From 90aab8293d837d254aa09c9e8c2fb338fe8d6e2c Mon Sep 17 00:00:00 2001
From: Sebastiaan Knijnenburg
Date: Thu, 7 Nov 2024 11:41:50 +0100
Subject: [PATCH] Add SensitiveParameter attribute to sensitive parameters

Adds `#[SensitiveParameter]` to all potentially sensitive parameters, including key material, certificates and passphrases.
---
 src/Signer/Key/InMemory.php | 32 ++++++++++++++++++++++++--------
 src/Signer/OpenSSL.php | 11 +++++++++--
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/src/Signer/Key/InMemory.php b/src/Signer/Key/InMemory.php
index f8fdedf2..8bc06938 100644
--- a/src/Signer/Key/InMemory.php
+++ b/src/Signer/Key/InMemory.php
@@ -6,6 +6,7 @@
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\SodiumBase64Polyfill;
+use SensitiveParameter;
 use SplFileObject;
 use Throwable;
 
@@ -15,21 +16,33 @@
 final class InMemory implements Key
 {
     /** @param non-empty-string $contents */
-    private function __construct(public readonly string $contents, public readonly string $passphrase)
-    {
+    private function __construct(
+        #[SensitiveParameter]
+        public readonly string $contents,
+        #[SensitiveParameter]
+        public readonly string $passphrase,
+    ) {
     }
 
     /** @param non-empty-string $contents */
-    public static function plainText(string $contents, string $passphrase = ''): self
-    {
+    public static function plainText(
+        #[SensitiveParameter]
+        string $contents,
+        #[SensitiveParameter]
+        string $passphrase = '',
+    ): self {
         self::guardAgainstEmptyKey($contents);
 
         return new self($contents, $passphrase);
     }
 
     /** @param non-empty-string $contents */
-    public static function base64Encoded(string $contents, string $passphrase = ''): self
-    {
+    public static function base64Encoded(
+        #[SensitiveParameter]
+        string $contents,
+        #[SensitiveParameter]
+        string $passphrase = '',
+    ): self {
         $decoded = SodiumBase64Polyfill::base642bin(
             $contents,
             SodiumBase64Polyfill::SODIUM_BASE64_VARIANT_ORIGINAL,
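Review bot: The `#[SensitiveParameter]` on the promoted `$contents` and `$passphrase` parameters of `__construct` only substitutes a `SensitiveParameterValue` for the argument in `debug_backtrace()` output and exception traces; the same values are still held in `public readonly` properties, so `var_dump($key)`, `print_r`, `json_encode` of a trace's `args`, or any log sink that serialises the `InMemory` object will still print the key material. If that path matters, a masking `public function __debugInfo(): array { return ['contents' => '[redacted]', 'passphrase' => '[redacted]']; }` closes it for `var_dump`/`print_r`, though not for `json_encode` or `serialize`. A one-line class docblock would keep the next maintainer from over-trusting the attribute, e.g. `/** Key material is hidden from backtraces by SensitiveParameter but remains readable through the public properties. */`. `SensitiveParameter` exists since PHP 8.2; on older runtimes an attribute naming an unknown class is ignored without error, so if the package still supports those versions the protection is silently absent there and the composer constraint or changelog may want to say so.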
@@ -45,8 +58,11 @@ public static function base64Encoded(string $contents, string $passphrase = ''):
      *
      * @throws FileCouldNotBeRead
      */
-    public static function file(string $path, string $passphrase = ''): self
-    {
+    public static function file(
+        string $path,
+        #[SensitiveParameter]
+        string $passphrase = '',
+    ): self {
         try {
             $file = new SplFileObject($path);
         } catch (Throwable $exception) {
diff --git a/src/Signer/OpenSSL.php b/src/Signer/OpenSSL.php
index bcc7065c..a507752b 100644
--- a/src/Signer/OpenSSL.php
+++ b/src/Signer/OpenSSL.php
@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function array_key_exists;
 use function assert;
@@ -40,7 +41,9 @@ abstract class OpenSSL implements Signer
      * @throws InvalidKeyProvided
      */
     final protected function createSignature(
+        #[SensitiveParameter]
         string $pem,
+        #[SensitiveParameter]
         string $passphrase,
         string $payload,
     ): string {
@@ -56,8 +59,12 @@ final protected function createSignature(
     }
 
     /** @throws CannotSignPayload */
-    private function getPrivateKey(string $pem, string $passphrase): OpenSSLAsymmetricKey
-    {
+    private function getPrivateKey(
+        #[SensitiveParameter]
+        string $pem,
+        #[SensitiveParameter]
+        string $passphrase,
+    ): OpenSSLAsymmetricKey {
         return $this->validateKey(openssl_pkey_get_private($pem, $passphrase));
     }
 
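Review bot: In `getPrivateKey` (and `createSignature` in the hunk before it, whose body continues outside the hunk) the attribute now scrubs `$pem` and `$passphrase` from these two frames only; the trace of the `CannotSignPayload` that the docblock says can come out of the `validateKey` call still carries every frame above `createSignature`, and because `createSignature` is `final protected` those callers are the concrete signers outside this diff, which would need the same attribute wherever they receive the key as a plain string rather than as a `Key` object. A search for remaining `string $pem` / `string $passphrase` / `string $contents` parameters (including any public-key counterpart of `getPrivateKey`, if one exists) before merging would back the "all potentially sensitive parameters" claim in the commit message. The `/** @throws CannotSignPayload */` docblock on `getPrivateKey` could also record the scope of the protection, e.g. `/** @throws CannotSignPayload when openssl_pkey_get_private rejects the PEM/passphrase pair; both values are redacted from this frame of the trace. */`.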