Accueil Explorer Aide
Connexion
Tilo15
/
php-ppub
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 021894a470
Branches Tags
php-ppub
/
ppcl.php

ppcl.php 7.1 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. <?php
    2. 

  2. 

  3. class Ppcl {
    4. 

  4.     public $identifier;
    5. 

  5.     public $serial;
    6. 

  6.     public $domains = array();
    7. 

  7.     public $members = array();
    8. 

  8.     public $agents = array();
    9. 

  9.     public $last_modified;
    10. 

  10.     public $signature;
    11. 

  11.     public $shared_signature_key;
    12. 

  12.     public $shared_signature;
    13. 

  13.     public $name;
    14. 

  14.     public $current_state_token;
    15. 

  15. 

  16.     public $publications = array();
    17. 

  17.     private $authoritative_part;
    18. 

  18. 

  19.     public function from_string($str) {
    20. 

  20.         $lines = explode("\n", $str);
    21. 

  21.         $header = explode(" ", $lines[0]);
    22. 

  22.         $this->authoritative_part = explode("\nCST ", $str, 2)[0];
    23. 

  23. 

  24.         if($header[0] != "PPCL") {
    25. 

  25.             throw new Exception("Header does not start with PPCL magic number", 1);
    26. 

  26.         }
    27. 

  27.         $this->identifier = base64_decode($header[1]);
    28. 

  28.         $this->serial = (int)$header[2];
    29. 

  29. 

  30.         $authoritative = true;
    31. 

  31.         foreach ($lines as $line) {
    32. 

  32.             $entry = explode(" ", $line);
    33. 

  33.             if($entry[0] == "PPCL") {
    34. 

  34.                 continue;
    35. 

  35.             }
    36. 

  36.             if($entry[0] == "SSK" && $authoritative) {
    37. 

  37.                 $this->shared_signature_key = base64_decode($entry[1]);
    38. 

  38.             }
    39. 

  39.             else if($entry[0] == "NAM" && $authoritative) {
    40. 

  40.                 $this->name = explode(" ", $line, 2)[1];
    41. 

  41.             }
    42. 

  42.             else if($entry[0] == "DOM" && $authoritative) {
    43. 

  43.                 array_push($this->domains, $entry[1]);
    44. 

  44.             }
    45. 

  45.             else if($entry[0] == "MEM" && $authoritative) {
    46. 

  46.                 array_push($this->members, new CollectionMember($entry[1], $entry[2], base64_decode($entry[3])));
    47. 

  47.             }
    48. 

  48.             else if($entry[0] == "AGT" && $authoritative) {
    49. 

  49.                 array_push($this->agents, new CollectionAgent($entry[1], base64_decode($entry[2]), base64_decode($entry[3])));
    50. 

  50.             }
    51. 

  51.             else if($entry[0] == "SIG" && $authoritative) {
    52. 

  52.                 $this->signature = base64_decode($entry[1]);
    53. 

  53.                 $authoritative = false;
    54. 

  54.             }
    55. 

  55.             else if($entry[0] == "CST") {
    56. 

  56.                 $this->current_state_token = base64_decode($entry[1]);
    57. 

  57.             }
    58. 

  58.             else if($entry[0] == "MOD") {
    59. 

  59.                 $this->last_modified = new DateTime($entry[1]);
    60. 

  60.             }
    61. 

  61.             else if($entry[0] == "PUB") {
    62. 

  62.                 array_push($this->publications, new CollectionPublication($line, $this->members));
    63. 

  63.             }
    64. 

  64.             else if($entry[0] == "SSG") {
    65. 

  65.                 $this->shared_signature = base64_decode($entry[1]);
    66. 

  66.             }
    67. 

  67.         }
    68. 

  68. 

  69.         // Verify authoritative signature
    70. 

  70.         $parts = explode("\nSIG ", $str, 2);
    71. 

  71.         $hash = hash("sha512", $parts[0], true);
    72. 

  72.         $sig_data = sodium_crypto_sign_open($this->signature, $this->identifier);
    73. 

  73.         if($hash != $sig_data) {
    74. 

  74.             throw new Exception("Invalid authoritative signature", 1);
    75. 

  75.         }
    76. 

  76. 

  77.         // Verify shared signature
    78. 

  78.         $parts = explode("\nSSG ", $str, 2);
    79. 

  79.         $hash = hash("sha512", $parts[0], true);
    80. 

  80.         $sig_data = sodium_crypto_sign_open($this->shared_signature, $this->shared_signature_key);
    81. 

  81.         if($hash != $sig_data) {
    82. 

  82.             throw new Exception("Invalid shared signature", 1);
    83. 

  83.         }
    84. 

  84.     }
    85. 

  85. 

  86.     public function to_string() {
    87. 

  87.         $str = $this->authoritative_part;
    88. 

  88.         $now = new DateTime();
    89. 

  89.         $token = random_bytes(256);
    90. 

  90.         $str .= "\nCST " . base64_encode($token) . "\nMOD " . $now->format(DateTime::ATOM) . "\n";
    91. 

  91.         usort($this->publications, function ($a, $b) { return $a->timestamp <=> $b->timestamp; });
    92. 

  92.         foreach($this->publications as $pub) {
    93. 

  93.             $str .= "\n" . $pub->raw_data;
    94. 

  94.         }
    95. 

  95.         $checksum = hash("sha512", $str, true);
    96. 

  96. 

  97.         $agent = null;
    98. 

  98.         foreach($this->agents as $agt) {
    99. 

  99.             if($agt->public_key == base64_decode(PPCL_AGENT_PUBLIC_KEY)) {
    100. 

  100.                 $agent = $agt;
    101. 

  101.                 break;
    102. 

  102.             }
    103. 

  103.         }
    104. 

  104.         if($agent == null) {
    105. 

  105.             throw new Exception("Public key defined in config (PPCL_AGENT_PUBLIC_KEY) not present in PPCL file", 1);
    106. 

  106.         }
    107. 

  107. 

  108.         $key = sodium_crypto_box_keypair_from_secretkey_and_publickey(base64_decode(PPCL_AGENT_SECRET_KEY), $agent->public_key);
    109. 

  109.         $secret = sodium_crypto_box_seal_open($agent->collection_secret, $key);
    110. 

  110.         if($secret == null) {
    111. 

  111.             throw new Exception("Could not decrypt collection secret", 1);
    112. 

  112.         }
    113. 

  113. 

  114.         $shared_signature = sodium_crypto_sign($checksum, $secret);
    115. 

  115.         $str .= "\nSSG " . base64_encode($shared_signature);
    116. 

  116.         return $str;
    117. 

  117.     }
    118. 

  118. 

  119.     public function get_publication($name) {
    120. 

  120.         foreach($this->publications as $pub) {
    121. 

  121.             if($pub->name == $name) {
    122. 

  122.                 return $pub;
    123. 

  123.             }
    124. 

  124.         }
    125. 

  125.         return null;
    126. 

  126.     }
    127. 

  127. }
    128. 

  128. 

  129. class CollectionMember {
    130. 

  130.     public $name;
    131. 

  131.     public $signing_public_key;
    132. 

  132.     public $sealing_public_key;
    133. 

  133.     public $collection_secret;
    134. 

  134.     
    135. 

  135.     public function __construct($name, $keys, $secret) {
    136. 

  136.         $this->name = $name;
    137. 

  137.         $this->collection_secret = $secret;
    138. 

  138.         
    139. 

  139.         $key_parts = explode(":", $keys);
    140. 

  140.         if($key_parts[0] != "CLMPK") {
    141. 

  141.             error_log($keys);
    142. 

  142.             throw new Exception("Invalid member public key");
    143. 

  143.         }
    144. 

  144.         $key_data = base64_decode($key_parts[1]);
    145. 

  145.         $this->signing_public_key = substr($key_data, 0, SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES);
    146. 

  146.         $this->sealing_public_key = substr($key_data, SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES, SODIUM_CRYPTO_BOX_PUBLICKEYBYTES);
    147. 

  147.     }
    148. 

  148. }
    149. 

  149. 

  150. class CollectionAgent {
    151. 

  151.     public $name;
    152. 

  152.     public $public_key;
    153. 

  153.     public $collection_secret;
    154. 

  154.     
    155. 

  155.     public function __construct($name, $key, $secret) {
    156. 

  156.         $this->name = $name;
    157. 

  157.         $this->public_key = $key;
    158. 

  158.         $this->collection_secret = $secret;
    159. 

  159.     }
    160. 

  160. }
    161. 

  161. 

  162. class CollectionPublication {
    163. 

  163.     public $name;
    164. 

  164.     public $member_name;
    165. 

  165.     public $timestamp;
    166. 

  166.     public $signature;
    167. 

  167.     public $checksum;
    168. 

  168.     public $raw_data;
    169. 

  169. 

  170.     public function __construct($line, $members) {
    171. 

  171.         $this->raw_data = $line;
    172. 

  172.         $parts = explode(": ", $line, 2);
    173. 

  173.         $params = explode(" ", $parts[1]);
    174. 

  174. 

  175.         $this->name = substr($parts[0], 4);
    176. 

  176.         $this->member_name = $params[0];
    177. 

  177.         $this->timestamp = new DateTime($params[1]);
    178. 

  178.         $this->signature = base64_decode($params[2]);
    179. 

  179.         
    180. 

  180.         $member = null;
    181. 

  181.         foreach($members as $m) {
    182. 

  182.             if($m->name == $this->member_name) {
    183. 

  183.                 $member = $m;
    184. 

  184.                 break;
    185. 

  185.             }
    186. 

  186.         }
    187. 

  187. 

  188.         if($member == null) {
    189. 

  189.             throw new Exception("PUB entry references member (" . $this->member_name . ") that is not present in the collection", 1);
    190. 

  190.         }
    191. 

  191. 

  192.         $hash_data = $this->name . ": " . $this->member_name . " " . $params[1];
    193. 

  193.         $hash = hash("sha512", $hash_data, true);
    194. 

  194.         $sig_data = sodium_crypto_sign_open($this->signature, $member->signing_public_key);
    195. 

  195.         if(substr($sig_data, 0, 64) != $hash) {
    196. 

  196.             throw new Exception("Invalid member signature on publication " . $this->name , 1);
    197. 

  197.         }
    198. 

  198. 

  199.         $this->checksum = substr($sig_data, 64, 64);
    200. 

  200.     }
    201. 

  201.     
    202. 

  202.     public function verify_ppub() {
    203. 

  203.         $file_hash = hash_file("sha512", PUBLICATION_DIR . "/" . $this->name, true);
    204. 

  204.         return $file_hash == $this->checksum;
    205. 

  205.     }
    206. 

  206. 

  207. }
    208. 

  208. 

  209. 

  210. ?>
    211.