
Pre-release: v0.3.1
mettke committed Jun 15, 2019
2 parents 73c4641 + ed826fb commit 09ecae0
Showing 8 changed files with 304 additions and 83 deletions.
2 changes: 2 additions & 0 deletions docker/Dockerfile
Expand Up @@ -2,6 +2,7 @@ FROM alpine
LABEL maintainer="Marc Mettke <[email protected]>"

ENV SYSTEM https://github.com/mettke/ssl-cert-authority.git
ENV TAG v0.3.1
ADD entrypoint.sh /entrypoint.sh
ADD healthcheck.sh /healthcheck.sh
ADD cron /var/spool/cron/crontabs/root
Expand All @@ -27,6 +28,7 @@ RUN mkdir -p /var/log/cert/ /run/php/ /sca/ && \
ln -sf /dev/stderr /var/log/php7/error.log
RUN apk add git && \
git clone ${SYSTEM} /sca && \
git -C /sca checkout ${TAG} && \
apk del git && \
chown -R cert-sync:nogroup /sca/config

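Review bot: The added `git -C /sca checkout ${TAG}` pins the build to a tag name, and a tag can be moved or re-created in the upstream repository, so the image is still not tied to specific content. Checking out a full commit hash (for example `ENV REF <full-commit-sha>`, placeholder) or running `git -C /sca verify-tag ${TAG}` against a maintainer key shipped with the build, before `apk del git`, would make a rebuild fail instead of silently picking up different code. The `FROM alpine` base visible in the first hunk header is likewise unpinned, so the same consideration applies to the base image.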
158 changes: 144 additions & 14 deletions scripts/phpseclib/Crypt/RSA.php
Expand Up @@ -81,7 +81,7 @@
/**
* Include Crypt_Hash
*/
if (!class_exists('Crypt_Hash', false)) {
if (!class_exists('Crypt_Hash')) {
include_once 'Hash.php';
}

Expand Down Expand Up @@ -210,6 +210,10 @@
* PKCS#8 formatted private key
*/
define('CRYPT_RSA_PRIVATE_FORMAT_PKCS8', 8);
/**
* OpenSSH formatted private key
*/
define('CRYPT_RSA_PRIVATE_FORMAT_OPENSSH', 9);
/**#@-*/

/**#@+
Expand Down Expand Up @@ -493,7 +497,7 @@ class Crypt_RSA
*/
function __construct()
{
if (!class_exists('Math_BigInteger', false)) {
if (!class_exists('Math_BigInteger')) {
include_once 'Math/BigInteger.php';
}

Expand Down Expand Up @@ -849,7 +853,7 @@ function _convertPrivateKey($n, $e, $d, $primes, $exponents, $coefficients)
} else {
$private.= crypt_random_string(16 - (strlen($private) & 15));
$source.= pack('Na*', strlen($private), $private);
if (!class_exists('Crypt_AES', false)) {
if (!class_exists('Crypt_AES')) {
include_once 'Crypt/AES.php';
}
$sequence = 0;
Expand All @@ -870,14 +874,66 @@ function _convertPrivateKey($n, $e, $d, $primes, $exponents, $coefficients)
$private = base64_encode($private);
$key.= 'Private-Lines: ' . ((strlen($private) + 63) >> 6) . "\r\n";
$key.= chunk_split($private, 64);
if (!class_exists('Crypt_Hash', false)) {
if (!class_exists('Crypt_Hash')) {
include_once 'Crypt/Hash.php';
}
$hash = new Crypt_Hash('sha1');
$hash->setKey(pack('H*', sha1($hashkey)));
$key.= 'Private-MAC: ' . bin2hex($hash->hash($source)) . "\r\n";

return $key;
case CRYPT_RSA_PRIVATE_FORMAT_OPENSSH:
if ($num_primes != 2) {
return false;
}
$publicKey = pack('Na*Na*Na*', strlen('ssh-rsa'), 'ssh-rsa', strlen($raw['publicExponent']), $raw['publicExponent'], strlen($raw['modulus']), $raw['modulus']);
$privateKey = pack(
'Na*Na*Na*Na*Na*Na*Na*',
strlen('ssh-rsa'),
'ssh-rsa',
strlen($raw['modulus']),
$raw['modulus'],
strlen($raw['publicExponent']),
$raw['publicExponent'],
strlen($raw['privateExponent']),
$raw['privateExponent'],
strlen($raw['coefficient']),
$raw['coefficient'],
strlen($raw['prime1']),
$raw['prime1'],
strlen($raw['prime2']),
$raw['prime2']
);
$checkint = crypt_random_string(4);
$paddedKey = pack(
'a*Na*',
$checkint . $checkint . $privateKey,
strlen($this->comment),
$this->comment
);
$paddingLength = (7 * strlen($paddedKey)) % 8;
for ($i = 1; $i <= $paddingLength; $i++) {
$paddedKey.= chr($i);
}
$key = pack(
'Na*Na*Na*NNa*Na*',
strlen('none'),
'none',
strlen('none'),
'none',
0,
'',
1,
strlen($publicKey),
$publicKey,
strlen($paddedKey),
$paddedKey
);
$key = "openssh-key-v1\0$key";

return "-----BEGIN OPENSSH PRIVATE KEY-----\r\n" .
chunk_split(base64_encode($key), 70) .
"-----END OPENSSH PRIVATE KEY-----";
default: // eg. CRYPT_RSA_PRIVATE_FORMAT_PKCS1
$components = array();
foreach ($raw as $name => $value) {
Expand Down Expand Up @@ -922,7 +978,7 @@ function _convertPrivateKey($n, $e, $d, $primes, $exponents, $coefficients)
$salt = crypt_random_string(8);
$iterationCount = 2048;

if (!class_exists('Crypt_DES', false)) {
if (!class_exists('Crypt_DES')) {
include_once 'Crypt/DES.php';
}
$crypto = new Crypt_DES();
Expand Down Expand Up @@ -977,7 +1033,7 @@ function _convertPrivateKey($n, $e, $d, $primes, $exponents, $coefficients)
$iv = crypt_random_string(8);
$symkey = pack('H*', md5($this->password . $iv)); // symkey is short for symmetric key
$symkey.= substr(pack('H*', md5($symkey . $this->password . $iv)), 0, 8);
if (!class_exists('Crypt_TripleDES', false)) {
if (!class_exists('Crypt_TripleDES')) {
include_once 'Crypt/TripleDES.php';
}
$des = new Crypt_TripleDES();
Expand Down Expand Up @@ -1157,33 +1213,33 @@ function. As is, the definitive authority on this encoding scheme isn't the IET
}
switch ($matches[1]) {
case 'AES-256-CBC':
if (!class_exists('Crypt_AES', false)) {
if (!class_exists('Crypt_AES')) {
include_once 'Crypt/AES.php';
}
$crypto = new Crypt_AES();
break;
case 'AES-128-CBC':
if (!class_exists('Crypt_AES', false)) {
if (!class_exists('Crypt_AES')) {
include_once 'Crypt/AES.php';
}
$symkey = substr($symkey, 0, 16);
$crypto = new Crypt_AES();
break;
case 'DES-EDE3-CFB':
if (!class_exists('Crypt_TripleDES', false)) {
if (!class_exists('Crypt_TripleDES')) {
include_once 'Crypt/TripleDES.php';
}
$crypto = new Crypt_TripleDES(CRYPT_DES_MODE_CFB);
break;
case 'DES-EDE3-CBC':
if (!class_exists('Crypt_TripleDES', false)) {
if (!class_exists('Crypt_TripleDES')) {
include_once 'Crypt/TripleDES.php';
}
$symkey = substr($symkey, 0, 24);
$crypto = new Crypt_TripleDES();
break;
case 'DES-CBC':
if (!class_exists('Crypt_DES', false)) {
if (!class_exists('Crypt_DES')) {
include_once 'Crypt/DES.php';
}
$crypto = new Crypt_DES();
Expand Down Expand Up @@ -1262,7 +1318,7 @@ function. As is, the definitive authority on this encoding scheme isn't the IET
return false;
}

if (!class_exists('Crypt_DES', false)) {
if (!class_exists('Crypt_DES')) {
include_once 'Crypt/DES.php';
}
$crypto = new Crypt_DES();
Expand Down Expand Up @@ -1448,7 +1504,7 @@ function. As is, the definitive authority on this encoding scheme isn't the IET

switch ($encryption) {
case 'aes256-cbc':
if (!class_exists('Crypt_AES', false)) {
if (!class_exists('Crypt_AES')) {
include_once 'Crypt/AES.php';
}
$symkey = '';
Expand Down Expand Up @@ -1497,6 +1553,75 @@ function. As is, the definitive authority on this encoding scheme isn't the IET
}
$components['coefficients'] = array(2 => new Math_BigInteger($this->_string_shift($private, $length), -256));

return $components;
case CRYPT_RSA_PRIVATE_FORMAT_OPENSSH:
$components = array();
$decoded = $this->_extractBER($key);
$magic = $this->_string_shift($decoded, 15);
if ($magic !== "openssh-key-v1\0") {
return false;
}
$options = $this->_string_shift($decoded, 24);
// \0\0\0\4none = ciphername
// \0\0\0\4none = kdfname
// \0\0\0\0 = kdfoptions
// \0\0\0\1 = numkeys
if ($options != "\0\0\0\4none\0\0\0\4none\0\0\0\0\0\0\0\1") {
return false;
}
extract(unpack('Nlength', $this->_string_shift($decoded, 4)));
if (strlen($decoded) < $length) {
return false;
}
$publicKey = $this->_string_shift($decoded, $length);
extract(unpack('Nlength', $this->_string_shift($decoded, 4)));
if (strlen($decoded) < $length) {
return false;
}
$paddedKey = $this->_string_shift($decoded, $length);

if ($this->_string_shift($publicKey, 11) !== "\0\0\0\7ssh-rsa") {
return false;
}

$checkint1 = $this->_string_shift($paddedKey, 4);
$checkint2 = $this->_string_shift($paddedKey, 4);
if (strlen($checkint1) != 4 || $checkint1 !== $checkint2) {
return false;
}

if ($this->_string_shift($paddedKey, 11) !== "\0\0\0\7ssh-rsa") {
return false;
}

$values = array(
&$components['modulus'],
&$components['publicExponent'],
&$components['privateExponent'],
&$components['coefficients'][2],
&$components['primes'][1],
&$components['primes'][2]
);

foreach ($values as &$value) {
extract(unpack('Nlength', $this->_string_shift($paddedKey, 4)));
if (strlen($paddedKey) < $length) {
return false;
}
$value = new Math_BigInteger($this->_string_shift($paddedKey, $length), -256);
}

extract(unpack('Nlength', $this->_string_shift($paddedKey, 4)));
if (strlen($paddedKey) < $length) {
return false;
}
$components['comment'] = $this->_string_shift($decoded, $length);

$temp = $components['primes'][1]->subtract($this->one);
$components['exponents'] = array(1 => $components['publicExponent']->modInverse($temp));
$temp = $components['primes'][2]->subtract($this->one);
$components['exponents'][] = $components['publicExponent']->modInverse($temp);

return $components;
}
}
Expand Down Expand Up @@ -1653,7 +1778,8 @@ function loadKey($key, $type = false)
CRYPT_RSA_PRIVATE_FORMAT_PKCS1,
CRYPT_RSA_PRIVATE_FORMAT_XML,
CRYPT_RSA_PRIVATE_FORMAT_PUTTY,
CRYPT_RSA_PUBLIC_FORMAT_OPENSSH
CRYPT_RSA_PUBLIC_FORMAT_OPENSSH,
CRYPT_RSA_PRIVATE_FORMAT_OPENSSH
);
foreach ($types as $type) {
$components = $this->_parseKey($key, $type);
Expand Down Expand Up @@ -2301,6 +2427,10 @@ function _blind($x, $r, $i)
*/
function _equals($x, $y)
{
if (function_exists('hash_equals')) {
return hash_equals($x, $y);
}

if (strlen($x) != strlen($y)) {
return false;
}
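Review bot: In the new `CRYPT_RSA_PRIVATE_FORMAT_OPENSSH` parsing branch the comment is read with `$this->_string_shift($decoded, $length)` although its length was just taken from, and bounds-checked against, `$paddedKey`; the line should read `$components['comment'] = $this->_string_shift($paddedKey, $length);`. The same branch calls `extract(unpack('Nlength', ...))` without first checking that four bytes remain, so on a truncated key `unpack()` fails and, depending on the PHP version, either an error is raised or `$length` keeps its previous value and the following `strlen()` comparison trusts it. Because `loadKey()` now tries this format during auto-detection, malformed input reaches this code, so each length read should be guarded, e.g. `if (strlen($paddedKey) < 4) { return false; }` before the unpack. The enclosing parse function starts and ends outside the visible hunks.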
