diff options
| author | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
|---|---|---|
| committer | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
| commit | 19985dbb8c0aa66dc4bf7905abc1148de909097d (patch) | |
| tree | 2cd5a5d20d7e80fc2a51adf60d838d8a2c40999e /vendor/web-token/jwt-key-mgmt | |
| download | 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.gz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.bz2 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.lz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.xz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.zst 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.zip | |
Diffstat (limited to 'vendor/web-token/jwt-key-mgmt')
19 files changed, 1738 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-key-mgmt/JKUFactory.php b/vendor/web-token/jwt-key-mgmt/JKUFactory.php new file mode 100644 index 0000000..16d24bc --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/JKUFactory.php @@ -0,0 +1,50 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement; + +use Http\Client\HttpClient; +use Http\Message\RequestFactory; +use Jose\Component\Core\Converter\JsonConverter; +use Jose\Component\Core\JWKSet; + +class JKUFactory extends UrlKeySetFactory +{ + private $jsonConverter; + + /** + * JKUFactory constructor. + */ + public function __construct(?JsonConverter $jsonConverter, HttpClient $client, RequestFactory $requestFactory) + { + parent::__construct($client, $requestFactory); + $this->jsonConverter = $jsonConverter ?? new \Jose\Component\Core\Util\JsonConverter(); + } + + /** + * This method will try to fetch the url a retrieve the key set. + * Throws an exception in case of failure. + * + * @throws \InvalidArgumentException + */ + public function loadFromUrl(string $url, array $header = []): JWKSet + { + $content = $this->getContent($url, $header); + $data = $this->jsonConverter->decode($content); + if (!\is_array($data)) { + throw new \RuntimeException('Invalid content.'); + } + + return JWKSet::createFromKeyData($data); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/JWKFactory.php b/vendor/web-token/jwt-key-mgmt/JWKFactory.php new file mode 100644 index 0000000..3748938 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/JWKFactory.php @@ -0,0 +1,304 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement; + +use Base64Url\Base64Url; +use InvalidArgumentException; +use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; +use Jose\Component\Core\Util\Ecc\Curve; +use Jose\Component\Core\Util\ECKey; +use Jose\Component\KeyManagement\KeyConverter\KeyConverter; +use Jose\Component\KeyManagement\KeyConverter\RSAKey; +use function openssl_pkey_get_details; +use function openssl_pkey_new; +use RuntimeException; + +class JWKFactory +{ + /** + * Creates a RSA key with the given key size and additional values. + * + * @param int $size The key size in bits + * @param array $values values to configure the key + */ + public static function createRSAKey(int $size, array $values = []): JWK + { + if (0 !== $size % 8) { + throw new InvalidArgumentException('Invalid key size.'); + } + + if (512 > $size) { + throw new InvalidArgumentException('Key length is too short. It needs to be at least 512 bits.'); + } + + $key = openssl_pkey_new([ + 'private_key_bits' => $size, + 'private_key_type' => OPENSSL_KEYTYPE_RSA, + ]); + $details = openssl_pkey_get_details($key); + \openssl_free_key($key); + $rsa = RSAKey::createFromKeyDetails($details['rsa']); + $values = \array_merge( + $values, + $rsa->toArray() + ); + + return new JWK($values); + } + + /** + * Creates a EC key with the given curve and additional values. + * + * @param string $curve The curve + * @param array $values values to configure the key + */ + public static function createECKey(string $curve, array $values = []): JWK + { + return ECKey::createECKey($curve, $values); + } + + /** + * Creates a octet key with the given key size and additional values. + * + * @param int $size The key size in bits + * @param array $values values to configure the key + */ + public static function createOctKey(int $size, array $values = []): JWK + { + if (0 !== $size % 8) { + throw new InvalidArgumentException('Invalid key size.'); + } + $values = \array_merge( + $values, + [ + 'kty' => 'oct', + 'k' => Base64Url::encode(\random_bytes($size / 8)), + ] + ); + + return new JWK($values); + } + + /** + * Creates a OKP key with the given curve and additional values. + * + * @param string $curve The curve + * @param array $values values to configure the key + */ + public static function createOKPKey(string $curve, array $values = []): JWK + { + switch ($curve) { + case 'X25519': + $keyPair = \sodium_crypto_box_keypair(); + $secret = \sodium_crypto_box_secretkey($keyPair); + $x = \sodium_crypto_box_publickey($keyPair); + + break; + case 'Ed25519': + $keyPair = \sodium_crypto_sign_keypair(); + $secret = \sodium_crypto_sign_secretkey($keyPair); + $x = \sodium_crypto_sign_publickey($keyPair); + + break; + default: + throw new InvalidArgumentException(\sprintf('Unsupported "%s" curve', $curve)); + } + $secretLength = mb_strlen($secret, '8bit'); + $d = mb_substr($secret, 0, -$secretLength / 2, '8bit'); + + $values = \array_merge( + $values, + [ + 'kty' => 'OKP', + 'crv' => $curve, + 'd' => Base64Url::encode($d), + 'x' => Base64Url::encode($x), + ] + ); + + return new JWK($values); + } + + /** + * Creates a none key with the given additional values. + * Please note that this key type is not pat of any specification. + * It is used to prevent the use of the "none" algorithm with other key types. + * + * @param array $values values to configure the key + */ + public static function createNoneKey(array $values = []): JWK + { + $values = \array_merge( + $values, + [ + 'kty' => 'none', + 'alg' => 'none', + 'use' => 'sig', + ] + ); + + return new JWK($values); + } + + /** + * Creates a key from a Json string. + * + * @return JWK|JWKSet + */ + public static function createFromJsonObject(string $value) + { + $json = \json_decode($value, true); + if (!\is_array($json)) { + throw new InvalidArgumentException('Invalid key or key set.'); + } + + return self::createFromValues($json); + } + + /** + * Creates a key or key set from the given input. + * + * @return JWK|JWKSet + */ + public static function createFromValues(array $values) + { + if (\array_key_exists('keys', $values) && \is_array($values['keys'])) { + return JWKSet::createFromKeyData($values); + } + + return new JWK($values); + } + + /** + * This method create a JWK object using a shared secret. + */ + public static function createFromSecret(string $secret, array $additional_values = []): JWK + { + $values = \array_merge( + $additional_values, + [ + 'kty' => 'oct', + 'k' => Base64Url::encode($secret), + ] + ); + + return new JWK($values); + } + + /** + * This method will try to load a X.509 certificate and convert it into a public key. + */ + public static function createFromCertificateFile(string $file, array $additional_values = []): JWK + { + $values = KeyConverter::loadKeyFromCertificateFile($file); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } + + /** + * Extract a keyfrom a key set identified by the given index . + * + * @param int|string $index + */ + public static function createFromKeySet(JWKSet $jwkset, $index): JWK + { + return $jwkset->get($index); + } + + /** + * This method will try to load a PKCS#12 file and convert it into a public key. + * + * @throws \Exception + */ + public static function createFromPKCS12CertificateFile(string $file, ?string $secret = '', array $additional_values = []): JWK + { + $res = \openssl_pkcs12_read(\file_get_contents($file), $certs, $secret); + if (false === $res || !\is_array($certs) || !\array_key_exists('pkey', $certs)) { + throw new RuntimeException('Unable to load the certificates.'); + } + + return self::createFromKey($certs['pkey'], null, $additional_values); + } + + /** + * This method will try to convert a X.509 certificate into a public key. + */ + public static function createFromCertificate(string $certificate, array $additional_values = []): JWK + { + $values = KeyConverter::loadKeyFromCertificate($certificate); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } + + /** + * This method will try to convert a X.509 certificate resource into a public key. + * + * @param resource $res + * + * @throws \Exception + */ + public static function createFromX509Resource($res, array $additional_values = []): JWK + { + $values = KeyConverter::loadKeyFromX509Resource($res); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } + + /** + * This method will try to load and convert a key file into a JWK object. + * If the key is encrypted, the password must be set. + * + * @throws \Exception + */ + public static function createFromKeyFile(string $file, ?string $password = null, array $additional_values = []): JWK + { + $values = KeyConverter::loadFromKeyFile($file, $password); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } + + /** + * This method will try to load and convert a key into a JWK object. + * If the key is encrypted, the password must be set. + * + * @throws \Exception + */ + public static function createFromKey(string $key, ?string $password = null, array $additional_values = []): JWK + { + $values = KeyConverter::loadFromKey($key, $password); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } + + /** + * This method will try to load and convert a X.509 certificate chain into a public key. + * + * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean! + * It is mandatory to verify the root CA or intermediate CA are trusted. + * If not done, it may lead to potential security issues. + */ + public static function createFromX5C(array $x5c, array $additional_values = []): JWK + { + $values = KeyConverter::loadFromX5C($x5c); + $values = \array_merge($values, $additional_values); + + return new JWK($values); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php new file mode 100644 index 0000000..a7ebcad --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php @@ -0,0 +1,26 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +final class AlgorithmAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if (!$jwk->has('alg')) { + $bag->add(Message::medium('The parameter "alg" should be added.')); + } + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php new file mode 100644 index 0000000..470b788 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php @@ -0,0 +1,24 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +interface KeyAnalyzer +{ + /** + * This method will analyse the key and add messages to the message bag if needed. + */ + public function analyze(JWK $jwk, MessageBag $bag); +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php new file mode 100644 index 0000000..2b8b4a9 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php @@ -0,0 +1,50 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +class KeyAnalyzerManager +{ + /** + * @var KeyAnalyzer[] + */ + private $analyzers = []; + + /** + * Adds a Key Analyzer to the manager. + * + * @return KeyAnalyzerManager + */ + public function add(KeyAnalyzer $analyzer): self + { + $this->analyzers[] = $analyzer; + + return $this; + } + + /** + * This method will analyze the JWK object using all analyzers. + * It returns a message bag that may contains messages. + */ + public function analyze(JWK $jwk): MessageBag + { + $bag = new MessageBag(); + foreach ($this->analyzers as $analyzer) { + $analyzer->analyze($jwk, $bag); + } + + return $bag; + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php new file mode 100644 index 0000000..71acb70 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php @@ -0,0 +1,26 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +final class KeyIdentifierAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if (!$jwk->has('kid')) { + $bag->add(Message::medium('The parameter "kid" should be added.')); + } + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php new file mode 100644 index 0000000..4baf868 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php @@ -0,0 +1,96 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +class Message implements \JsonSerializable +{ + /** + * @var string + */ + private $message; + + /** + * @var string + */ + private $severity; + + public const SEVERITY_LOW = 'low'; + + public const SEVERITY_MEDIUM = 'medium'; + + public const SEVERITY_HIGH = 'high'; + + /** + * Message constructor. + */ + private function __construct(string $message, string $severity) + { + $this->message = $message; + $this->severity = $severity; + } + + /** + * Creates a message with severity=low. + * + * @return Message + */ + public static function low(string $message): self + { + return new self($message, self::SEVERITY_LOW); + } + + /** + * Creates a message with severity=medium. + * + * @return Message + */ + public static function medium(string $message): self + { + return new self($message, self::SEVERITY_MEDIUM); + } + + /** + * Creates a message with severity=high. + * + * @return Message + */ + public static function high(string $message): self + { + return new self($message, self::SEVERITY_HIGH); + } + + /** + * Returns the message. + */ + public function getMessage(): string + { + return $this->message; + } + + /** + * Returns the severity of the message. + */ + public function getSeverity(): string + { + return $this->severity; + } + + public function jsonSerialize() + { + return [ + 'message' => $this->message, + 'severity' => $this->severity, + ]; + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php new file mode 100644 index 0000000..b41795f --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php @@ -0,0 +1,59 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +class MessageBag implements \JsonSerializable, \IteratorAggregate, \Countable +{ + /** + * @var Message[] + */ + private $messages = []; + + /** + * Adds a message to the message bag. + * + * @return MessageBag + */ + public function add(Message $message): self + { + $this->messages[] = $message; + + return $this; + } + + /** + * Returns all messages. + * + * @return Message[] + */ + public function all(): array + { + return $this->messages; + } + + public function jsonSerialize() + { + return \array_values($this->messages); + } + + public function count() + { + return \count($this->messages); + } + + public function getIterator() + { + return new \ArrayIterator($this->messages); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php new file mode 100644 index 0000000..a293efd --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php @@ -0,0 +1,28 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +final class NoneAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if ('none' !== $jwk->get('kty')) { + return; + } + + $bag->add(Message::high('This key is a meant to be used with the algorithm "none". This algorithm is not secured and should be used with care.')); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php new file mode 100644 index 0000000..4c2d7c1 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php @@ -0,0 +1,50 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Base64Url\Base64Url; +use Jose\Component\Core\JWK; +use ZxcvbnPhp\Zxcvbn; + +final class OctAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if ('oct' !== $jwk->get('kty')) { + return; + } + $k = Base64Url::decode($jwk->get('k')); + $kLength = 8 * \mb_strlen($k, '8bit'); + if ($kLength < 128) { + $bag->add(Message::high('The key length is less than 128 bits.')); + } + + if (\class_exists(Zxcvbn::class)) { + $zxcvbn = new Zxcvbn(); + $strength = $zxcvbn->passwordStrength($k); + switch (true) { + case $strength['score'] < 3: + $bag->add(Message::high('The octet string is weak and easily guessable. Please change your key as soon as possible.')); + + break; + case 3 === $strength['score']: + $bag->add(Message::medium('The octet string is safe, but a longer key is preferable.')); + + break; + default: + break; + } + } + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php new file mode 100644 index 0000000..6274aa0 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php @@ -0,0 +1,34 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Base64Url\Base64Url; +use Jose\Component\Core\JWK; + +final class RsaAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if ('RSA' !== $jwk->get('kty')) { + return; + } + $n = 8 * \mb_strlen(Base64Url::decode($jwk->get('n')), '8bit'); + if ($n < 2048) { + $bag->add(Message::high('The key length is less than 2048 bits.')); + } + if ($jwk->has('d') && (!$jwk->has('p') || !$jwk->has('q') || !$jwk->has('dp') || !$jwk->has('dq') || !$jwk->has('p') || !$jwk->has('qi'))) { + $bag->add(Message::medium('The key is a private RSA key, but Chinese Remainder Theorem primes are missing. These primes are not mandatory, but signatures and decryption processes are faster when available.')); + } + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php new file mode 100644 index 0000000..8cdfaf6 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php @@ -0,0 +1,31 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyAnalyzer; + +use Jose\Component\Core\JWK; + +final class UsageAnalyzer implements KeyAnalyzer +{ + public function analyze(JWK $jwk, MessageBag $bag) + { + if (!$jwk->has('use')) { + $bag->add(Message::medium('The parameter "use" should be added.')); + } elseif (!\in_array($jwk->get('use'), ['sig', 'enc'], true)) { + $bag->add(Message::high(\sprintf('The parameter "use" has an unsupported value "%s". Please use "sig" (signature) or "enc" (encryption).', $jwk->get('use')))); + } + if ($jwk->has('key_ops') && !\in_array($jwk->get('key_ops'), ['sign', 'verify', 'encrypt', 'decrypt', 'wrapKey', 'unwrapKey'], true)) { + $bag->add(Message::high(\sprintf('The parameter "key_ops" has an unsupported value "%s". Please use one of the following values: %s.', $jwk->get('use'), \implode(', ', ['verify', 'sign', 'encryp', 'decrypt', 'wrapKey', 'unwrapKey'])))); + } + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyConverter/ECKey.php b/vendor/web-token/jwt-key-mgmt/KeyConverter/ECKey.php new file mode 100644 index 0000000..4ab0090 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyConverter/ECKey.php @@ -0,0 +1,273 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyConverter; + +use Base64Url\Base64Url; +use FG\ASN1\ASNObject; +use FG\ASN1\ExplicitlyTaggedObject; +use FG\ASN1\Universal\BitString; +use FG\ASN1\Universal\Integer; +use FG\ASN1\Universal\ObjectIdentifier; +use FG\ASN1\Universal\OctetString; +use FG\ASN1\Universal\Sequence; + +/** + * @internal + */ +class ECKey +{ + /** + * @var array + */ + private $values = []; + + /** + * ECKey constructor. + */ + private function __construct(array $data) + { + $this->loadJWK($data); + } + + /** + * @return ECKey + */ + public static function createFromPEM(string $pem): self + { + $data = self::loadPEM($pem); + + return new self($data); + } + + /** + * @throws \Exception + */ + private static function loadPEM(string $data): array + { + $data = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $data), true); + $asnObject = ASNObject::fromBinary($data); + + if (!$asnObject instanceof Sequence) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + $children = $asnObject->getChildren(); + if (self::isPKCS8($children)) { + $children = self::loadPKCS8($children); + } + + if (4 === \count($children)) { + return self::loadPrivatePEM($children); + } + if (2 === \count($children)) { + return self::loadPublicPEM($children); + } + + throw new \Exception('Unable to load the key.'); + } + + /** + * @param ASNObject[] $children + */ + private static function loadPKCS8(array $children): array + { + $binary = \hex2bin($children[2]->getContent()); + $asnObject = ASNObject::fromBinary($binary); + if (!$asnObject instanceof Sequence) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + return $asnObject->getChildren(); + } + + /** + * @param ASNObject[] $children + */ + private static function loadPublicPEM(array $children): array + { + if (!$children[0] instanceof Sequence) { + throw new \InvalidArgumentException('Unsupported key type.'); + } + + $sub = $children[0]->getChildren(); + if (!$sub[0] instanceof ObjectIdentifier) { + throw new \InvalidArgumentException('Unsupported key type.'); + } + if ('1.2.840.10045.2.1' !== $sub[0]->getContent()) { + throw new \InvalidArgumentException('Unsupported key type.'); + } + if (!$sub[1] instanceof ObjectIdentifier) { + throw new \InvalidArgumentException('Unsupported key type.'); + } + if (!$children[1] instanceof BitString) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $bits = $children[1]->getContent(); + $bits_length = \mb_strlen($bits, '8bit'); + if ('04' !== \mb_substr($bits, 0, 2, '8bit')) { + throw new \InvalidArgumentException('Unsupported key type'); + } + + $values = ['kty' => 'EC']; + $values['crv'] = self::getCurve($sub[1]->getContent()); + $values['x'] = Base64Url::encode(\hex2bin(\mb_substr($bits, 2, ($bits_length - 2) / 2, '8bit'))); + $values['y'] = Base64Url::encode(\hex2bin(\mb_substr($bits, ($bits_length - 2) / 2 + 2, ($bits_length - 2) / 2, '8bit'))); + + return $values; + } + + private static function getCurve(string $oid): string + { + $curves = self::getSupportedCurves(); + $curve = \array_search($oid, $curves, true); + if (!\is_string($curve)) { + throw new \InvalidArgumentException('Unsupported OID.'); + } + + return $curve; + } + + private static function getSupportedCurves(): array + { + return [ + 'P-256' => '1.2.840.10045.3.1.7', + 'P-384' => '1.3.132.0.34', + 'P-521' => '1.3.132.0.35', + ]; + } + + private static function verifyVersion(ASNObject $children) + { + if (!$children instanceof Integer || '1' !== $children->getContent()) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + } + + private static function getXAndY(ASNObject $children, ?string &$x, ?string &$y) + { + if (!$children instanceof ExplicitlyTaggedObject || !\is_array($children->getContent())) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + if (!$children->getContent()[0] instanceof BitString) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $bits = $children->getContent()[0]->getContent(); + $bits_length = \mb_strlen($bits, '8bit'); + + if ('04' !== \mb_substr($bits, 0, 2, '8bit')) { + throw new \InvalidArgumentException('Unsupported key type'); + } + + $x = \mb_substr($bits, 2, ($bits_length - 2) / 2, '8bit'); + $y = \mb_substr($bits, ($bits_length - 2) / 2 + 2, ($bits_length - 2) / 2, '8bit'); + } + + private static function getD(ASNObject $children): string + { + if (!$children instanceof OctetString) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + return $children->getContent(); + } + + private static function loadPrivatePEM(array $children): array + { + self::verifyVersion($children[0]); + $x = null; + $y = null; + $d = self::getD($children[1]); + self::getXAndY($children[3], $x, $y); + + if (!$children[2] instanceof ExplicitlyTaggedObject || !\is_array($children[2]->getContent())) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + if (!$children[2]->getContent()[0] instanceof ObjectIdentifier) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $curve = $children[2]->getContent()[0]->getContent(); + + $values = ['kty' => 'EC']; + $values['crv'] = self::getCurve($curve); + $values['d'] = Base64Url::encode(\hex2bin($d)); + $values['x'] = Base64Url::encode(\hex2bin($x)); + $values['y'] = Base64Url::encode(\hex2bin($y)); + + return $values; + } + + /** + * @param ASNObject[] $children + */ + private static function isPKCS8(array $children): bool + { + if (3 !== \count($children)) { + return false; + } + + $classes = [0 => Integer::class, 1 => Sequence::class, 2 => OctetString::class]; + foreach ($classes as $k => $class) { + if (!$children[$k] instanceof $class) { + return false; + } + } + + return true; + } + + /** + * @param ECKey $private + * + * @return ECKey + */ + public static function toPublic(self $private): self + { + $data = $private->toArray(); + if (\array_key_exists('d', $data)) { + unset($data['d']); + } + + return new self($data); + } + + /** + * @return array + */ + public function toArray() + { + return $this->values; + } + + private function loadJWK(array $jwk) + { + $keys = [ + 'kty' => 'The key parameter "kty" is missing.', + 'crv' => 'Curve parameter is missing', + 'x' => 'Point parameters are missing.', + 'y' => 'Point parameters are missing.', + ]; + foreach ($keys as $k => $v) { + if (!\array_key_exists($k, $jwk)) { + throw new \InvalidArgumentException($v); + } + } + + if ('EC' !== $jwk['kty']) { + throw new \InvalidArgumentException('JWK is not an Elliptic Curve key.'); + } + $this->values = $jwk; + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php new file mode 100644 index 0000000..17a5428 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyConverter/KeyConverter.php @@ -0,0 +1,256 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyConverter; + +use Base64Url\Base64Url; + +/** + * @internal + */ +class KeyConverter +{ + /** + * @throws \InvalidArgumentException + */ + public static function loadKeyFromCertificateFile(string $file): array + { + if (!\file_exists($file)) { + throw new \InvalidArgumentException(\sprintf('File "%s" does not exist.', $file)); + } + $content = \file_get_contents($file); + + return self::loadKeyFromCertificate($content); + } + + /** + * @throws \InvalidArgumentException + */ + public static function loadKeyFromCertificate(string $certificate): array + { + try { + $res = \openssl_x509_read($certificate); + } catch (\Exception $e) { + $certificate = self::convertDerToPem($certificate); + $res = \openssl_x509_read($certificate); + } + if (false === $res) { + throw new \InvalidArgumentException('Unable to load the certificate.'); + } + + $values = self::loadKeyFromX509Resource($res); + \openssl_x509_free($res); + + return $values; + } + + /** + * @param resource $res + * + * @throws \Exception + */ + public static function loadKeyFromX509Resource($res): array + { + $key = \openssl_get_publickey($res); + + $details = \openssl_pkey_get_details($key); + if (isset($details['key'])) { + $values = self::loadKeyFromPEM($details['key']); + \openssl_x509_export($res, $out); + $x5c = \preg_replace('#-.*-#', '', $out); + $x5c = \preg_replace('~\R~', PHP_EOL, $x5c); + $x5c = \trim($x5c); + $values['x5c'] = [$x5c]; + + $values['x5t'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha1', true)); + $values['x5t#256'] = Base64Url::encode(\openssl_x509_fingerprint($res, 'sha256', true)); + + return $values; + } + + throw new \InvalidArgumentException('Unable to load the certificate'); + } + + /** + * @throws \Exception + */ + public static function loadFromKeyFile(string $file, ?string $password = null): array + { + $content = \file_get_contents($file); + + return self::loadFromKey($content, $password); + } + + /** + * @throws \Exception + */ + public static function loadFromKey(string $key, ?string $password = null): array + { + try { + return self::loadKeyFromDER($key, $password); + } catch (\Exception $e) { + return self::loadKeyFromPEM($key, $password); + } + } + + /** + * @throws \Exception + */ + private static function loadKeyFromDER(string $der, ?string $password = null): array + { + $pem = self::convertDerToPem($der); + + return self::loadKeyFromPEM($pem, $password); + } + + /** + * @throws \Exception + */ + private static function loadKeyFromPEM(string $pem, ?string $password = null): array + { + if (\preg_match('#DEK-Info: (.+),(.+)#', $pem, $matches)) { + $pem = self::decodePem($pem, $matches, $password); + } + + self::sanitizePEM($pem); + + $res = \openssl_pkey_get_private($pem); + if (false === $res) { + $res = \openssl_pkey_get_public($pem); + } + if (false === $res) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $details = \openssl_pkey_get_details($res); + if (!\is_array($details) || !\array_key_exists('type', $details)) { + throw new \InvalidArgumentException('Unable to get details of the key'); + } + + switch ($details['type']) { + case OPENSSL_KEYTYPE_EC: + $ec_key = ECKey::createFromPEM($pem); + + return $ec_key->toArray(); + case OPENSSL_KEYTYPE_RSA: + $rsa_key = RSAKey::createFromPEM($pem); + $rsa_key->optimize(); + + return $rsa_key->toArray(); + default: + throw new \InvalidArgumentException('Unsupported key type'); + } + } + + /** + * This method modifies the PEM to get 64 char lines and fix bug with old OpenSSL versions. + */ + private static function sanitizePEM(string &$pem) + { + \preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER); + $ciphertext = \preg_replace('#-.*-|\r|\n| #', '', $pem); + + $pem = $matches[0][0].PHP_EOL; + $pem .= \chunk_split($ciphertext, 64, PHP_EOL); + $pem .= $matches[0][1].PHP_EOL; + } + + /** + * Be careful! The certificate chain is loaded, but it is NOT VERIFIED by any mean! + * It is mandatory to verify the root CA or intermediate CA are trusted. + * If not done, it may lead to potential security issues. + */ + public static function loadFromX5C(array $x5c): array + { + $certificate = null; + $last_issuer = null; + $last_subject = null; + foreach ($x5c as $cert) { + $current_cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.\chunk_split($cert,64,PHP_EOL).'-----END CERTIFICATE-----'; + $x509 = \openssl_x509_read($current_cert); + if (false === $x509) { + $last_issuer = null; + $last_subject = null; + + break; + } + $parsed = \openssl_x509_parse($x509); + + \openssl_x509_free($x509); + if (false === $parsed) { + $last_issuer = null; + $last_subject = null; + + break; + } + if (null === $last_subject) { + $last_subject = $parsed['subject']; + $last_issuer = $parsed['issuer']; + $certificate = $current_cert; + } else { + if (\json_encode($last_issuer) === \json_encode($parsed['subject'])) { + $last_subject = $parsed['subject']; + $last_issuer = $parsed['issuer']; + } else { + $last_issuer = null; + $last_subject = null; + + break; + } + } + } + + return self::loadKeyFromCertificate($certificate); + } + + /** + * @param string[] $matches + */ + private static function decodePem(string $pem, array $matches, ?string $password = null): string + { + if (null === $password) { + throw new \InvalidArgumentException('Password required for encrypted keys.'); + } + + $iv = \pack('H*', \trim($matches[2])); + $iv_sub = \mb_substr($iv, 0, 8, '8bit'); + $symkey = \pack('H*', \md5($password.$iv_sub)); + $symkey .= \pack('H*', \md5($symkey.$password.$iv_sub)); + $key = \preg_replace('#^(?:Proc-Type|DEK-Info): .*#m', '', $pem); + $ciphertext = \base64_decode(\preg_replace('#-.*-|\r|\n#', '', $key), true); + + $decoded = \openssl_decrypt($ciphertext, \mb_strtolower($matches[1]), $symkey, OPENSSL_RAW_DATA, $iv); + if (!\is_string($decoded)) { + throw new \InvalidArgumentException('Incorrect password. Key decryption failed.'); + } + + $number = \preg_match_all('#-{5}.*-{5}#', $pem, $result); + if (2 !== $number) { + throw new \InvalidArgumentException('Unable to load the key'); + } + + $pem = $result[0][0].PHP_EOL; + $pem .= \chunk_split(\base64_encode($decoded), 64); + $pem .= $result[0][1].PHP_EOL; + + return $pem; + } + + private static function convertDerToPem(string $der_data): string + { + $pem = \chunk_split(\base64_encode($der_data), 64, PHP_EOL); + $pem = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$pem.'-----END CERTIFICATE-----'.PHP_EOL; + + return $pem; + } +} diff --git a/vendor/web-token/jwt-key-mgmt/KeyConverter/RSAKey.php b/vendor/web-token/jwt-key-mgmt/KeyConverter/RSAKey.php new file mode 100644 index 0000000..f76b5d4 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/KeyConverter/RSAKey.php @@ -0,0 +1,244 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement\KeyConverter; + +use Base64Url\Base64Url; +use Jose\Component\Core\JWK; +use Jose\Component\Core\Util\BigInteger; + +/** + * @internal + */ +class RSAKey +{ + /** + * @var array + */ + private $values = []; + + /** + * RSAKey constructor. + */ + private function __construct(array $data) + { + $this->loadJWK($data); + } + + /** + * @return RSAKey + */ + public static function createFromKeyDetails(array $details): self + { + $values = ['kty' => 'RSA']; + $keys = [ + 'n' => 'n', + 'e' => 'e', + 'd' => 'd', + 'p' => 'p', + 'q' => 'q', + 'dp' => 'dmp1', + 'dq' => 'dmq1', + 'qi' => 'iqmp', + ]; + foreach ($details as $key => $value) { + if (\in_array($key, $keys, true)) { + $value = Base64Url::encode($value); + $values[\array_search($key, $keys, true)] = $value; + } + } + + return new self($values); + } + + /** + * @return RSAKey + */ + public static function createFromPEM(string $pem): self + { + $res = \openssl_pkey_get_private($pem); + if (false === $res) { + $res = \openssl_pkey_get_public($pem); + } + if (false === $res) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + $details = \openssl_pkey_get_details($res); + \openssl_free_key($res); + if (!\array_key_exists('rsa', $details)) { + throw new \InvalidArgumentException('Unable to load the key.'); + } + + return self::createFromKeyDetails($details['rsa']); + } + + /** + * @return RSAKey + */ + public static function createFromJWK(JWK $jwk): self + { + return new self($jwk->all()); + } + + public function isPublic(): bool + { + return !\array_key_exists('d', $this->values); + } + + /** + * @param RSAKey $private + * + * @return RSAKey + */ + public static function toPublic(self $private): self + { + $data = $private->toArray(); + $keys = ['p', 'd', 'q', 'dp', 'dq', 'qi']; + foreach ($keys as $key) { + if (\array_key_exists($key, $data)) { + unset($data[$key]); + } + } + + return new self($data); + } + + public function toArray(): array + { + return $this->values; + } + + private function loadJWK(array $jwk) + { + if (!\array_key_exists('kty', $jwk)) { + throw new \InvalidArgumentException('The key parameter "kty" is missing.'); + } + if ('RSA' !== $jwk['kty']) { + throw new \InvalidArgumentException('The JWK is not a RSA key.'); + } + + $this->values = $jwk; + } + + public function toJwk(): JWK + { + return new JWK($this->values); + } + + /** + * This method will try to add Chinese Remainder Theorem (CRT) parameters. + * With those primes, the decryption process is really fast. + */ + public function optimize() + { + if (\array_key_exists('d', $this->values)) { + $this->populateCRT(); + } + } + + /** + * This method adds Chinese Remainder Theorem (CRT) parameters if primes 'p' and 'q' are available. + */ + private function populateCRT() + { + if (!\array_key_exists('p', $this->values) && !\array_key_exists('q', $this->values)) { + $d = BigInteger::createFromBinaryString(Base64Url::decode($this->values['d'])); + $e = BigInteger::createFromBinaryString(Base64Url::decode($this->values['e'])); + $n = BigInteger::createFromBinaryString(Base64Url::decode($this->values['n'])); + + list($p, $q) = $this->findPrimeFactors($d, $e, $n); + $this->values['p'] = Base64Url::encode($p->toBytes()); + $this->values['q'] = Base64Url::encode($q->toBytes()); + } + + if (\array_key_exists('dp', $this->values) && \array_key_exists('dq', $this->values) && \array_key_exists('qi', $this->values)) { + return; + } + + $one = BigInteger::createFromDecimal(1); + $d = BigInteger::createFromBinaryString(Base64Url::decode($this->values['d'])); + $p = BigInteger::createFromBinaryString(Base64Url::decode($this->values['p'])); + $q = BigInteger::createFromBinaryString(Base64Url::decode($this->values['q'])); + + $this->values['dp'] = Base64Url::encode($d->mod($p->subtract($one))->toBytes()); + $this->values['dq'] = Base64Url::encode($d->mod($q->subtract($one))->toBytes()); + $this->values['qi'] = Base64Url::encode($q->modInverse($p)->toBytes()); + } + + /** + * @return BigInteger[] + */ + private function findPrimeFactors(BigInteger $d, BigInteger $e, BigInteger $n): array + { + $zero = BigInteger::createFromDecimal(0); + $one = BigInteger::createFromDecimal(1); + $two = BigInteger::createFromDecimal(2); + + $k = $d->multiply($e)->subtract($one); + + if ($k->isEven()) { + $r = $k; + $t = $zero; + + do { + $r = $r->divide($two); + $t = $t->add($one); + } while ($r->isEven()); + + $found = false; + $y = null; + + for ($i = 1; $i <= 100; ++$i) { + $g = BigInteger::random($n->subtract($one)); + $y = $g->modPow($r, $n); + + if ($y->equals($one) || $y->equals($n->subtract($one))) { + continue; + } + + for ($j = $one; $j->lowerThan($t->subtract($one)); $j = $j->add($one)) { + $x = $y->modPow($two, $n); + + if ($x->equals($one)) { + $found = true; + + break; + } + + if ($x->equals($n->subtract($one))) { + continue; + } + + $y = $x; + } + + $x = $y->modPow($two, $n); + if ($x->equals($one)) { + $found = true; + + break; + } + } + + if (true === $found) { + $p = $y->subtract($one)->gcd($n); + $q = $n->divide($p); + + return [$p, $q]; + } + } + + throw new \InvalidArgumentException('Unable to find prime factors.'); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/LICENSE b/vendor/web-token/jwt-key-mgmt/LICENSE new file mode 100644 index 0000000..a098645 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014-2018 Spomky-Labs + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/web-token/jwt-key-mgmt/UrlKeySetFactory.php b/vendor/web-token/jwt-key-mgmt/UrlKeySetFactory.php new file mode 100644 index 0000000..329a204 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/UrlKeySetFactory.php @@ -0,0 +1,54 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement; + +use Http\Client\HttpClient; +use Http\Message\RequestFactory; + +abstract class UrlKeySetFactory +{ + /** + * @var HttpClient + */ + private $client; + + /** + * @var RequestFactory + */ + private $requestFactory; + + /** + * UrlKeySetFactory constructor. + */ + public function __construct(HttpClient $client, RequestFactory $requestFactory) + { + $this->client = $client; + $this->requestFactory = $requestFactory; + } + + /** + * @throws \RuntimeException + */ + protected function getContent(string $url, array $header = []): string + { + $request = $this->requestFactory->createRequest('GET', $url, $header); + $response = $this->client->sendRequest($request); + + if ($response->getStatusCode() >= 400) { + throw new \RuntimeException('Unable to get the key set.', $response->getStatusCode()); + } + + return $response->getBody()->getContents(); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/X5UFactory.php b/vendor/web-token/jwt-key-mgmt/X5UFactory.php new file mode 100644 index 0000000..1163b59 --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/X5UFactory.php @@ -0,0 +1,66 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\KeyManagement; + +use Http\Client\HttpClient; +use Http\Message\RequestFactory; +use Jose\Component\Core\Converter\JsonConverter; +use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; +use Jose\Component\KeyManagement\KeyConverter\KeyConverter; + +class X5UFactory extends UrlKeySetFactory +{ + private $jsonConverter; + + /** + * X5UFactory constructor. + */ + public function __construct(?JsonConverter $jsonConverter, HttpClient $client, RequestFactory $requestFactory) + { + $this->jsonConverter = $jsonConverter ?? new \Jose\Component\Core\Util\JsonConverter(); + parent::__construct($client, $requestFactory); + } + + /** + * This method will try to fetch the url a retrieve the key set. + * Throws an exception in case of failure. + * + * @throws \InvalidArgumentException + */ + public function loadFromUrl(string $url, array $header = []): JWKSet + { + $content = $this->getContent($url, $header); + $data = $this->jsonConverter->decode($content); + if (!\is_array($data)) { + throw new \RuntimeException('Invalid content.'); + } + + $keys = []; + foreach ($data as $kid => $cert) { + if (false === \mb_strpos($cert, '-----BEGIN CERTIFICATE-----')) { + $cert = '-----BEGIN CERTIFICATE-----'.PHP_EOL.$cert.PHP_EOL.'-----END CERTIFICATE-----'; + } + $jwk = KeyConverter::loadKeyFromCertificate($cert); + if (\is_string($kid)) { + $jwk['kid'] = $kid; + $keys[$kid] = new JWK($jwk); + } else { + $keys[] = new JWK($jwk); + } + } + + return new JWKSet($keys); + } +} diff --git a/vendor/web-token/jwt-key-mgmt/composer.json b/vendor/web-token/jwt-key-mgmt/composer.json new file mode 100644 index 0000000..d3999ad --- /dev/null +++ b/vendor/web-token/jwt-key-mgmt/composer.json @@ -0,0 +1,46 @@ +{ + "name": "web-token/jwt-key-mgmt", + "description": "Key Management component of the JWT Framework.", + "type": "library", + "license": "MIT", + "keywords": ["JWS", "JWT", "JWE", "JWA", "JWK", "JWKSet", "Jot", "Jose", "RFC7515", "RFC7516", "RFC7517", "RFC7518", "RFC7519", "RFC7520", "Bundle", "Symfony"], + "homepage": "https://github.com/web-token", + "authors": [ + { + "name": "Florent Morselli", + "homepage": "https://github.com/Spomky" + },{ + "name": "All contributors", + "homepage": "https://github.com/web-token/jwt-key-mgmt/contributors" + } + ], + "autoload": { + "psr-4": { + "Jose\\Component\\KeyManagement\\": "" + } + }, + "require": { + "lib-openssl": "*", + "paragonie/sodium_compat": "^1.2", + "web-token/jwt-core": "^1.3", + "web-token/jwt-util-ecc": "^1.3" + }, + "require-dev": { + "php-http/message-factory": "^1.0", + "php-http/httplug": "^1.1", + "php-http/mock-client": "^1.0", + "phpunit/phpunit": "^6.0|^7.0" + }, + "suggest": { + "php-http/message-factory": "To enable JKU/X5U support.", + "php-http/httplug": "To enable JKU/X5U support." + }, + "extra": { + "branch-alias": { + "dev-master": "1.3.x-dev" + } + }, + "config": { + "sort-packages": true + } +} |