public function toPEM()
{
if ($this->isPublic()) {
$der = ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::OID, ASN1::encodeOID(self::OID)) . ASN1::encodeDER(ASN1::NULL_TYPE), false) . ASN1::encodeDER(ASN1::BIT_STRING, chr(0x0) . ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['n'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['e'])), false)), false);
return wordwrap("-----BEGIN PUBLIC KEY-----\n" . base64_encode($der) . "\n-----END PUBLIC KEY-----\n", 64, "\n", true);
} else {
$der = ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::INTEGER_TYPE, chr(0)) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['n'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['e'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['d'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['p'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['q'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['dp'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['dq'])) . ASN1::encodeDER(ASN1::INTEGER_TYPE, Util::base64url_decode($this->data['qi'])), false);
return wordwrap("-----BEGIN RSA PRIVATE KEY-----\n" . base64_encode($der) . "\n-----END RSA PRIVATE KEY-----\n", 64, "\n", true);
}
}
public function verify($signature, $data, $keys, $kid = null)
{
$key = $this->selectKey($keys, $kid, array(Key::PUBLIC_PROPERTY => true, '~use' => 'sig'));
if ($key == null) {
throw new KeyException('Key not found or is invalid');
}
$binary = Util::base64url_decode($signature);
if ($key->getKeyType() == \SimpleJWT\Keys\ECKey::KTY) {
// For ECDSA signatures, OpenSSL expects a ASN.1 DER SEQUENCE
list($r, $s) = str_split($binary, (int) (strlen($binary) / 2));
// Trim leading zeros
$r = ltrim($r, "");
$s = ltrim($s, "");
// Convert r and s from unsigned big-endian integers to signed two's complement
if (ord($r[0]) > 0x7f) {
$r = "" . $r;
}
if (ord($s[0]) > 0x7f) {
$s = "" . $s;
}
$binary = ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::INTEGER_TYPE, $r) . ASN1::encodeDER(ASN1::INTEGER_TYPE, $s), false);
}
$result = openssl_verify($data, $binary, $key->toPEM(), 'SHA' . $this->size);
switch ($result) {
case 1:
return true;
break;
case 0:
return false;
break;
default:
$messages = array();
while ($message = openssl_error_string()) {
$messages[] = $message;
}
throw new CryptException('Cannot verify signature: ' . implode("\n", $messages));
return false;
break;
}
}
/**
* Detects the format of key data and returns a key object.
*
* The supported formats are:
*
* - `php` - JSON web key formatted as a PHP associative array
* - `json` - JSON web key
* - `pem` - the public or private key encoded in PEM (base64 encoded DER) format
* - `jwe` - Encrypted JSON web key
*
* @param string $data the key data
* @param string $format the format
* @param string $password the password, if the key is password protected
* @param string $alg the algorithm, if the key is password protected
* @return Key the key object
* @throws KeyException if an error occurs in reading the data
*/
public static function create($data, $format = null, $password = null, $alg = 'PBES2-HS256+A128KW')
{
// 1. Detect format
if ($format == null || $format == 'auto') {
if (is_array($data)) {
$format = 'php';
} elseif (json_decode($data, true) != null) {
$format = 'json';
} elseif (substr_count($data, '.') == 5) {
$format = 'jwe';
} elseif (preg_match('/-----([^-:]+)-----/', $data)) {
$format = 'pem';
}
}
if ($format == null || $format == 'auto') {
throw new KeyException('Cannot detect key format');
}
// 2. Decode JSON
if ($format == 'json') {
$json = json_decode($data, true);
if (isset($json['ciphertext'])) {
$format = 'jwe';
} else {
$data = $json;
$format = 'php';
}
}
// 3. JWE
if ($format == 'jwe') {
if ($password == null) {
throw new KeyException('No password for encrypted key');
} else {
$keys = KeySet::createFromSecret($password, 'bin');
try {
$jwe = JWE::decrypt($data, $keys, $alg, isset($data['ciphertext']) ? JWE::JSON_FORMAT : JWE::COMPACT_FORMAT);
$data = json_decode($jwe->getPlaintext());
$format = 'php';
} catch (CryptException $e) {
throw new KeyException('Cannot decrypt key', 0, $e);
}
}
}
// 4. PHP/JSON
if ($format == 'php') {
if ($data != null && isset($data['kty'])) {
if (isset(self::$jwk_kty_map[$data['kty']])) {
return new self::$jwk_kty_map[$data['kty']]($data, 'php');
}
}
}
// 4. PEM
if ($format == 'pem') {
if (preg_match(Key::PEM_PUBLIC, $data, $matches)) {
$der = base64_decode($matches[1]);
if ($der === FALSE) {
throw new KeyException('Cannot read PEM key');
}
$offset = 0;
$offset += ASN1::readDER($der, $offset, $value);
// SEQUENCE
$offset += ASN1::readDER($der, $offset, $value);
// SEQUENCE
$offset += ASN1::readDER($der, $offset, $algorithm);
// OBJECT IDENTIFIER - AlgorithmIdentifier
$oid = ASN1::decodeOID($algorithm);
if (isset(self::$oid_map[$oid])) {
return new self::$oid_map[$oid]($data, 'pem');
}
} else {
foreach (self::$pem_map as $regex => $cls) {
if (preg_match($regex, $data)) {
return new $cls($data, 'pem');
}
}
}
}
// 5. Symmetric key
if ($format == 'base64url' || $format == 'base64' || $format == 'bin') {
return new SymmetricKey($data, $format);
}
return null;
}
public function toPEM()
{
$oid = $this->getOID($this->data['crv']);
if ($oid == null) {
throw new KeyException('Unrecognised EC curve');
}
if ($this->isPublic()) {
$der = ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::OID, ASN1::encodeOID(self::EC_OID)) . ASN1::encodeDER(ASN1::OID, ASN1::encodeOID($oid)), false) . ASN1::encodeDER(ASN1::BIT_STRING, chr(0x0) . chr(0x4) . Util::base64url_decode($this->data['x']) . Util::base64url_decode($this->data['y'])), false);
return wordwrap("-----BEGIN PUBLIC KEY-----\n" . base64_encode($der) . "\n-----END PUBLIC KEY-----\n", 64, "\n", true);
} else {
$der = ASN1::encodeDER(ASN1::SEQUENCE, ASN1::encodeDER(ASN1::INTEGER_TYPE, chr(0x1)) . ASN1::encodeDER(ASN1::OCTET_STRING, Util::base64url_decode($this->data['d'])) . ASN1::encodeDER(0x0, ASN1::encodeDER(ASN1::OID, ASN1::encodeOID($oid)), false, ASN1::CONTEXT_CLASS) . ASN1::encodeDER(0x1, ASN1::encodeDER(ASN1::BIT_STRING, chr(0x0) . chr(0x4) . Util::base64url_decode($this->data['x']) . Util::base64url_decode($this->data['y'])), false, ASN1::CONTEXT_CLASS), false);
return wordwrap("-----BEGIN EC PRIVATE KEY-----\n" . base64_encode($der) . "\n-----END EC PRIVATE KEY-----\n", 64, "\n", true);
}
}
