implement small encryption key tests

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Controller/ApiController.php

@@ -94,8 +94,8 @@ public function deleteUser(string $userId): DataResponse {
 	public function getJwks(): JSONResponse {
 		try {
 			$jwks = $this->jwkService->getJwks();
-//			return new JSONResponse(['keys' => $jwks]);
-			 return new JSONResponse($this->jwkService->debug());
+			return new JSONResponse(['keys' => $jwks]);
+			// return new JSONResponse($this->jwkService->debug());
 		} catch (\Exception|\Throwable $e) {
 			return new JSONResponse(['error' => $e->getMessage()], Http::STATUS_INTERNAL_SERVER_ERROR);
 		}

lib/Service/JwkService.php

@@ -23,10 +23,14 @@ class JwkService {
 	public const PEM_SIG_KEY_SETTINGS_KEY = 'pemSignatureKey';
 	public const PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY = 'pemSignatureKeyExpiresAt';
 	public const PEM_SIG_KEY_EXPIRES_IN_SECONDS = 60 * 60;
+	public const PEM_SIG_KEY_ALGORITHM = 'ES384';
+	public const PEM_SIG_KEY_CURVE = 'P-384';
 
 	public const PEM_ENC_KEY_SETTINGS_KEY = 'pemEncryptionKey';
 	public const PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY = 'pemEncryptionKeyExpiresAt';
 	public const PEM_ENC_KEY_EXPIRES_IN_SECONDS = 60 * 60;
+	public const PEM_ENC_KEY_ALGORITHM = 'ECDH-ES+A192KW';
+	public const PEM_ENC_KEY_CURVE = 'P-384';
 
 	public function __construct(
 		private IAppConfig $appConfig,
@@ -127,10 +131,10 @@ public function getJwkFromSslKey(array $sslKeyDetails, bool $isEncryptionKey = f
 			'kty' => 'EC',
 			'use' => $isEncryptionKey ? 'enc' : 'sig',
 			'kid' => ($isEncryptionKey ? 'enc' : 'sig') . '_key_' . $pemPrivateKeyExpiresAt,
-			'crv' => 'P-384',
+			'crv' => $isEncryptionKey ? self::PEM_ENC_KEY_CURVE : self::PEM_SIG_KEY_CURVE,
 			'x' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['x']), '+/', '-_'), '='),
 			'y' => \rtrim(\strtr(\base64_encode($sslKeyDetails['ec']['y']), '+/', '-_'), '='),
-			'alg' => $isEncryptionKey ? 'ECDH-ES+A192KW' : 'ES384',
+			'alg' => $isEncryptionKey ? self::PEM_ENC_KEY_ALGORITHM : self::PEM_SIG_KEY_ALGORITHM,
 		];
 		return $jwk;
 	}
@@ -185,7 +189,7 @@ public function generateClientAssertion(Provider $provider, string $discoveryIss
 			$payload['code'] = $code;
 		}
 
-		return $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, 'ES384');
+		return $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, self::PEM_SIG_KEY_ALGORITHM);
 	}
 
 	public function debug(): array {
@@ -196,11 +200,11 @@ public function debug(): array {
 
 		$payload = ['lll' => 'aaa'];
 		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
-		$signedJwtToken = $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, 'ES384');
+		$signedJwtToken = $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, self::PEM_SIG_KEY_ALGORITHM);
 
 		// check content of JWT
 		$rawJwks = ['keys' => [$this->getJwkFromSslKey($pubKey)]];
-		$jwks = JWK::parseKeySet($rawJwks, 'ES384');
+		$jwks = JWK::parseKeySet($rawJwks, self::PEM_SIG_KEY_ALGORITHM);
 		$jwtPayload = JWT::decode($signedJwtToken, $jwks);
 		$jwtPayloadArray = json_decode(json_encode($jwtPayload), true);
 

tests/unit/Service/JwkServiceTest.php

@@ -41,19 +41,19 @@ public function testSignatureKeyAndJwt() {
 		$initialPayload = ['nice' => 'example'];
 		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(JwkService::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
 		$jwkId = 'sig_key_' . $pemPrivateKeyExpiresAt;
-		$signedJwtToken = $this->jwkService->createJwt($initialPayload, $sslPrivateKey, $jwkId, 'ES384');
+		$signedJwtToken = $this->jwkService->createJwt($initialPayload, $sslPrivateKey, $jwkId, JwkService::PEM_SIG_KEY_ALGORITHM);
 
 		// check JWK
 		$jwk = $this->jwkService->getJwkFromSslKey($pubKey);
 		$this->assertEquals('EC', $jwk['kty']);
 		$this->assertEquals('sig', $jwk['use']);
 		$this->assertEquals($jwkId, $jwk['kid']);
-		$this->assertEquals('P-384', $jwk['crv']);
-		$this->assertEquals('ES384', $jwk['alg']);
+		$this->assertEquals(JwkService::PEM_SIG_KEY_CURVE, $jwk['crv']);
+		$this->assertEquals(JwkService::PEM_SIG_KEY_ALGORITHM, $jwk['alg']);
 
 		// check content of JWT
 		$rawJwks = ['keys' => [$jwk]];
-		$jwks = JWK::parseKeySet($rawJwks, 'ES384');
+		$jwks = JWK::parseKeySet($rawJwks, JwkService::PEM_SIG_KEY_ALGORITHM);
 		$jwtPayload = JWT::decode($signedJwtToken, $jwks);
 		$jwtPayloadArray = json_decode(json_encode($jwtPayload), true);
 		$this->assertEquals($initialPayload, $jwtPayloadArray);
@@ -62,7 +62,23 @@ public function testSignatureKeyAndJwt() {
 		$jwtParts = explode('.', $signedJwtToken, 3);
 		$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
 		$this->assertEquals('JWT', $jwtHeader['typ']);
-		$this->assertEquals('ES384', $jwtHeader['alg']);
+		$this->assertEquals(JwkService::PEM_SIG_KEY_ALGORITHM, $jwtHeader['alg']);
 		$this->assertEquals($jwkId, $jwtHeader['kid']);
 	}
+
+	public function testEncryptionKey() {
+		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey();
+		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
+		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
+		$encJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true);
+
+		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(JwkService::PEM_ENC_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
+		$encJwkId = 'enc_key_' . $pemPrivateKeyExpiresAt;
+
+		$this->assertEquals('EC', $encJwk['kty']);
+		$this->assertEquals('enc', $encJwk['use']);
+		$this->assertEquals($encJwkId, $encJwk['kid']);
+		$this->assertEquals(JwkService::PEM_ENC_KEY_CURVE, $encJwk['crv']);
+		$this->assertEquals(JwkService::PEM_ENC_KEY_ALGORITHM, $encJwk['alg']);
+	}
 }