pdsinterop · ylebre · Feb 28, 2021 · Feb 26, 2021
diff --git a/composer.json b/composer.json
@@ -30,7 +30,8 @@
     "ext-json": "*",
     "ext-mbstring": "*",
     "ext-openssl": "*",
-    "league/oauth2-server": "^8.1"
+    "league/oauth2-server": "^8.1",
+    "web-token/jwt-core": "^2.2"
   },
   "require-dev": {
     "ext-xdebug": "*",

diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
@@ -5,7 +5,9 @@
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\ValidationData;
-use CoderCat\JWKToPEM\JWKConverter;
+use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\ECKey;
+use Jose\Component\Core\Util\RSAKey;
 
 class DPop {
 	public function getWebId($request) {
@@ -111,17 +113,25 @@ private function validateDpop($dpop, $request) {
 		if ($alg == "none") {
 			throw new \Exception("alg is none");
 		}
-		if ($alg != "RS256") {
-			throw new \Exception("alg is not supported");
-		}
 
 		//error_log("5");
 		// 5.  that the JWT is signed using the public key contained in the
 		//     "jwk" header of the JWT,
 		$jwk = $dpop->getHeader("jwk");
-		$jwkConverter = new JWKConverter();
-		$pem = $jwkConverter->toPEM(json_decode(json_encode($jwk), true));
-		$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
+		$webTokenJwk = \Jose\Component\Core\JWK::createFromJson(json_encode($jwk));
+		switch ($alg) {
+			case "RS256":
+				$pem = \Jose\Component\Core\Util\RSAKey::createFromJWK($webTokenJwk)->toPEM();
+				$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
+			break;
+			case "ES256":
+				$pem = \Jose\Component\Core\Util\ECKey::convertToPEM($webTokenJwk);
+				$signer = new \Lcobucci\JWT\Signer\Ecdsa\Sha256();
+			break;
+			default:
+				throw new \Exception("unsupported algorithm");
+			break;
+		}
 		$key = new \Lcobucci\JWT\Signer\Key($pem);
 		if (!$dpop->verify($signer, $key)) {
 			throw new \Exception("invalid signature");