MC-38539: Introduce JWT wrapper

Author: ogorkun

app/code/Magento/JwtFrameworkAdapter/Model/JwtManager.php

@@ -184,22 +184,7 @@ public function read(string $token, array $acceptableEncryption): JwtInterface
      */
     private function convertToAdapterJwk(Jwk $jwk): AdapterJwk
     {
-        $data = [
-            'kty' => $jwk->getKeyType(),
-            'use' => $jwk->getPublicKeyUse(),
-            'key_ops' => $jwk->getKeyOperations(),
-            'alg' => $jwk->getAlgorithm(),
-            'x5u' => $jwk->getX509Url(),
-            'x5c' => $jwk->getX509CertificateChain(),
-            'x5t' => $jwk->getX509Sha1Thumbprint(),
-            'x5t#S256' => $jwk->getX509Sha256Thumbprint()
-        ];
-        $data = array_merge($data, $jwk->getAlgoData());
-        $data = array_filter($data, function ($value) {
-            return $value !== null;
-        });
-
-        return new AdapterJwk($data);
+        return new AdapterJwk($jwk->getJsonData());
     }
 
     private function convertToAdapterKeySet(JwkSet $jwkSet): AdapterJwkSet
@@ -256,14 +241,16 @@ private function buildJws(JwsInterface $jws, EncryptionSettingsInterface $encryp
                     throw new EncryptionException('Algorithm is required for JWKs');
                 }
                 $protected = [];
+                if ($jws->getPayload()->getContentType()) {
+                    $protected['cty'] = $jws->getPayload()->getContentType();
+                }
                 if ($jws->getProtectedHeaders()) {
                     $protected = $this->extractHeaderData($jws->getProtectedHeaders()[$i]);
                 }
                 $protected['alg'] = $alg;
                 $unprotected = [];
                 if ($jws->getUnprotectedHeaders()) {
                     $unprotected = $this->extractHeaderData($jws->getUnprotectedHeaders()[$i]);
-                    $unprotected['alg'] = $alg;
                 }
                 $builder = $builder->addSignature($this->convertToAdapterJwk($jwk), $protected, $unprotected);
             }

dev/tests/integration/testsuite/Magento/Framework/Jwt/JwtManagerTest.php

@@ -9,7 +9,9 @@
 namespace Magento\Framework\Jwt;
 
 use Magento\Framework\Jwt\Claim\PrivateClaim;
+use Magento\Framework\Jwt\Header\Critical;
 use Magento\Framework\Jwt\Header\PrivateHeaderParameter;
+use Magento\Framework\Jwt\Header\PublicHeaderParameter;
 use Magento\Framework\Jwt\Jwe\JweInterface;
 use Magento\Framework\Jwt\Jws\Jws;
 use Magento\Framework\Jwt\Jws\JwsHeader;
@@ -42,14 +44,18 @@ protected function setUp(): void
      *
      * @param JwtInterface $jwt
      * @param EncryptionSettingsInterface $encryption
+     * @param EncryptionSettingsInterface[] $readEncryption
      * @return void
      *
      * @dataProvider getTokenVariants
      */
-    public function testCreateRead(JwtInterface $jwt, EncryptionSettingsInterface $encryption): void
-    {
+    public function testCreateRead(
+        JwtInterface $jwt,
+        EncryptionSettingsInterface $encryption,
+        array $readEncryption
+    ): void {
         $token = $this->manager->create($jwt, $encryption);
-        $recreated = $this->manager->read($token, [$encryption]);
+        $recreated = $this->manager->read($token, $readEncryption);
 
         //Verifying header
         $this->verifyHeader($jwt->getHeader(), $recreated->getHeader());
@@ -88,7 +94,7 @@ public function getTokenVariants(): array
         /** @var JwkFactory $jwkFactory */
         $jwkFactory = Bootstrap::getObjectManager()->get(JwkFactory::class);
 
-        $hmacFlatJws = new Jws(
+        $flatJws = new Jws(
             [
                 new JwsHeader(
                     [
@@ -107,18 +113,59 @@ public function getTokenVariants(): array
             null
         );
 
+        $flatJwsWithUnprotectedHeader = new Jws(
+            [
+                new JwsHeader(
+                    [
+                        new PrivateHeaderParameter('custom-header', 'value'),
+                        new Critical(['magento'])
+                    ]
+                )
+            ],
+            new ClaimsPayload(
+                [
+                    new PrivateClaim('custom-claim', 'value'),
+                    new PrivateClaim('custom-claim2', 'value2')
+                ]
+            ),
+            [
+                new JwsHeader(
+                    [
+                        new PublicHeaderParameter('public-header', 'magento', 'public-value')
+                    ]
+                )
+            ]
+        );
+        $rsaPrivateResource = openssl_pkey_new(['private_key_bites' => 512, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
+        if ($rsaPrivateResource === false) {
+            throw new \RuntimeException('Failed to create RSA keypair');
+        }
+        $rsaPublic = openssl_pkey_get_details($rsaPrivateResource)['key'];
+        if (!openssl_pkey_export($rsaPrivateResource, $rsaPrivate)) {
+            throw new \RuntimeException('Failed to read RSA private key');
+        }
+        openssl_free_key($rsaPrivateResource);
+
         return [
             'jws-HS256' => [
-                $hmacFlatJws,
-                new JwsSignatureJwks($jwkFactory->createHs256(random_bytes(128)))
+                $flatJws,
+                $enc = new JwsSignatureJwks($jwkFactory->createHs256(random_bytes(128))),
+                [$enc]
             ],
             'jws-HS384' => [
-                $hmacFlatJws,
-                new JwsSignatureJwks($jwkFactory->createHs384(random_bytes(128)))
+                $flatJws,
+                $enc = new JwsSignatureJwks($jwkFactory->createHs384(random_bytes(128))),
+                [$enc]
             ],
             'jws-HS512' => [
-                $hmacFlatJws,
-                new JwsSignatureJwks($jwkFactory->createHs512(random_bytes(128)))
+                $flatJwsWithUnprotectedHeader,
+                $enc = new JwsSignatureJwks($jwkFactory->createHs512(random_bytes(128))),
+                [$enc]
+            ],
+            'jws-RS256' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignRs256($rsaPrivate, null)),
+                [new JwsSignatureJwks($jwkFactory->createVerifyRs256($rsaPublic))]
             ]
         ];
     }

lib/internal/Magento/Framework/Jwt/Header/Algorithm.php

@@ -0,0 +1,55 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Jwt\Header;
+
+use Magento\Framework\Jwt\Jwe\JweHeaderParameterInterface;
+use Magento\Framework\Jwt\Jws\JwsHeaderParameterInterface;
+
+/**
+ * "alg" header.
+ */
+class Algorithm implements JwsHeaderParameterInterface, JweHeaderParameterInterface
+{
+    /**
+     * @var string
+     */
+    private $value;
+
+    /**
+     * @param string $value
+     */
+    public function __construct(string $value)
+    {
+        $this->value = $value;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getName(): string
+    {
+        return 'alg';
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getValue()
+    {
+        return $this->value;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getClass(): ?int
+    {
+        return self::CLASS_REGISTERED;
+    }
+}

lib/internal/Magento/Framework/Jwt/Header/Critical.php

@@ -0,0 +1,58 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Jwt\Header;
+
+use Magento\Framework\Jwt\Jwe\JweHeaderParameterInterface;
+use Magento\Framework\Jwt\Jws\JwsHeaderParameterInterface;
+
+/**
+ * "crit" header.
+ */
+class Critical implements JwsHeaderParameterInterface, JweHeaderParameterInterface
+{
+    /**
+     * @var string[]
+     */
+    private $value;
+
+    /**
+     * @param string[] $value
+     */
+    public function __construct(array $value)
+    {
+        if (!$value) {
+            throw new \InvalidArgumentException('Critical header cannot be empty');
+        }
+        $this->value = array_values($value);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getName(): string
+    {
+        return 'crit';
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getValue()
+    {
+        return json_encode($this->value);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getClass(): ?int
+    {
+        return self::CLASS_REGISTERED;
+    }
+}

lib/internal/Magento/Framework/Jwt/Header/Jwk.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Jwt\Header;
+
+use Magento\Framework\Jwt\Jwe\JweHeaderParameterInterface;
+use Magento\Framework\Jwt\Jws\JwsHeaderParameterInterface;
+use Magento\Framework\Jwt\Jwk as JwkData;
+
+/**
+ * "jwk" header.
+ */
+class Jwk implements JwsHeaderParameterInterface, JweHeaderParameterInterface
+{
+    /**
+     * @var JwkData
+     */
+    private $value;
+
+    /**
+     * @param JwkData $value
+     */
+    public function __construct(JwkData $value)
+    {
+        $this->value = $value;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getName(): string
+    {
+        return 'jwk';
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getValue()
+    {
+        return json_encode($this->value->getJsonData());
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getClass(): ?int
+    {
+        return self::CLASS_REGISTERED;
+    }
+}

lib/internal/Magento/Framework/Jwt/Header/JwkSetUrl.php

@@ -0,0 +1,55 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Jwt\Header;
+
+use Magento\Framework\Jwt\Jwe\JweHeaderParameterInterface;
+use Magento\Framework\Jwt\Jws\JwsHeaderParameterInterface;
+
+/**
+ * "jku" header.
+ */
+class JwkSetUrl implements JwsHeaderParameterInterface, JweHeaderParameterInterface
+{
+    /**
+     * @var string
+     */
+    private $value;
+
+    /**
+     * @param string $value
+     */
+    public function __construct(string $value)
+    {
+        $this->value = $value;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getName(): string
+    {
+        return 'jku';
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getValue()
+    {
+        return $this->value;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getClass(): ?int
+    {
+        return self::CLASS_REGISTERED;
+    }
+}