Invalid handling of key_ops -> string vs array #640

@surikman

Version(s) affected

3.3.X

Description

I am using version 4.1.0 but, if you look at older versions, 3.3.X already had this issue.

Problem is with key_ops -> there are two different manipulations.

  1. as a string in \Jose\Component\KeyManagement\Analyzer\UsageAnalyzer::analyze: here key_ops is expected to be a string, and if it is not in the array of given ops it adds a message to the bag (but it failed in sprintf with an "Array to string conversion" error)
  2. as an array in \Jose\Component\Core\JWKSet::canKeyBeUsedFor, introduced in version 3.3.X

key_ops needs to be an array according to https://www.rfc-editor.org/rfc/rfc7517.html#section-4.3

Its value is an array of key operation values

How to reproduce

This issue can be reproduced when Symfony framework.profiler.collect is set to true (if collect is false, obviously the analyzer is turned off)

Possible Solution

Changing \Jose\Component\KeyManagement\Analyzer\UsageAnalyzer::analyze to work with key_ops as an array

Additional Context

No response
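
An added example, not part of the original report and not the library's own code: one way an analyzer could treat key_ops as an array, as RFC 7517 section 4.3 requires, and still report a wrong type instead of failing while formatting the message. The function name analyzeKeyOps, the message wording and the sample keys are assumptions; get_debug_type needs PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not web-token/jwt-framework code. The function name and
// the message wording are hypothetical.

// Key operation values defined by RFC 7517, section 4.3.
const KEY_OPS = ['sign', 'verify', 'encrypt', 'decrypt',
                 'wrapKey', 'unwrapKey', 'deriveKey', 'deriveBits'];

/**
 * Check the "key_ops" member of a decoded JWK.
 *
 * @param array<string, mixed> $jwk
 * @return string[] findings; empty when nothing is wrong
 */
function analyzeKeyOps(array $jwk): array
{
    if (!array_key_exists('key_ops', $jwk)) {
        return []; // the member is optional
    }
    $ops = $jwk['key_ops'];
    if (!is_array($ops)) {
        // Report the type only; never interpolate the raw value.
        return ['"key_ops" must be an array, got ' . get_debug_type($ops)];
    }
    $findings = [];
    $seen = [];
    foreach ($ops as $op) {
        if (!is_string($op)) {
            $findings[] = '"key_ops" has a non-string entry of type ' . get_debug_type($op);
            continue;
        }
        if (!in_array($op, KEY_OPS, true)) {
            // json_encode quotes the value, so any string is safe to report.
            $findings[] = 'Key operation not defined in RFC 7517: ' . json_encode($op);
        }
        if (isset($seen[$op])) {
            $findings[] = 'Duplicate key operation: ' . json_encode($op);
        }
        $seen[$op] = true;
    }
    return $findings;
}

// Constructed sample keys: a valid array, a bare string, and a bad array.
var_dump(analyzeKeyOps(['kty' => 'oct', 'key_ops' => ['sign', 'verify']]));
var_dump(analyzeKeyOps(['kty' => 'oct', 'key_ops' => 'sign']));
var_dump(analyzeKeyOps(['kty' => 'oct', 'key_ops' => ['sign', 'sign', 'foo']]));
```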
