Add digest and cipher options

Author: schroedan

src/Console/Command/GeneratePrivateKeyCommand.php

@@ -8,6 +8,8 @@
 namespace Skriptfabrik\Openssl\Console\Command;
 
 use Skriptfabrik\Openssl\Console\Input\BitsOptionTrait;
+use Skriptfabrik\Openssl\Console\Input\CipherOptionTrait;
+use Skriptfabrik\Openssl\Console\Input\DigestOptionTrait;
 use Skriptfabrik\Openssl\Console\Input\NoOverrideOptionTrait;
 use Skriptfabrik\Openssl\Console\Input\OutputArgumentTrait;
 use Skriptfabrik\Openssl\Console\Input\PassphraseOptionTrait;
@@ -29,9 +31,11 @@
  */
 class GeneratePrivateKeyCommand extends Command
 {
+    use DigestOptionTrait;
     use TypeOptionTrait;
     use BitsOptionTrait;
     use PassphraseOptionTrait;
+    use CipherOptionTrait;
     use NoOverrideOptionTrait;
     use OutputArgumentTrait;
 
@@ -45,6 +49,11 @@ class GeneratePrivateKeyCommand extends Command
      */
     public const DESCRIPTION = 'Generate a private key with OpenSSL';
 
+    /**
+     * The default digest.
+     */
+    public const DEFAULT_DIGEST = 'sha256';
+
     /**
      * The default key type.
      */
@@ -65,6 +74,13 @@ protected function configure(): void
     {
         $this->setName(self::NAME);
         $this->setDescription(self::DESCRIPTION);
+        $this->addOption(
+            'digest',
+            'd',
+            InputOption::VALUE_REQUIRED,
+            'The method or signature hash',
+            self::DEFAULT_DIGEST
+        );
         $this->addOption(
             'type',
             't',
@@ -85,6 +101,12 @@ protected function configure(): void
             InputOption::VALUE_REQUIRED,
             'The private key can be optionally protected by a passphrase'
         );
+        $this->addOption(
+            'cipher',
+            'c',
+            InputOption::VALUE_REQUIRED,
+            'The cipher for the passphrase protection'
+        );
         $this->addOption(
             'no-override',
             null,
@@ -111,9 +133,11 @@ protected function configure(): void
      */
     protected function execute(InputInterface $input, OutputInterface $output): int
     {
+        $digest = $this->getDigestOption($input);
         $type = $this->getTypeOption($input);
         $bits = $this->getBitsOption($input);
         $passphrase = $this->getPassphraseOption($input);
+        $cipher = $this->getCipherOption($input);
         $noOverride = $this->isNoOverrideOption($input);
         $outputFile = $this->getOutputArgument($input);
 
@@ -135,7 +159,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         $generator = $this->createPrivateKeyGenerator();
 
         try {
-            $generator->setType($type)->setBits($bits)->setPassphrase($passphrase);
+            $generator->setDigest($digest)->setType($type)->setBits($bits)->setPassphrase($passphrase)->setCipher($cipher);
         } catch (InvalidArgumentException $exception) {
             $output->writeln(sprintf('<error>[OpenSSL] %s</error>', $exception->getMessage()));
             return 1;

src/Console/Input/CipherOptionTrait.php

@@ -0,0 +1,39 @@
+<?php declare(strict_types=1);
+/**
+ * This file is part of the skriptfabrik PHP OpenSSL package.
+ *
+ * @author Daniel Schröder <[email protected]>
+ */
+
+namespace Skriptfabrik\Openssl\Console\Input;
+
+use Symfony\Component\Console\Exception\InvalidOptionException;
+use Symfony\Component\Console\Input\InputInterface;
+use function is_string;
+
+/**
+ * Cipher option trait.
+ *
+ * @package Skriptfabrik\Openssl\Console\Input
+ */
+trait CipherOptionTrait
+{
+    /**
+     * Get cipher option.
+     *
+     * @param InputInterface $input
+     *
+     * @return string|null
+     *
+     * @throws \Symfony\Component\Console\Exception\InvalidOptionException
+     */
+    protected function getCipherOption(InputInterface $input): ?string
+    {
+        $cipher = $input->getOption('cipher');
+        if ($cipher === null || is_string($cipher)) {
+            return $cipher;
+        }
+
+        throw new InvalidOptionException('The "--cipher" option must be string');
+    }
+}

src/Console/Input/DigestOptionTrait.php

@@ -0,0 +1,39 @@
+<?php declare(strict_types=1);
+/**
+ * This file is part of the skriptfabrik PHP OpenSSL package.
+ *
+ * @author Daniel Schröder <[email protected]>
+ */
+
+namespace Skriptfabrik\Openssl\Console\Input;
+
+use Symfony\Component\Console\Exception\InvalidOptionException;
+use Symfony\Component\Console\Input\InputInterface;
+use function is_string;
+
+/**
+ * Digest option trait.
+ *
+ * @package Skriptfabrik\Openssl\Console\Input
+ */
+trait DigestOptionTrait
+{
+    /**
+     * Get digest option.
+     *
+     * @param InputInterface $input
+     *
+     * @return string
+     *
+     * @throws \Symfony\Component\Console\Exception\InvalidOptionException
+     */
+    protected function getDigestOption(InputInterface $input): string
+    {
+        $digest = $input->getOption('digest');
+        if (is_string($digest)) {
+            return $digest;
+        }
+
+        throw new InvalidOptionException('The "--digest" option must be string');
+    }
+}

src/Generator/PrivateKeyGenerator.php

@@ -23,6 +23,46 @@ class PrivateKeyGenerator
      */
     public const MIN_BITS = 64;
 
+    /**
+     * RC2 128 cipher.
+     */
+    public const CIPHER_RC2_128 = 'rc2-128';
+
+    /**
+     * AES 128 CBC cipher.
+     */
+    public const CIPHER_AES_128_CBC = 'aes-128-cbc';
+
+    /**
+     * AES 192 CBC cipher.
+     */
+    public const CIPHER_AES_192_CBC = 'aes-192-cbc';
+
+    /**
+     * AES 256 CBC cipher.
+     */
+    public const CIPHER_AES_256_CBC = 'aes-256-cbc';
+
+    /**
+     * Supported ciphers.
+     */
+    public const SUPPORTED_CIPHERS = [
+        OPENSSL_CIPHER_RC2_128 => self::CIPHER_RC2_128,
+        OPENSSL_CIPHER_AES_128_CBC => self::CIPHER_AES_128_CBC,
+        OPENSSL_CIPHER_AES_192_CBC => self::CIPHER_AES_192_CBC,
+        OPENSSL_CIPHER_AES_256_CBC => self::CIPHER_AES_256_CBC,
+    ];
+
+    /**
+     * @var string[]|null
+     */
+    private static $supportedDigests;
+
+    /**
+     * @var string
+     */
+    private $digest = 'sha256';
+
     /**
      * @var int
      */
@@ -38,6 +78,59 @@ class PrivateKeyGenerator
      */
     private $passphrase;
 
+    /**
+     * @var int|null
+     */
+    private $cipher;
+
+    /**
+     * @return string[]
+     */
+    public function getSupportedDigests(): array
+    {
+        if (self::$supportedDigests === null) {
+            self::$supportedDigests = openssl_get_md_methods(true);
+        }
+
+        return self::$supportedDigests;
+    }
+
+    /**
+     * Get digest.
+     *
+     * @return string
+     */
+    public function getDigest(): string
+    {
+        return $this->digest;
+    }
+
+    /**
+     * Set digest.
+     *
+     * @param string $digest
+     *
+     * @return $this
+     *
+     * @throws InvalidArgumentException
+     */
+    public function setDigest(string $digest): self
+    {
+        if (!in_array($digest, $this->getSupportedDigests(), true)) {
+            throw new InvalidArgumentException(
+                sprintf(
+                    'Invalid digest (%s), valid digests: %s',
+                    $digest,
+                    implode(', ', $this->getSupportedDigests())
+                )
+            );
+        }
+
+        $this->digest = $digest;
+
+        return $this;
+    }
+
     /**
      * Get type.
      *
@@ -142,6 +235,50 @@ public function setPassphrase(?string $passphrase): self
         return $this;
     }
 
+    /**
+     * Get cipher.
+     *
+     * @return string|null
+     */
+    public function getCipher(): ?string
+    {
+        return self::SUPPORTED_CIPHERS[$this->cipher] ?? null;
+    }
+
+    /**
+     * Set cipher.
+     *
+     * @param string|null $cipher
+     *
+     * @return $this
+     *
+     * @throws InvalidArgumentException
+     */
+    public function setCipher(?string $cipher): self
+    {
+        if ($cipher === null) {
+            $this->cipher = null;
+
+            return $this;
+        }
+
+        $numericCipher = array_search(strtolower($cipher), self::SUPPORTED_CIPHERS, true);
+
+        if ($numericCipher === false) {
+            throw new InvalidArgumentException(
+                sprintf(
+                    'Invalid cipher (%s), valid ciphers: %s',
+                    $cipher,
+                    implode(', ', self::SUPPORTED_CIPHERS)
+                )
+            );
+        }
+
+        $this->cipher = $numericCipher;
+
+        return $this;
+    }
+
     /**
      * Generate private key.
      *
@@ -153,9 +290,11 @@ public function generate(): PrivateKey
     {
         $key = openssl_pkey_new(
             [
+                'digest_alg' => $this->digest,
                 'private_key_type' => $this->type,
                 'private_key_bits' => $this->bits,
                 'encrypt_key' => $this->passphrase !== null,
+                'encrypt_key_cipher' => $this->cipher,
             ]
         );
 

tests/Console/Command/GeneratePrivateKeyCommandTest.php

@@ -31,8 +31,12 @@ public function testConfiguration(): void
 
         $this->assertSame(GeneratePrivateKeyCommand::NAME, $command->getName());
         $this->assertSame(GeneratePrivateKeyCommand::DESCRIPTION, $command->getDescription());
+        $this->assertTrue($command->getDefinition()->hasOption('digest'));
         $this->assertTrue($command->getDefinition()->hasOption('type'));
         $this->assertTrue($command->getDefinition()->hasOption('bits'));
+        $this->assertTrue($command->getDefinition()->hasOption('passphrase'));
+        $this->assertTrue($command->getDefinition()->hasOption('cipher'));
+        $this->assertTrue($command->getDefinition()->hasOption('no-override'));
         $this->assertTrue($command->getDefinition()->hasArgument('output'));
     }
 
@@ -50,6 +54,7 @@ public function testSuccessfulExecution(): void
             [
                 'command' => $command->getName(),
                 'output' => $output->getPathname(),
+                '--digest' => 'sha256',
                 '--type' => 'DSA',
                 '--bits' => '1024',
             ]
@@ -120,6 +125,31 @@ public function testExecutionReturnsErrorOnWriteFailure(): void
         $this->assertContains('[OpenSSL] Unable to write private key file', $commandTester->getDisplay());
     }
 
+    public function testExecutionReturnsErrorOnInvalidDigestOption(): void
+    {
+        $application = new Application();
+        $application->add(new GeneratePrivateKeyCommand());
+
+        $command = $application->find(GeneratePrivateKeyCommand::NAME);
+        $commandTester = new CommandTester($command);
+
+        $output = TempFileObjectHelper::createTempFile();
+        $output->fwrite('');
+
+        $commandTester->execute(
+            [
+                'command' => $command->getName(),
+                'output' => $output->getPathname(),
+                '--digest' => 'FOO',
+            ]
+        );
+
+        $this->assertEquals(1, $commandTester->getStatusCode());
+        $this->assertContains('[OpenSSL] Invalid digest (FOO)', $commandTester->getDisplay());
+
+        unlink($output->getPathname());
+    }
+
     public function testExecutionReturnsErrorOnInvalidTypeOption(): void
     {
         $application = new Application();
@@ -181,9 +211,11 @@ public function testExecutionReturnsErrorOnGeneratorFailure(): void
         };
 
         $privateKeyGeneratorProphecy = $this->prophesize(PrivateKeyGenerator::class);
+        $privateKeyGeneratorProphecy->setDigest('sha256')->will($returnSelf);
         $privateKeyGeneratorProphecy->setType(KeyInterface::TYPE_RSA)->will($returnSelf);
         $privateKeyGeneratorProphecy->setBits(2048)->will($returnSelf);
         $privateKeyGeneratorProphecy->setPassphrase(null)->will($returnSelf);
+        $privateKeyGeneratorProphecy->setCipher(null)->will($returnSelf);
         $privateKeyGeneratorProphecy->generate()->willThrow(new OpensslErrorException('Unknown OpenSSL error'));
 
         $commandMock = $this->getMockBuilder(GeneratePrivateKeyCommand::class)