brefphp / extra-php-extensions

Community-maintained extra PHP extensions usable in AWS Lambda with the Bref PHP runtimes.
https://bref.sh/docs/environment/php.html#extra-extensions

gnupg: Invalid crypto engine #556

Open davidsickmiller opened 2 days ago

davidsickmiller commented 2 days ago

It seems https://github.com/brefphp/extra-php-extensions/issues/443 made progress but did not entirely fix the gnupg extension.

Here's a compact way to reproduce:

serverless.yml:

service: app

provider:
    name: aws
    region: us-east-1

plugins:
    - ./vendor/bref/bref
    - ./vendor/bref/extra-php-extensions

functions:
    api:
        handler: index.php
        description: ''
        runtime: php-82-fpm
        layers:
            - ${bref-extra:gnupg-php-82}
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        events:
            -   httpApi: '*'

# Exclude files from deployment
package:
    patterns:
        - '!node_modules/**'
        - '!tests/**'

index.php:

<?php

$private_key = '
-----BEGIN PGP PRIVATE KEY BLOCK-----

lFgEZvWkVhYJKwYBBAHaRw8BAQdADyH8X242kfSuOH4zYalDZpLW/iqWMmkNUMcc
2DCIDCIAAP4wZkLqfwIv3ZS49ZfzaEDdR0TNGa0iC8ya54Q9g00orxCdtCdEYXZp
ZCBTaWNrbWlsbGVyIDxkYXZpZEBzaWNrbWlsbGVyLmNvbT6IkwQTFgoAOxYhBIOg
Mqw1sH8uJUF5wec8VyIdSJLgBQJm9aRWAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMB
Ah4HAheAAAoJEOc8VyIdSJLgnWIA/0WeDxs/OHFcR64Q7vDOuVVFaRdB1JTKkgbv
vOO7soPUAQDhXCSMHRdqbpxapnTPzoJqXVpQudBy3ORsGoJg3IudCJxdBGb1pFYS
CisGAQQBl1UBBQEBB0Cm79TUlhkBtq9JmhzUDg+E2xMh05jhnE3zx7lHyplMCgMB
CAcAAP9sQJOadtcbVaxej0HwENHUhsr7YsyisEofr1LSFG0b4BGXiHgEGBYKACAW
IQSDoDKsNbB/LiVBecHnPFciHUiS4AUCZvWkVgIbDAAKCRDnPFciHUiS4DNKAQDl
r6VSAtZyVfavlhoj0nfygwJrPgnrX1My1Jt1HQcQ0AD+LpPqHPwkegE9FgiYoitO
b3DF7c+lM/KU5/TPymFlPgs=
=F8cF
-----END PGP PRIVATE KEY BLOCK-----
';
$cipher_text = '
-----BEGIN PGP MESSAGE-----

hF4D6aX1CVD1e6ASAQdAjZDl2T5tqc2zNmhHjz8Uw2wdm2W/Aeb2GJ9LY0jR6Gkw
M6K3Csqqrz+K20hGYtlCb96wC0smo/o2Llx5zGBRvZXtI7LqKlH2FJ9vBvPBJ17L
1FUBCQIQ3ayc6tSeesT/ovmdAEikHjO/yvsLYnTzpixCRc8A14cTJdjsILr2o4Np
aGvZ6CBZ+08cU1Z7jVT3yIRu+Xp0/k883pc5uuesnlD4//b5DYek
=YYfC
-----END PGP MESSAGE-----
';

// /tmp is the only writable path in Lambda, so the keyring must live there
$gpg = new gnupg(['home_dir' => '/tmp']);
// import() returns an info array (with the key fingerprint) or false on failure
$info = $gpg->import($private_key);
if ($info === false) {
    echo "Error after import():\n";
    echo "Error: " . $gpg->geterror() . "\n";
    echo "Errorinfo: " . print_r($gpg->geterrorinfo(), true) . "\n";
    exit(1);
}
// the test key has an empty passphrase
if ($gpg->adddecryptkey($info['fingerprint'], '') === false) {
    echo "Error after adddecryptkey():\n";
    echo "Error: " . $gpg->geterror() . "\n";
    echo "Errorinfo: " . print_r($gpg->geterrorinfo(), true) . "\n";
    exit(1);
}
$plaintext = $gpg->decrypt($cipher_text);
if ($plaintext === false) {
    echo "Error after decrypt():\n";
    echo "Error: " . $gpg->geterror() . "\n";
    echo "Errorinfo: " . print_r($gpg->geterrorinfo(), true) . "\n";
    exit(1);
}

echo "plaintext is:\n$plaintext\n";

Expected output:

plaintext is:
test message

Actual output:

Error after import():
Error: import failed
Errorinfo: Array
(
    [generic_message] => import failed
    [gpgme_code] => 117440662
    [gpgme_source] => GPGME
    [gpgme_message] => Invalid crypto engine
)

davidsickmiller commented 2 days ago

I found a SO post where someone explained how they built the gpg CLI tool to run on AWS Lambda: https://stackoverflow.com/a/74550493/718475

I see they additionally included libksba and npth, in addition to what bref has here: https://github.com/brefphp/aws-lambda-layers/commit/6fd602b0dd81bd088bffcf4b59a603446d5e60a6#diff-e19f7bc59a823b79d6ff9dccd85f850cfd902c1c1874c1f92ce46a7cf9891a20R40

Those two are also on this list of "Libraries required to build GnuPG": https://www.gnupg.org/software/libraries.html

Maybe we're just missing those two files?
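Two checks that make the report above easier to triage, as an added example that is not code from the issue or from the bref project. The first decodes the `gpgme_code` value from the Errorinfo using the libgpg-error layout (error source in bits 24-30, error code in the low 16 bits), which shows it is `GPG_ERR_INV_ENGINE` raised by GPGME itself, i.e. GPGME could not run a usable gpg binary. The second runs `ldd` on the gpg binary shipped in the layer and lists shared libraries the loader cannot resolve, which is how a missing libksba or npth would show up. The binary path `/opt/bin/gpg`, the `GPG_BINARY` environment variable and the availability of `ldd` in the execution environment are assumptions, not something the layer documents.

```php
<?php
// Added example, not part of the issue or the bref project.
// Assumptions: gpg from the layer is at /opt/bin/gpg (override with GPG_BINARY),
// `ldd` exists in the execution environment, and exec() is not disabled.

declare(strict_types=1);

/**
 * Split a libgpg-error value (what the extension reports as gpgme_code) into
 * its error-source and error-code parts, following libgpg-error's layout:
 * source = (err >> 24) & 0x7f, code = err & 0xffff.
 */
function decodeGpgError(int $gpgmeCode): array
{
    $source = ($gpgmeCode >> 24) & 0x7f;
    $code   = $gpgmeCode & 0xffff;

    // Only the values relevant to this report; the full lists are in
    // libgpg-error's err-sources.h.in and err-codes.h.in.
    $sources = [7 => 'GPG_ERR_SOURCE_GPGME'];
    $codes   = [150 => 'GPG_ERR_INV_ENGINE'];

    return [
        'source' => $sources[$source] ?? "source #$source",
        'code'   => $codes[$code] ?? "code #$code",
    ];
}

/**
 * Run `ldd` on the gpg binary and return the shared libraries the dynamic
 * loader cannot resolve. GPGME reports GPG_ERR_INV_ENGINE when the engine
 * binary exists but cannot be executed, and unresolved libraries are the
 * usual cause of that inside a Lambda layer.
 */
function missingSharedLibraries(string $gpgBinary): array
{
    if (!is_executable($gpgBinary)) {
        return ["$gpgBinary is not executable or not present"];
    }

    $lines = [];
    exec('ldd ' . escapeshellarg($gpgBinary) . ' 2>&1', $lines);

    $missing = [];
    foreach ($lines as $line) {
        // ldd prints "libksba.so.8 => not found" for each unresolved library
        if (preg_match('/^\s*(\S+)\s*=>\s*not found/', $line, $m)) {
            $missing[] = $m[1];
        }
    }
    return $missing;
}

// 117440662 is the gpgme_code from the Errorinfo in the report above
$decoded = decodeGpgError(117440662);
printf("gpgme_code 117440662 = %s / %s\n", $decoded['source'], $decoded['code']);

$gpgBinary = getenv('GPG_BINARY') ?: '/opt/bin/gpg'; // assumed location in the layer
$missing   = missingSharedLibraries($gpgBinary);
echo $missing === []
    ? "$gpgBinary: all shared libraries resolved\n"
    : "$gpgBinary: unresolved libraries: " . implode(', ', $missing) . "\n";
```

Deploy this as a handler alongside the reproduction and read the function's log output: a non-empty "unresolved libraries" line points at exactly which `.so` files the layer still lacks, and decoding the code shows the failure happens before gpg is ever asked to import the key, which is consistent with an engine that cannot start rather than a bad key block.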