Update RsaKeysProvider.php to use OpenSSL #446
Conversation
Use OpenSSL instead of phpseclib\Crypt\RSA;
Thank you for your contribution.
We are going to update our contribution policy to make these rules easier to implement and understand. Again, thank you for your contribution.
For the record, it seems … However, today we have a php-scoper implementation that prevents this collision from happening, and using a more straightforward implementation is a good idea.
The main goal was to address a 503 Service Unavailable error that I was encountering, preventing me from connecting to the admin panel.

1. What problem are you trying to solve?
   The issue involves an integration with the phpseclib library, which is currently being used for RSA encryption in the module. However, due to compatibility or configuration issues, the library may be problematic in the environment where the module runs.

2. How can anyone reproduce your issue?
   To reproduce this issue, one can install the impacted versions of ps_accounts and attempt to run functions requiring RSA key generation or signing (for example, trying to authenticate in the backend with the module being active). If the environment doesn't have the phpseclib dependency correctly configured, a 503 error would be thrown without any log details.

3. Which version of the module is impacted?
   This issue impacts all versions of the module that rely on phpseclib for encryption operations. Specifically, it would affect all versions where phpseclib was implemented without fallbacks for environments where it is not configured or compatible.

4. How do you analyze the issue and the expected changes?
   The issue appears to stem from a missing or misconfigured phpseclib library, possibly due to Composer dependency issues or compatibility constraints. Switching to OpenSSL, a native PHP extension, would reduce dependency issues and improve compatibility. The expected changes involve refactoring the module's encryption logic to replace phpseclib's RSA methods with OpenSSL's native functions for key generation, signing, and verification.
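The refactoring described in point 4, as an added example that is not ps_accounts code and not the contributor's patch: the native OpenSSL calls that replace phpseclib's RSA operations for key generation, signing, verification and public-key encryption. It assumes PHP 7.1 or later with the openssl extension; the function names and the sample payload are illustrative and are not the module's API.

```php
<?php
declare(strict_types=1);

// Added example, not ps_accounts code. Shows the native OpenSSL replacements for
// phpseclib's RSA operations. Assumes PHP >= 7.1 with the openssl extension.
// Function names below are illustrative, not the module's API.

/** Generate an RSA key pair; return [privatePem, publicPem] so no key handle is kept. */
function generateRsaKeyPair(int $bits = 2048): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => $bits,
    ]);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('Private key export failed: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    if ($details === false || empty($details['key'])) {
        throw new RuntimeException('Public key extraction failed: ' . openssl_error_string());
    }
    return [$privatePem, $details['key']];
}

/** Sign $data with RSA-SHA256 and return the base64-encoded signature. */
function signData(string $privatePem, string $data): string
{
    $key = openssl_pkey_get_private($privatePem);
    if ($key === false) {
        throw new RuntimeException('Invalid private key: ' . openssl_error_string());
    }
    if (!openssl_sign($data, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

/** Verify a base64 RSA-SHA256 signature; malformed input or an OpenSSL error counts as invalid. */
function verifySignature(string $publicPem, string $data, string $signatureB64): bool
{
    $key = openssl_pkey_get_public($publicPem);
    if ($key === false) {
        return false;
    }
    $signature = base64_decode($signatureB64, true);
    if ($signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error):
    // compare strictly so an error is never taken as success.
    return openssl_verify($data, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

/** Encrypt with the public key using OAEP padding instead of PHP's default PKCS#1 v1.5. */
function encryptWithPublicKey(string $publicPem, string $plaintext): string
{
    $key = openssl_pkey_get_public($publicPem);
    if ($key === false) {
        throw new RuntimeException('Invalid public key: ' . openssl_error_string());
    }
    if (!openssl_public_encrypt($plaintext, $ciphertext, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        // Also fails when the plaintext exceeds the OAEP size limit for the key.
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return base64_encode($ciphertext);
}

/** Decrypt base64 ciphertext with the private key; the padding mode must match encryption. */
function decryptWithPrivateKey(string $privatePem, string $ciphertextB64): string
{
    $key = openssl_pkey_get_private($privatePem);
    if ($key === false) {
        throw new RuntimeException('Invalid private key: ' . openssl_error_string());
    }
    $ciphertext = base64_decode($ciphertextB64, true);
    if ($ciphertext === false
        || !openssl_private_decrypt($ciphertext, $plaintext, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('Decryption failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Round trip on a constructed sample payload.
[$privatePem, $publicPem] = generateRsaKeyPair();
$payload = '{"shop_id":"constructed-sample","ts":1700000000}';

$signature = signData($privatePem, $payload);
var_dump(verifySignature($publicPem, $payload, $signature));        // untouched payload
var_dump(verifySignature($publicPem, $payload . ' ', $signature));  // tampered payload

$ciphertext = encryptWithPublicKey($publicPem, $payload);
var_dump(decryptWithPrivateKey($privatePem, $ciphertext) === $payload);
```

Two caveats for a port like this. OAEP limits the plaintext to the modulus size minus the padding overhead (214 bytes for a 2048-bit key with the default SHA-1 OAEP parameters), so anything larger must be wrapped with a symmetric key rather than passed to openssl_public_encrypt directly. And the key handles change type across PHP versions (resources before PHP 8.0, OpenSSLAsymmetricKey objects from 8.0, where openssl_free_key is deprecated), which matters for the PrestaShop 1.6 to 8 range discussed below; exporting to PEM strings as above avoids holding the handle across that difference.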
Fix PHP-CS issues in RsaKeysProvider.php
src/Provider/RsaKeysProvider.php (Outdated)

        return null;
    }

    openssl_public_encrypt($string, $encrypted, $publicKeyResource);
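Review bot: the openssl_public_encrypt call on the last line relies on the default padding, which in PHP's OpenSSL binding is PKCS#1 v1.5, and discards the boolean return value. Pass OPENSSL_PKCS1_OAEP_PADDING as the fourth argument and treat a false return as a failure (return null or throw, as the branch just above does), since a silently empty $encrypted would propagate downstream: `if (!openssl_public_encrypt($string, $encrypted, $publicKeyResource, OPENSSL_PKCS1_OAEP_PADDING)) { return null; }`.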
Check failure: Code scanning / SonarCloud: Encryption algorithms should be used with secure mode and padding scheme (High)
Improvement of security rating and aligning with best practices for RSA encryption by using OAEP padding.
SonarCloud: Quality Gate passed.
Is https://www.php.net/manual/en/class.opensslasymmetrickey.php compatible with all versions from PrestaShop 1.6 to PrestaShop 8? With only one package to cover this version range, I guess the only solution is to scope dependencies with php-scoper. Will notify the team to comment on this soon.
We decided to close the PR; this will be solved in the near future. Thank you for your time.