_issuer = null;
202			$last_subject = null;
203			foreach ($x5c as $cert) {
204			$current_cert = "-----BEGIN CERTIFICATE-----\n$cert\n-----END CERTIFICATE-----";
205			$x509 = openssl_x509_read($current_cert);
206			if (false === $x509) {
207			$last_issuer = null;
208			$last_subject = null;
209			break;
210			}
211			$parsed = openssl_x509_parse($x509);
212
213			openssl_x509_free($x509);
214			if (false === $parsed) {
215			$last_issuer = null;
216			$last_subject = null;
217			break;
218			}
219			if (null === $last_subject) {
220			$last_subject = $parsed['subject'];
221			$last_issuer = $parsed['issuer'];
222			$certificate = $current_cert;
223			} else {
224			if (json_encode($last_issuer) === json_encode($parsed['subject'])) {
225			$last_subject = $parsed['subject'];
226			$last_issuer = $parsed['issuer'];
227			} else {
228			$last_issuer = null;
229			$last_subject = null;
230			break;
231			}
232			}
233			}
234			Assertion::false(
235			null === $last_issuer \|\| json_encode($last_issuer) !== json_encode($last_subject),
236			'Invalid certificate chain.'
237			);
238
239			return self::loadKeyFromCertificate($certificate);
240			}
241
242			/**
243			* @param array $data
244			*
245			* @throws \Exception
246			*
247			* @return string
248			*/
249			public static function fromArrayToXML(array $data)
250			{
251			$result = "<RSAKeyPair>\n";
252			foreach ($data as $key => $value) {
253			$element = self::getElement($key);
254			$value = strtr($value, '-_', '+/');
255
256			switch (mb_strlen($value, '8bit') % 4) {
257			case 0:
258			break; // No pad chars in this case
259			case 2:
260			$value .= '==';
261			break; // Two pad chars
262			case 3:
263			$value .= '=';
264			break; // One pad char
265			default:
266			throw new \Exception('Invalid data');
267			}
268
269			$result .= "\t<$element>$value</$element>\n";
270			}
271			$result .= '</RSAKeyPair>';
272
273			return $result;
274			}
275
276			/**
277			* @param $key
278			*
279			* @return string
280			*/
281			private static function getElement($key)
282			{
283			$values = [
284			'n' => 'Modulus',
285			'e' => 'Exponent',
286			'p' => 'P',
287			'd' => 'D',
288			'q' => 'Q',
289			'dp' => 'DP',
290			'dq' => 'DQ',
291			'qi' => 'InverseQ',
292			];
293			if (array_key_exists($key, $values)) {
294			return $values[$key];
295			} else {
296			throw new \InvalidArgumentException('Unsupported key data');
297			}
298			}
299
300			/**
301			* @param string $pem
302			* @param string[] $matches
303			* @param null\|string $password
304			*
305			* @return string
306			*/
307			private static function decodePem($pem, array $matches, $password = null)
308			{
309			Assertion::notNull($password, 'Password required for encrypted keys.');
310
311			$iv = pack('H*', trim($matches[2]));
312			$iv_sub = mb_substr($iv, 0, 8, '8bit');
313			$symkey = pack('H*', md5($password.$iv_sub));
314			$symkey .= pack('H*', md5($symkey.$password.$iv_sub));
315			$key = preg_replace('#^(?:Proc-Type\|DEK-Info): .*#m', '', $pem);
316			$ciphertext = base64_decode(preg_replace('#-.*-\|\r\|\n#', '', $key));
317
318			$decoded = openssl_decrypt($ciphertext, strtolower($matches[1]), $symkey, true, $iv);
319
320			$number = preg_match_all('#-{5}.*-{5}#', $pem, $result);
321			Assertion::eq($number, 2, 'Unable to load the key');
322
323			$pem = $result[0][0].PHP_EOL;
324			$pem .= chunk_split(base64_encode($decoded), 64);
325			$pem .= $result[0][1].PHP_EOL;
326
327			return $pem;
328			}
329
330			/**
331			* @param string $der_data
332			*
333			* @return string
334			*/
335			private static function convertDerToPem($der_data)
336			{
337			$pem = chunk_split(base64_encode($der_data), 64, PHP_EOL);
338			$pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;
339
340			return $pem;
341			}
342
343			/**
344			* @param string $pem
345			* @param string $algorithm
346			* @param bool $binary
347			*
348			* @return string
349			*/
350			private static function calculateX509Fingerprint($pem, $algorithm, $binary = false)
351			{
352			$pem = preg_replace('#-.*-\|\r\|\n#', '', $pem);
353			$bin = base64_decode($pem);
354
355			return hash($algorithm, $bin, $binary);
356			}
357			}
358

Spomky-Labs / jose

Push — master ( d8c018...19ac78 )

KeyConverter::loadFromX5C() C

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like