Add SensitiveParameter attribute to sensitive parameters

Adds `#[SensitiveParameter]` to all potentially sensitive parameters,
including key material, certificates and passphrases.

Author: slknijnenburg

src/Builder.php

@@ -10,6 +10,7 @@
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\Token\RegisteredClaimGiven;
+use SensitiveParameter;
 
 /** @immutable */
 interface Builder
@@ -81,5 +82,9 @@ public function withClaim(string $name, mixed $value): Builder;
      * @throws InvalidKeyProvided  When issue key is invalid/incompatible.
      * @throws ConversionFailed    When signature could not be converted.
      */
-    public function getToken(Signer $signer, Key $key): UnencryptedToken;
+    public function getToken(
+        Signer $signer,
+        #[SensitiveParameter]
+        Key $key,
+    ): UnencryptedToken;
 }

src/Configuration.php

@@ -8,6 +8,7 @@
 use Lcobucci\JWT\Encoding\JoseEncoder;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\Validation\Constraint;
+use SensitiveParameter;
 
 /**
  * Configuration container for the JWT Builder and Parser
@@ -28,7 +29,9 @@ final class Configuration
 
     private function __construct(
         private readonly Signer $signer,
+        #[SensitiveParameter]
         private readonly Key $signingKey,
+        #[SensitiveParameter]
         private readonly Key $verificationKey,
         Encoder $encoder,
         Decoder $decoder,
@@ -43,7 +46,9 @@ private function __construct(
 
     public static function forAsymmetricSigner(
         Signer $signer,
+        #[SensitiveParameter]
         Key $signingKey,
+        #[SensitiveParameter]
         Key $verificationKey,
         Encoder $encoder = new JoseEncoder(),
         Decoder $decoder = new JoseEncoder(),
@@ -59,6 +64,7 @@ public static function forAsymmetricSigner(
 
     public static function forSymmetricSigner(
         Signer $signer,
+        #[SensitiveParameter]
         Key $key,
         Encoder $encoder = new JoseEncoder(),
         Decoder $decoder = new JoseEncoder(),

src/JwtFacade.php

@@ -13,6 +13,7 @@
 use Lcobucci\JWT\Validation\ValidAt;
 use Lcobucci\JWT\Validation\Validator;
 use Psr\Clock\ClockInterface as Clock;
+use SensitiveParameter;
 
 use function assert;
 
@@ -35,6 +36,7 @@ public function now(): DateTimeImmutable
     /** @param Closure(Builder, DateTimeImmutable):Builder $customiseBuilder */
     public function issue(
         Signer $signer,
+        #[SensitiveParameter]
         Key $signingKey,
         Closure $customiseBuilder,
     ): UnencryptedToken {

src/Signer.php

@@ -7,6 +7,7 @@
 use Lcobucci\JWT\Signer\Ecdsa\ConversionFailed;
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
+use SensitiveParameter;
 
 interface Signer
 {
@@ -28,7 +29,11 @@ public function algorithmId(): string;
      * @throws InvalidKeyProvided When issue key is invalid/incompatible.
      * @throws ConversionFailed   When signature could not be converted.
      */
-    public function sign(string $payload, Key $key): string;
+    public function sign(
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): string;
 
     /**
      * Returns if the expected hash matches with the data and key
@@ -39,5 +44,10 @@ public function sign(string $payload, Key $key): string;
      * @throws InvalidKeyProvided When issue key is invalid/incompatible.
      * @throws ConversionFailed   When signature could not be converted.
      */
-    public function verify(string $expected, string $payload, Key $key): bool;
+    public function verify(
+        string $expected,
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): bool;
 }

src/Signer/Blake2b.php

@@ -4,6 +4,7 @@
 namespace Lcobucci\JWT\Signer;
 
 use Lcobucci\JWT\Signer;
+use SensitiveParameter;
 
 use function hash_equals;
 use function sodium_crypto_generichash;
@@ -18,8 +19,11 @@ public function algorithmId(): string
         return 'BLAKE2B';
     }
 
-    public function sign(string $payload, Key $key): string
-    {
+    public function sign(
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): string {
         $actualKeyLength = 8 * strlen($key->contents());
 
         if ($actualKeyLength < self::MINIMUM_KEY_LENGTH_IN_BITS) {
@@ -29,8 +33,12 @@ public function sign(string $payload, Key $key): string
         return sodium_crypto_generichash($payload, $key->contents());
     }
 
-    public function verify(string $expected, string $payload, Key $key): bool
-    {
+    public function verify(
+        string $expected,
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): bool {
         return hash_equals($expected, $this->sign($payload, $key));
     }
 }

src/Signer/Ecdsa.php

@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer\Ecdsa\MultibyteStringConverter;
 use Lcobucci\JWT\Signer\Ecdsa\SignatureConverter;
+use SensitiveParameter;
 
 use const OPENSSL_KEYTYPE_EC;
 
@@ -15,16 +16,23 @@ public function __construct(
     ) {
     }
 
-    final public function sign(string $payload, Key $key): string
-    {
+    final public function sign(
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): string {
         return $this->converter->fromAsn1(
             $this->createSignature($key->contents(), $key->passphrase(), $payload),
             $this->pointLength(),
         );
     }
 
-    final public function verify(string $expected, string $payload, Key $key): bool
-    {
+    final public function verify(
+        string $expected,
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): bool {
         return $this->verifySignature(
             $this->converter->toAsn1($expected, $this->pointLength()),
             $payload,

src/Signer/Eddsa.php

@@ -4,6 +4,7 @@
 namespace Lcobucci\JWT\Signer;
 
 use Lcobucci\JWT\Signer;
+use SensitiveParameter;
 use SodiumException;
 
 use function sodium_crypto_sign_detached;
@@ -16,17 +17,24 @@ public function algorithmId(): string
         return 'EdDSA';
     }
 
-    public function sign(string $payload, Key $key): string
-    {
+    public function sign(
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): string {
         try {
             return sodium_crypto_sign_detached($payload, $key->contents());
         } catch (SodiumException $sodiumException) {
             throw new InvalidKeyProvided($sodiumException->getMessage(), 0, $sodiumException);
         }
     }
 
-    public function verify(string $expected, string $payload, Key $key): bool
-    {
+    public function verify(
+        string $expected,
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): bool {
         try {
             return sodium_crypto_sign_verify_detached($expected, $payload, $key->contents());
         } catch (SodiumException $sodiumException) {

src/Signer/Hmac.php

@@ -4,15 +4,19 @@
 namespace Lcobucci\JWT\Signer;
 
 use Lcobucci\JWT\Signer;
+use SensitiveParameter;
 
 use function hash_equals;
 use function hash_hmac;
 use function strlen;
 
 abstract class Hmac implements Signer
 {
-    final public function sign(string $payload, Key $key): string
-    {
+    final public function sign(
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): string {
         $actualKeyLength   = 8 * strlen($key->contents());
         $expectedKeyLength = $this->minimumBitsLengthForKey();
 
@@ -23,8 +27,12 @@ final public function sign(string $payload, Key $key): string
         return hash_hmac($this->algorithm(), $payload, $key->contents(), true);
     }
 
-    final public function verify(string $expected, string $payload, Key $key): bool
-    {
+    final public function verify(
+        string $expected,
+        string $payload,
+        #[SensitiveParameter]
+        Key $key,
+    ): bool {
         return hash_equals($expected, $this->sign($payload, $key));
     }
 

src/Signer/Key/InMemory.php

@@ -6,6 +6,7 @@
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\SodiumBase64Polyfill;
+use SensitiveParameter;
 use SplFileObject;
 use Throwable;
 
@@ -15,8 +16,11 @@
 final class InMemory implements Key
 {
     /** @param non-empty-string $contents */
-    private function __construct(public readonly string $contents, public readonly string $passphrase)
-    {
+    private function __construct(
+        public readonly string $contents,
+        #[SensitiveParameter]
+        public readonly string $passphrase,
+    ) {
     }
 
     /** @param non-empty-string $contents */

src/Signer/OpenSSL.php

@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function array_key_exists;
 use function assert;
@@ -40,7 +41,9 @@ abstract class OpenSSL implements Signer
      * @throws InvalidKeyProvided
      */
     final protected function createSignature(
+        #[SensitiveParameter]
         string $pem,
+        #[SensitiveParameter]
         string $passphrase,
         string $payload,
     ): string {
@@ -56,8 +59,12 @@ final protected function createSignature(
     }
 
     /** @throws CannotSignPayload */
-    private function getPrivateKey(string $pem, string $passphrase): OpenSSLAsymmetricKey
-    {
+    private function getPrivateKey(
+        #[SensitiveParameter]
+        string $pem,
+        #[SensitiveParameter]
+        string $passphrase,
+    ): OpenSSLAsymmetricKey {
         return $this->validateKey(openssl_pkey_get_private($pem, $passphrase));
     }
 
@@ -74,8 +81,10 @@ final protected function verifySignature(
     }
 
     /** @throws InvalidKeyProvided */
-    private function getPublicKey(string $pem): OpenSSLAsymmetricKey
-    {
+    private function getPublicKey(
+        #[SensitiveParameter]
+        string $pem,
+    ): OpenSSLAsymmetricKey {
         return $this->validateKey(openssl_pkey_get_public($pem));
     }
 
@@ -84,8 +93,10 @@ private function getPublicKey(string $pem): OpenSSLAsymmetricKey
      *
      * @throws InvalidKeyProvided
      */
-    private function validateKey(OpenSSLAsymmetricKey|bool $key): OpenSSLAsymmetricKey
-    {
+    private function validateKey(
+        #[SensitiveParameter]
+        OpenSSLAsymmetricKey|bool $key,
+    ): OpenSSLAsymmetricKey {
         if (is_bool($key)) {
             throw InvalidKeyProvided::cannotBeParsed($this->fullOpenSSLErrorString());
         }