<?php
declare(strict_types=1);
/*
* The MIT License (MIT)
*
* Copyright (c) 2014-2018 Spomky-Labs
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
namespace Jose\Component\KeyManagement\KeyConverter;
use Base64Url\Base64Url;
/**
* @internal
*/
class KeyConverter
{
/**
* @throws \InvalidArgumentException
*/
public static function loadKeyFromCertificateFile(string $file): array
{
if (!\file_exists($file)) {
throw new \InvalidArgumentException(\sprintf('File "%s" does not exist.', $file));
}
$content = \file_get_contents($file);
return self::loadKeyFromCertificate($content);
}
/**
* @throws \InvalidArgumentException
*/
public static function loadKeyFromCertificate(string $certificate): array
{
try {
$res = \openssl_x509_read($certificate);
} catch (\Exception $e) {
$certificate = self::convertDerToPem($certificate);
$res = \openssl_x509_read($certificate);
}
if (false === $res) {
throw new \InvalidArgumentException('Unable to load the certificate.');
}
$values = self::loadKeyFromX509Resource($res);
\openssl_x509_free($res);
return $values;
}
/**
* @param resource $res
*
* @throws \Exception
*/
public static function loadKeyFromX509Resource($res): array
{
$key = \openssl_get_publickey($res);
$details = \openssl_pkey_get_details($key);
if (isset($details['key'])) {
$values = self::loadKeyFromPEM($details['key']);
\openssl_x509_export($res, $out);
$x5c = \preg_replace('#-.*-#', '', $out);
$x5c = \preg_replace('~\R~', PHP_EOL, $x5c);
$x5c = \trim($x5c);
$values['x5c'] = [$x5c];
$values['x5t'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha1', true));
$values['x5t#256'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha256', true));
return $values;
}
throw new \InvalidArgumentException('Unable to load the certificate');
}
/**
* @throws \Exception
*/
public static function loadFromKeyFile(string $file, ?string $password = null): array
{
$content = \file_get_contents($file);
return self::loadFromKey($content, $password);
}
/**
* @throws \Exception
*/
public static function loadFromKey(string $key, ?string $password = null): array
{
try {
return self::loadKeyFromDER($key, $password);
} catch (\Exception $e) {
return self::loadKeyFromPEM($key, $password);
}
}
/**
* @throws \Exception
*/
private static function loadKeyFromDER(string $der, ?string $password = null): array
{
$pem = self::convertDerToPem($der);
return self::loadKeyFromPEM($pem, $password);
}
/**
* @throws \Exception
*/
private static function loadKeyFromPEM(string $pem, ?string $password = null): array
{
if (\preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) {
$pem = self::decodePem($pem, $matches, $password);
}
self::sanitizePEM($pem);
$res = \openssl_pkey_get_private($pem);
if (false === $res) {
$res = \openssl_pkey_get_public($pem);
}
if (false === $res) {
throw new \InvalidArgumentException('Unable to load the key.');
}
$details = \openssl_pkey_get_details($res);
if (!\is_array($details) || !\array_key_exists('type', $details)) {
throw new \InvalidArgumentException('Unable to get details of the key');
}
switch ($details['type']) {
case OPENSSL_KEYTYPE_EC:
$ec_key = ECKey::createFromPEM($pem);
return $ec_key->toArray();
case OPENSSL_KEYTYPE_RSA:
$rsa_key = RSAKey::createFromPEM($pem);
$rsa_key->optimize();
return $rsa_key->toArray();
default:
throw new \InvalidArgumentException('Unsupported key type');
}
}
/**
* This method modifies the PEM to get 64 char lines and fix bug with old OpenSSL versions.
*/
private static function sanitizePEM(string &$pem)
{
\preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
$ciphertext = \preg_replace('#-.*-|\r|\n| #', '', $pem);
$pem = $matches[0][0].PHP_EOL;
$pem .= \chunk_split($ciphertext, 64, PHP_EOL);
$pem .= $matches[0][1].PHP_EOL;
}
/**
* Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean!
* It is mandatory to verify the root CA or intermediate CA are trusted.
* If not done, it may lead to potential security issues.
*/
public static function loadFromX5C(array $x5c): array
{
$certificate = null;
$last_issuer = null;
$last_subject = null;
foreach ($x5c as $cert) {
$current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.\chunk_split($cert,64,PHP_EOL).'-----END CERTIFICATE-----';
$x509 = \openssl_x509_read($current_cert);
if (false === $x509) {
$last_issuer = null;
$last_subject = null;
break;
}
$parsed = \openssl_x509_parse($x509);
\openssl_x509_free($x509);
if (false === $parsed) {
$last_issuer = null;
$last_subject = null;
break;
}
if (null === $last_subject) {
$last_subject = $parsed['subject'];
$last_issuer = $parsed['issuer'];
$certificate = $current_cert;
} else {
if (\json_encode($last_issuer) === \json_encode($parsed['subject'])) {
$last_subject = $parsed['subject'];
$last_issuer = $parsed['issuer'];
} else {
$last_issuer = null;
$last_subject = null;
break;
}
}
}
return self::loadKeyFromCertificate($certificate);
}
/**
* @param string[] $matches
*/
private static function decodePem(string $pem, array $matches, ?string $password = null): string
{
if (null === $password) {
throw new \InvalidArgumentException('Password required for encrypted keys.');
}
$iv = \pack('H*', \trim($matches[2]));
$iv_sub = \mb_substr($iv, 0, 8, '8bit');
$symkey = \pack('H*', \md5($password.$iv_sub));
$symkey .= \pack('H*', \md5($symkey.$password.$iv_sub));
$key = \preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem);
$ciphertext = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $key), true);
$decoded = \openssl_decrypt($ciphertext, \mb_strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv);
if (!\is_string($decoded)) {
throw new \InvalidArgumentException('Incorrect password. Key decryption failed.');
}
$number = \preg_match_all('#-{5}.*-{5}#', $pem, $result);
if (2 !== $number) {
throw new \InvalidArgumentException('Unable to load the key');
}
$pem = $result[0][0].PHP_EOL;
$pem .= \chunk_split(\base64_encode($decoded), 64);
$pem .= $result[0][1].PHP_EOL;
return $pem;
}
private static function convertDerToPem(string $der_data): string
{
$pem = \chunk_split(\base64_encode($der_data), 64, PHP_EOL);
$pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL;
return $pem;
}
}