feat: require "Key" object when decoding JWTs

Author: bshaffer

src/JWK.php

@@ -47,7 +47,15 @@ public static function parseKeySet(array $jwks)
         foreach ($jwks['keys'] as $k => $v) {
             $kid = isset($v['kid']) ? $v['kid'] : $k;
             if ($key = self::parseKey($v)) {
-                $keys[$kid] = $key;
+                if (isset($v['alg'])) {
+                    $keys[$kid] = new Key($key, $v['alg']);
+                } else {
+                    // The "alg" parameter is optional in a KTY, but is required
+                    // for parsing in this library. Add it manually to y our JWK
+                    // array if it doesn't already exist.
+                    // @see https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
+                    throw new InvalidArgumentException('JWK key is missing "alg"');
+                }
             }
         }
 

src/JWT.php

@@ -5,8 +5,6 @@
 use ArrayAccess;
 use DomainException;
 use Exception;
-use Firebase\JWT\Keys\JWTKey;
-use Firebase\JWT\Keys\Keyring;
 use InvalidArgumentException;
 use UnexpectedValueException;
 use DateTime;
@@ -61,9 +59,9 @@ class JWT
      * Decodes a JWT string into a PHP object.
      *
      * @param string                    $jwt            The JWT
-     * @param string|array|resource     $key            The key, or map of keys.
+     * @param Key|array<Key>            $key            The Key or array of Key objects.
      *                                                  If the algorithm used is asymmetric, this is the public key
-     * @param array                     $allowed_algs   List of supported verification algorithms
+     *                                                  Each Key object contains an algorithm and matching key.
      *                                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
      *                                                  'HS512', 'RS256', 'RS384', and 'RS512'
      *
@@ -79,13 +77,10 @@ class JWT
      * @uses jsonDecode
      * @uses urlsafeB64Decode
      */
-    public static function decode($jwt, $key, array $allowed_algs = array())
+    public static function decode($jwt, $keyOrArrayOfKeys)
     {
+        // Validate JWT
         $timestamp = \is_null(static::$timestamp) ? \time() : static::$timestamp;
-
-        if (empty($key)) {
-            throw new InvalidArgumentException('Key may not be empty');
-        }
         $tks = \explode('.', $jwt);
         if (\count($tks) != 3) {
             throw new UnexpectedValueException('Wrong number of segments');
@@ -106,35 +101,45 @@ public static function decode($jwt, $key, array $allowed_algs = array())
         if (empty(static::$supported_algs[$header->alg])) {
             throw new UnexpectedValueException('Algorithm not supported');
         }
-        if (!\in_array($header->alg, $allowed_algs)) {
-            throw new UnexpectedValueException('Algorithm not allowed');
-        }
-        if ($header->alg === 'ES256' || $header->alg === 'ES384') {
-            // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
-            $sig = self::signatureToDER($sig);
+
+        // Validate the key
+        if (empty($keyOrArrayOfKeys)) {
+            throw new InvalidArgumentException('$keyOrArrayOfKeys may not be empty');
         }
 
-        /** @var Keyring|JWTKey $key */
-        $key = self::getKeyType($key, $allowed_algs);
-        if ($key instanceof Keyring) {
-            if (isset($header->kid)) {
-                if (!isset($key[$header->kid])) {
-                    throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+        if ($keyOrArrayOfKeys instanceof Key) {
+            $key = $keyOrArrayOfKeys;
+        } elseif (is_array($keyOrArrayOfKeys) || $keyOrArrayOfKeys instanceof ArrayAccess) {
+            foreach ($keyOrArrayOfKeys as $kid => $key) {
+                if (!$key instanceof Key) {
+                    throw new InvalidArgumentException('Type error: array values in $keyOrArrayOfKeys must be instances of Key');
                 }
-                $key = $key[$header->kid];
-            } else {
+            }
+
+            if (!isset($header->kid)) {
                 throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
             }
-        }
-        if (!($key instanceof JWTKey)) {
-            throw new UnexpectedValueException('$key should be an instance of JWTKey');
+            if (!isset($keyOrArrayOfKeys[$header->kid])) {
+                throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+            }
+            $key = $keyOrArrayOfKeys[$header->kid];
+        } else {
+            throw new UnexpectedValueException(
+                '$keyOrArrayOfKeys must be an instance of Firebase\JWT\Key or an array of Firebase\JWT\Key objects'
+            );
         }
 
-        // Check the signature
-        if (!$key->isValidForAlg($header->alg)) {
+        // Check the algorithm
+        if (!self::constantTimeEquals($key->getAlgorithm(), $header->alg)) {
             // See issue #351
             throw new UnexpectedValueException('Incorrect key for this algorithm');
         }
+
+        // Check the signature
+        if ($header->alg === 'ES256' || $header->alg === 'ES384') {
+            // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
+            $sig = self::signatureToDER($sig);
+        }
         if (!static::verify("$headb64.$bodyb64", $sig, $key->getKeyMaterial(), $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
@@ -406,29 +411,6 @@ public static function constantTimeEquals($left, $right)
         return ($status === 0);
     }
 
-    /**
-     * @param string|array|ArrayAccess $oldType
-     * @param string[] $algs
-     * @return KeyInterface
-     */
-    public static function getKeyType($oldType, $algs)
-    {
-        if ($oldType instanceof KeyInterface) {
-            return $oldType;
-        }
-        if (is_string($oldType)) {
-            return new JWTKey($oldType, $algs);
-        }
-        if (is_array($oldType) || $oldType instanceof ArrayAccess) {
-            $keyring = new Keyring(array());
-            foreach ($oldType as $kid => $key) {
-                $keyring[$kid] = new JWTKey($key, $algs);
-            }
-            return $keyring;
-        }
-        throw new InvalidArgumentException('Invalid type: Must be string or array');
-    }
-
     /**
      * Helper method to create a JSON error.
      *
@@ -459,7 +441,7 @@ private static function handleJsonError($errno)
      *
      * @return int
      */
-    public static function safeStrlen($str)
+    private static function safeStrlen($str)
     {
         if (\function_exists('mb_strlen')) {
             return \mb_strlen($str, '8bit');

src/Key.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace Firebase\JWT;
+
+use InvalidArgumentException;
+
+class Key
+{
+    /** @var string $algorithm */
+    private $algorithm;
+
+    /** @var string $keyMaterial */
+    private $keyMaterial;
+
+    /**
+     * @param string|resource $keyMaterial
+     * @param string $algorithm
+     */
+    public function __construct($keyMaterial, $algorithm)
+    {
+        if (!(is_string($keyMaterial) || is_resource($keyMaterial)) || empty($keyMaterial)) {
+            throw new InvalidArgumentException('Type error: $keyMaterial must be a string');
+        }
+        if (!is_string($algorithm)|| empty($keyMaterial)) {
+            throw new InvalidArgumentException('Type error: $algorithm must be a string');
+        }
+        $this->keyMaterial = $keyMaterial;
+        $this->algorithm = $algorithm;
+    }
+
+    public function __toString()
+    {
+        return $this->keyMaterial;
+    }
+
+    /**
+     * Return the algorithm valid for this key
+     *
+     * @return string
+     */
+    public function getAlgorithm()
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * @return string
+     */
+    public function getKeyMaterial()
+    {
+        return $this->keyMaterial;
+    }
+}