
Commit ea1ce71

authored
Merge pull request #1082 from slknijnenburg/add-sensitiveparam-attribute
Add `#[SensitiveParameter]` attribute to sensitive parameters
2 parents 848815d + 90aab82 commit ea1ce71


2 files changed

+33
-10
lines changed


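--- a/src/Signer/Key/InMemory.php
+++ b/src/Signer/Key/InMemory.php
@@ -6,6 +6,7 @@
 use Lcobucci\JWT\Signer\InvalidKeyProvided;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\SodiumBase64Polyfill;
+use SensitiveParameter;
 use SplFileObject;
 use Throwable;
 
@@ -15,21 +16,33 @@
 final class InMemory implements Key
 {
 /** @param non-empty-string $contents */
-private function __construct(public readonly string $contents, public readonly string $passphrase)
-{
+private function __construct(
+#[SensitiveParameter]
+public readonly string $contents,
+#[SensitiveParameter]
+public readonly string $passphrase,
+) {
 }
 
 /** @param non-empty-string $contents */
-public static function plainText(string $contents, string $passphrase = ''): self
-{
+public static function plainText(
+#[SensitiveParameter]
+string $contents,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 self::guardAgainstEmptyKey($contents);
 
 return new self($contents, $passphrase);
 }
 
 /** @param non-empty-string $contents */
-public static function base64Encoded(string $contents, string $passphrase = ''): self
-{
+public static function base64Encoded(
+#[SensitiveParameter]
+string $contents,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 $decoded = SodiumBase64Polyfill::base642bin(
 $contents,
 SodiumBase64Polyfill::SODIUM_BASE64_VARIANT_ORIGINAL,
@@ -45,8 +58,11 @@ public static function base64Encoded(string $contents, string $passphrase = ''):
 *
 * @throws FileCouldNotBeRead
 */
-public static function file(string $path, string $passphrase = ''): self
-{
+public static function file(
+string $path,
+#[SensitiveParameter]
+string $passphrase = '',
+): self {
 try {
 $file = new SplFileObject($path);
 } catch (Throwable $exception) {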
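Review bot: In `base64Encoded()` the newly redacted `$contents` is passed straight into `SodiumBase64Polyfill::base642bin($contents, …)`, and that class is not among the two files this commit changes. `#[SensitiveParameter]` redacts one frame only, so unless the polyfill's parameter already carries the attribute, an exception raised while decoding would still record the raw key material in the callee's frame. I would annotate the polyfill's first parameter the same way, e.g. `#[SensitiveParameter] string $encoded` (the parameter name is a placeholder; its signature is not shown on this page). The body of `base64Encoded()` continues past the end of the hunk, so later uses of `$decoded` could not be checked here.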

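--- a/src/Signer/OpenSSL.php
+++ b/src/Signer/OpenSSL.php
@@ -5,6 +5,7 @@
 
 use Lcobucci\JWT\Signer;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function array_key_exists;
 use function assert;
@@ -40,7 +41,9 @@ abstract class OpenSSL implements Signer
 * @throws InvalidKeyProvided
 */
 final protected function createSignature(
+#[SensitiveParameter]
 string $pem,
+#[SensitiveParameter]
 string $passphrase,
 string $payload,
 ): string {
@@ -56,8 +59,12 @@ final protected function createSignature(
 }
 
 /** @throws CannotSignPayload */
-private function getPrivateKey(string $pem, string $passphrase): OpenSSLAsymmetricKey
-{
+private function getPrivateKey(
+#[SensitiveParameter]
+string $pem,
+#[SensitiveParameter]
+string $passphrase,
+): OpenSSLAsymmetricKey {
 return $this->validateKey(openssl_pkey_get_private($pem, $passphrase));
 }
 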
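Review bot: Callers of `createSignature()` still carry the key material in their own frames, because the attributes added here redact only the `createSignature()` and `getPrivateKey()` frames. Those callers are outside this hunk and presumably receive a `Key` object; `InMemory` exposes `contents` and `passphrase` as public readonly properties (see the other file in this commit). An error handler that dumps argument objects from `getTrace()` would then still reach the PEM and passphrase through that object. Consider marking the key parameter on those callers as well, e.g. `#[SensitiveParameter] Key $key`. The body of `createSignature()` lies outside the visible hunk lines.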