web-token
diff --git a/‎phpstan.neon
Lines changed: 1 addition & 1 deletion b/‎phpstan.neon
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Component/Encryption/Serializer/CompactSerializer.php
Lines changed: 4 additions & 0 deletions b/‎src/Component/Encryption/Serializer/CompactSerializer.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Component/Encryption/Serializer/JSONFlattenedSerializer.php
Lines changed: 4 additions & 0 deletions b/‎src/Component/Encryption/Serializer/JSONFlattenedSerializer.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Component/Encryption/Serializer/JSONGeneralSerializer.php
Lines changed: 4 additions & 0 deletions b/‎src/Component/Encryption/Serializer/JSONGeneralSerializer.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions b/‎src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions b/‎src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions b/‎src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php
Lines changed: 9 additions & 35 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/ESKeyAnalyzer.php
Lines changed: 76 additions & 0 deletions b/‎src/Component/KeyManagement/Analyzer/ESKeyAnalyzer.php
Lines changed: 76 additions & 0 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/HS256KeyAnalyzer.php
Lines changed: 8 additions & 16 deletions b/‎src/Component/KeyManagement/Analyzer/HS256KeyAnalyzer.php
Lines changed: 8 additions & 16 deletions
diff --git a/‎src/Component/KeyManagement/Analyzer/HS384KeyAnalyzer.php
Lines changed: 8 additions & 16 deletions b/‎src/Component/KeyManagement/Analyzer/HS384KeyAnalyzer.php
Lines changed: 8 additions & 16 deletions
@@ -1,5 +1,5 @@
 parameters:
-    level: 8
+    level: max
     paths:
         - src
     checkMissingIterableValueType: false
 
@@ -6,6 +6,7 @@
 
 use function count;
 use InvalidArgumentException;
+use function is_array;
 use Jose\Component\Core\Util\JsonConverter;
 use Jose\Component\Encryption\JWE;
 use Jose\Component\Encryption\Recipient;
@@ -58,6 +59,9 @@ public function unserialize(string $input): JWE
         try {
             $encodedSharedProtectedHeader = $parts[0];
             $sharedProtectedHeader = JsonConverter::decode(Base64UrlSafe::decode($encodedSharedProtectedHeader));
+            if (! is_array($sharedProtectedHeader)) {
+                throw new InvalidArgumentException('Unsupported input.');
+            }
             $encryptedKey = $parts[1] === '' ? null : Base64UrlSafe::decode($parts[1]);
             $iv = Base64UrlSafe::decode($parts[2]);
             $ciphertext = Base64UrlSafe::decode($parts[3]);
 
@@ -7,6 +7,7 @@
 use function array_key_exists;
 use function count;
 use InvalidArgumentException;
+use function is_array;
 use Jose\Component\Core\Util\JsonConverter;
 use Jose\Component\Encryption\JWE;
 use Jose\Component\Encryption\Recipient;
@@ -59,6 +60,9 @@ public function serialize(JWE $jwe, ?int $recipientIndex = null): string
     public function unserialize(string $input): JWE
     {
         $data = JsonConverter::decode($input);
+        if (! is_array($data)) {
+            throw new InvalidArgumentException('Unsupported input.');
+        }
         $this->checkData($data);
 
         $ciphertext = Base64UrlSafe::decode($data['ciphertext']);
 
@@ -7,6 +7,7 @@
 use function array_key_exists;
 use function count;
 use InvalidArgumentException;
+use function is_array;
 use Jose\Component\Core\Util\JsonConverter;
 use Jose\Component\Encryption\JWE;
 use Jose\Component\Encryption\Recipient;
@@ -65,6 +66,9 @@ public function serialize(JWE $jwe, ?int $recipientIndex = null): string
     public function unserialize(string $input): JWE
     {
         $data = JsonConverter::decode($input);
+        if (! is_array($data)) {
+            throw new InvalidArgumentException('Unsupported input.');
+        }
         $this->checkData($data);
 
         $ciphertext = Base64UrlSafe::decode($data['ciphertext']);
 
@@ -4,46 +4,20 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
-use Brick\Math\BigInteger;
-use Jose\Component\Core\JWK;
-use Jose\Component\Core\Util\Ecc\NistCurve;
-use ParagonIE\ConstantTime\Base64UrlSafe;
-use RuntimeException;
-
-final class ES256KeyAnalyzer implements KeyAnalyzer
+final class ES256KeyAnalyzer extends ESKeyAnalyzer
 {
-    public function __construct()
+    protected function getAlgorithmName(): string
     {
-        if (! class_exists(NistCurve::class)) {
-            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
-        }
+        return 'ES256';
     }
 
-    public function analyze(JWK $jwk, MessageBag $bag): void
+    protected function getCurveName(): string
     {
-        if ($jwk->get('kty') !== 'EC') {
-            return;
-        }
-        if (! $jwk->has('crv')) {
-            $bag->add(Message::high('Invalid key. The components "crv" is missing.'));
+        return 'P-256';
+    }
 
-            return;
-        }
-        if ($jwk->get('crv') !== 'P-256') {
-            return;
-        }
-        $x = Base64UrlSafe::decode($jwk->get('x'));
-        $xLength = 8 * mb_strlen($x, '8bit');
-        $y = Base64UrlSafe::decode($jwk->get('y'));
-        $yLength = 8 * mb_strlen($y, '8bit');
-        if ($yLength !== $xLength || $yLength !== 256) {
-            $bag->add(Message::high('Invalid key. The components "x" and "y" size shall be 256 bits.'));
-        }
-        $xBI = BigInteger::fromBase(bin2hex($x), 16);
-        $yBI = BigInteger::fromBase(bin2hex($y), 16);
-        $curve = NistCurve::curve256();
-        if (! $curve->contains($xBI, $yBI)) {
-            $bag->add(Message::high('Invalid key. The point is not on the curve.'));
-        }
+    protected function getKeySize(): int
+    {
+        return 256;
     }
 }
@@ -4,46 +4,20 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
-use Brick\Math\BigInteger;
-use Jose\Component\Core\JWK;
-use Jose\Component\Core\Util\Ecc\NistCurve;
-use ParagonIE\ConstantTime\Base64UrlSafe;
-use RuntimeException;
-
-final class ES384KeyAnalyzer implements KeyAnalyzer
+final class ES384KeyAnalyzer extends ESKeyAnalyzer
 {
-    public function __construct()
+    protected function getAlgorithmName(): string
     {
-        if (! class_exists(NistCurve::class)) {
-            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
-        }
+        return 'ES384';
     }
 
-    public function analyze(JWK $jwk, MessageBag $bag): void
+    protected function getCurveName(): string
     {
-        if ($jwk->get('kty') !== 'EC') {
-            return;
-        }
-        if (! $jwk->has('crv')) {
-            $bag->add(Message::high('Invalid key. The components "crv" is missing.'));
+        return 'P-384';
+    }
 
-            return;
-        }
-        if ($jwk->get('crv') !== 'P-384') {
-            return;
-        }
-        $x = Base64UrlSafe::decode($jwk->get('x'));
-        $xLength = 8 * mb_strlen($x, '8bit');
-        $y = Base64UrlSafe::decode($jwk->get('y'));
-        $yLength = 8 * mb_strlen($y, '8bit');
-        if ($yLength !== $xLength || $yLength !== 384) {
-            $bag->add(Message::high('Invalid key. The components "x" and "y" size shall be 384 bits.'));
-        }
-        $xBI = BigInteger::fromBase(bin2hex($x), 16);
-        $yBI = BigInteger::fromBase(bin2hex($y), 16);
-        $curve = NistCurve::curve384();
-        if (! $curve->contains($xBI, $yBI)) {
-            $bag->add(Message::high('Invalid key. The point is not on the curve.'));
-        }
+    protected function getKeySize(): int
+    {
+        return 384;
     }
 }
@@ -4,46 +4,20 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
-use Brick\Math\BigInteger;
-use Jose\Component\Core\JWK;
-use Jose\Component\Core\Util\Ecc\NistCurve;
-use ParagonIE\ConstantTime\Base64UrlSafe;
-use RuntimeException;
-
-final class ES512KeyAnalyzer implements KeyAnalyzer
+final class ES512KeyAnalyzer extends ESKeyAnalyzer
 {
-    public function __construct()
+    protected function getAlgorithmName(): string
     {
-        if (! class_exists(NistCurve::class)) {
-            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
-        }
+        return 'ES512';
     }
 
-    public function analyze(JWK $jwk, MessageBag $bag): void
+    protected function getCurveName(): string
     {
-        if ($jwk->get('kty') !== 'EC') {
-            return;
-        }
-        if (! $jwk->has('crv')) {
-            $bag->add(Message::high('Invalid key. The components "crv" is missing.'));
+        return 'P-521';
+    }
 
-            return;
-        }
-        if ($jwk->get('crv') !== 'P-521') {
-            return;
-        }
-        $x = Base64UrlSafe::decode($jwk->get('x'));
-        $xLength = 8 * mb_strlen($x, '8bit');
-        $y = Base64UrlSafe::decode($jwk->get('y'));
-        $yLength = 8 * mb_strlen($y, '8bit');
-        if ($yLength !== $xLength || $yLength !== 528) {
-            $bag->add(Message::high('Invalid key. The components "x" and "y" size shall be 528 bits.'));
-        }
-        $xBI = BigInteger::fromBase(bin2hex($x), 16);
-        $yBI = BigInteger::fromBase(bin2hex($y), 16);
-        $curve = NistCurve::curve521();
-        if (! $curve->contains($xBI, $yBI)) {
-            $bag->add(Message::high('Invalid key. The point is not on the curve.'));
-        }
+    protected function getKeySize(): int
+    {
+        return 512; //528
     }
 }
@@ -0,0 +1,76 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Jose\Component\KeyManagement\Analyzer;
+
+use Brick\Math\BigInteger;
+use function is_string;
+use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\Ecc\NistCurve;
+use ParagonIE\ConstantTime\Base64UrlSafe;
+use RuntimeException;
+
+abstract class ESKeyAnalyzer implements KeyAnalyzer
+{
+    public function __construct()
+    {
+        if (! class_exists(NistCurve::class)) {
+            throw new RuntimeException('Please install web-token/jwt-util-ecc to use this key analyzer');
+        }
+    }
+
+    public function analyze(JWK $jwk, MessageBag $bag): void
+    {
+        if (! $jwk->has('alg') || $jwk->get('alg') !== $this->getAlgorithmName()) {
+            return;
+        }
+        if ($jwk->get('kty') !== 'EC') {
+            return;
+        }
+        if (! $jwk->has('crv')) {
+            $bag->add(Message::high('Invalid key. The components "crv" is missing.'));
+
+            return;
+        }
+        if ($jwk->get('crv') !== $this->getCurveName()) {
+            return;
+        }
+        $x = $jwk->get('x');
+        if (! is_string($x)) {
+            $bag->add(Message::high('Invalid key. The components "x" shall be a string.'));
+
+            return;
+        }
+        $x = Base64UrlSafe::decode($x);
+        $xLength = 8 * mb_strlen($x, '8bit');
+        $y = $jwk->get('y');
+        if (! is_string($y)) {
+            $bag->add(Message::high('Invalid key. The components "y" shall be a string.'));
+
+            return;
+        }
+        $y = Base64UrlSafe::decode($y);
+        $yLength = 8 * mb_strlen($y, '8bit');
+        if ($yLength !== $xLength || $yLength !== $this->getKeySize()) {
+            $bag->add(
+                Message::high(sprintf(
+                    'Invalid key. The components "x" and "y" size shall be %d bits.',
+                    $this->getKeySize()
+                ))
+            );
+        }
+        $xBI = BigInteger::fromBase(bin2hex($x), 16);
+        $yBI = BigInteger::fromBase(bin2hex($y), 16);
+        $curve = NistCurve::curve256();
+        if (! $curve->contains($xBI, $yBI)) {
+            $bag->add(Message::high('Invalid key. The point is not on the curve.'));
+        }
+    }
+
+    abstract protected function getAlgorithmName(): string;
+
+    abstract protected function getCurveName(): string;
+
+    abstract protected function getKeySize(): int;
+}
@@ -4,23 +4,15 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
-use Jose\Component\Core\JWK;
-use ParagonIE\ConstantTime\Base64UrlSafe;
-
-final class HS256KeyAnalyzer implements KeyAnalyzer
+final class HS256KeyAnalyzer extends HSKeyAnalyzer
 {
-    public function analyze(JWK $jwk, MessageBag $bag): void
+    protected function getAlgorithmName(): string
+    {
+        return 'HS256';
+    }
+
+    protected function getMinimumKeySize(): int
     {
-        if ($jwk->get('kty') !== 'oct') {
-            return;
-        }
-        if (! $jwk->has('alg') || $jwk->get('alg') !== 'HS256') {
-            return;
-        }
-        $k = Base64UrlSafe::decode($jwk->get('k'));
-        $kLength = 8 * mb_strlen($k, '8bit');
-        if ($kLength < 256) {
-            $bag->add(Message::high('HS256 algorithm requires at least 256 bits key length.'));
-        }
+        return 256;
     }
 }
@@ -4,23 +4,15 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
-use Jose\Component\Core\JWK;
-use ParagonIE\ConstantTime\Base64UrlSafe;
-
-final class HS384KeyAnalyzer implements KeyAnalyzer
+final class HS384KeyAnalyzer extends HSKeyAnalyzer
 {
-    public function analyze(JWK $jwk, MessageBag $bag): void
+    protected function getAlgorithmName(): string
+    {
+        return 'HS384';
+    }
+
+    protected function getMinimumKeySize(): int
     {
-        if ($jwk->get('kty') !== 'oct') {
-            return;
-        }
-        if (! $jwk->has('alg') || $jwk->get('alg') !== 'HS384') {
-            return;
-        }
-        $k = Base64UrlSafe::decode($jwk->get('k'));
-        $kLength = 8 * mb_strlen($k, '8bit');
-        if ($kLength < 384) {
-            $bag->add(Message::high('HS384 algorithm requires at least 384 bits key length.'));
-        }
+        return 384;
     }
 }