/**
 * @REST\Get("/jwks", name="oidc_jwks", defaults={"_format"="json"})
 * @REST\View(templateVar="jwks")
 */
public function getAction()
{
    // Only the public key material fetched from the storage service is
    // encoded; nothing else from the key store is exposed by this endpoint.
    $keyStorage = $this->get('oauth2.storage.public_key');

    $rsa = new RSA();
    $rsa->loadKey($keyStorage->getPublicKey());

    $jwk = \JOSE_JWK::encode($rsa);
    // The key id is hard-coded: exactly one key is advertised, so a rotation
    // would need a distinct "kid" to let clients tell old and new apart.
    $jwk->components['kid'] = 'pub';

    $jwkSet = new \JOSE_JWKSet(array($jwk));

    // JOSE_JWKSet serialises to a JSON string; decode it so JsonResponse
    // re-encodes it as a structured JSON document instead of a quoted string.
    $document = json_decode($jwkSet->toString());

    return new JsonResponse($document);
}
function testThumbprint()
{
    // Encode the fixture public key as a JWK and check its thumbprint for
    // the default hash, an explicit sha256 and sha512.
    $rsa = new RSA();
    $rsa->loadKey($this->rsa_keys['public']);
    $jwk = JOSE_JWK::encode($rsa);
    $this->assertInstanceOf('JOSE_JWK', $jwk);

    $sha256 = 'nuBTimkcSt_AuEsD8Yv3l8CoGV31bu_3gsRDGN1iVKA';
    $sha512 = '6v7pXTnQLMiQgvJlPJUdhAUSuGLzgF8C1r3ABAMFet6bc53ea-Pq4ZGbGu3RoAFsNRT1-RhTzDqtqXuLU6NOtw';

    // No argument and an explicit 'sha256' must agree: sha256 is the default.
    $this->assertEquals($sha256, $jwk->thumbprint());
    $this->assertEquals($sha256, $jwk->thumbprint('sha256'));
    $this->assertEquals($sha512, $jwk->thumbprint('sha512'));
}
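/**
 * Verify a JWS in flattened JSON serialisation posted by a client against
 * the local public key stored in pub.key, and print the verification result.
 *
 * @param string $post   raw request body: a JSON object with the members
 *                       "protected", "payload" and "signature" (base64url)
 * @param array  $result filled by reference: empty on a processed request,
 *                       carries an 'error' entry when the body could not be
 *                       handled (nothing is verified or printed in that case)
 *
 * @return void
 */
function postCheck($post, &$result)
{
    $result = array();

    // json_decode() yields null on malformed input; without these checks a
    // missing or non-string member only surfaces as PHP notices and a
    // meaningless verify of an empty token.
    $raw = json_decode($post, true);
    if (!is_array($raw)) {
        $result['error'] = 'malformed JWS: request body is not a JSON object';
        return;
    }
    foreach (array('protected', 'payload', 'signature') as $member) {
        if (!isset($raw[$member]) || !is_string($raw[$member])) {
            $result['error'] = "malformed JWS: missing or non-string '$member'";
            return;
        }
    }

    // file_get_contents() returns false (not an exception) when the key file
    // is unreadable; loadKey() would otherwise be handed a boolean.
    $pem = file_get_contents('pub.key');
    if ($pem === false) {
        $result['error'] = 'unable to read pub.key';
        return;
    }
    $public_key = new RSA();
    $public_key->loadKey($pem);

    // Rebuild the compact serialisation and its decoded parts for JOSE_JWT.
    $jwt = new JOSE_JWT();
    $jwt->raw = $raw['protected'] . '.' . $raw['payload'] . '.' . $raw['signature'];
    $jwt->header = json_decode(JOSE_URLSafeBase64::decode($raw['protected']), true);
    $jwt->claims = json_decode(JOSE_URLSafeBase64::decode($raw['payload']), true);
    $jwt->signature = JOSE_URLSafeBase64::decode($raw['signature']);

    // The token is deliberately not dumped to a fixed path under /tmp any
    // more: that persisted a signed token at a predictable, shared location.
    // Use a logger with appropriate permissions if debugging output is needed.
    print_r($jwt->verify($public_key));
}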
function testVerifyWithJWK()
{
    // The verifying key is handed to JOSE_JWS as a JWK rather than as the
    // raw RSA object.
    $rsa = new RSA();
    $rsa->loadKey($this->rsa_keys['public']);
    $jwk = JOSE_JWK::encode($rsa);

    // Compact-serialised token: header {"typ":"JWT","alg":"RS256"}, claims
    // {"foo":"bar"}, presumably signed with the private half of the fixture
    // key pair (the test only exercises the public side).
    $compact = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.GzzxRgDHjgBjDkbMsKaFhWnQ43xKlh8T7Ce34b9ye4afuIfE2EglIlK1itGRx1PtH7UOcwtXVWElJ0lHuuTl6hCUL5SDOMJxiPfr5SkTZFWy2SlSYNtdRfra6NPeEa3-a_15dUYv41QY14TCl5HaP7jeMLeqcTlMcjra9fDPMWUciSyWay6025wUiSQBmWW-19GNZQnRHxXNX3lCVMEQMASYT-6QqBvoiJ6vezIt08RghgGdMH1iGY_Gnb7ISuA-lvKk6fcQvQ3MN5Cx0CeqXlXP8NQQF0OwkUgTjNGsKmCG6jKlLZLeXJb72KVK1yR-6jp7OQqqzrovIP7lp-FwIw';

    $jws = new JOSE_JWS(JOSE_JWT::decode($compact));
    $verified = $jws->verify($jwk);

    // verify() returns the JWS itself on success (and throws otherwise).
    $this->assertInstanceOf('JOSE_JWS', $verified);
}
/**
 * {@inheritDoc}
 */
public function getPublicKeyThumbprint($publicKey)
{
    // Load the key material into whatever RSA instance getRsa() provides,
    // then derive the JWK thumbprint using JOSE_JWK's default hash.
    $key = $this->getRsa();
    $key->loadKey($publicKey);
    $jwk = \JOSE_JWK::encode($key);

    return $jwk->thumbprint();
}
/**
 * Sign an array of parameters using provided keys and nonce
 *
 * @param array  $params
 * @param string $privateKey
 * @param string $publicKey
 * @param string $nonce
 *
 * @return string Json encoded signed params
 *
 * @throws \InvalidArgumentException
 */
protected function signParams(array $params, $privateKey, $publicKey, $nonce)
{
    // Note that empty() also treats the string "0" as empty.
    if (empty($nonce)) {
        throw new \InvalidArgumentException('Empty nonce provided');
    }

    $rsa = $this->getRsa();
    $rsa->loadKey($publicKey);
    $jwkComponents = \JOSE_JWK::encode($rsa)->components;

    // The public JWK rides in the header so the receiver can check the
    // signature; the nonce ties the request to the value it was issued.
    $jwt = new \JOSE_JWT($params);
    $jwt->header['jwk'] = $jwkComponents;
    $jwt->header['nonce'] = $nonce;

    // as of 20151203, boulder doesn't support SHA512
    $signed = $jwt->sign($privateKey, 'RS256');

    return $signed->toJson();
}
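/**
 * Call a ACME standard URL using JWS encoding signing for $this->userKey
 *
 * @param string      $api      api url to call (short name, like "new-reg" or starting by http)
 * @param array       $params   list of key=>value to sent as a json object or array.
 * @param string|null $resource ACME "resource" member of the payload; defaults to
 *                              $api for a short name, mandatory for a full URL
 *
 * @return array the api call result (header + decoded content)
 *
 * @throws AcmeException            when a full URL is given without a resource name
 * @throws \InvalidArgumentException when a short api name is not in $this->apiUrl
 */
private function stdCall($api, $params, $resource = null)
{
    $this->init();

    // Resolve the target URL and the "resource" value before touching keys,
    // so a caller error fails fast.
    if (strncmp($api, "http", 4) === 0) {
        $url = $api;
        if ($resource === null) {
            throw new AcmeException("stdCall with URL api MUST include resource name", 14);
        }
    } else {
        if (!isset($this->apiUrl[$api])) {
            // An unknown short name used to yield a null URL (undefined index
            // notice) and a request to nowhere.
            throw new \InvalidArgumentException("stdCall: unknown api name '$api'");
        }
        $url = $this->apiUrl[$api];
        if ($resource === null) {
            $resource = $api;
        }
    }
    $params["resource"] = $resource;

    // The account public key is carried in the JWS header as a JWK.
    $public_key = new RSA();
    $public_key->loadKey($this->userKey["publickey"]);
    $jwk = \JOSE_JWK::encode($public_key);

    $jwt = new \JOSE_JWT($params);
    $jwt->header['jwk'] = $jwk->components;
    $jwt->header['nonce'] = $this->nonce;
    // as of 20151203, boulder doesn't support SHA512
    $jws = $jwt->sign($this->userKey["privatekey"], 'RS256');

    // call the API
    $httpResult = $this->http->post($url, $jws->toJson());

    // Keep the Replay-Nonce from the response for the next call and persist
    // it so a later process starts with a usable nonce.
    if (!empty($httpResult[0]["Replay-Nonce"])) {
        $this->nonce = $httpResult[0]["Replay-Nonce"][0];
        $this->db->setStatus(array("nonce" => $this->nonce));
    } else {
        // No nonce in the response: the in-memory value is cleared but the
        // persisted one is left untouched (existing behaviour).
        $this->nonce = null;
    }

    // json_decode() returns null for a non-JSON body; callers see null then.
    $httpResult[1] = json_decode($httpResult[1]);

    return $httpResult;
}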
function testDecodeWithUnexpectedAlg()
{
    // An EC key set is expected to be refused by JOSE_JWK::decode() with a
    // dedicated exception rather than being treated as RSA material.
    $ecComponents = array(
        'kty' => 'EC',
        'crv' => 'crv',
        'x'   => 'x',
        'y'   => 'y',
    );

    $this->setExpectedException('JOSE_Exception_UnexpectedAlgorithm');
    JOSE_JWK::decode($ecComponents);
}