[EasyEncryption] Fixes some bugs in AwsPkcs11Encryptor (#1345)

* [EasyEncryption] Fixes some bugs in `AwsPkcs11Encryptor`. * [EasyEncryption] Fixes some bugs in `AwsPkcs11Encryptor`. * [EasyEncryption] Fixes some bugs in `AwsPkcs11Encryptor`.
eonx-com · Feb 2, 2024 · 274164c · 274164c
1 parent 98e2eba
commit 274164c
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 29 deletions.
diff --git a/packages/EasyEncryption/src/AwsPkcs11Encryptor.php b/packages/EasyEncryption/src/AwsPkcs11Encryptor.php
@@ -101,8 +101,6 @@ protected function doEncrypt(
     private function configureAwsCloudHsmSdk(): void
     {
         $filesystem = new Filesystem();
-        $cmd = [self::AWS_CLOUDHSM_CONFIGURE_TOOL];
-        $options = $this->awsCloudHsmSdkOptions ?? [];
         $isSetHsmIpAddress = $this->isNonEmptyString($this->hsmIpAddress);
         $isSetCloudHsmClusterId = $this->isNonEmptyString($this->cloudHsmClusterId);
         $isSetServerClientCertFile = $this->isNonEmptyString($this->serverClientCertFile);
@@ -114,7 +112,6 @@ private function configureAwsCloudHsmSdk(): void
                 $this->hsmCaCert
             ));
         }
-
         if ($isSetHsmIpAddress === false && $isSetCloudHsmClusterId === false) {
             throw new InvalidConfigurationException(
                 'At least HSM IP address or CloudHSM cluster id has to be set'
@@ -125,6 +122,11 @@ private function configureAwsCloudHsmSdk(): void
                 'Both HSM IP address and CloudHSM cluster id options cannot be set at the same time'
             );
         }
+        if ($isSetServerClientCertFile !== $isSetServerClientKeyFile) {
+            throw new InvalidConfigurationException('Both Server Client Cert and Key must be set at the same time');
+        }
+
+        $options = $this->awsCloudHsmSdkOptions ?? [];
 
         if ($isSetHsmIpAddress) {
             $options['-a'] = $this->hsmIpAddress;
@@ -136,33 +138,32 @@ private function configureAwsCloudHsmSdk(): void
         $options['--hsm-ca-cert'] = $this->hsmCaCert;
         $options['--region'] = $this->awsRegion;
 
-        if (($isSetServerClientCertFile && $isSetServerClientKeyFile === false)
-            || ($isSetServerClientKeyFile && $isSetServerClientCertFile === false)) {
-            throw new InvalidConfigurationException('Both Server Client Cert and Key must be set at the same time');
-        }
-
-        $sslFiles = [
-            '--server-client-cert-file' => $this->serverClientCertFile,
-            '--server-client-key-file' => $this->serverClientKeyFile,
-        ];
-
-        /** @var string $filename */
-        foreach ($sslFiles as $option => $filename) {
-            if ($filesystem->exists($filename) === false) {
-                throw new InvalidConfigurationException(\sprintf(
-                    'Filename "%s" for option "%s" does not exist',
-                    $filename,
-                    $option
-                ));
+        if ($isSetServerClientCertFile && $isSetServerClientKeyFile) {
+            $sslFiles = [
+                '--server-client-cert-file' => $this->serverClientCertFile,
+                '--server-client-key-file' => $this->serverClientKeyFile,
+            ];
+
+            /** @var string $filename */
+            foreach ($sslFiles as $option => $filename) {
+                if ($filesystem->exists($filename) === false) {
+                    throw new InvalidConfigurationException(\sprintf(
+                        'Filename "%s" for option "%s" does not exist',
+                        $filename,
+                        $option
+                    ));
+                }
+
+                $options[$option] = $filename;
             }
-
-            $options[$option] = $filename;
         }
 
         if ($this->disableKeyAvailabilityCheck) {
             $options[] = '--disable-key-availability-check';
         }
 
+        $cmd = [self::AWS_CLOUDHSM_CONFIGURE_TOOL];
+
         foreach ($options as $option => $value) {
             \is_string($option)
                 ? \array_push($cmd, $option, $value)
@@ -204,7 +205,7 @@ private function findKey(?string $keyName = null): object
             \Pkcs11\CKA_LABEL => $keyName,
         ]) ?? [];
 
-        if (\is_array($objects) || \count($objects) > 0) {
+        if (\is_array($objects) && \count($objects) > 0) {
             return $this->keys[$keyName] = $objects[0];
         }
 
@@ -235,18 +236,19 @@ private function init(): void
 
         $this->module ??= new Module(self::AWS_CLOUDHSM_EXTENSION);
 
-        $this->session = $this->module->openSession($this->module->getSlotList()[0], \Pkcs11\CKF_RW_SESSION);
-        $this->session->login(\Pkcs11\CKU_USER, $this->userPin);
+        $session = $this->module->openSession($this->module->getSlotList()[0], \Pkcs11\CKF_RW_SESSION);
+        $session->login(\Pkcs11\CKU_USER, $this->userPin);
+
+        $this->session = $session;
     }
 
     private function isNonEmptyString(mixed $string): bool
     {
         return \is_string($string) && $string !== '';
     }
 
-    private function validateKey(
-        EncryptionKey|EncryptionKeyPair|array|string|null $key = null,
-    ): void {
+    private function validateKey(EncryptionKey|EncryptionKeyPair|array|string|null $key = null): void
+    {
         if ($key !== null && $this->isNonEmptyString($key) === false) {
             throw new InvalidEncryptionKeyException(\sprintf(
                 'Encryption key must be either null or string for %s',

diff --git a/packages/EasyEncryption/src/Interfaces/AwsPkcs11EncryptorInterface.php b/packages/EasyEncryption/src/Interfaces/AwsPkcs11EncryptorInterface.php
@@ -5,4 +5,5 @@
 
 interface AwsPkcs11EncryptorInterface extends EncryptorInterface
 {
+    public function reset(): void;
 }