/**
  * @REST\Get("/jwks", name="oidc_jwks", defaults={"_format"="json"})
  * @REST\View(templateVar="jwks")
  */
 public function getAction()
 {
     $keyStorage = $this->get('oauth2.storage.public_key');
     $pubKey = new RSA();
     $pubKey->loadKey($keyStorage->getPublicKey());
     $publicKey = \JOSE_JWK::encode($pubKey);
     $publicKey->components['kid'] = 'pub';
     $jwks = new \JOSE_JWKSet(array($publicKey));
     return new JsonResponse(json_decode($jwks->toString()));
 }
 function testThumbprint()
 {
     // Expected JWK thumbprints of the fixture public key. The default digest
     // must agree with an explicit 'sha256'.
     $expectedSha256 = 'nuBTimkcSt_AuEsD8Yv3l8CoGV31bu_3gsRDGN1iVKA';
     $expectedSha512 = '6v7pXTnQLMiQgvJlPJUdhAUSuGLzgF8C1r3ABAMFet6bc53ea-Pq4ZGbGu3RoAFsNRT1-RhTzDqtqXuLU6NOtw';

     $rsa = new RSA();
     $rsa->loadKey($this->rsa_keys['public']);
     $jwk = JOSE_JWK::encode($rsa);

     $this->assertInstanceOf('JOSE_JWK', $jwk);
     $this->assertEquals($expectedSha256, $jwk->thumbprint());
     $this->assertEquals($expectedSha256, $jwk->thumbprint('sha256'));
     $this->assertEquals($expectedSha512, $jwk->thumbprint('sha512'));
 }
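 /**
  * Verify a JSON-serialised JWS posted by a client against the local public key.
  *
  * $post is expected to be a JSON object with "protected", "payload" and
  * "signature" members in URL-safe base64. They are reassembled into compact
  * form and checked with JOSE_JWT::verify() using the key read from pub.key;
  * the verify() outcome is printed.
  *
  * @param string $post    raw request body (JSON)
  * @param array  $result  reset to an empty array (kept for existing callers)
  *
  * @throws \InvalidArgumentException if the body is not a JSON object or lacks a required member
  * @throws \RuntimeException         if pub.key cannot be read
  */
 function postCheck($post, &$result)
 {
     $result = array();

     // reject malformed input up front instead of concatenating undefined indexes
     $raw = json_decode($post, true);
     if (!is_array($raw)) {
         throw new \InvalidArgumentException('postCheck: body is not a JSON object');
     }
     foreach (array('protected', 'payload', 'signature') as $member) {
         if (!isset($raw[$member]) || !is_string($raw[$member])) {
             throw new \InvalidArgumentException("postCheck: missing or invalid '$member' member");
         }
     }

     // our own public key, used to check the signature
     $pem = file_get_contents('pub.key');
     if ($pem === false) {
         throw new \RuntimeException('postCheck: unable to read pub.key');
     }
     $public_key = new RSA();
     $public_key->loadKey($pem);

     $jwt = new JOSE_JWT();
     $jwt->raw = $raw["protected"] . "." . $raw["payload"] . "." . $raw["signature"];
     $jwt->header = json_decode(JOSE_URLSafeBase64::decode($raw["protected"]), true);
     $jwt->claims = json_decode(JOSE_URLSafeBase64::decode($raw["payload"]), true);
     $jwt->signature = JOSE_URLSafeBase64::decode($raw["signature"]);

     // The token (header, claims and signature) is no longer dumped to a fixed
     // path under /tmp: that debug write leaked whatever credential the client
     // sent to any local user and was vulnerable to symlink replacement.
     print_r($jwt->verify($public_key));
 }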
 function testVerifyWithJWK()
 {
     // Compact JWS whose header decodes to {"typ":"JWT","alg":"RS256"} and whose
     // payload decodes to {"foo":"bar"}; it must verify with the fixture public key
     // when that key is supplied in JWK form.
     $compact = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.GzzxRgDHjgBjDkbMsKaFhWnQ43xKlh8T7Ce34b9ye4afuIfE2EglIlK1itGRx1PtH7UOcwtXVWElJ0lHuuTl6hCUL5SDOMJxiPfr5SkTZFWy2SlSYNtdRfra6NPeEa3-a_15dUYv41QY14TCl5HaP7jeMLeqcTlMcjra9fDPMWUciSyWay6025wUiSQBmWW-19GNZQnRHxXNX3lCVMEQMASYT-6QqBvoiJ6vezIt08RghgGdMH1iGY_Gnb7ISuA-lvKk6fcQvQ3MN5Cx0CeqXlXP8NQQF0OwkUgTjNGsKmCG6jKlLZLeXJb72KVK1yR-6jp7OQqqzrovIP7lp-FwIw';

     $rsa = new RSA();
     $rsa->loadKey($this->rsa_keys['public']);
     $jwk = JOSE_JWK::encode($rsa);

     $jws = new JOSE_JWS(JOSE_JWT::decode($compact));
     $this->assertInstanceOf('JOSE_JWS', $jws->verify($jwk));
 }
 /**
  * {@inheritDoc}
  *
  * Loads $publicKey into the RSA instance from getRsa() and returns the
  * thumbprint of its JWK encoding, using the library's default digest.
  */
 public function getPublicKeyThumbprint($publicKey)
 {
     $rsa = $this->getRsa();
     $rsa->loadKey($publicKey);
     $jwk = \JOSE_JWK::encode($rsa);
     return $jwk->thumbprint();
 }
 /**
  * Sign an array of parameters using provided keys and nonce
  *
  * The public key is placed in the JWT header as a JWK together with the
  * nonce, and the parameters are signed RS256 with $privateKey.
  *
  * @param array   $params
  * @param string  $privateKey
  * @param string  $publicKey
  * @param string  $nonce
  *
  * @return string Json encoded signed params
  *
  * @throws \InvalidArgumentException when $nonce is empty
  */
 protected function signParams(array $params, $privateKey, $publicKey, $nonce)
 {
     // note: empty() also rejects the string '0'
     if (empty($nonce)) {
         throw new \InvalidArgumentException('Empty nonce provided');
     }

     $rsa = $this->getRsa();
     $rsa->loadKey($publicKey);

     $jwt = new \JOSE_JWT($params);
     $jwt->header['jwk'] = \JOSE_JWK::encode($rsa)->components;
     $jwt->header['nonce'] = $nonce;

     // RS256 rather than a SHA-512 variant: as of 20151203, boulder doesn't support SHA512
     $signed = $jwt->sign($privateKey, 'RS256');
     return $signed->toJson();
 }
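 /**
  * Call a ACME standard URL using JWS encoding signing for $this->userKey
  *
  * The request body is a JWS whose header carries our public key as a JWK and
  * the current anti-replay nonce; the Replay-Nonce header of the answer (if any)
  * replaces the stored nonce for the next call.
  *
  * @param string      $api      api url to call (short name, like "new-reg" or starting by http)
  * @param array       $params   list of key=>value to sent as a json object or array.
  * @param string|null $resource ACME "resource" value; defaults to $api for a short
  *                              name and is mandatory when $api is a URL
  * @return array the api call result (header + decoded content)
  * @throws AcmeException            when $api is a URL and no $resource is given
  * @throws \InvalidArgumentException when $api is not a known short name
  */
 private function stdCall($api, $params, $resource = null)
 {
     $this->init();
     $public_key = new RSA();
     $public_key->loadKey($this->userKey["publickey"]);
     $jwk = \JOSE_JWK::encode($public_key);
     // => JOSE_JWK instance
     if (substr($api, 0, 4) === "http") {
         $url = $api;
         if (is_null($resource)) {
             throw new AcmeException("stdCall with URL api MUST include resource name", 14);
         }
     } else {
         // an unknown short name used to produce a null URL (undefined index) and a
         // signed request sent nowhere; fail loudly instead
         if (!isset($this->apiUrl[$api])) {
             throw new \InvalidArgumentException("stdCall: unknown api short name '$api'");
         }
         $url = $this->apiUrl[$api];
         if (is_null($resource)) {
             $resource = $api;
         }
     }
     $params["resource"] = $resource;
     $jwt = new \JOSE_JWT($params);
     $jwt->header['jwk'] = $jwk->components;
     $jwt->header['nonce'] = $this->nonce;
     // as of 20151203, boulder doesn't support SHA512
     $jws = $jwt->sign($this->userKey["privatekey"], 'RS256');
     // call the API
     $httpResult = $this->http->post($url, $jws->toJson());
     // save the new Nonce so that the next call has it ready to use; without a
     // Replay-Nonce header the stored nonce is cleared rather than reused
     if (isset($httpResult[0]["Replay-Nonce"]) && $httpResult[0]["Replay-Nonce"]) {
         $this->nonce = $httpResult[0]["Replay-Nonce"][0];
         $this->db->setStatus(array("nonce" => $this->nonce));
     } else {
         $this->nonce = null;
     }
     $httpResult[1] = json_decode($httpResult[1]);
     return $httpResult;
 }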
 function testDecodeWithUnexpectedAlg()
 {
     // An EC key description with placeholder curve and coordinates must be
     // rejected by decode() as an unexpected algorithm rather than accepted.
     $this->setExpectedException('JOSE_Exception_UnexpectedAlgorithm');
     JOSE_JWK::decode(array(
         'kty' => 'EC',
         'crv' => 'crv',
         'x'   => 'x',
         'y'   => 'y',
     ));
 }