aboutsummaryrefslogtreecommitdiffstats
path: root/library/oauth2/src/OAuth2/Encryption/Jwt.php
diff options
context:
space:
mode:
Diffstat (limited to 'library/oauth2/src/OAuth2/Encryption/Jwt.php')
-rw-r--r--library/oauth2/src/OAuth2/Encryption/Jwt.php173
1 files changed, 173 insertions, 0 deletions
diff --git a/library/oauth2/src/OAuth2/Encryption/Jwt.php b/library/oauth2/src/OAuth2/Encryption/Jwt.php
new file mode 100644
index 000000000..ee576e643
--- /dev/null
+++ b/library/oauth2/src/OAuth2/Encryption/Jwt.php
@@ -0,0 +1,173 @@
+<?php
+
+namespace OAuth2\Encryption;
+
+/**
+ * @link https://github.com/F21/jwt
+ * @author F21
+ */
+class Jwt implements EncryptionInterface
+{
+ public function encode($payload, $key, $algo = 'HS256')
+ {
+ $header = $this->generateJwtHeader($payload, $algo);
+
+ $segments = array(
+ $this->urlSafeB64Encode(json_encode($header)),
+ $this->urlSafeB64Encode(json_encode($payload))
+ );
+
+ $signing_input = implode('.', $segments);
+
+ $signature = $this->sign($signing_input, $key, $algo);
+ $segments[] = $this->urlsafeB64Encode($signature);
+
+ return implode('.', $segments);
+ }
+
+ public function decode($jwt, $key = null, $allowedAlgorithms = true)
+ {
+ if (!strpos($jwt, '.')) {
+ return false;
+ }
+
+ $tks = explode('.', $jwt);
+
+ if (count($tks) != 3) {
+ return false;
+ }
+
+ list($headb64, $payloadb64, $cryptob64) = $tks;
+
+ if (null === ($header = json_decode($this->urlSafeB64Decode($headb64), true))) {
+ return false;
+ }
+
+ if (null === $payload = json_decode($this->urlSafeB64Decode($payloadb64), true)) {
+ return false;
+ }
+
+ $sig = $this->urlSafeB64Decode($cryptob64);
+
+ if ((bool) $allowedAlgorithms) {
+ if (!isset($header['alg'])) {
+ return false;
+ }
+
+ // check if bool arg supplied here to maintain BC
+ if (is_array($allowedAlgorithms) && !in_array($header['alg'], $allowedAlgorithms)) {
+ return false;
+ }
+
+ if (!$this->verifySignature($sig, "$headb64.$payloadb64", $key, $header['alg'])) {
+ return false;
+ }
+ }
+
+ return $payload;
+ }
+
+ private function verifySignature($signature, $input, $key, $algo = 'HS256')
+ {
+ // use constants when possible, for HipHop support
+ switch ($algo) {
+ case'HS256':
+ case'HS384':
+ case'HS512':
+ return $this->hash_equals(
+ $this->sign($input, $key, $algo),
+ $signature
+ );
+
+ case 'RS256':
+ return openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA256') ? OPENSSL_ALGO_SHA256 : 'sha256') === 1;
+
+ case 'RS384':
+ return @openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'sha384') === 1;
+
+ case 'RS512':
+ return @openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512') === 1;
+
+ default:
+ throw new \InvalidArgumentException("Unsupported or invalid signing algorithm.");
+ }
+ }
+
+ private function sign($input, $key, $algo = 'HS256')
+ {
+ switch ($algo) {
+ case 'HS256':
+ return hash_hmac('sha256', $input, $key, true);
+
+ case 'HS384':
+ return hash_hmac('sha384', $input, $key, true);
+
+ case 'HS512':
+ return hash_hmac('sha512', $input, $key, true);
+
+ case 'RS256':
+ return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA256') ? OPENSSL_ALGO_SHA256 : 'sha256');
+
+ case 'RS384':
+ return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA384') ? OPENSSL_ALGO_SHA384 : 'sha384');
+
+ case 'RS512':
+ return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512');
+
+ default:
+ throw new \Exception("Unsupported or invalid signing algorithm.");
+ }
+ }
+
+ private function generateRSASignature($input, $key, $algo)
+ {
+ if (!openssl_sign($input, $signature, $key, $algo)) {
+ throw new \Exception("Unable to sign data.");
+ }
+
+ return $signature;
+ }
+
+ public function urlSafeB64Encode($data)
+ {
+ $b64 = base64_encode($data);
+ $b64 = str_replace(array('+', '/', "\r", "\n", '='),
+ array('-', '_'),
+ $b64);
+
+ return $b64;
+ }
+
+ public function urlSafeB64Decode($b64)
+ {
+ $b64 = str_replace(array('-', '_'),
+ array('+', '/'),
+ $b64);
+
+ return base64_decode($b64);
+ }
+
+ /**
+ * Override to create a custom header
+ */
+ protected function generateJwtHeader($payload, $algorithm)
+ {
+ return array(
+ 'typ' => 'JWT',
+ 'alg' => $algorithm,
+ );
+ }
+
+ protected function hash_equals($a, $b)
+ {
+ if (function_exists('hash_equals')) {
+ return hash_equals($a, $b);
+ }
+ $diff = strlen($a) ^ strlen($b);
+ for ($i = 0; $i < strlen($a) && $i < strlen($b); $i++) {
+ $diff |= ord($a[$i]) ^ ord($b[$i]);
+ }
+
+ return $diff === 0;
+ }
+}