Allow creating an unsigned CSR and adding the signature later. #82
Conversation
…s a requirement if you want to use an HSM to sign the CSR.
| $this->signature = $signature; | ||
| $this->signatureAlgorithm = $signatureAlgorithm; | ||
|
|
||
| $this->createCSRSequence(); |
There was a problem hiding this comment.
I note createCSRSequence is non-public, perhaps setSignature should check if $this (extends Sequence) has any children yet? It shouldn't be possible to set more than the necessary elements on this object
Lines 73 to 76 in 73d914e
- someone creates CSR() with a signature and calls setSignature to override it
- someone creates CSR() without a signature, and somehow calls setSignature twice
Maybe it should error, or remove all the children before calling createCSRSequence, or maybe clone $this, remove children, call createCSRSequence so the original object remains valid?
There was a problem hiding this comment.
I opted for clearing the sequence inside createCSRSequence().
|
I added test cases, including behaviour when setSignature is called twice. |
|
Thanks also from my side for the contribution. LGTM from my side. @afk11 should we merge? |
|
@sanderkruger Perfect, thanks for those! @fgrosse Yep, all good! I think this one makes 2.3.0? |
|
Just merged the PR and tagged it as v2.3.0. Thanks @sanderkruger for the contribution and @afk11 for reviewing 👍 |
| $csr->setSignature($signature, OID::SHA256_WITH_RSA_SIGNATURE); | ||
| $csr->setSignature($signature, OID::SHA256_WITH_RSA_SIGNATURE); |
| $digest = $csr->getSignatureSubject(); | ||
| $signature = null; | ||
| openssl_sign($digest, $signature, $private_key, OPENSSL_ALGO_SHA256); | ||
| $csr->setSignature($signature, OID::SHA256_WITH_RSA_SIGNATURE); |
There was a problem hiding this comment.
This breaks in PHP 8, because CSR expects the signature to be hex-encoded, while you pass in a binary string. Generally this API appears to be unsafe.
This is a requirement if you want to use an HSM to sign the CSR.
This use case came up integrating with a bank's API that requires asymmetric signing with a keypair whose private key must reside in an HSM while the public key must be submitted wrapped in a CSR.
The workflow is to create the CSR, then retrieve the unsigned sequence, submit it to the HSM to sign, then add the signature to the CSR and retrieve the completed CSR.