Edit File by line

<?php

[0] Fix | Delete

/**

[1] Fix | Delete

* SSL utilities for Requests

[2] Fix | Delete

[3] Fix | Delete

* @package Requests\Utilities

[4] Fix | Delete

[5] Fix | Delete

[6] Fix | Delete

namespace WpOrg\Requests;

[7] Fix | Delete

[8] Fix | Delete

use WpOrg\Requests\Exception\InvalidArgument;

[9] Fix | Delete

use WpOrg\Requests\Utility\InputValidator;

[10] Fix | Delete

[11] Fix | Delete

/**

[12] Fix | Delete

* SSL utilities for Requests

[13] Fix | Delete

[14] Fix | Delete

* Collection of utilities for working with and verifying SSL certificates.

[15] Fix | Delete

[16] Fix | Delete

* @package Requests\Utilities

[17] Fix | Delete

[18] Fix | Delete

final class Ssl {

[19] Fix | Delete

/**

[20] Fix | Delete

* Verify the certificate against common name and subject alternative names

[21] Fix | Delete

[22] Fix | Delete

* Unfortunately, PHP doesn't check the certificate against the alternative

[23] Fix | Delete

* names, leading things like 'https://www.github.com/' to be invalid.

[24] Fix | Delete

[25] Fix | Delete

* @link https://tools.ietf.org/html/rfc2818#section-3.1 RFC2818, Section 3.1

[26] Fix | Delete

[27] Fix | Delete

* @param string|Stringable $host Host name to verify against

[28] Fix | Delete

* @param array $cert Certificate data from openssl_x509_parse()

[29] Fix | Delete

* @return bool

[30] Fix | Delete

* @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $host argument is not a string or a stringable object.

[31] Fix | Delete

* @throws \WpOrg\Requests\Exception\InvalidArgument When the passed $cert argument is not an array or array accessible.

[32] Fix | Delete

[33] Fix | Delete

public static function verify_certificate($host, $cert) {

[34] Fix | Delete

if (InputValidator::is_string_or_stringable($host) === false) {

[35] Fix | Delete

throw InvalidArgument::create(1, '$host', 'string|Stringable', gettype($host));

[36] Fix | Delete

}

[37] Fix | Delete

[38] Fix | Delete

if (InputValidator::has_array_access($cert) === false) {

[39] Fix | Delete

throw InvalidArgument::create(2, '$cert', 'array|ArrayAccess', gettype($cert));

[40] Fix | Delete

}

[41] Fix | Delete

[42] Fix | Delete

$has_dns_alt = false;

[43] Fix | Delete

[44] Fix | Delete

// Check the subjectAltName

[45] Fix | Delete

if (!empty($cert['extensions']['subjectAltName'])) {

[46] Fix | Delete

$altnames = explode(',', $cert['extensions']['subjectAltName']);

[47] Fix | Delete

foreach ($altnames as $altname) {

[48] Fix | Delete

$altname = trim($altname);

[49] Fix | Delete

if (strpos($altname, 'DNS:') !== 0) {

[50] Fix | Delete

continue;

[51] Fix | Delete

}

[52] Fix | Delete

[53] Fix | Delete

$has_dns_alt = true;

[54] Fix | Delete

[55] Fix | Delete

// Strip the 'DNS:' prefix and trim whitespace

[56] Fix | Delete

$altname = trim(substr($altname, 4));

[57] Fix | Delete

[58] Fix | Delete

// Check for a match

[59] Fix | Delete

if (self::match_domain($host, $altname) === true) {

[60] Fix | Delete

return true;

[61] Fix | Delete

}

[62] Fix | Delete

}

[63] Fix | Delete

[64] Fix | Delete

if ($has_dns_alt === true) {

[65] Fix | Delete

return false;

[66] Fix | Delete

}

[67] Fix | Delete

}

[68] Fix | Delete

[69] Fix | Delete

// Fall back to checking the common name if we didn't get any dNSName

[70] Fix | Delete

// alt names, as per RFC2818

[71] Fix | Delete

if (!empty($cert['subject']['CN'])) {

[72] Fix | Delete

// Check for a match

[73] Fix | Delete

return (self::match_domain($host, $cert['subject']['CN']) === true);

[74] Fix | Delete

}

[75] Fix | Delete

[76] Fix | Delete

return false;

[77] Fix | Delete

}

[78] Fix | Delete

[79] Fix | Delete

/**

[80] Fix | Delete

* Verify that a reference name is valid

[81] Fix | Delete

[82] Fix | Delete

* Verifies a dNSName for HTTPS usage, (almost) as per Firefox's rules:

[83] Fix | Delete

* - Wildcards can only occur in a name with more than 3 components

[84] Fix | Delete

* - Wildcards can only occur as the last character in the first

[85] Fix | Delete

* component

[86] Fix | Delete

* - Wildcards may be preceded by additional characters

[87] Fix | Delete

[88] Fix | Delete

* We modify these rules to be a bit stricter and only allow the wildcard

[89] Fix | Delete

* character to be the full first component; that is, with the exclusion of

[90] Fix | Delete

* the third rule.

[91] Fix | Delete

[92] Fix | Delete

* @param string|Stringable $reference Reference dNSName

[93] Fix | Delete

* @return boolean Is the name valid?

[94] Fix | Delete

* @throws \WpOrg\Requests\Exception\InvalidArgument When the passed argument is not a string or a stringable object.

[95] Fix | Delete

[96] Fix | Delete

public static function verify_reference_name($reference) {

[97] Fix | Delete

if (InputValidator::is_string_or_stringable($reference) === false) {

[98] Fix | Delete

throw InvalidArgument::create(1, '$reference', 'string|Stringable', gettype($reference));

[99] Fix | Delete

}

[100] Fix | Delete

[101] Fix | Delete

if ($reference === '') {

[102] Fix | Delete

return false;

[103] Fix | Delete

}

[104] Fix | Delete

[105] Fix | Delete

if (preg_match('`\s`', $reference) > 0) {

[106] Fix | Delete

// Whitespace detected. This can never be a dNSName.

[107] Fix | Delete

return false;

[108] Fix | Delete

}

[109] Fix | Delete

[110] Fix | Delete

$parts = explode('.', $reference);

[111] Fix | Delete

if ($parts !== array_filter($parts)) {

[112] Fix | Delete

// DNSName cannot contain two dots next to each other.

[113] Fix | Delete

return false;

[114] Fix | Delete

}

[115] Fix | Delete

[116] Fix | Delete

// Check the first part of the name

[117] Fix | Delete

$first = array_shift($parts);

[118] Fix | Delete

[119] Fix | Delete

if (strpos($first, '*') !== false) {

[120] Fix | Delete

// Check that the wildcard is the full part

[121] Fix | Delete

if ($first !== '*') {

[122] Fix | Delete

return false;

[123] Fix | Delete

}

[124] Fix | Delete

[125] Fix | Delete

// Check that we have at least 3 components (including first)

[126] Fix | Delete

if (count($parts) < 2) {

[127] Fix | Delete

return false;

[128] Fix | Delete

}

[129] Fix | Delete

}

[130] Fix | Delete

[131] Fix | Delete

// Check the remaining parts

[132] Fix | Delete

foreach ($parts as $part) {

[133] Fix | Delete

if (strpos($part, '*') !== false) {

[134] Fix | Delete

return false;

[135] Fix | Delete

}

[136] Fix | Delete

}

[137] Fix | Delete

[138] Fix | Delete

// Nothing found, verified!

[139] Fix | Delete

return true;

[140] Fix | Delete

}

[141] Fix | Delete

[142] Fix | Delete

/**

[143] Fix | Delete

* Match a hostname against a dNSName reference

[144] Fix | Delete

[145] Fix | Delete

* @param string|Stringable $host Requested host

[146] Fix | Delete

* @param string|Stringable $reference dNSName to match against

[147] Fix | Delete

* @return boolean Does the domain match?

[148] Fix | Delete

* @throws \WpOrg\Requests\Exception\InvalidArgument When either of the passed arguments is not a string or a stringable object.

[149] Fix | Delete

[150] Fix | Delete

public static function match_domain($host, $reference) {

[151] Fix | Delete

if (InputValidator::is_string_or_stringable($host) === false) {

[152] Fix | Delete

throw InvalidArgument::create(1, '$host', 'string|Stringable', gettype($host));

[153] Fix | Delete

}

[154] Fix | Delete

[155] Fix | Delete

// Check if the reference is blocklisted first

[156] Fix | Delete

if (self::verify_reference_name($reference) !== true) {

[157] Fix | Delete

return false;

[158] Fix | Delete

}

[159] Fix | Delete

[160] Fix | Delete

// Check for a direct match

[161] Fix | Delete

if ((string) $host === (string) $reference) {

[162] Fix | Delete

return true;

[163] Fix | Delete

}

[164] Fix | Delete

[165] Fix | Delete

// Calculate the valid wildcard match if the host is not an IP address

[166] Fix | Delete

// Also validates that the host has 3 parts or more, as per Firefox's ruleset,

[167] Fix | Delete

// as a wildcard reference is only allowed with 3 parts or more, so the

[168] Fix | Delete

// comparison will never match if host doesn't contain 3 parts or more as well.

[169] Fix | Delete

if (ip2long($host) === false) {

[170] Fix | Delete

$parts = explode('.', $host);

[171] Fix | Delete

$parts[0] = '*';

[172] Fix | Delete

$wildcard = implode('.', $parts);

[173] Fix | Delete

if ($wildcard === (string) $reference) {

[174] Fix | Delete

return true;

[175] Fix | Delete

}

[176] Fix | Delete

}

[177] Fix | Delete

[178] Fix | Delete

return false;

[179] Fix | Delete

}

[180] Fix | Delete

}

[181] Fix | Delete

[182] Fix | Delete