示例#1
0
 /**
  * Decodes a serialised JWT.
  *
  * @param string $token the serialised JWT
  * @param SimpleJWT\Keys\KeySet $keys the key set containing the key to verify the
  * JWT's signature
  * @param string $expected_alg the expected value of the `alg` parameter, which
  * should be agreed between the parties out-of-band
  * @param string $kid the ID of the key to use to verify the signature. If null, this
  * is automatically retrieved
  * @param bool|array $skip_validation an array of headers or claims that
  * should be ignored as part of the validation process (e.g. if expired tokens
  * are to be accepted), or false if all validation
  * is to be performed.
  * @param string $format the JWT serialisation format
  * @return JWT the decoded JWT
  * @throws InvalidTokenException if the token is invalid for any reason
  */
 public static function decode($token, $keys, $expected_alg, $kid = null, $skip_validation = array(), $format = self::COMPACT_FORMAT)
 {
     if ($skip_validation === false) {
         $skip_validation = array();
     }
     switch ($format) {
         case self::COMPACT_FORMAT:
             $parts = explode('.', $token, 3);
             if (count($parts) != 3) {
                 throw new InvalidTokenException('Cannot decode compact serialisation', InvalidTokenException::TOKEN_PARSE_ERROR);
             }
             list($protected, $payload, $signature) = $parts;
             break;
         case self::JSON_FORMAT:
             $obj = json_decode($token, true);
             if ($obj == null) {
                 throw new InvalidTokenException('Cannot decode JSON', InvalidTokenException::TOKEN_PARSE_ERROR);
             }
             $payload = $obj['payload'];
             if (isset($obj['signatures'])) {
                 foreach ($obj['signatures'] as $signature_obj) {
                     if (isset($signature_obj['header']['kid'])) {
                         $target_kid = $signature_obj['header']['kid'];
                         if ($target_kid == $kid || $keys->getById($target_kid) != null) {
                             $unprotected = $signature_obj['header'];
                             $protected = $signature_obj['protected'];
                             $signature = $signature_obj['signature'];
                             break;
                         }
                     }
                     throw new InvalidTokenException('Cannot find verifiable signature', InvalidTokenException::TOKEN_PARSE_ERROR);
                 }
             } else {
                 $unprotected = $obj['header'];
                 $protected = $obj['protected'];
                 $signature = $obj['signature'];
             }
             break;
         default:
             throw new \InvalidArgumentException('Incorrect format');
     }
     $headers = json_decode(Util::base64url_decode($protected), true);
     if ($headers == null) {
         throw new InvalidTokenException('Cannot decode header', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     // Process crit
     if (isset($headers['crit'])) {
         foreach ($headers['crit'] as $critical) {
             if (!in_array($critical, array('nbf', 'exp', 'alg', 'kid'))) {
                 throw new InvalidTokenException('Critical header not supported: ' . $critical, InvalidTokenException::UNSUPPORTED_ERROR);
             }
         }
     }
     if (isset($unprotected)) {
         $headers = array_merge($headers, $unprotected);
     }
     $claims = json_decode(Util::base64url_decode($payload), true);
     if ($claims == null) {
         throw new InvalidTokenException('Cannot decode claims', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     // Check signatures
     if ($headers['alg'] != $expected_alg) {
         throw new InvalidTokenException('Unexpected algorithm', InvalidTokenException::SIGNATURE_VERIFICATION_ERROR);
     }
     $signer = AlgorithmFactory::create($expected_alg);
     $signing_input = $protected . '.' . $payload;
     try {
         if (isset($headers['kid'])) {
             $kid = $headers['kid'];
         }
         $result = $signer->verify($signature, $signing_input, $keys, $kid);
     } catch (KeyException $e) {
         throw new InvalidTokenException($e->getMessage(), InvalidTokenException::SIGNATURE_VERIFICATION_ERROR, $e);
     } catch (CryptException $e) {
         throw new InvalidTokenException($e->getMessage(), InvalidTokenException::SIGNATURE_VERIFICATION_ERROR, $e);
     }
     if (!$result) {
         throw new InvalidTokenException('Incorrect signature', InvalidTokenException::SIGNATURE_VERIFICATION_ERROR);
     }
     // Check time, etc
     $time = time();
     if (isset($claims['nbf']) && !in_array('nbf', $skip_validation)) {
         if ($time < $claims['nbf'] - self::$TIME_ALLOWANCE) {
             throw new InvalidTokenException('Too early due to nbf claim', InvalidTokenException::TOO_EARLY_ERROR, null, $claims['nbf']);
         }
     }
     if (isset($claims['exp']) && !in_array('exp', $skip_validation)) {
         if ($time > $claims['exp'] + self::$TIME_ALLOWANCE) {
             throw new InvalidTokenException('Too late due to exp claim', InvalidTokenException::TOO_LATE_ERROR, null, $claims['exp']);
         }
     }
     return new JWT($headers, $claims);
 }
示例#2
0
 /**
  * Decrypts a JWE.
  *
  * @param string $token the serialised JWE
  * @param SimpleJWT\Keys\KeySet $keys the key set containing the key to verify the
  * JWT's signature
  * @param string $expected_alg the expected value of the `alg` parameter, which
  * should be agreed between the parties out-of-band
  * @param string $format the JWE serialisation format
  * @return JWE the decrypted JWE
  * @throws InvalidTokenException if the token is invalid for any reason
  */
 public static function decrypt($token, $keys, $expected_alg, $format = self::COMPACT_FORMAT)
 {
     switch ($format) {
         case self::COMPACT_FORMAT:
             $parts = explode('.', $token, 5);
             if (count($parts) != 5) {
                 throw new InvalidTokenException('Cannot decode compact serialisation', InvalidTokenException::TOKEN_PARSE_ERROR);
             }
             list($protected, $encrypted_key, $iv, $ciphertext, $tag) = $parts;
             break;
         case self::JSON_FORMAT:
             $obj = json_decode($token, true);
             if ($obj == null) {
                 throw new InvalidTokenException('Cannot decode JSON', InvalidTokenException::TOKEN_PARSE_ERROR);
             }
             $protected = $obj['protected'];
             $unprotected = $obj['unprotected'];
             $iv = $obj['iv'];
             $ciphertext = $obj['ciphertext'];
             $tag = $obj['tag'];
             if (isset($obj['recipients'])) {
                 foreach ($obj['recipients'] as $recipient) {
                     if (isset($recipient_obj['header']['kid'])) {
                         $target_kid = $recipient_obj['header']['kid'];
                         if ($keys->getById($target_kid) != null) {
                             $unprotected = isset($unprotected) ? array_merge($unprotected, $recipient_obj['header']) : $recipient_obj['header'];
                             $encrypted_key = $recipient_obj['encrypted_key'];
                             break;
                         }
                     }
                     throw new InvalidTokenException('Cannot find verifiable signature', InvalidTokenException::TOKEN_PARSE_ERROR);
                 }
             } else {
                 $unprotected = isset($unprotected) ? array_merge($unprotected, $obj['header']) : $obj['header'];
                 $encrypted_key = $obj['encrypted_key'];
             }
             break;
         default:
             throw new \InvalidArgumentException('Incorrect format');
     }
     $headers = json_decode(Util::base64url_decode($protected), true);
     if ($headers == null) {
         throw new InvalidTokenException('Cannot decode header', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     if (isset($unprotected)) {
         $headers = array_merge($headers, $unprotected);
     }
     // Process crit
     if (isset($headers['crit'])) {
         foreach ($headers['crit'] as $critical) {
             if (!in_array($critical, array('alg', 'enc', 'kid', 'zip'))) {
                 throw new InvalidTokenException('Critical header not supported: ' . $critical, InvalidTokenException::UNSUPPORTED_ERROR);
             }
         }
     }
     if (!isset($headers['alg'])) {
         throw new InvalidTokenException('alg parameter missing', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     if (!isset($headers['enc'])) {
         throw new InvalidTokenException('enc parameter missing', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     if ($headers['alg'] != $expected_alg) {
         throw new InvalidTokenException('Unexpected algorithm', InvalidTokenException::DECRYPTION_ERROR);
     }
     $key_enc = AlgorithmFactory::create($headers['alg']);
     $content_enc = AlgorithmFactory::create($headers['enc']);
     if ($key_enc instanceof KeyDerivationAlgorithm) {
         try {
             $agreed_key = $key_enc->deriveKey($keys, $headers, $kid);
         } catch (KeyException $e) {
             throw new InvalidTokenException($e->getMessage(), InvalidTokenException::DECRYPTION_ERROR, $e);
         } catch (CryptException $e) {
             throw new InvalidTokenException($e->getMessage(), InvalidTokenException::DECRYPTION_ERROR, $e);
         }
         if ($key_enc instanceof KeyEncryptionAlgorithm) {
             // Key agreement with wrapping
             $keys->add(new SymmetricKey(array('kty' => SymmetricKey::KTY, 'alg' => $this->headers['alg'], 'k' => Util::base64url_encode($agreed_key), 'kid' => '#key-agreement-with-wrapping'), 'php'));
             $kid = '#key-agreement-with-wrapping';
         } else {
             // Direct key agreement or direct encryption
             $cek = $agreed_key;
             if ($encrypted_key != '') {
                 throw new InvalidTokenException('encrypted key should be empty', InvalidTokenException::TOKEN_PARSE_ERROR);
             }
         }
     }
     if (!isset($cek) && $key_enc instanceof KeyEncryptionAlgorithm) {
         try {
             if (!isset($kid)) {
                 $kid = isset($headers['kid']) ? $headers['kid'] : null;
             }
             $cek = $key_enc->decryptKey($encrypted_key, $keys, $headers, $kid);
         } catch (KeyException $e) {
             throw new InvalidTokenException($e->getMessage(), InvalidTokenException::DECRYPTION_ERROR, $e);
         } catch (CryptException $e) {
             throw new InvalidTokenException($e->getMessage(), InvalidTokenException::DECRYPTION_ERROR, $e);
         }
     }
     if (!$cek) {
         throw new InvalidTokenException('alg parameter incorrect', InvalidTokenException::TOKEN_PARSE_ERROR);
     }
     try {
         $plaintext = $content_enc->decryptAndVerify($ciphertext, $tag, $cek, $protected, $iv);
         if (isset($headers['zip'])) {
             switch ($headers['zip']) {
                 case 'DEF':
                     $plaintext = gzinflate($plaintext);
                     break;
                 default:
                     throw new InvalidTokenException('Unsupported zip header:' . $headers['zip'], InvalidTokenException::UNSUPPORTED_ERROR);
             }
         }
     } catch (CryptException $e) {
         throw new InvalidTokenException($e->getMessage(), InvalidTokenException::DECRYPTION_ERROR, $e);
     }
     return new JWE($headers, $plaintext);
 }