Firebase\JWT\JWK Class Reference

Collaboration diagram for Firebase\JWT\JWK:

Static Public Member Functions
static	parseKeySet (array $jwks, string $defaultAlg=null)
	Parse a set of JWK keys. More...
static	parseKey (array $jwk, string $defaultAlg=null)
	Parse a JWK key. More...

Static Private Member Functions
static	createPemFromCrvAndXYCoordinates (string $crv, string $x, string $y)
	Converts the EC JWK values to pem format. More...
static	createPemFromModulusAndExponent (string $n, string $e)
	Create a public key represented in PEM format from RSA modulus and exponent information. More...
static	encodeLength (int $length)
	DER-encode the length. More...
static	encodeDER (int $type, string $value)
	Encodes a value into a DER object. More...
static	encodeOID (string $oid)
	Encodes a string into a DER-encoded OID. More...

Private Attributes
const	OID = '1.2.840.10045.2.1'
const	ASN1_OBJECT_IDENTIFIER = 0x06
const	ASN1_SEQUENCE = 0x10
const	ASN1_BIT_STRING = 0x03
const	EC_CURVES
const	OKP_SUBTYPES

Detailed Description

Definition at line 21 of file JWK.php.

Member Function Documentation

createPemFromCrvAndXYCoordinates()

static Firebase\JWT\JWK::createPemFromCrvAndXYCoordinates ( string  $crv, string  $x, string  $y  )

staticprivate

Converts the EC JWK values to pem format.

Parameters

string	$crv	The EC curve (only P-256 & P-384 is supported)
string	$x	The EC x-coordinate
string	$y	The EC y-coordinate

Returns

string

Definition at line 191 of file JWK.php.

                                                                                               : string
    {
        $pem =
            self::encodeDER(
                self::ASN1_SEQUENCE,
                self::encodeDER(
                    self::ASN1_SEQUENCE,
                    self::encodeDER(
                        self::ASN1_OBJECT_IDENTIFIER,
                        self::encodeOID(self::OID)
                    )
                    . self::encodeDER(
                        self::ASN1_OBJECT_IDENTIFIER,
                        self::encodeOID(self::EC_CURVES[$crv])
                    )
                ) .
                self::encodeDER(
                    self::ASN1_BIT_STRING,
                    \chr(0x00) . \chr(0x04)
                    . JWT::urlsafeB64Decode($x)
                    . JWT::urlsafeB64Decode($y)
                )
            );
 
        return sprintf(
            "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n",
            wordwrap(base64_encode($pem), 64, "\n", true)
        );
    }

References Firebase\JWT\JWK\encodeDER(), and Firebase\JWT\JWT\urlsafeB64Decode().

Referenced by Firebase\JWT\JWK\parseKey().

Here is the call graph for this function:

Here is the caller graph for this function:

createPemFromModulusAndExponent()

static Firebase\JWT\JWK::createPemFromModulusAndExponent ( string  $n, string  $e  )

staticprivate

Create a public key represented in PEM format from RSA modulus and exponent information.

Parameters

string	$n	The RSA modulus encoded in Base64
string	$e	The RSA exponent encoded in Base64

Returns

string The RSA public key represented in PEM format

@uses encodeLength

Definition at line 231 of file JWK.php.

     : string {
        $mod = JWT::urlsafeB64Decode($n);
        $exp = JWT::urlsafeB64Decode($e);
 
        $modulus = \pack('Ca*a*', 2, self::encodeLength(\strlen($mod)), $mod);
        $publicExponent = \pack('Ca*a*', 2, self::encodeLength(\strlen($exp)), $exp);
 
        $rsaPublicKey = \pack(
            'Ca*a*a*',
            48,
            self::encodeLength(\strlen($modulus) + \strlen($publicExponent)),
            $modulus,
            $publicExponent
        );
 
        // sequence(oid(1.2.840.113549.1.1.1), null)) = rsaEncryption.
        $rsaOID = \pack('H*', '300d06092a864886f70d0101010500'); // hex version of MA0GCSqGSIb3DQEBAQUA
        $rsaPublicKey = \chr(0) . $rsaPublicKey;
        $rsaPublicKey = \chr(3) . self::encodeLength(\strlen($rsaPublicKey)) . $rsaPublicKey;
 
        $rsaPublicKey = \pack(
            'Ca*a*',
            48,
            self::encodeLength(\strlen($rsaOID . $rsaPublicKey)),
            $rsaOID . $rsaPublicKey
        );
 
        return "-----BEGIN PUBLIC KEY-----\r\n" .
            \chunk_split(\base64_encode($rsaPublicKey), 64) .
            '-----END PUBLIC KEY-----';
    }

Referenced by Firebase\JWT\JWK\parseKey().

Here is the caller graph for this function:

encodeDER()

static Firebase\JWT\JWK::encodeDER ( int  $type, string  $value  )

staticprivate

Encodes a value into a DER object.

Also defined in Firebase\JWT\JWT

Parameters

int	$type	DER tag
string	$value	the value to encode

Returns

string the encoded object

Definition at line 294 of file JWK.php.

                                                               : string
    {
        $tag_header = 0;
        if ($type === self::ASN1_SEQUENCE) {
            $tag_header |= 0x20;
        }
 
        // Type
        $der = \chr($tag_header | $type);
 
        // Length
        $der .= \chr(\strlen($value));
 
        return $der . $value;
    }

References $type.

Referenced by Firebase\JWT\JWK\createPemFromCrvAndXYCoordinates().

Here is the caller graph for this function:

encodeLength()

static Firebase\JWT\JWK::encodeLength ( int  $length )

staticprivate

DER-encode the length.

DER supports lengths up to (2**8)**127, however, we'll only support lengths up to (2**8)**4. See X.690 paragraph 8.1.3 for more information.

Parameters

int

$length

Returns

string

Definition at line 275 of file JWK.php.

                                                     : string
    {
        if ($length <= 0x7F) {
            return \chr($length);
        }
 
        $temp = \ltrim(\pack('N', $length), \chr(0));
 
        return \pack('Ca*', 0x80 | \strlen($temp), $temp);
    }

encodeOID()

static Firebase\JWT\JWK::encodeOID ( string  $oid )

staticprivate

Encodes a string into a DER-encoded OID.

Parameters

string

$oid

the OID string

Returns

string the binary DER-encoded OID

Definition at line 316 of file JWK.php.

                                                  : string
    {
        $octets = explode('.', $oid);
 
        // Get the first octet
        $first = (int) array_shift($octets);
        $second = (int) array_shift($octets);
        $oid = \chr($first * 40 + $second);
 
        // Iterate over subsequent octets
        foreach ($octets as $octet) {
            if ($octet == 0) {
                $oid .= \chr(0x00);
                continue;
            }
            $bin = '';
 
            while ($octet) {
                $bin .= \chr(0x80 | ($octet & 0x7f));
                $octet >>= 7;
            }
            $bin[0] = $bin[0] & \chr(0x7f);
 
            // Convert to big endian if necessary
            if (pack('V', 65534) == pack('L', 65534)) {
                $oid .= strrev($bin);
            } else {
                $oid .= $bin;
            }
        }
 
        return $oid;
    }

References ILIAS\Repository\int().

Here is the call graph for this function:

parseKey()

static Firebase\JWT\JWK::parseKey ( array  $jwk, string  $defaultAlg = null  )

static

Parse a JWK key.

Parameters

	array<mixed>	$jwk An individual JWK
string	$defaultAlg	The algorithm for the Key object if "alg" is not set in the JSON Web Key Set

Returns

Key The key object for the JWK

Exceptions

InvalidArgumentException	Provided JWK is empty
UnexpectedValueException	Provided JWK was invalid
DomainException	OpenSSL failure

@uses createPemFromModulusAndExponent

Definition at line 96 of file JWK.php.

                                                                          : ?Key
    {
        if (empty($jwk)) {
            throw new InvalidArgumentException('JWK must not be empty');
        }
 
        if (!isset($jwk['kty'])) {
            throw new UnexpectedValueException('JWK must contain a "kty" parameter');
        }
 
        if (!isset($jwk['alg'])) {
            if (\is_null($defaultAlg)) {
                // The "alg" parameter is optional in a KTY, but an algorithm is required
                // for parsing in this library. Use the $defaultAlg parameter when parsing the
                // key set in order to prevent this error.
                // @see https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
                throw new UnexpectedValueException('JWK must contain an "alg" parameter');
            }
            $jwk['alg'] = $defaultAlg;
        }
 
        switch ($jwk['kty']) {
            case 'RSA':
                if (!empty($jwk['d'])) {
                    throw new UnexpectedValueException('RSA private keys are not supported');
                }
                if (!isset($jwk['n']) || !isset($jwk['e'])) {
                    throw new UnexpectedValueException('RSA keys must contain values for both "n" and "e"');
                }
 
                $pem = self::createPemFromModulusAndExponent($jwk['n'], $jwk['e']);
                $publicKey = \openssl_pkey_get_public($pem);
                if (false === $publicKey) {
                    throw new DomainException(
                        'OpenSSL error: ' . \openssl_error_string()
                    );
                }
                return new Key($publicKey, $jwk['alg']);
            case 'EC':
                if (isset($jwk['d'])) {
                    // The key is actually a private key
                    throw new UnexpectedValueException('Key data must be for a public key');
                }
 
                if (empty($jwk['crv'])) {
                    throw new UnexpectedValueException('crv not set');
                }
 
                if (!isset(self::EC_CURVES[$jwk['crv']])) {
                    throw new DomainException('Unrecognised or unsupported EC curve');
                }
 
                if (empty($jwk['x']) || empty($jwk['y'])) {
                    throw new UnexpectedValueException('x and y not set');
                }
 
                $publicKey = self::createPemFromCrvAndXYCoordinates($jwk['crv'], $jwk['x'], $jwk['y']);
                return new Key($publicKey, $jwk['alg']);
            case 'OKP':
                if (isset($jwk['d'])) {
                    // The key is actually a private key
                    throw new UnexpectedValueException('Key data must be for a public key');
                }
 
                if (!isset($jwk['crv'])) {
                    throw new UnexpectedValueException('crv not set');
                }
 
                if (empty(self::OKP_SUBTYPES[$jwk['crv']])) {
                    throw new DomainException('Unrecognised or unsupported OKP key subtype');
                }
 
                if (empty($jwk['x'])) {
                    throw new UnexpectedValueException('x not set');
                }
 
                // This library works internally with EdDSA keys (Ed25519) encoded in standard base64.
                $publicKey = JWT::convertBase64urlToBase64($jwk['x']);
                return new Key($publicKey, $jwk['alg']);
            default:
                break;
        }
 
        return null;
    }

References Firebase\JWT\JWK\createPemFromCrvAndXYCoordinates(), and Firebase\JWT\JWK\createPemFromModulusAndExponent().

Referenced by Firebase\JWT\CachedKeySet\offsetGet(), and ILIAS\LTI\ToolProvider\Jwt\FirebaseClient\parseKeySet().

Here is the call graph for this function:

Here is the caller graph for this function:

parseKeySet()

static Firebase\JWT\JWK::parseKeySet ( array  $jwks, string  $defaultAlg = null  )

static

Parse a set of JWK keys.

Parameters

	array<mixed>	$jwks The JSON Web Key Set as an associative array
string	$defaultAlg	The algorithm for the Key object if "alg" is not set in the JSON Web Key Set

Returns

array<string, Key> An associative array of key IDs (kid) to Key objects

Exceptions

InvalidArgumentException	Provided JWK Set is empty
UnexpectedValueException	Provided JWK Set was invalid
DomainException	OpenSSL failure

@uses parseKey

Definition at line 55 of file JWK.php.

                                                                              : array
    {
        $keys = [];
 
        if (!isset($jwks['keys'])) {
            throw new UnexpectedValueException('"keys" member must exist in the JWK Set');
        }
 
        if (empty($jwks['keys'])) {
            throw new InvalidArgumentException('JWK Set did not contain any keys');
        }
 
        foreach ($jwks['keys'] as $k => $v) {
            $kid = isset($v['kid']) ? $v['kid'] : $k;
            if ($key = self::parseKey($v, $defaultAlg)) {
                $keys[(string) $kid] = $key;
            }
        }
 
        if (0 === \count($keys)) {
            throw new UnexpectedValueException('No supported algorithms found in JWK Set');
        }
 
        return $keys;
    }

References ILIAS\LTI\ToolProvider\$key, $keys, and ILIAS\LTI\ToolProvider\$kid.

Referenced by ilObjLTIConsumerGUI\saveContentSelection().

Here is the caller graph for this function:

Field Documentation

ASN1_BIT_STRING

const Firebase\JWT\JWK::ASN1_BIT_STRING = 0x03

private

Definition at line 26 of file JWK.php.

ASN1_OBJECT_IDENTIFIER

const Firebase\JWT\JWK::ASN1_OBJECT_IDENTIFIER = 0x06

private

Definition at line 24 of file JWK.php.

ASN1_SEQUENCE

const Firebase\JWT\JWK::ASN1_SEQUENCE = 0x10

private

Definition at line 25 of file JWK.php.

EC_CURVES

const Firebase\JWT\JWK::EC_CURVES

private

Initial value:

= [
        'P-256' => '1.2.840.10045.3.1.7', 
        'secp256k1' => '1.3.132.0.10', 
        'P-384' => '1.3.132.0.34', 
        
    ]

Definition at line 27 of file JWK.php.

OID

const Firebase\JWT\JWK::OID = '1.2.840.10045.2.1'

private

Definition at line 23 of file JWK.php.

OKP_SUBTYPES

const Firebase\JWT\JWK::OKP_SUBTYPES

private

Initial value:

= [
        'Ed25519' => true, 
    ]

Definition at line 36 of file JWK.php.

---

The documentation for this class was generated from the following file:

• Services/LTI/src/Firebase/JWK.php