x509-chain-verifier/SignedWithChain.php at main · midoria-io/x509-chain-verifier · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php

declare(strict_types=1);

namespace Manyou\X509ChainVerifier;

use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\ConstraintViolation;
use Lcobucci\JWT\Validation\SignedWith as SignedWithInterface;
use RuntimeException;

class SignedWithChain implements SignedWithInterface
{
    public function __construct(
        private Signer $algorithm,
        private X509ChainVerifier $chainVerifier,
    ) {
    }

    public function assert(Token $token): void
    {
        $chain = $token->headers()->get('x5c', []);

        try {
            $certificate = $this->chainVerifier->verify($chain);
        } catch (RuntimeException $e) {
            throw ConstraintViolation::error($e->getMessage(), $this);
        }

        (new SignedWith($this->algorithm, InMemory::plainText($certificate)))->assert($token);
    }
}