Allow users to lock their app into an algorithm.

sarciszewski · sarciszewski · commit ec013c9b275a · 2015-04-01T02:42:13.000-04:00
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
@@ -15,6 +15,8 @@
  */
 class JWT
 {
+    public static $only_method = 'HS256';
+    
     public static $methods = array(
         'HS256' => array('hash_hmac', 'SHA256'),
         'HS512' => array('hash_hmac', 'SHA512'),
@@ -173,6 +175,11 @@ public static function verify($msg, $signature, $key, $method = 'HS256')
         if (empty(self::$methods[$method])) {
             throw new DomainException('Algorithm not supported');
         }
+        if (self::$only_method === null) {
+            throw new DomainException('Algorithm not specified');
+        } elseif ($method !== self::$only_method) {
+            throw new DomainException('Incorrect algorithm error');
+        }
         list($function, $algo) = self::$methods[$method];
         switch($function) {
             case 'openssl':
@@ -299,4 +306,22 @@ private static function handleJsonError($errno)
             : 'Unknown JSON error: ' . $errno
         );
     }
+    
+    /**
+     * Set the only allowed method for this server.
+     * 
+     * @ref https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
+     * 
+     * @param string $method array index in self::$methods
+     * 
+     * @return boolean
+     */
+    public static function setOnlyAllowedMethod($method)
+    {
+        if (!empty(self::$methods[$method])) {
+            self::$only_method = $method;
+            return true;
+        }
+        return false;
+    }
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -102,6 +102,7 @@ public function testRSEncodeDecode()
         $privKey = openssl_pkey_new(array('digest_alg' => 'sha256',
             'private_key_bits' => 1024,
             'private_key_type' => OPENSSL_KEYTYPE_RSA));
+        JWT::setOnlyAllowedMethod('RS256');
         $msg = JWT::encode('abc', $privKey, 'RS256');
         $pubKey = openssl_pkey_get_details($privKey);
         $pubKey = $pubKey['key'];
@@ -112,6 +113,7 @@ public function testRSEncodeDecode()
     public function testKIDChooser()
     {
         $keys = array('1' => 'my_key', '2' => 'my_key2');
+        JWT::setOnlyAllowedMethod('HS256');
         $msg = JWT::encode('abc', $keys['1'], 'HS256', '1');
         $decoded = JWT::decode($msg, $keys, true);
         $this->assertEquals($decoded, 'abc');
