

Add SensitiveParameter attribute to sensitive parameters
Adds `#[SensitiveParameter]` to all potentially sensitive parameters,
including key material, certificates and passphrases.
slknijnenburg committed Nov 7, 2024
1 parent 848815d commit 90aab82
Showing 2 changed files with 33 additions and 10 deletions.
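--- a/src/Signer/Key/InMemory.php
+++ b/src/Signer/Key/InMemory.php
@@ -6,6 +6,7 @@
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\SodiumBase64Polyfill;
+use SensitiveParameter;
 use SplFileObject;
 use Throwable;
 
@@ -15,21 +16,33 @@
 final class InMemory implements Key
 {
 /** @param non-empty-string $contents */
-private function __construct(public readonly string $contents, public readonly string $passphrase)
-{
+private function __construct(
+#[SensitiveParameter]
+public readonly string $contents,
+#[SensitiveParameter]
+public readonly string $passphrase,
+) {
 }
 
 /** @param non-empty-string $contents */
-public static function plainText(string $contents, string $passphrase = ''): self
-{
+public static function plainText(
+#[SensitiveParameter]
+string $contents,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 self::guardAgainstEmptyKey($contents);
 
 return new self($contents, $passphrase);
 }
 
 /** @param non-empty-string $contents */
-public static function base64Encoded(string $contents, string $passphrase = ''): self
-{
+public static function base64Encoded(
+#[SensitiveParameter]
+string $contents,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 $decoded = SodiumBase64Polyfill::base642bin(
 $contents,
 SodiumBase64Polyfill::SODIUM_BASE64_VARIANT_ORIGINAL,
@@ -45,8 +58,11 @@ public static function base64Encoded(string $contents, string $passphrase = ''):
 *
 * @throws FileCouldNotBeRead
 */
-public static function file(string $path, string $passphrase = ''): self
-{
+public static function file(
+string $path,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 try {
 $file = new SplFileObject($path);
 } catch (Throwable $exception) {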
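Review bot: The attribute on the promoted constructor parameters (the `__construct` hunk) redacts the values only in backtraces; `$contents` and `$passphrase` remain `public readonly` properties, so a `var_dump()`/`print_r()` or `json_encode()` of an `InMemory` instance still prints the key material in the clear. A `__debugInfo()` returning placeholders would at least keep it out of dumps, e.g. `return ['contents' => '[redacted]', 'passphrase' => '[redacted]'];`. Separately, `base64Encoded` hands `$contents` to `SodiumBase64Polyfill::base642bin(...)`; if that call throws on malformed input, its own frame records the argument unredacted unless that method's parameter also carries the attribute, which this diff does not show. The class body continues outside the hunk.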
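--- a/src/Signer/OpenSSL.php
+++ b/src/Signer/OpenSSL.php
@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function array_key_exists;
 use function assert;
@@ -40,7 +41,9 @@ abstract class OpenSSL implements Signer
 * @throws InvalidKeyProvided
 */
 final protected function createSignature(
+#[SensitiveParameter]
 string $pem,
+#[SensitiveParameter]
 string $passphrase,
 string $payload,
 ): string {
@@ -56,8 +59,12 @@ final protected function createSignature(
 }
 
 /** @throws CannotSignPayload */
-private function getPrivateKey(string $pem, string $passphrase): OpenSSLAsymmetricKey
-{
+private function getPrivateKey(
+#[SensitiveParameter]
+string $pem,
+#[SensitiveParameter]
+string $passphrase,
+): OpenSSLAsymmetricKey {
 return $this->validateKey(openssl_pkey_get_private($pem, $passphrase));
 }
 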
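Review bot: `$payload` in `createSignature` is the one parameter of the signing path left unmarked (the `@@ -40,7 +41,9` hunk). JWT payloads commonly carry claims with personal data, so if that applies to this library's callers the same `#[SensitiveParameter]` on `string $payload,` would keep it out of traces as well; if the omission is deliberate, a short comment such as `// payload is not key material; intentionally left visible in traces` records the decision. `createSignature`'s body continues outside the hunk.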

