feat(alg): Add ES512 support #566
+31
−31
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,7 +38,7 @@ class JWT | |
| * | ||
| * @var int | ||
| */ | ||
| public static int $leeway = 0; | ||
|
|
||
| /** | ||
| * Allow the current timestamp to be specified. | ||
|
|
@@ -47,15 +47,16 @@ class JWT | |
| * | ||
| * @var ?int | ||
| */ | ||
| public static ?int $timestamp = null; | ||
|
|
||
| /** | ||
| * @var array<string, string[]> | ||
| */ | ||
| public static array $supported_algs = [ | ||
| 'ES256' => ['openssl', 'SHA256'], | ||
| 'ES256K' => ['openssl', 'SHA256'], | ||
| 'ES384' => ['openssl', 'SHA384'], | ||
| 'ES512' => ['openssl', 'SHA512'], | ||
| 'HS256' => ['hash_hmac', 'SHA256'], | ||
| 'HS384' => ['hash_hmac', 'SHA384'], | ||
| 'HS512' => ['hash_hmac', 'SHA512'], | ||
|
|
@@ -75,10 +76,10 @@ class JWT | |
| * the public key. | ||
| * Each Key object contains an algorithm and | ||
| * matching key. | ||
| * Supported algorithms are 'ES256', 'ES256K', 'ES384', 'ES512', | ||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384' | ||
| * and 'RS512'. | ||
| * @param stdClass|null $headers Optional. Populates stdClass with headers. | ||
| * | ||
| * @return stdClass The JWT's payload as a PHP object | ||
| * | ||
|
|
@@ -95,7 +96,7 @@ class JWT | |
| */ | ||
| public static function decode( | ||
| string $jwt, | ||
| Key|ArrayAccess|array $keyOrKeyArray, | ||
| ?stdClass &$headers = null | ||
| ): stdClass { | ||
| // Validate JWT | ||
|
|
@@ -142,8 +143,8 @@ public static function decode( | |
| // See issue #351 | ||
| throw new UnexpectedValueException('Incorrect key for this algorithm'); | ||
| } | ||
| if (\in_array($header->alg, ['ES256', 'ES256K', 'ES384', 'ES512'], true)) { | ||
| // OpenSSL expects an ASN.1 DER sequence for ES256/ES256K/ES384/ES512 signatures | ||
| $sig = self::signatureToDER($sig); | ||
| } | ||
| if (!self::verify("{$headb64}.{$bodyb64}", $sig, $key->getKeyMaterial(), $header->alg)) { | ||
|
|
@@ -184,12 +185,12 @@ public static function decode( | |
| /** | ||
| * Converts and signs a PHP array into a JWT string. | ||
| * | ||
bshaffer marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| * @param array $payload PHP array | ||
| * @param string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key. | ||
| * @param string $alg Supported algorithms are 'ES256', 'ES256K', 'ES384', 'ES512', | ||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||
| * @param string|null $keyId | ||
| * @param array<string, string>|null $head An array with header elements to attach | ||
| * | ||
| * @return string A signed JWT | ||
| * | ||
|
|
@@ -198,7 +199,7 @@ public static function decode( | |
| */ | ||
| public static function encode( | ||
| array $payload, | ||
| string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $key, | ||
bshaffer marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| string $alg, | ||
| ?string $keyId = null, | ||
| ?array $head = null | ||
|
|
@@ -226,17 +227,17 @@ public static function encode( | |
| * Sign a string with a given key and algorithm. | ||
| * | ||
| * @param string $msg The message to sign | ||
| * @param string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key. | ||
| * @param string $alg Supported algorithms are 'EdDSA', 'ES256', 'ES256K', 'ES384', 'ES512', | ||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||
| * | ||
| * @return string An encrypted message | ||
| * | ||
| * @throws DomainException Unsupported algorithm or bad key was specified | ||
| */ | ||
| public static function sign( | ||
| string $msg, | ||
| string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $key, | ||
| string $alg | ||
| ): string { | ||
| if (empty(static::$supported_algs[$alg])) { | ||
|
|
@@ -262,6 +263,8 @@ public static function sign( | |
| $signature = self::signatureFromDER($signature, 256); | ||
| } elseif ($alg === 'ES384') { | ||
| $signature = self::signatureFromDER($signature, 384); | ||
| } elseif ($alg === 'ES512') { | ||
| $signature = self::signatureFromDER($signature, 512); | ||
|
Collaborator
There was a problem hiding this comment. am I right in understanding this is the only real code change (other than adding Line 487 in 27179e1 |
||
| } | ||
| return $signature; | ||
| case 'sodium_crypto': | ||
|
|
@@ -293,7 +296,7 @@ public static function sign( | |
| * | ||
| * @param string $msg The original message (header and body) | ||
| * @param string $signature The original signature | ||
| * @param string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial For Ed*, ES*, HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey | ||
| * @param string $alg The algorithm | ||
| * | ||
| * @return bool | ||
|
|
@@ -303,7 +306,7 @@ public static function sign( | |
| private static function verify( | ||
| string $msg, | ||
| string $signature, | ||
| string|array|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial, | ||
| string $alg | ||
| ): bool { | ||
| if (empty(static::$supported_algs[$alg])) { | ||
|
|
@@ -364,7 +367,7 @@ private static function verify( | |
| * | ||
| * @throws DomainException Provided string was invalid JSON | ||
| */ | ||
| public static function jsonDecode(string $input): mixed | ||
| { | ||
| $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING); | ||
|
|
||
|
|
@@ -379,7 +382,7 @@ public static function jsonDecode(string $input) | |
| /** | ||
| * Encode a PHP array into a JSON string. | ||
| * | ||
| * @param array $input A PHP array | ||
| * | ||
| * @return string JSON representation of the PHP array | ||
| * | ||
|
|
@@ -457,7 +460,7 @@ public static function urlsafeB64Encode(string $input): string | |
| * @return Key | ||
| */ | ||
| private static function getKey( | ||
| Key|ArrayAccess|array $keyOrKeyArray, | ||
| ?string $kid | ||
| ): Key { | ||
| if ($keyOrKeyArray instanceof Key) { | ||
|
|
@@ -519,11 +522,7 @@ private static function handleJsonError(int $errno): void | |
| JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON', | ||
| JSON_ERROR_UTF8 => 'Malformed UTF-8 characters' //PHP >= 5.3.3 | ||
| ]; | ||
| throw new DomainException($messages[$errno] ?? 'Unknown JSON error: ' . $errno); | ||
| } | ||
|
|
||
| /** | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would we require the extension? This would block existing users from upgrading who are not currently using
openssl.