feat!: require Key object, use JSON_UNESCAPED_SLASHES, remove constants (#376)

Author: bshaffer

.gitignore

@@ -3,3 +3,4 @@ phpunit.phar
 phpunit.phar.asc
 composer.phar
 composer.lock
+.phpunit.result.cache

README.md

@@ -200,8 +200,7 @@ $jwks = ['keys' => []];
 
 // JWK::parseKeySet($jwks) returns an associative array of **kid** to private
 // key. Pass this as the second parameter to JWT::decode.
-// NOTE: The deprecated $supportedAlgorithm must be supplied when parsing from JWK.
-JWT::decode($payload, JWK::parseKeySet($jwks), $supportedAlgorithm);
+JWT::decode($payload, JWK::parseKeySet($jwks));
 ```
 
 Changelog

src/JWK.php

@@ -47,7 +47,15 @@ public static function parseKeySet(array $jwks)
         foreach ($jwks['keys'] as $k => $v) {
             $kid = isset($v['kid']) ? $v['kid'] : $k;
             if ($key = self::parseKey($v)) {
-                $keys[$kid] = $key;
+                if (isset($v['alg'])) {
+                    $keys[$kid] = new Key($key, $v['alg']);
+                } else {
+                    // The "alg" parameter is optional in a KTY, but is required
+                    // for parsing in this library. Add it manually to your JWK
+                    // array if it doesn't already exist.
+                    // @see https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
+                    throw new InvalidArgumentException('JWK key is missing "alg"');
+                }
             }
         }
 

src/JWT.php

@@ -25,9 +25,12 @@
  */
 class JWT
 {
-    const ASN1_INTEGER = 0x02;
-    const ASN1_SEQUENCE = 0x10;
-    const ASN1_BIT_STRING = 0x03;
+    // const ASN1_INTEGER = 0x02;
+    // const ASN1_SEQUENCE = 0x10;
+    // const ASN1_BIT_STRING = 0x03;
+    private static $asn1Integer = 0x02;
+    private static $asn1Sequence = 0x10;
+    private static $asn1BitString = 0x03;
 
     /**
      * When checking nbf, iat or expiration times,
@@ -60,13 +63,11 @@ class JWT
      * Decodes a JWT string into a PHP object.
      *
      * @param string                    $jwt            The JWT
-     * @param Key|array<Key>|mixed      $keyOrKeyArray  The Key or array of Key objects.
+     * @param Key|array<Key>            $keyOrKeyArray  The Key or array of Key objects.
      *                                                  If the algorithm used is asymmetric, this is the public key
      *                                                  Each Key object contains an algorithm and matching key.
      *                                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
      *                                                  'HS512', 'RS256', 'RS384', and 'RS512'
-     * @param array                     $allowed_algs   [DEPRECATED] List of supported verification algorithms. Only
-     *                                                  should be used for backwards  compatibility.
      *
      * @return object The JWT's payload as a PHP object
      *
@@ -81,8 +82,9 @@ class JWT
      * @uses jsonDecode
      * @uses urlsafeB64Decode
      */
-    public static function decode($jwt, $keyOrKeyArray, array $allowed_algs = array())
+    public static function decode($jwt, $keyOrKeyArray)
     {
+        // Validate JWT
         $timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp;
 
         if (empty($keyOrKeyArray)) {
@@ -109,31 +111,18 @@ public static function decode($jwt, $keyOrKeyArray, array $allowed_algs = array(
             throw new UnexpectedValueException('Algorithm not supported');
         }
 
-        list($keyMaterial, $algorithm) = self::getKeyMaterialAndAlgorithm(
-            $keyOrKeyArray,
-            empty($header->kid) ? null : $header->kid
-        );
+        $key = self::getKey($keyOrKeyArray, empty($header->kid) ? null : $header->kid);
 
-        if (empty($algorithm)) {
-            // Use deprecated "allowed_algs" to determine if the algorithm is supported.
-            // This opens up the possibility of an attack in some implementations.
-            // @see https://github.com/firebase/php-jwt/issues/351
-            if (!\in_array($header->alg, $allowed_algs)) {
-                throw new UnexpectedValueException('Algorithm not allowed');
-            }
-        } else {
-            // Check the algorithm
-            if (!self::constantTimeEquals($algorithm, $header->alg)) {
-                // See issue #351
-                throw new UnexpectedValueException('Incorrect key for this algorithm');
-            }
+        // Check the algorithm
+        if (!self::constantTimeEquals($key->getAlgorithm(), $header->alg)) {
+            // See issue #351
+            throw new UnexpectedValueException('Incorrect key for this algorithm');
         }
         if ($header->alg === 'ES256' || $header->alg === 'ES384') {
             // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
             $sig = self::signatureToDER($sig);
         }
-
-        if (!static::verify("$headb64.$bodyb64", $sig, $keyMaterial, $header->alg)) {
+        if (!static::verify("$headb64.$bodyb64", $sig, $key->getKeyMaterial(), $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
 
@@ -179,7 +168,7 @@ public static function decode($jwt, $keyOrKeyArray, array $allowed_algs = array(
      * @uses jsonEncode
      * @uses urlsafeB64Encode
      */
-    public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $head = null)
+    public static function encode($payload, $key, $alg, $keyId = null, $head = null)
     {
         $header = array('typ' => 'JWT', 'alg' => $alg);
         if ($keyId !== null) {
@@ -212,7 +201,7 @@ public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $he
      *
      * @throws DomainException Unsupported algorithm or bad key was specified
      */
-    public static function sign($msg, $key, $alg = 'HS256')
+    public static function sign($msg, $key, $alg)
     {
         if (empty(static::$supported_algs[$alg])) {
             throw new DomainException('Algorithm not supported');
@@ -345,7 +334,12 @@ public static function jsonDecode($input)
      */
     public static function jsonEncode($input)
     {
-        $json = \json_encode($input);
+        if (PHP_VERSION_ID >= 50400) {
+            $json = \json_encode($input, \JSON_UNESCAPED_SLASHES);
+        } else {
+            // PHP 5.3 only
+            $json = \json_encode($input);
+        }
         if ($errno = \json_last_error()) {
             static::handleJsonError($errno);
         } elseif ($json === 'null' && $input !== null) {
@@ -394,40 +388,34 @@ public static function urlsafeB64Encode($input)
      *
      * @return array containing the keyMaterial and algorithm
      */
-    private static function getKeyMaterialAndAlgorithm($keyOrKeyArray, $kid = null)
+    private static function getKey($keyOrKeyArray, $kid = null)
     {
-        if (
-            is_string($keyOrKeyArray)
-            || is_resource($keyOrKeyArray)
-            || $keyOrKeyArray instanceof OpenSSLAsymmetricKey
-        ) {
-            return array($keyOrKeyArray, null);
-        }
-
         if ($keyOrKeyArray instanceof Key) {
-            return array($keyOrKeyArray->getKeyMaterial(), $keyOrKeyArray->getAlgorithm());
+            return $keyOrKeyArray;
         }
 
         if (is_array($keyOrKeyArray) || $keyOrKeyArray instanceof ArrayAccess) {
+            foreach ($keyOrKeyArray as $keyId => $key) {
+                if (!$key instanceof Key) {
+                    throw new UnexpectedValueException(
+                        '$keyOrKeyArray must be an instance of Firebase\JWT\Key key or an '
+                        . 'array of Firebase\JWT\Key keys'
+                    );
+                }
+            }
             if (!isset($kid)) {
                 throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
             }
             if (!isset($keyOrKeyArray[$kid])) {
                 throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
             }
 
-            $key = $keyOrKeyArray[$kid];
-
-            if ($key instanceof Key) {
-                return array($key->getKeyMaterial(), $key->getAlgorithm());
-            }
-
-            return array($key, null);
+            return $keyOrKeyArray[$kid];
         }
 
         throw new UnexpectedValueException(
-            '$keyOrKeyArray must be a string|resource key, an array of string|resource keys, '
-            . 'an instance of Firebase\JWT\Key key or an array of Firebase\JWT\Key keys'
+            '$keyOrKeyArray must be an instance of Firebase\JWT\Key key or an '
+            . 'array of Firebase\JWT\Key keys'
         );
     }
 
@@ -515,9 +503,9 @@ private static function signatureToDER($sig)
         }
 
         return self::encodeDER(
-            self::ASN1_SEQUENCE,
-            self::encodeDER(self::ASN1_INTEGER, $r) .
-            self::encodeDER(self::ASN1_INTEGER, $s)
+            self::$asn1Sequence,
+            self::encodeDER(self::$asn1Integer, $r) .
+            self::encodeDER(self::$asn1Integer, $s)
         );
     }
 
@@ -531,7 +519,7 @@ private static function signatureToDER($sig)
     private static function encodeDER($type, $value)
     {
         $tag_header = 0;
-        if ($type === self::ASN1_SEQUENCE) {
+        if ($type === self::$asn1Sequence) {
             $tag_header |= 0x20;
         }
 
@@ -596,7 +584,7 @@ private static function readDER($der, $offset = 0)
         }
 
         // Value
-        if ($type == self::ASN1_BIT_STRING) {
+        if ($type == self::$asn1BitString) {
             $pos++; // Skip the first contents octet (padding indicator)
             $data = \substr($der, $pos, $len - 1);
             $pos += $len - 1;

tests/JWKTest.php

@@ -38,34 +38,50 @@ public function testParsePrivateKey()
             'UnexpectedValueException',
             'RSA private keys are not supported'
         );
-        
+
         $jwkSet = json_decode(
-            file_get_contents(__DIR__ . '/rsa-jwkset.json'),
+            file_get_contents(__DIR__ . '/data/rsa-jwkset.json'),
             true
         );
         $jwkSet['keys'][0]['d'] = 'privatekeyvalue';
-        
+
+        JWK::parseKeySet($jwkSet);
+    }
+
+    public function testParsePrivateKeyWithoutAlg()
+    {
+        $this->setExpectedException(
+            'InvalidArgumentException',
+            'JWK key is missing "alg"'
+        );
+
+        $jwkSet = json_decode(
+            file_get_contents(__DIR__ . '/data/rsa-jwkset.json'),
+            true
+        );
+        unset($jwkSet['keys'][0]['alg']);
+
         JWK::parseKeySet($jwkSet);
     }
-    
+
     public function testParseKeyWithEmptyDValue()
     {
         $jwkSet = json_decode(
-            file_get_contents(__DIR__ . '/rsa-jwkset.json'),
+            file_get_contents(__DIR__ . '/data/rsa-jwkset.json'),
             true
         );
-        
+
         // empty or null values are ok
         $jwkSet['keys'][0]['d'] = null;
-        
+
         $keys = JWK::parseKeySet($jwkSet);
         $this->assertTrue(is_array($keys));
     }
 
     public function testParseJwkKeySet()
     {
         $jwkSet = json_decode(
-            file_get_contents(__DIR__ . '/rsa-jwkset.json'),
+            file_get_contents(__DIR__ . '/data/rsa-jwkset.json'),
             true
         );
         $keys = JWK::parseKeySet($jwkSet);
@@ -93,7 +109,7 @@ public function testParseJwkKeySet_empty()
      */
     public function testDecodeByJwkKeySetTokenExpired()
     {
-        $privKey1 = file_get_contents(__DIR__ . '/rsa1-private.pem');
+        $privKey1 = file_get_contents(__DIR__ . '/data/rsa1-private.pem');
         $payload = array('exp' => strtotime('-1 hour'));
         $msg = JWT::encode($payload, $privKey1, 'RS256', 'jwk1');
 
@@ -107,7 +123,7 @@ public function testDecodeByJwkKeySetTokenExpired()
      */
     public function testDecodeByJwkKeySet()
     {
-        $privKey1 = file_get_contents(__DIR__ . '/rsa1-private.pem');
+        $privKey1 = file_get_contents(__DIR__ . '/data/rsa1-private.pem');
         $payload = array('sub' => 'foo', 'exp' => strtotime('+10 seconds'));
         $msg = JWT::encode($payload, $privKey1, 'RS256', 'jwk1');
 
@@ -121,7 +137,7 @@ public function testDecodeByJwkKeySet()
      */
     public function testDecodeByMultiJwkKeySet()
     {
-        $privKey2 = file_get_contents(__DIR__ . '/rsa2-private.pem');
+        $privKey2 = file_get_contents(__DIR__ . '/data/rsa2-private.pem');
         $payload = array('sub' => 'bar', 'exp' => strtotime('+10 seconds'));
         $msg = JWT::encode($payload, $privKey2, 'RS256', 'jwk2');