On the way the PHPStan level "max"

Author: Spomky

phpstan.neon

@@ -13,5 +13,7 @@ parameters:
         - '#Binary operation "\^" between string and 1 results in an error\.#'
         - '#Parameter \#1 \$length of function random_bytes expects int\<1\, max\>.*\.#'
         - '#Parameter \#3 \$length of function mb_substr expects int\|null.*\.#'
+        - '#Parameter \#2 \.\.\.\$values of function sprintf expects bool\|float\|int\|string\|null\, mixed given\.#'
+        - '#Parameter \#1 \.\.\.\$arrays of function array_merge expects array\, mixed given\.#'
 includes:
     - vendor/phpstan/phpstan/conf/bleedingEdge.neon

src/Component/Core/Util/ECKey.php

@@ -7,6 +7,7 @@
 use function extension_loaded;
 use InvalidArgumentException;
 use function is_array;
+use function is_string;
 use Jose\Component\Core\JWK;
 use const OPENSSL_KEYTYPE_EC;
 use ParagonIE\ConstantTime\Base64UrlSafe;
@@ -200,7 +201,11 @@ private static function p521PublicKey(): string
 
     private static function p256PrivateKey(JWK $jwk): string
     {
-        $d = unpack('H*', str_pad(Base64UrlSafe::decode($jwk->get('d')), 32, "\0", STR_PAD_LEFT));
+        $d = $jwk->get('d');
+        if (! is_string($d)) {
+            throw new InvalidArgumentException('Unable to get the private key');
+        }
+        $d = unpack('H*', str_pad(Base64UrlSafe::decode($d), 32, "\0", STR_PAD_LEFT));
         if (! is_array($d) || ! isset($d[1])) {
             throw new InvalidArgumentException('Unable to get the private key');
         }
@@ -222,7 +227,11 @@ private static function p256PrivateKey(JWK $jwk): string
 
     private static function p256KPrivateKey(JWK $jwk): string
     {
-        $d = unpack('H*', str_pad(Base64UrlSafe::decode($jwk->get('d')), 32, "\0", STR_PAD_LEFT));
+        $d = $jwk->get('d');
+        if (! is_string($d)) {
+            throw new InvalidArgumentException('Unable to get the private key');
+        }
+        $d = unpack('H*', str_pad(Base64UrlSafe::decode($d), 32, "\0", STR_PAD_LEFT));
         if (! is_array($d) || ! isset($d[1])) {
             throw new InvalidArgumentException('Unable to get the private key');
         }
@@ -244,7 +253,11 @@ private static function p256KPrivateKey(JWK $jwk): string
 
     private static function p384PrivateKey(JWK $jwk): string
     {
-        $d = unpack('H*', str_pad(Base64UrlSafe::decode($jwk->get('d')), 48, "\0", STR_PAD_LEFT));
+        $d = $jwk->get('d');
+        if (! is_string($d)) {
+            throw new InvalidArgumentException('Unable to get the private key');
+        }
+        $d = unpack('H*', str_pad(Base64UrlSafe::decode($d), 48, "\0", STR_PAD_LEFT));
         if (! is_array($d) || ! isset($d[1])) {
             throw new InvalidArgumentException('Unable to get the private key');
         }
@@ -266,7 +279,11 @@ private static function p384PrivateKey(JWK $jwk): string
 
     private static function p521PrivateKey(JWK $jwk): string
     {
-        $d = unpack('H*', str_pad(Base64UrlSafe::decode($jwk->get('d')), 66, "\0", STR_PAD_LEFT));
+        $d = $jwk->get('d');
+        if (! is_string($d)) {
+            throw new InvalidArgumentException('Unable to get the private key');
+        }
+        $d = unpack('H*', str_pad(Base64UrlSafe::decode($d), 66, "\0", STR_PAD_LEFT));
         if (! is_array($d) || ! isset($d[1])) {
             throw new InvalidArgumentException('Unable to get the private key');
         }
@@ -288,12 +305,24 @@ private static function p521PrivateKey(JWK $jwk): string
 
     private static function getKey(JWK $jwk): string
     {
-        $nistCurveSize = self::getNistCurveSize($jwk->get('crv'));
+        $crv = $jwk->get('crv');
+        if (! is_string($crv)) {
+            throw new InvalidArgumentException('Unable to get the curve');
+        }
+        $nistCurveSize = self::getNistCurveSize($crv);
         $length = (int) ceil($nistCurveSize / 8);
+        $x = $jwk->get('x');
+        if (! is_string($x)) {
+            throw new InvalidArgumentException('Unable to get the public key');
+        }
+        $y = $jwk->get('y');
+        if (! is_string($y)) {
+            throw new InvalidArgumentException('Unable to get the public key');
+        }
 
         return
             "\04"
-            . str_pad(Base64UrlSafe::decode($jwk->get('x')), $length, "\0", STR_PAD_LEFT)
-            . str_pad(Base64UrlSafe::decode($jwk->get('y')), $length, "\0", STR_PAD_LEFT);
+            . str_pad(Base64UrlSafe::decode($x), $length, "\0", STR_PAD_LEFT)
+            . str_pad(Base64UrlSafe::decode($y), $length, "\0", STR_PAD_LEFT);
     }
 }

src/Component/Core/Util/KeyChecker.php

@@ -7,6 +7,7 @@
 use function in_array;
 use InvalidArgumentException;
 use function is_array;
+use function is_string;
 use Jose\Component\Core\JWK;
 
 /**
@@ -29,8 +30,12 @@ public static function checkKeyAlgorithm(JWK $key, string $algorithm): void
         if (! $key->has('alg')) {
             return;
         }
-        if ($key->get('alg') !== $algorithm) {
-            throw new InvalidArgumentException(sprintf('Key is only allowed for algorithm "%s".', $key->get('alg')));
+        $alg = $key->get('alg');
+        if (! is_string($alg)) {
+            throw new InvalidArgumentException('Invalid algorithm.');
+        }
+        if ($alg !== $algorithm) {
+            throw new InvalidArgumentException(sprintf('Key is only allowed for algorithm "%s".', $alg));
         }
     }
 

src/Component/Encryption/JWEBuilder.php

@@ -7,6 +7,7 @@
 use function array_key_exists;
 use function count;
 use InvalidArgumentException;
+use function is_string;
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\JsonConverter;
@@ -450,8 +451,12 @@ private function determineCEK(array &$additionalHeader): string
                 if ($key->get('kty') !== 'oct') {
                     throw new RuntimeException('Wrong key type.');
                 }
+                $k = $key->get('k');
+                if (! is_string($k)) {
+                    throw new RuntimeException('Invalid key.');
+                }
 
-                return Base64UrlSafe::decode($key->get('k'));
+                return Base64UrlSafe::decode($k);
 
             default:
                 throw new InvalidArgumentException(sprintf(

src/Component/KeyManagement/Analyzer/ES256KeyAnalyzer.php

@@ -4,6 +4,9 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
+use Jose\Component\Core\Util\Ecc\Curve;
+use Jose\Component\Core\Util\Ecc\NistCurve;
+
 final class ES256KeyAnalyzer extends ESKeyAnalyzer
 {
     protected function getAlgorithmName(): string
@@ -16,6 +19,11 @@ protected function getCurveName(): string
         return 'P-256';
     }
 
+    protected function getCurve(): Curve
+    {
+        return NistCurve::curve256();
+    }
+
     protected function getKeySize(): int
     {
         return 256;

src/Component/KeyManagement/Analyzer/ES384KeyAnalyzer.php

@@ -4,6 +4,9 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
+use Jose\Component\Core\Util\Ecc\Curve;
+use Jose\Component\Core\Util\Ecc\NistCurve;
+
 final class ES384KeyAnalyzer extends ESKeyAnalyzer
 {
     protected function getAlgorithmName(): string
@@ -16,6 +19,11 @@ protected function getCurveName(): string
         return 'P-384';
     }
 
+    protected function getCurve(): Curve
+    {
+        return NistCurve::curve384();
+    }
+
     protected function getKeySize(): int
     {
         return 384;

src/Component/KeyManagement/Analyzer/ES512KeyAnalyzer.php

@@ -4,6 +4,9 @@
 
 namespace Jose\Component\KeyManagement\Analyzer;
 
+use Jose\Component\Core\Util\Ecc\Curve;
+use Jose\Component\Core\Util\Ecc\NistCurve;
+
 final class ES512KeyAnalyzer extends ESKeyAnalyzer
 {
     protected function getAlgorithmName(): string
@@ -16,8 +19,13 @@ protected function getCurveName(): string
         return 'P-521';
     }
 
+    protected function getCurve(): Curve
+    {
+        return NistCurve::curve521();
+    }
+
     protected function getKeySize(): int
     {
-        return 512; //528
+        return 528;
     }
 }

src/Component/KeyManagement/Analyzer/ESKeyAnalyzer.php

@@ -7,6 +7,7 @@
 use Brick\Math\BigInteger;
 use function is_string;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\Ecc\Curve;
 use Jose\Component\Core\Util\Ecc\NistCurve;
 use ParagonIE\ConstantTime\Base64UrlSafe;
 use RuntimeException;
@@ -22,9 +23,6 @@ public function __construct()
 
     public function analyze(JWK $jwk, MessageBag $bag): void
     {
-        if (! $jwk->has('alg') || $jwk->get('alg') !== $this->getAlgorithmName()) {
-            return;
-        }
         if ($jwk->get('kty') !== 'EC') {
             return;
         }
@@ -62,8 +60,7 @@ public function analyze(JWK $jwk, MessageBag $bag): void
         }
         $xBI = BigInteger::fromBase(bin2hex($x), 16);
         $yBI = BigInteger::fromBase(bin2hex($y), 16);
-        $curve = NistCurve::curve256();
-        if (! $curve->contains($xBI, $yBI)) {
+        if (! $this->getCurve()->contains($xBI, $yBI)) {
             $bag->add(Message::high('Invalid key. The point is not on the curve.'));
         }
     }
@@ -72,5 +69,7 @@ abstract protected function getAlgorithmName(): string;
 
     abstract protected function getCurveName(): string;
 
+    abstract protected function getCurve(): Curve;
+
     abstract protected function getKeySize(): int;
 }

tests/Component/KeyManagement/JWKAnalyzerTest.php

@@ -6,12 +6,19 @@
 
 use Jose\Component\Core\JWK;
 use Jose\Component\KeyManagement\Analyzer\AlgorithmAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\ES256KeyAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\ES384KeyAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\ES512KeyAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\HS256KeyAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\HS384KeyAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\HS512KeyAnalyzer;
 use Jose\Component\KeyManagement\Analyzer\KeyAnalyzerManager;
 use Jose\Component\KeyManagement\Analyzer\KeyIdentifierAnalyzer;
 use Jose\Component\KeyManagement\Analyzer\NoneAnalyzer;
 use Jose\Component\KeyManagement\Analyzer\OctAnalyzer;
 use Jose\Component\KeyManagement\Analyzer\RsaAnalyzer;
 use Jose\Component\KeyManagement\Analyzer\UsageAnalyzer;
+use Jose\Component\KeyManagement\Analyzer\ZxcvbnKeyAnalyzer;
 use Jose\Component\KeyManagement\JWKFactory;
 use PHPUnit\Framework\TestCase;
 
@@ -89,16 +96,39 @@ public function iCanAnalyzeAnOctKeyAndGetMessages(): void
         static::assertNotEmpty($messages);
     }
 
+    /**
+     * @test
+     */
+    public function iCanAnalyzeAnES521OctKeyAndGetMessages(): void
+    {
+        $key = JWKFactory::createECKey('P-521', [
+            'kid' => '0123456789',
+            'alg' => 'HS256',
+            'use' => 'sig',
+        ]);
+        $messages = $this->getKeyAnalyzer()
+            ->analyze($key)
+        ;
+        static::assertEmpty($messages);
+    }
+
     private function getKeyAnalyzer(): KeyAnalyzerManager
     {
         if ($this->keyAnalyzerManager === null) {
             $this->keyAnalyzerManager = new KeyAnalyzerManager();
             $this->keyAnalyzerManager->add(new AlgorithmAnalyzer());
+            $this->keyAnalyzerManager->add(new ES256KeyAnalyzer());
+            $this->keyAnalyzerManager->add(new ES384KeyAnalyzer());
+            $this->keyAnalyzerManager->add(new ES512KeyAnalyzer());
+            $this->keyAnalyzerManager->add(new HS256KeyAnalyzer());
+            $this->keyAnalyzerManager->add(new HS384KeyAnalyzer());
+            $this->keyAnalyzerManager->add(new HS512KeyAnalyzer());
             $this->keyAnalyzerManager->add(new KeyIdentifierAnalyzer());
             $this->keyAnalyzerManager->add(new NoneAnalyzer());
             $this->keyAnalyzerManager->add(new OctAnalyzer());
             $this->keyAnalyzerManager->add(new RsaAnalyzer());
             $this->keyAnalyzerManager->add(new UsageAnalyzer());
+            $this->keyAnalyzerManager->add(new ZxcvbnKeyAnalyzer());
         }
 
         return $this->keyAnalyzerManager;