Merge branch 'main' into add-ec-jwk-support

Author: bshaffer

.github/workflows/tests.yml

@@ -41,3 +41,17 @@ jobs:
           composer require friendsofphp/php-cs-fixer
           vendor/bin/php-cs-fixer fix --diff --dry-run .
           vendor/bin/php-cs-fixer fix --rules=native_function_invocation --allow-risky=yes --diff src
+
+  staticanalysis:
+    runs-on: ubuntu-latest
+    name: PHPStan Static Analysis
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.0'
+    - name: Run Script
+      run: |
+        composer global require phpstan/phpstan
+        ~/.composer/vendor/bin/phpstan analyse

phpstan.neon.dist

@@ -0,0 +1,5 @@
+parameters:
+    level: 7
+    paths:
+    - src
+    treatPhpDocTypesAsCertain: false

src/JWK.php

@@ -34,7 +34,7 @@ class JWK
     /**
      * Parse a set of JWK keys
      *
-     * @param array $jwks The JSON Web Key Set as an associative array
+     * @param array<mixed> $jwks The JSON Web Key Set as an associative array
      *
      * @return array<string, Key> An associative array of key IDs (kid) to Key objects
      *
@@ -59,7 +59,7 @@ public static function parseKeySet(array $jwks): array
         foreach ($jwks['keys'] as $k => $v) {
             $kid = isset($v['kid']) ? $v['kid'] : $k;
             if ($key = self::parseKey($v)) {
-                $keys[$kid] = $key;
+                $keys[(string) $kid] = $key;
             }
         }
 
@@ -73,7 +73,7 @@ public static function parseKeySet(array $jwks): array
     /**
      * Parse a JWK key
      *
-     * @param array $jwk An individual JWK
+     * @param array<mixed> $jwk An individual JWK
      *
      * @return Key The key object for the JWK
      *
@@ -194,10 +194,16 @@ private static function createPemFromCrvAndXYCoordinates(string $crv, string $x,
      *
      * @uses encodeLength
      */
-    private static function createPemFromModulusAndExponent(string $n, string $e): string
-    {
-        $modulus = JWT::urlsafeB64Decode($n);
-        $publicExponent = JWT::urlsafeB64Decode($e);
+    private static function createPemFromModulusAndExponent(
+        string $n,
+        string $e
+    ): string {
+        if (false === ($modulus = JWT::urlsafeB64Decode($n))) {
+            throw new UnexpectedValueException('Invalid JWK encoding');
+        }
+        if (false === ($publicExponent = JWT::urlsafeB64Decode($e))) {
+            throw new UnexpectedValueException('Invalid header encoding');
+        }
 
         $components = [
             'modulus' => \pack('Ca*a*', 2, self::encodeLength(\strlen($modulus)), $modulus),

src/JWT.php

@@ -7,6 +7,8 @@
 use Exception;
 use InvalidArgumentException;
 use OpenSSLAsymmetricKey;
+use OpenSSLCertificate;
+use TypeError;
 use UnexpectedValueException;
 use DateTime;
 use stdClass;
@@ -37,6 +39,9 @@ class JWT
      */
     public static int $leeway = 0;
 
+    /**
+     * @var array<string, string[]>
+     */
     public static array $supported_algs = [
         'ES384' => ['openssl', 'SHA384'],
         'ES256' => ['openssl', 'SHA256'],
@@ -85,10 +90,16 @@ public static function decode(string $jwt, Key|array|ArrayAccess $keyOrKeyArray)
             throw new UnexpectedValueException('Wrong number of segments');
         }
         list($headb64, $bodyb64, $cryptob64) = $tks;
-        if (null === ($header = static::jsonDecode(static::urlsafeB64Decode($headb64)))) {
+        if (false === ($headerRaw = static::urlsafeB64Decode($headb64))) {
+            throw new UnexpectedValueException('Invalid header encoding');
+        }
+        if (null === ($header = static::jsonDecode($headerRaw))) {
             throw new UnexpectedValueException('Invalid header encoding');
         }
-        if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
+        if (false === ($payloadRaw = static::urlsafeB64Decode($bodyb64))) {
+            throw new UnexpectedValueException('Invalid claims encoding');
+        }
+        if (null === ($payload = static::jsonDecode($payloadRaw))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
         if (!$payload instanceof stdClass) {
@@ -115,7 +126,7 @@ public static function decode(string $jwt, Key|array|ArrayAccess $keyOrKeyArray)
             // OpenSSL expects an ASN.1 DER sequence for ES256/ES384 signatures
             $sig = self::signatureToDER($sig);
         }
-        if (!static::verify("$headb64.$bodyb64", $sig, $key->getKeyMaterial(), $header->alg)) {
+        if (!self::verify("$headb64.$bodyb64", $sig, $key->getKeyMaterial(), $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
 
@@ -147,11 +158,10 @@ public static function decode(string $jwt, Key|array|ArrayAccess $keyOrKeyArray)
     /**
      * Converts and signs a PHP object or array into a JWT string.
      *
-     * @param array                       $payload    PHP array
-     * @param string|OpenSSLAsymmetricKey $key        The secret key.
-     *                                             If the algorithm used is asymmetric, this is the private key
-     * @param string            $keyId
-     * @param array             $head              An array with header elements to attach
+     * @param array<mixed>          $payload PHP array
+     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed> $key The secret key.
+     * @param string                $keyId
+     * @param array<string, string> $head    An array with header elements to attach
      *
      * @return string A signed JWT
      *
@@ -160,7 +170,7 @@ public static function decode(string $jwt, Key|array|ArrayAccess $keyOrKeyArray)
      */
     public static function encode(
         array $payload,
-        string|OpenSSLAsymmetricKey $key,
+        string|OpenSSLAsymmetricKey|OpenSSLCertificate|array $key,
         string $alg,
         string $keyId = null,
         array $head = null
@@ -173,8 +183,8 @@ public static function encode(
             $header = \array_merge($head, $header);
         }
         $segments = [];
-        $segments[] = static::urlsafeB64Encode(static::jsonEncode($header));
-        $segments[] = static::urlsafeB64Encode(static::jsonEncode($payload));
+        $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($header));
+        $segments[] = static::urlsafeB64Encode((string) static::jsonEncode($payload));
         $signing_input = \implode('.', $segments);
 
         $signature = static::sign($signing_input, $key, $alg);
@@ -186,23 +196,29 @@ public static function encode(
     /**
      * Sign a string with a given key and algorithm.
      *
-     * @param string                      $msg  The message to sign
-     * @param string|OpenSSLAsymmetricKey $key  The secret key.
-     * @param string                      $alg  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
-     *                                                   'HS512', 'RS256', 'RS384', and 'RS512'
+     * @param string $msg  The message to sign
+     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed>  $key  The secret key.
+     * @param string $alg  Supported algorithms are 'ES384','ES256', 'HS256', 'HS384',
+     *                    'HS512', 'RS256', 'RS384', and 'RS512'
      *
      * @return string An encrypted message
      *
      * @throws DomainException Unsupported algorithm or bad key was specified
      */
-    public static function sign(string $msg, string|OpenSSLAsymmetricKey $key, string $alg): string
-    {
+    public static function sign(
+        string $msg,
+        string|OpenSSLAsymmetricKey|OpenSSLCertificate|array $key,
+        string $alg
+    ): string {
         if (empty(static::$supported_algs[$alg])) {
             throw new DomainException('Algorithm not supported');
         }
         list($function, $algorithm) = static::$supported_algs[$alg];
         switch ($function) {
             case 'hash_hmac':
+                if (!is_string($key)) {
+                    throw new InvalidArgumentException('key must be a string when using hmac');
+                }
                 return \hash_hmac($algorithm, $msg, $key, true);
             case 'openssl':
                 $signature = '';
@@ -220,25 +236,30 @@ public static function sign(string $msg, string|OpenSSLAsymmetricKey $key, strin
                 if (!function_exists('sodium_crypto_sign_detached')) {
                     throw new DomainException('libsodium is not available');
                 }
+                if (!is_string($key)) {
+                    throw new InvalidArgumentException('key must be a string when using EdDSA');
+                }
                 try {
                     // The last non-empty line is used as the key.
                     $lines = array_filter(explode("\n", $key));
-                    $key = base64_decode(end($lines));
+                    $key = base64_decode((string) end($lines));
                     return sodium_crypto_sign_detached($msg, $key);
                 } catch (Exception $e) {
                     throw new DomainException($e->getMessage(), 0, $e);
                 }
         }
+
+        throw new DomainException('Algorithm not supported');
     }
 
     /**
      * Verify a signature with the message, key and method. Not all methods
      * are symmetric, so we must have a separate verify and sign method.
      *
-     * @param string                      $msg        The original message (header and body)
-     * @param string                      $signature  The original signature
-     * @param string|OpenSSLAsymmetricKey $key        For HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey
-     * @param string                      $alg        The algorithm
+     * @param string $msg         The original message (header and body)
+     * @param string $signature   The original signature
+     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate|array<mixed>  $keyMaterial For HS*, a string key works. for RS*, must be an instance of OpenSSLAsymmetricKey
+     * @param string $alg         The algorithm
      *
      * @return bool
      *
@@ -247,7 +268,7 @@ public static function sign(string $msg, string|OpenSSLAsymmetricKey $key, strin
     private static function verify(
         string $msg,
         string $signature,
-        string|OpenSSLAsymmetricKey $keyMaterial,
+        string|OpenSSLAsymmetricKey|OpenSSLCertificate|array $keyMaterial,
         string $alg
     ): bool {
         if (empty(static::$supported_algs[$alg])) {
@@ -271,16 +292,22 @@ private static function verify(
               if (!function_exists('sodium_crypto_sign_verify_detached')) {
                   throw new DomainException('libsodium is not available');
               }
+              if (!is_string($keyMaterial)) {
+                  throw new InvalidArgumentException('key must be a string when using EdDSA');
+              }
               try {
                   // The last non-empty line is used as the key.
                   $lines = array_filter(explode("\n", $keyMaterial));
-                  $key = base64_decode(end($lines));
+                  $key = base64_decode((string) end($lines));
                   return sodium_crypto_sign_verify_detached($signature, $msg, $key);
               } catch (Exception $e) {
                   throw new DomainException($e->getMessage(), 0, $e);
               }
             case 'hash_hmac':
             default:
+                if (!is_string($keyMaterial)) {
+                    throw new InvalidArgumentException('key must be a string when using hmac');
+                }
                 $hash = \hash_hmac($algorithm, $msg, $keyMaterial, true);
                 return self::constantTimeEquals($hash, $signature);
         }
@@ -300,7 +327,7 @@ public static function jsonDecode(string $input): mixed
         $obj = \json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
 
         if ($errno = \json_last_error()) {
-            static::handleJsonError($errno);
+            self::handleJsonError($errno);
         } elseif ($obj === null && $input !== 'null') {
             throw new DomainException('Null result with non-null input');
         }
@@ -310,13 +337,13 @@ public static function jsonDecode(string $input): mixed
     /**
      * Encode a PHP array into a JSON string.
      *
-     * @param array $input A PHP array
+     * @param array<mixed> $input A PHP array
      *
-     * @return string JSON representation of the PHP array
+     * @return string|false JSON representation of the PHP array
      *
      * @throws DomainException Provided object could not be encoded to valid JSON
      */
-    public static function jsonEncode(array $input): string
+    public static function jsonEncode(array $input): string|false
     {
         if (PHP_VERSION_ID >= 50400) {
             $json = \json_encode($input, \JSON_UNESCAPED_SLASHES);
@@ -325,7 +352,7 @@ public static function jsonEncode(array $input): string
             $json = \json_encode($input);
         }
         if ($errno = \json_last_error()) {
-            static::handleJsonError($errno);
+            self::handleJsonError($errno);
         } elseif ($json === 'null' && $input !== null) {
             throw new DomainException('Null result with non-null input');
         }
@@ -339,7 +366,7 @@ public static function jsonEncode(array $input): string
      *
      * @return string A decoded string
      */
-    public static function urlsafeB64Decode(string $input): string
+    public static function urlsafeB64Decode(string $input): string|false
     {
         $remainder = \strlen($input) % 4;
         if ($remainder) {
@@ -378,29 +405,22 @@ private static function getKey(Key|array|ArrayAccess $keyOrKeyArray, ?string $ki
             return $keyOrKeyArray;
         }
 
-        if (is_array($keyOrKeyArray) || $keyOrKeyArray instanceof ArrayAccess) {
-            foreach ($keyOrKeyArray as $keyId => $key) {
-                if (!$key instanceof Key) {
-                    throw new TypeError(
-                        '$keyOrKeyArray must be an instance of Firebase\JWT\Key key or an '
-                        . 'array of Firebase\JWT\Key keys'
-                    );
-                }
-            }
-            if (!isset($kid)) {
-                throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
-            }
-            if (!isset($keyOrKeyArray[$kid])) {
-                throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
+        foreach ($keyOrKeyArray as $keyId => $key) {
+            if (!$key instanceof Key) {
+                throw new TypeError(
+                    '$keyOrKeyArray must be an instance of Firebase\JWT\Key key or an '
+                    . 'array of Firebase\JWT\Key keys'
+                );
             }
-
-            return $keyOrKeyArray[$kid];
+        }
+        if (!isset($kid)) {
+            throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
+        }
+        if (!isset($keyOrKeyArray[$kid])) {
+            throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
         }
 
-        throw new UnexpectedValueException(
-            '$keyOrKeyArray must be an instance of Firebase\JWT\Key key or an '
-            . 'array of Firebase\JWT\Key keys'
-        );
+        return $keyOrKeyArray[$kid];
     }
 
     /**
@@ -413,13 +433,13 @@ public static function constantTimeEquals(string $left, string $right): bool
         if (\function_exists('hash_equals')) {
             return \hash_equals($left, $right);
         }
-        $len = \min(static::safeStrlen($left), static::safeStrlen($right));
+        $len = \min(self::safeStrlen($left), self::safeStrlen($right));
 
         $status = 0;
         for ($i = 0; $i < $len; $i++) {
             $status |= (\ord($left[$i]) ^ \ord($right[$i]));
         }
-        $status |= (static::safeStrlen($left) ^ static::safeStrlen($right));
+        $status |= (self::safeStrlen($left) ^ self::safeStrlen($right));
 
         return ($status === 0);
     }
@@ -473,7 +493,8 @@ private static function safeStrlen(string $str): int
     private static function signatureToDER(string $sig): string
     {
         // Separate the signature into r-value and s-value
-        list($r, $s) = \str_split($sig, (int) (\strlen($sig) / 2));
+        $length = max(1, (int) (\strlen($sig) / 2));
+        list($r, $s) = \str_split($sig, $length > 0 ? $length : 1);
 
         // Trim leading zeros
         $r = \ltrim($r, "\x00");
@@ -553,7 +574,7 @@ private static function signatureFromDER(string $der, int $keySize): string
      * @param int $offset the offset of the data stream containing the object
      * to decode
      *
-     * @return array [$offset, $data] the new offset and the decoded object
+     * @return array{int, string|null} the new offset and the decoded object
      */
     private static function readDER(string $der, int $offset = 0): array
     {