N°9319 increase php min. version to 8.2 (#887)

* Update minimum PHP version to 8.2
* Fix previous wrong resolution of merge conflict

lib/firebase/php-jwt/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [7.0.5](https://github.com/firebase/php-jwt/compare/v7.0.4...v7.0.5) (2026-03-31)
+
+
+### Bug Fixes
+
+* RSA from JWK sometimes returns empty Instance ([#628](https://github.com/firebase/php-jwt/issues/628)) ([b4c78aa](https://github.com/firebase/php-jwt/commit/b4c78aa731664122198ad36c0033aa29e807397a))
+
+## [7.0.4](https://github.com/firebase/php-jwt/compare/v7.0.3...v7.0.4) (2026-03-27)
+
+
+### Bug Fixes
+
+* readme examples, add tests for all examples ([#626](https://github.com/firebase/php-jwt/issues/626)) ([510a00c](https://github.com/firebase/php-jwt/commit/510a00c0e6353bc7d68412fab67e57a13954cb46))
+* use urlsafeB64Decode everywhere ([#627](https://github.com/firebase/php-jwt/issues/627)) ([b889495](https://github.com/firebase/php-jwt/commit/b889495c83ddc3f3885ca3f0b65b41b1cb37a3b1))
+
 ## [7.0.3](https://github.com/firebase/php-jwt/compare/v7.0.2...v7.0.3) (2026-02-18)
 
 

lib/firebase/php-jwt/README.md

@@ -23,16 +23,16 @@ php env does not have libsodium installed:
 composer require paragonie/sodium_compat
 ```
 
-Example
--------
+## Example
+
 ```php
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
 
-$key = 'example_key';
+$key = 'example_key_of_sufficient_length';
 $payload = [
-    'iss' => 'http://example.org',
-    'aud' => 'http://example.com',
+    'iss' => 'example.org',
+    'aud' => 'example.com',
     'iat' => 1356999524,
     'nbf' => 1357000000
 ];
@@ -69,8 +69,9 @@ $decoded_array = (array) $decoded;
 JWT::$leeway = 60; // $leeway in seconds
 $decoded = JWT::decode($jwt, new Key($key, 'HS256'));
 ```
-Example encode/decode headers
--------
+
+## Example encode/decode headers
+
 Decoding the JWT headers without verifying the JWT first is NOT recommended, and is not supported by
 this library. This is because without verifying the JWT, the header values could have been tampered with.
 Any value pulled from an unverified header should be treated as if it could be any string sent in from an
@@ -80,10 +81,10 @@ header part:
 ```php
 use Firebase\JWT\JWT;
 
-$key = 'example_key';
+$key = 'example_key_of_sufficient_length';
 $payload = [
-    'iss' => 'http://example.org',
-    'aud' => 'http://example.com',
+    'iss' => 'example.org',
+    'aud' => 'example.com',
     'iat' => 1356999524,
     'nbf' => 1357000000
 ];
@@ -103,8 +104,9 @@ $decoded = json_decode(base64_decode($headersB64), true);
 
 print_r($decoded);
 ```
-Example with RS256 (openssl)
-----------------------------
+
+## Example with RS256 (openssl)
+
 ```php
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
@@ -172,8 +174,7 @@ $decoded_array = (array) $decoded;
 echo "Decode:\n" . print_r($decoded_array, true) . "\n";
 ```
 
-Example with a passphrase
--------------------------
+## Example with a passphrase
 
 ```php
 use Firebase\JWT\JWT;
@@ -209,8 +210,8 @@ $decoded = JWT::decode($jwt, new Key($publicKey, 'RS256'));
 echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
 ```
 
-Example with EdDSA (libsodium and Ed25519 signature)
-----------------------------
+## Example with EdDSA (libsodium and Ed25519 signature)
+
 ```php
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
@@ -238,21 +239,21 @@ echo "Encode:\n" . print_r($jwt, true) . "\n";
 
 $decoded = JWT::decode($jwt, new Key($publicKey, 'EdDSA'));
 echo "Decode:\n" . print_r((array) $decoded, true) . "\n";
-````
+```
+
+## Example with multiple keys
 
-Example with multiple keys
---------------------------
 ```php
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
 
 // Example RSA keys from previous example
-// $privateKey1 = '...';
-// $publicKey1 = '...';
+// $privateRsKey = '...';
+// $publicRsKey = '...';
 
 // Example EdDSA keys from previous example
-// $privateKey2 = '...';
-// $publicKey2 = '...';
+// $privateEcKey = '...';
+// $publicEcKey = '...';
 
 $payload = [
     'iss' => 'example.org',
@@ -261,14 +262,14 @@ $payload = [
     'nbf' => 1357000000
 ];
 
-$jwt1 = JWT::encode($payload, $privateKey1, 'RS256', 'kid1');
-$jwt2 = JWT::encode($payload, $privateKey2, 'EdDSA', 'kid2');
+$jwt1 = JWT::encode($payload, $privateRsKey, 'RS256', 'kid1');
+$jwt2 = JWT::encode($payload, $privateEcKey, 'EdDSA', 'kid2');
 echo "Encode 1:\n" . print_r($jwt1, true) . "\n";
 echo "Encode 2:\n" . print_r($jwt2, true) . "\n";
 
 $keys = [
-    'kid1' => new Key($publicKey1, 'RS256'),
-    'kid2' => new Key($publicKey2, 'EdDSA'),
+    'kid1' => new Key($publicRsKey, 'RS256'),
+    'kid2' => new Key($publicEcKey, 'EdDSA'),
 ];
 
 $decoded1 = JWT::decode($jwt1, $keys);
@@ -278,8 +279,7 @@ echo "Decode 1:\n" . print_r((array) $decoded1, true) . "\n";
 echo "Decode 2:\n" . print_r((array) $decoded2, true) . "\n";
 ```
 
-Using JWKs
-----------
+## Using JWKs
 
 ```php
 use Firebase\JWT\JWK;
@@ -291,11 +291,11 @@ $jwks = ['keys' => []];
 
 // JWK::parseKeySet($jwks) returns an associative array of **kid** to Firebase\JWT\Key
 // objects. Pass this as the second parameter to JWT::decode.
-JWT::decode($jwt, JWK::parseKeySet($jwks));
+$decoded = JWT::decode($jwt, JWK::parseKeySet($jwks));
+print_r($decoded);
 ```
 
-Using Cached Key Sets
----------------------
+## Using Cached Key Sets
 
 The `CachedKeySet` class can be used to fetch and cache JWKS (JSON Web Key Sets) from a public URI.
 This has the following advantages:
@@ -315,7 +315,7 @@ $jwksUri = 'https://www.gstatic.com/iap/verify/public_key-jwk';
 $httpClient = new GuzzleHttp\Client();
 
 // Create an HTTP request factory (can be any PSR-17 compatible HTTP request factory)
-$httpFactory = new GuzzleHttp\Psr\HttpFactory();
+$httpFactory = new GuzzleHttp\Psr7\HttpFactory();
 
 // Create a cache item pool (can be any PSR-6 compatible cache item pool)
 $cacheItemPool = Phpfastcache\CacheManager::getInstance('files');
@@ -406,8 +406,8 @@ Tests
 Run the tests using phpunit:
 
 ```bash
-$ pear install PHPUnit
-$ phpunit --configuration phpunit.xml.dist
+$ composer update
+$ vendor/bin/phpunit -c phpunit.xml.dist
 PHPUnit 3.7.10 by Sebastian Bergmann.
 .....
 Time: 0 seconds, Memory: 2.50Mb

lib/firebase/php-jwt/composer.json

@@ -37,6 +37,7 @@
         "phpunit/phpunit": "^9.5",
         "psr/cache": "^2.0||^3.0",
         "psr/http-client": "^1.0",
-        "psr/http-factory": "^1.0"
+        "psr/http-factory": "^1.0",
+        "phpfastcache/phpfastcache": "^9.2"
     }
 }

lib/firebase/php-jwt/src/CachedKeySet.php

@@ -180,7 +180,8 @@ class CachedKeySet implements ArrayAccess
             $jwksResponse = $this->httpClient->sendRequest($request);
             if ($jwksResponse->getStatusCode() !== 200) {
                 throw new UnexpectedValueException(
-                    \sprintf('HTTP Error: %d %s for URI "%s"',
+                    \sprintf(
+                        'HTTP Error: %d %s for URI "%s"',
                         $jwksResponse->getStatusCode(),
                         $jwksResponse->getReasonPhrase(),
                         $this->jwksUri,

lib/firebase/php-jwt/src/JWK.php

@@ -240,6 +240,14 @@ class JWK
     ): string {
         $mod = JWT::urlsafeB64Decode($n);
         $exp = JWT::urlsafeB64Decode($e);
+        // Correct encoding for ASN1, as ints are represented as unsigned in jwk
+        // but signed in ASN1. Prepending null byte makes it unsigned.
+        if (\strlen($mod) > 0 && \ord($mod[0]) >= 128) {
+            $mod = \chr(0) . $mod;
+        }
+        if (\strlen($exp) > 0 && \ord($exp[0]) >= 128) {
+            $exp = \chr(0) . $exp;
+        }
 
         $modulus = \pack('Ca*a*', 2, self::encodeLength(\strlen($mod)), $mod);
         $publicExponent = \pack('Ca*a*', 2, self::encodeLength(\strlen($exp)), $exp);

lib/firebase/php-jwt/src/JWT.php

@@ -31,7 +31,7 @@ class JWT
     private const ASN1_SEQUENCE = 0x10;
     private const ASN1_BIT_STRING = 0x03;
 
-    private const RSA_KEY_MIN_LENGTH=2048;
+    private const RSA_KEY_MIN_LENGTH = 2048;
 
     /**
      * When checking nbf, iat or expiration times,
@@ -284,20 +284,8 @@ class JWT
                 }
                 return $signature;
             case 'sodium_crypto':
-                if (!\function_exists('sodium_crypto_sign_detached')) {
-                    throw new DomainException('libsodium is not available');
-                }
-                if (!\is_string($key)) {
-                    throw new InvalidArgumentException('key must be a string when using EdDSA');
-                }
                 try {
-                    // The last non-empty line is used as the key.
-                    $lines = array_filter(explode("\n", $key));
-                    $key = base64_decode((string) end($lines));
-                    if (\strlen($key) === 0) {
-                        throw new DomainException('Key cannot be empty string');
-                    }
-                    return sodium_crypto_sign_detached($msg, $key);
+                    return sodium_crypto_sign_detached($msg, self::validateEdDSAKey($key));
                 } catch (Exception $e) {
                     throw new DomainException($e->getMessage(), 0, $e);
                 }
@@ -352,19 +340,8 @@ class JWT
                     'OpenSSL error: ' . \openssl_error_string()
                 );
             case 'sodium_crypto':
-                if (!\function_exists('sodium_crypto_sign_verify_detached')) {
-                    throw new DomainException('libsodium is not available');
-                }
-                if (!\is_string($keyMaterial)) {
-                    throw new InvalidArgumentException('key must be a string when using EdDSA');
-                }
                 try {
-                    // The last non-empty line is used as the key.
-                    $lines = array_filter(explode("\n", $keyMaterial));
-                    $key = base64_decode((string) end($lines));
-                    if (\strlen($key) === 0) {
-                        throw new DomainException('Key cannot be empty string');
-                    }
+                    $key = self::validateEdDSAKey($keyMaterial);
                     if (\strlen($signature) === 0) {
                         throw new DomainException('Signature cannot be empty string');
                     }
@@ -473,7 +450,6 @@ class JWT
         return \str_replace('=', '', \strtr(\base64_encode($input), '+/', '-_'));
     }
 
-
     /**
      * Determine if an algorithm has been provided for each Key
      *
@@ -745,4 +721,25 @@ class JWT
             throw new DomainException('Provided key is too short');
         }
     }
+
+    /**
+     * @param string|OpenSSLAsymmetricKey|OpenSSLCertificate  $keyMaterial
+     * @return non-empty-string
+     */
+    private static function validateEdDSAKey(#[\SensitiveParameter] $keyMaterial): string
+    {
+        if (!\function_exists('sodium_crypto_sign_verify_detached')) {
+            throw new DomainException('libsodium is not available');
+        }
+        if (!\is_string($keyMaterial)) {
+            throw new InvalidArgumentException('key must be a string when using EdDSA');
+        }
+        // The last non-empty line is used as the key.
+        $lines = array_filter(explode("\n", $keyMaterial));
+        $key = self::urlsafeB64Decode((string) end($lines));
+        if (\strlen($key) === 0) {
+            throw new DomainException('Key cannot be empty string');
+        }
+        return $key;
+    }
 }