sop / jwx

lib/JWX/JWK/Parameter/OtherPrimesInfoParameter.php

Indentation +10 added lines, -10 removed lines

@@ -12,15 +12,15 @@
  */
 class OtherPrimesInfoParameter extends JWKParameter
 {
-    use ArrayParameterValue;
+	use ArrayParameterValue;
     
-    /**
-     * Constructor.
-     *
-     * @param array[] ...$primes
-     */
-    public function __construct(...$primes)
-    {
-        parent::__construct(self::PARAM_OTHER_PRIMES_INFO, $primes);
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param array[] ...$primes
+	 */
+	public function __construct(...$primes)
+	{
+		parent::__construct(self::PARAM_OTHER_PRIMES_INFO, $primes);
+	}
 }

lib/JWX/JWT/JWT.php

Switch Indentation +8 added lines, -8 removed lines

@@ -66,14 +66,14 @@
     {
         $this->_parts = explode(".", $token);
         switch (count($this->_parts)) {
-            case 3:
-                $this->_type = self::TYPE_JWS;
-                break;
-            case 5:
-                $this->_type = self::TYPE_JWE;
-                break;
-            default:
-                throw new \UnexpectedValueException("Not a JWT token.");
+        case 3:
+            $this->_type = self::TYPE_JWS;
+            break;
+        case 5:
+            $this->_type = self::TYPE_JWE;
+            break;
+        default:
+            throw new \UnexpectedValueException("Not a JWT token.");
         }
     }
     

Indentation +390 added lines, -390 removed lines

@@ -26,418 +26,418 @@
  */
 class JWT
 {
-    /**
-     * Type identifier for the signed JWT.
-     *
-     * @internal
-     *
-     * @var int
-     */
-    const TYPE_JWS = 0;
+	/**
+	 * Type identifier for the signed JWT.
+	 *
+	 * @internal
+	 *
+	 * @var int
+	 */
+	const TYPE_JWS = 0;
     
-    /**
-     * Type identifier for the encrypted JWT.
-     *
-     * @internal
-     *
-     * @var int
-     */
-    const TYPE_JWE = 1;
+	/**
+	 * Type identifier for the encrypted JWT.
+	 *
+	 * @internal
+	 *
+	 * @var int
+	 */
+	const TYPE_JWE = 1;
     
-    /**
-     * JWT parts.
-     *
-     * @var string[] $_parts
-     */
-    protected $_parts;
+	/**
+	 * JWT parts.
+	 *
+	 * @var string[] $_parts
+	 */
+	protected $_parts;
     
-    /**
-     * JWT type.
-     *
-     * @var int $_type
-     */
-    protected $_type;
+	/**
+	 * JWT type.
+	 *
+	 * @var int $_type
+	 */
+	protected $_type;
     
-    /**
-     * Constructor.
-     *
-     * @param string $token JWT string
-     * @throws \UnexpectedValueException
-     */
-    public function __construct(string $token)
-    {
-        $this->_parts = explode(".", $token);
-        switch (count($this->_parts)) {
-            case 3:
-                $this->_type = self::TYPE_JWS;
-                break;
-            case 5:
-                $this->_type = self::TYPE_JWE;
-                break;
-            default:
-                throw new \UnexpectedValueException("Not a JWT token.");
-        }
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string $token JWT string
+	 * @throws \UnexpectedValueException
+	 */
+	public function __construct(string $token)
+	{
+		$this->_parts = explode(".", $token);
+		switch (count($this->_parts)) {
+			case 3:
+				$this->_type = self::TYPE_JWS;
+				break;
+			case 5:
+				$this->_type = self::TYPE_JWE;
+				break;
+			default:
+				throw new \UnexpectedValueException("Not a JWT token.");
+		}
+	}
     
-    /**
-     * Convert claims set to an unsecured JWT.
-     *
-     * Unsecured JWT is not signed nor encrypted neither integrity protected,
-     * and should thus be handled with care!
-     *
-     * @link https://tools.ietf.org/html/rfc7519#section-6
-     * @param Claims $claims Claims set
-     * @param Header|null $header Optional header
-     * @throws \RuntimeException For generic errors
-     * @return self
-     */
-    public static function unsecuredFromClaims(Claims $claims,
-        Header $header = null): self
-    {
-        return self::signedFromClaims($claims, new NoneAlgorithm(), $header);
-    }
+	/**
+	 * Convert claims set to an unsecured JWT.
+	 *
+	 * Unsecured JWT is not signed nor encrypted neither integrity protected,
+	 * and should thus be handled with care!
+	 *
+	 * @link https://tools.ietf.org/html/rfc7519#section-6
+	 * @param Claims $claims Claims set
+	 * @param Header|null $header Optional header
+	 * @throws \RuntimeException For generic errors
+	 * @return self
+	 */
+	public static function unsecuredFromClaims(Claims $claims,
+		Header $header = null): self
+	{
+		return self::signedFromClaims($claims, new NoneAlgorithm(), $header);
+	}
     
-    /**
-     * Convert claims set to a signed JWS token.
-     *
-     * @param Claims $claims Claims set
-     * @param SignatureAlgorithm $algo Signature algorithm
-     * @param Header|null $header Optional header
-     * @throws \RuntimeException For generic errors
-     * @return self
-     */
-    public static function signedFromClaims(Claims $claims,
-        SignatureAlgorithm $algo, Header $header = null): self
-    {
-        $payload = $claims->toJSON();
-        $jws = JWS::sign($payload, $algo, $header);
-        return new self($jws->toCompact());
-    }
+	/**
+	 * Convert claims set to a signed JWS token.
+	 *
+	 * @param Claims $claims Claims set
+	 * @param SignatureAlgorithm $algo Signature algorithm
+	 * @param Header|null $header Optional header
+	 * @throws \RuntimeException For generic errors
+	 * @return self
+	 */
+	public static function signedFromClaims(Claims $claims,
+		SignatureAlgorithm $algo, Header $header = null): self
+	{
+		$payload = $claims->toJSON();
+		$jws = JWS::sign($payload, $algo, $header);
+		return new self($jws->toCompact());
+	}
     
-    /**
-     * Convert claims set to an encrypted JWE token.
-     *
-     * @param Claims $claims Claims set
-     * @param KeyManagementAlgorithm $key_algo Key management algorithm
-     * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm
-     * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm
-     * @param Header|null $header Optional header
-     * @throws \RuntimeException For generic errors
-     * @return self
-     */
-    public static function encryptedFromClaims(Claims $claims,
-        KeyManagementAlgorithm $key_algo, ContentEncryptionAlgorithm $enc_algo,
-        CompressionAlgorithm $zip_algo = null, Header $header = null): self
-    {
-        $payload = $claims->toJSON();
-        $jwe = JWE::encrypt($payload, $key_algo, $enc_algo, $zip_algo, $header);
-        return new self($jwe->toCompact());
-    }
+	/**
+	 * Convert claims set to an encrypted JWE token.
+	 *
+	 * @param Claims $claims Claims set
+	 * @param KeyManagementAlgorithm $key_algo Key management algorithm
+	 * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm
+	 * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm
+	 * @param Header|null $header Optional header
+	 * @throws \RuntimeException For generic errors
+	 * @return self
+	 */
+	public static function encryptedFromClaims(Claims $claims,
+		KeyManagementAlgorithm $key_algo, ContentEncryptionAlgorithm $enc_algo,
+		CompressionAlgorithm $zip_algo = null, Header $header = null): self
+	{
+		$payload = $claims->toJSON();
+		$jwe = JWE::encrypt($payload, $key_algo, $enc_algo, $zip_algo, $header);
+		return new self($jwe->toCompact());
+	}
     
-    /**
-     * Get claims from the JWT.
-     *
-     * Claims shall be validated according to given validation context.
-     * Validation context must contain all the necessary keys for the signature
-     * validation and/or content decryption.
-     *
-     * If validation context contains only one key, it shall be used explicitly.
-     * If multiple keys are provided, they must contain a JWK ID parameter for
-     * the key identification.
-     *
-     * @param ValidationContext $ctx
-     * @throws ValidationException If signature is invalid, or decryption fails,
-     *         or claims validation fails.
-     * @throws \RuntimeException For generic errors
-     * @return Claims
-     */
-    public function claims(ValidationContext $ctx): Claims
-    {
-        // check signature or decrypt depending on the JWT type.
-        if ($this->isJWS()) {
-            $payload = self::_validatedPayloadFromJWS($this->JWS(), $ctx);
-        } else {
-            $payload = self::_validatedPayloadFromJWE($this->JWE(), $ctx);
-        }
-        // if JWT contains a nested token
-        if ($this->isNested()) {
-            return $this->_claimsFromNestedPayload($payload, $ctx);
-        }
-        // decode claims and validate
-        $claims = Claims::fromJSON($payload);
-        $ctx->validate($claims);
-        return $claims;
-    }
+	/**
+	 * Get claims from the JWT.
+	 *
+	 * Claims shall be validated according to given validation context.
+	 * Validation context must contain all the necessary keys for the signature
+	 * validation and/or content decryption.
+	 *
+	 * If validation context contains only one key, it shall be used explicitly.
+	 * If multiple keys are provided, they must contain a JWK ID parameter for
+	 * the key identification.
+	 *
+	 * @param ValidationContext $ctx
+	 * @throws ValidationException If signature is invalid, or decryption fails,
+	 *         or claims validation fails.
+	 * @throws \RuntimeException For generic errors
+	 * @return Claims
+	 */
+	public function claims(ValidationContext $ctx): Claims
+	{
+		// check signature or decrypt depending on the JWT type.
+		if ($this->isJWS()) {
+			$payload = self::_validatedPayloadFromJWS($this->JWS(), $ctx);
+		} else {
+			$payload = self::_validatedPayloadFromJWE($this->JWE(), $ctx);
+		}
+		// if JWT contains a nested token
+		if ($this->isNested()) {
+			return $this->_claimsFromNestedPayload($payload, $ctx);
+		}
+		// decode claims and validate
+		$claims = Claims::fromJSON($payload);
+		$ctx->validate($claims);
+		return $claims;
+	}
     
-    /**
-     * Sign self producing a nested JWT.
-     *
-     * Note that if JWT is to be signed and encrypted, it should be done in
-     * sign-then-encrypt order. Please refer to links for security information.
-     *
-     * @link https://tools.ietf.org/html/rfc7519#section-11.2
-     * @param SignatureAlgorithm $algo Signature algorithm
-     * @param Header|null $header Optional header
-     * @throws \RuntimeException For generic errors
-     * @return self
-     */
-    public function signNested(SignatureAlgorithm $algo, Header $header = null): self
-    {
-        if (!isset($header)) {
-            $header = new Header();
-        }
-        // add JWT content type parameter
-        $header = $header->withParameters(
-            new ContentTypeParameter(ContentTypeParameter::TYPE_JWT));
-        $jws = JWS::sign($this->token(), $algo, $header);
-        return new self($jws->toCompact());
-    }
+	/**
+	 * Sign self producing a nested JWT.
+	 *
+	 * Note that if JWT is to be signed and encrypted, it should be done in
+	 * sign-then-encrypt order. Please refer to links for security information.
+	 *
+	 * @link https://tools.ietf.org/html/rfc7519#section-11.2
+	 * @param SignatureAlgorithm $algo Signature algorithm
+	 * @param Header|null $header Optional header
+	 * @throws \RuntimeException For generic errors
+	 * @return self
+	 */
+	public function signNested(SignatureAlgorithm $algo, Header $header = null): self
+	{
+		if (!isset($header)) {
+			$header = new Header();
+		}
+		// add JWT content type parameter
+		$header = $header->withParameters(
+			new ContentTypeParameter(ContentTypeParameter::TYPE_JWT));
+		$jws = JWS::sign($this->token(), $algo, $header);
+		return new self($jws->toCompact());
+	}
     
-    /**
-     * Encrypt self producing a nested JWT.
-     *
-     * This JWT should be a JWS, that is, the order of nesting should be
-     * sign-then-encrypt.
-     *
-     * @link https://tools.ietf.org/html/rfc7519#section-11.2
-     * @param KeyManagementAlgorithm $key_algo Key management algorithm
-     * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm
-     * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm
-     * @param Header|null $header Optional header
-     * @throws \RuntimeException For generic errors
-     * @return self
-     */
-    public function encryptNested(KeyManagementAlgorithm $key_algo,
-        ContentEncryptionAlgorithm $enc_algo,
-        CompressionAlgorithm $zip_algo = null, Header $header = null): self
-    {
-        if (!isset($header)) {
-            $header = new Header();
-        }
-        // add JWT content type parameter
-        $header = $header->withParameters(
-            new ContentTypeParameter(ContentTypeParameter::TYPE_JWT));
-        $jwe = JWE::encrypt($this->token(), $key_algo, $enc_algo, $zip_algo,
-            $header);
-        return new self($jwe->toCompact());
-    }
+	/**
+	 * Encrypt self producing a nested JWT.
+	 *
+	 * This JWT should be a JWS, that is, the order of nesting should be
+	 * sign-then-encrypt.
+	 *
+	 * @link https://tools.ietf.org/html/rfc7519#section-11.2
+	 * @param KeyManagementAlgorithm $key_algo Key management algorithm
+	 * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm
+	 * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm
+	 * @param Header|null $header Optional header
+	 * @throws \RuntimeException For generic errors
+	 * @return self
+	 */
+	public function encryptNested(KeyManagementAlgorithm $key_algo,
+		ContentEncryptionAlgorithm $enc_algo,
+		CompressionAlgorithm $zip_algo = null, Header $header = null): self
+	{
+		if (!isset($header)) {
+			$header = new Header();
+		}
+		// add JWT content type parameter
+		$header = $header->withParameters(
+			new ContentTypeParameter(ContentTypeParameter::TYPE_JWT));
+		$jwe = JWE::encrypt($this->token(), $key_algo, $enc_algo, $zip_algo,
+			$header);
+		return new self($jwe->toCompact());
+	}
     
-    /**
-     * Whether JWT is a JWS.
-     *
-     * @return bool
-     */
-    public function isJWS(): bool
-    {
-        return $this->_type == self::TYPE_JWS;
-    }
+	/**
+	 * Whether JWT is a JWS.
+	 *
+	 * @return bool
+	 */
+	public function isJWS(): bool
+	{
+		return $this->_type == self::TYPE_JWS;
+	}
     
-    /**
-     * Get JWT as a JWS.
-     *
-     * @throws \LogicException
-     * @return JWS
-     */
-    public function JWS(): JWS
-    {
-        if (!$this->isJWS()) {
-            throw new \LogicException("Not a JWS.");
-        }
-        return JWS::fromParts($this->_parts);
-    }
+	/**
+	 * Get JWT as a JWS.
+	 *
+	 * @throws \LogicException
+	 * @return JWS
+	 */
+	public function JWS(): JWS
+	{
+		if (!$this->isJWS()) {
+			throw new \LogicException("Not a JWS.");
+		}
+		return JWS::fromParts($this->_parts);
+	}
     
-    /**
-     * Whether JWT is a JWE.
-     *
-     * @return bool
-     */
-    public function isJWE(): bool
-    {
-        return $this->_type == self::TYPE_JWE;
-    }
+	/**
+	 * Whether JWT is a JWE.
+	 *
+	 * @return bool
+	 */
+	public function isJWE(): bool
+	{
+		return $this->_type == self::TYPE_JWE;
+	}
     
-    /**
-     * Get JWT as a JWE.
-     *
-     * @throws \LogicException
-     * @return JWE
-     */
-    public function JWE(): JWE
-    {
-        if (!$this->isJWE()) {
-            throw new \LogicException("Not a JWE.");
-        }
-        return JWE::fromParts($this->_parts);
-    }
+	/**
+	 * Get JWT as a JWE.
+	 *
+	 * @throws \LogicException
+	 * @return JWE
+	 */
+	public function JWE(): JWE
+	{
+		if (!$this->isJWE()) {
+			throw new \LogicException("Not a JWE.");
+		}
+		return JWE::fromParts($this->_parts);
+	}
     
-    /**
-     * Check whether JWT contains another nested JWT.
-     *
-     * @return bool
-     */
-    public function isNested(): bool
-    {
-        $header = $this->header();
-        if (!$header->hasContentType()) {
-            return false;
-        }
-        $cty = $header->contentType()->value();
-        if ($cty != ContentTypeParameter::TYPE_JWT) {
-            return false;
-        }
-        return true;
-    }
+	/**
+	 * Check whether JWT contains another nested JWT.
+	 *
+	 * @return bool
+	 */
+	public function isNested(): bool
+	{
+		$header = $this->header();
+		if (!$header->hasContentType()) {
+			return false;
+		}
+		$cty = $header->contentType()->value();
+		if ($cty != ContentTypeParameter::TYPE_JWT) {
+			return false;
+		}
+		return true;
+	}
     
-    /**
-     * Check whether JWT is unsecured, that is, it's neither integrity protected
-     * nor encrypted.
-     *
-     * @return bool
-     */
-    public function isUnsecured(): bool
-    {
-        // encrypted JWT shall be considered secure
-        if ($this->isJWE()) {
-            return false;
-        }
-        // check whether JWS is unsecured
-        return $this->JWS()->isUnsecured();
-    }
+	/**
+	 * Check whether JWT is unsecured, that is, it's neither integrity protected
+	 * nor encrypted.
+	 *
+	 * @return bool
+	 */
+	public function isUnsecured(): bool
+	{
+		// encrypted JWT shall be considered secure
+		if ($this->isJWE()) {
+			return false;
+		}
+		// check whether JWS is unsecured
+		return $this->JWS()->isUnsecured();
+	}
     
-    /**
-     * Get JWT header.
-     *
-     * @return JOSE
-     */
-    public function header(): JOSE
-    {
-        $header = Header::fromJSON(Base64::urlDecode($this->_parts[0]));
-        return new JOSE($header);
-    }
+	/**
+	 * Get JWT header.
+	 *
+	 * @return JOSE
+	 */
+	public function header(): JOSE
+	{
+		$header = Header::fromJSON(Base64::urlDecode($this->_parts[0]));
+		return new JOSE($header);
+	}
     
-    /**
-     * Get JWT as a string.
-     *
-     * @return string
-     */
-    public function token(): string
-    {
-        return implode(".", $this->_parts);
-    }
+	/**
+	 * Get JWT as a string.
+	 *
+	 * @return string
+	 */
+	public function token(): string
+	{
+		return implode(".", $this->_parts);
+	}
     
-    /**
-     * Get claims from a nested payload.
-     *
-     * @param string $payload JWT payload
-     * @param ValidationContext $ctx Validation context
-     * @return Claims
-     */
-    private function _claimsFromNestedPayload(string $payload,
-        ValidationContext $ctx): Claims
-    {
-        $jwt = new JWT($payload);
-        // if this token secured, allow nested tokens to be unsecured.
-        if (!$this->isUnsecured()) {
-            $ctx = $ctx->withUnsecuredAllowed(true);
-        }
-        return $jwt->claims($ctx);
-    }
+	/**
+	 * Get claims from a nested payload.
+	 *
+	 * @param string $payload JWT payload
+	 * @param ValidationContext $ctx Validation context
+	 * @return Claims
+	 */
+	private function _claimsFromNestedPayload(string $payload,
+		ValidationContext $ctx): Claims
+	{
+		$jwt = new JWT($payload);
+		// if this token secured, allow nested tokens to be unsecured.
+		if (!$this->isUnsecured()) {
+			$ctx = $ctx->withUnsecuredAllowed(true);
+		}
+		return $jwt->claims($ctx);
+	}
     
-    /**
-     * Get validated payload from JWS.
-     *
-     * @param JWS $jws JWS
-     * @param ValidationContext $ctx Validation context
-     * @throws ValidationException If signature validation fails
-     * @return string
-     */
-    private static function _validatedPayloadFromJWS(JWS $jws,
-        ValidationContext $ctx): string
-    {
-        // if JWS is unsecured
-        if ($jws->isUnsecured()) {
-            return self::_validatedPayloadFromUnsecuredJWS($jws, $ctx);
-        }
-        return self::_validatedPayloadFromSignedJWS($jws, $ctx->keys());
-    }
+	/**
+	 * Get validated payload from JWS.
+	 *
+	 * @param JWS $jws JWS
+	 * @param ValidationContext $ctx Validation context
+	 * @throws ValidationException If signature validation fails
+	 * @return string
+	 */
+	private static function _validatedPayloadFromJWS(JWS $jws,
+		ValidationContext $ctx): string
+	{
+		// if JWS is unsecured
+		if ($jws->isUnsecured()) {
+			return self::_validatedPayloadFromUnsecuredJWS($jws, $ctx);
+		}
+		return self::_validatedPayloadFromSignedJWS($jws, $ctx->keys());
+	}
     
-    /**
-     * Get validated payload from an unsecured JWS.
-     *
-     * @param JWS $jws JWS
-     * @param ValidationContext $ctx Validation context
-     * @throws ValidationException If unsecured JWT's are not allowed, or JWS
-     *         token is malformed
-     * @return string
-     */
-    private static function _validatedPayloadFromUnsecuredJWS(JWS $jws,
-        ValidationContext $ctx): string
-    {
-        if (!$ctx->isUnsecuredAllowed()) {
-            throw new ValidationException("Unsecured JWS not allowed.");
-        }
-        if (!$jws->validate(new NoneAlgorithm())) {
-            throw new ValidationException("Malformed unsecured token.");
-        }
-        return $jws->payload();
-    }
+	/**
+	 * Get validated payload from an unsecured JWS.
+	 *
+	 * @param JWS $jws JWS
+	 * @param ValidationContext $ctx Validation context
+	 * @throws ValidationException If unsecured JWT's are not allowed, or JWS
+	 *         token is malformed
+	 * @return string
+	 */
+	private static function _validatedPayloadFromUnsecuredJWS(JWS $jws,
+		ValidationContext $ctx): string
+	{
+		if (!$ctx->isUnsecuredAllowed()) {
+			throw new ValidationException("Unsecured JWS not allowed.");
+		}
+		if (!$jws->validate(new NoneAlgorithm())) {
+			throw new ValidationException("Malformed unsecured token.");
+		}
+		return $jws->payload();
+	}
     
-    /**
-     * Get validated payload from a signed JWS.
-     *
-     * @param JWS $jws JWS
-     * @param JWKSet $keys Set of allowed keys for the signature validation
-     * @throws ValidationException If validation fails
-     * @return string
-     */
-    private static function _validatedPayloadFromSignedJWS(JWS $jws, JWKSet $keys): string
-    {
-        try {
-            // explicitly defined key
-            if (1 == count($keys)) {
-                $valid = $jws->validateWithJWK($keys->first());
-            } else {
-                $valid = $jws->validateWithJWKSet($keys);
-            }
-        } catch (\RuntimeException $e) {
-            throw new ValidationException("JWS validation failed.", 0, $e);
-        }
-        if (!$valid) {
-            throw new ValidationException("JWS signature is invalid.");
-        }
-        return $jws->payload();
-    }
+	/**
+	 * Get validated payload from a signed JWS.
+	 *
+	 * @param JWS $jws JWS
+	 * @param JWKSet $keys Set of allowed keys for the signature validation
+	 * @throws ValidationException If validation fails
+	 * @return string
+	 */
+	private static function _validatedPayloadFromSignedJWS(JWS $jws, JWKSet $keys): string
+	{
+		try {
+			// explicitly defined key
+			if (1 == count($keys)) {
+				$valid = $jws->validateWithJWK($keys->first());
+			} else {
+				$valid = $jws->validateWithJWKSet($keys);
+			}
+		} catch (\RuntimeException $e) {
+			throw new ValidationException("JWS validation failed.", 0, $e);
+		}
+		if (!$valid) {
+			throw new ValidationException("JWS signature is invalid.");
+		}
+		return $jws->payload();
+	}
     
-    /**
-     * Get validated payload from an encrypted JWE.
-     *
-     * @param JWE $jwe JWE
-     * @param ValidationContext $ctx Validation context
-     * @throws ValidationException If decryption fails
-     * @return string
-     */
-    private static function _validatedPayloadFromJWE(JWE $jwe,
-        ValidationContext $ctx): string
-    {
-        try {
-            $keys = $ctx->keys();
-            // explicitly defined key
-            if (1 == count($keys)) {
-                return $jwe->decryptWithJWK($keys->first());
-            }
-            return $jwe->decryptWithJWKSet($keys);
-        } catch (\RuntimeException $e) {
-            throw new ValidationException("JWE validation failed.", 0, $e);
-        }
-    }
+	/**
+	 * Get validated payload from an encrypted JWE.
+	 *
+	 * @param JWE $jwe JWE
+	 * @param ValidationContext $ctx Validation context
+	 * @throws ValidationException If decryption fails
+	 * @return string
+	 */
+	private static function _validatedPayloadFromJWE(JWE $jwe,
+		ValidationContext $ctx): string
+	{
+		try {
+			$keys = $ctx->keys();
+			// explicitly defined key
+			if (1 == count($keys)) {
+				return $jwe->decryptWithJWK($keys->first());
+			}
+			return $jwe->decryptWithJWKSet($keys);
+		} catch (\RuntimeException $e) {
+			throw new ValidationException("JWE validation failed.", 0, $e);
+		}
+	}
     
-    /**
-     * Convert JWT to string.
-     *
-     * @return string
-     */
-    public function __toString()
-    {
-        return $this->token();
-    }
+	/**
+	 * Convert JWT to string.
+	 *
+	 * @return string
+	 */
+	public function __toString()
+	{
+		return $this->token();
+	}
 }

lib/JWX/JWT/Claim/ExpirationTimeClaim.php

Indentation +13 added lines, -13 removed lines

@@ -13,18 +13,18 @@
  */
 class ExpirationTimeClaim extends RegisteredClaim
 {
-    use NumericDateClaim;
-    use ReferenceTimeValidation;
+	use NumericDateClaim;
+	use ReferenceTimeValidation;
     
-    /**
-     * Constructor.
-     *
-     * @param int $exp_time Expiration time
-     */
-    public function __construct($exp_time)
-    {
-        // validate that claim is after the constraint (reference time)
-        parent::__construct(self::NAME_EXPIRATION_TIME, intval($exp_time),
-            new GreaterValidator());
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param int $exp_time Expiration time
+	 */
+	public function __construct($exp_time)
+	{
+		// validate that claim is after the constraint (reference time)
+		parent::__construct(self::NAME_EXPIRATION_TIME, intval($exp_time),
+			new GreaterValidator());
+	}
 }

lib/JWX/JWT/Claim/RegisteredClaim.php

Indentation +77 added lines, -77 removed lines

@@ -9,85 +9,85 @@
  */
 abstract class RegisteredClaim extends Claim
 {
-    // JWT claims
-    const NAME_ISSUER = "iss";
-    const NAME_SUBJECT = "sub";
-    const NAME_AUDIENCE = "aud";
-    const NAME_EXPIRATION_TIME = "exp";
-    const NAME_NOT_BEFORE = "nbf";
-    const NAME_ISSUED_AT = "iat";
-    const NAME_JWT_ID = "jti";
+	// JWT claims
+	const NAME_ISSUER = "iss";
+	const NAME_SUBJECT = "sub";
+	const NAME_AUDIENCE = "aud";
+	const NAME_EXPIRATION_TIME = "exp";
+	const NAME_NOT_BEFORE = "nbf";
+	const NAME_ISSUED_AT = "iat";
+	const NAME_JWT_ID = "jti";
     
-    // OpenID claims
-    const NAME_FULL_NAME = "name";
-    const NAME_GIVEN_NAME = "given_name";
-    const NAME_FAMILY_NAME = "family_name";
-    const NAME_MIDDLE_NAME = "middle_name";
-    const NAME_NICKNAME = "nickname";
-    const NAME_PREFERRED_USERNAME = "preferred_username";
-    const NAME_PROFILE_URL = "profile";
-    const NAME_PICTURE_URL = "picture";
-    const NAME_WEBSITE_URL = "website";
-    const NAME_EMAIL = "email";
-    const NAME_EMAIL_VERIFIED = "email_verified";
-    const NAME_GENDER = "gender";
-    const NAME_BIRTHDATE = "birthdate";
-    const NAME_TIMEZONE = "zoneinfo";
-    const NAME_LOCALE = "locale";
-    const NAME_PHONE_NUMBER = "phone_number";
-    const NAME_PHONE_NUMBER_VERIFIED = "phone_number_verified";
-    const NAME_ADDRESS = "address";
-    const NAME_UPDATED_AT = "updated_at";
-    const NAME_AUTHORIZED_PARTY = "azp";
-    const NAME_NONCE = "nonce";
-    const NAME_AUTH_TIME = "auth_time";
-    const NAME_ACCESS_TOKEN_HASH = "at_hash";
-    const NAME_CODE_HASH = "c_hash";
-    const NAME_ACR = "acr";
-    const NAME_AMR = "amr";
-    const NAME_SUB_JWK = "sub_jwk";
+	// OpenID claims
+	const NAME_FULL_NAME = "name";
+	const NAME_GIVEN_NAME = "given_name";
+	const NAME_FAMILY_NAME = "family_name";
+	const NAME_MIDDLE_NAME = "middle_name";
+	const NAME_NICKNAME = "nickname";
+	const NAME_PREFERRED_USERNAME = "preferred_username";
+	const NAME_PROFILE_URL = "profile";
+	const NAME_PICTURE_URL = "picture";
+	const NAME_WEBSITE_URL = "website";
+	const NAME_EMAIL = "email";
+	const NAME_EMAIL_VERIFIED = "email_verified";
+	const NAME_GENDER = "gender";
+	const NAME_BIRTHDATE = "birthdate";
+	const NAME_TIMEZONE = "zoneinfo";
+	const NAME_LOCALE = "locale";
+	const NAME_PHONE_NUMBER = "phone_number";
+	const NAME_PHONE_NUMBER_VERIFIED = "phone_number_verified";
+	const NAME_ADDRESS = "address";
+	const NAME_UPDATED_AT = "updated_at";
+	const NAME_AUTHORIZED_PARTY = "azp";
+	const NAME_NONCE = "nonce";
+	const NAME_AUTH_TIME = "auth_time";
+	const NAME_ACCESS_TOKEN_HASH = "at_hash";
+	const NAME_CODE_HASH = "c_hash";
+	const NAME_ACR = "acr";
+	const NAME_AMR = "amr";
+	const NAME_SUB_JWK = "sub_jwk";
     
-    /**
-     * Mapping from registered claim name to class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_NAME_TO_CLASS = array(
-        /* @formatter:off */
-        self::NAME_ISSUER => IssuerClaim::class,
-        self::NAME_SUBJECT => SubjectClaim::class,
-        self::NAME_AUDIENCE => AudienceClaim::class,
-        self::NAME_EXPIRATION_TIME => ExpirationTimeClaim::class,
-        self::NAME_NOT_BEFORE => NotBeforeClaim::class,
-        self::NAME_ISSUED_AT => IssuedAtClaim::class,
-        self::NAME_JWT_ID => JWTIDClaim::class
-        /* @formatter:on */
-    );
+	/**
+	 * Mapping from registered claim name to class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_NAME_TO_CLASS = array(
+		/* @formatter:off */
+		self::NAME_ISSUER => IssuerClaim::class,
+		self::NAME_SUBJECT => SubjectClaim::class,
+		self::NAME_AUDIENCE => AudienceClaim::class,
+		self::NAME_EXPIRATION_TIME => ExpirationTimeClaim::class,
+		self::NAME_NOT_BEFORE => NotBeforeClaim::class,
+		self::NAME_ISSUED_AT => IssuedAtClaim::class,
+		self::NAME_JWT_ID => JWTIDClaim::class
+		/* @formatter:on */
+	);
     
-    /**
-     * Constructor.
-     *
-     * Defined here for type strictness. Parameters are passed to the
-     * superclass.
-     *
-     * @param mixed ...$args
-     */
-    public function __construct(...$args)
-    {
-        parent::__construct((string) $args[0], $args[1],
-            isset($args[2]) ? $args[2] : null);
-    }
+	/**
+	 * Constructor.
+	 *
+	 * Defined here for type strictness. Parameters are passed to the
+	 * superclass.
+	 *
+	 * @param mixed ...$args
+	 */
+	public function __construct(...$args)
+	{
+		parent::__construct((string) $args[0], $args[1],
+			isset($args[2]) ? $args[2] : null);
+	}
     
-    /**
-     * Initialize concrete claim instance from a JSON value.
-     *
-     * @param mixed $value
-     * @return RegisteredClaim
-     */
-    public static function fromJSONValue($value)
-    {
-        return new static($value);
-    }
+	/**
+	 * Initialize concrete claim instance from a JSON value.
+	 *
+	 * @param mixed $value
+	 * @return RegisteredClaim
+	 */
+	public static function fromJSONValue($value)
+	{
+		return new static($value);
+	}
 }

lib/JWX/JWT/Parameter/ReplicatedClaimParameter.php

Indentation +9 added lines, -9 removed lines

@@ -11,13 +11,13 @@
  */
 class ReplicatedClaimParameter extends JWTParameter
 {
-    /**
-     * Constructor.
-     *
-     * @param Claim $claim
-     */
-    public function __construct(Claim $claim)
-    {
-        parent::__construct($claim->name(), $claim->value());
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param Claim $claim
+	 */
+	public function __construct(Claim $claim)
+	{
+		parent::__construct($claim->name(), $claim->value());
+	}
 }

lib/JWX/Util/Base64.php

Switch Indentation +11 added lines, -11 removed lines

@@ -31,17 +31,17 @@
     {
         $data = strtr($data, "-_", "+/");
         switch (strlen($data) % 4) {
-            case 0:
-                break;
-            case 2:
-                $data .= "==";
-                break;
-            case 3:
-                $data .= "=";
-                break;
-            default:
-                throw new \UnexpectedValueException(
-                    "Malformed base64url encoding.");
+        case 0:
+            break;
+        case 2:
+            $data .= "==";
+            break;
+        case 3:
+            $data .= "=";
+            break;
+        default:
+            throw new \UnexpectedValueException(
+                "Malformed base64url encoding.");
         }
         return self::decode($data);
     }

Indentation +95 added lines, -95 removed lines

@@ -9,104 +9,104 @@
  */
 class Base64
 {
-    /**
-     * Encode a string using base64url variant.
-     *
-     * @link https://en.wikipedia.org/wiki/Base64#URL_applications
-     * @param string $data
-     * @return string
-     */
-    public static function urlEncode(string $data): string
-    {
-        return strtr(rtrim(self::encode($data), "="), "+/", "-_");
-    }
+	/**
+	 * Encode a string using base64url variant.
+	 *
+	 * @link https://en.wikipedia.org/wiki/Base64#URL_applications
+	 * @param string $data
+	 * @return string
+	 */
+	public static function urlEncode(string $data): string
+	{
+		return strtr(rtrim(self::encode($data), "="), "+/", "-_");
+	}
     
-    /**
-     * Decode a string using base64url variant.
-     *
-     * @link https://en.wikipedia.org/wiki/Base64#URL_applications
-     * @param string $data
-     * @throws \UnexpectedValueException
-     * @return string
-     */
-    public static function urlDecode(string $data): string
-    {
-        $data = strtr($data, "-_", "+/");
-        switch (strlen($data) % 4) {
-            case 0:
-                break;
-            case 2:
-                $data .= "==";
-                break;
-            case 3:
-                $data .= "=";
-                break;
-            default:
-                throw new \UnexpectedValueException(
-                    "Malformed base64url encoding.");
-        }
-        return self::decode($data);
-    }
+	/**
+	 * Decode a string using base64url variant.
+	 *
+	 * @link https://en.wikipedia.org/wiki/Base64#URL_applications
+	 * @param string $data
+	 * @throws \UnexpectedValueException
+	 * @return string
+	 */
+	public static function urlDecode(string $data): string
+	{
+		$data = strtr($data, "-_", "+/");
+		switch (strlen($data) % 4) {
+			case 0:
+				break;
+			case 2:
+				$data .= "==";
+				break;
+			case 3:
+				$data .= "=";
+				break;
+			default:
+				throw new \UnexpectedValueException(
+					"Malformed base64url encoding.");
+		}
+		return self::decode($data);
+	}
     
-    /**
-     * Check whether string is validly base64url encoded.
-     *
-     * @link https://en.wikipedia.org/wiki/Base64#URL_applications
-     * @param string $data
-     * @return bool
-     */
-    public static function isValidURLEncoding(string $data): bool
-    {
-        return preg_match('#^[A-Za-z0-9\-_]*$#', $data) == 1;
-    }
+	/**
+	 * Check whether string is validly base64url encoded.
+	 *
+	 * @link https://en.wikipedia.org/wiki/Base64#URL_applications
+	 * @param string $data
+	 * @return bool
+	 */
+	public static function isValidURLEncoding(string $data): bool
+	{
+		return preg_match('#^[A-Za-z0-9\-_]*$#', $data) == 1;
+	}
     
-    /**
-     * Encode a string in base64.
-     *
-     * @link https://tools.ietf.org/html/rfc4648#section-4
-     * @param string $data
-     * @throws \RuntimeException If encoding fails
-     * @return string
-     */
-    public static function encode(string $data): string
-    {
-        $ret = @base64_encode($data);
-        if (!is_string($ret)) {
-            $err = error_get_last();
-            $msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
-            throw new \RuntimeException($msg ?? "base64_encode() failed.");
-        }
-        return $ret;
-    }
+	/**
+	 * Encode a string in base64.
+	 *
+	 * @link https://tools.ietf.org/html/rfc4648#section-4
+	 * @param string $data
+	 * @throws \RuntimeException If encoding fails
+	 * @return string
+	 */
+	public static function encode(string $data): string
+	{
+		$ret = @base64_encode($data);
+		if (!is_string($ret)) {
+			$err = error_get_last();
+			$msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
+			throw new \RuntimeException($msg ?? "base64_encode() failed.");
+		}
+		return $ret;
+	}
     
-    /**
-     * Decode a string from base64 encoding.
-     *
-     * @link https://tools.ietf.org/html/rfc4648#section-4
-     * @param string $data
-     * @throws \RuntimeException If decoding fails
-     * @return string
-     */
-    public static function decode(string $data): string
-    {
-        $ret = base64_decode($data, true);
-        if (!is_string($ret)) {
-            $err = error_get_last();
-            $msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
-            throw new \RuntimeException($msg ?? "base64_decode() failed.");
-        }
-        return $ret;
-    }
+	/**
+	 * Decode a string from base64 encoding.
+	 *
+	 * @link https://tools.ietf.org/html/rfc4648#section-4
+	 * @param string $data
+	 * @throws \RuntimeException If decoding fails
+	 * @return string
+	 */
+	public static function decode(string $data): string
+	{
+		$ret = base64_decode($data, true);
+		if (!is_string($ret)) {
+			$err = error_get_last();
+			$msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
+			throw new \RuntimeException($msg ?? "base64_decode() failed.");
+		}
+		return $ret;
+	}
     
-    /**
-     * Check whether string is validly base64 encoded.
-     *
-     * @link https://tools.ietf.org/html/rfc4648#section-4
-     * @param string $data
-     * @return bool
-     */
-    public static function isValid(string $data): bool
-    {
-        return preg_match('#^[A-Za-z0-9+/]*={0,2}$#', $data) == 1;
-    }
+	/**
+	 * Check whether string is validly base64 encoded.
+	 *
+	 * @link https://tools.ietf.org/html/rfc4648#section-4
+	 * @param string $data
+	 * @return bool
+	 */
+	public static function isValid(string $data): bool
+	{
+		return preg_match('#^[A-Za-z0-9+/]*={0,2}$#', $data) == 1;
+	}
 }

lib/JWX/Parameter/Feature/ArrayParameterValue.php

Indentation +20 added lines, -20 removed lines

@@ -7,25 +7,25 @@
  */
 trait ArrayParameterValue
 {
-    /**
-     * Constructor.
-     *
-     * @param mixed ...$values
-     */
-    abstract public function __construct(...$values);
+	/**
+	 * Constructor.
+	 *
+	 * @param mixed ...$values
+	 */
+	abstract public function __construct(...$values);
     
-    /**
-     * Initialize from a JSON value.
-     *
-     * @param array $value
-     * @return static
-     */
-    public static function fromJSONValue($value)
-    {
-        if (!is_array($value)) {
-            throw new \UnexpectedValueException(
-                get_called_class() . " expects an array parameter.");
-        }
-        return new static(...$value);
-    }
+	/**
+	 * Initialize from a JSON value.
+	 *
+	 * @param array $value
+	 * @return static
+	 */
+	public static function fromJSONValue($value)
+	{
+		if (!is_array($value)) {
+			throw new \UnexpectedValueException(
+				get_called_class() . " expects an array parameter.");
+		}
+		return new static(...$value);
+	}
 }

lib/JWX/JWS/Algorithm/HMACAlgorithm.php

Indentation +81 added lines, -81 removed lines

@@ -18,92 +18,92 @@
  */
 abstract class HMACAlgorithm extends SignatureAlgorithm
 {
-    /**
-     * Shared secret key.
-     *
-     * @var string $_key
-     */
-    protected $_key;
+	/**
+	 * Shared secret key.
+	 *
+	 * @var string $_key
+	 */
+	protected $_key;
     
-    /**
-     * Mapping from algorithm name to class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_ALGO_TO_CLASS = array(
-        /* @formatter:off */
-        JWA::ALGO_HS256 => HS256Algorithm::class, 
-        JWA::ALGO_HS384 => HS384Algorithm::class, 
-        JWA::ALGO_HS512 => HS512Algorithm::class
-        /* @formatter:on */
-    );
+	/**
+	 * Mapping from algorithm name to class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_ALGO_TO_CLASS = array(
+		/* @formatter:off */
+		JWA::ALGO_HS256 => HS256Algorithm::class, 
+		JWA::ALGO_HS384 => HS384Algorithm::class, 
+		JWA::ALGO_HS512 => HS512Algorithm::class
+		/* @formatter:on */
+	);
     
-    /**
-     * Get algorithm name recognized by the Hash extension.
-     *
-     * @return string
-     */
-    abstract protected function _hashAlgo(): string;
+	/**
+	 * Get algorithm name recognized by the Hash extension.
+	 *
+	 * @return string
+	 */
+	abstract protected function _hashAlgo(): string;
     
-    /**
-     * Constructor.
-     *
-     * @param string $key Shared secret key
-     */
-    public function __construct(string $key)
-    {
-        $this->_key = $key;
-    }
+	/**
+	 * Constructor.
+	 *
+	 * @param string $key Shared secret key
+	 */
+	public function __construct(string $key)
+	{
+		$this->_key = $key;
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     */
-    public static function fromJWK(JWK $jwk, Header $header): self
-    {
-        $jwk = SymmetricKeyJWK::fromJWK($jwk);
-        $alg = JWA::deriveAlgorithmName($header, $jwk);
-        if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
-            throw new \UnexpectedValueException("Unsupported algorithm '$alg'.");
-        }
-        $cls = self::MAP_ALGO_TO_CLASS[$alg];
-        return new $cls($jwk->key());
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 */
+	public static function fromJWK(JWK $jwk, Header $header): self
+	{
+		$jwk = SymmetricKeyJWK::fromJWK($jwk);
+		$alg = JWA::deriveAlgorithmName($header, $jwk);
+		if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
+			throw new \UnexpectedValueException("Unsupported algorithm '$alg'.");
+		}
+		$cls = self::MAP_ALGO_TO_CLASS[$alg];
+		return new $cls($jwk->key());
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     */
-    public function computeSignature(string $data): string
-    {
-        $result = @hash_hmac($this->_hashAlgo(), $data, $this->_key, true);
-        if (false === $result) {
-            $err = error_get_last();
-            $msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
-            throw new \RuntimeException($msg ?? 'hash_hmac() failed.');
-        }
-        return $result;
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 */
+	public function computeSignature(string $data): string
+	{
+		$result = @hash_hmac($this->_hashAlgo(), $data, $this->_key, true);
+		if (false === $result) {
+			$err = error_get_last();
+			$msg = isset($err) && __FILE__ == $err['file'] ? $err['message'] : null;
+			throw new \RuntimeException($msg ?? 'hash_hmac() failed.');
+		}
+		return $result;
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     */
-    public function validateSignature(string $data, string $signature): bool
-    {
-        return $this->computeSignature($data) === $signature;
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 */
+	public function validateSignature(string $data, string $signature): bool
+	{
+		return $this->computeSignature($data) === $signature;
+	}
     
-    /**
-     *
-     * @see \JWX\JWS\SignatureAlgorithm::headerParameters()
-     * @return \JWX\JWT\Parameter\JWTParameter[]
-     */
-    public function headerParameters(): array
-    {
-        return array_merge(parent::headerParameters(),
-            array(AlgorithmParameter::fromAlgorithm($this)));
-    }
+	/**
+	 *
+	 * @see \JWX\JWS\SignatureAlgorithm::headerParameters()
+	 * @return \JWX\JWT\Parameter\JWTParameter[]
+	 */
+	public function headerParameters(): array
+	{
+		return array_merge(parent::headerParameters(),
+			array(AlgorithmParameter::fromAlgorithm($this)));
+	}
 }

lib/JWX/JWS/Algorithm/HS256Algorithm.php

Indentation +16 added lines, -16 removed lines

@@ -13,21 +13,21 @@
  */
 class HS256Algorithm extends HMACAlgorithm
 {
-    /**
-     *
-     * {@inheritdoc}
-     */
-    protected function _hashAlgo(): string
-    {
-        return "sha256";
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 */
+	protected function _hashAlgo(): string
+	{
+		return "sha256";
+	}
     
-    /**
-     *
-     * {@inheritdoc}
-     */
-    public function algorithmParamValue(): string
-    {
-        return JWA::ALGO_HS256;
-    }
+	/**
+	 *
+	 * {@inheritdoc}
+	 */
+	public function algorithmParamValue(): string
+	{
+		return JWA::ALGO_HS256;
+	}
 }