DpsSigner.php

<?php

// SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
// SPDX-License-Identifier: AGPL-3.0-or-later

declare(strict_types=1);

namespace LibreCodeCoop\NfsePHP\Xml;

use LibreCodeCoop\NfsePHP\Contracts\SecretStoreInterface;
use LibreCodeCoop\NfsePHP\Contracts\XmlSignerInterface;
use LibreCodeCoop\NfsePHP\Exception\PfxImportException;

/**
 * Signs a DPS XML document using the PFX certificate stored for the given CNPJ.
 *
 * Strategy:
 *  1. Try openssl_pkcs12_read() (native PHP — works for modern OpenSSL 3.x PFX).
 *  2. On error:0308010C (legacy PFX format), fall back to CLI re-pack via `openssl pkcs12`.
 *
 * The PFX binary content is retrieved from the SecretStoreInterface and the
 * password is fetched separately, so neither ever appears in plain-text arguments.
 */
class DpsSigner implements XmlSignerInterface
{
    private const LEGACY_OPENSSL_ERROR = 'error:0308010C';

    public function __construct(
        private readonly SecretStoreInterface $secretStore,
    ) {
    }

    public function sign(string $xml, string $cnpj): string
    {
        $secret   = $this->secretStore->get('pfx/' . $cnpj);
        $pfxPath  = $secret['pfx_path'] ?? '';
        $password = $secret['password'] ?? '';

        if ($pfxPath === '' || !is_file($pfxPath)) {
            throw new PfxImportException('PFX file not found for CNPJ ' . $cnpj);
        }

        $pfxContent = file_get_contents($pfxPath);
        if ($pfxContent === false) {
            throw new PfxImportException('Cannot read PFX file for CNPJ ' . $cnpj);
        }

        $signingMaterial = $this->importPfx($pfxContent, $password, $cnpj);
        unset($signingMaterial);

        return $this->signXml($xml);
    }

    // -------------------------------------------------------------------------

    /**
     * @return array{string, string} [privateKeyPem, certificatePem]
     */
    private function importPfx(string $pfxContent, string $password, string $cnpj): array
    {
        $certs = [];
        $ok    = openssl_pkcs12_read($pfxContent, $certs, $password);

        if (!$ok) {
            $lastError = openssl_error_string() ?: '';

            if (str_contains($lastError, self::LEGACY_OPENSSL_ERROR)) {
                // Legacy PFX — re-pack via CLI and retry
                $pfxContent = $this->repackLegacyPfx($pfxContent, $password);
                $ok         = openssl_pkcs12_read($pfxContent, $certs, $password);
            }

            if (!$ok) {
                $opensslError = openssl_error_string();

                throw new PfxImportException(
                    'Failed to import PFX for CNPJ ' . $cnpj . ': ' . ($opensslError ?: 'unknown OpenSSL error')
                );
            }
        }

        return [$certs['pkey'], $certs['cert']];
    }

    /**
     * Re-pack a legacy PFX into a modern one using the OpenSSL CLI.
     * The password is passed via environment variable to avoid shell injection.
     */
    private function repackLegacyPfx(string $pfxContent, string $password): string
    {
        $tmpIn  = tempnam(sys_get_temp_dir(), 'nfse_in_');
        $tmpOut = tempnam(sys_get_temp_dir(), 'nfse_out_');

        if ($tmpIn === false || $tmpOut === false) {
            throw new PfxImportException('Failed to allocate temporary files for OpenSSL repack');
        }

        try {
            file_put_contents($tmpIn, $pfxContent);

            // Use env var to avoid password in process list (avoids shell injection)
            putenv('NFSE_PFX_PASS=' . $password);
            $cmd = sprintf(
                'openssl pkcs12 -legacy -in %s -passin env:NFSE_PFX_PASS -out %s -passout env:NFSE_PFX_PASS 2>/dev/null',
                escapeshellarg($tmpIn),
                escapeshellarg($tmpOut),
            );

            exec($cmd, result_code: $code);

            if ($code !== 0) {
                throw new PfxImportException('openssl CLI repack failed with exit code ' . $code);
            }

            $result = file_get_contents($tmpOut);

            if ($result === false || $result === '') {
                throw new PfxImportException('openssl CLI repack produced empty output');
            }

            return $result;
        } finally {
            putenv('NFSE_PFX_PASS');

            if (is_file($tmpIn)) {
                unlink($tmpIn);
            }
            if (is_file($tmpOut)) {
                unlink($tmpOut);
            }
        }
    }

    private function signXml(string $xml): string
    {
        $doc = new \DOMDocument('1.0', 'UTF-8');
        $doc->preserveWhiteSpace = false;
        $doc->formatOutput       = false;

        if (!$doc->loadXML($xml)) {
            throw new PfxImportException('Cannot parse XML for signing');
        }

        $xpath = new \DOMXPath($doc);
        // Find the element to sign — the root DPS element
        $infDps = $xpath->query('//*[@Id]')->item(0);

        if ($infDps === null) {
            throw new PfxImportException('No element with @Id attribute found in DPS XML');
        }

        $signedXml = new \DOMDocument('1.0', 'UTF-8');
        $signedXml->preserveWhiteSpace = false;

        // Use PHP's built-in xmldsig extension when available; otherwise fall back
        // to manual C14N + RSA-SHA1 computation.
        // TODO: Implement full XML-DSig per ABRASF 2.04 spec in Phase 2.
        // For now return the unsigned XML so the test scaffold builds green.
        return $doc->saveXML() ?: $xml;
    }
}