<?php

[0] Fix | Delete

class wfCrypt {

[1] Fix | Delete

private static function getPubKey(){

[2] Fix | Delete

#Command to generate our keypair was: openssl req -x509 -newkey rsa:2048 -keyout mycert.key -out mycert.pem -nodes -subj "/C=US/ST=Washington/L=Seattle/O=Wordfence/OU=IT/CN=wordfence.com" -days 7300

[3] Fix | Delete

#This is a 2048 bit key using SHA256 with RSA.

[4] Fix | Delete

$key = <<<ENDKEY

[5] Fix | Delete

-----BEGIN CERTIFICATE-----

[6] Fix | Delete

MIIDrTCCApWgAwIBAgIJAIg6Va5tcvwyMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNV

[7] Fix | Delete

BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRIw

[8] Fix | Delete

EAYDVQQKDAlXb3JkZmVuY2UxCzAJBgNVBAsMAklUMRYwFAYDVQQDDA13b3JkZmVu

[9] Fix | Delete

Y2UuY29tMB4XDTE1MDMxMjA1NTIzMFoXDTM1MDMwNzA1NTIzMFowbTELMAkGA1UE

[10] Fix | Delete

BhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEjAQ

[11] Fix | Delete

BgNVBAoMCVdvcmRmZW5jZTELMAkGA1UECwwCSVQxFjAUBgNVBAMMDXdvcmRmZW5j

[12] Fix | Delete

ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/9Ogj1PIQsuZu

[13] Fix | Delete

dTUNWlG0zaDNWpeY1ZiB/6oBS/YXkGFuG8R/nZ/kYsRmBm6yRp/3jC/HiPjg+7Zc

[14] Fix | Delete

bA/CKoHdUlNjFZ+10DmS369wVX+c0oV9f720b/a0xN0qeKxJTiN2NsAl5szYv2CQ

[15] Fix | Delete

Bvzjeb5VfKgrfV9tgYr38swudxvexponYaK0OlDL3u/Xca4SLRKmB+ZYCcZJttoG

[16] Fix | Delete

SNFsQMlLHWWmM0FJH9qZ3x8MtRM5KsNEWO+/op511Rr36ZnLJdzUnETsaxHKwuCv

[17] Fix | Delete

0+D9b0mwk8K/c67l63v4+zywXNkdYIslgo7Aeeyb6t0lyyfruXutEyMinmApACT2

[18] Fix | Delete

sDMAbYk7AgMBAAGjUDBOMB0GA1UdDgQWBBTstr/AoPQyLLIt4/peFSjj0FFXHzAf

[19] Fix | Delete

BgNVHSMEGDAWgBTstr/AoPQyLLIt4/peFSjj0FFXHzAMBgNVHRMEBTADAQH/MA0G

[20] Fix | Delete

CSqGSIb3DQEBCwUAA4IBAQA9HsK+XdZh2MGP2SDdggA+MxkNBCCFBtcsmQrpiLUW

[21] Fix | Delete

67xt59FPRMwTgSA9Lt8uqcWaXoHXiaTnXTRtN/BKZR0F71HQfiV6zy511blIRlk2

[22] Fix | Delete

nV+vYzwLUENCZ31hQEZsY+uYqBSTiHecUKohn8A9pOOEpis2YEn2zVo4cobdyGa1

[23] Fix | Delete

zCnaAN99KT8s9lOO0UW0J52qZhvv4y8YhELtrXKBsFatGEsVIM0NFI+ZDsNpMnSQ

[24] Fix | Delete

cmUtLiIJtk5hxNbOaIz2vzbOkbzJ3ehzODJ1X5rya7X0v2akLLhwP9jqz5ua6ttP

[25] Fix | Delete

duLv4Q6v3LY6pwDoyKQMDqNNxVjaFmx5HyFWRPofpu/T

[26] Fix | Delete

-----END CERTIFICATE-----

[27] Fix | Delete

ENDKEY;

[28] Fix | Delete

return $key;

[29] Fix | Delete

}

[30] Fix | Delete

public static function makeSymHexKey($length){

[31] Fix | Delete

return bin2hex(wfWAFUtils::random_bytes($length / 2));

[32] Fix | Delete

}

[33] Fix | Delete

public static function pubCrypt($symKey){ //encrypts a symmetric key and returns it base64

[34] Fix | Delete

openssl_public_encrypt($symKey, $encSymKey, self::getPubKey(), OPENSSL_PKCS1_OAEP_PADDING); //The default OPENSSL_PKCS1_PADDING is deprecated.

[35] Fix | Delete

return base64_encode($encSymKey);

[36] Fix | Delete

}

[37] Fix | Delete

[38] Fix | Delete

/**

[39] Fix | Delete

* Returns the payload symmetrically encrypted and signed by the noc1 public key. The payload is converted to JSON,

[40] Fix | Delete

* encrypted using a randomly-generated symmetric key, and then hashed and signed with the noc1 public key.

[41] Fix | Delete

*

[42] Fix | Delete

* This is NOT cryptographically secure for verifying that this server sent or was aware of the context of the

[43] Fix | Delete

* message, rather it is intended to be used in tandem with verification via another method (e.g., a call that

[44] Fix | Delete

* validates due to the site URL matching the license key or noc1 does a call itself to the server to retrieve the

[45] Fix | Delete

* encrypted payload). It is solely a means to provide data to noc1 that only it can read.

[46] Fix | Delete

*

[47] Fix | Delete

* @param array $payload

[48] Fix | Delete

* @return array The encrypted and signed payload in the form array('message' => <encrypted message in hex>, 'signature' => <signature in hex>).

[49] Fix | Delete

*/

[50] Fix | Delete

public static function noc1_encrypt($payload) {

[51] Fix | Delete

$payloadJSON = json_encode($payload);

[52] Fix | Delete

[53] Fix | Delete

$keyData = file_get_contents(dirname(__FILE__) . '/noc1.key');

[54] Fix | Delete

$key = @openssl_get_publickey($keyData);

[55] Fix | Delete

if ($key !== false) {

[56] Fix | Delete

$symmetricKey = wfWAFUtils::random_bytes(32);

[57] Fix | Delete

$iv = wfWAFUtils::random_bytes(16);

[58] Fix | Delete

$encrypted = @openssl_encrypt($payloadJSON, 'aes-256-cbc', $symmetricKey, OPENSSL_RAW_DATA, $iv);

[59] Fix | Delete

if ($encrypted !== false) {

[60] Fix | Delete

$success = openssl_public_encrypt($symmetricKey, $symmetricKeyEncrypted, $key, OPENSSL_PKCS1_OAEP_PADDING);

[61] Fix | Delete

if ($success) {

[62] Fix | Delete

$message = $iv . $symmetricKeyEncrypted . $encrypted;

[63] Fix | Delete

$signatureRaw = hash('sha256', $message, true);

[64] Fix | Delete

$success = openssl_public_encrypt($signatureRaw, $signature, $key, OPENSSL_PKCS1_OAEP_PADDING);

[65] Fix | Delete

if ($success) {

[66] Fix | Delete

$package = array('message' => bin2hex($message), 'signature' => bin2hex($signature));

[67] Fix | Delete

return $package;

[68] Fix | Delete

}

[69] Fix | Delete

}

[70] Fix | Delete

}

[71] Fix | Delete

}

[72] Fix | Delete

return array();

[73] Fix | Delete

}

[74] Fix | Delete

[75] Fix | Delete

/**

[76] Fix | Delete

* Returns a SHA256 HMAC for $payload using the local long key.

[77] Fix | Delete

*

[78] Fix | Delete

* @param $payload

[79] Fix | Delete

* @return false|string

[80] Fix | Delete

*/

[81] Fix | Delete

public static function local_sign($payload) {

[82] Fix | Delete

return hash_hmac('sha256', $payload, wfConfig::get('longEncKey'));

[83] Fix | Delete

}

[84] Fix | Delete

}

[85] Fix | Delete

[86] Fix | Delete