mirror of
https://github.com/nuxsmin/sysPass.git
synced 2026-03-05 08:04:09 +01:00
234 lines
6.8 KiB
PHP
234 lines
6.8 KiB
PHP
<?php
|
|
/*
|
|
* sysPass
|
|
*
|
|
* @author nuxsmin
|
|
* @link https://syspass.org
|
|
* @copyright 2012-2024, Rubén Domínguez nuxsmin@$syspass.org
|
|
*
|
|
* This file is part of sysPass.
|
|
*
|
|
* sysPass is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* sysPass is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
namespace SP\Domain\Export\Services;
|
|
|
|
use DOMDocument;
|
|
use DOMElement;
|
|
use DOMXPath;
|
|
use SP\Core\Application;
|
|
use SP\Core\Crypt\Hash;
|
|
use SP\Domain\Common\Services\Service;
|
|
use SP\Domain\Common\Services\ServiceException;
|
|
use SP\Domain\Core\Crypt\CryptInterface;
|
|
use SP\Domain\Core\Exceptions\CryptException;
|
|
use SP\Domain\Export\Ports\XmlVerifyService;
|
|
use SP\Util\VersionUtil;
|
|
|
|
use function SP\__u;
|
|
|
|
/**
|
|
* Class XmlVerify
|
|
*
|
|
* Verify a sysPass exported file format
|
|
*/
|
|
final class XmlVerify extends Service implements XmlVerifyService
|
|
{
|
|
use XmlTrait;
|
|
|
|
private const NODES = ['Category', 'Client', 'Tag', 'Account'];
|
|
private const XML_MIN_VERSION = [2, 1, 0, 0];
|
|
private readonly DOMDocument $document;
|
|
|
|
public function __construct(
|
|
Application $application,
|
|
private readonly CryptInterface $crypt,
|
|
private readonly string $schema = XML_SCHEMA
|
|
) {
|
|
parent::__construct($application);
|
|
|
|
$this->document = new DOMDocument('1.0', 'UTF-8');
|
|
}
|
|
|
|
/**
|
|
* @param string $xmlFile
|
|
* @param string|null $password
|
|
* @return VerifyResult
|
|
* @throws ServiceException
|
|
*/
|
|
public function verify(string $xmlFile, ?string $password = null): VerifyResult
|
|
{
|
|
$self = clone $this;
|
|
|
|
$self->setup($xmlFile);
|
|
$self->validateSchema();
|
|
|
|
$version = $self->getXmlVersion();
|
|
|
|
self::checkVersion($version);
|
|
|
|
if (!self::checkXmlHash($self->document, $password ?? $self->config->getConfigData()->getPasswordSalt())) {
|
|
throw ServiceException::error(__u('Error while checking integrity hash'));
|
|
}
|
|
|
|
if (!empty($password)) {
|
|
$self->checkPassword($password);
|
|
$self->processEncrypted($password);
|
|
}
|
|
|
|
return new VerifyResult($version, $self->detectEncrypted(), $self->countItemNodes());
|
|
}
|
|
|
|
/**
|
|
* @throws ServiceException
|
|
*/
|
|
private function setup(string $file): void
|
|
{
|
|
if (!$this->document->load($file, LIBXML_NOBLANKS)) {
|
|
$error = libxml_get_last_error();
|
|
throw ServiceException::error('Unable to load XML file', $error->message);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @throws ServiceException
|
|
*/
|
|
private function validateSchema(): void
|
|
{
|
|
if (!$this->document->schemaValidate($this->schema)) {
|
|
$error = libxml_get_last_error();
|
|
throw ServiceException::error('Invalid XML schema', $error->message);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Obtener la versión del XML
|
|
*/
|
|
private function getXmlVersion(): string
|
|
{
|
|
return (new DOMXPath($this->document))->query('/Root/Meta/Version')->item(0)->nodeValue;
|
|
}
|
|
|
|
/**
|
|
* @throws ServiceException
|
|
*/
|
|
private static function checkVersion(string $version): void
|
|
{
|
|
if (VersionUtil::checkVersion($version, [self::XML_MIN_VERSION])) {
|
|
throw ServiceException::error(
|
|
sprintf(
|
|
'Sorry, this XML version is not compatible. Please use >= %s',
|
|
implode('.', array_slice(self::XML_MIN_VERSION, 0, 2))
|
|
)
|
|
);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Obtener la versión del XML
|
|
*/
|
|
public static function checkXmlHash(DOMDocument $document, string $key): bool
|
|
{
|
|
$xpath = new DOMXPath($document);
|
|
$hash = $xpath->query('/Root/Meta/Hash')->item(0)?->nodeValue;
|
|
$sign = $xpath->query('/Root/Meta/Hash/@sign')->item(0)?->nodeValue;
|
|
|
|
if (!empty($hash) && !empty($sign)) {
|
|
return Hash::checkMessage($hash, $key, $sign);
|
|
}
|
|
|
|
return $hash !== null && $hash === self::generateHashFromNodes($document);
|
|
}
|
|
|
|
/**
|
|
* @throws ServiceException
|
|
*/
|
|
private function checkPassword(string $password): void
|
|
{
|
|
$hash = $this->document
|
|
->getElementsByTagName('Encrypted')
|
|
->item(0)
|
|
->attributes
|
|
?->getNamedItem('hash')
|
|
->nodeValue;
|
|
|
|
if (empty($hash) || !Hash::checkHashKey($password, $hash)) {
|
|
throw ServiceException::error(__u('Wrong encryption password'));
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Process the encrypted data and then build the unencrypted DOM
|
|
*
|
|
* @throws ServiceException
|
|
*/
|
|
private function processEncrypted(string $password): DOMDocument
|
|
{
|
|
$dataNodes = (new DOMXPath($this->document))->query('/Root/Encrypted/Data');
|
|
|
|
$decode = VersionUtil::checkVersion($this->getXmlVersion(), '320.0');
|
|
|
|
/** @var $node DOMElement */
|
|
foreach ($dataNodes as $node) {
|
|
$data = $decode ? base64_decode($node->nodeValue) : $node->nodeValue;
|
|
|
|
try {
|
|
$xmlDecrypted = $this->crypt->decrypt($data, $node->getAttribute('key'), $password);
|
|
} catch (CryptException $e) {
|
|
throw ServiceException::error(__u('Wrong encryption password'), null, $e->getCode(), $e);
|
|
}
|
|
|
|
$newXmlData = new DOMDocument('1.0', 'UTF-8');
|
|
|
|
if (!$newXmlData->loadXML($xmlDecrypted)) {
|
|
throw ServiceException::error(__u('Error loading XML data'));
|
|
}
|
|
|
|
$this->document
|
|
->documentElement
|
|
->appendChild($this->document->importNode($newXmlData->documentElement, true));
|
|
}
|
|
|
|
// Remove the encrypted data after processing
|
|
$this->document->documentElement->removeChild($dataNodes->item(0)->parentNode);
|
|
|
|
// Validate XML schema again after processing the encrypted data
|
|
$this->validateSchema();
|
|
|
|
return $this->document;
|
|
}
|
|
|
|
/**
|
|
* Verificar si existen datos encriptados
|
|
*/
|
|
private function detectEncrypted(): bool
|
|
{
|
|
return $this->document->getElementsByTagName('Encrypted')->length > 0;
|
|
}
|
|
|
|
/**
|
|
* @return int[]
|
|
*/
|
|
private function countItemNodes(): array
|
|
{
|
|
$result = [];
|
|
|
|
foreach (self::NODES as $node) {
|
|
$result[$node] = $this->document->getElementsByTagName($node)->length;
|
|
}
|
|
|
|
return $result;
|
|
}
|
|
}
|