Merge pull request #563 from web-token/temp-ac4d6f

Merge-up 3.4.x to 4.0.x

.github/workflows/gitsplit.yml

@@ -1,10 +1,8 @@
 name: gitsplit
 on:
   push:
-    tags:
-      - '*'
-  release:
-    types: [published]
+    branches:
+      - "*.x"
 
 jobs:
   gitsplit:

README.md

@@ -26,7 +26,7 @@ Or
 
 # Contributing
 
-Requests for new features, bug fixed and all other ideas to make this library useful are welcome. [Please follow these best practices](doc/Contributing.md).
+Requests for new features, bug fixed and all other ideas to make this library useful are welcome. [Please follow these best practices](.github/CONTRIBUTING.md).
 
 If you discover a security vulnerability within the project, please **don't use the bug tracker and don't publish it publicly**.
 Instead, all security issues must be sent to security [at] spomky-labs.com.

src/Bundle/Routing/JWKSetLoader.php

@@ -32,13 +32,13 @@ public function add(string $pattern, string $name): void
     }
 
     #[Override]
-    public function load(mixed $resource, string $type = null): RouteCollection
+    public function load(mixed $resource, ?string $type = null): RouteCollection
     {
         return $this->routes;
     }
 
     #[Override]
-    public function supports(mixed $resource, string $type = null): bool
+    public function supports(mixed $resource, ?string $type = null): bool
     {
         return $type === 'jwkset';
     }

src/Bundle/Serializer/JWESerializer.php

@@ -36,15 +36,19 @@ public function getSupportedTypes(?string $format): array
     }
 
     #[Override]
-    public function supportsDenormalization(mixed $data, string $type, string $format = null, array $context = []): bool
-    {
+    public function supportsDenormalization(
+        mixed $data,
+        string $type,
+        ?string $format = null,
+        array $context = []
+    ): bool {
         return $type === JWE::class
             && class_exists(JWESerializerManager::class)
             && $this->formatSupported($format);
     }
 
     #[Override]
-    public function denormalize(mixed $data, string $type, string $format = null, array $context = []): JWE
+    public function denormalize(mixed $data, string $type, ?string $format = null, array $context = []): JWE
     {
         if ($data instanceof JWE === false) {
             throw new LogicException('Expected data to be a JWE.');

src/Bundle/Serializer/JWSSerializer.php

@@ -36,15 +36,19 @@ public function getSupportedTypes(?string $format): array
     }
 
     #[Override]
-    public function supportsDenormalization(mixed $data, string $type, string $format = null, array $context = []): bool
-    {
+    public function supportsDenormalization(
+        mixed $data,
+        string $type,
+        ?string $format = null,
+        array $context = []
+    ): bool {
         return $type === JWS::class
             && class_exists(JWSSerializerManager::class)
             && $this->formatSupported($format);
     }
 
     #[Override]
-    public function denormalize(mixed $data, string $type, string $format = null, array $context = []): JWS
+    public function denormalize(mixed $data, string $type, ?string $format = null, array $context = []): JWS
     {
         if ($data instanceof JWS === false) {
             throw new LogicException('Expected data to be a JWS.');

src/Bundle/Services/JWEDecrypter.php

@@ -28,7 +28,7 @@ public function decryptUsingKeySet(
         JWE &$jwe,
         JWKSet $jwkset,
         int $recipient,
-        JWK &$jwk = null,
+        ?JWK &$jwk = null,
         ?JWK $senderKey = null
     ): bool {
         $success = parent::decryptUsingKeySet($jwe, $jwkset, $recipient, $jwk, $senderKey);

src/Bundle/Services/JWSVerifier.php

@@ -29,7 +29,7 @@ public function verifyWithKeySet(
         JWKSet $jwkset,
         int $signatureIndex,
         ?string $detachedPayload = null,
-        JWK &$jwk = null
+        ?JWK &$jwk = null
     ): bool {
         $success = parent::verifyWithKeySet($jws, $jwkset, $signatureIndex, $detachedPayload, $jwk);
         if ($success) {

src/Library/Console/KeyAnalyzerCommand.php

@@ -23,7 +23,7 @@ final class KeyAnalyzerCommand extends Command
 {
     public function __construct(
         private readonly KeyAnalyzerManager $analyzerManager,
-        string $name = null
+        ?string $name = null
     ) {
         parent::__construct($name);
     }

src/Library/Console/KeysetAnalyzerCommand.php

@@ -26,7 +26,7 @@ final class KeysetAnalyzerCommand extends Command
     public function __construct(
         private readonly KeysetAnalyzerManager $keysetAnalyzerManager,
         private readonly KeyAnalyzerManager $keyAnalyzerManager,
-        string $name = null
+        ?string $name = null
     ) {
         parent::__construct($name);
     }

src/Library/Encryption/JWEDecrypter.php

@@ -85,7 +85,7 @@ public function decryptUsingKeySet(
         JWE &$jwe,
         JWKSet $jwkset,
         int $recipient,
-        JWK &$jwk = null,
+        ?JWK &$jwk = null,
         ?JWK $senderKey = null
     ): bool {
         if ($jwkset->count() === 0) {
@@ -112,7 +112,7 @@ private function decryptRecipientKey(
         JWE $jwe,
         JWKSet $jwkset,
         int $i,
-        JWK &$successJwk = null,
+        ?JWK &$successJwk = null,
         ?JWK $senderKey = null
     ): ?string {
         $recipient = $jwe->getRecipient($i);

src/Library/KeyManagement/KeyConverter/KeyConverter.php

@@ -396,7 +396,11 @@ private static function getCurve(string $oid): string
      */
     private static function sanitizePEM(string &$pem): void
     {
-        preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
+        $number = preg_match_all('#(-.*-)#', $pem, $matches, PREG_PATTERN_ORDER);
+        if ($number !== 2) {
+            throw new InvalidArgumentException('Unable to load the key');
+        }
+
         $ciphertext = preg_replace('#-.*-|\r|\n| #', '', $pem);
 
         $pem = $matches[0][0] . PHP_EOL;

src/Library/Signature/JWSVerifier.php

@@ -59,7 +59,7 @@ public function verifyWithKeySet(
         JWKSet $jwkset,
         int $signatureIndex,
         ?string $detachedPayload = null,
-        JWK &$jwk = null
+        ?JWK &$jwk = null
     ): bool {
         if ($jwkset->count() === 0) {
             throw new InvalidArgumentException('There is no key in the key set.');
@@ -78,7 +78,7 @@ private function verifySignature(
         JWKSet $jwkset,
         Signature $signature,
         ?string $detachedPayload = null,
-        JWK &$successJwk = null
+        ?JWK &$successJwk = null
     ): bool {
         $input = $this->getInputToVerify($jws, $signature, $detachedPayload);
         $algorithm = $this->getAlgorithm($signature);

tests/Component/KeyManagement/Keys/ECKeysTest.php

@@ -208,6 +208,31 @@ public function loadEncryptedPrivateEC512Key(): void
         ]);
     }
 
+    #[Test]
+    public function loadInvalidPEMKey(): void
+    {
+        // Then
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Unable to load the key');
+
+        // Given
+        $private_pem = trim(<<<PEM
+MIIB0jCCAXegAwIBAgIJAK2o1kQ5JwpUMAoGCCqGSM49BAMCMEUxCzAJBgNVBAYT
+AkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRn
+aXRzIFB0eSBMdGQwHhcNMTUxMTA4MTUxMTU2WhcNMTYxMTA3MTUxMTU2WjBFMQsw
+CQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExEsr
+/55aqgFXdrbRNz1/WSNI8UaSUxCka2kGEN1bXsJIzjkeyv12dRHo7H5OmY2/Z9sN
+fgKhWj7elq0xSlcA0KNQME4wHQYDVR0OBBYEFKIGgCZoS388STT0qjoX/swKYBXh
+MB8GA1UdIwQYMBaAFKIGgCZoS388STT0qjoX/swKYBXhMAwGA1UdEwQFMAMBAf8w
+CgYIKoZIzj0EAwIDSQAwRgIhAK5OqQoBGR/pj2NOb+PyRKK4k4d3Muj9z/6LsJK+
+kkgUAiEA+FY4SWKv4mfe0gsOBId0Aah/HtVZxDBe3bCXOQM8MMM=
+PEM);
+
+        // When
+        KeyConverter::loadFromKey($private_pem, 'test');
+    }
+
     #[Test]
     public function convertPrivateKeyToPublic(): void
     {