ZF-8846: Incomplete Public Key assumption for PEM in Rsa.php


ZF currently assumes the public key should be derived automatically from the Zend_Crypt_Rsa_Key_Private in function setPemString from Rsa.php. This assumption may deny valid usage when using PEM formatted keys, and using an operation such as verifySignature which does not necessarily need the private key.

For example, usage such as:

    $rsa = new Zend_Crypt_Rsa(array('pemPath'=>'smth.pem'));
    $resp = $rsa->verifySignature($dataToCheck, $token, Zend_Crypt_Rsa::BASE64);

where smth.pem contains only the public key will throw an exception in ZF 1.9.7 (tested starting with 1.8.0).

One possible solution would be to try to import the public key, in case generation from private key failed.

    public function setPemString($value)
    {
        $this->_pemString = $value;
        try {
            // Treat the PEM as a private key and derive the public key from it.
            $this->_privateKey = new Zend_Crypt_Rsa_Key_Private($this->_pemString, $this->_passPhrase);
            $this->_publicKey = $this->_privateKey->getPublicKey();
        } catch (Zend_Crypt_Exception $ex) {
            // No usable private key: load the PEM as a public key only.
            $this->_privateKey = null;
            $this->_publicKey = new Zend_Crypt_Rsa_Key_Public($this->_pemString);
        }
    }
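The public-key-only verification case from this report, as an added example written against PHP's openssl extension rather than Zend_Crypt_Rsa (it is not code from the issue or from ZF). The helper name loadRsaPem() is hypothetical, the key pair is constructed at run time, and unlike the try/catch fallback above it selects the parser from the PEM label, so a wrong passphrase on a private key is reported instead of being retried as a public key.

```php
<?php
// Added illustration using PHP's openssl extension; not Zend_Crypt_Rsa code.
// loadRsaPem() is a hypothetical helper name.

function loadRsaPem(string $pem, ?string $passPhrase = null): array
{
    // Pick the parser from the PEM label so that a bad passphrase on a
    // private key surfaces as an error rather than a public-key fallback.
    if (preg_match('/-----BEGIN (?:RSA |ENCRYPTED )?PRIVATE KEY-----/', $pem)) {
        $private = openssl_pkey_get_private($pem, $passPhrase ?? '');
        if ($private === false) {
            throw new RuntimeException('Private key could not be loaded');
        }
        // Derive the public half from the private key.
        $details = openssl_pkey_get_details($private);
        return [
            'private' => $private,
            'public'  => openssl_pkey_get_public($details['key']),
        ];
    }

    // No private-key label: the PEM can only supply a public key.
    $public = openssl_pkey_get_public($pem);
    if ($public === false) {
        throw new RuntimeException('PEM contains no usable key');
    }
    return ['private' => null, 'public' => $public];
}

// Constructed sample data: a throwaway RSA key pair generated at run time.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicPem = openssl_pkey_get_details($pair)['key'];

// The signer holds the private key.
$data = 'message to check';
openssl_sign($data, $signature, $pair, OPENSSL_ALGO_SHA256);

// The verifier holds only the public PEM, as in the smth.pem case above.
$keys = loadRsaPem($publicPem);
var_dump($keys['private'] === null);
var_dump(openssl_verify($data, $signature, $keys['public'], OPENSSL_ALGO_SHA256) === 1);
// A modified message must not verify against the same signature.
var_dump(openssl_verify($data . 'x', $signature, $keys['public'], OPENSSL_ALGO_SHA256) === 1);
```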



Fixed in r22041