Ensure OpenSSL or Sodium are available before cypher operation

Author: Spomky

src/Experimental/Signature/Blake2b.php

@@ -8,6 +8,8 @@
 use Jose\Component\Core\JWK;
 use Jose\Component\Signature\Algorithm\MacAlgorithm;
 use ParagonIE\ConstantTime\Base64UrlSafe;
+use RuntimeException;
+use function extension_loaded;
 use function in_array;
 use function is_string;
 
@@ -18,6 +20,13 @@ final class Blake2b implements MacAlgorithm
 {
     private const MINIMUM_KEY_LENGTH = 32;
 
+    public function __construct()
+    {
+        if (! extension_loaded('sodium')) {
+            throw new RuntimeException('Please install the Sodium extension');
+        }
+    }
+
     public function allowedKeyTypes(): array
     {
         return ['oct'];

src/Library/Encryption/Algorithm/ContentEncryption/AESCBCHS.php

@@ -7,10 +7,18 @@
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use RuntimeException;
+use function extension_loaded;
 use const OPENSSL_RAW_DATA;
 
 abstract class AESCBCHS implements ContentEncryptionAlgorithm
 {
+    public function __construct()
+    {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
+    }
+
     public function allowedKeyTypes(): array
     {
         return []; //Irrelevant

src/Library/Encryption/Algorithm/ContentEncryption/AESGCM.php

@@ -7,10 +7,18 @@
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use RuntimeException;
+use function extension_loaded;
 use const OPENSSL_RAW_DATA;
 
 abstract class AESGCM implements ContentEncryptionAlgorithm
 {
+    public function __construct()
+    {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
+    }
+
     public function allowedKeyTypes(): array
     {
         return []; //Irrelevant

src/Library/Encryption/Algorithm/KeyEncryption/AESGCMKW.php

@@ -8,12 +8,20 @@
 use Jose\Component\Core\JWK;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use RuntimeException;
+use function extension_loaded;
 use function in_array;
 use function is_string;
 use const OPENSSL_RAW_DATA;
 
 abstract class AESGCMKW implements KeyWrapping
 {
+    public function __construct()
+    {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
+    }
+
     public function allowedKeyTypes(): array
     {
         return ['oct'];

src/Library/Encryption/Algorithm/KeyEncryption/AbstractECDH.php

@@ -121,6 +121,7 @@ protected function calculateAgreementKey(JWK $private_key, JWK $public_key): str
                 return $this->convertDecToBin(EcDH::computeSharedKey($curve, $pub_key, $priv_key));
 
             case 'X25519' :
+                $this->checkSodiumExtensionIsAvailable();
                 $x = $public_key->get('x');
                 if (! is_string($x)) {
                     throw new InvalidArgumentException('Invalid key parameter "x"');
@@ -155,23 +156,11 @@ protected function getKeysFromPublicKey(
         if (! is_string($crv)) {
             throw new InvalidArgumentException('Invalid key parameter "crv"');
         }
-        switch ($crv) {
-            case 'P-256' :
-            case 'P-384' :
-            case 'P-521' :
-                $private_key = $senderKey ?? ECKey::createECKey($crv);
-
-                break;
-
-            case 'X25519' :
-                $this->checkSodiumExtensionIsAvailable();
-                $private_key = $senderKey ?? $this->createOKPKey('X25519');
-
-                break;
-
-            default :
-                throw new InvalidArgumentException(sprintf('The curve "%s" is not supported', $crv));
-        }
+        $private_key = match ($crv) {
+            'P-256', 'P-384', 'P-521' => $senderKey ?? ECKey::createECKey($crv),
+            'X25519' => $senderKey ?? $this->createOKPKey('X25519'),
+            default => throw new InvalidArgumentException(sprintf('The curve "%s" is not supported', $crv)),
+        };
         $epk = $private_key->toPublic()
             ->all();
         $additional_header_values['epk'] = $epk;

src/Library/KeyManagement/JWKFactory.php

@@ -34,6 +34,9 @@ class JWKFactory
      */
     public static function createRSAKey(int $size, array $values = []): JWK
     {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
         if ($size % 8 !== 0) {
             throw new InvalidArgumentException('Invalid key size.');
         }
@@ -80,13 +83,8 @@ public static function createOctKey(int $size, array $values = []): JWK
         if ($size % 8 !== 0) {
             throw new InvalidArgumentException('Invalid key size.');
         }
-        $values = [
-            ...$values,
-            'kty' => 'oct',
-            'k' => Base64UrlSafe::encodeUnpadded(random_bytes($size / 8)),
-        ];
 
-        return new JWK($values);
+        return self::createFromSecret(random_bytes($size / 8), $values);
     }
 
     /**

src/Library/KeyManagement/KeyConverter/KeyConverter.php

@@ -133,6 +133,9 @@ public static function loadFromKey(string $key, ?string $password = null): array
      */
     public static function loadFromX5C(array $x5c): array
     {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
         if (count($x5c) === 0) {
             throw new InvalidArgumentException('The certificate chain is empty');
         }
@@ -164,14 +167,14 @@ private static function loadKeyFromDER(string $der, ?string $password = null): a
 
     private static function loadKeyFromPEM(string $pem, ?string $password = null): array
     {
-        if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches) === 1) {
-            $pem = self::decodePem($pem, $matches, $password);
-        }
-
         if (! extension_loaded('openssl')) {
             throw new RuntimeException('Please install the OpenSSL extension');
         }
 
+        if (preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches) === 1) {
+            $pem = self::decodePem($pem, $matches, $password);
+        }
+
         if (preg_match('#BEGIN ENCRYPTED PRIVATE KEY(.+)(.+)#', $pem) === 1) {
             $decrypted = openssl_pkey_get_private($pem, $password);
             if ($decrypted === false) {
@@ -255,7 +258,10 @@ private static function tryToLoadOtherKeyTypes(string $input): array
      */
     private static function populatePoints(PrivateKey $key, array $values): array
     {
-        if (($values['crv'] === 'Ed25519' || $values['crv'] === 'X25519') && extension_loaded('sodium')) {
+        if (($values['crv'] === 'Ed25519' || $values['crv'] === 'X25519')) {
+            if (! extension_loaded('sodium')) {
+                throw new RuntimeException('Please install the Sodium extension');
+            }
             $x = sodium_crypto_scalarmult_base($key->privateKeyData());
             $values['x'] = Base64UrlSafe::encodeUnpadded($x);
         }

src/Library/Signature/Algorithm/ECDSA.php

@@ -9,14 +9,19 @@
 use Jose\Component\Core\Util\ECKey;
 use Jose\Component\Core\Util\ECSignature;
 use LogicException;
+use RuntimeException;
 use Throwable;
 use function defined;
+use function extension_loaded;
 use function in_array;
 
 abstract class ECDSA implements SignatureAlgorithm
 {
     public function __construct()
     {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
         if (! defined('OPENSSL_KEYTYPE_EC')) {
             throw new LogicException('Elliptic Curve key type not supported by your environment.');
         }

src/Library/Signature/Algorithm/RSAPKCS1.php

@@ -8,10 +8,18 @@
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\RSAKey;
 use RuntimeException;
+use function extension_loaded;
 use function in_array;
 
 abstract class RSAPKCS1 implements SignatureAlgorithm
 {
+    public function __construct()
+    {
+        if (! extension_loaded('openssl')) {
+            throw new RuntimeException('Please install the OpenSSL extension');
+        }
+    }
+
     public function allowedKeyTypes(): array
     {
         return ['RSA'];

src/Library/Signature/Algorithm/Util/RSA.php

@@ -10,6 +10,7 @@
 use Jose\Component\Core\Util\RSAKey;
 use RuntimeException;
 use function chr;
+use function extension_loaded;
 use function ord;
 use const STR_PAD_LEFT;
 
@@ -38,6 +39,9 @@ public static function sign(RSAKey $key, string $message, string $hash, int $mod
                 return self::signWithPSS($key, $message, $hash);
 
             case self::SIGNATURE_PKCS1:
+                if (! extension_loaded('openssl')) {
+                    throw new RuntimeException('Please install the OpenSSL extension');
+                }
                 $result = openssl_sign($message, $signature, $key->toPEM(), $hash);
                 if ($result !== true) {
                     throw new RuntimeException('Unable to sign the data');
@@ -70,11 +74,17 @@ public static function signWithPSS(RSAKey $key, string $message, string $hash):
 
     public static function verify(RSAKey $key, string $message, string $signature, string $hash, int $mode): bool
     {
-        return match ($mode) {
-            self::SIGNATURE_PSS => self::verifyWithPSS($key, $message, $signature, $hash),
-            self::SIGNATURE_PKCS1 => openssl_verify($message, $signature, $key->toPEM(), $hash) === 1,
-            default => throw new InvalidArgumentException('Unsupported mode.'),
-        };
+        switch ($mode) {
+            case self::SIGNATURE_PSS:
+                return self::verifyWithPSS($key, $message, $signature, $hash);
+            case self::SIGNATURE_PKCS1:
+                if (! extension_loaded('openssl')) {
+                    throw new RuntimeException('Please install the OpenSSL extension');
+                }
+                return openssl_verify($message, $signature, $key->toPEM(), $hash) === 1;
+            default:
+                throw new InvalidArgumentException('Unsupported mode.');
+        }
     }
 
     /**