27520589845

Committed 15 Jun 2026 02:33AM UTC coverage: 57.361%. First build

Build # 27520589845

Build Type

Pull #7778

github

Committed by

web-flow

Commit Message

Merge a4dcc27ad into c8b5a8266

Pull Request Pull Request #7778: fix: crl appdata cache

Coverage Stats

211 of 268 new or added lines in 5 files covered. (78.73%)

11038 of 19243 relevant lines covered (57.36%)

6.99 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

68.92

/lib/Service/Crl/CrlRevocationChecker.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Service\Crl;

use OCA\Libresign\AppInfo\Application;
use OCA\Libresign\Enum\CrlValidationStatus;
use OCA\Libresign\Service\Crl\Ldap\LdapCrlDownloader;
use OCP\IAppConfig;
use OCP\ICache;
use OCP\ICacheFactory;
use OCP\IConfig;
use OCP\ITempManager;
use OCP\IURLGenerator;
use Psr\Log\LoggerInterface;

/**
 * Verifies whether a certificate has been revoked by checking its embedded
 * CRL Distribution Point URLs. Supports HTTP/HTTPS, LDAP (RFC 4516), and
 * local LibreSign-managed CRL endpoints.
 */
class CrlRevocationChecker {
        /** Cached result of {@see getLocalCrlPattern()} — built once per request. */
        private ?string $localCrlPattern = null;

        /** @var array<string, string|null> */
        private array $localCrlRequestCache = [];

        /** Distributed cache for externally downloaded CRL content (TTL: 24 h). */
        private ICache $cache;

        private const BINARY_CACHE_PREFIX = 'base64:';

        public function __construct(
                private IConfig $config,
                private IAppConfig $appConfig,
                private IURLGenerator $urlGenerator,
                private ITempManager $tempManager,
                private LoggerInterface $logger,
                ICacheFactory $cacheFactory,
                private LdapCrlDownloader $ldapDownloader,
        ) {
                $this->cache = $cacheFactory->createDistributed('libresign_crl');
        }

        /**
         * Validate a certificate against the CRL Distribution Points found in its
         * data. Returns an array with a 'status' key (always {@see CrlValidationStatus})
         * and optionally 'revoked_at' (ISO 8601) when the certificate is revoked.
         *
         * @return array{status: CrlValidationStatus, revoked_at?: string}
         */
        public function validate(array $crlUrls, string $certPem): array {
                return $this->validateFromUrlsWithDetails($crlUrls, $certPem);
        }

        /**
         * Internal validation worker that iterates through CRL distribution points
         * and returns the validation status from the first accessible/conclusive point.
         *
         * @return array{status: CrlValidationStatus, revoked_at?: string}
         */
        private function validateFromUrlsWithDetails(array $crlUrls, string $certPem): array {
                $externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);

                if (empty($crlUrls)) {
                        // When external validation is disabled, treat an empty distribution-point
                        // list the same as if all points were intentionally skipped.
                        if (!$externalValidationEnabled) {
                                return ['status' => CrlValidationStatus::DISABLED];
                        }
                        return ['status' => CrlValidationStatus::NO_URLS];
                }

                $accessibleUrls = 0;
                $disabledUrls = 0;
                foreach ($crlUrls as $crlUrl) {
                        try {
                                $isLocal = $this->isLocalCrlUrl($crlUrl);
                                // Skip external CRL validation when disabled by admin, but always
                                // validate local LibreSign-managed CRLs.
                                if (!$externalValidationEnabled && !$isLocal) {
                                        $disabledUrls++;
                                        continue;
                                }
                                $validationResult = $this->downloadAndValidateWithDetails($crlUrl, $certPem, $isLocal);
                                if ($validationResult['status'] === CrlValidationStatus::VALID) {
                                        return $validationResult;
                                }
                                if ($validationResult['status'] === CrlValidationStatus::REVOKED) {
                                        return $validationResult;
                                }
                                // Only count as accessible if we actually reached the server and parsed
                                // a CRL response – validation_error means the download itself failed.
                                if ($validationResult['status'] !== CrlValidationStatus::VALIDATION_ERROR) {
                                        $accessibleUrls++;
                                }
                        } catch (\Exception) {
                                continue;
                        }
                }

                // All distribution points were intentionally skipped because the admin
                // disabled external CRL validation.
                if ($disabledUrls > 0 && $accessibleUrls === 0) {
                        return ['status' => CrlValidationStatus::DISABLED];
                }

                if ($accessibleUrls === 0) {
                        return ['status' => CrlValidationStatus::URLS_INACCESSIBLE];
                }

                return ['status' => CrlValidationStatus::VALIDATION_FAILED];
        }

        /**
         * Download and validate CRL content from a single source URL.
         *
         * @return array{status: CrlValidationStatus, revoked_at?: string}
         */
        private function downloadAndValidateWithDetails(string $crlUrl, string $certPem, bool $isLocal): array {
                try {
                        if ($isLocal) {
                                $crlContent = $this->generateLocalCrl($crlUrl);
                        } elseif ($this->ldapDownloader->isLdapUrl($crlUrl)) {
                                $crlContent = $this->ldapDownloader->download($crlUrl);
                        } else {
                                $crlContent = $this->downloadCrlContent($crlUrl);
                        }

                        if (!$crlContent) {
                                throw new \Exception('Failed to get CRL content');
                        }

                        return $this->checkCertificateInCrlWithDetails($certPem, $crlContent);
                } catch (\Exception) {
                        return ['status' => CrlValidationStatus::VALIDATION_ERROR];
                }
        }

        private function isLocalCrlUrl(string $url): bool {
                $host = parse_url($url, PHP_URL_HOST);
                if (!$host) {
                        return false;
                }

                $trustedDomains = $this->config->getSystemValue('trusted_domains', []);

                return in_array($host, $trustedDomains, true);
        }

        protected function generateLocalCrl(string $crlUrl): ?string {
                if (array_key_exists($crlUrl, $this->localCrlRequestCache)) {
                        return $this->localCrlRequestCache[$crlUrl];
                }

                try {
                        $pattern = $this->getLocalCrlPattern();
                        if (preg_match($pattern, $crlUrl, $matches)) {
                                $instanceId = $matches[1];
                                $generation = (int)$matches[2];
                                $engineType = $matches[3];

                                return $this->localCrlRequestCache[$crlUrl] = $this->getCrlService()->generateCrlDer($instanceId, $generation, $engineType);
                        }

                        $this->logger->debug('CRL URL does not match expected pattern', ['url' => $crlUrl, 'pattern' => $pattern]);
                        return $this->localCrlRequestCache[$crlUrl] = null;
                } catch (\Exception $e) {
                        if ($e instanceof \RuntimeException && str_starts_with($e->getMessage(), 'Config path does not exist for instanceId:')) {
                                $this->logger->debug('Skipping local CRL generation because source PKI config path is missing', [
                                        'reason' => $e->getMessage(),
                                ]);
                        } else {
                                $this->logger->warning('Failed to generate local CRL: ' . $e->getMessage());
                        }
                        return $this->localCrlRequestCache[$crlUrl] = null;
                }
        }

        /**
         * Lazy-loaded to avoid a circular dependency:
         * CrlService → CertificateEngineFactory → OpenSslHandler → CrlRevocationChecker → CrlService
         */
        protected function getCrlService(): CrlService {
                /** @var CrlService */
                return \OCP\Server::get(CrlService::class);
        }

        /**
         * Builds and memoises the regex pattern used to recognise local LibreSign
         * CRL URLs. The pattern is constructed once per request from the configured
         * URL generator and then cached in a property to avoid redundant work on
         * installations that validate many certificates in a single request.
         */
        protected function getLocalCrlPattern(): string {
                if ($this->localCrlPattern !== null) {
                        return $this->localCrlPattern;
                }

                $templateUrl = $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList', [
                        'instanceId' => 'INSTANCEID',
                        'generation' => 999999,
                        'engineType' => 'ENGINETYPE',
                ]);

                // Match the path only and accept any scheme/host: the CRL DP host is fixed
                // at certificate issuance and may differ from the request host (already
                // vetted as trusted by isLocalCrlUrl()).
                $templatePath = parse_url($templateUrl, PHP_URL_PATH) ?: $templateUrl;

                $patternPath = str_replace('INSTANCEID', '([^/_]+)', $templatePath);
                $patternPath = str_replace('999999', '(\d+)', $patternPath);
                $patternPath = str_replace('ENGINETYPE', '([^/_]+)', $patternPath);

                $escapedPattern = str_replace([':', '/', '.'], ['\:', '\/', '\.'], $patternPath);
                $escapedPattern = str_replace('\/apps\/', '(?:\/index\.php)?\/apps\/', $escapedPattern);

                $this->localCrlPattern = '/^https?\:\/\/[^\/]+' . $escapedPattern . '$/';
                return $this->localCrlPattern;
        }

        protected function downloadCrlContent(string $url): ?string {
                if (!filter_var($url, FILTER_VALIDATE_URL) || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'])) {
                        return null;
                }

                $cacheKey = sha1($url);
                $cached = $this->cache->get($cacheKey);
                if ($cached !== null) {
                        return is_string($cached) ? $this->decodeCachedBinaryContent($cached) : null;
                }

                $context = stream_context_create([
                        'http' => [
                                'timeout' => 30,
                                'user_agent' => 'LibreSign/1.0 CRL Validator',
                                'follow_location' => 1,
                                'max_redirects' => 3,
                        ]
                ]);

                $content = $this->fetchRemoteCrlContent($url, $context);
                if ($content === false) {
                        return null;
                }

                $this->cache->set($cacheKey, $this->encodeCacheableBinaryContent($content), 86400);
                return $content;
        }

        /**
         * @param resource $context
         */
        protected function fetchRemoteCrlContent(string $url, $context): string|false {
                return @file_get_contents($url, false, $context);
        }

        private function encodeCacheableBinaryContent(string $content): string {
                return self::BINARY_CACHE_PREFIX . base64_encode($content);
        }

        private function decodeCachedBinaryContent(string $cachedContent): string {
                if (!str_starts_with($cachedContent, self::BINARY_CACHE_PREFIX)) {
                        return $cachedContent;
                }

                $decoded = base64_decode(substr($cachedContent, strlen(self::BINARY_CACHE_PREFIX)), true);
                return $decoded === false ? $cachedContent : $decoded;
        }

        protected function isSerialNumberInCrl(string $crlText, string $serialNumber): bool {
                $normalizedSerial = strtoupper($serialNumber);
                $normalizedSerial = ltrim($normalizedSerial, '0') ?: '0';

                return preg_match('/Serial Number: 0*' . preg_quote($normalizedSerial, '/') . '/', $crlText) === 1;
        }

        /**
         * Check if certificate serial is revoked in the provided CRL content.
         *
         * @return array{status: CrlValidationStatus, revoked_at?: string}
         */
        private function checkCertificateInCrlWithDetails(string $certPem, string $crlContent): array {
                try {
                        $certResource = openssl_x509_read($certPem);
                        if (!$certResource) {
                                return ['status' => CrlValidationStatus::VALIDATION_ERROR];
                        }

                        $certData = openssl_x509_parse($certResource);
                        if (!isset($certData['serialNumber'])) {
                                return ['status' => CrlValidationStatus::VALIDATION_ERROR];
                        }

                        $tempCrlFile = $this->tempManager->getTemporaryFile('.crl');
                        file_put_contents($tempCrlFile, $crlContent);

                        try {
                                [$output, $exitCode] = $this->execOpenSslCrl($tempCrlFile);

                                if ($exitCode !== 0) {
                                        return ['status' => CrlValidationStatus::VALIDATION_ERROR];
                                }

                                $crlText = implode("\n", $output);
                                $serialCandidates = [$certData['serialNumber']];
                                if (!empty($certData['serialNumberHex'])) {
                                        $serialCandidates[] = $certData['serialNumberHex'];
                                }

                                foreach ($serialCandidates as $serial) {
                                        if ($this->isSerialNumberInCrl($crlText, $serial)) {
                                                $revokedAt = $this->extractRevocationDateFromCrlText($crlText, $serialCandidates);
                                                return array_filter([
                                                        'status' => CrlValidationStatus::REVOKED,
                                                        'revoked_at' => $revokedAt,
                                                ]);
                                        }
                                }

                                return ['status' => CrlValidationStatus::VALID];
                        } finally {
                                if (file_exists($tempCrlFile)) {
                                        unlink($tempCrlFile);
                                }
                        }

                } catch (\Exception) {
                        return ['status' => CrlValidationStatus::VALIDATION_ERROR];
                }
        }

        /**
         * Runs `openssl crl -text -noout` on the given DER file and returns
         * [output_lines[], exit_code]. Extracted to allow test subclasses to
         * override it without executing a real process.
         */
        protected function execOpenSslCrl(string $tempCrlFile): array {
                $cmd = sprintf(
                        'openssl crl -in %s -inform DER -text -noout',
                        escapeshellarg($tempCrlFile)
                );
                exec($cmd, $output, $exitCode);
                return [$output, $exitCode];
        }

        protected function extractRevocationDateFromCrlText(string $crlText, array $serialNumbers): ?string {
                foreach ($serialNumbers as $serial) {
                        $normalizedSerial = strtoupper(ltrim((string)$serial, '0')) ?: '0';
                        $pattern = '/Serial Number:\s*0*' . preg_quote($normalizedSerial, '/') . '\s*\R\s*Revocation Date:\s*([^\r\n]+)/i';
                        if (preg_match($pattern, $crlText, $matches) !== 1) {
                                continue;
                        }
                        $dateText = trim($matches[1]);
                        try {
                                $date = new \DateTimeImmutable($dateText, new \DateTimeZone('UTC'));
                                return $date->setTimezone(new \DateTimeZone('UTC'))->format(\DateTimeInterface::ATOM);
                        } catch (\Exception) {
                                continue;
                        }
                }
                return null;
        }
}

1	<?php
2
3	declare(strict_types=1);
4
5	/**
6	* SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
7	* SPDX-License-Identifier: AGPL-3.0-or-later
8	*/
9
10	namespace OCA\Libresign\Service\Crl;
11
12	use OCA\Libresign\AppInfo\Application;
13	use OCA\Libresign\Enum\CrlValidationStatus;
14	use OCA\Libresign\Service\Crl\Ldap\LdapCrlDownloader;
15	use OCP\IAppConfig;
16	use OCP\ICache;
17	use OCP\ICacheFactory;
18	use OCP\IConfig;
19	use OCP\ITempManager;
20	use OCP\IURLGenerator;
21	use Psr\Log\LoggerInterface;
22
23	/**
24	* Verifies whether a certificate has been revoked by checking its embedded
25	* CRL Distribution Point URLs. Supports HTTP/HTTPS, LDAP (RFC 4516), and
26	* local LibreSign-managed CRL endpoints.
27	*/
28	class CrlRevocationChecker {
29	/** Cached result of {@see getLocalCrlPattern()} — built once per request. */
30	private ?string $localCrlPattern = null;
31
32	/** @var array<string, string\|null> */
33	private array $localCrlRequestCache = [];
34
35	/** Distributed cache for externally downloaded CRL content (TTL: 24 h). */
36	private ICache $cache;
37
38	private const BINARY_CACHE_PREFIX = 'base64:';
39
40	public function __construct(
41	private IConfig $config,
42	private IAppConfig $appConfig,
43	private IURLGenerator $urlGenerator,
44	private ITempManager $tempManager,
45	private LoggerInterface $logger,
46	ICacheFactory $cacheFactory,
47	private LdapCrlDownloader $ldapDownloader,
48	) {
49	$this->cache = $cacheFactory->createDistributed('libresign_crl');	97✔
50	}
51
52	/**
53	* Validate a certificate against the CRL Distribution Points found in its
54	* data. Returns an array with a 'status' key (always {@see CrlValidationStatus})
55	* and optionally 'revoked_at' (ISO 8601) when the certificate is revoked.
56	*
57	* @return array{status: CrlValidationStatus, revoked_at?: string}
58	*/
59	public function validate(array $crlUrls, string $certPem): array {
60	return $this->validateFromUrlsWithDetails($crlUrls, $certPem);	9✔
61	}
62
63	/**
64	* Internal validation worker that iterates through CRL distribution points
65	* and returns the validation status from the first accessible/conclusive point.
66	*
67	* @return array{status: CrlValidationStatus, revoked_at?: string}
68	*/
69	private function validateFromUrlsWithDetails(array $crlUrls, string $certPem): array {
70	$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);	9✔
71
72	if (empty($crlUrls)) {	9✔
73	// When external validation is disabled, treat an empty distribution-point
74	// list the same as if all points were intentionally skipped.
75	if (!$externalValidationEnabled) {	2✔
76	return ['status' => CrlValidationStatus::DISABLED];	1✔
77	}
78	return ['status' => CrlValidationStatus::NO_URLS];	1✔
79	}
80
81	$accessibleUrls = 0;	7✔
82	$disabledUrls = 0;	7✔
83	foreach ($crlUrls as $crlUrl) {	7✔
84	try {
85	$isLocal = $this->isLocalCrlUrl($crlUrl);	7✔
86	// Skip external CRL validation when disabled by admin, but always
87	// validate local LibreSign-managed CRLs.
88	if (!$externalValidationEnabled && !$isLocal) {	7✔
89	$disabledUrls++;	3✔
90	continue;	3✔
91	}
92	$validationResult = $this->downloadAndValidateWithDetails($crlUrl, $certPem, $isLocal);	4✔
93	if ($validationResult['status'] === CrlValidationStatus::VALID) {	4✔
94	return $validationResult;	×
95	}
96	if ($validationResult['status'] === CrlValidationStatus::REVOKED) {	4✔
97	return $validationResult;	×
98	}
99	// Only count as accessible if we actually reached the server and parsed
100	// a CRL response – validation_error means the download itself failed.
101	if ($validationResult['status'] !== CrlValidationStatus::VALIDATION_ERROR) {	4✔
102	$accessibleUrls++;	4✔
103	}
104	} catch (\Exception) {	×
105	continue;	×
106	}
107	}
108
109	// All distribution points were intentionally skipped because the admin
110	// disabled external CRL validation.
111	if ($disabledUrls > 0 && $accessibleUrls === 0) {	7✔
112	return ['status' => CrlValidationStatus::DISABLED];	3✔
113	}
114
115	if ($accessibleUrls === 0) {	4✔
116	return ['status' => CrlValidationStatus::URLS_INACCESSIBLE];	4✔
117	}
118
119	return ['status' => CrlValidationStatus::VALIDATION_FAILED];	×
120	}
121
122	/**
123	* Download and validate CRL content from a single source URL.
124	*
125	* @return array{status: CrlValidationStatus, revoked_at?: string}
126	*/
127	private function downloadAndValidateWithDetails(string $crlUrl, string $certPem, bool $isLocal): array {
128	try {
129	if ($isLocal) {	4✔
130	$crlContent = $this->generateLocalCrl($crlUrl);	3✔
131	} elseif ($this->ldapDownloader->isLdapUrl($crlUrl)) {	1✔
132	$crlContent = $this->ldapDownloader->download($crlUrl);	×
133	} else {
134	$crlContent = $this->downloadCrlContent($crlUrl);	1✔
135	}
136
137	if (!$crlContent) {	4✔
138	throw new \Exception('Failed to get CRL content');	4✔
139	}
140
141	return $this->checkCertificateInCrlWithDetails($certPem, $crlContent);	×
142	} catch (\Exception) {	4✔
143	return ['status' => CrlValidationStatus::VALIDATION_ERROR];	4✔
144	}
145	}
146
147	private function isLocalCrlUrl(string $url): bool {
148	$host = parse_url($url, PHP_URL_HOST);	7✔
149	if (!$host) {	7✔
150	return false;	×
151	}
152
153	$trustedDomains = $this->config->getSystemValue('trusted_domains', []);	7✔
154
155	return in_array($host, $trustedDomains, true);	7✔
156	}
157
158	protected function generateLocalCrl(string $crlUrl): ?string {
159	if (array_key_exists($crlUrl, $this->localCrlRequestCache)) {	4✔
160	return $this->localCrlRequestCache[$crlUrl];	2✔
161	}
162
163	try {
164	$pattern = $this->getLocalCrlPattern();	3✔
165	if (preg_match($pattern, $crlUrl, $matches)) {	3✔
166	$instanceId = $matches[1];	2✔
167	$generation = (int)$matches[2];	2✔
168	$engineType = $matches[3];	2✔
169
170	return $this->localCrlRequestCache[$crlUrl] = $this->getCrlService()->generateCrlDer($instanceId, $generation, $engineType);	2✔
171	}
172
173	$this->logger->debug('CRL URL does not match expected pattern', ['url' => $crlUrl, 'pattern' => $pattern]);	2✔
174	return $this->localCrlRequestCache[$crlUrl] = null;	2✔
175	} catch (\Exception $e) {	1✔
176	if ($e instanceof \RuntimeException && str_starts_with($e->getMessage(), 'Config path does not exist for instanceId:')) {	1✔
177	$this->logger->debug('Skipping local CRL generation because source PKI config path is missing', [	1✔
178	'reason' => $e->getMessage(),	1✔
179	]);	1✔
180	} else {
181	$this->logger->warning('Failed to generate local CRL: ' . $e->getMessage());	×
182	}
183	return $this->localCrlRequestCache[$crlUrl] = null;	1✔
184	}
185	}
186
187	/**
188	* Lazy-loaded to avoid a circular dependency:
189	* CrlService → CertificateEngineFactory → OpenSslHandler → CrlRevocationChecker → CrlService
190	*/
191	protected function getCrlService(): CrlService {
192	/** @var CrlService */
193	return \OCP\Server::get(CrlService::class);	1✔
194	}
195
196	/**
197	* Builds and memoises the regex pattern used to recognise local LibreSign
198	* CRL URLs. The pattern is constructed once per request from the configured
199	* URL generator and then cached in a property to avoid redundant work on
200	* installations that validate many certificates in a single request.
201	*/
202	protected function getLocalCrlPattern(): string {
203	if ($this->localCrlPattern !== null) {	7✔
204	return $this->localCrlPattern;	1✔
205	}
206
207	$templateUrl = $this->urlGenerator->linkToRouteAbsolute('libresign.crl.getRevocationList', [	7✔
208	'instanceId' => 'INSTANCEID',	7✔
209	'generation' => 999999,	7✔
210	'engineType' => 'ENGINETYPE',	7✔
211	]);	7✔
212
213	// Match the path only and accept any scheme/host: the CRL DP host is fixed
214	// at certificate issuance and may differ from the request host (already
215	// vetted as trusted by isLocalCrlUrl()).
216	$templatePath = parse_url($templateUrl, PHP_URL_PATH) ?: $templateUrl;	7✔
217
218	$patternPath = str_replace('INSTANCEID', '([^/_]+)', $templatePath);	7✔
219	$patternPath = str_replace('999999', '(\d+)', $patternPath);	7✔
220	$patternPath = str_replace('ENGINETYPE', '([^/_]+)', $patternPath);	7✔
221
222	$escapedPattern = str_replace([':', '/', '.'], ['\:', '\/', '\.'], $patternPath);	7✔
223	$escapedPattern = str_replace('\/apps\/', '(?:\/index\.php)?\/apps\/', $escapedPattern);	7✔
224
225	$this->localCrlPattern = '/^https?\:\/\/[^\/]+' . $escapedPattern . '$/';	7✔
226	return $this->localCrlPattern;	7✔
227	}
228
229	protected function downloadCrlContent(string $url): ?string {
230	if (!filter_var($url, FILTER_VALIDATE_URL) \|\| !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'])) {	3✔
231	return null;	×
232	}
233
234	$cacheKey = sha1($url);	3✔
235	$cached = $this->cache->get($cacheKey);	3✔
236	if ($cached !== null) {	3✔
237	return is_string($cached) ? $this->decodeCachedBinaryContent($cached) : null;	1✔
238	}
239
240	$context = stream_context_create([	2✔
241	'http' => [	2✔
242	'timeout' => 30,	2✔
243	'user_agent' => 'LibreSign/1.0 CRL Validator',	2✔
244	'follow_location' => 1,	2✔
245	'max_redirects' => 3,	2✔
246	]	2✔
247	]);	2✔
248
249	$content = $this->fetchRemoteCrlContent($url, $context);	2✔
250	if ($content === false) {	2✔
251	return null;	1✔
252	}
253
254	$this->cache->set($cacheKey, $this->encodeCacheableBinaryContent($content), 86400);	1✔
255	return $content;	1✔
256	}
257
258	/**
259	* @param resource $context
260	*/
261	protected function fetchRemoteCrlContent(string $url, $context): string\|false {
262	return @file_get_contents($url, false, $context);	1✔
263	}
264
265	private function encodeCacheableBinaryContent(string $content): string {
266	return self::BINARY_CACHE_PREFIX . base64_encode($content);	1✔
267	}
268
269	private function decodeCachedBinaryContent(string $cachedContent): string {
270	if (!str_starts_with($cachedContent, self::BINARY_CACHE_PREFIX)) {	1✔
NEW 271	return $cachedContent;	×
272	}
273
274	$decoded = base64_decode(substr($cachedContent, strlen(self::BINARY_CACHE_PREFIX)), true);	1✔
275	return $decoded === false ? $cachedContent : $decoded;	1✔
276	}
277
278	protected function isSerialNumberInCrl(string $crlText, string $serialNumber): bool {
279	$normalizedSerial = strtoupper($serialNumber);	7✔
280	$normalizedSerial = ltrim($normalizedSerial, '0') ?: '0';	7✔
281
282	return preg_match('/Serial Number: 0*' . preg_quote($normalizedSerial, '/') . '/', $crlText) === 1;	7✔
283	}
284
285	/**
286	* Check if certificate serial is revoked in the provided CRL content.
287	*
288	* @return array{status: CrlValidationStatus, revoked_at?: string}
289	*/
290	private function checkCertificateInCrlWithDetails(string $certPem, string $crlContent): array {
291	try {
292	$certResource = openssl_x509_read($certPem);	×
293	if (!$certResource) {	×
294	return ['status' => CrlValidationStatus::VALIDATION_ERROR];	×
295	}
296
297	$certData = openssl_x509_parse($certResource);	×
298	if (!isset($certData['serialNumber'])) {	×
299	return ['status' => CrlValidationStatus::VALIDATION_ERROR];	×
300	}
301
302	$tempCrlFile = $this->tempManager->getTemporaryFile('.crl');	×
303	file_put_contents($tempCrlFile, $crlContent);	×
304
305	try {
306	[$output, $exitCode] = $this->execOpenSslCrl($tempCrlFile);	×
307
308	if ($exitCode !== 0) {	×
309	return ['status' => CrlValidationStatus::VALIDATION_ERROR];	×
310	}
311
312	$crlText = implode("\n", $output);	×
313	$serialCandidates = [$certData['serialNumber']];	×
314	if (!empty($certData['serialNumberHex'])) {	×
315	$serialCandidates[] = $certData['serialNumberHex'];	×
316	}
317
318	foreach ($serialCandidates as $serial) {	×
319	if ($this->isSerialNumberInCrl($crlText, $serial)) {	×
320	$revokedAt = $this->extractRevocationDateFromCrlText($crlText, $serialCandidates);	×
321	return array_filter([	×
322	'status' => CrlValidationStatus::REVOKED,	×
323	'revoked_at' => $revokedAt,	×
324	]);	×
325	}
326	}
327
328	return ['status' => CrlValidationStatus::VALID];	×
329	} finally {
330	if (file_exists($tempCrlFile)) {	×
331	unlink($tempCrlFile);	×
332	}
333	}
334
335	} catch (\Exception) {	×
336	return ['status' => CrlValidationStatus::VALIDATION_ERROR];	×
337	}
338	}
339
340	/**
341	* Runs `openssl crl -text -noout` on the given DER file and returns
342	* [output_lines[], exit_code]. Extracted to allow test subclasses to
343	* override it without executing a real process.
344	*/
345	protected function execOpenSslCrl(string $tempCrlFile): array {
346	$cmd = sprintf(	×
347	'openssl crl -in %s -inform DER -text -noout',	×
348	escapeshellarg($tempCrlFile)	×
349	);	×
350	exec($cmd, $output, $exitCode);	×
351	return [$output, $exitCode];	×
352	}
353
354	protected function extractRevocationDateFromCrlText(string $crlText, array $serialNumbers): ?string {
355	foreach ($serialNumbers as $serial) {	3✔
356	$normalizedSerial = strtoupper(ltrim((string)$serial, '0')) ?: '0';	3✔
357	$pattern = '/Serial Number:\s0' . preg_quote($normalizedSerial, '/') . '\s\R\sRevocation Date:\s*([^\r\n]+)/i';	3✔
358	if (preg_match($pattern, $crlText, $matches) !== 1) {	3✔
359	continue;	1✔
360	}
361	$dateText = trim($matches[1]);	2✔
362	try {
363	$date = new \DateTimeImmutable($dateText, new \DateTimeZone('UTC'));	2✔
364	return $date->setTimezone(new \DateTimeZone('UTC'))->format(\DateTimeInterface::ATOM);	2✔
365	} catch (\Exception) {	×
366	continue;	×
367	}
368	}
369	return null;	1✔
370	}
371	}

LibreSign / libresign / 27520589845

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous