Ensure that JWS does not use algorithm none

Author: cicnavi

src/Federation/EntityStatement.php

@@ -17,9 +17,9 @@
 class EntityStatement extends ParsedJws
 {
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getIssuer(): string
     {
@@ -28,9 +28,9 @@ public function getIssuer(): string
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getSubject(): string
     {
@@ -76,9 +76,9 @@ public function getJwks(): JwksClaim
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getType(): string
     {
@@ -93,9 +93,9 @@ public function getType(): string
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return null|non-empty-string[]
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getAuthorityHints(): ?array
     {
@@ -128,9 +128,9 @@ public function getAuthorityHints(): ?array
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return null|non-empty-string[]
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getTrustAnchorHints(): ?array
     {
@@ -304,9 +304,9 @@ public function getTrustMarkIssuers(): ?TrustMarkIssuersClaimBag
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @return non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
     public function getKeyId(): string
     {
@@ -315,11 +315,11 @@ public function getKeyId(): string
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @return ?non-empty-string
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      *
-     * @return ?non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      */
     public function getFederationFetchEndpoint(): ?string
     {
@@ -339,11 +339,11 @@ public function getFederationFetchEndpoint(): ?string
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @return ?non-empty-string
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      *
-     * @return ?non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      */
     public function getFederationTrustMarkEndpoint(): ?string
     {
@@ -363,11 +363,11 @@ public function getFederationTrustMarkEndpoint(): ?string
 
 
     /**
-     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @return ?non-empty-string
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      *
-     * @return ?non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      */
     public function getFederationTrustMarkStatusEndpoint(): ?string
     {
@@ -386,6 +386,19 @@ public function getFederationTrustMarkStatusEndpoint(): ?string
     }
 
 
+    /**
+     * @return non-empty-string
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @throws \SimpleSAML\OpenID\Exceptions\OpenId4VciProofException
+     * @throws \SimpleSAML\OpenID\Exceptions\TrustMarkDelegationException
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     */
+    public function getAlgorithm(): string
+    {
+        return parent::getAlgorithm() ?? throw new EntityStatementException('No Algorithm header claim found.');
+    }
+
+
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
@@ -426,6 +439,7 @@ protected function validate(): void
             $this->getExpirationTime(...),
             $this->getJwks(...),
             $this->getType(...),
+            $this->getAlgorithm(...),
             $this->getKeyId(...),
             $this->getAuthorityHints(...),
             $this->getTrustAnchorHints(...),

src/Jws/ParsedJws.php

@@ -5,8 +5,10 @@
 namespace SimpleSAML\OpenID\Jws;
 
 use JsonException;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
+use SimpleSAML\OpenID\Exceptions\EntityStatementException;
 use SimpleSAML\OpenID\Exceptions\JwsException;
 use SimpleSAML\OpenID\Factories\ClaimFactory;
 use SimpleSAML\OpenID\Helpers;
@@ -377,8 +379,22 @@ public function getAlgorithm(): ?string
     {
         $claimKey = ClaimsEnum::Alg->value;
 
-        $typ = $this->getHeaderClaim($claimKey);
+        $alg = $this->getHeaderClaim($claimKey);
 
-        return is_null($typ) ? null : $this->helpers->type()->ensureNonEmptyString($typ, $claimKey);
+        if (is_null($alg)) {
+            return null;
+        }
+
+        $alg = $this->helpers->type()->ensureNonEmptyString($alg, $claimKey);
+
+        $algEnum = SignatureAlgorithmEnum::tryFrom($alg) ?? throw new EntityStatementException(
+            'Invalid Algorithm header claim.',
+        );
+
+        if ($algEnum->isNone()) {
+            throw new JwsException('Invalid Algorithm header claim (none).');
+        }
+
+        return $alg;
     }
 }

src/VerifiableCredentials/OpenId4VciProof.php

@@ -4,7 +4,6 @@
 
 namespace SimpleSAML\OpenID\VerifiableCredentials;
 
-use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Exceptions\OpenId4VciProofException;
@@ -21,17 +20,7 @@ class OpenId4VciProof extends ParsedJws
      */
     public function getAlgorithm(): string
     {
-        $alg = parent::getAlgorithm() ?? throw new OpenId4VciProofException('No Algorithm header claim found.');
-
-        $algEnum = SignatureAlgorithmEnum::tryFrom($alg) ?? throw new OpenId4VciProofException(
-            'Invalid Algorithm header claim.',
-        );
-
-        if ($algEnum->isNone()) {
-            throw new OpenId4VciProofException('Invalid Algorithm header claim (none).');
-        }
-
-        return $alg;
+        return parent::getAlgorithm() ?? throw new OpenId4VciProofException('No Algorithm header claim found.');
     }
 
 

tests/src/Federation/EntityStatementTest.php

@@ -10,6 +10,7 @@
 use PHPUnit\Framework\Attributes\UsesClass;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
 use SimpleSAML\OpenID\Exceptions\JwsException;
 use SimpleSAML\OpenID\Factories\ClaimFactory;
@@ -24,6 +25,7 @@
 
 #[CoversClass(EntityStatement::class)]
 #[UsesClass(ParsedJws::class)]
+#[UsesClass(SignatureAlgorithmEnum::class)]
 final class EntityStatementTest extends TestCase
 {
     protected MockObject $signatureMock;

tests/src/Federation/Factories/EntityStatementFactoryTest.php

@@ -29,6 +29,7 @@
 #[UsesClass(ParsedJwsFactory::class)]
 #[UsesClass(ParsedJws::class)]
 #[UsesClass(EntityStatement::class)]
+#[UsesClass(SignatureAlgorithmEnum::class)]
 final class EntityStatementFactoryTest extends TestCase
 {
     protected MockObject $signatureMock;

tests/src/Jws/ParsedJwsTest.php

@@ -7,8 +7,10 @@
 use Jose\Component\Signature\JWS;
 use Jose\Component\Signature\Signature;
 use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\UsesClass;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
+use SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum;
 use SimpleSAML\OpenID\Decorators\DateIntervalDecorator;
 use SimpleSAML\OpenID\Exceptions\JwsException;
 use SimpleSAML\OpenID\Factories\ClaimFactory;
@@ -20,6 +22,7 @@
 use SimpleSAML\OpenID\Serializers\JwsSerializerManagerDecorator;
 
 #[CoversClass(ParsedJws::class)]
+#[UsesClass(SignatureAlgorithmEnum::class)]
 final class ParsedJwsTest extends TestCase
 {
     protected MockObject $jwsDecoratorMock;
@@ -449,4 +452,25 @@ public function testThrowsIfNotBeforeInTheFuture(): void
 
         $this->sut()->getNotBefore();
     }
+
+
+    public function testAlgHeaderCanBeNull(): void
+    {
+        unset($this->sampleHeader['alg']);
+        $this->signatureMock->method('getProtectedHeader')->willReturn($this->sampleHeader);
+
+        $this->assertNull($this->sut()->getAlgorithm());
+    }
+
+
+    public function testAlgHeaderCanNotBeNone(): void
+    {
+        $this->sampleHeader['alg'] = 'none';
+        $this->signatureMock->method('getProtectedHeader')->willReturn($this->sampleHeader);
+
+        $this->expectException(JwsException::class);
+        $this->expectExceptionMessage('none');
+
+        $this->sut()->getAlgorithm();
+    }
 }