gmp not required for RSxxx algs, only PSxxx

Spomky · Spomky · commit f2071a12d1f0 · 2019-07-10T13:13:45.000+02:00
diff --git a/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php b/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php
@@ -21,7 +21,7 @@
 use Jose\Component\Signature\Algorithm\HMAC;
 use Jose\Component\Signature\Algorithm\HS1;
 use Jose\Component\Signature\Algorithm\None;
-use Jose\Component\Signature\Algorithm\RSA;
+use Jose\Component\Signature\Algorithm\RSAPSS;
 use Jose\Component\Signature\JWSBuilderFactory;
 use Jose\Component\Signature\JWSVerifierFactory;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
@@ -125,7 +125,7 @@ public function getCompilerPasses(): array
     private function getAlgorithmsFiles(): array
     {
         return [
-            RSA::class => 'signature_rsa.php',
+            RSAPSS::class => 'signature_rsa.php',
             ECDSA::class => 'signature_ecdsa.php',
             EdDSA::class => 'signature_eddsa.php',
             HMAC::class => 'signature_hmac.php',
diff --git a/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php b/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php
@@ -33,15 +33,17 @@
         ->tag('jose.algorithm', ['alias' => 'RS512'])
     ;
 
-    $container->set(Algorithm\PS256::class)
-        ->tag('jose.algorithm', ['alias' => 'PS256'])
-    ;
-
-    $container->set(Algorithm\PS384::class)
-        ->tag('jose.algorithm', ['alias' => 'PS384'])
-    ;
-
-    $container->set(Algorithm\PS512::class)
-        ->tag('jose.algorithm', ['alias' => 'PS512'])
-    ;
+    if (extension_loaded('gmp')) {
+        $container->set(Algorithm\PS256::class)
+            ->tag('jose.algorithm', ['alias' => 'PS256'])
+        ;
+
+        $container->set(Algorithm\PS384::class)
+            ->tag('jose.algorithm', ['alias' => 'PS384'])
+        ;
+
+        $container->set(Algorithm\PS512::class)
+            ->tag('jose.algorithm', ['alias' => 'PS512'])
+        ;
+    }
 };
diff --git a/src/SignatureAlgorithm/Experimental/RS1.php b/src/SignatureAlgorithm/Experimental/RS1.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class RS1 extends RSA
+final class RS1 extends RSAPKCS1
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha1';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PKCS1;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/PS256.php b/src/SignatureAlgorithm/RSA/PS256.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class PS256 extends RSA
+final class PS256 extends RSAPSS
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha256';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PSS;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/PS384.php b/src/SignatureAlgorithm/RSA/PS384.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class PS384 extends RSA
+final class PS384 extends RSAPSS
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha384';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PSS;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/PS512.php b/src/SignatureAlgorithm/RSA/PS512.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class PS512 extends RSA
+final class PS512 extends RSAPSS
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha512';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PSS;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/RS256.php b/src/SignatureAlgorithm/RSA/RS256.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class RS256 extends RSA
+final class RS256 extends RSAPKCS1
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha256';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PKCS1;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/RS384.php b/src/SignatureAlgorithm/RSA/RS384.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class RS384 extends RSA
+final class RS384 extends RSAPKCS1
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha384';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PKCS1;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/RS512.php b/src/SignatureAlgorithm/RSA/RS512.php
@@ -13,9 +13,7 @@
 
 namespace Jose\Component\Signature\Algorithm;
 
-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
-
-final class RS512 extends RSA
+final class RS512 extends RSAPKCS1
 {
     public function name(): string
     {
@@ -26,9 +24,4 @@ protected function getAlgorithm(): string
     {
         return 'sha512';
     }
-
-    protected function getSignatureMethod(): int
-    {
-        return JoseRSA::SIGNATURE_PKCS1;
-    }
 }
diff --git a/src/SignatureAlgorithm/RSA/RSA.php b/src/SignatureAlgorithm/RSA/RSA.php
@@ -18,6 +18,9 @@
 use Jose\Component\Core\Util\RSAKey;
 use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
 
+/**
+ * @deprecated Please use either RSAPSS or RSAPKCS1 depending on the padding mode
+ */
 abstract class RSA implements SignatureAlgorithm
 {
     public function allowedKeyTypes(): array
@@ -29,6 +32,9 @@ public function verify(JWK $key, string $input, string $signature): bool
     {
         $this->checkKey($key);
         $pub = RSAKey::createFromJWK($key->toPublic());
+        if (JoseRSA::SIGNATURE_PKCS1 === $this->getSignatureMethod()) {
+            return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm());
+        }
 
         return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), $this->getSignatureMethod());
     }
diff --git a/src/SignatureAlgorithm/RSA/RSAPKCS1.php b/src/SignatureAlgorithm/RSA/RSAPKCS1.php
@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2019 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+namespace Jose\Component\Signature\Algorithm;
+
+use InvalidArgumentException;
+use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\RSAKey;
+use RuntimeException;
+
+abstract class RSAPKCS1 implements SignatureAlgorithm
+{
+    public function allowedKeyTypes(): array
+    {
+        return ['RSA'];
+    }
+
+    public function verify(JWK $key, string $input, string $signature): bool
+    {
+        $this->checkKey($key);
+        $pub = RSAKey::createFromJWK($key->toPublic());
+
+        return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm());
+    }
+
+    public function sign(JWK $key, string $input): string
+    {
+        $this->checkKey($key);
+        if (!$key->has('d')) {
+            throw new InvalidArgumentException('The key is not a private key.');
+        }
+
+        $priv = RSAKey::createFromJWK($key);
+
+        $result = openssl_sign($input, $signature, $priv->toPEM(), $this->getAlgorithm());
+        if (true !== $result) {
+            throw new RuntimeException('Unable to sign');
+        }
+
+        return $signature;
+    }
+
+    abstract protected function getAlgorithm(): string;
+
+    private function checkKey(JWK $key): void
+    {
+        if (!\in_array($key->get('kty'), $this->allowedKeyTypes(), true)) {
+            throw new InvalidArgumentException('Wrong key type.');
+        }
+        foreach (['n', 'e'] as $k) {
+            if (!$key->has($k)) {
+                throw new InvalidArgumentException(sprintf('The key parameter "%s" is missing.', $k));
+            }
+        }
+    }
+}
diff --git a/src/SignatureAlgorithm/RSA/RSAPSS.php b/src/SignatureAlgorithm/RSA/RSAPSS.php
@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2019 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+namespace Jose\Component\Signature\Algorithm;
+
+use InvalidArgumentException;
+use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\RSAKey;
+use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;
+use RuntimeException;
+
+abstract class RSAPSS implements SignatureAlgorithm
+{
+    public function __construct()
+    {
+        if (!\extension_loaded('gmp')) {
+            throw new RuntimeException(static::class.' requires gmp extension');
+        }
+    }
+
+    public function allowedKeyTypes(): array
+    {
+        return ['RSA'];
+    }
+
+    public function verify(JWK $key, string $input, string $signature): bool
+    {
+        $this->checkKey($key);
+        $pub = RSAKey::createFromJWK($key->toPublic());
+
+        return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), JoseRSA::SIGNATURE_PSS);
+    }
+
+    public function sign(JWK $key, string $input): string
+    {
+        $this->checkKey($key);
+        if (!$key->has('d')) {
+            throw new InvalidArgumentException('The key is not a private key.');
+        }
+
+        $priv = RSAKey::createFromJWK($key);
+
+        return JoseRSA::sign($priv, $input, $this->getAlgorithm(), JoseRSA::SIGNATURE_PSS);
+    }
+
+    abstract protected function getAlgorithm(): string;
+
+    private function checkKey(JWK $key): void
+    {
+        if (!\in_array($key->get('kty'), $this->allowedKeyTypes(), true)) {
+            throw new InvalidArgumentException('Wrong key type.');
+        }
+        foreach (['n', 'e'] as $k) {
+            if (!$key->has($k)) {
+                throw new InvalidArgumentException(sprintf('The key parameter "%s" is missing.', $k));
+            }
+        }
+    }
+}
diff --git a/src/SignatureAlgorithm/RSA/Util/RSA.php b/src/SignatureAlgorithm/RSA/Util/RSA.php
@@ -40,7 +40,12 @@ public static function sign(RSAKey $key, string $message, string $hash, int $mod
             case self::SIGNATURE_PSS:
                 return self::signWithPSS($key, $message, $hash);
             case self::SIGNATURE_PKCS1:
-                return self::signWithPKCS15($key, $message, $hash);
+                $result = openssl_sign($message, $signature, $key->toPEM(), $hash);
+                if (true !== $result) {
+                    throw new RuntimeException('Unable to sign the data');
+                }
+
+                return $signature;
             default:
                 throw new InvalidArgumentException('Unsupported mode.');
         }
@@ -60,6 +65,8 @@ public static function signWithPSS(RSAKey $key, string $message, string $hash):
 
     /**
      * Create a signature.
+     *
+     * @deprecated Please use openssl_sign
      */
     public static function signWithPKCS15(RSAKey $key, string $message, string $hash): string
     {
@@ -76,7 +83,7 @@ public static function verify(RSAKey $key, string $message, string $signature, s
             case self::SIGNATURE_PSS:
                 return self::verifyWithPSS($key, $message, $signature, $hash);
             case self::SIGNATURE_PKCS1:
-                return self::verifyWithPKCS15($key, $message, $signature, $hash);
+                return 1 === openssl_verify($message, $signature, $key->toPEM(), $hash);
             default:
                 throw new InvalidArgumentException('Unsupported mode.');
         }
@@ -100,6 +107,8 @@ public static function verifyWithPSS(RSAKey $key, string $message, string $signa
 
     /**
      * Verifies a signature.
+     *
+     * @deprecated Please use openssl_sign
      */
     public static function verifyWithPKCS15(RSAKey $key, string $message, string $signature, string $hash): bool
     {
diff --git a/src/SignatureAlgorithm/RSA/composer.json b/src/SignatureAlgorithm/RSA/composer.json

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,7 @@`
`13`	`13`
`14`	`14`	`namespace Jose\Component\Signature\Algorithm;`
`15`	`15`
`16`		`-use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;`
`17`		`-`
`18`		`-final class RS1 extends RSA`
	`16`	`+final class RS1 extends RSAPKCS1`
`19`	`17`	`{`
`20`	`18`	`public function name(): string`
`21`	`19`	`{`
`@@ -26,9 +24,4 @@ protected function getAlgorithm(): string`
`26`	`24`	`{`
`27`	`25`	`return 'sha1';`
`28`	`26`	`}`
`29`		`-`
`30`		`- protected function getSignatureMethod(): int`
`31`		`- {`
`32`		`- return JoseRSA::SIGNATURE_PKCS1;`
`33`		`- }`
`34`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@`
`18`	`18`	`use Jose\Component\Core\Util\RSAKey;`
`19`	`19`	`use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA;`
`20`	`20`
	`21`	`+/**`
	`22`	`+ * @deprecated Please use either RSAPSS or RSAPKCS1 depending on the padding mode`
	`23`	`+ */`
`21`	`24`	`abstract class RSA implements SignatureAlgorithm`
`22`	`25`	`{`
`23`	`26`	`public function allowedKeyTypes(): array`
`@@ -29,6 +32,9 @@ public function verify(JWK $key, string $input, string $signature): bool`
`29`	`32`	`{`
`30`	`33`	`$this->checkKey($key);`
`31`	`34`	`$pub = RSAKey::createFromJWK($key->toPublic());`
	`35`	`+ if (JoseRSA::SIGNATURE_PKCS1 === $this->getSignatureMethod()) {`
	`36`	`+ return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm());`
	`37`	`+ }`
`32`	`38`
`33`	`39`	`return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), $this->getSignatureMethod());`
`34`	`40`	`}`