MC-38539: Introduce JWT wrapper

ogorkun · ogorkun · commit cfb09d224b82 · 2021-02-02T12:17:56.000-06:00
diff --git a/dev/tests/integration/testsuite/Magento/Framework/Jwt/JwtManagerTest.php b/dev/tests/integration/testsuite/Magento/Framework/Jwt/JwtManagerTest.php
@@ -171,6 +171,7 @@ public function getTokenVariants(): array
             ]
         );
 
+        //RSA keys
         $rsaPrivateResource = openssl_pkey_new(['private_key_bites' => 512, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
         if ($rsaPrivateResource === false) {
             throw new \RuntimeException('Failed to create RSA keypair');
@@ -180,6 +181,29 @@ public function getTokenVariants(): array
             throw new \RuntimeException('Failed to read RSA private key');
         }
         openssl_free_key($rsaPrivateResource);
+
+        //EC Keys
+        $curveNameMap = [
+            256 => 'prime256v1',
+            384 => 'secp384r1',
+            512 => 'secp521r1'
+        ];
+        $ecKeys = [];
+        foreach ($curveNameMap as $bits => $curve) {
+            $privateResource = openssl_pkey_new(['curve_name' => $curve, 'private_key_type' => OPENSSL_KEYTYPE_EC]);
+            if ($privateResource === false) {
+                throw new \RuntimeException('Failed to create EC keypair');
+            }
+            $esPublic = openssl_pkey_get_details($privateResource)['key'];
+            if (!openssl_pkey_export($privateResource, $esPrivate, 'pass')) {
+                throw new \RuntimeException('Failed to read EC private key');
+            }
+            openssl_free_key($privateResource);
+            $ecKeys[$bits] = [$esPrivate, $esPublic];
+            unset($privateResource, $esPublic, $esPrivate);
+        }
+
+        //Shared secret for SHA algorithms
         $sharedSecret = random_bytes(128);
 
         return [
@@ -242,7 +266,22 @@ public function getTokenVariants(): array
                     )
                 ),
                 [new JwsSignatureJwks($jwkFactory->createVerifyRs256($rsaPublic))]
-            ]
+            ],
+            'jws-ES256' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignEs256($ecKeys[256][0], 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyEs256($ecKeys[256][1]))]
+            ],
+            'jws-ES384' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignEs384($ecKeys[384][0], 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyEs384($ecKeys[384][1]))]
+            ],
+            'jws-ES512' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignEs512($ecKeys[512][0], 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyEs512($ecKeys[512][1]))]
+            ],
         ];
     }
 
diff --git a/lib/internal/Magento/Framework/Jwt/JwkFactory.php b/lib/internal/Magento/Framework/Jwt/JwkFactory.php
@@ -13,6 +13,12 @@
  */
 class JwkFactory
 {
+    private const EC_CURVE_MAP = [
+        '1.2.840.10045.3.1.7' => ['name' => 'P-256', 'bits' => 256],
+        '1.3.132.0.34' => ['name' => 'P-384', 'bits' => 384],
+        '1.3.132.0.35' => ['name' => 'P-521', 'bits' => 512]
+    ];
+
     /**
      * Create JWK for signatures generated with HMAC and SHA256
      *
@@ -115,6 +121,75 @@ public function createVerifyRs512(string $publicKey): Jwk
         return $this->createVerifyRsa(512, $publicKey);
     }
 
+    /**
+     * Create JWK to sign JWS with ECDSA using P-256 and SHA-256.
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignEs256(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignEs(256, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with ECDSA using P-256 and SHA-256.
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyEs256(string $publicKey): Jwk
+    {
+        return $this->createVerifyEs(256, $publicKey);
+    }
+
+    /**
+     * Create JWK to sign JWS with ECDSA using P-384 and SHA-384 .
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignEs384(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignEs(384, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with ECDSA using P-384 and SHA-384 .
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyEs384(string $publicKey): Jwk
+    {
+        return $this->createVerifyEs(384, $publicKey);
+    }
+
+    /**
+     * Create JWK to sign JWS with ECDSA using P-521 and SHA-512.
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignEs512(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignEs(512, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with ECDSA using P-521 and SHA-512.
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyEs512(string $publicKey): Jwk
+    {
+        return $this->createVerifyEs(512, $publicKey);
+    }
+
     private function createHmac(int $bits, string $key): Jwk
     {
         if (strlen($key) < 128) {
@@ -186,6 +261,57 @@ private function createVerifyRsa(int $bits, string $key): Jwk
         );
     }
 
+    private function createSignEs(int $bits, string $key, ?string $pass): Jwk
+    {
+        $resource = openssl_get_privatekey($key, (string)$pass);
+        $keyData = openssl_pkey_get_details($resource)['ec'];
+        openssl_free_key($resource);
+        if (!array_key_exists($keyData['curve_oid'], self::EC_CURVE_MAP)) {
+            throw new \RuntimeException('Unsupported EC curve');
+        }
+        if ($bits !== self::EC_CURVE_MAP[$keyData['curve_oid']]['bits']) {
+            throw new \RuntimeException('The key cannot be used with SHA-' .$bits .' hashing algorithm');
+        }
+
+        return new Jwk(
+            Jwk::KEY_TYPE_EC,
+            [
+                'd' => self::base64Encode($keyData['d']),
+                'x' => self::base64Encode($keyData['x']),
+                'y' => self::base64Encode($keyData['y']),
+                'crv' => self::EC_CURVE_MAP[$keyData['curve_oid']]['name']
+            ],
+            Jwk::PUBLIC_KEY_USE_SIGNATURE,
+            null,
+            'ES' .$bits
+        );
+    }
+
+    private function createVerifyEs(int $bits, string $key): Jwk
+    {
+        $resource = openssl_get_publickey($key);
+        $keyData = openssl_pkey_get_details($resource)['ec'];
+        openssl_free_key($resource);
+        if (!array_key_exists($keyData['curve_oid'], self::EC_CURVE_MAP)) {
+            throw new \RuntimeException('Unsupported EC curve');
+        }
+        if ($bits !== self::EC_CURVE_MAP[$keyData['curve_oid']]['bits']) {
+            throw new \RuntimeException('The key cannot be used with SHA-' .$bits .' hashing algorithm');
+        }
+
+        return new Jwk(
+            Jwk::KEY_TYPE_EC,
+            [
+                'x' => self::base64Encode($keyData['x']),
+                'y' => self::base64Encode($keyData['y']),
+                'crv' => self::EC_CURVE_MAP[$keyData['curve_oid']]['name']
+            ],
+            Jwk::PUBLIC_KEY_USE_SIGNATURE,
+            null,
+            'ES' .$bits
+        );
+    }
+
     /**
      * Encode value into Base64Url format.
      *
