Re-organise OpenSSL key incompatibility verification

The expected behaviour for key length verification between RSA and ECDSA
algorithms are actually different. This shifts the responsibility to the
base respective base implementations, simplifying the code a bit.

Signed-off-by: Luís Cobucci <lcobucci@gmail.com>

Author: lcobucci

src/Signer/Ecdsa.php

@@ -39,16 +39,25 @@ final public function verify(string $expected, string $payload, Key $key): bool
         );
     }
 
-    final public function keyType(): int
+    /** {@inheritdoc} */
+    final protected function guardAgainstIncompatibleKey(int $type, int $lengthInBits): void
     {
-        return OPENSSL_KEYTYPE_EC;
-    }
+        if ($type !== OPENSSL_KEYTYPE_EC) {
+            throw InvalidKeyProvided::incompatibleKeyType(
+                self::KEY_TYPE_MAP[OPENSSL_KEYTYPE_EC],
+                self::KEY_TYPE_MAP[$type],
+            );
+        }
 
-    final public function minimumBitsLengthForKey(): int
-    {
-        return 224;
+        $expectedKeyLength = $this->expectedKeyLength();
+
+        if ($lengthInBits !== $expectedKeyLength) {
+            throw InvalidKeyProvided::incompatibleKeyLength($expectedKeyLength, $lengthInBits);
+        }
     }
 
+    abstract public function expectedKeyLength(): int;
+
     /**
      * Returns the length of each point in the signature, so that we can calculate and verify R and S points properly
      *

src/Signer/Ecdsa/Sha256.php

@@ -23,4 +23,9 @@ public function pointLength(): int
     {
         return 64;
     }
+
+    public function expectedKeyLength(): int
+    {
+        return 256;
+    }
 }

src/Signer/Ecdsa/Sha384.php

@@ -23,4 +23,9 @@ public function pointLength(): int
     {
         return 96;
     }
+
+    public function expectedKeyLength(): int
+    {
+        return 384;
+    }
 }

src/Signer/Ecdsa/Sha512.php

@@ -23,4 +23,9 @@ public function pointLength(): int
     {
         return 132;
     }
+
+    public function expectedKeyLength(): int
+    {
+        return 521;
+    }
 }

src/Signer/InvalidKeyProvided.php

@@ -13,9 +13,20 @@ public static function cannotBeParsed(string $details): self
         return new self('It was not possible to parse your key, reason:' . $details);
     }
 
-    public static function incompatibleKey(): self
+    public static function incompatibleKeyType(string $expectedType, string $actualType): self
     {
-        return new self('This key is not compatible with this signer');
+        return new self(
+            'The type of the provided key is not "' . $expectedType
+            . '", "' . $actualType . '" provided'
+        );
+    }
+
+    public static function incompatibleKeyLength(int $expectedLength, int $actualLength): self
+    {
+        return new self(
+            'The length of the provided key is different than ' . $expectedLength . ' bits, '
+            . $actualLength . ' bits provided'
+        );
     }
 
     public static function cannotBeEmpty(): self

src/Signer/OpenSSL.php

@@ -19,10 +19,21 @@
 use function openssl_sign;
 use function openssl_verify;
 
+use const OPENSSL_KEYTYPE_DH;
+use const OPENSSL_KEYTYPE_DSA;
+use const OPENSSL_KEYTYPE_EC;
+use const OPENSSL_KEYTYPE_RSA;
 use const PHP_EOL;
 
 abstract class OpenSSL implements Signer
 {
+    protected const KEY_TYPE_MAP = [
+        OPENSSL_KEYTYPE_RSA => 'RSA',
+        OPENSSL_KEYTYPE_DSA => 'DSA',
+        OPENSSL_KEYTYPE_DH => 'DH',
+        OPENSSL_KEYTYPE_EC => 'EC',
+    ];
+
     /**
      * @throws CannotSignPayload
      * @throws InvalidKeyProvided
@@ -47,9 +58,6 @@ final protected function createSignature(
         }
     }
 
-    /** @return positive-int */
-    abstract public function minimumBitsLengthForKey(): int;
-
     /**
      * @return resource|OpenSSLAsymmetricKey
      *
@@ -105,15 +113,12 @@ private function validateKey($key): void
         $details = openssl_pkey_get_details($key);
         assert(is_array($details));
 
-        if (! array_key_exists('key', $details) || $details['type'] !== $this->keyType()) {
-            throw InvalidKeyProvided::incompatibleKey();
-        }
-
         assert(array_key_exists('bits', $details));
         assert(is_int($details['bits']));
-        if ($details['bits'] < $this->minimumBitsLengthForKey()) {
-            throw InvalidKeyProvided::tooShort($this->minimumBitsLengthForKey(), $details['bits']);
-        }
+        assert(array_key_exists('type', $details));
+        assert(is_int($details['type']));
+
+        $this->guardAgainstIncompatibleKey($details['type'], $details['bits']);
     }
 
     private function fullOpenSSLErrorString(): string
@@ -127,6 +132,9 @@ private function fullOpenSSLErrorString(): string
         return $error;
     }
 
+    /** @throws InvalidKeyProvided */
+    abstract protected function guardAgainstIncompatibleKey(int $type, int $lengthInBits): void;
+
     /** @param resource|OpenSSLAsymmetricKey $key */
     private function freeKey($key): void
     {
@@ -137,13 +145,6 @@ private function freeKey($key): void
         openssl_free_key($key); // Deprecated and no longer necessary as of PHP >= 8.0
     }
 
-    /**
-     * Returns the type of key to be used to create/verify the signature (using OpenSSL constants)
-     *
-     * @internal
-     */
-    abstract public function keyType(): int;
-
     /**
      * Returns which algorithm to be used to create/verify the signature (using OpenSSL constants)
      *

src/Signer/Rsa.php

@@ -7,6 +7,8 @@
 
 abstract class Rsa extends OpenSSL
 {
+    private const MINIMUM_KEY_LENGTH = 2048;
+
     final public function sign(string $payload, Key $key): string
     {
         return $this->createSignature($key->contents(), $key->passphrase(), $payload);
@@ -17,13 +19,17 @@ final public function verify(string $expected, string $payload, Key $key): bool
         return $this->verifySignature($expected, $payload, $key->contents());
     }
 
-    final public function keyType(): int
+    final protected function guardAgainstIncompatibleKey(int $type, int $lengthInBits): void
     {
-        return OPENSSL_KEYTYPE_RSA;
-    }
+        if ($type !== OPENSSL_KEYTYPE_RSA) {
+            throw InvalidKeyProvided::incompatibleKeyType(
+                self::KEY_TYPE_MAP[OPENSSL_KEYTYPE_RSA],
+                self::KEY_TYPE_MAP[$type],
+            );
+        }
 
-    final public function minimumBitsLengthForKey(): int
-    {
-        return 2048;
+        if ($lengthInBits < self::MINIMUM_KEY_LENGTH) {
+            throw InvalidKeyProvided::tooShort(self::MINIMUM_KEY_LENGTH, $lengthInBits);
+        }
     }
 }

src/Signer/UnsafeEcdsa.php

@@ -40,14 +40,15 @@ final public function verify(string $expected, string $payload, Key $key): bool
         );
     }
 
-    final public function keyType(): int
+    // phpcs:ignore SlevomatCodingStandard.Functions.UnusedParameter.UnusedParameter
+    final protected function guardAgainstIncompatibleKey(int $type, int $lengthInBits): void
     {
-        return OPENSSL_KEYTYPE_EC;
-    }
-
-    final public function minimumBitsLengthForKey(): int
-    {
-        return 1;
+        if ($type !== OPENSSL_KEYTYPE_EC) {
+            throw InvalidKeyProvided::incompatibleKeyType(
+                self::KEY_TYPE_MAP[OPENSSL_KEYTYPE_EC],
+                self::KEY_TYPE_MAP[$type],
+            );
+        }
     }
 
     /**

src/Signer/UnsafeRsa.php

@@ -18,13 +18,14 @@ final public function verify(string $expected, string $payload, Key $key): bool
         return $this->verifySignature($expected, $payload, $key->contents());
     }
 
-    final public function keyType(): int
+    // phpcs:ignore SlevomatCodingStandard.Functions.UnusedParameter.UnusedParameter
+    final protected function guardAgainstIncompatibleKey(int $type, int $lengthInBits): void
     {
-        return OPENSSL_KEYTYPE_RSA;
-    }
-
-    final public function minimumBitsLengthForKey(): int
-    {
-        return 1;
+        if ($type !== OPENSSL_KEYTYPE_RSA) {
+            throw InvalidKeyProvided::incompatibleKeyType(
+                self::KEY_TYPE_MAP[OPENSSL_KEYTYPE_RSA],
+                self::KEY_TYPE_MAP[$type],
+            );
+        }
     }
 }

test/functional/ES512TokenTest.php

@@ -77,7 +77,7 @@ public function builderShouldRaiseExceptionWhenKeyIsNotEcdsaCompatible(): void
         $builder = $this->config->builder();
 
         $this->expectException(InvalidKeyProvided::class);
-        $this->expectExceptionMessage('This key is not compatible with this signer');
+        $this->expectExceptionMessage('The type of the provided key is not "EC", "RSA" provided');
 
         $builder->identifiedBy('1')
             ->permittedFor('http://client.abc.com')
@@ -168,7 +168,7 @@ public function signatureAssertionShouldRaiseExceptionWhenAlgorithmIsDifferent(T
     public function signatureAssertionShouldRaiseExceptionWhenKeyIsNotEcdsaCompatible(Token $token): void
     {
         $this->expectException(InvalidKeyProvided::class);
-        $this->expectExceptionMessage('This key is not compatible with this signer');
+        $this->expectExceptionMessage('The type of the provided key is not "EC", "RSA" provided');
 
         $this->config->validator()->assert(
             $token,