1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
declare(strict_types=1); |
4
|
|
|
|
5
|
|
|
/* |
6
|
|
|
* The MIT License (MIT) |
7
|
|
|
* |
8
|
|
|
* Copyright (c) 2014-2019 Spomky-Labs |
9
|
|
|
* |
10
|
|
|
* This software may be modified and distributed under the terms |
11
|
|
|
* of the MIT license. See the LICENSE file for details. |
12
|
|
|
*/ |
13
|
|
|
|
14
|
|
|
namespace Jose\Bundle\JoseFramework\DataCollector; |
15
|
|
|
|
16
|
|
|
use Jose\Component\Core\Algorithm; |
17
|
|
|
use Jose\Component\Core\AlgorithmManagerFactory; |
18
|
|
|
use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm; |
19
|
|
|
use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm; |
20
|
|
|
use Jose\Component\Signature\Algorithm\MacAlgorithm; |
21
|
|
|
use Jose\Component\Signature\Algorithm\SignatureAlgorithm; |
22
|
|
|
use Symfony\Component\HttpFoundation\Request; |
23
|
|
|
use Symfony\Component\HttpFoundation\Response; |
24
|
|
|
|
25
|
|
|
final class AlgorithmCollector implements Collector |
26
|
|
|
{ |
27
|
|
|
/** |
28
|
|
|
* @var AlgorithmManagerFactory |
29
|
|
|
*/ |
30
|
|
|
private $algorithmManagerFactory; |
31
|
|
|
|
32
|
|
|
public function __construct(AlgorithmManagerFactory $algorithmManagerFactory) |
33
|
|
|
{ |
34
|
|
|
$this->algorithmManagerFactory = $algorithmManagerFactory; |
35
|
|
|
} |
36
|
|
|
|
37
|
|
|
public function collect(array &$data, Request $request, Response $response, ?\Exception $exception = null): void |
38
|
|
|
{ |
39
|
|
|
$algorithms = $this->algorithmManagerFactory->all(); |
40
|
|
|
$data['algorithm'] = [ |
41
|
|
|
'messages' => $this->getAlgorithmMessages(), |
42
|
|
|
'algorithms' => [], |
43
|
|
|
]; |
44
|
|
|
$signatureAlgorithms = 0; |
45
|
|
|
$macAlgorithms = 0; |
46
|
|
|
$keyEncryptionAlgorithms = 0; |
47
|
|
|
$contentEncryptionAlgorithms = 0; |
48
|
|
|
foreach ($algorithms as $alias => $algorithm) { |
49
|
|
|
$type = $this->getAlgorithmType($algorithm, $signatureAlgorithms, $macAlgorithms, $keyEncryptionAlgorithms, $contentEncryptionAlgorithms); |
50
|
|
|
if (!\array_key_exists($type, $data['algorithm']['algorithms'])) { |
51
|
|
|
$data['algorithm']['algorithms'][$type] = []; |
52
|
|
|
} |
53
|
|
|
$data['algorithm']['algorithms'][$type][$alias] = [ |
54
|
|
|
'name' => $algorithm->name(), |
55
|
|
|
]; |
56
|
|
|
} |
57
|
|
|
|
58
|
|
|
$data['algorithm']['types'] = [ |
59
|
|
|
'signature' => $signatureAlgorithms, |
60
|
|
|
'mac' => $macAlgorithms, |
61
|
|
|
'key_encryption' => $keyEncryptionAlgorithms, |
62
|
|
|
'content_encryption' => $contentEncryptionAlgorithms, |
63
|
|
|
]; |
64
|
|
|
} |
65
|
|
|
|
66
|
|
|
private function getAlgorithmType(Algorithm $algorithm, int &$signatureAlgorithms, int &$macAlgorithms, int &$keyEncryptionAlgorithms, int &$contentEncryptionAlgorithms): string |
67
|
|
|
{ |
68
|
|
|
switch (true) { |
69
|
|
|
case $algorithm instanceof SignatureAlgorithm: |
70
|
|
|
$signatureAlgorithms++; |
71
|
|
|
|
72
|
|
|
return 'Signature'; |
73
|
|
|
case $algorithm instanceof MacAlgorithm: |
74
|
|
|
$macAlgorithms++; |
75
|
|
|
|
76
|
|
|
return 'MAC'; |
77
|
|
|
case $algorithm instanceof KeyEncryptionAlgorithm: |
78
|
|
|
$keyEncryptionAlgorithms++; |
79
|
|
|
|
80
|
|
|
return 'Key Encryption'; |
81
|
|
|
case $algorithm instanceof ContentEncryptionAlgorithm: |
82
|
|
|
$contentEncryptionAlgorithms++; |
83
|
|
|
|
84
|
|
|
return 'Content Encryption'; |
85
|
|
|
default: |
86
|
|
|
return 'Unknown'; |
87
|
|
|
} |
88
|
|
|
} |
89
|
|
|
|
90
|
|
|
private function getAlgorithmMessages(): array |
91
|
|
|
{ |
92
|
|
|
$messages = [ |
93
|
|
|
'none' => [ |
94
|
|
|
'severity' => 'severity-low', |
95
|
|
|
'message' => 'This algorithm is not secured. Please use with caution.', |
96
|
|
|
], |
97
|
|
|
'HS256/64' => [ |
98
|
|
|
'severity' => 'severity-low', |
99
|
|
|
'message' => 'Experimental. Please use for testing purpose only.', |
100
|
|
|
], |
101
|
|
|
'RS1' => [ |
102
|
|
|
'severity' => 'severity-high', |
103
|
|
|
'message' => 'Experimental. Please use for testing purpose only. SHA-1 hashing function is not recommended.', |
104
|
|
|
], |
105
|
|
|
'RS256' => [ |
106
|
|
|
'severity' => 'severity-medium', |
107
|
|
|
'message' => 'RSAES-PKCS1-v1_5 based algorithms are not recommended.', |
108
|
|
|
], |
109
|
|
|
'RS384' => [ |
110
|
|
|
'severity' => 'severity-medium', |
111
|
|
|
'message' => 'RSAES-PKCS1-v1_5 based algorithms are not recommended.', |
112
|
|
|
], |
113
|
|
|
'RS512' => [ |
114
|
|
|
'severity' => 'severity-medium', |
115
|
|
|
'message' => 'RSAES-PKCS1-v1_5 based algorithms are not recommended.', |
116
|
|
|
], |
117
|
|
|
'HS1' => [ |
118
|
|
|
'severity' => 'severity-high', |
119
|
|
|
'message' => 'This algorithm has known vulnerabilities. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-17">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-17</a>. SHA-1 hashing function is not recommended.', |
120
|
|
|
], |
121
|
|
|
'A128CTR' => [ |
122
|
|
|
'severity' => 'severity-high', |
123
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
124
|
|
|
], |
125
|
|
|
'A192CTR' => [ |
126
|
|
|
'severity' => 'severity-high', |
127
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
128
|
|
|
], |
129
|
|
|
'A256CTR' => [ |
130
|
|
|
'severity' => 'severity-high', |
131
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
132
|
|
|
], |
133
|
|
|
'A128CBC' => [ |
134
|
|
|
'severity' => 'severity-high', |
135
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
136
|
|
|
], |
137
|
|
|
'A192CBC' => [ |
138
|
|
|
'severity' => 'severity-high', |
139
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
140
|
|
|
], |
141
|
|
|
'A256CBC' => [ |
142
|
|
|
'severity' => 'severity-high', |
143
|
|
|
'message' => 'This algorithm is prohibited. For compatibility with old application only. See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-11</a>.', |
144
|
|
|
], |
145
|
|
|
'chacha20-poly1305' => [ |
146
|
|
|
'severity' => 'severity-low', |
147
|
|
|
'message' => 'Experimental. Please use for testing purpose only.', |
148
|
|
|
], |
149
|
|
|
'RSA-OAEP-384' => [ |
150
|
|
|
'severity' => 'severity-low', |
151
|
|
|
'message' => 'Experimental. Please use for testing purpose only.', |
152
|
|
|
], |
153
|
|
|
'RSA-OAEP-512' => [ |
154
|
|
|
'severity' => 'severity-low', |
155
|
|
|
'message' => 'Experimental. Please use for testing purpose only.', |
156
|
|
|
], |
157
|
|
|
'A128CCM-16-64' => [ |
158
|
|
|
'severity' => 'severity-low', |
159
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
160
|
|
|
], |
161
|
|
|
'A256CCM-16-64' => [ |
162
|
|
|
'severity' => 'severity-low', |
163
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
164
|
|
|
], |
165
|
|
|
'A128CCM-64-64' => [ |
166
|
|
|
'severity' => 'severity-low', |
167
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
168
|
|
|
], |
169
|
|
|
'A256CCM-64-64' => [ |
170
|
|
|
'severity' => 'severity-low', |
171
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
172
|
|
|
], |
173
|
|
|
'A128CCM-16-128' => [ |
174
|
|
|
'severity' => 'severity-low', |
175
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
176
|
|
|
], |
177
|
|
|
'A256CCM-16-128' => [ |
178
|
|
|
'severity' => 'severity-low', |
179
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
180
|
|
|
], |
181
|
|
|
'A128CCM-64-128' => [ |
182
|
|
|
'severity' => 'severity-low', |
183
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
184
|
|
|
], |
185
|
|
|
'A256CCM-64-128' => [ |
186
|
|
|
'severity' => 'severity-low', |
187
|
|
|
'message' => 'Experimental and subject to changes. Please use for testing purpose only.', |
188
|
|
|
], |
189
|
|
|
'RSA1_5' => [ |
190
|
|
|
'severity' => 'severity-high', |
191
|
|
|
'message' => 'This algorithm is not secured (known attacks). See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-5">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-5</a>.', |
192
|
|
|
], |
193
|
|
|
]; |
194
|
|
|
if (!\function_exists('openssl_pkey_derive')) { |
195
|
|
|
$messages += [ |
196
|
|
|
'ECDH-ES' => [ |
197
|
|
|
'severity' => 'severity-medium', |
198
|
|
|
'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.', |
199
|
|
|
], |
200
|
|
|
'ECDH-ES+A128KW' => [ |
201
|
|
|
'severity' => 'severity-medium', |
202
|
|
|
'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.', |
203
|
|
|
], |
204
|
|
|
'ECDH-ES+A192KW' => [ |
205
|
|
|
'severity' => 'severity-medium', |
206
|
|
|
'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.', |
207
|
|
|
], |
208
|
|
|
'ECDH-ES+A256KW' => [ |
209
|
|
|
'severity' => 'severity-medium', |
210
|
|
|
'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.', |
211
|
|
|
], |
212
|
|
|
]; |
213
|
|
|
} |
214
|
|
|
|
215
|
|
|
return $messages; |
216
|
|
|
} |
217
|
|
|
} |
218
|
|
|
|