Moodle 3.11 XRef and Diffs

Search moodle.org's
Developer Documentation
Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
Moodle 3.11 Database Schema (by Marcus Green)
/mod/lti/classes/local/ltiopenid/ -> jwks_helper.php (source)
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * This files exposes functions for LTI 1.3 Key Management.
 *
 * @package    mod_lti
 * @copyright  2020 Claude Vervoort (Cengage)
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
namespace mod_lti\local\ltiopenid;


> use Firebase\JWT\JWT;
/**
> 


 * This class exposes functions for LTI 1.3 Key Management.
 *
 * @package    mod_lti
 * @copyright  2020 Claude Vervoort (Cengage)
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
class jwks_helper {

    /**

>      *
     * Returns the private key to use to sign outgoing JWT.
>      * See https://www.imsglobal.org/spec/security/v1p1#approved-jwt-signing-algorithms.
     *
>      * @var string[]
     * @return array keys are kid and key in PEM format.
>      */
     */
>     private static $ltisupportedalgs = [
    public static function get_private_key() {
>         'RS256' => 'RSA',
        $privatekey = get_config('mod_lti', 'privatekey');
>         'RS384' => 'RSA',
        $kid = get_config('mod_lti', 'kid');
>         'RS512' => 'RSA',
        return [
>         'ES256' => 'EC',
            "key" => $privatekey,
>         'ES384' => 'EC',
            "kid" => $kid
>         'ES512' => 'EC'
        ];
>     ];
    }
> 

>     /**


    /**
     * Returns the JWK Key Set for this site.
     * @return array keyset exposting the site public key.
     */
    public static function get_jwks() {
        $jwks = array('keys' => array());

        $privatekey = self::get_private_key();
        $res = openssl_pkey_get_private($privatekey['key']);
        $details = openssl_pkey_get_details($res);


>         // Avoid passing null values to base64_encode.
        $jwk = array();
>         if (!isset($details['rsa']['e']) || !isset($details['rsa']['n'])) {
        $jwk['kty'] = 'RSA';
>             throw new \moodle_exception('Error: essential openssl keys not set');
        $jwk['alg'] = 'RS256';
>         }
        $jwk['kid'] = $privatekey['kid'];
> 


        $jwk['e'] = rtrim(strtr(base64_encode($details['rsa']['e']), '+/', '-_'), '=');
        $jwk['n'] = rtrim(strtr(base64_encode($details['rsa']['n']), '+/', '-_'), '=');
        $jwk['use'] = 'sig';

        $jwks['keys'][] = $jwk;

>         return $jwks;
        return $jwks;
>     }
    }
> 

>     /**
}
>      * Take an array of JWKS keys and infer the 'alg' property for a single key, if missing, based on an input JWT.
>      *
>      * This only sets the 'alg' property for a single key when all the following conditions are met:
>      * - The key's 'kid' matches the 'kid' provided in the JWT's header.
>      * - The key's 'alg' is missing.
>      * - The JWT's header 'alg' matches the algorithm family of the key (the key's kty).
>      * - The JWT's header 'alg' matches one of the approved LTI asymmetric algorithms.
>      *
>      * Keys not matching the above are left unchanged.
>      *
>      * @param array $jwks the keyset array.
>      * @param string $jwt the JWT string.
>      * @return array the fixed keyset array.
>      */
>     public static function fix_jwks_alg(array $jwks, string $jwt): array {
>         $jwtparts = explode('.', $jwt);
>         $jwtheader = json_decode(JWT::urlsafeB64Decode($jwtparts[0]), true);
>         if (!isset($jwtheader['kid'])) {
>             throw new \moodle_exception('Error: kid must be provided in JWT header.');
>         }
> 
>         foreach ($jwks['keys'] as $index => $key) {
>             // Only fix the key being referred to in the JWT.
>             if ($jwtheader['kid'] != $key['kid']) {
>                 continue;
>             }
> 
>             // Only fix the key if the alg is missing.
>             if (!empty($key['alg'])) {
>                 continue;
>             }
> 
>             // The header alg must match the key type (family) specified in the JWK's kty.
>             if (!isset(static::$ltisupportedalgs[$jwtheader['alg']]) ||
>                     static::$ltisupportedalgs[$jwtheader['alg']] != $key['kty']) {
>                 throw new \moodle_exception('Error: Alg specified in the JWT header is incompatible with the JWK key type');
>             }
> 
>             $jwks['keys'][$index]['alg'] = $jwtheader['alg'];
>         }
>