oauth2-server
RSA_KEY_PATTERN in CryptKey.php not working?
For some reason, the RSA_KEY_PATTERN constant does not work with my keys on linux/nginx/php-fpm 7.0.9. The preg_match returns false, which probably means failure in pattern compilation, as no match should return 0.
Changing the pattern from
'/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----\n)(.|\n)+(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)$/';
to
'/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----\n).*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)$/si';
works for me.
Cheers, Björn
This might be because it doesn't match against those with carriage returns. I generated a key using phpseclib's RSA class, and either that, or the built in openssl_ methods, use \r\n line endings. So modifying my script to replace \r\n with \n made it work for me.
This issue has been resolved as of 5.1.4 and 6.0.0
Hi! I am still having this issue with version 6.1.1. The pattern does work when I test it on Regex101, as you can see in this example. However the preg_match function returns false or... nothing. Like @visual4 said, the following pattern works perfectly:
/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----\n).*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)$/s
Environment:
- macOS 10.13.2 (17C88)
- PHP 7.1.12
@louisfisch Check if your regexp returns an error. We run into the same (?) / a similar issue. For us it was caused by PHP's most stupid ever "feature", the implementation of PCRE JIT. See this bug for reference. You know you've hit it, when the error code is PREG_JIT_STACKLIMIT_ERROR
Essentially with PHP 7, one cannot guarantee the behaviour of a preg_match anymore.
Thanks for sharing the extra detail @mrgrain. Also see comments on https://github.com/php/php-src/pull/2910.
@louisfisch can you confirm the preg_last_error() code you're seeing when using the RSA_KEY_PATTERN constant? Is it a PREG_JIT_STACKLIMIT_ERROR?
Does anyone fancy recompiling their PHP to see if the stack limit size change fixes this issue?
@simonhamp I confirm the preg_last_error() returns the value 6 which I think is the value of the PREG_JIT_STACKLIMIT_ERROR constant.
Essentially with PHP 7, one cannot guarantee the behaviour of a preg_match anymore.
@mrgrain, agree. I also run into bad experiences with preg_match().
@louisfisch thanks for confirming that
I appear to also be getting PREG_JIT_STACKLIMIT_ERROR on PHP 7.0
Edit:
Still getting it intermittently on 7.0, 7.1 and 7.2, which are each running PCRE_VERSION 8.41 2017-07-05, even with pcre.jit=0.
My understanding is that turning pcre.jit off in the .ini file should resolve this. Did you restart your php instance? I don't think this error can be thrown if jit is turned off.
As an aside, I think we need to look at making this preg more efficient. It might not be possible (I am by no means a regex expert) but I think there might be some optimisations we can make.
We also probably need to list this in the docs to make people aware. I will reopen this ticket for now.
@Sephster So I was disabling pcre.jit with ini_set in my application bootstrapping - ini_get('pcre.jit') at the point the error occurs was returning 0, so I was under the impression it was turned off.
The worst part about this is the error message contains my private key, so that ends up in plaintext in my error log. Frustratingly it was happening intermittently (consistently every 3rd request oddly).
To get around the issue I extended the CryptKey class and always call $this->storeFile() before running it through the parent constructor, and use my overridden CryptKey class in my service provider instead of the default.
Thinking of opening an issue and PR about the key being visible in the error message because that is honestly nightmare fuel.
@Sephster Another option would be to make some of the checks in CryptKey.php optional. They are nice for a quick start, but as someone who knows what they are doing and what their input is, I really don't need these checks to happen.
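The two problems raised in this thread, a preg_match() result of false being read as "no match" and the key text reaching the error log, can be handled in one check. This is an added example, not code from oauth2-server or from any commenter; the function name looksLikePemKey and the sample input are hypothetical, and the pattern is the /s variant quoted above.

```php
<?php
declare(strict_types=1);

// Pattern quoted in the thread as the working replacement (with the /s flag).
const KEY_PATTERN = '/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----\n).*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)$/s';

/**
 * Hypothetical helper: true when $key looks like PEM key text, false when it
 * does not (for example, when it is a file path).
 * Throws on a PCRE engine failure; the message never contains $key.
 */
function looksLikePemKey(string $key): bool
{
    // Normalise CRLF line endings, which one commenter had to do by hand.
    $normalised = str_replace("\r\n", "\n", trim($key));

    $result = preg_match(KEY_PATTERN, $normalised);

    if ($result === false) {
        // false means the regex engine failed, not that the input did not
        // match. Report the error code and the input length only.
        $names = [
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
            PREG_JIT_STACKLIMIT_ERROR  => 'PREG_JIT_STACKLIMIT_ERROR',
        ];
        $code = preg_last_error();
        throw new RuntimeException(sprintf(
            'PCRE failure %s (%d) while validating a key of %d bytes',
            $names[$code] ?? 'unknown',
            $code,
            strlen($normalised)
        ));
    }

    return $result === 1;
}

// Constructed sample input: not a real key, CRLF line endings.
$sample = "-----BEGIN PRIVATE KEY-----\r\nCONSTRUCTED-SAMPLE-NOT-A-KEY\r\n-----END PRIVATE KEY-----\r\n";
var_dump(looksLikePemKey($sample));            // PEM-shaped text
var_dump(looksLikePemKey('/path/to/key.pem')); // a path rather than key text
```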