-
Notifications
You must be signed in to change notification settings - Fork 1.3k
feat(alg): Add ES512 support #566
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,5 @@ | ||
| vendor | ||
| node_modules | ||
| phpunit.phar | ||
| phpunit.phar.asc | ||
| composer.phar | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| ARG PHP_VERSION=8.5 | ||
| ARG COMPOSER_VERSION=latest | ||
| ARG NODE_VERSION=current | ||
|
|
||
| FROM docker.io/composer:${COMPOSER_VERSION} AS composer | ||
|
|
||
| FROM docker.io/node:${NODE_VERSION}-alpine AS node | ||
|
|
||
| FROM docker.io/php:${PHP_VERSION}-fpm-alpine AS app | ||
|
|
||
| WORKDIR /srv/app | ||
|
|
||
| # Update base | ||
| RUN apk update && apk upgrade | ||
|
|
||
| # persistent / runtime deps | ||
| RUN apk add --no-cache \ | ||
| openssl \ | ||
| ; | ||
|
|
||
| # TODO: Remove hardcoded imagick version after stable-release | ||
| RUN set -eux; \ | ||
| apk add --no-cache --virtual .build-deps \ | ||
| $PHPIZE_DEPS \ | ||
| libsodium-dev \ | ||
| ; \ | ||
| \ | ||
| docker-php-ext-install -j$(nproc) \ | ||
| sodium \ | ||
| ; \ | ||
| \ | ||
| runDeps="$( \ | ||
| scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \ | ||
| | tr ',' '\n' \ | ||
| | sort -u \ | ||
| | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ | ||
| )"; \ | ||
| apk add --no-cache --virtual .app-phpexts-rundeps $runDeps; \ | ||
| \ | ||
| apk del .build-deps | ||
|
|
||
| RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" | ||
|
|
||
| # Add dev-tools | ||
| COPY --from=composer /usr/bin/composer /usr/bin/composer | ||
| ENV PATH="${PATH}:/root/.composer/vendor/bin:/srv/app/vendor/bin" | ||
| COPY --from=node /usr/lib /usr/lib | ||
| COPY --from=node /usr/local/lib /usr/local/lib | ||
| COPY --from=node /usr/local/include /usr/local/include | ||
| COPY --from=node /usr/local/bin /usr/local/bin | ||
| COPY --from=node /opt /opt | ||
|
|
||
| COPY . . | ||
| RUN rm -f .env .env.* | ||
|
|
||
| RUN chown -R www-data:root /srv/app; \ | ||
| chmod -R g=u /srv/app |
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -40,7 +40,7 @@ | |||||||
| * | ||||||||
| * @var int | ||||||||
| */ | ||||||||
| public static $leeway = 0; | ||||||||
| public static int $leeway = 0; | ||||||||
|
|
||||||||
| /** | ||||||||
| * Allow the current timestamp to be specified. | ||||||||
|
|
@@ -49,15 +49,16 @@ | |||||||
| * | ||||||||
| * @var ?int | ||||||||
| */ | ||||||||
| public static $timestamp = null; | ||||||||
| public static ?int $timestamp = null; | ||||||||
|
|
||||||||
| /** | ||||||||
| * @var array<string, string[]> | ||||||||
| */ | ||||||||
| public static $supported_algs = [ | ||||||||
| 'ES384' => ['openssl', 'SHA384'], | ||||||||
| public static array $supported_algs = [ | ||||||||
| 'ES256' => ['openssl', 'SHA256'], | ||||||||
| 'ES256K' => ['openssl', 'SHA256'], | ||||||||
| 'ES384' => ['openssl', 'SHA384'], | ||||||||
| 'ES512' => ['openssl', 'SHA512'], | ||||||||
| 'HS256' => ['hash_hmac', 'SHA256'], | ||||||||
| 'HS384' => ['hash_hmac', 'SHA384'], | ||||||||
| 'HS512' => ['hash_hmac', 'SHA512'], | ||||||||
|
|
@@ -77,10 +78,10 @@ | |||||||
| * the public key. | ||||||||
| * Each Key object contains an algorithm and | ||||||||
| * matching key. | ||||||||
| * Supported algorithms are 'ES384','ES256', | ||||||||
| * Supported algorithms are 'ES256', 'ES256K', 'ES384', 'ES512', | ||||||||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384' | ||||||||
| * and 'RS512'. | ||||||||
| * @param stdClass $headers Optional. Populates stdClass with headers. | ||||||||
| * @param stdClass|null $headers Optional. Populates stdClass with headers. | ||||||||
| * | ||||||||
| * @return stdClass The JWT's payload as a PHP object | ||||||||
| * | ||||||||
|
|
@@ -97,7 +98,7 @@ | |||||||
| */ | ||||||||
| public static function decode( | ||||||||
| string $jwt, | ||||||||
| #[\SensitiveParameter] $keyOrKeyArray, | ||||||||
| #[\SensitiveParameter] Key|ArrayAccess|array $keyOrKeyArray, | ||||||||
| ?stdClass &$headers = null | ||||||||
| ): stdClass { | ||||||||
| // Validate JWT | ||||||||
|
|
@@ -154,9 +155,9 @@ | |||||||
| // See issue #351 | ||||||||
| throw new UnexpectedValueException('Incorrect key for this algorithm'); | ||||||||
| } | ||||||||
| if (\in_array($header->alg, ['ES256', 'ES256K', 'ES384'], true)) { | ||||||||
| // OpenSSL expects an ASN.1 DER sequence for ES256/ES256K/ES384 signatures | ||||||||
| $sig = self::signatureToDER($sig); | ||||||||
| if (\in_array($header->alg, ['ES256', 'ES256K', 'ES384', 'ES512'], true)) { | ||||||||
| // OpenSSL expects an ASN.1 DER sequence for ES256/ES256K/ES384/ES512 signatures | ||||||||
| $sig = self::signatureToDER($sig, $header->alg); | ||||||||
| } | ||||||||
| if (!self::verify("{$headb64}.{$bodyb64}", $sig, $key->getKeyMaterial(), $header->alg)) { | ||||||||
| throw new SignatureInvalidException('Signature verification failed'); | ||||||||
|
|
@@ -197,12 +198,12 @@ | |||||||
| /** | ||||||||
| * Converts and signs a PHP array into a JWT string. | ||||||||
| * | ||||||||
| * @param array<mixed> $payload PHP array | ||||||||
| * @param array<mixed> $payload PHP array | ||||||||
| * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key. | ||||||||
| * @param string $alg Supported algorithms are 'ES384','ES256', 'ES256K', 'HS256', | ||||||||
| * 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||||||||
| * @param string $keyId | ||||||||
| * @param array<string, string|string[]> $head An array with header elements to attach | ||||||||
| * @param string $alg Supported algorithms are 'ES256', 'ES256K', 'ES384', 'ES512', | ||||||||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||||||||
| * @param string|null $keyId | ||||||||
| * @param array<string, string>|null $head An array with header elements to attach | ||||||||
| * | ||||||||
| * @return string A signed JWT | ||||||||
| * | ||||||||
|
|
@@ -211,7 +212,7 @@ | |||||||
| */ | ||||||||
| public static function encode( | ||||||||
| array $payload, | ||||||||
| #[\SensitiveParameter] $key, | ||||||||
| #[\SensitiveParameter] string|OpenSSLAsymmetricKey|OpenSSLCertificate $key, | ||||||||
| string $alg, | ||||||||
| ?string $keyId = null, | ||||||||
| ?array $head = null | ||||||||
|
|
@@ -239,17 +240,17 @@ | |||||||
| * Sign a string with a given key and algorithm. | ||||||||
| * | ||||||||
| * @param string $msg The message to sign | ||||||||
| * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key. | ||||||||
| * @param string $alg Supported algorithms are 'EdDSA', 'ES384', 'ES256', 'ES256K', 'HS256', | ||||||||
| * 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||||||||
| * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $key The secret key. | ||||||||
| * @param string $alg Supported algorithms are 'EdDSA', 'ES256', 'ES256K', 'ES384', 'ES512', | ||||||||
| * 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512' | ||||||||
| * | ||||||||
| * @return string An encrypted message | ||||||||
| * | ||||||||
| * @throws DomainException Unsupported algorithm or bad key was specified | ||||||||
| */ | ||||||||
| public static function sign( | ||||||||
| string $msg, | ||||||||
| #[\SensitiveParameter] $key, | ||||||||
| #[\SensitiveParameter] string|OpenSSLAsymmetricKey|OpenSSLCertificate $key, | ||||||||
| string $alg | ||||||||
| ): string { | ||||||||
| if (empty(static::$supported_algs[$alg])) { | ||||||||
|
|
@@ -278,9 +279,11 @@ | |||||||
| throw new DomainException('OpenSSL unable to sign data'); | ||||||||
| } | ||||||||
| if ($alg === 'ES256' || $alg === 'ES256K') { | ||||||||
| $signature = self::signatureFromDER($signature, 256); | ||||||||
| $signature = self::signatureFromDER($signature, 256, $alg); | ||||||||
| } elseif ($alg === 'ES384') { | ||||||||
| $signature = self::signatureFromDER($signature, 384); | ||||||||
| $signature = self::signatureFromDER($signature, 384, $alg); | ||||||||
| } elseif ($alg === 'ES512') { | ||||||||
| $signature = self::signatureFromDER($signature, 521, $alg); | ||||||||
| } | ||||||||
| return $signature; | ||||||||
| case 'sodium_crypto': | ||||||||
|
|
@@ -312,7 +315,7 @@ | |||||||
| * | ||||||||
| * @param string $msg The original message (header and body) | ||||||||
| * @param string $signature The original signature | ||||||||
| * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial For Ed*, ES*, HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey | ||||||||
| * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial For Ed*, ES*, HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey | ||||||||
| * @param string $alg The algorithm | ||||||||
| * | ||||||||
| * @return bool | ||||||||
|
|
@@ -322,7 +325,7 @@ | |||||||
| private static function verify( | ||||||||
| string $msg, | ||||||||
| string $signature, | ||||||||
| #[\SensitiveParameter] $keyMaterial, | ||||||||
| #[\SensitiveParameter] string|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial, | ||||||||
| string $alg | ||||||||
| ): bool { | ||||||||
| if (empty(static::$supported_algs[$alg])) { | ||||||||
|
|
@@ -392,7 +395,7 @@ | |||||||
| * | ||||||||
| * @throws DomainException Provided string was invalid JSON | ||||||||
| */ | ||||||||
| public static function jsonDecode(string $input) | ||||||||
| public static function jsonDecode(string $input): mixed | ||||||||
| { | ||||||||
| $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING); | ||||||||
|
|
||||||||
|
|
@@ -485,7 +488,7 @@ | |||||||
| * @return Key | ||||||||
| */ | ||||||||
| private static function getKey( | ||||||||
| #[\SensitiveParameter] $keyOrKeyArray, | ||||||||
| #[\SensitiveParameter] Key|ArrayAccess|array $keyOrKeyArray, | ||||||||
| ?string $kid | ||||||||
| ): Key { | ||||||||
| if ($keyOrKeyArray instanceof Key) { | ||||||||
|
|
@@ -547,11 +550,7 @@ | |||||||
| JSON_ERROR_SYNTAX => 'Syntax error, malformed JSON', | ||||||||
| JSON_ERROR_UTF8 => 'Malformed UTF-8 characters' //PHP >= 5.3.3 | ||||||||
| ]; | ||||||||
| throw new DomainException( | ||||||||
| isset($messages[$errno]) | ||||||||
| ? $messages[$errno] | ||||||||
| : 'Unknown JSON error: ' . $errno | ||||||||
| ); | ||||||||
| throw new DomainException($messages[$errno] ?? 'Unknown JSON error: ' . $errno); | ||||||||
| } | ||||||||
|
|
||||||||
| /** | ||||||||
|
|
@@ -573,12 +572,16 @@ | |||||||
| * Convert an ECDSA signature to an ASN.1 DER sequence | ||||||||
| * | ||||||||
| * @param string $sig The ECDSA signature to convert | ||||||||
| * @param string $alg The algorithm | ||||||||
| * @return string The encoded DER object | ||||||||
| */ | ||||||||
| private static function signatureToDER(string $sig): string | ||||||||
| private static function signatureToDER(string $sig, string $alg): string | ||||||||
| { | ||||||||
| // Separate the signature into r-value and s-value | ||||||||
| $length = max(1, (int) (\strlen($sig) / 2)); | ||||||||
| $length = match ($alg) { | ||||||||
| 'ES512' => 66, | ||||||||
| default => max(1, (int) (\strlen($sig) / 2)), | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||
| }; | ||||||||
| list($r, $s) = \str_split($sig, $length); | ||||||||
|
|
||||||||
| // Trim leading zeros | ||||||||
|
|
@@ -630,10 +633,11 @@ | |||||||
| * | ||||||||
| * @param string $der binary signature in DER format | ||||||||
| * @param int $keySize the number of bits in the key | ||||||||
| * @param string $alg The algorithm | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. $alg parameter here is never used
Suggested change
|
||||||||
| * | ||||||||
| * @return string the signature | ||||||||
| */ | ||||||||
| private static function signatureFromDER(string $der, int $keySize): string | ||||||||
| private static function signatureFromDER(string $der, int $keySize, string $alg): string | ||||||||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. $alg parameter here is never used
Suggested change
|
||||||||
| { | ||||||||
| // OpenSSL returns the ECDSA signatures as a binary ASN.1 DER SEQUENCE | ||||||||
| list($offset, $_) = self::readDER($der); | ||||||||
|
|
@@ -646,8 +650,9 @@ | |||||||
| $s = \ltrim($s, "\x00"); | ||||||||
|
|
||||||||
| // Pad out r and s so that they are $keySize bits long | ||||||||
| $r = \str_pad($r, $keySize / 8, "\x00", STR_PAD_LEFT); | ||||||||
| $s = \str_pad($s, $keySize / 8, "\x00", STR_PAD_LEFT); | ||||||||
| $length = \ceil($keySize / 8); | ||||||||
| $r = \str_pad($r, $length, "\x00", STR_PAD_LEFT); | ||||||||
| $s = \str_pad($s, $length, "\x00", STR_PAD_LEFT); | ||||||||
|
|
||||||||
| return $r . $s; | ||||||||
| } | ||||||||
|
|
||||||||
Uh oh!
There was an error while loading. Please reload this page.