misc

src/Namshi/JOSE/JWS.php

@@ -106,7 +106,7 @@ public static function load($jwsTokenString, $allowUnsecure = false, Encoder $en
             $payload = json_decode($encoder->decode($parts[1]), true);
 
             if (is_array($header) && is_array($payload)) {
-                if ($header['alg'] === 'None' && !$allowUnsecure) {
+                if (strtolower($header['alg']) === 'none' && !$allowUnsecure) {
                     throw new InvalidArgumentException(sprintf('The token "%s" cannot be validated in a secure context, as it uses the unallowed "none" algorithm', $jwsTokenString));
                 }
 

tests/Namshi/JOSE/Test/JWSTest.php

@@ -25,7 +25,7 @@ public function setup()
     /**
      * @expectedException InvalidArgumentException
      */
-    public function testLoadingUnsecureJws()
+    public function testLoadingUnsecureJwsWithNoneAlgo()
     {
         $date       = new DateTime('tomorrow');
         $data       = array(
@@ -42,6 +42,27 @@ public function testLoadingUnsecureJws()
         $payload = $jws->getPayload();
         $this->assertEquals('b', $payload['a']);
     }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testLoadingUnsecureJwsWithLowercaseNone()
+    {
+        $date       = new DateTime('tomorrow');
+        $data       = array(
+            'a'     => 'b',
+            'exp'   => $date->format('U')
+        );
+        $this->jws  = new JWS(array('alg' => 'none'));
+        $this->jws->setPayload($data);
+        $this->jws->sign('111');
+
+        $jws        = JWS::load($this->jws->getTokenString());
+        $this->assertFalse($jws->verify('111'));
+
+        $payload = $jws->getPayload();
+        $this->assertEquals('b', $payload['a']);
+    }
 
     public function testAllowingUnsecureJws()
     {