feat: add SensitiveParameter attribute to security-critical parameters

meihei3 · meihei3 · commit 0acafbb72d3c · 2025-05-18T14:22:01.000+09:00
diff --git a/src/JWK.php b/src/JWK.php
@@ -52,7 +52,7 @@ class JWK
      *
      * @uses parseKey
      */
-    public static function parseKeySet(array $jwks, ?string $defaultAlg = null): array
+    public static function parseKeySet(#[\SensitiveParameter] array $jwks, ?string $defaultAlg = null): array
     {
         $keys = [];
 
@@ -93,7 +93,7 @@ public static function parseKeySet(array $jwks, ?string $defaultAlg = null): arr
      *
      * @uses createPemFromModulusAndExponent
      */
-    public static function parseKey(array $jwk, ?string $defaultAlg = null): ?Key
+    public static function parseKey(#[\SensitiveParameter] array $jwk, ?string $defaultAlg = null): ?Key
     {
         if (empty($jwk)) {
             throw new InvalidArgumentException('JWK must not be empty');
diff --git a/src/JWT.php b/src/JWT.php
@@ -95,7 +95,7 @@ class JWT
      */
     public static function decode(
         string $jwt,
-        $keyOrKeyArray,
+        #[\SensitiveParameter] $keyOrKeyArray,
         ?stdClass &$headers = null
     ): stdClass {
         // Validate JWT
@@ -208,7 +208,7 @@ public static function decode(
      */
     public static function encode(
         array $payload,
-        $key,
+        #[\SensitiveParameter] $key,
         string $alg,
         ?string $keyId = null,
         ?array $head = null
@@ -246,7 +246,7 @@ public static function encode(
      */
     public static function sign(
         string $msg,
-        $key,
+        #[\SensitiveParameter] $key,
         string $alg
     ): string {
         if (empty(static::$supported_algs[$alg])) {
@@ -313,7 +313,7 @@ public static function sign(
     private static function verify(
         string $msg,
         string $signature,
-        $keyMaterial,
+        #[\SensitiveParameter] $keyMaterial,
         string $alg
     ): bool {
         if (empty(static::$supported_algs[$alg])) {
@@ -467,7 +467,7 @@ public static function urlsafeB64Encode(string $input): string
      * @return Key
      */
     private static function getKey(
-        $keyOrKeyArray,
+        #[\SensitiveParameter] $keyOrKeyArray,
         ?string $kid
     ): Key {
         if ($keyOrKeyArray instanceof Key) {
diff --git a/src/Key.php b/src/Key.php
@@ -14,7 +14,7 @@ class Key
      * @param string $algorithm
      */
     public function __construct(
-        private $keyMaterial,
+        #[\SensitiveParameter] private $keyMaterial,
         private string $algorithm
     ) {
         if (

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ class JWK`
`52`	`52`	`*`
`53`	`53`	`* @uses parseKey`
`54`	`54`	`*/`
`55`		`- public static function parseKeySet(array $jwks, ?string $defaultAlg = null): array`
	`55`	`+ public static function parseKeySet(#[\SensitiveParameter] array $jwks, ?string $defaultAlg = null): array`
`56`	`56`	`{`
`57`	`57`	`$keys = [];`
`58`	`58`
`@@ -93,7 +93,7 @@ public static function parseKeySet(array $jwks, ?string $defaultAlg = null): arr`
`93`	`93`	`*`
`94`	`94`	`* @uses createPemFromModulusAndExponent`
`95`	`95`	`*/`
`96`		`- public static function parseKey(array $jwk, ?string $defaultAlg = null): ?Key`
	`96`	`+ public static function parseKey(#[\SensitiveParameter] array $jwk, ?string $defaultAlg = null): ?Key`
`97`	`97`	`{`
`98`	`98`	`if (empty($jwk)) {`
`99`	`99`	`throw new InvalidArgumentException('JWK must not be empty');`