From 04f1529a3d2600e5dde9ec5f8f70801510eb3694 Mon Sep 17 00:00:00 2001 From: Spomky Date: Wed, 10 Jul 2019 12:08:49 +0200 Subject: [PATCH 1/5] Fixes GMP requirement --- phpstan.neon | 1 - .../Encryption/Serializer/JSONFlattenedSerializer.php | 2 +- .../Encryption/Serializer/JSONGeneralSerializer.php | 2 +- src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php | 8 ++++++++ src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php | 8 ++++++++ src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php | 8 ++++++++ src/Component/KeyManagement/composer.json | 5 ++--- src/Ecc/composer.json | 1 + src/SignatureAlgorithm/ECDSA/composer.json | 3 +-- 9 files changed, 30 insertions(+), 8 deletions(-) diff --git a/phpstan.neon b/phpstan.neon index c591eff5..be0b2e15 100644 --- a/phpstan.neon +++ b/phpstan.neon @@ -19,7 +19,6 @@ parameters: - '#Parameter \#1 \$value of static method Jose\\Component\\Core\\Util\\BigInteger::createFromGMPResource\(\) expects GMP, resource given\.#' - '#Return type \(void\) of method Jose\\Bundle\\JoseFramework\\Routing\\JWKSetLoader::getResolver\(\) should be compatible with return type \(Symfony\\Component\\Config\\Loader\\LoaderResolverInterface\) of method Symfony\\Component\\Config\\Loader\\LoaderInterface::getResolver\(\)#' - '#Instanceof between Jose\\Component\\Core\\JWK and Jose\\Component\\Core\\JWK will always evaluate to true\.#' - - '#Function openssl_pkey_derive not found\.#' includes: - vendor/phpstan/phpstan-phpunit/extension.neon - vendor/phpstan/phpstan-phpunit/rules.neon diff --git a/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php b/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php index 95fbd237..b712ea46 100644 --- a/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php +++ b/src/Component/Encryption/Serializer/JSONFlattenedSerializer.php @@ -90,7 +90,7 @@ public function unserialize(string $input): JWE private function checkData(?array $data): void { - if ($data === null || !isset($data['ciphertext']) || isset($data['recipients'])) { + if (null === $data || !isset($data['ciphertext']) || isset($data['recipients'])) { throw new InvalidArgumentException('Unsupported input.'); } } diff --git a/src/Component/Encryption/Serializer/JSONGeneralSerializer.php b/src/Component/Encryption/Serializer/JSONGeneralSerializer.php index 3758443d..bf09c101 100644 --- a/src/Component/Encryption/Serializer/JSONGeneralSerializer.php +++ b/src/Component/Encryption/Serializer/JSONGeneralSerializer.php @@ -99,7 +99,7 @@ public function unserialize(string $input): JWE private function checkData(?array $data): void { - if ($data === null || !isset($data['ciphertext']) || !isset($data['recipients'])) { + if (null === $data || !isset($data['ciphertext']) || !isset($data['recipients'])) { throw new InvalidArgumentException('Unsupported input.'); } } diff --git a/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php index 637a5c91..0543b5c6 100644 --- a/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php +++ b/src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php @@ -16,9 +16,17 @@ use Base64Url\Base64Url; use Jose\Component\Core\JWK; use Jose\Component\Core\Util\Ecc\NistCurve; +use RuntimeException; final class ES256KeyAnalyzer implements KeyAnalyzer { + public function __construct() + { + if (!class_exists(NistCurve::class)) { + throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer'); + } + } + public function analyze(JWK $jwk, MessageBag $bag): void { if ('EC' !== $jwk->get('kty')) { diff --git a/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php index 7c6b5d56..166d227c 100644 --- a/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php +++ b/src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php @@ -16,9 +16,17 @@ use Base64Url\Base64Url; use Jose\Component\Core\JWK; use Jose\Component\Core\Util\Ecc\NistCurve; +use RuntimeException; final class ES384KeyAnalyzer implements KeyAnalyzer { + public function __construct() + { + if (!class_exists(NistCurve::class)) { + throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer'); + } + } + public function analyze(JWK $jwk, MessageBag $bag): void { if ('EC' !== $jwk->get('kty')) { diff --git a/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php b/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php index 12c5a5dd..9ea262c8 100644 --- a/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php +++ b/src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php @@ -16,9 +16,17 @@ use Base64Url\Base64Url; use Jose\Component\Core\JWK; use Jose\Component\Core\Util\Ecc\NistCurve; +use RuntimeException; final class ES512KeyAnalyzer implements KeyAnalyzer { + public function __construct() + { + if (!class_exists(NistCurve::class)) { + throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer'); + } + } + public function analyze(JWK $jwk, MessageBag $bag): void { if ('EC' !== $jwk->get('kty')) { diff --git a/src/Component/KeyManagement/composer.json b/src/Component/KeyManagement/composer.json index f016cd39..4048932d 100644 --- a/src/Component/KeyManagement/composer.json +++ b/src/Component/KeyManagement/composer.json @@ -21,11 +21,9 @@ }, "require": { "ext-openssl": "*", - "ext-gmp": "*", "psr/http-factory": "^1.0", "psr/http-client": "^1.0", - "web-token/jwt-core": "^2.0", - "web-token/jwt-util-ecc": "^2.0" + "web-token/jwt-core": "^2.0" }, "require-dev": { "php-http/message-factory": "^1.0", @@ -34,6 +32,7 @@ "phpunit/phpunit": "^8.0" }, "suggest": { + "web-token/jwt-util-ecc": "To use EC key analyzers.", "php-http/message-factory": "To enable JKU/X5U support.", "php-http/httplug": "To enable JKU/X5U support." }, diff --git a/src/Ecc/composer.json b/src/Ecc/composer.json index 71e2999e..9e6b7768 100644 --- a/src/Ecc/composer.json +++ b/src/Ecc/composer.json @@ -20,6 +20,7 @@ } }, "require": { + "ext-gmp": "*", "thecodingmachine/safe": "^0.1.14" }, "require-dev": { diff --git a/src/SignatureAlgorithm/ECDSA/composer.json b/src/SignatureAlgorithm/ECDSA/composer.json index 2f2f2e29..73a5a5b8 100644 --- a/src/SignatureAlgorithm/ECDSA/composer.json +++ b/src/SignatureAlgorithm/ECDSA/composer.json @@ -20,8 +20,7 @@ } }, "require": { - "web-token/jwt-signature": "^2.0", - "web-token/jwt-util-ecc": "^2.0" + "web-token/jwt-signature": "^2.0" }, "require-dev": { "phpunit/phpunit": "^8.0" From 32e39197f16e44bf243a9591a41339d447ae79e4 Mon Sep 17 00:00:00 2001 From: Spomky Date: Wed, 10 Jul 2019 12:12:47 +0200 Subject: [PATCH 2/5] Bug fixed with SF services --- .../JoseFramework/Resources/config/analyzers.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/Bundle/JoseFramework/Resources/config/analyzers.php b/src/Bundle/JoseFramework/Resources/config/analyzers.php index 527330bc..26706b23 100644 --- a/src/Bundle/JoseFramework/Resources/config/analyzers.php +++ b/src/Bundle/JoseFramework/Resources/config/analyzers.php @@ -11,6 +11,7 @@ * of the MIT license. See the LICENSE file for details. */ +use Jose\Component\Core\Util\Ecc\NistCurve; use Jose\Component\KeyManagement\Analyzer; use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator; use ZxcvbnPhp\Zxcvbn; @@ -37,13 +38,16 @@ $container->set(Analyzer\OctAnalyzer::class); $container->set(Analyzer\MixedKeyTypes::class); $container->set(Analyzer\MixedPublicAndPrivateKeys::class); - $container->set(Analyzer\ES256KeyAnalyzer::class); - $container->set(Analyzer\ES384KeyAnalyzer::class); - $container->set(Analyzer\ES512KeyAnalyzer::class); $container->set(Analyzer\HS256KeyAnalyzer::class); $container->set(Analyzer\HS384KeyAnalyzer::class); $container->set(Analyzer\HS512KeyAnalyzer::class); + if (class_exists(NistCurve::class)) { + $container->set(Analyzer\ES256KeyAnalyzer::class); + $container->set(Analyzer\ES384KeyAnalyzer::class); + $container->set(Analyzer\ES512KeyAnalyzer::class); + } + if (class_exists(Zxcvbn::class)) { $container->set(Analyzer\ZxcvbnKeyAnalyzer::class); } From f2071a12d1f07465aaca6b55b8b65fea8e26fd75 Mon Sep 17 00:00:00 2001 From: Spomky Date: Wed, 10 Jul 2019 13:13:45 +0200 Subject: [PATCH 3/5] gmp not required for RSxxx algs, only PSxxx --- .../Source/Signature/SignatureSource.php | 4 +- .../config/Algorithms/signature_rsa.php | 24 ++++--- src/SignatureAlgorithm/Experimental/RS1.php | 9 +-- src/SignatureAlgorithm/RSA/PS256.php | 9 +-- src/SignatureAlgorithm/RSA/PS384.php | 9 +-- src/SignatureAlgorithm/RSA/PS512.php | 9 +-- src/SignatureAlgorithm/RSA/RS256.php | 9 +-- src/SignatureAlgorithm/RSA/RS384.php | 9 +-- src/SignatureAlgorithm/RSA/RS512.php | 9 +-- src/SignatureAlgorithm/RSA/RSA.php | 6 ++ src/SignatureAlgorithm/RSA/RSAPKCS1.php | 66 ++++++++++++++++++ src/SignatureAlgorithm/RSA/RSAPSS.php | 69 +++++++++++++++++++ src/SignatureAlgorithm/RSA/Util/RSA.php | 13 +++- src/SignatureAlgorithm/RSA/composer.json | 4 +- 14 files changed, 177 insertions(+), 72 deletions(-) create mode 100644 src/SignatureAlgorithm/RSA/RSAPKCS1.php create mode 100644 src/SignatureAlgorithm/RSA/RSAPSS.php diff --git a/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php b/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php index 02918c11..45daa1e2 100644 --- a/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php +++ b/src/Bundle/JoseFramework/DependencyInjection/Source/Signature/SignatureSource.php @@ -21,7 +21,7 @@ use Jose\Component\Signature\Algorithm\HMAC; use Jose\Component\Signature\Algorithm\HS1; use Jose\Component\Signature\Algorithm\None; -use Jose\Component\Signature\Algorithm\RSA; +use Jose\Component\Signature\Algorithm\RSAPSS; use Jose\Component\Signature\JWSBuilderFactory; use Jose\Component\Signature\JWSVerifierFactory; use Symfony\Component\Config\Definition\Builder\NodeDefinition; @@ -125,7 +125,7 @@ public function getCompilerPasses(): array private function getAlgorithmsFiles(): array { return [ - RSA::class => 'signature_rsa.php', + RSAPSS::class => 'signature_rsa.php', ECDSA::class => 'signature_ecdsa.php', EdDSA::class => 'signature_eddsa.php', HMAC::class => 'signature_hmac.php', diff --git a/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php b/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php index 62d4a321..105e65e9 100644 --- a/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php +++ b/src/Bundle/JoseFramework/Resources/config/Algorithms/signature_rsa.php @@ -33,15 +33,17 @@ ->tag('jose.algorithm', ['alias' => 'RS512']) ; - $container->set(Algorithm\PS256::class) - ->tag('jose.algorithm', ['alias' => 'PS256']) - ; - - $container->set(Algorithm\PS384::class) - ->tag('jose.algorithm', ['alias' => 'PS384']) - ; - - $container->set(Algorithm\PS512::class) - ->tag('jose.algorithm', ['alias' => 'PS512']) - ; + if (extension_loaded('gmp')) { + $container->set(Algorithm\PS256::class) + ->tag('jose.algorithm', ['alias' => 'PS256']) + ; + + $container->set(Algorithm\PS384::class) + ->tag('jose.algorithm', ['alias' => 'PS384']) + ; + + $container->set(Algorithm\PS512::class) + ->tag('jose.algorithm', ['alias' => 'PS512']) + ; + } }; diff --git a/src/SignatureAlgorithm/Experimental/RS1.php b/src/SignatureAlgorithm/Experimental/RS1.php index 409ffc82..78933f7d 100644 --- a/src/SignatureAlgorithm/Experimental/RS1.php +++ b/src/SignatureAlgorithm/Experimental/RS1.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class RS1 extends RSA +final class RS1 extends RSAPKCS1 { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha1'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PKCS1; - } } diff --git a/src/SignatureAlgorithm/RSA/PS256.php b/src/SignatureAlgorithm/RSA/PS256.php index 2020c1b0..b8a57ef3 100644 --- a/src/SignatureAlgorithm/RSA/PS256.php +++ b/src/SignatureAlgorithm/RSA/PS256.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class PS256 extends RSA +final class PS256 extends RSAPSS { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha256'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PSS; - } } diff --git a/src/SignatureAlgorithm/RSA/PS384.php b/src/SignatureAlgorithm/RSA/PS384.php index 6c202378..42fbd0bc 100644 --- a/src/SignatureAlgorithm/RSA/PS384.php +++ b/src/SignatureAlgorithm/RSA/PS384.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class PS384 extends RSA +final class PS384 extends RSAPSS { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha384'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PSS; - } } diff --git a/src/SignatureAlgorithm/RSA/PS512.php b/src/SignatureAlgorithm/RSA/PS512.php index c53aa542..58d5d42b 100644 --- a/src/SignatureAlgorithm/RSA/PS512.php +++ b/src/SignatureAlgorithm/RSA/PS512.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class PS512 extends RSA +final class PS512 extends RSAPSS { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha512'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PSS; - } } diff --git a/src/SignatureAlgorithm/RSA/RS256.php b/src/SignatureAlgorithm/RSA/RS256.php index 781b8a3d..36005163 100644 --- a/src/SignatureAlgorithm/RSA/RS256.php +++ b/src/SignatureAlgorithm/RSA/RS256.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class RS256 extends RSA +final class RS256 extends RSAPKCS1 { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha256'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PKCS1; - } } diff --git a/src/SignatureAlgorithm/RSA/RS384.php b/src/SignatureAlgorithm/RSA/RS384.php index 04fb6cea..57b6d78f 100644 --- a/src/SignatureAlgorithm/RSA/RS384.php +++ b/src/SignatureAlgorithm/RSA/RS384.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class RS384 extends RSA +final class RS384 extends RSAPKCS1 { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha384'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PKCS1; - } } diff --git a/src/SignatureAlgorithm/RSA/RS512.php b/src/SignatureAlgorithm/RSA/RS512.php index 7769f7cc..da946d08 100644 --- a/src/SignatureAlgorithm/RSA/RS512.php +++ b/src/SignatureAlgorithm/RSA/RS512.php @@ -13,9 +13,7 @@ namespace Jose\Component\Signature\Algorithm; -use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; - -final class RS512 extends RSA +final class RS512 extends RSAPKCS1 { public function name(): string { @@ -26,9 +24,4 @@ protected function getAlgorithm(): string { return 'sha512'; } - - protected function getSignatureMethod(): int - { - return JoseRSA::SIGNATURE_PKCS1; - } } diff --git a/src/SignatureAlgorithm/RSA/RSA.php b/src/SignatureAlgorithm/RSA/RSA.php index aa71d7d0..ff4a1ab7 100644 --- a/src/SignatureAlgorithm/RSA/RSA.php +++ b/src/SignatureAlgorithm/RSA/RSA.php @@ -18,6 +18,9 @@ use Jose\Component\Core\Util\RSAKey; use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; +/** + * @deprecated Please use either RSAPSS or RSAPKCS1 depending on the padding mode + */ abstract class RSA implements SignatureAlgorithm { public function allowedKeyTypes(): array @@ -29,6 +32,9 @@ public function verify(JWK $key, string $input, string $signature): bool { $this->checkKey($key); $pub = RSAKey::createFromJWK($key->toPublic()); + if (JoseRSA::SIGNATURE_PKCS1 === $this->getSignatureMethod()) { + return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm()); + } return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), $this->getSignatureMethod()); } diff --git a/src/SignatureAlgorithm/RSA/RSAPKCS1.php b/src/SignatureAlgorithm/RSA/RSAPKCS1.php new file mode 100644 index 00000000..ea3258fb --- /dev/null +++ b/src/SignatureAlgorithm/RSA/RSAPKCS1.php @@ -0,0 +1,66 @@ +checkKey($key); + $pub = RSAKey::createFromJWK($key->toPublic()); + + return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm()); + } + + public function sign(JWK $key, string $input): string + { + $this->checkKey($key); + if (!$key->has('d')) { + throw new InvalidArgumentException('The key is not a private key.'); + } + + $priv = RSAKey::createFromJWK($key); + + $result = openssl_sign($input, $signature, $priv->toPEM(), $this->getAlgorithm()); + if (true !== $result) { + throw new RuntimeException('Unable to sign'); + } + + return $signature; + } + + abstract protected function getAlgorithm(): string; + + private function checkKey(JWK $key): void + { + if (!\in_array($key->get('kty'), $this->allowedKeyTypes(), true)) { + throw new InvalidArgumentException('Wrong key type.'); + } + foreach (['n', 'e'] as $k) { + if (!$key->has($k)) { + throw new InvalidArgumentException(sprintf('The key parameter "%s" is missing.', $k)); + } + } + } +} diff --git a/src/SignatureAlgorithm/RSA/RSAPSS.php b/src/SignatureAlgorithm/RSA/RSAPSS.php new file mode 100644 index 00000000..5c8b5ae9 --- /dev/null +++ b/src/SignatureAlgorithm/RSA/RSAPSS.php @@ -0,0 +1,69 @@ +checkKey($key); + $pub = RSAKey::createFromJWK($key->toPublic()); + + return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), JoseRSA::SIGNATURE_PSS); + } + + public function sign(JWK $key, string $input): string + { + $this->checkKey($key); + if (!$key->has('d')) { + throw new InvalidArgumentException('The key is not a private key.'); + } + + $priv = RSAKey::createFromJWK($key); + + return JoseRSA::sign($priv, $input, $this->getAlgorithm(), JoseRSA::SIGNATURE_PSS); + } + + abstract protected function getAlgorithm(): string; + + private function checkKey(JWK $key): void + { + if (!\in_array($key->get('kty'), $this->allowedKeyTypes(), true)) { + throw new InvalidArgumentException('Wrong key type.'); + } + foreach (['n', 'e'] as $k) { + if (!$key->has($k)) { + throw new InvalidArgumentException(sprintf('The key parameter "%s" is missing.', $k)); + } + } + } +} diff --git a/src/SignatureAlgorithm/RSA/Util/RSA.php b/src/SignatureAlgorithm/RSA/Util/RSA.php index 40058a45..28d9325a 100644 --- a/src/SignatureAlgorithm/RSA/Util/RSA.php +++ b/src/SignatureAlgorithm/RSA/Util/RSA.php @@ -40,7 +40,12 @@ public static function sign(RSAKey $key, string $message, string $hash, int $mod case self::SIGNATURE_PSS: return self::signWithPSS($key, $message, $hash); case self::SIGNATURE_PKCS1: - return self::signWithPKCS15($key, $message, $hash); + $result = openssl_sign($message, $signature, $key->toPEM(), $hash); + if (true !== $result) { + throw new RuntimeException('Unable to sign the data'); + } + + return $signature; default: throw new InvalidArgumentException('Unsupported mode.'); } @@ -60,6 +65,8 @@ public static function signWithPSS(RSAKey $key, string $message, string $hash): /** * Create a signature. + * + * @deprecated Please use openssl_sign */ public static function signWithPKCS15(RSAKey $key, string $message, string $hash): string { @@ -76,7 +83,7 @@ public static function verify(RSAKey $key, string $message, string $signature, s case self::SIGNATURE_PSS: return self::verifyWithPSS($key, $message, $signature, $hash); case self::SIGNATURE_PKCS1: - return self::verifyWithPKCS15($key, $message, $signature, $hash); + return 1 === openssl_verify($message, $signature, $key->toPEM(), $hash); default: throw new InvalidArgumentException('Unsupported mode.'); } @@ -100,6 +107,8 @@ public static function verifyWithPSS(RSAKey $key, string $message, string $signa /** * Verifies a signature. + * + * @deprecated Please use openssl_sign */ public static function verifyWithPKCS15(RSAKey $key, string $message, string $signature, string $hash): bool { diff --git a/src/SignatureAlgorithm/RSA/composer.json b/src/SignatureAlgorithm/RSA/composer.json index 40ef65c6..990393af 100644 --- a/src/SignatureAlgorithm/RSA/composer.json +++ b/src/SignatureAlgorithm/RSA/composer.json @@ -20,9 +20,11 @@ } }, "require": { - "ext-gmp": "*", "web-token/jwt-signature": "^2.0" }, + "suggest": { + "ext-gmp": "To use PSxxx algorihtms" + }, "require-dev": { "phpunit/phpunit": "^8.0" }, From 1867e4fe2b88ebc35d67d3922d2c74f1e347eccb Mon Sep 17 00:00:00 2001 From: Spomky Date: Wed, 10 Jul 2019 13:16:19 +0200 Subject: [PATCH 4/5] Minor correction --- src/SignatureAlgorithm/RSA/RSA.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/SignatureAlgorithm/RSA/RSA.php b/src/SignatureAlgorithm/RSA/RSA.php index ff4a1ab7..3549535d 100644 --- a/src/SignatureAlgorithm/RSA/RSA.php +++ b/src/SignatureAlgorithm/RSA/RSA.php @@ -32,9 +32,6 @@ public function verify(JWK $key, string $input, string $signature): bool { $this->checkKey($key); $pub = RSAKey::createFromJWK($key->toPublic()); - if (JoseRSA::SIGNATURE_PKCS1 === $this->getSignatureMethod()) { - return 1 === openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm()); - } return JoseRSA::verify($pub, $input, $signature, $this->getAlgorithm(), $this->getSignatureMethod()); } From aeb0f420c1bbd99f09680e1d925997d56030b3b7 Mon Sep 17 00:00:00 2001 From: Spomky Date: Thu, 18 Jul 2019 22:52:42 +0200 Subject: [PATCH 5/5] Minor correction --- src/SignatureAlgorithm/RSA/RSA.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/SignatureAlgorithm/RSA/RSA.php b/src/SignatureAlgorithm/RSA/RSA.php index 3549535d..04ba7aed 100644 --- a/src/SignatureAlgorithm/RSA/RSA.php +++ b/src/SignatureAlgorithm/RSA/RSA.php @@ -17,12 +17,20 @@ use Jose\Component\Core\JWK; use Jose\Component\Core\Util\RSAKey; use Jose\Component\Signature\Algorithm\Util\RSA as JoseRSA; +use RuntimeException; /** * @deprecated Please use either RSAPSS or RSAPKCS1 depending on the padding mode */ abstract class RSA implements SignatureAlgorithm { + public function __construct() + { + if (!\extension_loaded('gmp')) { + throw new RuntimeException(static::class.' requires gmp extension'); + } + } + public function allowedKeyTypes(): array { return ['RSA'];