verify() public static méthode

Verify a signature with the mesage, key and method. Not all methods are symmetric, so we must have a separate verify and sign method.
public static verify ( string $msg, string $signature, string | resource $key, string $method = 'HS256' ) : boolean
$msg string the original message
$signature string
$key string | resource for HS*, a string key works. for RS*, must be a resource of an openssl public key
$method string
Résultat boolean
Exemple #1
0
 /**
  * Decodes a JWT string into a PHP object.
  *
  * @param string      $jwt       The JWT
  * @param string|Array|null $key The secret key, or map of keys
  * @param bool        $verify    Don't skip verification process
  *
  * @return object      The JWT's payload as a PHP object
  * @throws UnexpectedValueException Provided JWT was invalid
  * @throws DomainException          Algorithm was not provided
  * 
  * @uses jsonDecode
  * @uses urlsafeB64Decode
  */
 public static function decode($jwt, $key = null, $verify = true)
 {
     $tks = explode('.', $jwt);
     if (count($tks) != 3) {
         throw new UnexpectedValueException('Wrong number of segments');
     }
     list($headb64, $bodyb64, $cryptob64) = $tks;
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
         throw new UnexpectedValueException('Invalid segment encoding');
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) {
         throw new UnexpectedValueException('Invalid segment encoding');
     }
     $sig = JWT::urlsafeB64Decode($cryptob64);
     if ($verify) {
         if (empty($header->alg)) {
             throw new DomainException('Empty algorithm');
         }
         if (is_array($key)) {
             if (isset($header->kid)) {
                 $key = $key[$header->kid];
             } else {
                 throw new DomainException('"kid" empty, unable to lookup correct key');
             }
         }
         if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
             throw new UnexpectedValueException('Signature verification failed');
         }
         // Check token expiry time if defined.
         if (isset($payload->exp) && time() >= $payload->exp) {
             throw new UnexpectedValueException('Expired Token');
         }
     }
     return $payload;
 }
 /**
  * Validate Jwt token
  *
  * @param string $token_field_name
  *
  * @Then /^(?:the )?response should contain jwt token in field "([^"]*)"$/
  */
 public function responseShouldContainJwtToken($token_field_name)
 {
     $response = $this->response->json();
     Assertions::assertArrayHasKey($token_field_name, $response);
     $tks = explode('.', $response[$token_field_name]);
     Assertions::assertEquals(3, count($tks));
     list($headb64, $bodyb64, $cryptob64) = $tks;
     $sig = \JWT::urlsafeB64Decode($cryptob64);
     $header = \JWT::jsonDecode(\JWT::urlsafeB64Decode($headb64));
     Assertions::assertTrue(\JWT::verify("{$headb64}.{$bodyb64}", $sig, $this->config['secret_key'], $header->alg));
 }
Exemple #3
0
 /**
  * Decodes a JWT string into a PHP object.
  *
  * @param string            $jwt            The JWT
  * @param string|array|null $key            The key, or map of keys.
  *                                          If the algorithm used is asymmetric, this is the public key
  * @param array             $allowed_algs   List of supported verification algorithms
  *                                          Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256'
  *
  * @return object The JWT's payload as a PHP object
  *
  * @throws DomainException              Algorithm was not provided
  * @throws UnexpectedValueException     Provided JWT was invalid
  * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
  * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
  * @throws BeforeValidException         Provided JWT is trying to be used before it's been created as defined by 'iat'
  * @throws ExpiredException             Provided JWT has since expired, as defined by the 'exp' claim
  *
  * @uses jsonDecode
  * @uses urlsafeB64Decode
  */
 public static function decode($jwt, $key, $allowed_algs = array())
 {
     if (empty($key)) {
         throw new InvalidArgumentException('Key may not be empty');
     }
     $tks = explode('.', $jwt);
     if (count($tks) != 3) {
         throw new UnexpectedValueException('Wrong number of segments');
     }
     list($headb64, $bodyb64, $cryptob64) = $tks;
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
         throw new UnexpectedValueException('Invalid header encoding');
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) {
         throw new UnexpectedValueException('Invalid claims encoding');
     }
     $sig = JWT::urlsafeB64Decode($cryptob64);
     if (empty($header->alg)) {
         throw new DomainException('Empty algorithm');
     }
     if (empty(self::$supported_algs[$header->alg])) {
         throw new DomainException('Algorithm not supported');
     }
     if (!is_array($allowed_algs) || !in_array($header->alg, $allowed_algs)) {
         throw new DomainException('Algorithm not allowed');
     }
     if (is_array($key) || $key instanceof \ArrayAccess) {
         if (isset($header->kid)) {
             $key = $key[$header->kid];
         } else {
             throw new DomainException('"kid" empty, unable to lookup correct key');
         }
     }
     // Check the signature
     if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
         throw new Exception('Signature verification failed');
     }
     // Check if the nbf if it is defined. This is the time that the
     // token can actually be used. If it's not yet that time, abort.
     if (isset($payload->nbf) && $payload->nbf > time() + self::$leeway) {
         throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf));
     }
     // Check that this token has been created before 'now'. This prevents
     // using tokens that have been created for later use (and haven't
     // correctly used the nbf claim).
     if (isset($payload->iat) && $payload->iat > time() + self::$leeway) {
         throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat));
     }
     // Check if this token has expired.
     if (isset($payload->exp) && time() - self::$leeway >= $payload->exp) {
         throw new ExpiredException('Expired token');
     }
     return $payload;
 }
Exemple #4
0
 public static function decode($jwt, $key, $allowed_algs = array())
 {
     if (empty($key)) {
         throw new Exception('密钥不能为空');
     }
     $tks = explode('.', $jwt);
     if (count($tks) != 3) {
         throw new Exception('分段有错误');
     }
     list($headb64, $bodyb64, $cryptob64) = $tks;
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
         throw new Exception('head编码错误');
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) {
         throw new Exception('声明编码错误');
     }
     $sig = JWT::urlsafeB64Decode($cryptob64);
     if (empty($header->alg)) {
         throw new Exception('加密算法为空');
     }
     if (empty(self::$supported_algs[$header->alg])) {
         throw new Exception('加密算法不支持');
     }
     if (!is_array($allowed_algs) || !in_array($header->alg, $allowed_algs)) {
         throw new Exception('加密算法不允许使用');
     }
     if (is_array($key) || $key instanceof \ArrayAccess) {
         if (isset($header->kid)) {
             $key = $key[$header->kid];
         } else {
             throw new Exception('"kid"为空');
         }
     }
     // Check the signature
     if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
         throw new Exception('签名认证失败');
     }
     if (isset($payload->nbf) && $payload->nbf > time() + self::$leeway) {
         throw new Exception('此日期前不能使用 ' . date(DateTime::ISO8601, $payload->nbf));
     }
     if (isset($payload->iat) && $payload->iat > time() + self::$leeway) {
         throw new Exception('令牌此日期前不能使用 ' . date(DateTime::ISO8601, $payload->iat));
     }
     // Check if this token has expired.
     if (isset($payload->exp) && time() - self::$leeway >= $payload->exp) {
         throw new Exception('令牌已过期');
     }
     return $payload;
 }
Exemple #5
0
 /**
  * Decodes a JWT string into a PHP object.
  *
  * @param string      $jwt       The JWT
  * @param string|Array|null $key The secret key, or map of keys
  * @param bool        $verify    Don't skip verification process
  *
  * @return object      The JWT's payload as a PHP object
  *
  * @throws DomainException              Algorithm was not provided
  * @throws UnexpectedValueException     Provided JWT was invalid
  * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
  * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
  * @throws BeforeValidException         Provided JWT is trying to be used before it's been created as defined by 'iat'
  * @throws ExpiredException             Provided JWT has since expired, as defined by the 'exp' claim
  *
  * @uses jsonDecode
  * @uses urlsafeB64Decode
  */
 public static function decode($jwt, $key = null, $verify = true)
 {
     $tks = explode('.', $jwt);
     if (count($tks) != 3) {
         return null;
     }
     list($headb64, $bodyb64, $cryptob64) = $tks;
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
         return null;
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) {
         return null;
     }
     $sig = JWT::urlsafeB64Decode($cryptob64);
     if ($verify) {
         if (empty($header->alg)) {
             return null;
         }
         if (is_array($key)) {
             if (isset($header->kid)) {
                 $key = $key[$header->kid];
             } else {
                 return null;
             }
         }
         // Check the signature
         if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
             return null;
         }
         // Check if the nbf if it is defined. This is the time that the
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && $payload->nbf > time()) {
             return null;
         }
         // Check that this token has been created before 'now'. This prevents
         // using tokens that have been created for later use (and haven't
         // correctly used the nbf claim).
         if (isset($payload->iat) && $payload->iat > time()) {
             return null;
         }
         // Check if this token has expired.
         if (isset($payload->exp) && time() >= $payload->exp) {
             return null;
         }
     }
     return $payload;
 }
Exemple #6
0
 /**
  * Decodes a JWT string into a PHP object.
  *
  * @param string      $jwt       The JWT
  * @param string|Array|null $key The secret key, or map of keys
  * @param bool        $verify    Don't skip verification process
  *
  * @return object      The JWT's payload as a PHP object
  *
  * @throws DomainException              Algorithm was not provided
  * @throws UnexpectedValueException     Provided JWT was invalid
  * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
  * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
  * @throws BeforeValidException         Provided JWT is trying to be used before it's been created as defined by 'iat'
  * @throws ExpiredException             Provided JWT has since expired, as defined by the 'exp' claim
  *
  * @uses jsonDecode
  * @uses urlsafeB64Decode
  */
 public static function decode($jwt, $key = null, $verify = true)
 {
     $tks = JWT::split($jwt);
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($tks['header'])))) {
         throw new UnexpectedValueException('Invalid header encoding');
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($tks['body'])))) {
         throw new UnexpectedValueException('Invalid claims encoding');
     }
     $signature = JWT::urlsafeB64Decode($tks['sig']);
     if ($verify) {
         if (empty($header->alg)) {
             throw new DomainException('Empty algorithm');
         }
         if (is_array($key)) {
             if (isset($header->kid)) {
                 $key = $key[$header->kid];
             } else {
                 throw new DomainException('"kid" empty, unable to lookup correct key');
             }
         }
         // Check the signature
         if ($key && !JWT::verify($tks['header'], $tks['body'], $signature, $key, $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
         // Check if the nbf if it is defined. This is the time that the
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && $payload->nbf > time()) {
             throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf));
         }
         // Check that this token has been created before 'now'. This prevents
         // using tokens that have been created for later use (and haven't
         // correctly used the nbf claim).
         if (isset($payload->iat) && $payload->iat > time()) {
             throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat));
         }
         // Check if this token has expired.
         if (isset($payload->exp) && time() >= $payload->exp) {
             throw new ExpiredException('Expired token');
         }
     }
     return array($header, $payload, $signature);
 }
Exemple #7
0
 public function testVerify()
 {
     $msg = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.Iio6aHR0cDovL2FwcGxpY2F0aW9uL2NsaWNreT9ibGFoPTEuMjMmZi5vbz00NTYgQUMwMDAgMTIzIg.E_U8X2YpMT5K1cEiT_3-IvBYfrdIFIeVYeOqre_Z5Cg';
     $tks = JWT::split($msg);
     list(, , $signature) = JWT::decode($tks);
     $this->assertTrue(JWT::verify($tks['header'], $tks['body'], $signature, 'my_key'));
 }
Exemple #8
0
 /**
  * Decodes a JWT string into a PHP object.
  *
  * @param string      $jwt           The JWT
  * @param string|Array|null $key     The secret key, or map of keys
  * @param Array       $allowed_algs  List of supported verification algorithms
  * @param Array       $options       Extra options (audience, issuer, jwtid, subject)
  *
  * @return object      The JWT's payload as a PHP object
  *
  * @throws DomainException              Algorithm was not provided
  * @throws UnexpectedValueException     Provided JWT was invalid
  * @throws SignatureInvalidException    Provided JWT was invalid because the signature verification failed
  * @throws BeforeValidException         Provided JWT is trying to be used before it's eligible as defined by 'nbf'
  * @throws BeforeValidException         Provided JWT is trying to be used before it's been created as defined by 'iat'
  * @throws ExpiredException             Provided JWT has since expired, as defined by the 'exp' claim
  * @throws InvalidAudienceException     Provided JWT is having a 'aud' value other than audience option
  * @throws InvalidIssuerException       Provided JWT is having a 'iss' value other than issuer option
  * @throws InvalidJWTIdException        Provided JWT is having a 'jit' value other than jwtid option
  * @throws InvalidSubjectException      Provided JWT is having a 'sub' value other than subject option
  *
  * @uses jsonDecode
  * @uses urlsafeB64Decode
  */
 public static function decode($jwt, $key = null, $allowed_algs = array(), $options = array())
 {
     $tks = explode('.', $jwt);
     if (count($tks) != 3) {
         throw new UnexpectedValueException('Wrong number of segments');
     }
     list($headb64, $bodyb64, $cryptob64) = $tks;
     if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) {
         throw new UnexpectedValueException('Invalid header encoding');
     }
     if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) {
         throw new UnexpectedValueException('Invalid claims encoding');
     }
     $sig = JWT::urlsafeB64Decode($cryptob64);
     if (isset($key)) {
         if (empty($header->alg)) {
             throw new DomainException('Empty algorithm');
         }
         if (empty(self::$supported_algs[$header->alg])) {
             throw new DomainException('Algorithm not supported');
         }
         if (!is_array($allowed_algs) || !in_array($header->alg, $allowed_algs)) {
             throw new DomainException('Algorithm not allowed');
         }
         if (is_array($key) || $key instanceof \ArrayAccess) {
             if (isset($header->kid)) {
                 $key = $key[$header->kid];
             } else {
                 throw new DomainException('"kid" empty, unable to lookup correct key');
             }
         }
         // Check the signature
         if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) {
             throw new SignatureInvalidException('Signature verification failed');
         }
         // Check if the nbf if it is defined. This is the time that the
         // token can actually be used. If it's not yet that time, abort.
         if (isset($payload->nbf) && $payload->nbf > time() + self::$leeway) {
             throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf));
         }
         // Check that this token has been created before 'now'. This prevents
         // using tokens that have been created for later use (and haven't
         // correctly used the nbf claim).
         if (isset($payload->iat) && $payload->iat > time() + self::$leeway) {
             throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat));
         }
         // Check if this token has expired.
         if (isset($payload->exp) && time() - self::$leeway >= $payload->exp) {
             throw new ExpiredException('Expired token');
         }
         if (isset($options['issuer']) && is_string($options['issuer'])) {
             if (!isset($payload->iss) || !is_string($payload->iss) || $payload->iss !== $options['issuer']) {
                 throw new InvalidIssuerException('Invalid issuer');
             }
         }
         if (isset($options['subject']) && is_string($options['subject'])) {
             if (!isset($payload->sub) || !is_string($payload->sub) || $payload->sub !== $options['subject']) {
                 throw new InvalidSubjectException('Invalid subject');
             }
         }
         if (isset($options['jwtid']) && is_string($options['jwtid'])) {
             if (!isset($payload->jti) || !is_string($payload->jti) || $payload->jti !== $options['jwtid']) {
                 throw new InvalidJWTIdException('Invalid JWT ID');
             }
         }
         if (isset($options['audience']) && (is_string($options['audience']) || is_array($options['audience']))) {
             if (!isset($payload->aud)) {
                 throw new InvalidAudienceException('Invalid audience');
             }
             $target = is_array($payload->aud) ? $payload->aud : array($payload->aud);
             $audiences = is_array($options['audience']) ? $options['audience'] : array($options['audience']);
             $audienceFound = false;
             foreach ($audiences as $audience) {
                 if (is_string($audience) && array_search($audience, $payload->aud) !== false) {
                     $audienceFound = true;
                     break;
                 }
             }
             if (!$audienceFound) {
                 throw new InvalidAudienceException('Invalid audience');
             }
         }
     }
     return $payload;
 }