feat: add ed25519 support to JWK (public keys)

edudobay · edudobay · commit 6d618806574c · 2022-04-03T22:20:19.000-03:00
Reference documentation: https://datatracker.ietf.org/doc/html/rfc8037
diff --git a/src/JWK.php b/src/JWK.php
@@ -31,6 +31,11 @@ class JWK
         // 'P-521' => '1.3.132.0.35', // Len: 132 (not supported)
     ];
 
+    // 'crv' identifier => JWT 'alg'
+    private const OKP_CURVES = [
+        'Ed25519' => 'EdDSA',
+    ];
+
     /**
      * Parse a set of JWK keys
      *
@@ -93,9 +98,10 @@ public static function parseKey(array $jwk): ?Key
             throw new UnexpectedValueException('JWK must contain a "kty" parameter');
         }
 
-        if (!isset($jwk['alg'])) {
-            // The "alg" parameter is optional in a KTY, but is required for parsing in
-            // this library. Add it manually to your JWK array if it doesn't already exist.
+        $ktyRequiringAlg = ['RSA', 'EC'];
+        if (!isset($jwk['alg']) && \in_array($jwk['kty'], $ktyRequiringAlg, true)) {
+            // The "alg" parameter is optional in a KTY, but is required for parsing certain key
+            // types in this library. Add it manually to your JWK array if it doesn't already exist.
             // @see https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
             throw new UnexpectedValueException('JWK must contain an "alg" parameter');
         }
@@ -137,8 +143,28 @@ public static function parseKey(array $jwk): ?Key
 
                 $publicKey = self::createPemFromCrvAndXYCoordinates($jwk['crv'], $jwk['x'], $jwk['y']);
                 return new Key($publicKey, $jwk['alg']);
+            case 'OKP':
+                if (isset($jwk['d'])) {
+                    // The key is actually a private key
+                    throw new UnexpectedValueException('Key data must be for a public key');
+                }
+
+                if (! isset($jwk['crv'])) {
+                    throw new UnexpectedValueException('crv not set');
+                }
+
+                if (!isset(self::OKP_CURVES[$jwk['crv']])) {
+                    throw new DomainException('Unrecognised or unsupported OKP curve');
+                }
+
+                if (empty($jwk['x'])) {
+                    throw new UnexpectedValueException('x not set');
+                }
+
+                $publicKey = \base64_encode(JWT::urlsafeB64Decode($jwk['x']));
+                $alg = self::OKP_CURVES[$jwk['crv']];
+                return new Key($publicKey, $alg);
             default:
-                // Currently only RSA is supported
                 break;
         }
 
diff --git a/src/JWT.php b/src/JWT.php
@@ -198,7 +198,7 @@ public static function encode(
      *
      * @param string $msg  The message to sign
      * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed>  $key  The secret key.
-     * @param string $alg  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     * @param string $alg  Supported algorithms are 'EdDSA', 'ES384', 'ES256', 'HS256', 'HS384',
      *                    'HS512', 'RS256', 'RS384', and 'RS512'
      *
      * @return string An encrypted message
@@ -258,7 +258,7 @@ public static function sign(
      *
      * @param string $msg         The original message (header and body)
      * @param string $signature   The original signature
-     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed>  $keyMaterial For HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey
+     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed>  $keyMaterial For Ed*, ES*, HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey
      * @param string $alg         The algorithm
      *
      * @return bool
diff --git a/tests/JWKTest.php b/tests/JWKTest.php
@@ -139,6 +139,7 @@ public function provideDecodeByJwkKeySet()
         return [
             ['rsa1-private.pem', 'rsa-jwkset.json', 'RS256'],
             ['ecdsa256-private.pem', 'ec-jwkset.json', 'ES256'],
+            ['ed25519-1.sec', 'ed25519-jwkset.json', 'EdDSA'],
         ];
     }
 
diff --git a/tests/data/ed25519-jwkset.json b/tests/data/ed25519-jwkset.json
@@ -0,0 +1,10 @@
+{
+    "keys": [
+        {
+            "kid": "jwk1",
+            "kty": "OKP",
+            "crv": "Ed25519",
+            "x": "uOSJMhbKSG4V5xUHS7B9YHmVg_1yVd-G-Io6oBFhSfY"
+        }
+    ]
+}

Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ public static function encode(`
`198`	`198`	`*`
`199`	`199`	`* @param string $msg The message to sign`
`200`	`200`	`* @param string\|OpenSSLAsymmetricKey\|OpenSSLCertificate\|array<mixed> $key The secret key.`
`201`		`- * @param string $alg Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',`
	`201`	`+ * @param string $alg Supported algorithms are 'EdDSA', 'ES384', 'ES256', 'HS256', 'HS384',`
`202`	`202`	`* 'HS512', 'RS256', 'RS384', and 'RS512'`
`203`	`203`	`*`
`204`	`204`	`* @return string An encrypted message`
`@@ -258,7 +258,7 @@ public static function sign(`
`258`	`258`	`*`
`259`	`259`	`* @param string $msg The original message (header and body)`
`260`	`260`	`* @param string $signature The original signature`
`261`		`- * @param string\|OpenSSLAsymmetricKey\|OpenSSLCertificate\|array<mixed> $keyMaterial For HS, a string key works. for RS, must be an instance of OpenSSLAsymmetricKey`
	`261`	`+ * @param string\|OpenSSLAsymmetricKey\|OpenSSLCertificate\|array<mixed> $keyMaterial For Ed, ES, HS, a string key works. for RS, must be an instance of OpenSSLAsymmetricKey`
`262`	`262`	`* @param string $alg The algorithm`
`263`	`263`	`*`
`264`	`264`	`* @return bool`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,7 @@ public function provideDecodeByJwkKeySet()`
`139`	`139`	`return [`
`140`	`140`	`['rsa1-private.pem', 'rsa-jwkset.json', 'RS256'],`
`141`	`141`	`['ecdsa256-private.pem', 'ec-jwkset.json', 'ES256'],`
	`142`	`+ ['ed25519-1.sec', 'ed25519-jwkset.json', 'EdDSA'],`
`142`	`143`	`];`
`143`	`144`	`}`
`144`	`145`