feat: add ed25519 support to JWK (public keys)

[edudobay]

Ed25519 key support has been added in #343 for the "standard" key format, but not yet for JWKs. (I'm opening a new PR, as I had previously opened #414 against a different base branch.)

Reference documentation: RFC8037

[bshaffer]

Thank you for submitting this! I have some technical questions, as well as some issues with the implementation here. Hopefully we can get this feature merged!

[bshaffer]

This naming is confusing to me. For key type OKP, the spec says

The parameter "x" MUST be present and contain the public key
encoded using the base64url [RFC4648] encoding.

This links to another spec which says

This encoding may be referred to as "base64url". This encoding
should not be regarded as the same as the "base64" encoding and
should not be referred to as only "base64"

I think it would be better to call this base64UrlDecode

[edudobay]

I've renamed the function to convertBase64urlToBase64. Do you think it's clearer?

It doesn't actually decode base64 data, it just translates from base64url to base64 so that the PHP base64_decode function can be used.

[bshaffer]

I am unfamiliar with OKPs, but by looking at this example, those values contain an "alg" of EdDSA instead of using the clunky mapping. I'd prefer to keep the algorithm explicit, and require it like we do everywhere else.

[edudobay]

I've reverted to the original version where the algorithm is always required. I see that the library opted for always requiring an explicit algorithm.

[bshaffer]

This is strange to me, as the values here aren't curves, but algorithms. I am not convinced this is the correct implementation.

[edudobay]

I've rephrased the concepts to call these "key subtypes", as section 2 of RFC 8037 calls it.

[bshaffer]

I am confused because there is no action taken as far as implementing decoding a key with ed25519. The JWK class is base64url-decoding the key, and (I am assuming) relying on the to default behavior of sodium_crypto to accept this as ed25519. There are other possible values here, however, so I think at the very least this needs to throw an exception if crv is not ed25519.

[edudobay]

Yes, the sodium_crypto functions that are used by the library work specifically with ed25519.

If an unsupported crv is provided, an exception will be thrown a few lines above with the message Unrecognised or unsupported OKP key subtype.

[alecsammon]

This PR would be really useful for us.

@edudobay - do you have time to get this updated and the questions responded to, or instead would you be happy if I took it forward?

I've tested the branch with our code bases and everything looks to work correctly.

Thank you!

[edudobay]

Hi! Sorry for the delay, I've addressed the issues you commented, and I think it's clearer and cleaner now.

I was wondering if it would be useful to throw an exception if the provided alg is not supported for the given kty (for example, alg=RS256 and kty=OKP). But this verification does not yet exist for the other key types, so I guess this would be the scope of a future PR.

In that case, the mismatch would fall down to the crypto function layer — it would either give an error because the given key is invalid for the given algorithm, or encrypt with the wrong algorithm if by chance the same key is valid for different algorithms.

[bshaffer]

This looks great! Just one minor change and we can merge this!

Thanks again for your contribution.

[bshaffer]

The tests say this needs to contain an "alg" parameter! Either that or you can refactor the tests to use the $defaultAlg argument

[edudobay]

Added the parameter.

[edudobay]

@bshaffer I've addressed the final comments, so I think this is ready now :)