Custom 3.0.55 #1

Open: zare-ashkan wants to merge 47 commits into custom from custom-3.0.55

@zare-ashkan

Summary

Rebases the rechtlogisch custom phpseclib fork onto upstream 3.0.55 while keeping the DIP-specific RSASSA-PSS certificate patches required by Mind.

  • Preserve OpenSSL-compatible PSS certificate encoding (omitParameters, queueExtension)
  • Pick up upstream security fixes
  • Fix PSS signature validation when the public key has no PSS parameters (failed CRLTest)
  • Add regression tests for PSS key export and certificate encoding

@zare-ashkan zare-ashkan self-assigned this Jul 2, 2026
@zare-ashkan zare-ashkan added the enhancement New feature or request label Jul 2, 2026
@zare-ashkan zare-ashkan requested a review from Copilot July 2, 2026 09:02

Copilot AI left a comment

Pull request overview

Rebases the custom phpseclib fork onto upstream 3.0.55 while retaining / extending DIP-specific RSASSA-PSS certificate behavior (notably omitting PSS parameters in SubjectPublicKeyInfo) and picking up upstream fixes across RSA, X509, ASN.1, and SFTP.

Changes:

  • Updates X509/RSA/PSS handling to support OpenSSL-compatible PSS certificate encoding and to validate PSS signatures when public keys omit PSS parameters.
  • Adds / updates tests covering PSS export/encoding, OpenSSL engine behavior with password-protected keys, and invalid-key parsing.
  • Pulls in upstream features and fixes (ASN1 OID handling performance work, SFTP hardlink support, DES deprecation fixes, docs/changelog updates).

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| tests/Unit/Math/BigInteger/TestCase.php | Adds coverage for empty-string BigInteger length behavior. |
| tests/Unit/File/X509/X509Test.php | Adds regression tests around PSS SPKI parameter omission and queued extensions. |
| tests/Unit/Crypt/RSA/ModeTest.php | Adds OpenSSL-engine regression test for decrypting with passphrase-protected PKCS8 keys; expands engine matrix. |
| tests/Unit/Crypt/RSA/LoadKeyTest.php | Adds tests for PSS omitParameters behavior and invalid-version key rejection. |
| tests/Unit/Crypt/DSA/LoadDSAKeyTest.php | Adds invalid-version DSA key rejection test. |
| tests/Functional/Net/SFTPUserStoryTest.php | Adds functional hardlink user story coverage. |
| README.md | Documents upcoming 4.0 branch details and updates 1.0 download link. |
| phpseclib/Net/SSH2.php | Adds removal annotations in docblocks for upcoming 4.0 API changes. |
| phpseclib/Net/SFTP.php | Adds hardlink() support and 4.0 docblock annotations. |
| phpseclib/Math/BigInteger/Engines/GMP.php | Fixes GMP bit conversion for empty hex input. |
| phpseclib/Math/BigInteger.php | Adds 4.0 docblock annotation for modInverse. |
| phpseclib/File/X509.php | Implements queued extensions, PSS-parameter omission for SPKI, URL fetch callback pinning, and PSS signature-parameter fallback verification. |
| phpseclib/File/ASN1.php | Adds optional 64-bit OID handling and refactors decodeOID for performance. |
| phpseclib/Crypt/RSA/PublicKey.php | Adjusts PSS serialization to support omitting parameters; removes inline PKCS1/OpenSSL commentary now handled centrally. |
| phpseclib/Crypt/RSA/PrivateKey.php | Adjusts PSS serialization to support omitting parameters. |
| phpseclib/Crypt/RSA/Formats/Keys/PSS.php | Supports omitting PSS parameters and updates default parameter emission. |
| phpseclib/Crypt/RSA/Formats/Keys/PKCS1.php | Adds stricter validation for RSA PKCS1 version parsing. |
| phpseclib/Crypt/RSA.php | Improves OpenSSL-engine handling (PKCS1 verification constraints, password-protected key export, warning handling). |
| phpseclib/Crypt/EC.php | Fixes control flow in curve/provider selection. |
| phpseclib/Crypt/DSA/PrivateKey.php | Ensures OpenSSL signing uses an unencrypted PKCS8 export. |
| phpseclib/Crypt/DSA/Formats/Keys/PKCS1.php | Adds stricter validation for DSA PKCS1 version parsing. |
| phpseclib/Crypt/DES.php | Updates inline-crypt callback generation to avoid deprecated callable syntax. |
| phpseclib/Crypt/Common/Formats/Keys/PKCS8.php | Allows omitting algorithm parameters when formats indicate false. |
| CHANGELOG.md | Adds entries for 3.0.53–3.0.55 and aligns CVE annotation text. |
| .gitignore | Ignores .DS_Store. |

Comment thread README.md
* Composer compatible (PSR-0 autoloading)
* Install using Composer: `composer require phpseclib/phpseclib:~1.0`
* [Download 1.0.25 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.25.zip/download)
* [Download 1.0.25 as ZIP](http://sourceforge.net/projects/phpseclib/files/phpseclib1.0.30.zip/download)
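Review bot: the label and target of the second download link disagree. The text still reads "Download 1.0.25 as ZIP" while the URL now points at phpseclib1.0.30.zip, so the label should be updated to 1.0.30 to match. The link also uses http://, so switching it to https:// would be worth doing in the same edit, since it delivers a cryptography library.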
Comment thread CHANGELOG.md

## 3.0.55 - 2026-06-14

- RSA: signature verification with PKCS1 with failed when the parameters field was absent
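Review bot: the 3.0.55 entry contains a stray word, "signature verification with PKCS1 with failed when", where the second "with" should be dropped so it reads "signature verification with PKCS1 failed when the parameters field was absent". Because this entry records a change in signature-verification behavior, it would help readers auditing the upgrade if it also said which structure's parameters field is meant.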
Comment thread phpseclib/File/X509.php
Comment on lines +4230 to +4234
/**
* Returns the OID corresponding to a name
*
* @param ?callable $callback
*/
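Review bot: the docblock summary does not match what it documents. It says "Returns the OID corresponding to a name", yet the only tag is `@param ?callable $callback` and there is no `@return`, which suggests the text was copied from an OID helper. Replace the summary with a description of what the callback is used for, and state what passing null does, so callers know the default behavior.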
Comment thread phpseclib/File/ASN1.php
$numBytes++;
$endByte = ~$temp & 0x80;
if ($numBytes === PHP_INT_SIZE) {
$prefix .= substr(pack('J', $subn), 1); // we're basically left shifting by 7 bytes
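Review bot: the `$numBytes === PHP_INT_SIZE` branch assumes a 64-bit build. `pack('J', $subn)` always produces 8 bytes and `substr(..., 1)` keeps the low 7, but PHP_INT_SIZE is 4 on 32-bit PHP, where the 'J' format code is not available. If an enclosing check already limits this path to 64-bit builds, note that in a comment next to the condition; otherwise guard the branch explicitly. The inline comment would also be clearer if it explained why the first byte of the packed value can be discarded.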
Comment thread phpseclib/Crypt/DES.php
$sbox1 = array_map(["' . self::class . '", "safe_intval"], self::$sbox1);
$sbox2 = array_map(["' . self::class . '", "safe_intval"], self::$sbox2);
$sbox3 = array_map(["' . self::class . '", "safe_intval"], self::$sbox3);
$sbox4 = array_map(["' . self::class .'", "safe_intval"], self::$sbox4);
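Review bot: style nit on the `$sbox4` line, which concatenates `self::class .'"` without the space after the dot that the `$sbox1` to `$sbox3` lines use. Align it with the other three so the generated callback strings are built identically.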
Comment thread phpseclib/Net/SFTP.php
Comment on lines +3800 to +3804
throw new \RuntimeException(
"Extension 'hardlink@openssh.com' is not supported by the server. " .
"Call getSupportedVersions() to see a list of supported extension"
);
}
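Review bot: the exception message sends callers to the wrong kind of information. It reports that the hardlink@openssh.com extension is unsupported, then says to call getSupportedVersions() for "a list of supported extension". Point to whatever exposes the server's advertised extensions, or reword the hint if getSupportedVersions() is really the intended call, and make "extension" plural.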
Comment on lines +795 to +802
public function testHardlink($sftp)
{
$sftp->put('test3.txt', 'abcdefg');

$this->assertTrue(
$sftp->hardlink('test3.txt', 'hardlink'),
'Failed asserting that a hardlink could be created'
);
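Review bot: the assertion visible here checks only that hardlink() returns true, not that 'hardlink' actually refers to the same content as 'test3.txt'. If the remainder of the test does not already do so, read 'hardlink' back and compare it with 'abcdefg'. Also decide how the test should behave against servers without hardlink@openssh.com, since hardlink() throws a RuntimeException in that case and the test would error rather than skip.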
@zare-ashkan

Author

@zembrowski
All Copilot comments are on upstream. Left as-is for now.
