From 5fbeb235d2bf7b8a7810a5ac10ab2c07d1110788 Mon Sep 17 00:00:00 2001
From: Greg Beaver <cellog@php.net>
Date: Sun, 1 Jun 2008 04:21:26 +0000
Subject: [PATCH] add openssl signing support.  This adds an extra parameter
 for the contents of the exported private key to Phar->setSignatureAlgorithm,
 and expects the public key to be in a file named blah.phar.pubkey in the same
 directory as the phar blah.phar.  This works with openssl static or shared
 and fails gracefully if openssl is not present without adding a dependency.
 config.w32 needs updating to match config.m4 [DOC]

---
 ext/phar/config.m4                            |  11 +
 ext/phar/phar.c                               | 355 +++++++++++++++++-
 ext/phar/phar_internal.h                      |   4 +-
 ext/phar/phar_object.c                        |  24 +-
 ext/phar/tests/files/openssl.phar             | Bin 0 -> 6901 bytes
 ext/phar/tests/files/openssl.phar.pubkey      |   6 +
 ext/phar/tests/files/private.pem              |  15 +
 .../phar_get_supported_signatures_001.phpt    |   1 +
 .../phar_get_supported_signatures_002.phpt    |   1 +
 ext/phar/tests/phar_setsignaturealgo2.phpt    |  11 +-
 ext/phar/tests/test_signaturealgos.phpt       |   5 +
 11 files changed, 421 insertions(+), 12 deletions(-)
 create mode 100644 ext/phar/tests/files/openssl.phar
 create mode 100644 ext/phar/tests/files/openssl.phar.pubkey
 create mode 100644 ext/phar/tests/files/private.pem

diff --git a/ext/phar/config.m4 b/ext/phar/config.m4
index e7a577d6a8..d1263e4de5 100644
--- a/ext/phar/config.m4
+++ b/ext/phar/config.m4
@@ -8,6 +8,17 @@ if test "$PHP_PHAR" != "no"; then
   PHP_NEW_EXTENSION(phar, util.c tar.c zip.c stream.c func_interceptors.c dirstream.c phar.c phar_object.c phar_path_check.c, $ext_shared)
   PHP_ADD_BUILD_DIR($ext_builddir/lib, 1)
   PHP_SUBST(PHAR_SHARED_LIBADD)
+  AC_MSG_CHECKING([for phar openssl support])
+  if test "$PHP_OPENSSL_SHARED" = "yes"; then
+    AC_MSG_RESULT([no (shared openssl)])
+  else
+    if test "$PHP_OPENSSL" = "yes"; then
+      AC_MSG_RESULT([yes])
+      AC_DEFINE(PHAR_HAVE_OPENSSL,1,[ ])
+    else
+      AC_MSG_RESULT([no])
+    fi
+  fi
   PHP_ADD_EXTENSION_DEP(phar, spl, true)
   PHP_ADD_MAKEFILE_FRAGMENT
 fi
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 27afc67dc7..fc7870fe55 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -24,6 +24,24 @@
 #include "SAPI.h"
 #include "func_interceptors.h"
 
+#ifdef PHAR_HAVE_OPENSSL
+
+/* OpenSSL includes */
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/crypto.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/conf.h>
+#include <openssl/rand.h>
+#include <openssl/ssl.h>
+#include <openssl/pkcs12.h>
+
+#endif
+
+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, off_t end, char *key, int key_len, char **signature, int *signature_len TSRMLS_DC);
+
 ZEND_DECLARE_MODULE_GLOBALS(phar)
 #if PHP_VERSION_ID >= 50300
 char *(*phar_save_resolve_path)(const char *filename, int filename_len TSRMLS_DC);
@@ -113,6 +131,7 @@ void phar_destroy_phar_data(phar_archive_data *phar TSRMLS_DC) /* {{{ */
 	}
 	if (phar->signature) {
 		efree(phar->signature);
+		phar->signature = NULL;
 	}
 	if (phar->manifest.arBuckets) {
 		zend_hash_destroy(&phar->manifest);
@@ -592,6 +611,7 @@ int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char *alias,
 		int read_size, len;
 		char sig_buf[8], *sig_ptr = sig_buf;
 		off_t read_len;
+		size_t end_of_phar;
 
 		if (-1 == php_stream_seek(fp, -8, SEEK_END)
 		|| (read_len = php_stream_tell(fp)) < 20
@@ -606,6 +626,149 @@ int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char *alias,
 		}
 		PHAR_GET_32(sig_ptr, sig_flags);
 		switch(sig_flags) {
+		case PHAR_SIG_OPENSSL: {
+#ifdef PHAR_HAVE_OPENSSL
+			BIO *in;
+			EVP_PKEY *key;
+			EVP_MD *mdtype = (EVP_MD *) EVP_sha1();
+			EVP_MD_CTX md_ctx;
+#endif
+			php_uint32 signature_len, pubkey_len;
+			char *sig, *pubkey = NULL, *pfile;
+			off_t whence;
+			php_stream *pfp;
+			int tempsig;
+
+			if (!zend_hash_exists(&module_registry, "openssl", sizeof("openssl"))) {
+				efree(savebuf);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature cannot be verified, openssl not loaded", fname);
+				}
+				return FAILURE;
+			}
+			/* we store the signature followed by the signature length */
+			if (-1 == php_stream_seek(fp, -12, SEEK_CUR)
+			|| 4 != php_stream_read(fp, sig_buf, 4)) {
+				efree(savebuf);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature length could not be read", fname);
+				}
+				return FAILURE;
+			}
+
+			sig_ptr = sig_buf;
+			PHAR_GET_32(sig_ptr, signature_len);
+
+			sig = (char *)emalloc(signature_len);
+
+			whence = signature_len + 4;
+			whence = -whence;
+			if (-1 == php_stream_seek(fp, whence, SEEK_CUR)
+			|| !(end_of_phar = php_stream_tell(fp))
+			|| signature_len != php_stream_read(fp, sig, signature_len)) {
+				efree(savebuf);
+				efree(sig);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature could not be read", fname);
+				}
+				return FAILURE;
+			}
+
+			/* use __FILE__ . '.pubkey' for public key file */
+			spprintf(&pfile, 0, "%s.pubkey", fname);
+			pfp = php_stream_open_wrapper(pfile, "rb", 0, NULL);
+			efree(pfile);
+			if (!pfp || !(pubkey_len = php_stream_copy_to_mem(pfp, &pubkey, PHP_STREAM_COPY_ALL, 0)) || !pubkey) {
+				efree(savebuf);
+				efree(sig);
+				if (pubkey) {
+					efree(pubkey);
+				}
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl public key could not be read", fname);
+				}
+				return FAILURE;
+			}
+			php_stream_close(pfp);
+#ifndef PHAR_HAVE_OPENSSL
+			tempsig = signature_len;
+			if (FAILURE == phar_call_openssl_signverify(0, fp, end_of_phar, pubkey, pubkey_len, &sig, &tempsig TSRMLS_CC)) {
+				efree(savebuf);
+				efree(sig);
+				if (pubkey) {
+					efree(pubkey);
+				}
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature could not be verified", fname);
+				}
+				return FAILURE;
+			}
+			if (pubkey) {
+				efree(pubkey);
+			}
+			signature_len = tempsig;
+#else
+			in = BIO_new_mem_buf(pubkey, pubkey_len);
+			if (NULL == in) {
+				efree(savebuf);
+				efree(sig);
+				efree(pubkey);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature could not be processed", fname);
+				}
+				return FAILURE;
+			}
+			key = PEM_read_bio_PUBKEY(in, NULL,NULL, NULL);
+			BIO_free(in);
+			efree(pubkey);
+			if (NULL == key) {
+				efree(savebuf);
+				efree(sig);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature could not be processed", fname);
+				}
+				return FAILURE;
+			}
+
+			EVP_VerifyInit(&md_ctx, mdtype);
+
+			read_len -= signature_len + 4;
+			if (read_len > sizeof(buf)) {
+				read_size = sizeof(buf);
+			} else {
+				read_size = (int)read_len;
+			}
+			php_stream_seek(fp, 0, SEEK_SET);
+			while (read_size && (len = php_stream_read(fp, (char*)buf, read_size)) > 0) {
+				EVP_VerifyUpdate (&md_ctx, buf, len);
+				read_len -= (off_t)len;
+				if (read_len < read_size) {
+					read_size = (int)read_len;
+				}
+			}
+			if (!EVP_VerifyFinal (&md_ctx, (unsigned char *)sig, signature_len, key)) {
+				EVP_MD_CTX_cleanup(&md_ctx);
+				efree(sig);
+				efree(savebuf);
+				php_stream_close(fp);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" has a broken signature", fname);
+				}
+				return FAILURE;
+			}
+			EVP_MD_CTX_cleanup(&md_ctx);
+#endif
+			sig_len = phar_hex_str((const char*)sig, sig_len, &signature);
+			efree(sig);
+		}
+		break;
 #if HAVE_HASH_EXT
 		case PHAR_SIG_SHA512: {
 			unsigned char digest[64], saved[64];
@@ -2078,6 +2241,116 @@ char *phar_create_default_stub(const char *index_php, const char *web_index, siz
 	return stub;
 }
 
+static int phar_call_openssl_signverify(int is_sign, php_stream *fp, off_t end, char *key, int key_len, char **signature, int *signature_len TSRMLS_DC)
+{
+	zend_fcall_info fci;
+	zend_fcall_info_cache fcc;
+	zval *zdata, *zsig, *zkey, *retval_ptr, **zp[3], *openssl;
+
+	MAKE_STD_ZVAL(zdata);
+	MAKE_STD_ZVAL(openssl);
+	ZVAL_STRINGL(openssl, is_sign ? "openssl_sign" : "openssl_verify", is_sign ? sizeof("openssl_sign")-1 : sizeof("openssl_verify")-1, 1);
+	MAKE_STD_ZVAL(zsig);
+	ZVAL_STRINGL(zsig, *signature, *signature_len, 1);
+	MAKE_STD_ZVAL(zkey);
+	ZVAL_STRINGL(zkey, key, key_len, 1);
+	zp[0] = &zdata;
+	zp[1] = &zsig;
+	zp[2] = &zkey;
+
+	php_stream_rewind(fp);
+	Z_TYPE_P(zdata) = IS_STRING;
+	Z_STRLEN_P(zdata) = end;
+	if (end != (off_t) php_stream_copy_to_mem(fp, &(Z_STRVAL_P(zdata)), (size_t) end, 0)) {
+		zval_dtor(zdata);
+		zval_dtor(zsig);
+		zval_dtor(zkey);
+		return FAILURE;
+	}
+
+#if PHP_VERSION_ID < 50300
+	if (FAILURE == zend_fcall_info_init(openssl, &fci, &fcc TSRMLS_CC)) {
+#else
+	if (FAILURE == zend_fcall_info_init(openssl, 0, &fci, &fcc, NULL, NULL TSRMLS_CC)) {
+#endif
+		zval_dtor(zdata);
+		zval_dtor(zsig);
+		zval_dtor(zkey);
+		zval_dtor(openssl);
+		return FAILURE;
+	}
+	zval_dtor(openssl);
+	efree(openssl);
+
+	fci.param_count = 3;
+	fci.params = zp;
+#if PHP_VERSION_ID < 50300
+	++(zdata->refcount);
+	++(zsig->refcount);
+	++(zkey->refcount);
+#else
+	Z_ADDREF_P(zdata);
+	if (is_sign) {
+		Z_SET_ISREF_P(zsig);
+	} else {
+		Z_ADDREF_P(zsig);
+	}
+	Z_ADDREF_P(zkey);
+#endif
+	fci.retval_ptr_ptr = &retval_ptr;
+
+	if (FAILURE == zend_call_function(&fci, &fcc TSRMLS_CC)) {
+		zval_dtor(zdata);
+		zval_dtor(zsig);
+		zval_dtor(zkey);
+		efree(zdata);
+		efree(zkey);
+		efree(zsig);
+		return FAILURE;
+	}
+#if PHP_VERSION_ID < 50300
+	--(zdata->refcount);
+	--(zsig->refcount);
+	--(zkey->refcount);
+#else
+	Z_DELREF_P(zdata);
+	if (is_sign) {
+		Z_UNSET_ISREF_P(zsig);
+	} else {
+		Z_DELREF_P(zsig);
+	}
+	Z_DELREF_P(zkey);
+#endif
+	zval_dtor(zdata);
+	efree(zdata);
+	zval_dtor(zkey);
+	efree(zkey);
+	switch (Z_TYPE_P(retval_ptr)) {
+		default:
+		case IS_LONG :
+			zval_dtor(zsig);
+			efree(zsig);
+			if (1 == Z_LVAL_P(retval_ptr)) {
+				efree(retval_ptr);
+				return SUCCESS;
+			}
+			efree(retval_ptr);
+			return FAILURE;
+		case IS_BOOL :
+			efree(retval_ptr);
+			if (Z_BVAL_P(retval_ptr)) {
+				*signature = estrndup(Z_STRVAL_P(zsig), Z_STRLEN_P(zsig));
+				*signature_len = Z_STRLEN_P(zsig);
+				zval_dtor(zsig);
+				efree(zsig);
+				return SUCCESS;
+			}
+			zval_dtor(zsig);
+			efree(zsig);
+			return FAILURE;
+	}
+}
+
 /**
  * Save phar contents to disk
  *
@@ -2621,11 +2894,11 @@ int phar_flush(phar_archive_data *phar, char *user_stub, long len, int convert,
 		unsigned char buf[1024];
 		int  sig_flags = 0, sig_len;
 		char sig_buf[4];
-
 		php_stream_rewind(newfile);
 		
 		if (phar->signature) {
 			efree(phar->signature);
+			phar->signature = NULL;
 		}
 		
 		switch(phar->sig_flags) {
@@ -2670,8 +2943,83 @@ int phar_flush(phar_archive_data *phar, char *user_stub, long len, int convert,
 			}
 			return EOF;
 #endif
-		case PHAR_SIG_PGP:
-			/* TODO: currently fall back to sha1,later do both */
+		case PHAR_SIG_OPENSSL: {
+			int siglen;
+			unsigned char *sigbuf;
+#ifdef PHAR_HAVE_OPENSSL
+			BIO *in;
+			EVP_PKEY *key;
+			EVP_MD *mdtype = (EVP_MD *) EVP_sha1();
+			EVP_MD_CTX md_ctx;
+			
+			if (!zend_hash_exists(&module_registry, "openssl", sizeof("openssl"))) {
+				if (closeoldfile) {
+					php_stream_close(oldfile);
+				}
+				php_stream_close(newfile);
+				if (error) {
+					spprintf(error, 0, "phar \"%s\" openssl signature cannot be created, openssl not loaded", phar->fname);
+				}
+				return EOF;
+			}
+			in = BIO_new_mem_buf(PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len));
+
+			if (in == NULL) {
+				if (closeoldfile) {
+					php_stream_close(oldfile);
+				}
+				php_stream_close(newfile);
+				if (error) {
+					spprintf(error, 0, "unable to write contents of file \"%s\" to new phar \"%s\" with requested openssl signature", entry->filename, phar->fname);
+				}
+				return EOF;
+			}
+			key = PEM_read_bio_PrivateKey(in, NULL,NULL, "");
+
+			BIO_free(in);
+			siglen = EVP_PKEY_size(key);
+			sigbuf = emalloc(siglen + 1);
+		
+			EVP_SignInit(&md_ctx, mdtype);
+			while ((sig_len = php_stream_read(newfile, (char*)buf, sizeof(buf))) > 0) {
+				EVP_SignUpdate(&md_ctx, buf, sig_len);
+			}
+			if (!EVP_SignFinal (&md_ctx, sigbuf,(unsigned int *)&siglen, key)) {
+				efree(sigbuf);
+				if (closeoldfile) {
+					php_stream_close(oldfile);
+				}
+				php_stream_close(newfile);
+				if (error) {
+					spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
+				}
+				return EOF;
+			}
+			sigbuf[siglen] = '\0';
+			EVP_MD_CTX_cleanup(&md_ctx);
+#else
+			sigbuf = NULL;
+			siglen = 0;
+			php_stream_seek(newfile, 0, SEEK_END);
+			if (FAILURE == phar_call_openssl_signverify(1, newfile, php_stream_tell(newfile), PHAR_G(openssl_privatekey), PHAR_G(openssl_privatekey_len), (char **)&sigbuf, &siglen TSRMLS_CC)) {
+				if (closeoldfile) {
+					php_stream_close(oldfile);
+				}
+				php_stream_close(newfile);
+				if (error) {
+					spprintf(error, 0, "unable to write phar \"%s\" with requested openssl signature", phar->fname);
+				}
+				return EOF;
+			}
+#endif
+			sig_flags |= PHAR_SIG_OPENSSL;
+			phar->sig_len = phar_hex_str((const char *)sigbuf, siglen, &phar->signature);
+			php_stream_write(newfile, (char *) sigbuf, siglen);
+			efree(sigbuf);
+			phar_set_32(sig_buf, siglen);
+			php_stream_write(newfile, sig_buf, 4);
+		}
+		break;
 		default:
 		case PHAR_SIG_SHA1: {
 			unsigned char digest[20];
@@ -3084,6 +3432,7 @@ PHP_MINFO_FUNCTION(phar) /* {{{ */
  */
 static zend_module_dep phar_deps[] = {
 	ZEND_MOD_OPTIONAL("apc")
+	ZEND_MOD_OPTIONAL("openssl")
 #if HAVE_SPL
 	ZEND_MOD_REQUIRED("spl")
 #endif
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
index 9005ca84eb..4d8ba8475b 100755
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@@ -103,7 +103,7 @@
 #define PHAR_SIG_SHA1             0x0002
 #define PHAR_SIG_SHA256           0x0003
 #define PHAR_SIG_SHA512           0x0004
-#define PHAR_SIG_PGP              0x0010
+#define PHAR_SIG_OPENSSL          0x0010
 
 /* flags byte for each file adheres to these bitmasks.
    All unused values are reserved */
@@ -171,6 +171,8 @@ ZEND_BEGIN_MODULE_GLOBALS(phar)
 	char*       cwd;
 	int         cwd_len;
 	int         cwd_init;
+	char        *openssl_privatekey;
+	int         openssl_privatekey_len;
 ZEND_END_MODULE_GLOBALS(phar)
 
 ZEND_EXTERN_MODULE_GLOBALS(phar)
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 4ca68a0bcc..4c9a6e5790 100755
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -1251,6 +1251,13 @@ PHP_METHOD(Phar, getSupportedSignatures)
 	add_next_index_stringl(return_value, "SHA-256", 7, 1);
 	add_next_index_stringl(return_value, "SHA-512", 7, 1);
 #endif
+#if PHAR_HAVE_OPENSSL
+	add_next_index_stringl(return_value, "OpenSSL", 7, 1);
+#else
+	if (zend_hash_exists(&module_registry, "openssl", sizeof("openssl"))) {
+		add_next_index_stringl(return_value, "OpenSSL", 7, 1);
+	}
+#endif
 }
 /* }}} */
 
@@ -2675,7 +2682,7 @@ PHP_METHOD(Phar, setStub)
 }
 /* }}} */
 
-/* {{{ proto array Phar::setSignatureAlgorithm(int sigtype)
+/* {{{ proto array Phar::setSignatureAlgorithm(int sigtype[, string privatekey])
  * Sets the signature algorithm for a phar and applies it. The signature
  * algorithm must be one of Phar::MD5, Phar::SHA1, Phar::SHA256,
  * Phar::SHA512, or Phar::PGP (PGP is not yet supported and falls back to
@@ -2685,7 +2692,8 @@ PHP_METHOD(Phar, setStub)
 PHP_METHOD(Phar, setSignatureAlgorithm)
 {
 	long algo;
-	char *error;
+	char *error, *key = NULL;
+	int key_len = 0;
 	PHAR_ARCHIVE_OBJECT();
 	
 	if (PHAR_G(readonly) && !phar_obj->arc.archive->is_data) {
@@ -2704,7 +2712,7 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
 		return;
 	}
 
-	if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "l", &algo) != SUCCESS) {
+	if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "l|s", &algo, &key, &key_len) != SUCCESS) {
 		return;
 	}
 
@@ -2718,9 +2726,11 @@ PHP_METHOD(Phar, setSignatureAlgorithm)
 #endif
 		case PHAR_SIG_MD5 :
 		case PHAR_SIG_SHA1 :
-		case PHAR_SIG_PGP :
+		case PHAR_SIG_OPENSSL :
 			phar_obj->arc.archive->sig_flags = algo;
 			phar_obj->arc.archive->is_modified = 1;
+			PHAR_G(openssl_privatekey) = key;
+			PHAR_G(openssl_privatekey_len) = key_len;
 
 			phar_flush(phar_obj->arc.archive, 0, 0, 0, &error TSRMLS_CC);
 			if (error) {
@@ -2758,6 +2768,9 @@ PHP_METHOD(Phar, getSignature)
 		case PHAR_SIG_SHA512:
 			add_assoc_stringl(return_value, "hash_type", "SHA-512", 7, 1);
 			break;
+		case PHAR_SIG_OPENSSL:
+			add_assoc_stringl(return_value, "hash_type", "OpenSSL", 7, 1);
+			break;
 		}
 	} else {
 		RETURN_FALSE;
@@ -4571,6 +4584,7 @@ ZEND_END_ARG_INFO();
 static
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phar_setSigAlgo, 0, 0, 1)
 	ZEND_ARG_INFO(0, algorithm)
+	ZEND_ARG_INFO(0, privatekey)
 ZEND_END_ARG_INFO();
 
 static
@@ -4759,7 +4773,7 @@ void phar_object_init(TSRMLS_D) /* {{{ */
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHP", PHAR_MIME_PHP)
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PHPS", PHAR_MIME_PHPS)
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "MD5", PHAR_SIG_MD5)
-	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "PGP", PHAR_SIG_PGP)
+	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "OPENSSL", PHAR_SIG_OPENSSL)
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA1", PHAR_SIG_SHA1)
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA256", PHAR_SIG_SHA256)
 	REGISTER_PHAR_CLASS_CONST_LONG(phar_ce_archive, "SHA512", PHAR_SIG_SHA512)
diff --git a/ext/phar/tests/files/openssl.phar b/ext/phar/tests/files/openssl.phar
new file mode 100644
index 0000000000000000000000000000000000000000..f3864d7faacb9b6a50215f8f0b9513839ef71fd5
GIT binary patch
literal 6901
zcmb_hOKcoj70nD94fHH#5F?Nn3B6b~sq)zEc6Xd);$Q3}oj8ge8@ppfdQ7Xj>UDR;
z^`olVpL`@1uo;$<4H64RNU#9JH*5wL2#FCA3nVry5E2qQR<J@EBslkd%GK`fWEN!P
zalKpj|L(i@yz=6exEGg7#vyOBC1!e|%a3M2G8alEufr@aY}rX-A6sVJvlDZgrCGx5
zpw;DB>oBq7m?x<<ImynQV~%g9X^S6uX_i{%mSmsByN4xO%+Gsa#uJCf*$vO<H~OIi
z$%Rr1O<w5ueV4alJL^eH^OcIpW>~9r<JNk;)xzV}YGbXnQ{P(MUTth{gFr3}2u?zq
zw1jBr!3z7nKg}pOyi&YOL^7=36b9=@Sz<d`OX}HatZp|JN(s;UNw`pYEOWAAc`3ZM
z47jtsTi<S)+x0Krt?x8iceihudm<U*I5z5ywax2_X@my-o-JWFZq^$nd-RA68yaBS
z+T3ZFlOoZB?sp?AOZptK8-W+_6gw<8vxFSPsmYd>S#7#xI^xO9_)%7gecKC7B95lU
z@kr*WsZnG%b4QVTqlkXg9Ys#Uk>u<s8^wK;jx<OGO~F<X7s?=iwhuh1<-l`!RG}p}
z+JTDE3+yhh(30|z%7n=@(F(+_*O3Y&D=k6oWr3uMjAG?0sy~KY)U4S(Cn~BwDiZ<9
z@5j7I$FeKQDo@gr6Ea>?=;kT9GKmxHdybuXQCK-D-?tC!)JeQJBb9;Ys`S`>*NZA*
zE$LF_DRQK8ugF*ub95k?@!;{wSNoo`pP?AVyZHQoA}mQFRvybu2~>dMw}@nr9=mD_
zilGn@s$yL{GI&~onjVgjNPCg9e`p`@atD2^M||1f=3*(7ir<BlYC43A(a;h~j@qgg
zqzkkpDoR4A5EVkJ=@O1<smE=XC)UI@+v)N0wJ6Mz$e(9nRCb6m&4PZKl@oqo`<`oO
zd;&sRW-GC~fqlYE?@C77PI+ht9A{rYTDq%(fqMK|^z=ANM|306&(J`%r06kD&-D^(
zu+tbB4`Na$8@Xt?#lC6885~IaZI~Kw=i~dqrf3lPJhTeFsc6U+HBB;!CR#CR0!asG
z666Up*BXtjN_D2n&d*laMs&bkw#Adc4tbdQ$L2|D&Gkqgk$FZ#X}BGWJmHO;A+QBm
z48n{?hG8Re%uHVlw-ITB-1S@A^=p`FUmh56QjgdnC_zXnWTc;V)G}=B$D*c=&@8q~
zm4}XYmd(x1u{%-5Zbbdir6{@6i`c{>HJ;^nLbgZ}^uQJ~FZ1~_jq4K$MI^?G=3Hz?
z?y(f<RhP*?nF*;06i=K@vx$Oy1uQ~Z2|*26o+zY@un48g3p){osdiQk)ppawq~c+U
zriDpL+pB}56NB9=H;!XI&k6&ru$h`?orm45C%3eN5L54g%qbPF?Gj1a);lTikevKt
zoHmU?PoyivCCBa1d(`6+tCGL@Ik8Woex6`W1nPBrK7O*+uz#bIfQlXC&i^APfJ6fK
zv10j^9+uJ!GsR(|F974IRg`#LRPRE`iNZ8vH}7GeXOF70v$L9X^<GWTY6aTH>dtLJ
zJYOIRXa?#4WR+^y>v!<t;>EWwpaCk=9l%W*atxTrka!L}9otX&B-}MRF)gDQ9YuG?
zX=WyEIv<^s^L+~}K)>AY%+JFB$i_NE`eAH4`<A&2Xe>^;)%HR=IiBoL4N0Ln0;Wa)
zZvE0Ec<n|g1o&dRc=LAka!ppbvEHoi;r!_S7SI`|*P@Ln_F*Q`YB0H|&uTLTAA}w0
z#>^5kh!GO(ut#Ux(zb{!;HxGG<H8tZ#jqIh24T1!x6JzX_U86HLj(0X9FCwp<A71`
zbJ?MtvI&$T_CvO9Xr3`A7{+ejcUhauw=ym?(g{jDip!uDfRJS3TPoc~K%sO%7w?-u
zuzSisP|qpuoA<;~qY0<CKfj)IA3(8>2@2qx`=2CHGS43PUYq3&hIuK*Z^kf0+dd{l
znSwA`E^kdTt(=9NyI|==iBM8@q99H<I)=+|r?Qh&2BoeM1y51+<6Uh(aJkkr>}~sj
z7uTNaZc)b=kJ}Gw&u~~A<a{5pASMi;YvQbYiwSksOK~mqGRl=DL4hdS6j{LOqn<95
zh*c{E+>&=bXrlIq;s6jq|19uhcq~jzva@KN>bMr)k~V=VP794!HC0vC&Qc526;V_=
zNyC;xp&$od<h625lr0s8PuPHC)&y~s;N&w1aVLxLltr{Lbf09j{c`tpCX0GysgnwZ
z(`i<STS->T8I8V*ok`RaDU=5zS4ui^qH4Fu5$?*)p-UUK66}kph;f?DUb=K?n(0fT
zaG(HI<OZsPHJB~w>lok?xEJJj(ydfpPSqJsIIaS`5yUrW=*lXY&OLm#iz{Nw;(pdb
ztEWk?<a6vbY#MEx@>Ig9<iOCV6KW|<GcflUnvx-Fa+w*VS`;e*wt;AoFbTL+)EefY
znyIy`ls=2=RHhxDqZ?o-3RIt;BjHO^cSv$<5`zHK-~`7Ow=WM`$Vn4$=P~1$YG`WD
z%asz7+oH;i_QX;zL`E>yI<bh-=>-uc+HekF`QpWkWLf-Ik{5)*;!!hKbUAfLkapE4
z77`tr)w<1KK%aC6Yin(*wYh_B{nD*F!1gDN0U-+vbzmp5<au~tnT?Gta9yDSE3D^F
z)^%ba#}q6uAWyN7F4Y6f3PlYy=nL}vXi7m2<s~t`en(1_PSLrvQZg{;An^Z47nF2S
zGr2*EhLTm7jRa`a+$`b~ef<isVbe^Y5+DJ1GKQ(Dxde78NLS}@|1x~w6u4s0XQeS3
zas@QPf$<E~d_o9CC`h3IGz2LIxMZPoN@rB8Fx~-v<bee*o~EWK<1o%caEvi4&8QHS
z%_$gNfFR8rJ%-eE6#38+q*sR}T!omTL6|Y=ELul1SA^3kzpAxxDet49<xbg^-F9Wy
zsqDIyU0&J6$AkO^TrgR~Mo=0>8U{5t&y(^rPVnWlW0`OE31p7uE1d(7?x=s`)LkNV
zMg(IKqrgU~s?nCnZ30V8Y}6>e3j<sCXpFYGy&R1ZiZ7f9GCs17M>Qfe`s7%4BC2hC
z`Jf(6DB5r+B=NpUu9p;|H5}1u=q~0I@v{)cj9n>WV}}w(icq3?_XMG=ak;d3N=#sK
z3PIyJ=|v%A2|%^GCy-H4U{l%>J!?o-K|(D&0N`@@K}b%qQ9soAn8l}P3C$;Nh2o15
z6QAHi+n0Eh(S!i%!o`<y0>8MY&*T>mscr@|sKg6V7FiQT1llBhT^bA=#R^7UtrKtd
zart)==X}l5_YvtgDxy%TAJ0X6`*QZvejwe{#!*7}F3*Ho;mzsGUTZYgFcdJNo8PHn
zm7|2NAGIy>E%bZ>2_0QcVy3FUaeykw3MYc+3R_760k5!_XDj{C_d>clB3ZP}r=;nx
zCK_c*U1K0pX8<3mF{@3{XoCJ>Orb*4!KzZN5B!A#*I~%ET5GH8jn=izjV=7SWg8@R
zWqIw)nKLio=hNah{lA^qp&Rl;f~Nw2f_COp_@TI}Gx#R|A{IaR#p)XU{^48i{rQ)q
z0RMX4XJ3Ec{P3?&SN1;F`l!r4@rAD(z5mg-mfrowTKmbX)*nBpz5KVNa&_aw>Sx~g
z&nL^b->p1+Y59%oFRi?~5#0aI2mktebJqHU|HAKoYyai*xA~vmn|k@3pI=`4@hh*#
z2mko)PiJ5I+2h}BJpR$#D>IkB{r#_h^XZeh-~8(C)1S2eIrqIMwHN>WU+32kzXmT}
L!_UpD8(04aZkIp_

literal 0
HcmV?d00001

diff --git a/ext/phar/tests/files/openssl.phar.pubkey b/ext/phar/tests/files/openssl.phar.pubkey
new file mode 100644
index 0000000000..7dd79ac2bf
--- /dev/null
+++ b/ext/phar/tests/files/openssl.phar.pubkey
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA3ADUiKZIEhekYShzPCZ3LFbg
+rDuV44jH94OdJQfqaCQBvZXqMoG1bWOeYfbc3iO0gHWW3SKB27Sf1ZBnc5c1+YzB
+mx9bFipOX2W2ouKS2YoHeIoR9leDNu4yqwBsuggFPGVPxM9ikEI+YAOGVTCd4mV5
+agpkVsHLNJWbz/nPVwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/ext/phar/tests/files/private.pem b/ext/phar/tests/files/private.pem
new file mode 100644
index 0000000000..e4f4883eb2
--- /dev/null
+++ b/ext/phar/tests/files/private.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDA3ADUiKZIEhekYShzPCZ3LFbgrDuV44jH94OdJQfqaCQBvZXq
+MoG1bWOeYfbc3iO0gHWW3SKB27Sf1ZBnc5c1+YzBmx9bFipOX2W2ouKS2YoHeIoR
+9leDNu4yqwBsuggFPGVPxM9ikEI+YAOGVTCd4mV5agpkVsHLNJWbz/nPVwIDAQAB
+AoGAGiS4qBbuE48ATXQuO5DH1hfYnxQ575Oskw7mdIL0k74SQ3ojvF+kXae6fVni
+UQZ76JgRWKYZa2kRDymwLZXpxVbiGL9dDvQY8ZENDtWOy9s7TDtxNixbZloKBopg
+J7G1B05LgetR3dgFnQOwt+e3kOu72RpS7thyBaUm8zHCRSECQQDw+h5uxE7i9CC8
+KHyJlwGoR28KZgrSpo74yWhQ+b1lzxQ+rk2wToFD/p+WNe/nf78YUl/cq0LngCKH
+Y7t228VLAkEAzOHzAjuDlGGzK6Kpe67iKgXd+GpKwPr9iaFfmzABOkRwQug4LCN7
+skmzCX5pzxqMZW1xNICjeDjWsMA3d4EypQJBAJyXPA1onYaXc2oxuPPD3/zVJpAQ
+TTojp8Z9Qr9T+kJdNV+h7rQB37gqjtOSiynY9nm8lbSUya4bstRd96S+HU8CQQCp
+yBAd6H2oZ7IXVeuHACyRUF1ab5LVCukxtVXJ/2T1CSPSfieWhC0MWMCR/HzoUALK
+RoBKVtOgW9GllRQh5yG1AkARVYbvj0XBy6XUpe5WZsLNWwpw1JreRsygcPXYh8bs
+nxhCdHNHJQ01lRDMjvNLtI8a5YjJE/IeW76T2mPCiJZI
+-----END RSA PRIVATE KEY-----
diff --git a/ext/phar/tests/phar_get_supported_signatures_001.phpt b/ext/phar/tests/phar_get_supported_signatures_001.phpt
index f672c0024b..794da6a942 100644
--- a/ext/phar/tests/phar_get_supported_signatures_001.phpt
+++ b/ext/phar/tests/phar_get_supported_signatures_001.phpt
@@ -3,6 +3,7 @@ Phar::getSupportedSignatures()
 --SKIPIF--
 <?php if (!extension_loaded("phar")) die("skip"); ?>
 <?php if (extension_loaded("hash")) die("skip extension hash conflicts"); ?>
+<?php if (extension_loaded("openssl")) die("skip extension openssl loaded"); ?>
 --INI--
 phar.require_hash=0
 phar.readonly=0
diff --git a/ext/phar/tests/phar_get_supported_signatures_002.phpt b/ext/phar/tests/phar_get_supported_signatures_002.phpt
index ba86947d5d..21bb56d7ea 100644
--- a/ext/phar/tests/phar_get_supported_signatures_002.phpt
+++ b/ext/phar/tests/phar_get_supported_signatures_002.phpt
@@ -3,6 +3,7 @@ Phar::getSupportedSignatures()
 --SKIPIF--
 <?php if (!extension_loaded("phar")) die("skip"); ?>
 <?php if (!extension_loaded("hash")) die("skip extension hash required"); ?>
+<?php if (extension_loaded("openssl")) die("skip extension openssl loaded"); ?>
 --INI--
 phar.require_hash=0
 phar.readonly=0
diff --git a/ext/phar/tests/phar_setsignaturealgo2.phpt b/ext/phar/tests/phar_setsignaturealgo2.phpt
index cc83281b22..57b16097e7 100644
--- a/ext/phar/tests/phar_setsignaturealgo2.phpt
+++ b/ext/phar/tests/phar_setsignaturealgo2.phpt
@@ -3,11 +3,13 @@ Phar::setSupportedSignatures() with hash
 --SKIPIF--
 <?php if (!extension_loaded("phar")) die("skip"); ?>
 <?php if (!extension_loaded("hash")) die("skip extension hash required"); ?>
+<?php if (!extension_loaded("openssl")) die("skip extension openssl required"); ?>
 --INI--
 phar.require_hash=0
 phar.readonly=0
 --FILE--
 <?php
+$fname = dirname(__FILE__) . '/' . basename(__FILE__, '.php') . '.phar';
 $p = new Phar(dirname(__FILE__) . '/brandnewphar.phar', 0, 'brandnewphar.phar');
 $p['file1.txt'] = 'hi';
 var_dump($p->getSignature());
@@ -28,7 +30,10 @@ var_dump($p->getSignature());
 echo $e->getMessage();
 }
 try {
-$p->setSignatureAlgorithm(Phar::PGP);
+$private = openssl_get_privatekey(file_get_contents(dirname(__FILE__) . '/files/private.pem'));
+$pkey = '';
+openssl_pkey_export($private, $pkey);
+$p->setSignatureAlgorithm(Phar::OPENSSL, $pkey);
 var_dump($p->getSignature());
 } catch (Exception $e) {
 echo $e->getMessage();
@@ -36,7 +41,7 @@ echo $e->getMessage();
 ?>
 ===DONE===
 --CLEAN--
-<?php 
+<?php
 unlink(dirname(__FILE__) . '/brandnewphar.phar');
 ?>
 --EXPECTF--
@@ -74,6 +79,6 @@ array(2) {
   ["hash"]=>
   string(%d) "%s"
   ["hash_type"]=>
-  string(5) "SHA-1"
+  string(7) "OpenSSL"
 }
 ===DONE===
diff --git a/ext/phar/tests/test_signaturealgos.phpt b/ext/phar/tests/test_signaturealgos.phpt
index 74f9e639ae..990cf1e66a 100644
--- a/ext/phar/tests/test_signaturealgos.phpt
+++ b/ext/phar/tests/test_signaturealgos.phpt
@@ -3,6 +3,7 @@ Phar: verify signature parsing works
 --SKIPIF--
 <?php if (!extension_loaded("phar")) die("skip"); ?>
 <?php if (!extension_loaded("hash")) die("skip extension hash conflicts"); ?>
+<?php if (!extension_loaded("openssl")) die("skip extension openssl conflicts"); ?>
 --INI--
 phar.require_hash=0
 phar.readonly=0
@@ -20,6 +21,9 @@ var_dump($r['hash_type']);
 $a = new Phar(dirname(__FILE__) . '/files/md5.phar');
 $r = $a->getSignature();
 var_dump($r['hash_type']);
+$a = new Phar(dirname(__FILE__) . '/files/openssl.phar');
+$r = $a->getSignature();
+var_dump($r['hash_type']);
 ?>
 ===DONE===
 --EXPECT--
@@ -27,4 +31,5 @@ string(5) "SHA-1"
 string(7) "SHA-512"
 string(7) "SHA-256"
 string(3) "MD5"
+string(7) "OpenSSL"
 ===DONE===
-- 
2.40.0