Merge release 3.1.0 into 4.0.x

.gitattributes

@@ -1,10 +1,18 @@
 * text=auto
 
+/.github export-ignore
+/packs export-ignore
 /performance export-ignore
+/tests export-ignore
+/.editorconfig export-ignore
 /.gitattributes export-ignore
 /.gitignore export-ignore
-/.scrutinizer.yml export-ignore
-/.travis.yml export-ignore
+/.gitsplit.yml export-ignore
+/CODE_OF_CONDUCT.md export-ignore
+/ecs.php export-ignore
+/infection.json export-ignore
+/Makefile export-ignore
 /phpbench.json export-ignore
+/phpstan.neon export-ignore
 /phpunit.xml.dist export-ignore
-/README.md export-ignore
+/rector.php export-ignore

.github/dependabot.yml

@@ -1,8 +1,19 @@
 version: 2
 updates:
-- package-ecosystem: composer
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "11:00"
-  open-pull-requests-limit: 10
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "friday"
+    versioning-strategy: "widen"
+    open-pull-requests-limit: 20
+    allow:
+      - dependency-type: all
+    labels: ["Dependencies"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 20
+    labels: ["Dependencies"]

.github/stale.yml

@@ -1,4 +1,4 @@
-daysUntilStale: 60
+daysUntilStale: 30
 daysUntilClose: 7
 staleLabel: wontfix
 markComment: >

.gitignore

@@ -1,14 +1,12 @@
 .phpbench
 .phpunit.result.cache
-.travis/phar-private.pem
 jose.phar
 jose.phar.pubkey
 jose.phar.version
-.travis/build-key.pem
-.travis/secrets.tar
 report.md
 composer.lock
 .php_cs
 .php_cs.cache
 vendor/
 src/Bundle/JoseFramework/var/
+infection.txt

.gitsplit.yml

@@ -53,6 +53,4 @@ splits:
       target: "https://${GH_TOKEN}@github.com/web-token/signature-pack.git"
 
 origins:
-    - ^master$
-    - ^v\d+\.\d+$
-    - ^v\d+\.\d+\.\d+.*$
+    - ^\d+\.\d+\.\d+.*$

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| 4.0.x   | :white_check_mark: |
+| 3.1.x   | :white_check_mark: |
+| 3.0.x   | :white_check_mark: |
+| < 3.0.0 | :x:                |
+
+## Reporting a Vulnerability
+
+If you think you have found a security issue, DO NOT open an issue. You MUST email your issue: security AT
+spomky-labs.com.

composer.json

@@ -74,31 +74,31 @@
     "require-dev": {
         "ext-curl": "*",
         "ext-gmp": "*",
-        "bjeavons/zxcvbn-php": "^1.0",
-        "blackfire/php-sdk": "^1.14",
+        "bjeavons/zxcvbn-php": "^1.3",
+        "blackfire/php-sdk": "^1.31",
         "ekino/phpstan-banned-code": "^1.0",
         "infection/infection": "^0.26",
-        "matthiasnoback/symfony-config-test": "^3.1|^4.0",
-        "nyholm/psr7": "^1.3",
-        "php-http/mock-client": "^1.0",
+        "matthiasnoback/symfony-config-test": "^4.3.0",
+        "nyholm/psr7": "^1.5",
+        "php-http/mock-client": "^1.5",
         "php-parallel-lint/php-parallel-lint": "^1.3",
         "phpbench/phpbench": "^1.2",
         "phpstan/extension-installer": "^1.1",
-        "phpstan/phpstan": "^1.0",
+        "phpstan/phpstan": "^1.8",
         "phpstan/phpstan-deprecation-rules": "^1.0",
-        "phpstan/phpstan-phpunit": "^1.0",
-        "phpstan/phpstan-strict-rules": "^1.0",
-        "phpunit/phpunit": "^8.0|^9.0",
+        "phpstan/phpstan-phpunit": "^1.1",
+        "phpstan/phpstan-strict-rules": "^1.4",
+        "phpunit/phpunit": "^9.5.23",
         "rector/rector": "^0.14",
         "roave/security-advisories": "dev-latest",
-        "symfony/browser-kit": "^5.4|^6.0",
+        "symfony/browser-kit": "^6.1.3",
         "symfony/finder": "^5.4|^6.0",
-        "symfony/framework-bundle": "^5.4|^6.0",
+        "symfony/framework-bundle": "^6.1.3",
         "symfony/http-client": "^5.4|^6.0",
-        "symfony/phpunit-bridge": "^5.4|^6.0",
-        "symfony/serializer": "^5.4|^6.0",
-        "symfony/var-dumper": "^5.4|^6.0",
-        "symfony/yaml": "^5.4|^6.0",
+        "symfony/phpunit-bridge": "^6.1.3",
+        "symfony/serializer": "^6.1.3",
+        "symfony/var-dumper": "^6.1.3",
+        "symfony/yaml": "^6.1.3",
         "symplify/easy-coding-standard": "^11.0"
     },
     "replace": {

phpstan.neon

@@ -17,5 +17,5 @@ parameters:
         - '#Parameter \#2 \.\.\.\$values of function sprintf expects bool\|float\|int\|string\|null\, mixed given\.#'
         - '#Parameter \#1 \.\.\.\$arrays of function array_merge expects array\, mixed given\.#'
         - '#Cannot cast mixed to int\.#'
-includes:
-    - vendor/phpstan/phpstan/conf/bleedingEdge.neon
+        - '#Parameter .* of (static )?method .* expects Jose\\Component\\Core\\JWK, mixed given\.#'
+        - '#Cannot call method (get|has)\(\) on mixed\.#'

src/Bundle/JoseFramework/DataCollector/AlgorithmCollector.php

@@ -5,7 +5,6 @@
 namespace Jose\Bundle\JoseFramework\DataCollector;
 
 use function array_key_exists;
-use function function_exists;
 use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
@@ -93,7 +92,7 @@ private function getAlgorithmType(
 
     private function getAlgorithmMessages(): array
     {
-        $messages = [
+        return [
             'none' => [
                 'severity' => 'severity-low',
                 'message' => 'This algorithm is not secured. Please use with caution.',
@@ -195,27 +194,5 @@ private function getAlgorithmMessages(): array
                 'message' => 'This algorithm is not secured (known attacks). See <a target="_blank" href="https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-5">https://tools.ietf.org/html/draft-irtf-cfrg-webcrypto-algorithms-00#section-5</a>.',
             ],
         ];
-        if (! function_exists('openssl_pkey_derive')) {
-            $messages += [
-                'ECDH-ES' => [
-                    'severity' => 'severity-medium',
-                    'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.',
-                ],
-                'ECDH-ES+A128KW' => [
-                    'severity' => 'severity-medium',
-                    'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.',
-                ],
-                'ECDH-ES+A192KW' => [
-                    'severity' => 'severity-medium',
-                    'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.',
-                ],
-                'ECDH-ES+A256KW' => [
-                    'severity' => 'severity-medium',
-                    'message' => 'This algorithm is very slow when used with curves P-256, P-384, P-521 with php 7.2 and below.',
-                ],
-            ];
-        }
-
-        return $messages;
     }
 }

src/Bundle/JoseFramework/Resources/config/Algorithms/encryption_ecdhes.php

@@ -6,6 +6,10 @@
 use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHESA128KW;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHESA192KW;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHESA256KW;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSS;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSSA128KW;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSSA192KW;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSSA256KW;
 
 /*
  * The MIT License (MIT)
@@ -44,4 +48,24 @@
         ->tag('jose.algorithm', [
             'alias' => 'ECDH-ES+A256KW',
         ]);
+
+    $container->set(ECDHSS::class)
+        ->tag('jose.algorithm', [
+            'alias' => 'ECDH-SS',
+        ]);
+
+    $container->set(ECDHSSA128KW::class)
+        ->tag('jose.algorithm', [
+            'alias' => 'ECDH-SS+A128KW',
+        ]);
+
+    $container->set(ECDHSSA192KW::class)
+        ->tag('jose.algorithm', [
+            'alias' => 'ECDH-SS+A192KW',
+        ]);
+
+    $container->set(ECDHSSA256KW::class)
+        ->tag('jose.algorithm', [
+            'alias' => 'ECDH-SS+A256KW',
+        ]);
 };

src/Bundle/JoseFramework/Resources/config/Algorithms/signature_experimental.php

@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use Jose\Component\Signature\Algorithm\Blake2b;
 use Jose\Component\Signature\Algorithm\ES256K;
 use Jose\Component\Signature\Algorithm\HS1;
 use Jose\Component\Signature\Algorithm\HS256_64;
@@ -52,4 +53,9 @@
         ->tag('jose.algorithm', [
             'alias' => 'ES256K',
         ]);
+
+    $container->set(Blake2b::class)
+        ->tag('jose.algorithm', [
+            'alias' => 'BLAKE2B',
+        ]);
 };

src/Bundle/JoseFramework/Serializer/JWESerializer.php

@@ -26,7 +26,7 @@ public function __construct(
         $this->serializerManager = $serializerManager;
     }
 
-    public function supportsDenormalization(mixed $data, string $type, string $format = null): bool
+    public function supportsDenormalization(mixed $data, string $type, string $format = null, array $context = []): bool
     {
         return $type === JWE::class
             && class_exists(JWESerializerManager::class)

src/Bundle/JoseFramework/Serializer/JWSSerializer.php

@@ -26,7 +26,7 @@ public function __construct(
         $this->serializerManager = $serializerManager;
     }
 
-    public function supportsDenormalization(mixed $data, string $type, string $format = null): bool
+    public function supportsDenormalization(mixed $data, string $type, string $format = null, array $context = []): bool
     {
         return $type === JWS::class
             && class_exists(JWSSerializerManager::class)

src/Component/Encryption/JWEBuilder.php

@@ -27,6 +27,8 @@
 
 class JWEBuilder
 {
+    protected ?JWK $senderKey = null;
+
     protected ?string $payload = null;
 
     protected ?string $aad = null;
@@ -55,6 +57,7 @@ public function __construct(
      */
     public function create(): self
     {
+        $this->senderKey = null;
         $this->payload = null;
         $this->aad = null;
         $this->recipients = [];
@@ -188,6 +191,31 @@ public function addRecipient(JWK $recipientKey, array $recipientHeader = []): se
         return $clone;
     }
 
+    //TODO: Verify if the key is compatible with the key encrytion algorithm like is done to the ECDH-ES
+    /**
+     * Set the sender JWK to be used instead of the internal generated JWK
+     */
+    public function withSenderKey(JWK $senderKey): self
+    {
+        $clone = clone $this;
+        $completeHeader = array_merge($clone->sharedHeader, $clone->sharedProtectedHeader);
+        $keyEncryptionAlgorithm = $clone->getKeyEncryptionAlgorithm($completeHeader);
+        if ($clone->keyManagementMode === null) {
+            $clone->keyManagementMode = $keyEncryptionAlgorithm->getKeyManagementMode();
+        } else {
+            if (! $clone->areKeyManagementModesCompatible(
+                $clone->keyManagementMode,
+                $keyEncryptionAlgorithm->getKeyManagementMode()
+            )) {
+                throw new InvalidArgumentException('Foreign key management mode forbidden.');
+            }
+        }
+        $clone->checkKey($keyEncryptionAlgorithm, $senderKey);
+        $clone->senderKey = $senderKey;
+
+        return $clone;
+    }
+
     /**
      * Builds the JWE.
      */
@@ -255,7 +283,7 @@ private function processRecipient(array $recipient, string $cek, array &$additio
             $keyEncryptionAlgorithm,
             $additionalHeader,
             $recipient['key'],
-            $recipient['sender_key'] ?? null
+            $recipient['sender_key'] ?? $this->senderKey ?? null
         );
         $recipientHeader = $recipient['header'];
         if ((is_countable($additionalHeader) ? count($additionalHeader) : 0) !== 0 && count($this->recipients) !== 1) {