Skip to content

Wrong warnings when invalid key supplied in openssl_sign #559

New issue
New issue
Closed
#560
Closed
Wrong warnings when invalid key supplied in openssl_sign#559
#560
@vishwarajanand

Description

@vishwarajanand
vishwarajanand
opened on Mar 7, 2024

Ref:

php-jwt/src/JWT.php

Lines 252 to 257 in 1b9e871

case 'openssl':
$signature = '';
$success = \openssl_sign($msg, $signature, $key, $algorithm); // @phpstan-ignore-line
if (!$success) {
throw new DomainException('OpenSSL unable to sign data');
}

when a $key is not properly formatted, warnings are generated: PHP Warning: openssl_sign(): Supplied key param cannot be coerced into a private key. Instead, invalid keys should be validated and thrown gracefully. Like this:

        case 'openssl':
            $signature = '';
            if (!openssl_pkey_get_private($key)) {
                throw new DomainException('OpenSSL unable to validate key');
            }
            $success = \openssl_sign($msg, $signature, $key, $algorithm); // @phpstan-ignore-line
            if (!$success) {
                throw new DomainException('OpenSSL unable to sign data');
            }

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions