Analyzers corrected

Spomky · Spomky · commit 6be397bb173a · 2019-09-06T13:38:43.000+02:00
diff --git a/composer.json b/composer.json
@@ -52,7 +52,6 @@
     },
     "require": {
         "php": "^7.2",
-        "ext-gmp": "*",
         "ext-json": "*",
         "ext-mbstring": "*",
         "ext-openssl": "*",
@@ -71,6 +70,7 @@
     "require-dev": {
         "ext-curl": "*",
         "ext-gmp": "*",
+        "ext-sodium": "*",
         "bjeavons/zxcvbn-php": "^0.4.0",
         "blackfire/php-sdk": "^1.14",
         "nyholm/psr7": "^1.0",
diff --git a/src/Bundle/JoseFramework/Resources/config/analyzers.php b/src/Bundle/JoseFramework/Resources/config/analyzers.php
@@ -11,6 +11,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
+use Jose\Component\Core\Util\Ecc\NistCurve;
 use Jose\Component\KeyManagement\Analyzer;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use ZxcvbnPhp\Zxcvbn;
@@ -37,13 +38,16 @@
     $container->set(Analyzer\OctAnalyzer::class);
     $container->set(Analyzer\MixedKeyTypes::class);
     $container->set(Analyzer\MixedPublicAndPrivateKeys::class);
-    $container->set(Analyzer\ES256KeyAnalyzer::class);
-    $container->set(Analyzer\ES384KeyAnalyzer::class);
-    $container->set(Analyzer\ES512KeyAnalyzer::class);
     $container->set(Analyzer\HS256KeyAnalyzer::class);
     $container->set(Analyzer\HS384KeyAnalyzer::class);
     $container->set(Analyzer\HS512KeyAnalyzer::class);
 
+    if (class_exists(NistCurve::class)) {
+        $container->set(Analyzer\ES256KeyAnalyzer::class);
+        $container->set(Analyzer\ES384KeyAnalyzer::class);
+        $container->set(Analyzer\ES512KeyAnalyzer::class);
+    }
+
     if (class_exists(Zxcvbn::class)) {
         $container->set(Analyzer\ZxcvbnKeyAnalyzer::class);
     }
diff --git a/src/Bundle/JoseFramework/composer.json b/src/Bundle/JoseFramework/composer.json
@@ -52,7 +52,8 @@
             "v1.1": "1.1.x-dev",
             "v1.2": "1.2.x-dev",
             "v1.3": "1.3.x-dev",
-            "v2.0": "2.0.x-dev"
+            "v2.0": "2.0.x-dev",
+            "v2.1": "2.1.x-dev"
         }
     },
     "config": {
diff --git a/src/Component/Checker/ExpirationTimeChecker.php b/src/Component/Checker/ExpirationTimeChecker.php
@@ -17,18 +17,23 @@
  * This class is a claim checker.
  * When the "exp" is present, it will compare the value with the current timestamp.
  */
-final class ExpirationTimeChecker implements ClaimChecker
+final class ExpirationTimeChecker implements ClaimChecker, HeaderChecker
 {
-    private const CLAIM_NAME = 'exp';
+    private const NAME = 'exp';
 
     /**
      * @var int
      */
     private $allowedTimeDrift;
+    /**
+     * @var bool
+     */
+    private $protectedHeaderOnly;
 
-    public function __construct(int $allowedTimeDrift = 0)
+    public function __construct(int $allowedTimeDrift = 0, bool $protectedHeaderOnly = false)
     {
         $this->allowedTimeDrift = $allowedTimeDrift;
+        $this->protectedHeaderOnly = $protectedHeaderOnly;
     }
 
     /**
@@ -37,15 +42,35 @@ public function __construct(int $allowedTimeDrift = 0)
     public function checkClaim($value): void
     {
         if (!\is_int($value)) {
-            throw new InvalidClaimException('"exp" must be an integer.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('"exp" must be an integer.', self::NAME, $value);
         }
         if (time() > $value + $this->allowedTimeDrift) {
-            throw new InvalidClaimException('The token expired.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('The token expired.', self::NAME, $value);
         }
     }
 
     public function supportedClaim(): string
     {
-        return self::CLAIM_NAME;
+        return self::NAME;
+    }
+
+    public function checkHeader($value): void
+    {
+        if (!\is_int($value)) {
+            throw new InvalidHeaderException('"exp" must be an integer.', self::NAME, $value);
+        }
+        if (time() > $value + $this->allowedTimeDrift) {
+            throw new InvalidHeaderException('The token expired.', self::NAME, $value);
+        }
+    }
+
+    public function supportedHeader(): string
+    {
+        return self::NAME;
+    }
+
+    public function protectedHeaderOnly(): bool
+    {
+        return $this->protectedHeaderOnly;
     }
 }
diff --git a/src/Component/Checker/IssuedAtChecker.php b/src/Component/Checker/IssuedAtChecker.php
@@ -17,18 +17,23 @@
  * This class is a claim checker.
  * When the "iat" is present, it will compare the value with the current timestamp.
  */
-final class IssuedAtChecker implements ClaimChecker
+final class IssuedAtChecker implements ClaimChecker, HeaderChecker
 {
-    private const CLAIM_NAME = 'iat';
+    private const NAME = 'iat';
 
     /**
      * @var int
      */
     private $allowedTimeDrift;
+    /**
+     * @var bool
+     */
+    private $protectedHeaderOnly;
 
-    public function __construct(int $allowedTimeDrift = 0)
+    public function __construct(int $allowedTimeDrift = 0, bool $protectedHeaderOnly = false)
     {
         $this->allowedTimeDrift = $allowedTimeDrift;
+        $this->protectedHeaderOnly = $protectedHeaderOnly;
     }
 
     /**
@@ -37,15 +42,35 @@ public function __construct(int $allowedTimeDrift = 0)
     public function checkClaim($value): void
     {
         if (!\is_int($value)) {
-            throw new InvalidClaimException('The claim "iat" must be an integer.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('"iat" must be an integer.', self::NAME, $value);
         }
         if (time() < $value - $this->allowedTimeDrift) {
-            throw new InvalidClaimException('The JWT is issued in the future.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('The JWT is issued in the future.', self::NAME, $value);
         }
     }
 
     public function supportedClaim(): string
     {
-        return self::CLAIM_NAME;
+        return self::NAME;
+    }
+
+    public function checkHeader($value): void
+    {
+        if (!\is_int($value)) {
+            throw new InvalidHeaderException('The header "iat" must be an integer.', self::NAME, $value);
+        }
+        if (time() < $value - $this->allowedTimeDrift) {
+            throw new InvalidHeaderException('The JWT is issued in the future.', self::NAME, $value);
+        }
+    }
+
+    public function supportedHeader(): string
+    {
+        return self::NAME;
+    }
+
+    public function protectedHeaderOnly(): bool
+    {
+        return $this->protectedHeaderOnly;
     }
 }
diff --git a/src/Component/Checker/NotBeforeChecker.php b/src/Component/Checker/NotBeforeChecker.php
@@ -17,18 +17,23 @@
  * This class is a claim checker.
  * When the "nbf" is present, it will compare the value with the current timestamp.
  */
-final class NotBeforeChecker implements ClaimChecker
+final class NotBeforeChecker implements ClaimChecker, HeaderChecker
 {
-    private const CLAIM_NAME = 'nbf';
+    private const NAME = 'nbf';
 
     /**
      * @var int
      */
     private $allowedTimeDrift;
+    /**
+     * @var bool
+     */
+    private $protectedHeaderOnly;
 
-    public function __construct(int $allowedTimeDrift = 0)
+    public function __construct(int $allowedTimeDrift = 0, bool $protectedHeaderOnly = false)
     {
         $this->allowedTimeDrift = $allowedTimeDrift;
+        $this->protectedHeaderOnly = $protectedHeaderOnly;
     }
 
     /**
@@ -37,15 +42,35 @@ public function __construct(int $allowedTimeDrift = 0)
     public function checkClaim($value): void
     {
         if (!\is_int($value)) {
-            throw new InvalidClaimException('"nbf" must be an integer.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('"nbf" must be an integer.', self::NAME, $value);
         }
         if (time() < $value - $this->allowedTimeDrift) {
-            throw new InvalidClaimException('The JWT can not be used yet.', self::CLAIM_NAME, $value);
+            throw new InvalidClaimException('The JWT can not be used yet.', self::NAME, $value);
         }
     }
 
     public function supportedClaim(): string
     {
-        return self::CLAIM_NAME;
+        return self::NAME;
+    }
+
+    public function checkHeader($value): void
+    {
+        if (!\is_int($value)) {
+            throw new InvalidHeaderException('"nbf" must be an integer.', self::NAME, $value);
+        }
+        if (time() < $value - $this->allowedTimeDrift) {
+            throw new InvalidHeaderException('The JWT can not be used yet.', self::NAME, $value);
+        }
+    }
+
+    public function supportedHeader(): string
+    {
+        return self::NAME;
+    }
+
+    public function protectedHeaderOnly(): bool
+    {
+        return $this->protectedHeaderOnly;
     }
 }
diff --git a/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php b/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php
@@ -88,9 +88,9 @@ public function unserialize(string $input): JWE
         );
     }
 
-    private function checkData(array $data): void
+    private function checkData(?array $data): void
     {
-        if (!isset($data['ciphertext']) || isset($data['recipients'])) {
+        if (null === $data || !isset($data['ciphertext']) || isset($data['recipients'])) {
             throw new InvalidArgumentException('Unsupported input.');
         }
     }
diff --git a/src/Component/Encryption/Serializer/JSONGeneralSerializer.php b/src/Component/Encryption/Serializer/JSONGeneralSerializer.php
@@ -97,9 +97,9 @@ public function unserialize(string $input): JWE
         );
     }
 
-    private function checkData(array $data): void
+    private function checkData(?array $data): void
     {
-        if (!isset($data['ciphertext']) || !isset($data['recipients'])) {
+        if (null === $data || !isset($data['ciphertext']) || !isset($data['recipients'])) {
             throw new InvalidArgumentException('Unsupported input.');
         }
     }
diff --git a/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php
@@ -16,9 +16,17 @@
 use Base64Url\Base64Url;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\Ecc\NistCurve;
+use RuntimeException;
 
 final class ES256KeyAnalyzer implements KeyAnalyzer
 {
+    public function __construct()
+    {
+        if (!class_exists(NistCurve::class)) {
+            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
+        }
+    }
+
     public function analyze(JWK $jwk, MessageBag $bag): void
     {
         if ('EC' !== $jwk->get('kty')) {
diff --git a/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php
@@ -16,9 +16,17 @@
 use Base64Url\Base64Url;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\Ecc\NistCurve;
+use RuntimeException;
 
 final class ES384KeyAnalyzer implements KeyAnalyzer
 {
+    public function __construct()
+    {
+        if (!class_exists(NistCurve::class)) {
+            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
+        }
+    }
+
     public function analyze(JWK $jwk, MessageBag $bag): void
     {
         if ('EC' !== $jwk->get('kty')) {
diff --git a/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php
@@ -16,9 +16,17 @@
 use Base64Url\Base64Url;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\Ecc\NistCurve;
+use RuntimeException;
 
 final class ES512KeyAnalyzer implements KeyAnalyzer
 {
+    public function __construct()
+    {
+        if (!class_exists(NistCurve::class)) {
+            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
+        }
+    }
+
     public function analyze(JWK $jwk, MessageBag $bag): void
     {
         if ('EC' !== $jwk->get('kty')) {
diff --git a/src/Component/KeyManagement/composer.json b/src/Component/KeyManagement/composer.json
@@ -21,11 +21,9 @@
     },
     "require": {
         "ext-openssl": "*",
-        "ext-gmp": "*",
         "psr/http-factory": "^1.0",
         "psr/http-client": "^1.0",
-        "web-token/jwt-core": "^2.1",
-        "web-token/jwt-util-ecc": "^2.1"
+        "web-token/jwt-core": "^2.0"
     },
     "require-dev": {
         "php-http/message-factory": "^1.0",
@@ -35,6 +33,7 @@
     },
     "suggest": {
         "ext-sodium": "Sodium is required for OKP key creation, EdDSA signature algorithm and ECDH-ES key encryption with OKP keys",
+        "web-token/jwt-util-ecc": "To use EC key analyzers.",
         "php-http/message-factory": "To enable JKU/X5U support.",
         "php-http/httplug": "To enable JKU/X5U support."
     },
diff --git a/src/Component/Signature/JWSVerifier.php b/src/Component/Signature/JWSVerifier.php
@@ -88,9 +88,8 @@ public function verifyWithKeySet(JWS $jws, JWKSet $jwkset, int $signatureIndex,
     private function verifySignature(JWS $jws, JWKSet $jwkset, Signature $signature, ?string $detachedPayload = null, JWK &$successJwk = null): bool
     {
         $input = $this->getInputToVerify($jws, $signature, $detachedPayload);
+        $algorithm = $this->getAlgorithm($signature);
         foreach ($jwkset->all() as $jwk) {
-            $algorithm = $this->getAlgorithm($signature);
-
             try {
                 KeyChecker::checkKeyUsage($jwk, 'verification');
                 KeyChecker::checkKeyAlgorithm($jwk, $algorithm->name());
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_16_128.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_16_128.php
@@ -27,7 +27,7 @@ public function name(): string
 
     public function getIVSize(): int
     {
-        return 13;
+        return 13 * 8;
     }
 
     protected function getMode(): string
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_16_64.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_16_64.php
@@ -27,7 +27,7 @@ public function name(): string
 
     public function getIVSize(): int
     {
-        return 13;
+        return 13 * 8;
     }
 
     protected function getMode(): string
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_64_128.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_64_128.php
@@ -27,7 +27,7 @@ public function name(): string
 
     public function getIVSize(): int
     {
-        return 7;
+        return 7 * 8;
     }
 
     protected function getMode(): string
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_64_64.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A128CCM_64_64.php
@@ -27,7 +27,7 @@ public function name(): string
 
     public function getIVSize(): int
     {
-        return 7;
+        return 7 * 8;
     }
 
     protected function getMode(): string
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_16_128.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_16_128.php
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_16_64.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_16_64.php
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_64_128.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_64_128.php
diff --git a/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_64_64.php b/src/EncryptionAlgorithm/Experimental/ContentEncryption/A256CCM_64_64.php
diff --git a/src/SignatureAlgorithm/ECDSA/composer.json b/src/SignatureAlgorithm/ECDSA/composer.json

Original file line number	Diff line number	Diff line change
`@@ -88,9 +88,9 @@ public function unserialize(string $input): JWE`
`88`	`88`	`);`
`89`	`89`	`}`
`90`	`90`
`91`		`- private function checkData(array $data): void`
	`91`	`+ private function checkData(?array $data): void`
`92`	`92`	`{`
`93`		`- if (!isset($data['ciphertext']) \|\| isset($data['recipients'])) {`
	`93`	`+ if (null === $data \|\| !isset($data['ciphertext']) \|\| isset($data['recipients'])) {`
`94`	`94`	`throw new InvalidArgumentException('Unsupported input.');`
`95`	`95`	`}`
`96`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -97,9 +97,9 @@ public function unserialize(string $input): JWE`
`97`	`97`	`);`
`98`	`98`	`}`
`99`	`99`
`100`		`- private function checkData(array $data): void`
	`100`	`+ private function checkData(?array $data): void`
`101`	`101`	`{`
`102`		`- if (!isset($data['ciphertext']) \|\| !isset($data['recipients'])) {`
	`102`	`+ if (null === $data \|\| !isset($data['ciphertext']) \|\| !isset($data['recipients'])) {`
`103`	`103`	`throw new InvalidArgumentException('Unsupported input.');`
`104`	`104`	`}`
`105`	`105`	`}`