Remove core hashing and serialisation logic with more secure jwt

Author: aganttor

composer.json

@@ -17,7 +17,8 @@
     }
   ],
   "require": {
-    "php": ">=7.0"
+    "php": ">=7.0",
+    "firebase/php-jwt": "~5.0"
   },
   "require-dev": {
     "phpunit/phpunit": "~6.0"

src/AbstractDataStream.php

@@ -11,34 +11,38 @@ abstract class AbstractDataStream implements DataStream
      */
     private $raw;
 
-    /**
-     * @var \Hawkbit\DataStream\Hasher|null
-     */
-    private $hasher;
     /**
      * @var \Hawkbit\DataStream\Compressor|null
      */
     private $compressor;
+
     /**
-     * @var \Hawkbit\DataStream\Serializer|null
+     * @var mixed
      */
-    private $serializer;
+    private $data;
 
     /**
      * DataStream constructor.
      *
      * @param $data
-     * @param \Hawkbit\DataStream\Serializer|null $serializer
-     * @param \Hawkbit\DataStream\Hasher|null $hasher
      * @param \Hawkbit\DataStream\Compressor|null $compressor
      */
-    public function __construct($data, Serializer $serializer = null, Hasher $hasher = null, Compressor $compressor =
-    null)
+    public function __construct($data, Compressor $compressor = null)
     {
         $this->raw = $data;
-        $this->hasher = $hasher ?? new Adler32Hasher();
         $this->compressor = $compressor ?? new DeflateCompressor();
-        $this->serializer = $serializer ?? new JsonSerializer();
+        $this->data = $this->decorateData($data);
+    }
+
+    /**
+     * Decorate input data to desired result
+     *
+     * @param $data
+     *
+     * @return mixed
+     */
+    protected function decorateData($data){
+        return $data;
     }
 
     /**
@@ -50,11 +54,11 @@ public function getRaw()
     }
 
     /**
-     * @return \Hawkbit\DataStream\Hasher|null
+     * @return mixed
      */
-    public function getHasher()
+    public function getData()
     {
-        return $this->hasher;
+        return $this->data;
     }
 
     /**
@@ -64,20 +68,4 @@ public function getCompressor()
     {
         return $this->compressor;
     }
-
-    /**
-     * @return \Hawkbit\DataStream\Serializer|null
-     */
-    public function getSerializer()
-    {
-        return $this->serializer;
-    }
-
-    /**
-     * @return string
-     */
-    public function __toString(): string
-    {
-        return $this->getData();
-    }
 }

src/Adler32Hasher.php

@@ -10,17 +10,17 @@ interface DataStream
     const DEFAULT_INPUT = InputStream::class;
     const DEFAULT_OUTPUT = OutputStream::class;
     const MESSAGE_ESCAPE_STRING = "\0";
+    const DEFAULT_SECRET = 'datastream';
+    const DEFAULT_ISSUER = 'datastream';
+    const DEFAULT_ALG = 'HS512';
 
     /**
      * DataStream constructor.
      *
      * @param $data
-     * @param \Hawkbit\DataStream\Serializer|null $serializer
-     * @param \Hawkbit\DataStream\Hasher|null $hasher
      * @param \Hawkbit\DataStream\Compressor|null $compressor
      */
-    public function __construct($data, Serializer $serializer = null, Hasher $hasher = null, Compressor $compressor =
-    null);
+    public function __construct($data, Compressor $compressor = null);
 
     /**
      * get raw data
@@ -36,24 +36,5 @@ public function getRaw();
      */
     public function getData();
 
-    /**
-     * Get MD5 Hash fingerprint
-     *
-     * @return string
-     */
-    public function getFingerprint(): string;
-
-    /**
-     * Get expiration for data
-     *
-     * @return int
-     */
-    public function getExpirationTime(): int;
-
-    /**
-     * @return string
-     */
-    public function __toString(): string;
-
 
 }

src/DataStream.php

@@ -4,95 +4,32 @@
 namespace Hawkbit\DataStream;
 
 
+use Firebase\JWT\JWT;
+
 class InputStream extends AbstractDataStream implements DataStream
 {
 
     /**
-     * @var string
-     */
-    private $fingerPrint;
-
-    /**
-     * @var int
-     */
-    private $expirationTime;
-
-    /**
-     * @var mixed
-     */
-    private $data;
-
-    /**
-     * DataStream constructor.
+     * Load data from compressed jwt
      *
      * @param $data
-     * @param \Hawkbit\DataStream\Serializer|null $serializer
-     * @param \Hawkbit\DataStream\Hasher|null $hasher
-     * @param \Hawkbit\DataStream\Compressor|null $compressor
-     */
-    public function __construct($data, Serializer $serializer = null, Hasher $hasher = null, Compressor $compressor = null)
-    {
-        parent::__construct($data, $serializer, $hasher, $compressor);
-        $this->data = $this->parse();
-    }
-
-
-    /**
-     * Get converted data
      *
      * @return mixed
      */
-    public function getData()
-    {
-        return $this->data;
-    }
-
-    /**
-     * Get MD5 Hash fingerprint
-     *
-     * @return string
-     */
-    public function getFingerprint(): string
+    protected function decorateData($data)
     {
-        return $this->fingerPrint;
-    }
-
-    /**
-     * Get expiration for data
-     *
-     * @return int
-     */
-    public function getExpirationTime(): int
-    {
-        return $this->expirationTime;
-    }
-
-    private function parse()
-    {
-
-        // hex data
-        $stream = base64_decode($this->getRaw());
-
-        // get binary representation
-        $bin = @$this->getCompressor()->uncompress($stream);
-
-        $data = explode(DataStream::MESSAGE_ESCAPE_STRING, $bin, 3);
 
-        $this->fingerPrint = $data[0];
-        $this->expirationTime = (int)$data[1];
-        $payload = $data[2];
+        // compressed jwt
+        $compressed = base64_decode($data);
 
-        if ($this->getHasher()->hash($payload) !== $this->getFingerprint())
-        {
-            throw new \RuntimeException('Data are not equal!');
-        }
+        // get inflated jwt
+        $jwt = $this->getCompressor()->uncompress($compressed);
 
-        if (time() > $this->getExpirationTime())
-        {
-            throw new \RuntimeException('Data transfer expired!');
-        }
+        // decode data
+        $payload = JWT::decode($jwt, base64_encode(static::DEFAULT_SECRET), [static::DEFAULT_ALG]);
 
-        // transform to json
-        return $this->getSerializer()->unserialize($payload);
+        // return payload data
+        // workaround to get always assoc arrays instead of objects
+        return json_decode(json_encode($payload->data), true);
     }
 }