1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
<?php
declare(strict_types=1);
/*
* The MIT License (MIT)
*
* Copyright (c) 2014-2018 Spomky-Labs
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
namespace Jose\Component\Core\Util;
use Jose\Component\Core\JWK;
/**
* @internal
*/
class KeyChecker
{
/**
* @throws \InvalidArgumentException
*/
public static function checkKeyUsage(JWK $key, string $usage): bool
{
if ($key->has('use')) {
return self::checkUsage($key, $usage);
}
if ($key->has('key_ops')) {
return self::checkOperation($key, $usage);
}
return true;
}
private static function checkOperation(JWK $key, string $usage): bool
{
$ops = $key->get('key_ops');
if (!\is_array($ops)) {
$ops = [$ops];
}
switch ($usage) {
case 'verification':
if (!\in_array('verify', $ops, true)) {
throw new \InvalidArgumentException('Key cannot be used to verify a signature');
}
return true;
case 'signature':
if (!\in_array('sign', $ops, true)) {
throw new \InvalidArgumentException('Key cannot be used to sign');
}
return true;
case 'encryption':
if (!\in_array('encrypt', $ops, true) && !\in_array('wrapKey', $ops, true)) {
throw new \InvalidArgumentException('Key cannot be used to encrypt');
}
return true;
case 'decryption':
if (!\in_array('decrypt', $ops, true) && !\in_array('unwrapKey', $ops, true)) {
throw new \InvalidArgumentException('Key cannot be used to decrypt');
}
return true;
default:
throw new \InvalidArgumentException('Unsupported key usage.');
}
}
private static function checkUsage(JWK $key, string $usage): bool
{
$use = $key->get('use');
switch ($usage) {
case 'verification':
case 'signature':
if ('sig' !== $use) {
throw new \InvalidArgumentException('Key cannot be used to sign or verify a signature.');
}
return true;
case 'encryption':
case 'decryption':
if ('enc' !== $use) {
throw new \InvalidArgumentException('Key cannot be used to encrypt or decrypt.');
}
return true;
default:
throw new \InvalidArgumentException('Unsupported key usage.');
}
}
public static function checkKeyAlgorithm(JWK $key, string $algorithm)
{
if (!$key->has('alg')) {
return;
}
if ($key->get('alg') !== $algorithm) {
throw new \InvalidArgumentException(\sprintf('Key is only allowed for algorithm "%s".', $key->get('alg')));
}
}
}
|
