Exemplo n.º 1
0
 /**
  * Extracts the base 64 value from the PEM certificate
  *
  * @param Key $key
  * @param string $header
  *
  * @return string
  *
  * @throws InvalidArgumentException When given key is not a ECDSA key
  */
 private function getKeyContent(Key $key, $header)
 {
     $match = null;
     preg_match('/[\\-]{5}BEGIN ' . $header . '[\\-]{5}(.*)[\\-]{5}END ' . $header . '[\\-]{5}/', str_replace([PHP_EOL, "\n", "\r"], '', $key->getContent()), $match);
     if (isset($match[1])) {
         return $match[1];
     }
     throw new InvalidArgumentException('This is not a valid ECDSA key.');
 }
Exemplo n.º 2
0
 /**
  * @test
  *
  * @uses Lcobucci\JWT\Signer\Key::__construct
  * @uses Lcobucci\JWT\Signer\Key::setContent
  *
  * @covers Lcobucci\JWT\Signer\Key::getContent
  */
 public function getContentShouldReturnConfiguredData()
 {
     $key = new Key('testing', 'test');
     $this->assertEquals('testing', $key->getContent());
 }
Exemplo n.º 3
0
 /**
  * @ref https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
  *
  * @param string $token
  * @param Key $key
  *
  * @return string
  */
 private function createMaliciousToken(string $token, Key $key) : string
 {
     $dec = new Parser();
     $asplode = explode('.', $token);
     // The user is lying; we insist that we're using HMAC-SHA512, with the
     // public key as the HMAC secret key. This just builds a forged message:
     $asplode[0] = $dec->base64UrlEncode('{"alg":"HS512","typ":"JWT"}');
     $hmac = hash_hmac('sha512', $asplode[0] . '.' . $asplode[1], $key->getContent(), true);
     $asplode[2] = $dec->base64UrlEncode($hmac);
     return implode('.', $asplode);
 }