Feature: Introduce RSA::fromRSAPublicKeyFile, rework JWKSet

SocialConnect · Jul 18, 2019 · 452ca3d · 452ca3d
1 parent 8c6921f
commit 452ca3d
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ Implementation:
 
 - JWT (JSON Web Token) [RFC 7519](https://tools.ietf.org/html/rfc7519)
 - JWK (JSON Web Keys) [RFC 7517](https://tools.ietf.org/html/rfc7517)
+- JWKs (JSON Web Key Set) [RFC 7517](https://tools.ietf.org/html/rfc7517#section-8.4)
 
 ## Encode
 

diff --git a/src/JWK.php b/src/JWK.php
@@ -157,6 +157,20 @@ protected function parseRSAKey(array $parameters)
         }
     }
 
+    /**
+     * @param string $file
+     * @return JWK
+     */
+    public static function fromRSAPublicKeyFile(string $file): JWK
+    {
+        $contentOrFalse = file_get_contents($file);
+        if ($contentOrFalse === false) {
+            throw new RuntimeException('Unable to read public key');
+        }
+
+        return self::fromRSAPublicKey($contentOrFalse);
+    }
+
     /**
      * @param string $content
      * @return JWK

diff --git a/src/JWKSet.php b/src/JWKSet.php
@@ -17,24 +17,26 @@ class JWKSet
     protected $keys;
 
     /**
-     * @param array<string, array> $keys
+     * @param array<string, array> $parameters
      */
-    public function __construct(array $keys)
+    public function __construct(array $parameters)
     {
-        $this->keys = array_map(static function ($key) {
-            return new JWK($key);
-        }, $keys);
+        if (isset($parameters['keys'])) {
+            $this->keys = $parameters['keys'];
+        } else {
+            throw new \InvalidArgumentException('JWKs must define keys');
+        }
     }
 
     /**
      * @param string $kid
      * @return JWK
      */
-    public function findKeyByKind(string $kid)
+    public function findKeyByKid(string $kid)
     {
-        foreach ($this->keys as $key => $jwk) {
-            if ($key === $kid) {
-                return $jwk;
+        foreach ($this->keys as $jwk) {
+            if (isset($jwk['kid']) && $jwk['kid'] === $kid) {
+                return new JWK($jwk);
             }
         }
 

diff --git a/src/JWT.php b/src/JWT.php
@@ -103,14 +103,14 @@ public function __construct(array $payload, array $headers = [], $signature = nu
 
     /**
      * @param string $token
-     * @param string|JWKSet $publicKeyOrSecret
+     * @param string|JWKSet|mixed $publicKeyOrSecret
      * @param DecodeOptions $options
      * @return JWT
      * @throws InvalidJWT
      */
     public static function decode(string $token, $publicKeyOrSecret, DecodeOptions $options)
     {
-        if (!is_string($publicKeyOrSecret) && !$publicKeyOrSecret instanceof JWKSet) {
+        if (!is_string($publicKeyOrSecret) && !($publicKeyOrSecret instanceof JWKSet)) {
             throw new \InvalidArgumentException('$privateKeyOrSecret must be string/JWK/JWKSet');
         }
 
@@ -263,7 +263,7 @@ protected function verifySignature($data, $publicKeyOrSecret, DecodeOptions $opt
         }
 
         if ($publicKeyOrSecret instanceof JWKSet) {
-            $jwk = $publicKeyOrSecret->findKeyByKind($this->headers['kid']);
+            $jwk = $publicKeyOrSecret->findKeyByKid($this->headers['kid']);
             $secretOrKey = $jwk->getPublicKey();
         } else {
             $secretOrKey = $publicKeyOrSecret;

diff --git a/tests/JWKTest.php b/tests/JWKTest.php
@@ -12,7 +12,7 @@ class JWKTest extends AbstractTestCase
 {
     public function testFromRSA256PublicKey()
     {
-        $jwk = JWK::fromRSAPublicKey(file_get_contents(__DIR__ . '/assets/rs256.key.pub'));
+        $jwk = JWK::fromRSAPublicKeyFile(__DIR__ . '/assets/rs256.key.pub');
 
         parent::assertSame(
             [
@@ -27,7 +27,7 @@ public function testFromRSA256PublicKey()
 
     public function testFromRSA384PublicKey()
     {
-        $jwk = JWK::fromRSAPublicKey(file_get_contents(__DIR__ . '/assets/rs384.key.pub'));
+        $jwk = JWK::fromRSAPublicKeyFile(__DIR__ . '/assets/rs384.key.pub');
 
         parent::assertSame(
             [
@@ -42,7 +42,7 @@ public function testFromRSA384PublicKey()
 
     public function testFromRSA512PublicKey()
     {
-        $jwk = JWK::fromRSAPublicKey(file_get_contents(__DIR__ . '/assets/rs512.key.pub'));
+        $jwk = JWK::fromRSAPublicKeyFile(__DIR__ . '/assets/rs512.key.pub');
 
         parent::assertSame(
             [

diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -165,7 +165,7 @@ public function testValidateHeaderSuccess()
         self::callProtectedMethod(
             $token,
             'validateHeader',
-            new JWKSet([]),
+            new JWKSet(['keys' => []]),
             new DecodeOptions(['RS256'])
         );
 
@@ -208,7 +208,7 @@ public function testValidateHeaderNoKid()
         self::callProtectedMethod(
             $token,
             'validateHeader',
-            new JWKSet([]),
+            new JWKSet(['keys' => []]),
             new DecodeOptions(['RS256'])
         );
     }
@@ -284,7 +284,14 @@ public function getEncodeToDecodeDataProvider()
             [
                 file_get_contents(__DIR__ . '/assets/rs512.key'),
                 new JWKSet([
-                    $kid => JWK::fromRSAPublicKey(file_get_contents(__DIR__ . '/assets/rs512.key.pub'))->toArray()
+                    'keys' => [
+                        array_merge(
+                            JWK::fromRSAPublicKeyFile(__DIR__ . '/assets/rs512.key.pub')->toArray(),
+                            [
+                                'kid' => $kid
+                            ]
+                        )
+                    ]
                 ]),
                 'RS512',
                 ['kid' => $kid],