merely suggest phpseclib/phpseclib as a possible dependency, not requ…

[ghost]

…ire it. Applications using the JOSE library can require it themselves if they need it

[ghost]

Hm... the unit tests break now as they also test phplibsec functionality. Also, with phpseclib the required version of PHP will be lower than 5.4.8 I guess...

[Spomky]

# composer.json
....,
    "require-dev": {
        "phpseclib/phpseclib": "~0.3"
    },
....

You should also throw exception in case openssl is not available and phpseclib not installed.

[ghost]

In that situation I think it makes sense to check if the following constants are defined.

    OPENSSL_ALGO_SHA256              2       openssl 5.4.8       5.4.8        
    OPENSSL_ALGO_SHA384              2       openssl 5.4.8       5.4.8        
    OPENSSL_ALGO_SHA512              2       openssl 5.4.8       5.4.8        

These are only available starting PHP 5.4.8. So if you are using a PHP version < 5.4.8 then phpseclib/phpseclib must be used for the RSA signing.

Maybe it makes sense to automatically detect this. So if the constants are defined, use OpenSSL, if not use phpseclib...

[Spomky]

These are only available starting PHP 5.4.8. So if you are using a PHP version < 5.4.8 then phpseclib/phpseclib must be used for the RSA signing.

No, phpseclib MUST NOT be required because PHP version < 5.4.8.

You just have to check if the openssl extension is loaded or not:

if (!extension_loaded('openssl')) {
    // Check if phpseclib is available (class_exists), else throw an exception.
}

[odino]

Agree with @Spomky -- is there any reliable way to test this on travis? I guess we can just moch the method that selects which SSL engine to choose

[cirpo]

👍 for @Spomky

[odino]

closing this for now as it's on hold since a while