Issues in CryptKey.php (master) - Issues in master - thephpleague/oauth2-server - Measure and Improve Code Quality continuously with Scrutinizer

Issues (66)

src/CryptKey.php (1 issue)

Severity

Unknown 1

Andrew Millington 1

<?php

/**
 * Cryptography key holder.
 *
 * @author      Julián Gutiérrez <[email protected]>
 * @copyright   Copyright (c) Alex Bilbie
 * @license     http://mit-license.org/
 *
 * @link        https://github.com/thephpleague/oauth2-server
 */

declare(strict_types=1);

namespace League\OAuth2\Server;

use LogicException;
use OpenSSLAsymmetricKey;
use SensitiveParameter;

use function decoct;
use function file_get_contents;
use function fileperms;
use function in_array;
use function is_file;
use function is_readable;
use function openssl_pkey_get_details;
use function openssl_pkey_get_private;
use function openssl_pkey_get_public;
use function sprintf;
use function trigger_error;

class CryptKey implements CryptKeyInterface
{
    private const FILE_PREFIX = 'file://';

    /**
     * @var string Key contents
     */
    protected string $keyContents;

    protected string $keyPath;

    public function __construct(
        string $keyPath,
        #[SensitiveParameter]
        protected ?string $passPhrase = null,
        bool $keyPermissionsCheck = true
    ) {
        if (str_starts_with($keyPath, self::FILE_PREFIX) === false && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
            $this->keyContents = $keyPath;
            $this->keyPath = '';
            // There's no file, so no need for permission check.
            $keyPermissionsCheck = false;
        } elseif (is_file($keyPath)) {
            if (str_starts_with($keyPath, self::FILE_PREFIX) === false) {
                $keyPath = self::FILE_PREFIX . $keyPath;
            }

            if (!is_readable($keyPath)) {
                throw new LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
            }

            $keyContents = file_get_contents($keyPath);

            if ($keyContents === false) {
                throw new LogicException('Unable to read key from file ' . $keyPath);
            }

            $this->keyContents = $keyContents;
            $this->keyPath = $keyPath;

            if (!$this->isValidKey($this->keyContents, $this->passPhrase ?? '')) {
                throw new LogicException('Unable to read key from file ' . $keyPath);
            }
        } else {
            throw new LogicException('Invalid key supplied');
        }

        if ($keyPermissionsCheck === true && PHP_OS_FAMILY !== 'Windows') {
            // Verify the permissions of the key
            $keyPathPerms = decoct(fileperms($this->keyPath) & 0777);
            if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
                trigger_error(
                    sprintf(
                        'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
                        $this->keyPath,
                        $keyPathPerms
                    ),
                    E_USER_NOTICE
                );
            }
        }
    }

    /**
     * {@inheritdoc}
     */
    public function getKeyContents(): string
    {
        return $this->keyContents;
    }

    /**
     * Validate key contents.
     */
    private function isValidKey(
        #[SensitiveParameter]
        string $contents,
        #[SensitiveParameter]
        string $passPhrase
    ): bool {
        $privateKey = openssl_pkey_get_private($contents, $passPhrase);

        $key = $privateKey instanceof OpenSSLAsymmetricKey ? $privateKey : openssl_pkey_get_public($contents);

        if ($key === false) {

            return false;
        }

        $details = openssl_pkey_get_details($key);

        return $details !== false && in_array(
            $details['type'] ?? -1,
            [OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_EC],
            true
        );
    }

    /**
     * {@inheritdoc}
     */
    public function getKeyPath(): string
    {
        return $this->keyPath;
    }

    /**
     * {@inheritdoc}
     */
    public function getPassPhrase(): ?string
    {
        return $this->passPhrase;
    }
}


1		<?php
2
3		/**
4		* Cryptography key holder.
5		*
6		* @author Julián Gutiérrez <[email protected]>
7		* @copyright Copyright (c) Alex Bilbie
8		* @license http://mit-license.org/
9		*
10		* @link https://github.com/thephpleague/oauth2-server
11		*/
12
13		declare(strict_types=1);
14
15		namespace League\OAuth2\Server;
16
17		use LogicException;
18		use OpenSSLAsymmetricKey;
19		use SensitiveParameter;
20
21		use function decoct;
22		use function file_get_contents;
23		use function fileperms;
24		use function in_array;
25		use function is_file;
26		use function is_readable;
27		use function openssl_pkey_get_details;
28		use function openssl_pkey_get_private;
29		use function openssl_pkey_get_public;
30		use function sprintf;
31		use function trigger_error;
32
33		class CryptKey implements CryptKeyInterface
34		{
35		private const FILE_PREFIX = 'file://';
36
37		/**
38		* @var string Key contents
39		*/
40		protected string $keyContents;
41
42		protected string $keyPath;
43
44	75	public function __construct(
45		string $keyPath,
46		#[SensitiveParameter]
47		protected ?string $passPhrase = null,
48		bool $keyPermissionsCheck = true
49		) {
50	75	if (str_starts_with($keyPath, self::FILE_PREFIX) === false && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
51	3	$this->keyContents = $keyPath;
52	3	$this->keyPath = '';
53		// There's no file, so no need for permission check.
54	3	$keyPermissionsCheck = false;
55	72	} elseif (is_file($keyPath)) {
56	70	if (str_starts_with($keyPath, self::FILE_PREFIX) === false) {
57	1	$keyPath = self::FILE_PREFIX . $keyPath;
58		}
59
60	70	if (!is_readable($keyPath)) {
61		throw new LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
62		}
63
64	70	$keyContents = file_get_contents($keyPath);
65
66	70	if ($keyContents === false) {
67		throw new LogicException('Unable to read key from file ' . $keyPath);
68		}
69
70	70	$this->keyContents = $keyContents;
71	70	$this->keyPath = $keyPath;
72
73	70	if (!$this->isValidKey($this->keyContents, $this->passPhrase ?? '')) {
74		throw new LogicException('Unable to read key from file ' . $keyPath);
75		}
76		} else {
77	2	throw new LogicException('Invalid key supplied');
78		}
79
80	73	if ($keyPermissionsCheck === true && PHP_OS_FAMILY !== 'Windows') {
81		// Verify the permissions of the key
82	70	$keyPathPerms = decoct(fileperms($this->keyPath) & 0777);
83	70	if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
84		trigger_error(
85		sprintf(
86		'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
87		$this->keyPath,
88		$keyPathPerms
89		),
90		E_USER_NOTICE
91		);
92		}
93		}
94		}
95
96		/**
97		* {@inheritdoc}
98		*/
99	20	public function getKeyContents(): string
100		{
101	20	return $this->keyContents;
102		}
103
104		/**
105		* Validate key contents.
106		*/
107	75	private function isValidKey(
108		#[SensitiveParameter]
109		string $contents,
110		#[SensitiveParameter]
111		string $passPhrase
112		): bool {
113	75	$privateKey = openssl_pkey_get_private($contents, $passPhrase);
114
115	75	$key = $privateKey instanceof OpenSSLAsymmetricKey ? $privateKey : openssl_pkey_get_public($contents);
116
117	75	if ($key === false) {
		0 ignored issues – show introduced 2024-03-27 00:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `$key === false` is always `false`. Loading history...
118	2	return false;
119		}
120
121	74	$details = openssl_pkey_get_details($key);
122
123	74	return $details !== false && in_array(
124	74	$details['type'] ?? -1,
125	74	[OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_EC],
126	74	true
127	74	);
128		}
129
130		/**
131		* {@inheritdoc}
132		*/
133	5	public function getKeyPath(): string
134		{
135	5	return $this->keyPath;
136		}
137
138		/**
139		* {@inheritdoc}
140		*/
141	22	public function getPassPhrase(): ?string
142		{
143	22	return $this->passPhrase;
144		}
145		}
146

thephpleague / oauth2-server

Issues (66)

src/CryptKey.php (1 issue)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like