@@ -31,7 +31,7 @@ class JWT
3131 private const ASN1_SEQUENCE = 0x10 ;
3232 private const ASN1_BIT_STRING = 0x03 ;
3333
34- private const RSA_KEY_MIN_LENGTH = 2048 ;
34+ private const RSA_KEY_MIN_LENGTH = 2048 ;
3535
3636 /**
3737 * When checking nbf, iat or expiration times,
@@ -284,7 +284,11 @@ public static function sign(
284284 }
285285 return $ signature ;
286286 case 'sodium_crypto ' :
287- return self ::parseEdDSA ($ msg , $ key );
287+ try {
288+ return sodium_crypto_sign_detached ($ msg , self ::validateEdDSAKey ($ key ));
289+ } catch (Exception $ e ) {
290+ throw new DomainException ($ e ->getMessage (), 0 , $ e );
291+ }
288292 }
289293
290294 throw new DomainException ('Algorithm not supported ' );
@@ -336,7 +340,15 @@ private static function verify(
336340 'OpenSSL error: ' . \openssl_error_string ()
337341 );
338342 case 'sodium_crypto ' :
339- return self ::parseEdDSA ($ msg , $ keyMaterial , $ signature );
343+ try {
344+ $ key = self ::validateEdDSAKey ($ keyMaterial );
345+ if (\strlen ($ signature ) === 0 ) {
346+ throw new DomainException ('Signature cannot be empty string ' );
347+ }
348+ return sodium_crypto_sign_verify_detached ($ signature , $ msg , $ key );
349+ } catch (Exception $ e ) {
350+ throw new DomainException ($ e ->getMessage (), 0 , $ e );
351+ }
340352 case 'hash_hmac ' :
341353 default :
342354 if (!\is_string ($ keyMaterial )) {
@@ -438,7 +450,6 @@ public static function urlsafeB64Encode(string $input): string
438450 return \str_replace ('= ' , '' , \strtr (\base64_encode ($ input ), '+/ ' , '-_ ' ));
439451 }
440452
441-
442453 /**
443454 * Determine if an algorithm has been provided for each Key
444455 *
@@ -711,32 +722,24 @@ private static function validateEcKeyLength(
711722 }
712723 }
713724
714- private static function parseEdDSA (
715- string $ msg ,
716- #[\SensitiveParameter] $ keyMaterial ,
717- ?string $ signature = null
718- ) {
725+ /**
726+ * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate $keyMaterial
727+ * @return non-empty-string
728+ */
729+ private static function validateEdDSAKey (#[\SensitiveParameter] $ keyMaterial ): string
730+ {
719731 if (!\function_exists ('sodium_crypto_sign_verify_detached ' )) {
720732 throw new DomainException ('libsodium is not available ' );
721733 }
722734 if (!\is_string ($ keyMaterial )) {
723735 throw new InvalidArgumentException ('key must be a string when using EdDSA ' );
724736 }
725- try {
726- // The last non-empty line is used as the key.
727- $ lines = array_filter (explode ("\n" , $ keyMaterial ));
728- $ key = self ::urlsafeB64Decode ((string ) end ($ lines ));
729- if (\strlen ($ key ) === 0 ) {
730- throw new DomainException ('Key cannot be empty string ' );
731- }
732- if (!is_null ($ signature ) && \strlen ($ signature ) === 0 ) {
733- throw new DomainException ('Signature cannot be empty string ' );
734- }
735- return $ signature
736- ? sodium_crypto_sign_verify_detached ($ signature , $ msg , $ key )
737- : sodium_crypto_sign_detached ($ msg , $ key );
738- } catch (Exception $ e ) {
739- throw new DomainException ($ e ->getMessage (), 0 , $ e );
737+ // The last non-empty line is used as the key.
738+ $ lines = array_filter (explode ("\n" , $ keyMaterial ));
739+ $ key = self ::urlsafeB64Decode ((string ) end ($ lines ));
740+ if (\strlen ($ key ) === 0 ) {
741+ throw new DomainException ('Key cannot be empty string ' );
740742 }
743+ return $ key ;
741744 }
742745}
0 commit comments