ext-sodium is used here if available:
|
private function _verifySignature($dataToVerify, $signature, $credentialPublicKey) { |
|
|
|
// Use Sodium to verify EdDSA 25519 as its not yet supported by openssl |
|
if (\function_exists('sodium_crypto_sign_verify_detached') && !\in_array('ed25519', \openssl_get_curve_names(), true)) { |
|
$pkParts = []; |
|
if (\preg_match('/BEGIN PUBLIC KEY\-+(?:\s|\n|\r)+([^\-]+)(?:\s|\n|\r)*\-+END PUBLIC KEY/i', $credentialPublicKey, $pkParts)) { |
|
$rawPk = \base64_decode($pkParts[1]); |
|
|
|
// 30 = der sequence |
|
// 2a = length 42 byte |
|
// 30 = der sequence |
|
// 05 = lenght 5 byte |
|
// 06 = der OID |
|
// 03 = OID length 3 byte |
|
// 2b 65 70 = OID 1.3.101.112 curveEd25519 (EdDSA 25519 signature algorithm) |
|
// 03 = der bit string |
|
// 21 = length 33 byte |
|
// 00 = null padding |
|
// [...] = 32 byte x-curve |
|
$okpPrefix = "\x30\x2a\x30\x05\x06\x03\x2b\x65\x70\x03\x21\x00"; |
|
|
|
if ($rawPk && \strlen($rawPk) === 44 && \substr($rawPk,0, \strlen($okpPrefix)) === $okpPrefix) { |
|
$publicKeyXCurve = \substr($rawPk, \strlen($okpPrefix)); |
|
|
|
return \sodium_crypto_sign_verify_detached($signature, $dataToVerify, $publicKeyXCurve); |
|
} |
|
} |
|
} |
To me, it should therefore be listed at least as a suggestion in composer.json, together with a short description of what it will be used for if available.
That would make it easier to understand why the behavior changes, if you un-/install ext-sodium.
