Newsgroups: php.internals
Xref: news.php.net php.internals:119246
Message-ID: <84c781cb-3c9c-fdc5-029e-0824fa444deb@eamann.com>
Date: Mon, 9 Jan 2023 11:39:08 -0800
To: internals@lists.php.net
Reply-To: Eric Mann
Subject: Re: [PHP-DEV] base64url format
From: internals@lists.php.net ("Eric Mann via internals")

I'm in support of such a feature, but would strongly advocate for an
additional parameter to flag whether or not to include the trailing `=`
pad. The trailing pad is optional according to RFC 4648, so I think
leaving it off by default would be the ideal use case, but an optional
`include_padding` flag or something along those lines would be helpful.

On 1/9/23 10:49 AM, Sara Golemon wrote:
> I've been working with JWTs lately and that means working with Base64URL
> format. (Ref: https://www.rfc-editor.org/rfc/rfc4648#section-5)
> This is essentially the same thing as normal Base64, but instead of '+' and
> '/', it uses '-' and '_', respectively. It also allows leaving off the
> trailing '=' padding characters.
>
> So far, I've just been including polyfills like this:
>
> function base64url_decode(string $str): string {
>     // str_pad() takes the total target length, not the number of pad characters
>     $len = strlen($str) + (4 - (strlen($str) % 4)) % 4;
>     return base64_decode(str_pad(strtr($str, '-_', '+/'), $len, '='));
> }
>
> function base64url_encode(string $str): string {
>     return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
> }
>
> These work fine, but they create a LOT of string copies along the way which
> shouldn't be necessary.
> Would anyone mind if I skipped RFC and just added `base64url_encode()` and
> `base64url_decode()` to PHP 8.3?
>
> Can hold a vote if anyone objects, but this seems fairly non-controversial.
>
> -Sara

--
Security Principles for PHP Applications
*Eric Mann*
Tekton
*PGP:* 0x63F15A9B715376CA
*P:* 503.925.6266
*E:* eric@eamann.com
eamann.com
ttmm.io
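
An added example, not part of the thread and not the implementation proposed for PHP core: a userland encoder with the optional padding flag suggested above, paired with a strict decoder of the kind a JWT verifier would want, so that each byte string has exactly one accepted unpadded text form. The function names and the `$includePadding` parameter are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; these are not functions that exist in PHP core.
function example_base64url_encode(string $bin, bool $includePadding = false): string
{
    $out = strtr(base64_encode($bin), '+/', '-_');
    return $includePadding ? $out : rtrim($out, '=');
}

// Returns the decoded bytes, or null when the input is not canonical base64url.
function example_base64url_decode_strict(string $text): ?string
{
    // Only the URL-safe alphabet, followed by at most two '=' characters.
    // \z (not $) so a trailing newline is not silently accepted.
    if (preg_match('/\A[A-Za-z0-9_-]*={0,2}\z/', $text) !== 1) {
        return null;
    }
    $body = rtrim($text, '=');
    $rem = strlen($body) % 4;
    if ($rem === 1) {
        return null; // no byte sequence encodes to this length
    }
    // Padding is optional, but when present it must be the exact amount.
    $needed = (4 - $rem) % 4;
    $padLen = strlen($text) - strlen($body);
    if ($padLen !== 0 && $padLen !== $needed) {
        return null;
    }
    $bin = base64_decode(strtr($body, '-_', '+/') . str_repeat('=', $needed), true);
    if ($bin === false) {
        return null;
    }
    // Reject non-zero trailing bits: "QR" would otherwise decode like "QQ".
    return example_base64url_encode($bin) === $body ? $bin : null;
}

// Constructed sample inputs: valid, padded, non-canonical, wrong padding,
// impossible length, standard-alphabet characters, URL-safe characters, newline.
$samples = ['QQ', 'QQ==', 'QR', 'QQ=', 'Q', 'a+b/', '_-8', "QQ\n"];
foreach ($samples as $s) {
    $r = example_base64url_decode_strict($s);
    printf("%-8s => %s\n", json_encode($s), $r === null ? 'rejected' : bin2hex($r));
}
var_dump(example_base64url_encode("\xfb\xff", true));
var_dump(example_base64url_encode("\xfb\xff"));
```

The re-encode comparison is the step that the plain `strtr` plus `base64_decode` polyfill lacks: without it, several distinct strings map to the same bytes, which matters when the encoded text itself is compared, cached or logged as an identifier.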