public function testTestBC()
{
$data = array(array('order_nr' => 'ae123123'), array('username' => 'asdasdasd'), array('anything' => '!@#$%^&*()_+'));
foreach ($data as $payload) {
$jwsOld = new JWS(array('alg' => 'RS256'));
$jwsOld->setEncoder(new Base64Encoder());
$jwsOld->setPayload($payload);
$jwsOld->sign(openssl_pkey_get_private(SSL_KEYS_PATH . 'private.key', self::SSL_KEY_PASSPHRASE));
$t = $jwsOld->getTokenString();
$jwsNew = JWS::load($t);
$this->assertTrue($jwsNew->verify(openssl_pkey_get_public(SSL_KEYS_PATH . 'public.key')));
}
}
/**
* Decode a JSON Web Token.
*
* @param string $token
*
* @throws \Tymon\JWTAuth\Exceptions\JWTException
*
* @return array
*/
public function decode($token)
{
try {
// Let's never allow insecure tokens
$jws = $this->jws->load($token, false);
} catch (InvalidArgumentException $e) {
throw new TokenInvalidException('Could not decode token: ' . $e->getMessage());
}
if (!$jws->verify($this->getVerificationKey(), $this->getAlgo())) {
throw new TokenInvalidException('Token Signature could not be verified.');
}
return (array) $jws->getPayload();
}
public function testTestBC()
{
$data = array(array("order_nr" => "ae123123"), array("username" => "asdasdasd"), array("anything" => "!@#\$%^&*()_+"));
foreach ($data as $payload) {
$jwsOld = new JWS("RS256");
$jwsOld->setEncoder(new Base64Encoder());
$jwsOld->setPayload($payload);
$jwsOld->sign(openssl_pkey_get_private(SSL_KEYS_PATH . "private.key", self::SSL_KEY_PASSPHRASE));
$t = $jwsOld->getTokenString();
$jwsNew = JWS::load($t);
$this->assertTrue($jwsNew->verify(openssl_pkey_get_public(SSL_KEYS_PATH . "public.key")));
}
}
/**
* Decode a JSON Web Token
*
* @param string $token
*
* @throws \Tymon\JWTAuth\Exceptions\JWTException
*
* @return array
*/
public function decode($token)
{
try {
// let's never allow unsecure tokens
$jws = $this->jws->load($token, false);
} catch (Exception $e) {
throw new TokenInvalidException('Could not decode token: ' . $e->getMessage());
}
if (!$jws->verify($this->secret, $this->algo)) {
throw new TokenInvalidException('Token Signature could not be verified.');
}
return (array) $jws->getPayload();
}
/**
* @param RequestInterface $request
*
* @return RequestInterface
*/
public function __invoke(RequestInterface $request)
{
$uri = $request->getUri();
$path = $uri->getPath();
$path .= $uri->getQuery() != null ? '?' . $uri->getQuery() : '';
$payload = ['key' => 'master', 'exp' => time() + $this->exp, 'method' => $request->getMethod(), 'path' => $path];
if (in_array($request->getMethod(), ['PUT', 'POST'])) {
$body = $request->getBody();
$computedHash = \GuzzleHttp\Psr7\hash($body, 'sha256');
$payload['body'] = ['alg' => 'sha256', 'hash' => $computedHash];
}
$jws = new JWS(['typ' => 'JWT', 'alg' => 'HS256']);
$jws->setPayload($payload)->sign($this->secret);
$token = $jws->getTokenString();
return $request->withHeader('Authorization', 'JWT token="' . $token . '"');
}
/**
* @param string $token
*
* @return array
*
* @throws InvalidJWTException
*/
public function decode($token)
{
$jws = JWS::load($token);
if (!$jws->verify($this->key, self::ALG)) {
throw new InvalidJWTException('Invalid JWT');
}
if ($this->isExpired($payload = $jws->getPayload())) {
throw new InvalidJWTException('Expired JWT');
}
return $payload;
}
/**
* {@inheritdoc}
*/
public function decode($token)
{
try {
$jws = JWS::load($token);
} catch (\InvalidArgumentException $e) {
return false;
}
if (!$jws->isValid($this->getPublicKey(), self::ALGORYTHM)) {
return false;
}
return $jws->getPayload();
}
/**
* Decode a JSON Web Token
*
* @param string $token
* @return array
* @throws \Tymon\JWTAuth\Exceptions\JWTException
*/
public function decode($token)
{
try {
$jws = JWS::load($token);
} catch (Exception $e) {
throw new TokenInvalidException('Could not decode token: ' . $e->getMessage());
}
if (!$jws->verify($this->secret, $this->algo)) {
throw new TokenInvalidException('Token Signature could not be verified.');
}
return $jws->getPayload();
}
public function testVerifyIncorrectPubKey()
{
$content = new JWS(['alg' => 'RS256']);
$content->setPayload(['prop' => 'val'], false);
$content->sign(openssl_pkey_get_private('file://' . $GLOBALS['KEYs']['private'], $GLOBALS['KEYs']['password']));
$obj = new Statement(['actor' => ['mbox' => COMMON_MBOX], 'verb' => ['id' => COMMON_VERB_ID], 'object' => new Activity(['id' => COMMON_ACTIVITY_ID . '/StatementTest/testSignNoPassword']), 'attachments' => [['usageType' => 'http://adlnet.gov/expapi/attachments/signature', 'display' => ['en-US' => 'test display'], 'contentType' => 'application/octet-stream', 'content' => $content->getTokenString()]]]);
$newKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubKey = openssl_pkey_get_details($newKey);
$pubKey = $pubKey["key"];
$result = $obj->verify(['publicKey' => $pubKey]);
$this->assertFalse($result['success'], 'success');
$this->assertSame($result['reason'], 'Failed to verify signature', 'reason');
}
public function testLoadingWithAnyOrderOfHeaders()
{
$privateKey = openssl_pkey_get_private(SSL_KEYS_PATH . "private.key", self::SSL_KEY_PASSPHRASE);
$public_key = openssl_pkey_get_public(SSL_KEYS_PATH . "public.key");
$header = $this->jws->getHeader();
$reversedHeader = array_reverse($header);
$this->assertFalse($header === $reversedHeader);
$this->jws->setHeader($reversedHeader);
$this->jws->sign($privateKey);
$tokenString = $this->jws->getTokenString();
$jws = JWS::load($tokenString);
$this->assertTrue($reversedHeader === $jws->getHeader());
}
public function testVerificationCustomizedHeader()
{
$header = $this->jws->getHeader();
$header['test'] = true;
$this->jws->setHeader($header);
$privateKey = openssl_pkey_get_private(SSL_KEYS_PATH . 'private.key', self::SSL_KEY_PASSPHRASE);
$this->jws->sign($privateKey);
$jws = JWS::load($this->jws->getTokenString());
$public_key = openssl_pkey_get_public(SSL_KEYS_PATH . 'public.key');
$headerFromSig = $jws->getHeader();
$this->assertSame($headerFromSig['test'], true);
$this->assertTrue($jws->verify($public_key));
}
public function verify($options = array())
{
if (!isset($options['version'])) {
$options['version'] = Version::latest();
}
$signatureAttachment = null;
$signatureIndex = 0;
foreach ($this->getAttachments() as $attachment) {
if ($attachment->getUsageType() === self::SIGNATURE_USAGE_TYPE) {
$signatureAttachment = $attachment;
break;
}
$signatureIndex++;
}
if ($signatureAttachment === null) {
return array('success' => false, 'reason' => "Unable to locate signature attachment (usage type)");
}
try {
$jws = JWS::load($signatureAttachment->getContent());
} catch (\InvalidArgumentException $e) {
return array('success' => false, 'reason' => 'Failed to load JWS: ' . $e);
}
$header = $jws->getHeader();
//
// there is a JWS spec security issue with allowing non-RS algorithms
// to be specified and it is against the Tin Can spec anyways so we
// want to fail hard on non-RS algorithms
//
if (!in_array($header['alg'], array('RS256', 'RS384', 'RS512'), true)) {
throw new \InvalidArgumentException("Refusing to verify signature: Invalid signing algorithm ('" . $options['algorithm'] . "')");
}
if (isset($options['publicKey'])) {
$publicKeyFile = $options['publicKey'];
} else {
if (isset($header['x5c'])) {
$cert = "-----BEGIN CERTIFICATE-----\r\n" . chunk_split($header['x5c'][0], 64, "\r\n") . "-----END CERTIFICATE-----\r\n";
$cert = openssl_x509_read($cert);
if (!$cert) {
return array('success' => false, 'reason' => 'failed to read cert in x5c: ' . openssl_error_string());
}
$publicKeyFile = openssl_pkey_get_public($cert);
if (!$publicKeyFile) {
return array('success' => false, 'reason' => 'x5c failed to provide public key: ' . openssl_error_string());
}
} else {
return array('success' => false, 'reason' => 'No public key found or provided for verification');
}
}
if (!$jws->verify($publicKeyFile)) {
return array('success' => false, 'reason' => 'Failed to verify signature');
}
$payload = $jws->getPayload();
//
// serializing this statement as if it was going to be
// made into a signature should provide us with what we
// can expect in the payload, if the two don't match then
// the signature isn't valid, it also gives us a clone
// that we can then manipulate without affecting the
// original instance
//
// use the version from the payload as it indicates the
// version in use when the statement was serialized to
// begin with
//
$version = $payload['version'] ? $payload['version'] : Version::latest();
$serialization = $this->serializeForSignature($version);
//
// remove the signature attachment before comparing the
// serializations, if it was the only attachment and the
// signature doesn't include the 'attachments' property
// then unset it as well
//
unset($serialization['attachments'][$signatureIndex]);
if (count($serialization['attachments']) === 0 && !isset($payload['attachments'])) {
unset($serialization['attachments']);
}
//
// authority and stored are most often populated by the LRS,
// and presumably for signature purposes are *never* included
// in the signature so we are safe to remove them here
//
unset($serialization['stored']);
unset($serialization['authority']);
//
// the payload 'version' is instructive of how to serialize the
// statement for comparison, that 'version' is not required and
// when not set we need to remove the 'version' in the serialization
// which will be the current latest supported by the library
// which shouldn't be compared against what is in the signature
//
if (!isset($payload['version'])) {
unset($serialization['version']);
}
//
// a statement can be signed without having first provided an
// id, in that case the id is set by the receiving LRS, so if
// the serialization has one, presumably from retrieval from
// an LRS, remove it so that it is not compared
//
// if the statement did provide an id before signing then the
// LRS should have maintained that id, so they can be compared
//
if (!isset($payload['id'])) {
unset($serialization['id']);
}
//
// the same applies to timestamp
//
if (!isset($payload['timestamp'])) {
unset($serialization['timestamp']);
}
//
// now we can construct an object from both the payload and the
// serialization of this instance and compare the two for a match
// in meaning
//
$fromSerialization = new self($serialization);
$comparison = $fromSerialization->compareWithSignature(new self($payload));
if (!$comparison['success']) {
return array('success' => false, 'reason' => 'Statement to signature comparison failed: ' . $comparison['reason']);
}
return array('success' => true, 'jws' => $jws);
}
