Newsgroups: php.internals
Xref: news.php.net php.internals:119248
Date: Mon, 9 Jan 2023 22:12:43 +0100
To: Tim Düsterhus
Cc: Sara Golemon, PHP internals
Subject: Re: [PHP-DEV] base64url format
From: divinity76@gmail.com (Hans Henrik Bergan)

when http_build_query() wanted to support different encoding schemes,
PHP_QUERY_RFC1738 and PHP_QUERY_RFC3986 were made, instead of creating
http_build_query_rfc1738() and http_build_query_rfc3986(), hmm

On Mon, 9 Jan 2023 at 21:12, Tim Düsterhus wrote:
>
> Hi
>
> On 1/9/23 19:49, Sara Golemon wrote:
> > I've been working with JWTs lately and that means working with Base64URL
> > format. (Ref: https://www.rfc-editor.org/rfc/rfc4648#section-5 )
> > This is essentially the same thing as normal Base64, but instead of '+' and
> > '/', it uses '-' and '_', respectively. It also allows leaving off the
> > trailing '=' padding characters.
> >
>
> With JWTs you likely also want a constant time encoder that is not
> susceptible to cache-timing leaks [1]. For this reason
> https://github.com/paragonie/constant_time_encoding is a must-have
> dependency for my projects and I generally use the functions of that
> library by default, unless there is a reason not to (high performance
> required). That library also includes a b32 implementation that cmb wished.
>
> There's also
> https://www.php.net/manual/en/function.sodium-bin2base64.php which is
> constant-time and supports b64url, unfortunately it's not guaranteed to
> be available.
>
> Best regards
> Tim Düsterhus
>
> [1] It's likely more important for encrypted tokens, than only for
> signed ones.
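Added example, not code from the thread or from any library named in it: a Base64URL encoder/decoder that takes the ext/sodium path mentioned above when the extension is loaded and otherwise falls back to `strtr()` over `base64_encode()`. The function names `base64url_encode()` and `base64url_decode()` are hypothetical, and the fallback path makes no constant-time claim.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; these are not PHP core functions.

function base64url_encode(string $bin): string
{
    if (function_exists('sodium_bin2base64')) {
        // ext/sodium path, described in the thread as constant-time.
        return sodium_bin2base64($bin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }
    // Fallback, not constant-time: '+' -> '-', '/' -> '_', drop '=' padding.
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $text): string
{
    // Accept only the RFC 4648 section 5 alphabet plus optional trailing '='.
    // This rejects '+' and '/', so standard Base64 is not silently accepted.
    if (!preg_match('/^[A-Za-z0-9_-]*={0,2}$/D', $text)) {
        throw new InvalidArgumentException('input is not base64url');
    }
    $text = rtrim($text, '=');
    if ($text === '') {
        return '';
    }
    // A remainder of 1 can never result from encoding whole bytes.
    if (strlen($text) % 4 === 1) {
        throw new InvalidArgumentException('impossible base64url length');
    }
    if (function_exists('sodium_base642bin')) {
        // Throws SodiumException on malformed input.
        return sodium_base642bin($text, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }
    // Fallback: map back to the standard alphabet and restore the padding.
    $padded = strtr($text, '-_', '+/') . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $bin = base64_decode($padded, true);
    if ($bin === false) {
        throw new InvalidArgumentException('input is not base64url');
    }
    return $bin;
}

// Constructed sample: bytes whose standard Base64 form contains '+', '/' and '='.
$raw = "\xfb\xef\xff\xfe";
$enc = base64url_encode($raw);
var_dump(base64_encode($raw), $enc, base64url_decode($enc) === $raw);
```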