173 lines
4.9 KiB
PHP
173 lines
4.9 KiB
PHP
<?php
|
|
|
|
namespace OAuth2\Encryption;
|
|
|
|
/**
|
|
* @link https://github.com/F21/jwt
|
|
* @author F21
|
|
*/
|
|
class Jwt implements EncryptionInterface
|
|
{
|
|
public function encode($payload, $key, $algo = 'HS256')
|
|
{
|
|
$header = $this->generateJwtHeader($payload, $algo);
|
|
|
|
$segments = array(
|
|
$this->urlSafeB64Encode(json_encode($header)),
|
|
$this->urlSafeB64Encode(json_encode($payload))
|
|
);
|
|
|
|
$signing_input = implode('.', $segments);
|
|
|
|
$signature = $this->sign($signing_input, $key, $algo);
|
|
$segments[] = $this->urlsafeB64Encode($signature);
|
|
|
|
return implode('.', $segments);
|
|
}
|
|
|
|
public function decode($jwt, $key = null, $allowedAlgorithms = true)
|
|
{
|
|
if (!strpos($jwt, '.')) {
|
|
return false;
|
|
}
|
|
|
|
$tks = explode('.', $jwt);
|
|
|
|
if (count($tks) != 3) {
|
|
return false;
|
|
}
|
|
|
|
list($headb64, $payloadb64, $cryptob64) = $tks;
|
|
|
|
if (null === ($header = json_decode($this->urlSafeB64Decode($headb64), true))) {
|
|
return false;
|
|
}
|
|
|
|
if (null === $payload = json_decode($this->urlSafeB64Decode($payloadb64), true)) {
|
|
return false;
|
|
}
|
|
|
|
$sig = $this->urlSafeB64Decode($cryptob64);
|
|
|
|
if ((bool) $allowedAlgorithms) {
|
|
if (!isset($header['alg'])) {
|
|
return false;
|
|
}
|
|
|
|
// check if bool arg supplied here to maintain BC
|
|
if (is_array($allowedAlgorithms) && !in_array($header['alg'], $allowedAlgorithms)) {
|
|
return false;
|
|
}
|
|
|
|
if (!$this->verifySignature($sig, "$headb64.$payloadb64", $key, $header['alg'])) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return $payload;
|
|
}
|
|
|
|
private function verifySignature($signature, $input, $key, $algo = 'HS256')
|
|
{
|
|
// use constants when possible, for HipHop support
|
|
switch ($algo) {
|
|
case'HS256':
|
|
case'HS384':
|
|
case'HS512':
|
|
return $this->hash_equals(
|
|
$this->sign($input, $key, $algo),
|
|
$signature
|
|
);
|
|
|
|
case 'RS256':
|
|
return openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA256') ? OPENSSL_ALGO_SHA256 : 'sha256') === 1;
|
|
|
|
case 'RS384':
|
|
return @openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'sha384') === 1;
|
|
|
|
case 'RS512':
|
|
return @openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512') === 1;
|
|
|
|
default:
|
|
throw new \InvalidArgumentException("Unsupported or invalid signing algorithm.");
|
|
}
|
|
}
|
|
|
|
private function sign($input, $key, $algo = 'HS256')
|
|
{
|
|
switch ($algo) {
|
|
case 'HS256':
|
|
return hash_hmac('sha256', $input, $key, true);
|
|
|
|
case 'HS384':
|
|
return hash_hmac('sha384', $input, $key, true);
|
|
|
|
case 'HS512':
|
|
return hash_hmac('sha512', $input, $key, true);
|
|
|
|
case 'RS256':
|
|
return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA256') ? OPENSSL_ALGO_SHA256 : 'sha256');
|
|
|
|
case 'RS384':
|
|
return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'sha384');
|
|
|
|
case 'RS512':
|
|
return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512');
|
|
|
|
default:
|
|
throw new \Exception("Unsupported or invalid signing algorithm.");
|
|
}
|
|
}
|
|
|
|
private function generateRSASignature($input, $key, $algo)
|
|
{
|
|
if (!openssl_sign($input, $signature, $key, $algo)) {
|
|
throw new \Exception("Unable to sign data.");
|
|
}
|
|
|
|
return $signature;
|
|
}
|
|
|
|
public function urlSafeB64Encode($data)
|
|
{
|
|
$b64 = base64_encode($data);
|
|
$b64 = str_replace(array('+', '/', "\r", "\n", '='),
|
|
array('-', '_'),
|
|
$b64);
|
|
|
|
return $b64;
|
|
}
|
|
|
|
public function urlSafeB64Decode($b64)
|
|
{
|
|
$b64 = str_replace(array('-', '_'),
|
|
array('+', '/'),
|
|
$b64);
|
|
|
|
return base64_decode($b64);
|
|
}
|
|
|
|
/**
|
|
* Override to create a custom header
|
|
*/
|
|
protected function generateJwtHeader($payload, $algorithm)
|
|
{
|
|
return array(
|
|
'typ' => 'JWT',
|
|
'alg' => $algorithm,
|
|
);
|
|
}
|
|
|
|
protected function hash_equals($a, $b)
|
|
{
|
|
if (function_exists('hash_equals')) {
|
|
return hash_equals($a, $b);
|
|
}
|
|
$diff = strlen($a) ^ strlen($b);
|
|
for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
|
|
$diff |= ord($a[$i]) ^ ord($b[$i]);
|
|
}
|
|
|
|
return $diff === 0;
|
|
}
|
|
}
|