1 files changed, 107 insertions, 0 deletions
diff --git a/vendor/web-token/jwt-core/Util/KeyChecker.php b/vendor/web-token/jwt-core/Util/KeyChecker.php
new file mode 100644
index 0000000..09385a4
--- /dev/null
+++ b/vendor/web-token/jwt-core/Util/KeyChecker.php
@@ -0,0 +1,107 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2014-2018 Spomky-Labs
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+namespace Jose\Component\Core\Util;
+
+use Jose\Component\Core\JWK;
+
+/**
+ * @internal
+ */
+class KeyChecker
+{
+    /**
+     * @throws \InvalidArgumentException
+     */
+    public static function checkKeyUsage(JWK $key, string $usage): bool
+    {
+        if ($key->has('use')) {
+            return self::checkUsage($key, $usage);
+        }
+        if ($key->has('key_ops')) {
+            return self::checkOperation($key, $usage);
+        }
+
+        return true;
+    }
+
+    private static function checkOperation(JWK $key, string $usage): bool
+    {
+        $ops = $key->get('key_ops');
+        if (!\is_array($ops)) {
+            $ops = [$ops];
+        }
+        switch ($usage) {
+            case 'verification':
+                if (!\in_array('verify', $ops, true)) {
+                    throw new \InvalidArgumentException('Key cannot be used to verify a signature');
+                }
+
+                return true;
+            case 'signature':
+                if (!\in_array('sign', $ops, true)) {
+                    throw new \InvalidArgumentException('Key cannot be used to sign');
+                }
+
+                return true;
+            case 'encryption':
+                if (!\in_array('encrypt', $ops, true) && !\in_array('wrapKey', $ops, true)) {
+                    throw new \InvalidArgumentException('Key cannot be used to encrypt');
+                }
+
+                return true;
+            case 'decryption':
+                if (!\in_array('decrypt', $ops, true) && !\in_array('unwrapKey', $ops, true)) {
+                    throw new \InvalidArgumentException('Key cannot be used to decrypt');
+                }
+
+                return true;
+            default:
+                throw new \InvalidArgumentException('Unsupported key usage.');
+        }
+    }
+
+    private static function checkUsage(JWK $key, string $usage): bool
+    {
+        $use = $key->get('use');
+        switch ($usage) {
+            case 'verification':
+            case 'signature':
+                if ('sig' !== $use) {
+                    throw new \InvalidArgumentException('Key cannot be used to sign or verify a signature.');
+                }
+
+                return true;
+            case 'encryption':
+            case 'decryption':
+                if ('enc' !== $use) {
+                    throw new \InvalidArgumentException('Key cannot be used to encrypt or decrypt.');
+                }
+
+                return true;
+            default:
+                throw new \InvalidArgumentException('Unsupported key usage.');
+        }
+    }
+
+    public static function checkKeyAlgorithm(JWK $key, string $algorithm)
+    {
+        if (!$key->has('alg')) {
+            return;
+        }
+
+        if ($key->get('alg') !== $algorithm) {
+            throw new \InvalidArgumentException(\sprintf('Key is only allowed for algorithm "%s".', $key->get('alg')));
+        }
+    }
+}