d8/dfb/_jwt_utils_8php_source.html

<?php


/*

 *

 *  ____            _        _   __  __ _                  __  __ ____

 * |  _ \ ___   ___| | _____| |_|  \/  (_)_ __   ___      |  \/  |  _ \

 * | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |

 * |  __/ (_) | (__|   <  __/ |_| |  | | | | | |  __/_____| |  | |  __/

 * |_|   \___/ \___|_|\_\___|\__|_|  |_|_|_| |_|\___|     |_|  |_|_|

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU Lesser General Public License as published by

 * the Free Software Foundation, either version 3 of the License, or

 * (at your option) any later version.

 *

 * @author PocketMine Team

 * @link http://www.pocketmine.net/

 *

 *

 */


declare(strict_types=1);


namespace pocketmine\network\mcpe;


use pmmp\encoding\BE;

use pmmp\encoding\Byte;

use pmmp\encoding\ByteBufferReader;

use pocketmine\utils\AssumptionFailedError;

use pocketmine\utils\Utils;

use function base64_decode;

use function base64_encode;

use function bin2hex;

use function chr;

use function count;

use function explode;

use function hex2bin;

use function is_array;

use function json_decode;

use function json_encode;

use function json_last_error_msg;

use function ltrim;

use function openssl_error_string;

use function openssl_pkey_get_details;

use function openssl_pkey_get_public;

use function openssl_sign;

use function openssl_verify;

use function ord;

use function preg_match;

use function rtrim;

use function sprintf;

use function str_pad;

use function str_repeat;

use function str_replace;

use function str_split;

use function strlen;

use function strtr;

use function substr;

use const JSON_THROW_ON_ERROR;

use const OPENSSL_ALGO_SHA256;

use const OPENSSL_ALGO_SHA384;

use const STR_PAD_LEFT;


final class JwtUtils{

    public const BEDROCK_SIGNING_KEY_CURVE_NAME = "secp384r1";


    private const ASN1_INTEGER_TAG = "\x02";

    private const ASN1_SEQUENCE_TAG = "\x30";


    private const SIGNATURE_PART_LENGTH = 48;

    private const SIGNATURE_ALGORITHM = OPENSSL_ALGO_SHA384;


    public static function split(string $jwt) : array{

        //limit of 4 allows us to detect too many parts without having to split the string up into a potentially large

        //number of parts

        $v = explode(".", $jwt, limit: 4);

        if(count($v) !== 3){

            throw new JwtException("Expected exactly 3 JWT parts delimited by a period");

        }

        return [$v[0], $v[1], $v[2]]; //workaround phpstan bug

    }


    public static function parse(string $token) : array{

        $v = self::split($token);

        $header = json_decode(self::b64UrlDecode($v[0]), true);

        if(!is_array($header)){

            throw new JwtException("Failed to decode JWT header JSON: " . json_last_error_msg());

        }

        $body = json_decode(self::b64UrlDecode($v[1]), true);

        if(!is_array($body)){

            throw new JwtException("Failed to decode JWT payload JSON: " . json_last_error_msg());

        }

        $signature = self::b64UrlDecode($v[2]);

        return [$header, $body, $signature];

    }


    private static function signaturePartToAsn1(string $part) : string{

        if(strlen($part) !== self::SIGNATURE_PART_LENGTH){

            throw new JwtException("R and S for a SHA384 signature must each be exactly 48 bytes, but have " . strlen($part) . " bytes");

        }

        $part = ltrim($part, "\x00");

        if(ord($part[0]) >= 128){

            //ASN.1 integers with a leading 1 bit are considered negative - add a leading 0 byte to prevent this

            //ECDSA signature R and S values are always positive

            $part = "\x00" . $part;

        }


        //we can assume the length is 1 byte here - if it were larger than 127, more complex logic would be needed

        return self::ASN1_INTEGER_TAG . chr(strlen($part)) . $part;

    }


    private static function rawSignatureToDer(string $rawSignature) : string{

        if(strlen($rawSignature) !== self::SIGNATURE_PART_LENGTH * 2){

            throw new JwtException("JWT signature has unexpected length, expected 96, got " . strlen($rawSignature));

        }


        [$rString, $sString] = str_split($rawSignature, self::SIGNATURE_PART_LENGTH);

        $sequence = self::signaturePartToAsn1($rString) . self::signaturePartToAsn1($sString);


        //we can assume the length is 1 byte here - if it were larger than 127, more complex logic would be needed

        return self::ASN1_SEQUENCE_TAG . chr(strlen($sequence)) . $sequence;

    }


    private static function signaturePartFromAsn1(ByteBufferReader $stream) : string{

        $prefix = $stream->readByteArray(1);

        if($prefix !== self::ASN1_INTEGER_TAG){

            throw new \InvalidArgumentException("Expected an ASN.1 INTEGER tag, got " . bin2hex($prefix));

        }

        //we can assume the length is 1 byte here - if it were larger than 127, more complex logic would be needed

        $length = Byte::readUnsigned($stream);

        if($length > self::SIGNATURE_PART_LENGTH + 1){ //each part may have an extra leading 0 byte to prevent it being interpreted as a negative number

            throw new \InvalidArgumentException("Expected at most 49 bytes for signature R or S, got $length");

        }

        $part = $stream->readByteArray($length);

        return str_pad(ltrim($part, "\x00"), self::SIGNATURE_PART_LENGTH, "\x00", STR_PAD_LEFT);

    }


    private static function rawSignatureFromDer(string $derSignature) : string{

        if($derSignature[0] !== self::ASN1_SEQUENCE_TAG){

            throw new \InvalidArgumentException("Invalid DER signature, expected ASN.1 SEQUENCE tag, got " . bin2hex($derSignature[0]));

        }


        //we can assume the length is 1 byte here - if it were larger than 127, more complex logic would be needed

        $length = ord($derSignature[1]);

        $parts = substr($derSignature, 2, $length);

        if(strlen($parts) !== $length){

            throw new \InvalidArgumentException("Invalid DER signature, expected $length sequence bytes, got " . strlen($parts));

        }


        $stream = new ByteBufferReader($parts);

        $rRaw = self::signaturePartFromAsn1($stream);

        $sRaw = self::signaturePartFromAsn1($stream);


        if($stream->getUnreadLength() > 0){

            throw new \InvalidArgumentException("Invalid DER signature, unexpected trailing sequence data");

        }


        return $rRaw . $sRaw;

    }


    public static function verify(string $jwt, string $signingKeyDer, bool $ec) : bool{

        [$header, $body, $signature] = self::split($jwt);


        $rawSignature = self::b64UrlDecode($signature);

        $derSignature = $ec ? self::rawSignatureToDer($rawSignature) : $rawSignature;


        $v = openssl_verify(

            $header . '.' . $body,

            $derSignature,

            self::derPublicKeyToPem($signingKeyDer),

            $ec ? self::SIGNATURE_ALGORITHM : OPENSSL_ALGO_SHA256

        );

        switch($v){

            case 0: return false;

            case 1: return true;

            case -1: throw new JwtException("Error verifying JWT signature: " . openssl_error_string());

            default: throw new AssumptionFailedError("openssl_verify() should only return -1, 0 or 1");

        }

    }


    public static function create(array $header, array $claims, \OpenSSLAsymmetricKey $signingKey) : string{

        $jwtBody = JwtUtils::b64UrlEncode(json_encode($header, JSON_THROW_ON_ERROR)) . "." . JwtUtils::b64UrlEncode(json_encode($claims, JSON_THROW_ON_ERROR));


        openssl_sign(

            $jwtBody,

            $derSignature,

            $signingKey,

            self::SIGNATURE_ALGORITHM

        );


        $rawSignature = self::rawSignatureFromDer($derSignature);

        $jwtSig = self::b64UrlEncode($rawSignature);


        return "$jwtBody.$jwtSig";

    }


    public static function b64UrlEncode(string $str) : string{

        return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');

    }


    public static function b64UrlDecode(string $str) : string{

        if(($len = strlen($str) % 4) !== 0){

            $str .= str_repeat('=', 4 - $len);

        }

        $decoded = base64_decode(strtr($str, '-_', '+/'), true);

        if($decoded === false){

            throw new JwtException("Malformed base64url encoded payload could not be decoded");

        }

        return $decoded;

    }


    public static function emitDerPublicKey(\OpenSSLAsymmetricKey $opensslKey) : string{

        $details = Utils::assumeNotFalse(openssl_pkey_get_details($opensslKey), "Failed to get details from OpenSSL key resource");

        $pemKey = $details['key'];

        if(preg_match("@^-----BEGIN[A-Z\d ]+PUBLIC KEY-----\n([A-Za-z\d+/\n]+)\n-----END[A-Z\d ]+PUBLIC KEY-----\n$@", $pemKey, $matches) === 1){

            $derKey = base64_decode(str_replace("\n", "", $matches[1]), true);

            if($derKey !== false){

                return $derKey;

            }

        }

        throw new AssumptionFailedError("OpenSSL resource contains invalid public key");

    }


    private static function encodeDerLength(int $length) : string{

        if ($length <= 0x7F) {

            return chr($length);

        }


        $lengthBytes = ltrim(BE::packUnsignedInt($length), "\x00");


        return chr(0x80 | strlen($lengthBytes)) . $lengthBytes;

    }


    private static function encodeDerBytes(int $tag, string $data) : string{

        return chr($tag) . self::encodeDerLength(strlen($data)) . $data;

    }


    public static function parseDerPublicKey(string $derKey) : \OpenSSLAsymmetricKey{

        $signingKeyOpenSSL = openssl_pkey_get_public(self::derPublicKeyToPem($derKey));

        if($signingKeyOpenSSL === false){

            throw new JwtException("OpenSSL failed to parse key: " . openssl_error_string());

        }

        return $signingKeyOpenSSL;

    }


    public static function derPublicKeyToPem(string $derKey) : string{

        return sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n", base64_encode($derKey));

    }


    public static function rsaPublicKeyModExpToDer(string $nBase64, string $eBase64) : string{

        $mod = self::b64UrlDecode($nBase64);

        $exp = self::b64UrlDecode($eBase64);


        $modulus = self::encodeDerBytes(2, $mod);

        $publicExponent = self::encodeDerBytes(2, $exp);


        $rsaPublicKey = self::encodeDerBytes(48, $modulus . $publicExponent);


        // sequence(oid(1.2.840.113549.1.1.1), null)) = rsaEncryption.

        $rsaOID = hex2bin('300d06092a864886f70d0101010500'); // hex version of MA0GCSqGSIb3DQEBAQUA

        $rsaPublicKey = chr(0) . $rsaPublicKey;

        $rsaPublicKey = self::encodeDerBytes(3, $rsaPublicKey);


        return self::encodeDerBytes(48, $rsaOID . $rsaPublicKey);

    }


}


pocketmine\network\mcpe\JwtException
Definition JwtException.php:26

pocketmine\network\mcpe\JwtUtils
Definition JwtUtils.php:64

pocketmine\network\mcpe\JwtUtils\split
static split(string $jwt)
Definition JwtUtils.php:78

pocketmine\network\mcpe\JwtUtils\verify
static verify(string $jwt, string $signingKeyDer, bool $ec)
Definition JwtUtils.php:177

pocketmine\network\mcpe\JwtUtils\rsaPublicKeyModExpToDer
static rsaPublicKeyModExpToDer(string $nBase64, string $eBase64)
Definition JwtUtils.php:281

pocketmine\network\mcpe\JwtUtils\create
static create(array $header, array $claims, \OpenSSLAsymmetricKey $signingKey)
Definition JwtUtils.php:201

pocketmine\network\mcpe\JwtUtils\parse
static parse(string $token)
Definition JwtUtils.php:96

pocketmine\utils\AssumptionFailedError
Definition AssumptionFailedError.php:31

pocketmine\utils\Utils
Definition Utils.php:105