public function testTestBC() { $data = array(array('order_nr' => 'ae123123'), array('username' => 'asdasdasd'), array('anything' => '!@#$%^&*()_+')); foreach ($data as $payload) { $jwsOld = new JWS(array('alg' => 'RS256')); $jwsOld->setEncoder(new Base64Encoder()); $jwsOld->setPayload($payload); $jwsOld->sign(openssl_pkey_get_private(SSL_KEYS_PATH . 'private.key', self::SSL_KEY_PASSPHRASE)); $t = $jwsOld->getTokenString(); $jwsNew = JWS::load($t); $this->assertTrue($jwsNew->verify(openssl_pkey_get_public(SSL_KEYS_PATH . 'public.key'))); } }
/** * Decode a JSON Web Token. * * @param string $token * * @throws \Tymon\JWTAuth\Exceptions\JWTException * * @return array */ public function decode($token) { try { // Let's never allow insecure tokens $jws = $this->jws->load($token, false); } catch (InvalidArgumentException $e) { throw new TokenInvalidException('Could not decode token: ' . $e->getMessage()); } if (!$jws->verify($this->getVerificationKey(), $this->getAlgo())) { throw new TokenInvalidException('Token Signature could not be verified.'); } return (array) $jws->getPayload(); }
public function testTestBC() { $data = array(array("order_nr" => "ae123123"), array("username" => "asdasdasd"), array("anything" => "!@#\$%^&*()_+")); foreach ($data as $payload) { $jwsOld = new JWS("RS256"); $jwsOld->setEncoder(new Base64Encoder()); $jwsOld->setPayload($payload); $jwsOld->sign(openssl_pkey_get_private(SSL_KEYS_PATH . "private.key", self::SSL_KEY_PASSPHRASE)); $t = $jwsOld->getTokenString(); $jwsNew = JWS::load($t); $this->assertTrue($jwsNew->verify(openssl_pkey_get_public(SSL_KEYS_PATH . "public.key"))); } }
/** * Decode a JSON Web Token * * @param string $token * * @throws \Tymon\JWTAuth\Exceptions\JWTException * * @return array */ public function decode($token) { try { // let's never allow unsecure tokens $jws = $this->jws->load($token, false); } catch (Exception $e) { throw new TokenInvalidException('Could not decode token: ' . $e->getMessage()); } if (!$jws->verify($this->secret, $this->algo)) { throw new TokenInvalidException('Token Signature could not be verified.'); } return (array) $jws->getPayload(); }
/** * @param RequestInterface $request * * @return RequestInterface */ public function __invoke(RequestInterface $request) { $uri = $request->getUri(); $path = $uri->getPath(); $path .= $uri->getQuery() != null ? '?' . $uri->getQuery() : ''; $payload = ['key' => 'master', 'exp' => time() + $this->exp, 'method' => $request->getMethod(), 'path' => $path]; if (in_array($request->getMethod(), ['PUT', 'POST'])) { $body = $request->getBody(); $computedHash = \GuzzleHttp\Psr7\hash($body, 'sha256'); $payload['body'] = ['alg' => 'sha256', 'hash' => $computedHash]; } $jws = new JWS(['typ' => 'JWT', 'alg' => 'HS256']); $jws->setPayload($payload)->sign($this->secret); $token = $jws->getTokenString(); return $request->withHeader('Authorization', 'JWT token="' . $token . '"'); }
/** * @param string $token * * @return array * * @throws InvalidJWTException */ public function decode($token) { $jws = JWS::load($token); if (!$jws->verify($this->key, self::ALG)) { throw new InvalidJWTException('Invalid JWT'); } if ($this->isExpired($payload = $jws->getPayload())) { throw new InvalidJWTException('Expired JWT'); } return $payload; }
/** * {@inheritdoc} */ public function decode($token) { try { $jws = JWS::load($token); } catch (\InvalidArgumentException $e) { return false; } if (!$jws->isValid($this->getPublicKey(), self::ALGORYTHM)) { return false; } return $jws->getPayload(); }
/** * Decode a JSON Web Token * * @param string $token * @return array * @throws \Tymon\JWTAuth\Exceptions\JWTException */ public function decode($token) { try { $jws = JWS::load($token); } catch (Exception $e) { throw new TokenInvalidException('Could not decode token: ' . $e->getMessage()); } if (!$jws->verify($this->secret, $this->algo)) { throw new TokenInvalidException('Token Signature could not be verified.'); } return $jws->getPayload(); }
public function testVerifyIncorrectPubKey() { $content = new JWS(['alg' => 'RS256']); $content->setPayload(['prop' => 'val'], false); $content->sign(openssl_pkey_get_private('file://' . $GLOBALS['KEYs']['private'], $GLOBALS['KEYs']['password'])); $obj = new Statement(['actor' => ['mbox' => COMMON_MBOX], 'verb' => ['id' => COMMON_VERB_ID], 'object' => new Activity(['id' => COMMON_ACTIVITY_ID . '/StatementTest/testSignNoPassword']), 'attachments' => [['usageType' => 'http://adlnet.gov/expapi/attachments/signature', 'display' => ['en-US' => 'test display'], 'contentType' => 'application/octet-stream', 'content' => $content->getTokenString()]]]); $newKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]); $pubKey = openssl_pkey_get_details($newKey); $pubKey = $pubKey["key"]; $result = $obj->verify(['publicKey' => $pubKey]); $this->assertFalse($result['success'], 'success'); $this->assertSame($result['reason'], 'Failed to verify signature', 'reason'); }
public function testLoadingWithAnyOrderOfHeaders() { $privateKey = openssl_pkey_get_private(SSL_KEYS_PATH . "private.key", self::SSL_KEY_PASSPHRASE); $public_key = openssl_pkey_get_public(SSL_KEYS_PATH . "public.key"); $header = $this->jws->getHeader(); $reversedHeader = array_reverse($header); $this->assertFalse($header === $reversedHeader); $this->jws->setHeader($reversedHeader); $this->jws->sign($privateKey); $tokenString = $this->jws->getTokenString(); $jws = JWS::load($tokenString); $this->assertTrue($reversedHeader === $jws->getHeader()); }
public function testVerificationCustomizedHeader() { $header = $this->jws->getHeader(); $header['test'] = true; $this->jws->setHeader($header); $privateKey = openssl_pkey_get_private(SSL_KEYS_PATH . 'private.key', self::SSL_KEY_PASSPHRASE); $this->jws->sign($privateKey); $jws = JWS::load($this->jws->getTokenString()); $public_key = openssl_pkey_get_public(SSL_KEYS_PATH . 'public.key'); $headerFromSig = $jws->getHeader(); $this->assertSame($headerFromSig['test'], true); $this->assertTrue($jws->verify($public_key)); }
public function verify($options = array()) { if (!isset($options['version'])) { $options['version'] = Version::latest(); } $signatureAttachment = null; $signatureIndex = 0; foreach ($this->getAttachments() as $attachment) { if ($attachment->getUsageType() === self::SIGNATURE_USAGE_TYPE) { $signatureAttachment = $attachment; break; } $signatureIndex++; } if ($signatureAttachment === null) { return array('success' => false, 'reason' => "Unable to locate signature attachment (usage type)"); } try { $jws = JWS::load($signatureAttachment->getContent()); } catch (\InvalidArgumentException $e) { return array('success' => false, 'reason' => 'Failed to load JWS: ' . $e); } $header = $jws->getHeader(); // // there is a JWS spec security issue with allowing non-RS algorithms // to be specified and it is against the Tin Can spec anyways so we // want to fail hard on non-RS algorithms // if (!in_array($header['alg'], array('RS256', 'RS384', 'RS512'), true)) { throw new \InvalidArgumentException("Refusing to verify signature: Invalid signing algorithm ('" . $options['algorithm'] . "')"); } if (isset($options['publicKey'])) { $publicKeyFile = $options['publicKey']; } else { if (isset($header['x5c'])) { $cert = "-----BEGIN CERTIFICATE-----\r\n" . chunk_split($header['x5c'][0], 64, "\r\n") . "-----END CERTIFICATE-----\r\n"; $cert = openssl_x509_read($cert); if (!$cert) { return array('success' => false, 'reason' => 'failed to read cert in x5c: ' . openssl_error_string()); } $publicKeyFile = openssl_pkey_get_public($cert); if (!$publicKeyFile) { return array('success' => false, 'reason' => 'x5c failed to provide public key: ' . openssl_error_string()); } } else { return array('success' => false, 'reason' => 'No public key found or provided for verification'); } } if (!$jws->verify($publicKeyFile)) { return array('success' => false, 'reason' => 'Failed to verify signature'); } $payload = $jws->getPayload(); // // serializing this statement as if it was going to be // made into a signature should provide us with what we // can expect in the payload, if the two don't match then // the signature isn't valid, it also gives us a clone // that we can then manipulate without affecting the // original instance // // use the version from the payload as it indicates the // version in use when the statement was serialized to // begin with // $version = $payload['version'] ? $payload['version'] : Version::latest(); $serialization = $this->serializeForSignature($version); // // remove the signature attachment before comparing the // serializations, if it was the only attachment and the // signature doesn't include the 'attachments' property // then unset it as well // unset($serialization['attachments'][$signatureIndex]); if (count($serialization['attachments']) === 0 && !isset($payload['attachments'])) { unset($serialization['attachments']); } // // authority and stored are most often populated by the LRS, // and presumably for signature purposes are *never* included // in the signature so we are safe to remove them here // unset($serialization['stored']); unset($serialization['authority']); // // the payload 'version' is instructive of how to serialize the // statement for comparison, that 'version' is not required and // when not set we need to remove the 'version' in the serialization // which will be the current latest supported by the library // which shouldn't be compared against what is in the signature // if (!isset($payload['version'])) { unset($serialization['version']); } // // a statement can be signed without having first provided an // id, in that case the id is set by the receiving LRS, so if // the serialization has one, presumably from retrieval from // an LRS, remove it so that it is not compared // // if the statement did provide an id before signing then the // LRS should have maintained that id, so they can be compared // if (!isset($payload['id'])) { unset($serialization['id']); } // // the same applies to timestamp // if (!isset($payload['timestamp'])) { unset($serialization['timestamp']); } // // now we can construct an object from both the payload and the // serialization of this instance and compare the two for a match // in meaning // $fromSerialization = new self($serialization); $comparison = $fromSerialization->compareWithSignature(new self($payload)); if (!$comparison['success']) { return array('success' => false, 'reason' => 'Statement to signature comparison failed: ' . $comparison['reason']); } return array('success' => true, 'jws' => $jws); }