Disabling none by default

namshi · Feb 17, 2015 · 35ea443 · 35ea443
1 parent ce5cef8
commit 35ea443
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/src/Namshi/JOSE/JWS.php b/src/Namshi/JOSE/JWS.php
@@ -84,7 +84,7 @@ public function getTokenString()
      * @return JWS
      * @throws \InvalidArgumentException
      */
-    public static function load($jwsTokenString)
+    public static function load($jwsTokenString, $allowUnsecure = false)
     {
         $encoder = strpbrk($jwsTokenString, '+/=') ? new Base64Encoder() : new Base64UrlSafeEncoder();
         $parts   = explode('.', $jwsTokenString);
@@ -94,6 +94,10 @@ public static function load($jwsTokenString)
             $payload = json_decode($encoder->decode($parts[1]), true);
 
             if (is_array($header) && is_array($payload)) {
+                if ($header['alg'] === 'None' && !$allowUnsecure) {
+                    throw new InvalidArgumentException(sprintf('The token "%s" cannot be validated in a secure context, as it uses the unallowed "none" algorithm', $jwsTokenString));
+                }
+
                 $jws = new self($header['alg'], isset($header['typ']) ? $header['typ'] : null);
                 $jws->setEncoder($encoder);
                 $jws->setPayload($payload);

diff --git a/tests/Namshi/JOSE/Test/JWSTest.php b/tests/Namshi/JOSE/Test/JWSTest.php
@@ -21,6 +21,40 @@ public function setup()
         $this->jws->setPayload($data);
     }
 
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testLoadingUnsecureJws()
+    {
+        $date       = new DateTime('tomorrow');
+        $data       = array(
+            'a'     => 'b',
+            'exp'   => $date->format('U')
+        );
+        $this->jws  = new JWS('None');
+        $this->jws->setPayload($data);
+        $this->jws->sign('111');
+        $jws        = JWS::load($this->jws->getTokenString());
+        $this->assertFalse($jws->verify('111'));
+        $payload = $jws->getPayload();
+        $this->assertEquals('b', $payload['a']);
+    }
+    public function testAllowingUnsecureJws()
+    {
+        $date       = new DateTime('tomorrow');
+        $data       = array(
+            'a'     => 'b',
+            'exp'   => $date->format('U')
+        );
+        $this->jws  = new JWS('None');
+        $this->jws->setPayload($data);
+        $this->jws->sign('111');
+        $jws        = JWS::load($this->jws->getTokenString(), true);
+        $this->assertTrue($jws->verify('111'));
+        $payload = $jws->getPayload();
+        $this->assertEquals('b', $payload['a']);
+    }
+
     public function testVerificationRS256()
     {
         $privateKey = openssl_pkey_get_private(SSL_KEYS_PATH . "private.key", self::SSL_KEY_PASSPHRASE);