web-token/jwt-framework

Missing extension causes JWS Verifier to fail without any notice

Closed this issue · 3 comments

Version(s) affected: 3.0.7

Description
I use the Symfony Bundle.

When I try to check the signature of my JWE token, it fails. And still, when I call the openssl_verify function manually, it succeeds.

In this file: vendor/web-token/jwt-signature-algorithm-rsa/RSAPKCS1.php, in the function verify:

public function verify(JWK $key, string $input, string $signature): bool
{
    $this->checkKey($key);
    $pub = RSAKey::createFromJWK($key->toPublic());
    return openssl_verify($input, $signature, $pub->toPEM(), $this->getAlgorithm()) === 1;
}

I found that the call $pub->toPEM() sort of never returns, not only without a value, but never returns at all, and when I tried to trace it, I went very deep through a lot of calls: initPublicKey, BitString, getBinary; well, I can't see the end of it.

And then, buried in vendor/fgrosse/phpasn1/lib/Utility/BigInteger.php (a third-party library you probably use in some way), in the create function, I saw that my problem came from this part:

switch (self::$_prefer) {
    case 'gmp':
        $ret = new BigIntegerGmp();
        break;
    case 'bcmath':
        $ret = new BigIntegerBcmath();
        break;
    default:
        throw new \UnexpectedValueException('Unknown number implementation: ' . self::$_prefer);
}

Simply put, I was missing a PHP extension.

How to reproduce

Run the code without gmp or bcmath PHP extension.

Possible Solution

Catch the exception, or make it a prerequisite when installing the module ?

Additional context

n/a

Hi, thank you for reporting this issue.
GMP and BCMath extensions are not required, because this suite of libraries is used by companies/public departments where third-party extensions such as GMP are not allowed.
This is the expected behavior and it is mentioned in the doc that it can be (very) slow in some cases (https://web-token.spomky-labs.com/introduction/pre-requisite). Those extensions are also suggested by composer depending on the installed libraries (e.g. https://github.com/web-token/jwt-framework/blob/v3.0/src/SignatureAlgorithm/RSA/composer.json#L28-L31)

Thanks for your answer. It does work with the extension installed, though. It solves my problem, at least.

So there's maybe some other issue, like in fgrosse/phpasn1 or somewhere. Well, I hope I could help someone who stumbles on this issue.
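The reporter's "Possible Solution" (catch the exception, or make the extension a prerequisite) sketched as code. This is an added example, not code from the issue or from the jwt-framework project; the function names are hypothetical, and it assumes the framework's JWK and RS256 classes under the namespaces used in v3.0 plus a PSR-3 logger.

```php
<?php
declare(strict_types=1);

use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\RS256;
use Psr\Log\LoggerInterface;

// Hypothetical preflight check: fail loudly at boot (container warm-up,
// health check) instead of deep inside a signature verification.
// fgrosse/phpasn1's BigInteger needs one of these two extensions.
function assertBigIntegerBackendAvailable(): void
{
    if (extension_loaded('gmp') || extension_loaded('bcmath')) {
        return;
    }
    throw new \RuntimeException(
        'RSA signature verification needs the gmp or bcmath PHP extension '
        . '(used by fgrosse/phpasn1 BigInteger); neither is loaded.'
    );
}

// Hypothetical fail-closed wrapper around the framework's verify(): any
// exception thrown below openssl_verify (key conversion, ASN.1 encoding,
// BigInteger backend selection) is logged with its root cause and reported
// as "signature not verified". The token is never accepted on an internal
// error, and the failure is no longer silent.
function verifyRs256FailClosed(
    RS256 $algorithm,
    JWK $publicKey,
    string $signedInput,
    string $signature,
    LoggerInterface $logger
): bool {
    try {
        return $algorithm->verify($publicKey, $signedInput, $signature);
    } catch (\Throwable $e) {
        $logger->error('JWS verification aborted before the signature was compared', [
            'exception' => get_class($e),
            'message'   => $e->getMessage(),
            'gmp'       => extension_loaded('gmp'),
            'bcmath'    => extension_loaded('bcmath'),
        ]);
        return false;
    }
}
```

Run assertBigIntegerBackendAvailable() once at startup so a misconfigured deployment is rejected before it serves a single request; the wrapper is the safety net for anything the preflight cannot predict.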
