|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
declare(strict_types = 1); |
|
4
|
|
|
|
|
5
|
|
|
namespace Sop\JWX\JWS\Algorithm; |
|
6
|
|
|
|
|
7
|
|
|
use Sop\JWX\JWK\Asymmetric\PrivateKeyJWK; |
|
8
|
|
|
use Sop\JWX\JWK\Asymmetric\PublicKeyJWK; |
|
9
|
|
|
use Sop\JWX\JWS\SignatureAlgorithm; |
|
10
|
|
|
|
|
11
|
|
|
/** |
|
12
|
|
|
* Base class for algorithms employing asymmetric signature computation |
|
13
|
|
|
* using OpenSSL extension. |
|
14
|
|
|
*/ |
|
15
|
|
|
abstract class OpenSSLSignatureAlgorithm extends SignatureAlgorithm |
|
16
|
|
|
{ |
|
17
|
|
|
/** |
|
18
|
|
|
* Public key. |
|
19
|
|
|
* |
|
20
|
|
|
* @var PublicKeyJWK |
|
21
|
|
|
*/ |
|
22
|
|
|
protected $_publicKey; |
|
23
|
|
|
|
|
24
|
|
|
/** |
|
25
|
|
|
* Private key. |
|
26
|
|
|
* |
|
27
|
|
|
* @var null|PrivateKeyJWK |
|
28
|
|
|
*/ |
|
29
|
|
|
protected $_privateKey; |
|
30
|
|
|
|
|
31
|
|
|
/** |
|
32
|
|
|
* {@inheritdoc} |
|
33
|
|
|
* |
|
34
|
|
|
* @throws \LogicException If private key was not provided |
|
35
|
|
|
* @throws \RuntimeException For generic errors |
|
36
|
|
|
*/ |
|
37
|
12 |
|
public function computeSignature(string $data): string |
|
38
|
|
|
{ |
|
39
|
|
|
/* |
|
40
|
|
|
* NOTE: OpenSSL uses PKCS #1 v1.5 padding by default, so no explicit |
|
41
|
|
|
* padding is required by sign and verify operations. |
|
42
|
|
|
*/ |
|
43
|
12 |
|
if (!isset($this->_privateKey)) { |
|
44
|
1 |
|
throw new \LogicException('Private key not set.'); |
|
45
|
|
|
} |
|
46
|
11 |
|
$key = openssl_pkey_get_private($this->_privateKey->toPEM()->string()); |
|
47
|
11 |
|
if (false === $key) { |
|
48
|
1 |
|
throw new \RuntimeException( |
|
49
|
|
|
'openssl_pkey_get_private() failed: ' . |
|
50
|
1 |
|
$this->_getLastOpenSSLError()); |
|
51
|
|
|
} |
|
52
|
10 |
|
$result = @openssl_sign($data, $signature, $key, $this->_mdMethod()); |
|
53
|
10 |
|
if (!$result) { |
|
54
|
1 |
|
throw new \RuntimeException( |
|
55
|
1 |
|
'openssl_sign() failed: ' . $this->_getLastOpenSSLError()); |
|
56
|
|
|
} |
|
57
|
9 |
|
return $signature; |
|
58
|
|
|
} |
|
59
|
|
|
|
|
60
|
|
|
/** |
|
61
|
|
|
* {@inheritdoc} |
|
62
|
|
|
* |
|
63
|
|
|
* @throws \RuntimeException For generic errors |
|
64
|
|
|
*/ |
|
65
|
10 |
|
public function validateSignature(string $data, string $signature): bool |
|
66
|
|
|
{ |
|
67
|
10 |
|
$key = openssl_pkey_get_public($this->_publicKey->toPEM()->string()); |
|
68
|
10 |
|
if (false === $key) { |
|
69
|
1 |
|
throw new \RuntimeException( |
|
70
|
|
|
'openssl_pkey_get_public() failed: ' . |
|
71
|
1 |
|
$this->_getLastOpenSSLError()); |
|
72
|
|
|
} |
|
73
|
9 |
|
$result = @openssl_verify($data, $signature, $key, $this->_mdMethod()); |
|
74
|
9 |
|
if (false === $result || -1 == $result) { |
|
75
|
1 |
|
throw new \RuntimeException( |
|
76
|
1 |
|
'openssl_verify() failed: ' . $this->_getLastOpenSSLError()); |
|
77
|
|
|
} |
|
78
|
8 |
|
return 1 == $result; |
|
79
|
|
|
} |
|
80
|
|
|
|
|
81
|
|
|
/** |
|
82
|
|
|
* Get the signature algorithm identifier supported by OpenSSL. |
|
83
|
|
|
*/ |
|
84
|
|
|
abstract protected function _mdMethod(): int; |
|
85
|
|
|
|
|
86
|
|
|
/** |
|
87
|
|
|
* Get the last OpenSSL error message. |
|
88
|
|
|
*/ |
|
89
|
4 |
|
protected function _getLastOpenSSLError(): ?string |
|
90
|
|
|
{ |
|
91
|
4 |
|
$msg = null; |
|
92
|
4 |
|
while (false !== ($err = openssl_error_string())) { |
|
93
|
4 |
|
$msg = $err; |
|
94
|
|
|
} |
|
95
|
4 |
|
return $msg; |
|
96
|
|
|
} |
|
97
|
|
|
} |
|
98
|
|
|
|
sop /
jwx
