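/**
 * Extracts the base64 body from a PEM-encoded key.
 *
 * All line breaks are stripped from the key content first, then the text
 * between the "-----BEGIN <header>-----" and "-----END <header>-----" armour
 * lines is returned as-is (still base64, not decoded).
 *
 * @param Key    $key
 * @param string $header PEM label that follows "BEGIN " / "END "; it is quoted
 *                       with preg_quote() so it is always matched literally
 *
 * @return string
 *
 * @throws InvalidArgumentException When no armour block for $header is found,
 *                                  i.e. the given key is not the expected ECDSA PEM
 */
private function getKeyContent(Key $key, $header)
{
    // Remove every line break so a single greedy capture group spans the whole body.
    $content = str_replace([PHP_EOL, "\n", "\r"], '', $key->getContent());

    // Quote the label so regex metacharacters in it cannot change the pattern.
    $label   = preg_quote($header, '/');
    $pattern = '/[\\-]{5}BEGIN ' . $label . '[\\-]{5}(.*)[\\-]{5}END ' . $label . '[\\-]{5}/';

    $match = null;
    // preg_match() returns false on a PCRE error; treat that like "no match"
    // instead of reading a capture group that was never set.
    if (preg_match($pattern, $content, $match) === 1 && isset($match[1])) {
        return $match[1];
    }

    throw new InvalidArgumentException('This is not a valid ECDSA key.');
}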
/**
 * @test
 *
 * @uses Lcobucci\JWT\Signer\Key::__construct
 * @uses Lcobucci\JWT\Signer\Key::setContent
 *
 * @covers Lcobucci\JWT\Signer\Key::getPassphrase
 */
public function getPassphraseShouldReturnConfiguredData()
{
    // The passphrase given to the constructor must be returned unchanged.
    $passphrase = 'test';
    $key        = new Key('testing', $passphrase);

    $this->assertEquals($passphrase, $key->getPassphrase());
}
/**
 * Builds the algorithm-confusion fixture described in the referenced write-up.
 *
 * The header of $token is replaced by one claiming HMAC-SHA512 and the
 * signature is recomputed with the raw content of $key (the public key used
 * for asymmetric verification) as the HMAC secret. A verifier that trusts the
 * header's "alg" instead of its configured algorithm would accept the result;
 * presumably the calling tests assert that this library does not.
 *
 * @ref https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
 *
 * @param string $token a token in "header.payload.signature" form
 * @param Key    $key
 *
 * @return string
 */
private function createMaliciousToken(string $token, Key $key) : string
{
    $encoder  = new Parser();
    $segments = explode('.', $token);

    // Forged header: "alg" downgraded to the symmetric HS512.
    $segments[0] = $encoder->base64UrlEncode('{"alg":"HS512","typ":"JWT"}');

    // Re-sign "header.payload" using the key material as the shared secret.
    $signingInput = $segments[0] . '.' . $segments[1];
    $segments[2]  = $encoder->base64UrlEncode(
        hash_hmac('sha512', $signingInput, $key->getContent(), true)
    );

    return implode('.', $segments);
}