diff options
Diffstat (limited to 'vendor/web-token/jwt-signature/JWSVerifier.php')
| -rw-r--r-- | vendor/web-token/jwt-signature/JWSVerifier.php | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-signature/JWSVerifier.php b/vendor/web-token/jwt-signature/JWSVerifier.php new file mode 100644 index 0000000..bf49150 --- /dev/null +++ b/vendor/web-token/jwt-signature/JWSVerifier.php @@ -0,0 +1,160 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\Signature; + +use Base64Url\Base64Url; +use Jose\Component\Core\AlgorithmManager; +use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; +use Jose\Component\Core\Util\KeyChecker; +use Jose\Component\Signature\Algorithm\SignatureAlgorithm; + +class JWSVerifier +{ + /** + * @var AlgorithmManager + */ + private $signatureAlgorithmManager; + + /** + * JWSVerifier constructor. + */ + public function __construct(AlgorithmManager $signatureAlgorithmManager) + { + $this->signatureAlgorithmManager = $signatureAlgorithmManager; + } + + /** + * Returns the algorithm manager associated to the JWSVerifier. + */ + public function getSignatureAlgorithmManager(): AlgorithmManager + { + return $this->signatureAlgorithmManager; + } + + /** + * This method will try to verify the JWS object using the given key and for the given signature. + * It returns true if the signature is verified, otherwise false. + * + * @return bool true if the verification of the signature succeeded, else false + */ + public function verifyWithKey(JWS $jws, JWK $jwk, int $signature, ?string $detachedPayload = null): bool + { + $jwkset = new JWKSet([$jwk]); + + return $this->verifyWithKeySet($jws, $jwkset, $signature, $detachedPayload); + } + + /** + * This method will try to verify the JWS object using the given key set and for the given signature. + * It returns true if the signature is verified, otherwise false. + * + * @param JWS $jws A JWS object + * @param JWKSet $jwkset The signature will be verified using keys in the key set + * @param string|null $detachedPayload If not null, the value must be the detached payload encoded in Base64 URL safe. If the input contains a payload, throws an exception. + * + * @return bool true if the verification of the signature succeeded, else false + */ + public function verifyWithKeySet(JWS $jws, JWKSet $jwkset, int $signature, ?string $detachedPayload = null): bool + { + $this->checkJWKSet($jwkset); + $this->checkSignatures($jws); + $this->checkPayload($jws, $detachedPayload); + + $signature = $jws->getSignature($signature); + + return $this->verifySignature($jws, $jwkset, $signature, $detachedPayload); + } + + private function verifySignature(JWS $jws, JWKSet $jwkset, Signature $signature, ?string $detachedPayload = null): bool + { + $input = $this->getInputToVerify($jws, $signature, $detachedPayload); + foreach ($jwkset->all() as $jwk) { + $algorithm = $this->getAlgorithm($signature); + + try { + KeyChecker::checkKeyUsage($jwk, 'verification'); + KeyChecker::checkKeyAlgorithm($jwk, $algorithm->name()); + if (!\in_array($jwk->get('kty'), $algorithm->allowedKeyTypes(), true)) { + throw new \InvalidArgumentException('Wrong key type.'); + } + if (true === $algorithm->verify($jwk, $input, $signature->getSignature())) { + return true; + } + } catch (\Exception $e) { + //We do nothing, we continue with other keys + continue; + } + } + + return false; + } + + private function getInputToVerify(JWS $jws, Signature $signature, ?string $detachedPayload): string + { + $encodedProtectedHeader = $signature->getEncodedProtectedHeader(); + if (!$signature->hasProtectedHeaderParameter('b64') || true === $signature->getProtectedHeaderParameter('b64')) { + if (null !== $jws->getEncodedPayload()) { + return \sprintf('%s.%s', $encodedProtectedHeader, $jws->getEncodedPayload()); + } + + $payload = empty($jws->getPayload()) ? $detachedPayload : $jws->getPayload(); + + return \sprintf('%s.%s', $encodedProtectedHeader, Base64Url::encode($payload)); + } + + $payload = empty($jws->getPayload()) ? $detachedPayload : $jws->getPayload(); + + return \sprintf('%s.%s', $encodedProtectedHeader, $payload); + } + + private function checkSignatures(JWS $jws) + { + if (0 === $jws->countSignatures()) { + throw new \InvalidArgumentException('The JWS does not contain any signature.'); + } + } + + private function checkJWKSet(JWKSet $jwkset) + { + if (0 === \count($jwkset)) { + throw new \InvalidArgumentException('There is no key in the key set.'); + } + } + + private function checkPayload(JWS $jws, ?string $detachedPayload = null) + { + if (null !== $detachedPayload && !empty($jws->getPayload())) { + throw new \InvalidArgumentException('A detached payload is set, but the JWS already has a payload.'); + } + if (empty($jws->getPayload()) && null === $detachedPayload) { + throw new \InvalidArgumentException('The JWS has a detached payload, but no payload is provided.'); + } + } + + private function getAlgorithm(Signature $signature): SignatureAlgorithm + { + $completeHeader = \array_merge($signature->getProtectedHeader(), $signature->getHeader()); + if (!\array_key_exists('alg', $completeHeader)) { + throw new \InvalidArgumentException('No "alg" parameter set in the header.'); + } + + $algorithm = $this->signatureAlgorithmManager->get($completeHeader['alg']); + if (!$algorithm instanceof SignatureAlgorithm) { + throw new \InvalidArgumentException(\sprintf('The algorithm "%s" is not supported or is not a signature algorithm.', $completeHeader['alg'])); + } + + return $algorithm; + } +} |