|
|
@@ -249,6 +249,8 @@ class Checker { |
|
|
|
|
|
|
|
$privateKey->setSignatureMode(RSA::SIGNATURE_PSS); |
|
|
|
$privateKey->setMGFHash('sha512'); |
|
|
|
// See https://tools.ietf.org/html/rfc3447#page-38 |
|
|
|
$privateKey->setSaltLength(0); |
|
|
|
$signature = $privateKey->sign(json_encode($hashes)); |
|
|
|
|
|
|
|
return [ |
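Review bot: The new comment above `setSaltLength(0)` only links to RFC 3447 and does not say why a zero-length salt is chosen or that the verifying side must use the same value. With an empty salt the PSS encoding is deterministic, so the same hashes and key always yield the same signature; the RFC permits this, but it is a deliberate trade-off that should be stated next to the call. I would extend the comment to something like `// Salt length pinned to 0 (deterministic PSS); the verify path in this class must use the same value or verification fails.` The same applies to the matching verification hunk at -352,6 +354,8, and it is worth confirming that the bundled phpseclib treats an explicit 0 as a real length rather than as "unset". The enclosing method starts and ends outside this hunk.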
|
|
@@ -343,7 +345,7 @@ class Checker { |
|
|
|
// Verify if certificate has proper CN. "core" CN is always trusted. |
|
|
|
if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') { |
|
|
|
throw new InvalidSignatureException( |
|
|
|
sprintf('Certificate is not valid for required scope. (Requested: %s, current: %s)', $certificateCN, $x509->getDN(true)) |
|
|
|
sprintf('Certificate is not valid for required scope. (Requested: %s, current: CN=%s)', $certificateCN, $x509->getDN(true)['CN']) |
|
|
|
); |
|
|
|
} |
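Review bot: The rewritten message reads the CN through `$x509->getDN(true)['CN']`, while the condition a few lines above reads it through `$x509->getDN(X509::DN_OPENSSL)['CN']`. The other sprintf line in this hunk passes `getDN(true)` straight to `%s`, which suggests that call returns a string here; if so, indexing it with `'CN'` will not give the common name and may raise a warning or error inside the exception path, masking the real failure. Passing `$x509->getDN(X509::DN_OPENSSL)['CN']` as the last sprintf argument keeps the message in step with the check. The `if` sits inside a method whose start and end are outside this hunk.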
|
|
|
|
|
|
@@ -352,6 +354,8 @@ class Checker { |
|
|
|
$rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']); |
|
|
|
$rsa->setSignatureMode(RSA::SIGNATURE_PSS); |
|
|
|
$rsa->setMGFHash('sha512'); |
|
|
|
// See https://tools.ietf.org/html/rfc3447#page-38 |
|
|
|
$rsa->setSaltLength(0); |
|
|
|
if(!$rsa->verify(json_encode($expectedHashes), $signature)) { |
|
|
|
throw new InvalidSignatureException('Signature could not get verified.'); |
|
|
|
} |