summaryrefslogtreecommitdiffstats
path: root/vendor/web-token/jwt-key-mgmt/KeyAnalyzer
diff options
context:
space:
mode:
authorAnton Luka Šijanec <anton@sijanec.eu>2022-01-11 12:35:47 +0100
committerAnton Luka Šijanec <anton@sijanec.eu>2022-01-11 12:35:47 +0100
commit19985dbb8c0aa66dc4bf7905abc1148de909097d (patch)
tree2cd5a5d20d7e80fc2a51adf60d838d8a2c40999e /vendor/web-token/jwt-key-mgmt/KeyAnalyzer
download1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.gz
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.bz2
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.lz
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.xz
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.tar.zst
1ka-19985dbb8c0aa66dc4bf7905abc1148de909097d.zip
Diffstat (limited to 'vendor/web-token/jwt-key-mgmt/KeyAnalyzer')
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php26
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php24
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php50
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php26
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php96
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php59
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php28
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php50
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php34
-rw-r--r--vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php31
10 files changed, 424 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php
new file mode 100644
index 0000000..a7ebcad
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/AlgorithmAnalyzer.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+final class AlgorithmAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if (!$jwk->has('alg')) {
+ $bag->add(Message::medium('The parameter "alg" should be added.'));
+ }
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php
new file mode 100644
index 0000000..470b788
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzer.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+interface KeyAnalyzer
+{
+ /**
+ * This method will analyse the key and add messages to the message bag if needed.
+ */
+ public function analyze(JWK $jwk, MessageBag $bag);
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php
new file mode 100644
index 0000000..2b8b4a9
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyAnalyzerManager.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+class KeyAnalyzerManager
+{
+ /**
+ * @var KeyAnalyzer[]
+ */
+ private $analyzers = [];
+
+ /**
+ * Adds a Key Analyzer to the manager.
+ *
+ * @return KeyAnalyzerManager
+ */
+ public function add(KeyAnalyzer $analyzer): self
+ {
+ $this->analyzers[] = $analyzer;
+
+ return $this;
+ }
+
+ /**
+ * This method will analyze the JWK object using all analyzers.
+ * It returns a message bag that may contains messages.
+ */
+ public function analyze(JWK $jwk): MessageBag
+ {
+ $bag = new MessageBag();
+ foreach ($this->analyzers as $analyzer) {
+ $analyzer->analyze($jwk, $bag);
+ }
+
+ return $bag;
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php
new file mode 100644
index 0000000..71acb70
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/KeyIdentifierAnalyzer.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+final class KeyIdentifierAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if (!$jwk->has('kid')) {
+ $bag->add(Message::medium('The parameter "kid" should be added.'));
+ }
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php
new file mode 100644
index 0000000..4baf868
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/Message.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+class Message implements \JsonSerializable
+{
+ /**
+ * @var string
+ */
+ private $message;
+
+ /**
+ * @var string
+ */
+ private $severity;
+
+ public const SEVERITY_LOW = 'low';
+
+ public const SEVERITY_MEDIUM = 'medium';
+
+ public const SEVERITY_HIGH = 'high';
+
+ /**
+ * Message constructor.
+ */
+ private function __construct(string $message, string $severity)
+ {
+ $this->message = $message;
+ $this->severity = $severity;
+ }
+
+ /**
+ * Creates a message with severity=low.
+ *
+ * @return Message
+ */
+ public static function low(string $message): self
+ {
+ return new self($message, self::SEVERITY_LOW);
+ }
+
+ /**
+ * Creates a message with severity=medium.
+ *
+ * @return Message
+ */
+ public static function medium(string $message): self
+ {
+ return new self($message, self::SEVERITY_MEDIUM);
+ }
+
+ /**
+ * Creates a message with severity=high.
+ *
+ * @return Message
+ */
+ public static function high(string $message): self
+ {
+ return new self($message, self::SEVERITY_HIGH);
+ }
+
+ /**
+ * Returns the message.
+ */
+ public function getMessage(): string
+ {
+ return $this->message;
+ }
+
+ /**
+ * Returns the severity of the message.
+ */
+ public function getSeverity(): string
+ {
+ return $this->severity;
+ }
+
+ public function jsonSerialize()
+ {
+ return [
+ 'message' => $this->message,
+ 'severity' => $this->severity,
+ ];
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php
new file mode 100644
index 0000000..b41795f
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/MessageBag.php
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+class MessageBag implements \JsonSerializable, \IteratorAggregate, \Countable
+{
+ /**
+ * @var Message[]
+ */
+ private $messages = [];
+
+ /**
+ * Adds a message to the message bag.
+ *
+ * @return MessageBag
+ */
+ public function add(Message $message): self
+ {
+ $this->messages[] = $message;
+
+ return $this;
+ }
+
+ /**
+ * Returns all messages.
+ *
+ * @return Message[]
+ */
+ public function all(): array
+ {
+ return $this->messages;
+ }
+
+ public function jsonSerialize()
+ {
+ return \array_values($this->messages);
+ }
+
+ public function count()
+ {
+ return \count($this->messages);
+ }
+
+ public function getIterator()
+ {
+ return new \ArrayIterator($this->messages);
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php
new file mode 100644
index 0000000..a293efd
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/NoneAnalyzer.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+final class NoneAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if ('none' !== $jwk->get('kty')) {
+ return;
+ }
+
+ $bag->add(Message::high('This key is a meant to be used with the algorithm "none". This algorithm is not secured and should be used with care.'));
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php
new file mode 100644
index 0000000..4c2d7c1
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/OctAnalyzer.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Base64Url\Base64Url;
+use Jose\Component\Core\JWK;
+use ZxcvbnPhp\Zxcvbn;
+
+final class OctAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if ('oct' !== $jwk->get('kty')) {
+ return;
+ }
+ $k = Base64Url::decode($jwk->get('k'));
+ $kLength = 8 * \mb_strlen($k, '8bit');
+ if ($kLength < 128) {
+ $bag->add(Message::high('The key length is less than 128 bits.'));
+ }
+
+ if (\class_exists(Zxcvbn::class)) {
+ $zxcvbn = new Zxcvbn();
+ $strength = $zxcvbn->passwordStrength($k);
+ switch (true) {
+ case $strength['score'] < 3:
+ $bag->add(Message::high('The octet string is weak and easily guessable. Please change your key as soon as possible.'));
+
+ break;
+ case 3 === $strength['score']:
+ $bag->add(Message::medium('The octet string is safe, but a longer key is preferable.'));
+
+ break;
+ default:
+ break;
+ }
+ }
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php
new file mode 100644
index 0000000..6274aa0
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/RsaAnalyzer.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Base64Url\Base64Url;
+use Jose\Component\Core\JWK;
+
+final class RsaAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if ('RSA' !== $jwk->get('kty')) {
+ return;
+ }
+ $n = 8 * \mb_strlen(Base64Url::decode($jwk->get('n')), '8bit');
+ if ($n < 2048) {
+ $bag->add(Message::high('The key length is less than 2048 bits.'));
+ }
+ if ($jwk->has('d') && (!$jwk->has('p') || !$jwk->has('q') || !$jwk->has('dp') || !$jwk->has('dq') || !$jwk->has('p') || !$jwk->has('qi'))) {
+ $bag->add(Message::medium('The key is a private RSA key, but Chinese Remainder Theorem primes are missing. These primes are not mandatory, but signatures and decryption processes are faster when available.'));
+ }
+ }
+}
diff --git a/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php
new file mode 100644
index 0000000..8cdfaf6
--- /dev/null
+++ b/vendor/web-token/jwt-key-mgmt/KeyAnalyzer/UsageAnalyzer.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+namespace Jose\Component\KeyManagement\KeyAnalyzer;
+
+use Jose\Component\Core\JWK;
+
+final class UsageAnalyzer implements KeyAnalyzer
+{
+ public function analyze(JWK $jwk, MessageBag $bag)
+ {
+ if (!$jwk->has('use')) {
+ $bag->add(Message::medium('The parameter "use" should be added.'));
+ } elseif (!\in_array($jwk->get('use'), ['sig', 'enc'], true)) {
+ $bag->add(Message::high(\sprintf('The parameter "use" has an unsupported value "%s". Please use "sig" (signature) or "enc" (encryption).', $jwk->get('use'))));
+ }
+ if ($jwk->has('key_ops') && !\in_array($jwk->get('key_ops'), ['sign', 'verify', 'encrypt', 'decrypt', 'wrapKey', 'unwrapKey'], true)) {
+ $bag->add(Message::high(\sprintf('The parameter "key_ops" has an unsupported value "%s". Please use one of the following values: %s.', $jwk->get('use'), \implode(', ', ['verify', 'sign', 'encryp', 'decrypt', 'wrapKey', 'unwrapKey']))));
+ }
+ }
+}