MC-38539: Introduce JWT wrapper

Author: ogorkun

dev/tests/integration/testsuite/Magento/Framework/Jwt/JwtManagerTest.php

@@ -171,55 +171,25 @@ public function getTokenVariants(): array
             ]
         );
 
-        //RSA keys
-        $rsaPrivateResource = openssl_pkey_new(['private_key_bites' => 512, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
-        if ($rsaPrivateResource === false) {
-            throw new \RuntimeException('Failed to create RSA keypair');
-        }
-        $rsaPublic = openssl_pkey_get_details($rsaPrivateResource)['key'];
-        if (!openssl_pkey_export($rsaPrivateResource, $rsaPrivate, 'pass')) {
-            throw new \RuntimeException('Failed to read RSA private key');
-        }
-        openssl_free_key($rsaPrivateResource);
-
-        //EC Keys
-        $curveNameMap = [
-            256 => 'prime256v1',
-            384 => 'secp384r1',
-            512 => 'secp521r1'
-        ];
-        $ecKeys = [];
-        foreach ($curveNameMap as $bits => $curve) {
-            $privateResource = openssl_pkey_new(['curve_name' => $curve, 'private_key_type' => OPENSSL_KEYTYPE_EC]);
-            if ($privateResource === false) {
-                throw new \RuntimeException('Failed to create EC keypair');
-            }
-            $esPublic = openssl_pkey_get_details($privateResource)['key'];
-            if (!openssl_pkey_export($privateResource, $esPrivate, 'pass')) {
-                throw new \RuntimeException('Failed to read EC private key');
-            }
-            openssl_free_key($privateResource);
-            $ecKeys[$bits] = [$esPrivate, $esPublic];
-            unset($privateResource, $esPublic, $esPrivate);
-        }
-
-        //Shared secret for SHA algorithms
+        //Keys
+        [$rsaPrivate, $rsaPublic] = $this->createRsaKeys();
+        $ecKeys = $this->createEcKeys();
         $sharedSecret = random_bytes(128);
 
         return [
             'jws-HS256' => [
                 $flatJws,
-                $enc = new JwsSignatureJwks($jwkFactory->createHs256(random_bytes(128))),
+                $enc = new JwsSignatureJwks($jwkFactory->createHs256($sharedSecret)),
                 [$enc]
             ],
             'jws-HS384' => [
                 $flatJws,
-                $enc = new JwsSignatureJwks($jwkFactory->createHs384(random_bytes(128))),
+                $enc = new JwsSignatureJwks($jwkFactory->createHs384($sharedSecret)),
                 [$enc]
             ],
             'jws-HS512' => [
                 $jwsWithUnprotectedHeader,
-                $enc = new JwsSignatureJwks($jwkFactory->createHs512(random_bytes(128))),
+                $enc = new JwsSignatureJwks($jwkFactory->createHs512($sharedSecret)),
                 [$enc]
             ],
             'jws-RS256' => [
@@ -282,6 +252,21 @@ public function getTokenVariants(): array
                 new JwsSignatureJwks($jwkFactory->createSignEs512($ecKeys[512][0], 'pass')),
                 [new JwsSignatureJwks($jwkFactory->createVerifyEs512($ecKeys[512][1]))]
             ],
+            'jws-PS256' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignPs256($rsaPrivate, 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyPs256($rsaPublic))]
+            ],
+            'jws-PS384' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignPs384($rsaPrivate, 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyPs384($rsaPublic))]
+            ],
+            'jws-PS512' => [
+                $flatJws,
+                new JwsSignatureJwks($jwkFactory->createSignPs512($rsaPrivate, 'pass')),
+                [new JwsSignatureJwks($jwkFactory->createVerifyPs512($rsaPublic))]
+            ],
         ];
     }
 
@@ -314,4 +299,54 @@ private function verifyAgainstHeaders(array $expected, HeaderInterface $actual):
         }
         $this->assertTrue($oneIsValid);
     }
+
+    /**
+     * Create RSA key-pair.
+     *
+     * @return string[] With 1st element as private key, second - public.
+     */
+    private function createRsaKeys(): array
+    {
+        $rsaPrivateResource = openssl_pkey_new(['private_key_bites' => 512, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
+        if ($rsaPrivateResource === false) {
+            throw new \RuntimeException('Failed to create RSA keypair');
+        }
+        $rsaPublic = openssl_pkey_get_details($rsaPrivateResource)['key'];
+        if (!openssl_pkey_export($rsaPrivateResource, $rsaPrivate, 'pass')) {
+            throw new \RuntimeException('Failed to read RSA private key');
+        }
+        openssl_free_key($rsaPrivateResource);
+
+        return [$rsaPrivate, $rsaPublic];
+    }
+
+    /**
+     * Create EC key pairs for with different curves.
+     *
+     * @return array Keys - bits, values contain 2 elements: 0 => private, 1 => public.
+     */
+    private function createEcKeys(): array
+    {
+        $curveNameMap = [
+            256 => 'prime256v1',
+            384 => 'secp384r1',
+            512 => 'secp521r1'
+        ];
+        $ecKeys = [];
+        foreach ($curveNameMap as $bits => $curve) {
+            $privateResource = openssl_pkey_new(['curve_name' => $curve, 'private_key_type' => OPENSSL_KEYTYPE_EC]);
+            if ($privateResource === false) {
+                throw new \RuntimeException('Failed to create EC keypair');
+            }
+            $esPublic = openssl_pkey_get_details($privateResource)['key'];
+            if (!openssl_pkey_export($privateResource, $esPrivate, 'pass')) {
+                throw new \RuntimeException('Failed to read EC private key');
+            }
+            openssl_free_key($privateResource);
+            $ecKeys[$bits] = [$esPrivate, $esPublic];
+            unset($privateResource, $esPublic, $esPrivate);
+        }
+
+        return $ecKeys;
+    }
 }

lib/internal/Magento/Framework/Jwt/Jwk.php

@@ -77,6 +77,11 @@ class Jwk
      */
     private $use;
 
+    /**
+     * @var string|null
+     */
+    private $kid;
+
     /**
      * @var string[]|null
      */
@@ -123,6 +128,7 @@ class Jwk
      * @param string[]|null $x5c
      * @param string|null $x5t
      * @param string|null $x5ts256
+     * @param string|null $kid
      */
     public function __construct(
         string $kty,
@@ -133,7 +139,8 @@ public function __construct(
         ?string $x5u = null,
         ?array $x5c = null,
         ?string $x5t = null,
-        ?string $x5ts256 = null
+        ?string $x5ts256 = null,
+        ?string $kid = null
     ) {
         $this->kty = $kty;
         $this->data = $data;
@@ -144,6 +151,7 @@ public function __construct(
         $this->x5c = $x5c;
         $this->x5t = $x5t;
         $this->x5ts256 = $x5ts256;
+        $this->kid = $kid;
     }
 
     /**
@@ -226,6 +234,16 @@ public function getX509Sha256Thumbprint(): ?string
         return $this->x5ts256;
     }
 
+    /**
+     * "kid" parameter.
+     *
+     * @return string|null
+     */
+    public function getKeyId(): ?string
+    {
+        return $this->kid;
+    }
+
     /**
      * Map with algorithm (type) specific data.
      *
@@ -251,7 +269,8 @@ public function getJsonData(): array
             'x5u' => $this->getX509Url(),
             'x5c' => $this->getX509CertificateChain(),
             'x5t' => $this->getX509Sha1Thumbprint(),
-            'x5t#S256' => $this->getX509Sha256Thumbprint()
+            'x5t#S256' => $this->getX509Sha256Thumbprint(),
+            'kid' => $this->getKeyId()
         ];
         $data = array_merge($data, $this->getAlgoData());
 

lib/internal/Magento/Framework/Jwt/JwkFactory.php

@@ -19,6 +19,50 @@ class JwkFactory
         '1.3.132.0.35' => ['name' => 'P-521', 'bits' => 512]
     ];
 
+    /**
+     * Create JWK object from key data.
+     *
+     * @param array $data
+     * @return Jwk
+     */
+    public function createFromData(array $data): Jwk
+    {
+        if (!array_key_exists('kty', $data)) {
+            throw new \InvalidArgumentException('Missing key type in JWK data (kty)');
+        }
+        $kty = $data['kty'];
+        unset($data['kty']);
+        $use = array_key_exists('use', $data) ? $data['use'] : null;
+        unset($data['use']);
+        $keyOps = array_key_exists('key_ops', $data) ? $data['key_ops'] : null;
+        unset($data['key_ops']);
+        $alg = array_key_exists('alg', $data) ? $data['alg'] : null;
+        unset($data['alg']);
+        $x5u = array_key_exists('x5u', $data) ? $data['x5u'] : null;
+        unset($data['use']);
+        $x5c = array_key_exists('x5c', $data) ? $data['x5c'] : null;
+        unset($data['x5c']);
+        $x5t = array_key_exists('x5t', $data) ? $data['x5t'] : null;
+        unset($data['x5t']);
+        $x5tS256 = array_key_exists('x5t#S256', $data) ? $data['x5t#S256'] : null;
+        unset($data['x5t#S256']);
+        $kid = array_key_exists('kid', $data) ? $data['kid'] : null;
+        unset($data['kid']);
+
+        return new Jwk(
+            $kty,
+            $data,
+            $use,
+            $keyOps,
+            $alg,
+            $x5u,
+            $x5c,
+            $x5t,
+            $x5tS256,
+            $kid
+        );
+    }
+
     /**
      * Create JWK for signatures generated with HMAC and SHA256
      *
@@ -190,6 +234,75 @@ public function createVerifyEs512(string $publicKey): Jwk
         return $this->createVerifyEs(512, $publicKey);
     }
 
+    /**
+     * Create JWK to sign JWS with RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignPs256(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignPs(256, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with RSASSA-PSS using SHA-256 and MGF1 with SHA-256.
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyPs256(string $publicKey): Jwk
+    {
+        return $this->createVerifyPs(256, $publicKey);
+    }
+
+    /**
+     * Create JWK to sign JWS with RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignPs384(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignPs(384, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with RSASSA-PSS using SHA-384 and MGF1 with SHA-384.
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyPs384(string $publicKey): Jwk
+    {
+        return $this->createVerifyPs(384, $publicKey);
+    }
+
+    /**
+     * Create JWK to sign JWS with RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
+     *
+     * @param string $privateKey
+     * @param string|null $passPhrase
+     * @return Jwk
+     */
+    public function createSignPs512(string $privateKey, ?string $passPhrase): Jwk
+    {
+        return $this->createSignPs(512, $privateKey, $passPhrase);
+    }
+
+    /**
+     * Create JWK to verify JWS signed with RSASSA-PSS using SHA-512 and MGF1 with SHA-512.
+     *
+     * @param string $publicKey
+     * @return Jwk
+     */
+    public function createVerifyPs512(string $publicKey): Jwk
+    {
+        return $this->createVerifyPs(512, $publicKey);
+    }
+
     private function createHmac(int $bits, string $key): Jwk
     {
         if (strlen($key) < 128) {
@@ -261,6 +374,22 @@ private function createVerifyRsa(int $bits, string $key): Jwk
         );
     }
 
+    private function createSignPs(int $bits, string $key, ?string $pass): Jwk
+    {
+        $data = $this->createSignRsa($bits, $key, $pass)->getJsonData();
+        $data['alg'] = 'PS' .$bits;
+
+        return $this->createFromData($data);
+    }
+
+    private function createVerifyPs(int $bits, string $key): Jwk
+    {
+        $data = $this->createVerifyRsa($bits, $key)->getJsonData();
+        $data['alg'] = 'PS' .$bits;
+
+        return $this->createFromData($data);
+    }
+
     private function createSignEs(int $bits, string $key, ?string $pass): Jwk
     {
         $resource = openssl_get_privatekey($key, (string)$pass);