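<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * This file exposes functions for LTI 1.3 Key Management.
 *
 * @package    mod_lti
 * @copyright  2020 Claude Vervoort (Cengage)
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
namespace mod_lti\local\ltiopenid;

use Firebase\JWT\JWT;

/**
 * This class exposes functions for LTI 1.3 Key Management.
 *
 * It reads the site's signing key from the mod_lti config, publishes the matching
 * public key as a JWK Set, and repairs an incoming JWKS whose key lacks an 'alg'.
 *
 * @package    mod_lti
 * @copyright  2020 Claude Vervoort (Cengage)
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
class jwks_helper {

    /**
     * Approved LTI asymmetric JWT signing algorithms, mapped to the JWK key type ('kty') each belongs to.
     *
     * See https://www.imsglobal.org/spec/security/v1p1#approved-jwt-signing-algorithms.
     * @var string[]
     */
    private static $ltisupportedalgs = [
        'RS256' => 'RSA',
        'RS384' => 'RSA',
        'RS512' => 'RSA',
        'ES256' => 'EC',
        'ES384' => 'EC',
        'ES512' => 'EC',
    ];

    /**
     * Returns the private key to use to sign outgoing JWT.
     *
     * Both values come straight from the mod_lti plugin config ('privatekey' and 'kid').
     *
     * @return array keys are kid and key in PEM format.
     */
    public static function get_private_key() {
        $privatekey = get_config('mod_lti', 'privatekey');
        $kid = get_config('mod_lti', 'kid');
        return [
            "key" => $privatekey,
            "kid" => $kid,
        ];
    }

    /**
     * Returns the JWK Key Set for this site.
     *
     * Only the RSA public components (modulus 'n' and exponent 'e') of the configured
     * private key are exposed; the key is advertised as RS256 / 'sig'.
     *
     * @return array keyset exposing the site public key.
     * @throws \moodle_exception if the configured private key cannot be parsed or is not an RSA key.
     */
    public static function get_jwks() {
        $jwks = ['keys' => []];

        $privatekey = self::get_private_key();
        $res = openssl_pkey_get_private($privatekey['key']);
        // openssl_pkey_get_private() returns false for an empty or unparseable PEM; passing that
        // on to openssl_pkey_get_details() is a TypeError on PHP 8, so fail with a clear message.
        if ($res === false) {
            throw new \moodle_exception('Error: the configured private key could not be loaded');
        }
        $details = openssl_pkey_get_details($res);

        // Avoid passing null values to base64_encode (a non-RSA key has no 'rsa' details).
        if (!isset($details['rsa']['e']) || !isset($details['rsa']['n'])) {
            throw new \moodle_exception('Error: essential openssl keys not set');
        }

        $jwk = [
            'kty' => 'RSA',
            'alg' => 'RS256',
            'kid' => $privatekey['kid'],
            'e' => self::base64url_encode($details['rsa']['e']),
            'n' => self::base64url_encode($details['rsa']['n']),
            'use' => 'sig',
        ];

        $jwks['keys'][] = $jwk;
        return $jwks;
    }

    /**
     * Encodes raw bytes as unpadded base64url (RFC 7515 Appendix C), the form JWK members use.
     *
     * @param string $data raw bytes.
     * @return string base64url string without trailing '='.
     */
    private static function base64url_encode(string $data): string {
        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
    }

    /**
     * Take an array of JWKS keys and infer the 'alg' property for a single key, if missing, based on an input JWT.
     *
     * This only sets the 'alg' property for a single key when all the following conditions are met:
     * - The key's 'kid' matches the 'kid' provided in the JWT's header.
     * - The key's 'alg' is missing.
     * - The JWT's header 'alg' matches the algorithm family of the key (the key's kty).
     * - The JWT's header 'alg' matches one of the approved LTI asymmetric algorithms.
     *
     * Keys not matching the above are left unchanged.
     *
     * @param array $jwks the keyset array.
     * @param string $jwt the JWT string.
     * @return array the fixed keyset array.
     * @throws \moodle_exception if the JWT header lacks 'kid' or 'alg', or if the header 'alg'
     *                           is not an approved algorithm for the matching key's 'kty'.
     */
    public static function fix_jwks_alg(array $jwks, string $jwt): array {
        $jwtparts = explode('.', $jwt);
        $jwtheader = json_decode(JWT::urlsafeB64Decode($jwtparts[0]), true);
        if (!isset($jwtheader['kid'])) {
            throw new \moodle_exception('Error: kid must be provided in JWT header.');
        }
        if (!isset($jwtheader['alg'])) {
            throw new \moodle_exception('Error: alg must be provided in JWT header.');
        }

        // Compare kids as strings with ===: a loose != would treat numeric-looking kids such as
        // '1e3' and '1000' as equal and could select the wrong key.
        $headerkid = (string) $jwtheader['kid'];
        $headeralg = $jwtheader['alg'];

        foreach ($jwks['keys'] as $index => $key) {
            // Only fix the key being referred to in the JWT.
            if (!isset($key['kid']) || (string) $key['kid'] !== $headerkid) {
                continue;
            }

            // Only fix the key if the alg is missing.
            if (!empty($key['alg'])) {
                continue;
            }

            // The header alg must be an approved LTI algorithm and match the key type (family)
            // specified in the JWK's kty; a key without kty never matches.
            if (!isset(self::$ltisupportedalgs[$headeralg]) ||
                    self::$ltisupportedalgs[$headeralg] !== ($key['kty'] ?? null)) {
                throw new \moodle_exception('Error: Alg specified in the JWT header is incompatible with the JWK key type');
            }

            $jwks['keys'][$index]['alg'] = $headeralg;
        }

        return $jwks;
    }

}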