feat: add ES384 support (#324)

sdrsdr · web-flow · commit 9af3b99c1c92 · 2021-05-19T11:19:30.000-07:00
diff --git a/src/JWT.php b/src/JWT.php
@@ -42,6 +42,7 @@ class JWT
     public static $timestamp = null;
 
     public static $supported_algs = array(
+        'ES384' => array('openssl', 'SHA384'),
         'ES256' => array('openssl', 'SHA256'),
         'HS256' => array('hash_hmac', 'SHA256'),
         'HS384' => array('hash_hmac', 'SHA384'),
@@ -58,7 +59,8 @@ class JWT
      * @param string|array|resource     $key            The key, or map of keys.
      *                                                  If the algorithm used is asymmetric, this is the public key
      * @param array                     $allowed_algs   List of supported verification algorithms
-     *                                                  Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
+     *                                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                                  'HS512', 'RS256', 'RS384', and 'RS512'
      *
      * @return object The JWT's payload as a PHP object
      *
@@ -102,8 +104,8 @@ public static function decode($jwt, $key, array $allowed_algs = array())
         if (!\in_array($header->alg, $allowed_algs)) {
             throw new UnexpectedValueException('Algorithm not allowed');
         }
-        if ($header->alg === 'ES256') {
-            // OpenSSL expects an ASN.1 DER sequence for ES256 signatures
+        if ($header->alg === 'ES256' || $header->alg === 'ES384') {
+            // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
             $sig = self::signatureToDER($sig);
         }
 
@@ -155,7 +157,8 @@ public static function decode($jwt, $key, array $allowed_algs = array())
      * @param string        $key        The secret key.
      *                                  If the algorithm used is asymmetric, this is the private key
      * @param string        $alg        The signing algorithm.
-     *                                  Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
+     *                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                  'HS512', 'RS256', 'RS384', and 'RS512'
      * @param mixed         $keyId
      * @param array         $head       An array with header elements to attach
      *
@@ -190,7 +193,8 @@ public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $he
      * @param string            $msg    The message to sign
      * @param string|resource   $key    The secret key
      * @param string            $alg    The signing algorithm.
-     *                                  Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'
+     *                                  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                                  'HS512', 'RS256', 'RS384', and 'RS512'
      *
      * @return string An encrypted message
      *
@@ -214,6 +218,9 @@ public static function sign($msg, $key, $alg = 'HS256')
                     if ($alg === 'ES256') {
                         $signature = self::signatureFromDER($signature, 256);
                     }
+                    if ($alg === 'ES384') {
+                        $signature = self::signatureFromDER($signature, 384);
+                    }
                     return $signature;
                 }
         }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -300,4 +300,20 @@ public function testEncodeAndDecodeEcdsaToken()
 
         $this->assertEquals('bar', $decoded->foo);
     }
+
+    /**
+     * @runInSeparateProcess
+     */
+    public function testEncodeAndDecodeEcdsa384Token()
+    {
+        $privateKey = file_get_contents(__DIR__ . '/ecdsa384-private.pem');
+        $payload = array('foo' => 'bar');
+        $encoded = JWT::encode($payload, $privateKey, 'ES384');
+
+        // Verify decoding succeeds
+        $publicKey = file_get_contents(__DIR__ . '/ecdsa384-public.pem');
+        $decoded = JWT::decode($encoded, $publicKey, array('ES384'));
+
+        $this->assertEquals('bar', $decoded->foo);
+    }
 }
diff --git a/tests/ecdsa384-private.pem b/tests/ecdsa384-private.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDBQJuwafREZ1494Fm2MTVXuZbWXVAOwIAxGhyLdc3CChzi0FVXZq8e6
+65oR0Qq9Jv2gBwYFK4EEACKhZANiAAQWFddzIqZaROR1VtZhhTd20mqknQmYsZ+0
+R03NQQUQpJTkyWcuv8WNyd6zO9cCoQEzi94kX907/OEWTjhuH8QtdunT+ef1BpWJ
+W1Cm5O+m7b155/Ho99QypfQr74hLg1A=
+-----END EC PRIVATE KEY-----
diff --git a/tests/ecdsa384-public.pem b/tests/ecdsa384-public.pem
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEFhXXcyKmWkTkdVbWYYU3dtJqpJ0JmLGf
+tEdNzUEFEKSU5MlnLr/FjcneszvXAqEBM4veJF/dO/zhFk44bh/ELXbp0/nn9QaV
+iVtQpuTvpu29eefx6PfUMqX0K++IS4NQ
+-----END PUBLIC KEY-----

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ class JWT`
`42`	`42`	`public static $timestamp = null;`
`43`	`43`
`44`	`44`	`public static $supported_algs = array(`
	`45`	`+ 'ES384' => array('openssl', 'SHA384'),`
`45`	`46`	`'ES256' => array('openssl', 'SHA256'),`
`46`	`47`	`'HS256' => array('hash_hmac', 'SHA256'),`
`47`	`48`	`'HS384' => array('hash_hmac', 'SHA384'),`
`@@ -58,7 +59,8 @@ class JWT`
`58`	`59`	`* @param string\|array\|resource $key The key, or map of keys.`
`59`	`60`	`* If the algorithm used is asymmetric, this is the public key`
`60`	`61`	`* @param array $allowed_algs List of supported verification algorithms`
`61`		`- * Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'`
	`62`	`+ * Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',`
	`63`	`+ * 'HS512', 'RS256', 'RS384', and 'RS512'`
`62`	`64`	`*`
`63`	`65`	`* @return object The JWT's payload as a PHP object`
`64`	`66`	`*`
`@@ -102,8 +104,8 @@ public static function decode($jwt, $key, array $allowed_algs = array())`
`102`	`104`	`if (!\in_array($header->alg, $allowed_algs)) {`
`103`	`105`	`throw new UnexpectedValueException('Algorithm not allowed');`
`104`	`106`	`}`
`105`		`- if ($header->alg === 'ES256') {`
`106`		`- // OpenSSL expects an ASN.1 DER sequence for ES256 signatures`
	`107`	`+ if ($header->alg === 'ES256' \|\| $header->alg === 'ES384') {`
	`108`	`+ // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures`
`107`	`109`	`$sig = self::signatureToDER($sig);`
`108`	`110`	`}`
`109`	`111`
`@@ -155,7 +157,8 @@ public static function decode($jwt, $key, array $allowed_algs = array())`
`155`	`157`	`* @param string $key The secret key.`
`156`	`158`	`* If the algorithm used is asymmetric, this is the private key`
`157`	`159`	`* @param string $alg The signing algorithm.`
`158`		`- * Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'`
	`160`	`+ * Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',`
	`161`	`+ * 'HS512', 'RS256', 'RS384', and 'RS512'`
`159`	`162`	`* @param mixed $keyId`
`160`	`163`	`* @param array $head An array with header elements to attach`
`161`	`164`	`*`
`@@ -190,7 +193,8 @@ public static function encode($payload, $key, $alg = 'HS256', $keyId = null, $he`
`190`	`193`	`* @param string $msg The message to sign`
`191`	`194`	`* @param string\|resource $key The secret key`
`192`	`195`	`* @param string $alg The signing algorithm.`
`193`		`- * Supported algorithms are 'ES256', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', and 'RS512'`
	`196`	`+ * Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',`
	`197`	`+ * 'HS512', 'RS256', 'RS384', and 'RS512'`
`194`	`198`	`*`
`195`	`199`	`* @return string An encrypted message`
`196`	`200`	`*`
`@@ -214,6 +218,9 @@ public static function sign($msg, $key, $alg = 'HS256')`
`214`	`218`	`if ($alg === 'ES256') {`
`215`	`219`	`$signature = self::signatureFromDER($signature, 256);`
`216`	`220`	`}`
	`221`	`+ if ($alg === 'ES384') {`
	`222`	`+ $signature = self::signatureFromDER($signature, 384);`
	`223`	`+ }`
`217`	`224`	`return $signature;`
`218`	`225`	`}`
`219`	`226`	`}`