private function rsa($public_or_private_key, $padding_mode)
{
if ($public_or_private_key instanceof JOSE_JWK) {
$rsa = $public_or_private_key->toKey();
} else {
if ($public_or_private_key instanceof RSA) {
$rsa = $public_or_private_key;
} else {
$rsa = new RSA();
$rsa->loadKey($public_or_private_key);
}
}
$rsa->setHash($this->digest());
$rsa->setMGFHash($this->digest());
$rsa->setSignatureMode($padding_mode);
return $rsa;
}
private function rsa($public_or_private_key, $padding_mode)
{
if ($public_or_private_key instanceof JOSE_JWK) {
$rsa = $public_or_private_key->toKey();
} else {
if ($public_or_private_key instanceof RSA) {
$rsa = $public_or_private_key;
} else {
$rsa = new RSA();
$rsa->loadKey($public_or_private_key);
}
}
$rsa->setHash($this->digest());
$rsa->setMGFHash($this->digest());
$rsa->setSaltLength(false);
# NOTE: https://github.com/phpseclib/phpseclib/issues/768
$rsa->setSignatureMode($padding_mode);
return $rsa;
}
/**
* Validates a signature
*
* Returns true if the signature is verified, false if it is not correct or null on error
*
* @param string $publicKeyAlgorithm
* @param string $publicKey
* @param string $signatureAlgorithm
* @param string $signature
* @param string $signatureSubject
* @access private
* @return int
*/
function _validateSignature($publicKeyAlgorithm, $publicKey, $signatureAlgorithm, $signature, $signatureSubject)
{
switch ($publicKeyAlgorithm) {
case 'rsaEncryption':
$rsa = new RSA();
$rsa->loadKey($publicKey);
switch ($signatureAlgorithm) {
case 'md2WithRSAEncryption':
case 'md5WithRSAEncryption':
case 'sha1WithRSAEncryption':
case 'sha224WithRSAEncryption':
case 'sha256WithRSAEncryption':
case 'sha384WithRSAEncryption':
case 'sha512WithRSAEncryption':
$rsa->setHash(preg_replace('#WithRSAEncryption$#', '', $signatureAlgorithm));
$rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);
if (!@$rsa->verify($signatureSubject, $signature)) {
return false;
}
break;
default:
return null;
}
break;
default:
return null;
}
return true;
}
/**
* Validates a signature
*
* Returns true if the signature is verified and false if it is not correct.
* If the algorithms are unsupposed an exception is thrown.
*
* @param string $publicKeyAlgorithm
* @param string $publicKey
* @param string $signatureAlgorithm
* @param string $signature
* @param string $signatureSubject
* @access private
* @throws \phpseclib\Exception\UnsupportedAlgorithmException if the algorithm is unsupported
* @return bool
*/
function _validateSignature($publicKeyAlgorithm, $publicKey, $signatureAlgorithm, $signature, $signatureSubject)
{
switch ($publicKeyAlgorithm) {
case 'rsaEncryption':
$rsa = new RSA();
$rsa->load($publicKey);
switch ($signatureAlgorithm) {
case 'md2WithRSAEncryption':
case 'md5WithRSAEncryption':
case 'sha1WithRSAEncryption':
case 'sha224WithRSAEncryption':
case 'sha256WithRSAEncryption':
case 'sha384WithRSAEncryption':
case 'sha512WithRSAEncryption':
$rsa->setHash(preg_replace('#WithRSAEncryption$#', '', $signatureAlgorithm));
if (!@$rsa->verify($signatureSubject, $signature, RSA::PADDING_PKCS1)) {
return false;
}
break;
default:
throw new UnsupportedAlgorithmException('Signature algorithm unsupported');
}
break;
default:
throw new UnsupportedAlgorithmException('Public key algorithm unsupported');
}
return true;
}
static function crypt_rsa_key($mod, $exp, $hash = 'SHA256')
{
$rsa = new Crypt_RSA();
$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
$rsa->setHash(strtolower($hash));
$rsa->modulus = new Math_BigInteger($mod, 256);
$rsa->k = strlen($rsa->modulus->toBytes());
$rsa->exponent = new Math_BigInteger($exp, 256);
$rsa->setPublicKey();
return $rsa;
}
/**
* Static method for quick calls to calculate a signature.
* @link https://developer.walmartapis.com/#authentication
* @param string $consumerId
* @param string $privateKey
* @param string $requestUrl
* @param string $requestMethod
* @param string|null $timestamp
* @return string
* @throws \Exception
*/
public static function calculateSignature($consumerId, $privateKey, $requestUrl, $requestMethod, $timestamp = null)
{
if (is_null($timestamp) || !is_numeric($timestamp)) {
$timestamp = self::getMilliseconds();
}
/**
* Append values into string for signing
*/
$message = $consumerId . "\n" . $requestUrl . "\n" . strtoupper($requestMethod) . "\n" . $timestamp . "\n";
/**
* Get RSA object for signing
*/
$rsa = new RSA();
$decodedPrivateKey = base64_decode($privateKey);
$rsa->setPrivateKeyFormat(RSA::PRIVATE_FORMAT_PKCS8);
$rsa->setPublicKeyFormat(RSA::PRIVATE_FORMAT_PKCS8);
/**
* Load private key
*/
if ($rsa->loadKey($decodedPrivateKey, RSA::PRIVATE_FORMAT_PKCS8)) {
/**
* Make sure we use SHA256 for signing
*/
$rsa->setHash('sha256');
$rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);
$signed = $rsa->sign($message);
/**
* Return Base64 Encode generated signature
*/
return base64_encode($signed);
} else {
throw new \Exception("Unable to load private key", 1446780146);
}
}
/**
*
* @param string $hashtype
* @param object $key
* @throws OpenIDConnectClientException
* @return bool
*/
private function verifyRSAJWTsignature($hashtype, $key, $payload, $signature)
{
if (!(property_exists($key, 'n') and property_exists($key, 'e'))) {
throw new OpenIDConnectClientException('Malformed key object');
}
/*
* We already have base64url-encoded data, so re-encode it as
* regular base64 and use the XML key format for simplicity.
*/
var_dump($hashtype, $key, $payload, base64_encode($signature));
$public_key_xml = "<RSAKeyValue>\r\n" . " <Modulus>" . b64url2b64($key->n) . "</Modulus>\r\n" . " <Exponent>" . b64url2b64($key->e) . "</Exponent>\r\n" . "</RSAKeyValue>";
$rsa = new RSA();
$rsa->setHash($hashtype);
$rsa->loadKey($public_key_xml, 'xml');
$rsa->signatureMode = RSA::SIGNATURE_PKCS1;
return $rsa->verify($payload, $signature);
}
