Seditio Source
Root |
./othercms/xenForo 2.2.8/src/vendor/web-token/jwt-signature/JWSVerifier.php
<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace Jose\Component\Signature;

use
Base64Url\Base64Url;
use
Jose\Component\Core\AlgorithmManager;
use
Jose\Component\Core\JWK;
use
Jose\Component\Core\JWKSet;
use
Jose\Component\Core\Util\KeyChecker;
use
Jose\Component\Signature\Algorithm\SignatureAlgorithm;

class
JWSVerifier
{
   
/**
     * @var AlgorithmManager
     */
   
private $signatureAlgorithmManager;

   
/**
     * JWSVerifier constructor.
     */
   
public function __construct(AlgorithmManager $signatureAlgorithmManager)
    {
       
$this->signatureAlgorithmManager = $signatureAlgorithmManager;
    }

   
/**
     * Returns the algorithm manager associated to the JWSVerifier.
     */
   
public function getSignatureAlgorithmManager(): AlgorithmManager
   
{
        return
$this->signatureAlgorithmManager;
    }

   
/**
     * This method will try to verify the JWS object using the given key and for the given signature.
     * It returns true if the signature is verified, otherwise false.
     *
     * @return bool true if the verification of the signature succeeded, else false
     */
   
public function verifyWithKey(JWS $jws, JWK $jwk, int $signature, ?string $detachedPayload = null): bool
   
{
       
$jwkset = new JWKSet([$jwk]);

        return
$this->verifyWithKeySet($jws, $jwkset, $signature, $detachedPayload);
    }

   
/**
     * This method will try to verify the JWS object using the given key set and for the given signature.
     * It returns true if the signature is verified, otherwise false.
     *
     * @param JWS         $jws             A JWS object
     * @param JWKSet      $jwkset          The signature will be verified using keys in the key set
     * @param string|null $detachedPayload If not null, the value must be the detached payload encoded in Base64 URL safe. If the input contains a payload, throws an exception.
     *
     * @return bool true if the verification of the signature succeeded, else false
     */
   
public function verifyWithKeySet(JWS $jws, JWKSet $jwkset, int $signature, ?string $detachedPayload = null): bool
   
{
       
$this->checkJWKSet($jwkset);
       
$this->checkSignatures($jws);
       
$this->checkPayload($jws, $detachedPayload);

       
$signature = $jws->getSignature($signature);

        return
$this->verifySignature($jws, $jwkset, $signature, $detachedPayload);
    }

    private function
verifySignature(JWS $jws, JWKSet $jwkset, Signature $signature, ?string $detachedPayload = null): bool
   
{
       
$input = $this->getInputToVerify($jws, $signature, $detachedPayload);
        foreach (
$jwkset->all() as $jwk) {
           
$algorithm = $this->getAlgorithm($signature);

            try {
               
KeyChecker::checkKeyUsage($jwk, 'verification');
               
KeyChecker::checkKeyAlgorithm($jwk, $algorithm->name());
                if (!\
in_array($jwk->get('kty'), $algorithm->allowedKeyTypes(), true)) {
                    throw new \
InvalidArgumentException('Wrong key type.');
                }
                if (
true === $algorithm->verify($jwk, $input, $signature->getSignature())) {
                    return
true;
                }
            } catch (\
Exception $e) {
               
//We do nothing, we continue with other keys
               
continue;
            }
        }

        return
false;
    }

    private function
getInputToVerify(JWS $jws, Signature $signature, ?string $detachedPayload): string
   
{
       
$encodedProtectedHeader = $signature->getEncodedProtectedHeader();
        if (!
$signature->hasProtectedHeaderParameter('b64') || true === $signature->getProtectedHeaderParameter('b64')) {
            if (
null !== $jws->getEncodedPayload()) {
                return \
sprintf('%s.%s', $encodedProtectedHeader, $jws->getEncodedPayload());
            }

           
$payload = empty($jws->getPayload()) ? $detachedPayload : $jws->getPayload();

            return \
sprintf('%s.%s', $encodedProtectedHeader, Base64Url::encode($payload));
        }

       
$payload = empty($jws->getPayload()) ? $detachedPayload : $jws->getPayload();

        return \
sprintf('%s.%s', $encodedProtectedHeader, $payload);
    }

    private function
checkSignatures(JWS $jws)
    {
        if (
0 === $jws->countSignatures()) {
            throw new \
InvalidArgumentException('The JWS does not contain any signature.');
        }
    }

    private function
checkJWKSet(JWKSet $jwkset)
    {
        if (
0 === \count($jwkset)) {
            throw new \
InvalidArgumentException('There is no key in the key set.');
        }
    }

    private function
checkPayload(JWS $jws, ?string $detachedPayload = null)
    {
        if (
null !== $detachedPayload && !empty($jws->getPayload())) {
            throw new \
InvalidArgumentException('A detached payload is set, but the JWS already has a payload.');
        }
        if (empty(
$jws->getPayload()) && null === $detachedPayload) {
            throw new \
InvalidArgumentException('The JWS has a detached payload, but no payload is provided.');
        }
    }

    private function
getAlgorithm(Signature $signature): SignatureAlgorithm
   
{
       
$completeHeader = \array_merge($signature->getProtectedHeader(), $signature->getHeader());
        if (!\
array_key_exists('alg', $completeHeader)) {
            throw new \
InvalidArgumentException('No "alg" parameter set in the header.');
        }

       
$algorithm = $this->signatureAlgorithmManager->get($completeHeader['alg']);
        if (!
$algorithm instanceof SignatureAlgorithm) {
            throw new \
InvalidArgumentException(\sprintf('The algorithm "%s" is not supported or is not a signature algorithm.', $completeHeader['alg']));
        }

        return
$algorithm;
    }
}