Added support for RSASSA_PSS (sha256-rsa-MGF1) #262

Open
wants to merge 5 commits into
base: master
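--- a/composer.json
+++ b/composer.json
@@ -16,6 +16,7 @@
 },
 "require": {
 "php": ">= 5.4",
-"ext-openssl": "*"
+"ext-openssl": "*",
+"phpseclib/phpseclib": "^3.0"
 }
 }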
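Review bot: `"phpseclib/phpseclib": "^3.0"` is added as a hard requirement while the `"php": ">= 5.4"` constraint two lines above is unchanged; phpseclib 3 declares a higher PHP floor (5.6.1, to my knowledge), so the manifest now advertises platforms on which the package can no longer be installed. Either raise the `php` constraint to match, or move the package to `suggest` and check for it at runtime in the RSASSA_PSS path. The second option also avoids pulling an additional cryptography library into every install that never uses PSS, which keeps the dependency surface smaller for existing users.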
31 changes: 26 additions & 5 deletions src/XMLSecurityKey.php
Expand Up @@ -3,6 +3,8 @@

use DOMElement;
use Exception;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;

/**
* xmlseclibs.php
Expand Down Expand Up @@ -62,6 +64,7 @@ class XMLSecurityKey
const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
const HMAC_SHA1 = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1';
const RSASSA_PSS = 'http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1';
const AUTHTAG_LENGTH = 16;

/** @var array */
Expand All @@ -73,6 +76,9 @@ class XMLSecurityKey
/** @var mixed|null */
public $key = null;

/** @var RSA|null */
public $rsaPrivateKey = null;

/** @var string */
public $passphrase = "";

Expand Down Expand Up @@ -257,6 +263,10 @@ public function __construct($type, $params=null)
$this->cryptParams['library'] = $type;
$this->cryptParams['method'] = 'http://www.w3.org/2000/09/xmldsig#hmac-sha1';
break;
case (self::RSASSA_PSS):
$this->cryptParams['library'] = $type;
$this->cryptParams['method'] = 'http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1';
break;
default:
throw new Exception('Invalid Key Type');
}
Expand Down Expand Up @@ -291,9 +301,9 @@ public function generateSessionKey()
throw new Exception('Unknown key size for type "' . $this->type . '".');
}
$keysize = $this->cryptParams['keysize'];

$key = openssl_random_pseudo_bytes($keysize);

if ($this->type === self::TRIPLEDES_CBC) {
/* Make sure that the generated key has the proper parity bits set.
* Mcrypt doesn't care about the parity bits, but others may care.
Expand All @@ -308,7 +318,7 @@ public function generateSessionKey()
$key[$i] = chr($byte);
}
}

$this->key = $key;
return $key;
}
Expand Down Expand Up @@ -358,6 +368,13 @@ public function loadKey($key, $isFile=false, $isCert = false)
{
if ($isFile) {
$this->key = file_get_contents($key);

if ($this->cryptParams['library'] == self::RSASSA_PSS) {
$this->rsaPrivateKey = PublicKeyLoader::loadPrivateKey(file_get_contents($key));
$this->rsaPrivateKey->withPadding(RSA::SIGNATURE_PSS);
$this->rsaPrivateKey->withHash('sha256');
$this->rsaPrivateKey->withMGFHash('sha256');
}
} else {
$this->key = $key;
}
Expand Down Expand Up @@ -452,7 +469,7 @@ private function encryptSymmetric($data)
$data = $this->padISO10126($data, $this->cryptParams['blocksize']);
$encrypted = openssl_encrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
}

if (false === $encrypted) {
throw new Exception('Failure encrypting Data (openssl symmetric) - ' . openssl_error_string());
}
Expand Down Expand Up @@ -483,7 +500,7 @@ private function decryptSymmetric($data)
} else {
$decrypted = openssl_decrypt($data, $this->cryptParams['cipher'], $this->key, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->iv);
}

if (false === $decrypted) {
throw new Exception('Failure decrypting Data (openssl symmetric) - ' . openssl_error_string());
}
Expand Down Expand Up @@ -647,6 +664,8 @@ public function signData($data)
return $this->signOpenSSL($data);
case (self::HMAC_SHA1):
return hash_hmac("sha1", $data, $this->key, true);
case (self::RSASSA_PSS):
return $this->rsaPrivateKey->sign($data);
}
}

Expand Down Expand Up @@ -674,6 +693,8 @@ public function verifySignature($data, $signature)
case (self::HMAC_SHA1):
$expectedSignature = hash_hmac("sha1", $data, $this->key, true);
return strcmp($signature, $expectedSignature) == 0;
case (self::RSASSA_PSS):
return $this->rsaPrivateKey->verify($data, $signature);
}
}

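Review bot: The RSASSA_PSS case in `verifySignature()` calls `verify()` on the object that `loadKey()` created with `PublicKeyLoader::loadPrivateKey()`, so checking a signature would need the signer's private key, and as far as I know phpseclib 3's private-key class offers `sign()` but no `verify()`. That object is only created inside the `$isFile` branch, so a key passed as a string or taken from a certificate leaves `$rsaPrivateKey` null, and `signData()`/`verifySignature()` then end in a fatal error rather than a thrown `Exception` or `false`. In the same `loadKey()` hunk the results of `withPadding()`, `withHash()` and `withMGFHash()` are discarded; phpseclib 3 keys are immutable and return a configured copy, so the PSS/SHA-256 settings apply only because they appear to match the library defaults. The sketch below keeps the configured copy, loads public or private material for both input forms and verifies with the public half; `loadKey()` continues outside the hunk, so where this sits relative to its certificate handling needs checking.

```php
// in loadKey(), after $this->key has been set for both the file and the in-memory case
if ($this->cryptParams['library'] === self::RSASSA_PSS) {
    // with*() return a new key object; keep the result of the chain
    $this->rsaPrivateKey = PublicKeyLoader::load($this->key)
        ->withPadding(RSA::SIGNATURE_PSS)
        ->withHash('sha256')
        ->withMGFHash('sha256');
}

// … unchanged: rest of loadKey(), signData() …

// in verifySignature()
case (self::RSASSA_PSS):
    $pssKey = $this->rsaPrivateKey instanceof RSA\PrivateKey
        ? $this->rsaPrivateKey->getPublicKey()
        : $this->rsaPrivateKey;
    return $pssKey->verify($data, $signature);
```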