jose-php's People

Contributors

ledmonster, nov, peter-svintsitskyi, sasezaki, vincib

jose-php's Issues

Consider removing composer.phar

Hello,
I noticed that you include composer.phar with the rest of the files. This causes complications when including this package because a lot of developers already have composer installed somewhere else and within our IDE (PHPStorm), it's registering two files that now define \Command. I would suggest removing this file and just let people use the one they have installed.

The library unconditionally adds JWE header as additional authenticated data

Hi!

I'm having problems interoperating with other libraries when validating the authentication tag. More specifically, if a JWE is generated including no additional authenticated data, the library will unconditionally add the JWE header to it in JWE::calculateAuthenticationTagCBC(). This code affects mainly the generation of JWE tokens themselves. When decrypting JWE tokens generated with other libraries, the JWT class will add the header to $jwe->auth_data in JWT::decode().

AFAICS, there's nothing in the drafts saying that the header should be always included in the additional authenticated data, and if it was the case, then it should be the user the one setting it before calling JWE::decrypt(). At least when the AAD is not mandated to be in some way in the standard (like with AES_GCM), I think the library should be completely agnostic, and handling of auth data is out of its scope.

Thanks in advance!
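
For comparing authentication tags between libraries, the following added example (not jose-php code and not part of the issue above) computes the AES_CBC_HMAC_SHA2 tag as defined in RFC 7518, section 5.2.2.1, with the AAD passed in explicitly. For the compact serialization, RFC 7516 defines the AAD as the ASCII bytes of the base64url-encoded protected header. The function names and all sample values are constructed for this example.

```php
<?php
// Added example, not jose-php code. Computes the AES_CBC_HMAC_SHA2
// authentication tag (RFC 7518, section 5.2.2.1) with caller-supplied AAD,
// so the tags produced by two libraries can be compared byte for byte.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// $enc is 'A128CBC-HS256', 'A192CBC-HS384' or 'A256CBC-HS512'.
function cbc_hs_tag(string $enc, string $cek, string $aad, string $iv, string $ciphertext): string {
    $params = [
        'A128CBC-HS256' => ['sha256', 16],
        'A192CBC-HS384' => ['sha384', 24],
        'A256CBC-HS512' => ['sha512', 32],
    ];
    if (!isset($params[$enc])) {
        throw new InvalidArgumentException("unsupported enc: $enc");
    }
    [$hash, $half] = $params[$enc];
    if (strlen($cek) !== 2 * $half) {
        throw new InvalidArgumentException("CEK has the wrong length for $enc");
    }
    $mac_key = substr($cek, 0, $half);   // first half of the CEK is the MAC key
    $al = pack('J', strlen($aad) * 8);   // AAD length in bits, 64-bit big-endian
    $mac = hash_hmac($hash, $aad . $iv . $ciphertext . $al, $mac_key, true);
    return substr($mac, 0, $half);       // tag is the first half of the HMAC output
}

// Constructed sample values (not a real token).
$header     = '{"alg":"RSA1_5","enc":"A128CBC-HS256"}';
$cek        = str_repeat("\x01", 32);
$iv         = str_repeat("\x02", 16);
$ciphertext = str_repeat("\x03", 32);

// Compact serialization per RFC 7516: AAD = ASCII(BASE64URL(protected header)).
$tag_with_header = cbc_hs_tag('A128CBC-HS256', $cek, b64url($header), $iv, $ciphertext);
// Tag a peer would produce if it authenticated an empty AAD.
$tag_empty_aad   = cbc_hs_tag('A128CBC-HS256', $cek, '', $iv, $ciphertext);

echo 'header as AAD: ', b64url($tag_with_header), PHP_EOL;
echo 'empty AAD:     ', b64url($tag_empty_aad), PHP_EOL;
var_dump(hash_equals($tag_with_header, $tag_empty_aad));
```

Comparing both tags against the one carried in a received token shows which AAD the sending library authenticated.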

Any plans to implement claims verification and additional signature types?

According to https://jwt.io/ and my own testing, this library does not check the JWT claims (issued by, expires etc.), only the signature. It also doesn't support ES256, 384 and 512 (I don't personally need these).

Are there plans to add this functionality or deprecate this library in favour of others?
I think it is worth doing since your library is small and some others have many dependencies (and others don't support all the verification either!).

I am happy to help with some of this but you might already have decided not to do this?
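
As an added example (not jose-php code and not part of the issue above), this is one way an application can check the registered claims itself once the signature has been verified. The `check_claims()` function, the `$expected` keys and the sample claims are hypothetical names and constructed values; requiring `exp` is a policy choice of the example.

```php
<?php
// Added example, not jose-php code: checks registered claims (RFC 7519)
// on the claims array of a token whose signature has already been verified.

// check_claims() and the $expected keys are hypothetical names for this example.
function check_claims(array $claims, array $expected, int $now, int $leeway = 60): array {
    $errors = [];
    // NumericDate claims must be numbers; reject strings such as "1490273253".
    foreach (['exp', 'nbf', 'iat'] as $name) {
        if (isset($claims[$name]) && !is_int($claims[$name]) && !is_float($claims[$name])) {
            $errors[] = "$name is not numeric";
            unset($claims[$name]);
        }
    }
    // Requiring exp is a policy choice of this example; RFC 7519 makes it optional.
    if (!isset($claims['exp'])) {
        $errors[] = 'exp missing or invalid';
    } elseif ($now - $leeway >= $claims['exp']) {
        $errors[] = 'token expired';
    }
    if (isset($claims['nbf']) && $now + $leeway < $claims['nbf']) {
        $errors[] = 'token not yet valid';
    }
    if (($claims['iss'] ?? null) !== $expected['iss']) {
        $errors[] = 'unexpected issuer';
    }
    // aud may be a single string or an array of strings.
    if (!in_array($expected['aud'], (array)($claims['aud'] ?? []), true)) {
        $errors[] = 'audience mismatch';
    }
    return $errors; // an empty array means every check passed
}

// Constructed sample claims (not from a real token).
$claims   = ['iss' => 'https://idp.example', 'aud' => ['my-client'], 'exp' => 1490273253];
$expected = ['iss' => 'https://idp.example', 'aud' => 'my-client'];

print_r(check_claims($claims, $expected, 1490273000)); // evaluated before exp
print_r(check_claims($claims, $expected, 1490274000)); // evaluated well after exp
print_r(check_claims(['exp' => '1490273253'], $expected, 1490273000)); // malformed claims
```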

Documentation suggestion

Great library, just a small dipnote, in the encrypt decrypt section you briefly give an example:

    $jwt_string = 'eyJ...';
    $jwe = JOSE_JWT::decode($jwt_string);
    $jwe->decrypt($private_key);

Once I inspect the object with var_dump after calling decrypt, I could see that the real payload is inside "plain_text" key, like this:

    echo $jwe->plain_text;

It would be great if you could add that to the documentation.

signature validation

JOSE_JWT Object ( [header] => Array ( [typ] => JWT [alg] => RS512 ) [claims] => Array ( [partner] => ***** [exp] => 1490273253 [email] => ******* ) [signature] => ٜ��O8�L�p@8����w�r�~E�v�E�_�)�,X�B"�B��#z����5���f��\�����]�q�8����e8}�u;?id�������"��9�f���E����;��$f��,/�}���?���� ��=ݖk��N0��d��G ]F��M�TV6��j�1�G-�i�Wzϥ����{�1��Y2��L� ��5�q?C; �(m��n(5���&�ҹ�@���L�}�|���=~>��D�ަ���3�鄎�oZ�T��*- (�v��-������ [raw] => eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJwYXJ0bmVyIjoidW5vY29pbiIsImV4cCI6MTQ5MDI3MzI1MywiZW1haWwiOiJ1bm9jb2luQHNwcm92b29zdC5ubCJ9.2ZygmU84yEzicEA4 .................... )

What is this signature, and how do I convert it? Please suggest.

Master Key Encryption failed

Hello,

When I use the library to create a JWE string with a symmetric AES key, I get an error:
Fatal error: Uncaught exception 'JOSE_Exception_EncryptionFailed' with message 'Master key encryption failed' in C:\xampp\htdocs\jwe\src\JOSE\JWE.php:170 Stack trace: #0 C:\xampp\htdocs\jwe\src\JOSE\JWE.php(39): JOSE_JWE->encryptContentEncryptionKey('xxxxx...') #1 C:\xampp\htdocs\jwe\app\jwe-test.php(26): JOSE_JWE->encrypt('xxxx...') #2 {main} thrown in C:\xampp\htdocs\jwe\src\JOSE\JWE.php on line 170

Here is the way I use the library:

    require dirname(__FILE__) . '/../vendor/autoload.php';

    // Configuration file; provides $client_secret.
    require("inc_idp.conf");
    $username = "";
    $passwd = "";

    // Payload to be encrypted.
    $plain_text = array(
        'type' => 'login_silent',
        'timestamp' => mktime(date('H'), date('i'), date('s'), date('m'), date('d'), date('Y')),
        'username' => $username,
        'password' => $passwd,
        'redirect' => 'https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'],
        'claims' => ['id','first_name','last_name','email']
    );

    $jwe = new JOSE_JWE($plain_text);
    $jwe->encrypt($client_secret, 'RSA-OAEP','A256GCM');
    echo $jwe->toString();

Do you know what's wrong with the key? Or is this key type not supported?

Regards

Dave

Changed version phpseclib 3

Error: Class 'phpseclib\Crypt\RSA' not found in JOSE_JWK->toKey() (line 23 of \vendor\gree\jose\src\JOSE\JWK.php).

Tag for PHP 5.4

This is likely related to #34.

We currently depend on 2.2.0 but only 2.2.1 is available and it requires PHP 5.6. Since we are constrained to using pure RHEL, we only have PHP 5.4 available. Would you tag 2.2.0 (a7fa2b3) again so we can keep using it until Red Hat, someday, decides it's time to update PHP?

Thanks! :)

PS256/384/512 JWS test case signatures seem invalid

Hi,

PS256/384/512 JWS signatures in the test case can't be verified by the concluded public key.

  • test/JOSE/JWS_Test.php
    • testVerifyPS256
    • testVerifyPS384
    • testVerifyPS512
  • test/fixtures/public_key.pem

I tried to verify them by OpenSSL command and my JWS implementation in JavaScript
(https://github.com/kjur/jsjws).

If those test cases succeed, this implementation can't generate and verify PS signatures properly.

As for OpenSSL command validation, I also provide a small Perl script to verify JWS
(https://github.com/kjur/jwsverify.pl). This may help you to test your implementation
and check interoperability with other implementations.

Regards,

Broken phpseclib/phpseclib dependency

Hi!

The dependency on phpseclib/phpseclib is broken. They have just released 1.0.0 (which is fine), but also 2.0.0, which introduces namespaces and therefore breaks the jose library as it doesn't use namespaces for this dependency.

We've tested with 1.0.0 and it apparently works fine, so I would suggest changing the dependency to (but you may want to check that actually everything is working for you):

    "phpseclib/phpseclib": ">=0.3.5 <2.0.0"

I'd say it's quite urgent, since at the moment the library is completely broken for new installations.

Thanks!

JWS(Signing issue)

Hi,

I have tried signing, encryption and decryption using this library. Encryption and decryption are working fine. In my case I need to sign first and then encrypt, and here I am facing a problem with signing: I am not getting any signing result in raw=> . Could you help with the code below?

    // client private key
    $client_privateKey = file_get_contents('config/keys/client_private.key');

    $server_publicKey = file_get_contents('config/keys/server_public.key');
    
    $server_privateKey = file_get_contents('config/keys/server_private.key');
    
    $client_publicKey = file_get_contents('config/keys/client_public.key');
    
    $payload = array(
        "IssueTime " => "2020-04-06T09:45:43.567",
        "Issuer " => ORG_ID,
        "Payload" => $post_data
    );
    
    $json_encoded = json_encode($payload);        
    
    
    // JWS/signing
    $jwt = new JOSE_JWT($json_encoded);
    $jws = $jwt->sign($client_privateKey, 'RS256');
    
    echo "Signature client payload<br /><pre>\n";
    print_r($jws);
    echo "</pre>\n";

Composer can't find gree/jose

I am not sure if this is a problem on my end or not, but composer can't find gree/jose anymore since it was moved. Is this something to do with the fact that there are no branches anymore?

rquast@zion:~myproject$ composer require gree/jose

  [InvalidArgumentException]                                                                                                                 
  Could not find package gree/jose at any version for your minimum-stability (stable). Check the package spelling or your minimum-stability                                                                                                                                               
