diff options
author | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
---|---|---|
committer | Anton Luka Šijanec <anton@sijanec.eu> | 2022-01-11 12:35:47 +0100 |
commit | 19985dbb8c0aa66dc4bf7905abc1148de909097d (patch) | |
tree | 2cd5a5d20d7e80fc2a51adf60d838d8a2c40999e /vendor/web-token/jwt-core/Util/KeyChecker.php | |
download | 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.gz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.bz2 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.lz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.xz 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.zst 1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.zip |
Diffstat (limited to 'vendor/web-token/jwt-core/Util/KeyChecker.php')
-rw-r--r-- | vendor/web-token/jwt-core/Util/KeyChecker.php | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-core/Util/KeyChecker.php b/vendor/web-token/jwt-core/Util/KeyChecker.php new file mode 100644 index 0000000..09385a4 --- /dev/null +++ b/vendor/web-token/jwt-core/Util/KeyChecker.php @@ -0,0 +1,107 @@ +<?php + +declare(strict_types=1); + +/* + * The MIT License (MIT) + * + * Copyright (c) 2014-2018 Spomky-Labs + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ + +namespace Jose\Component\Core\Util; + +use Jose\Component\Core\JWK; + +/** + * @internal + */ +class KeyChecker +{ + /** + * @throws \InvalidArgumentException + */ + public static function checkKeyUsage(JWK $key, string $usage): bool + { + if ($key->has('use')) { + return self::checkUsage($key, $usage); + } + if ($key->has('key_ops')) { + return self::checkOperation($key, $usage); + } + + return true; + } + + private static function checkOperation(JWK $key, string $usage): bool + { + $ops = $key->get('key_ops'); + if (!\is_array($ops)) { + $ops = [$ops]; + } + switch ($usage) { + case 'verification': + if (!\in_array('verify', $ops, true)) { + throw new \InvalidArgumentException('Key cannot be used to verify a signature'); + } + + return true; + case 'signature': + if (!\in_array('sign', $ops, true)) { + throw new \InvalidArgumentException('Key cannot be used to sign'); + } + + return true; + case 'encryption': + if (!\in_array('encrypt', $ops, true) && !\in_array('wrapKey', $ops, true)) { + throw new \InvalidArgumentException('Key cannot be used to encrypt'); + } + + return true; + case 'decryption': + if (!\in_array('decrypt', $ops, true) && !\in_array('unwrapKey', $ops, true)) { + throw new \InvalidArgumentException('Key cannot be used to decrypt'); + } + + return true; + default: + throw new \InvalidArgumentException('Unsupported key usage.'); + } + } + + private static function checkUsage(JWK $key, string $usage): bool + { + $use = $key->get('use'); + switch ($usage) { + case 'verification': + case 'signature': + if ('sig' !== $use) { + throw new \InvalidArgumentException('Key cannot be used to sign or verify a signature.'); + } + + return true; + case 'encryption': + case 'decryption': + if ('enc' !== $use) { + throw new \InvalidArgumentException('Key cannot be used to encrypt or decrypt.'); + } + + return true; + default: + throw new \InvalidArgumentException('Unsupported key usage.'); + } + } + + public static function checkKeyAlgorithm(JWK $key, string $algorithm) + { + if (!$key->has('alg')) { + return; + } + + if ($key->get('alg') !== $algorithm) { + throw new \InvalidArgumentException(\sprintf('Key is only allowed for algorithm "%s".', $key->get('alg'))); + } + } +} |