From 5fdd2d7da9ab00e33309707666bc8233d0fd1673 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Kooman?= Date: Sat, 22 Aug 2020 21:32:53 +0200 Subject: [PATCH] cleanup README --- README.md | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index e23ac83..64329dd 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,8 @@ supporting every nook and cranny of the specification. # How? * Only supports `RS256`, `HS256` and `EdDSA` through separate classes, the - header is _NOT_ used to determine the algorithm when verifying signatures; + header is _NOT_ used to determine the algorithm when verifying signatures, + actually, the header is only inspected *after* verifying the signature; * All keys are validated before use and wrapped in "Key" objects to make sure they are of the correct format. Helper methods are provided to load / save / generate keys; @@ -41,23 +42,14 @@ supporting every nook and cranny of the specification. * Verifies the `exp` and `nbf` payload field if present to make sure the token is already and still valid. -# Versions - -| Version | PHP | OS | -|---------|--------|-----------------------------------| -| 1.x | >= 5.4 | CentOS >= 7 (+EPEL), Debian >= 9 | -| 2.x | >= 7.2 | CentOS >= 8 (+EPEL), Debian >= 10 | - # Requirements * PHP >= 5.4.8 * `php-hash` (for `HS256`) * `php-openssl` (for `RS256`) -* `php-pecl-libsodium` with PHP < 7.2 or `php-sodium` with PHP >= 7.2 - (for `EdDSA`) -On modern PHP versions only `paragonie/constant_time_encoding` is a dependency, -on older versions some polyfills are used. See `composer.json`. +Installing `php-sodium` (PHP >= 7.2) or `php-libsodium` packages, (PHP < 7.2) +are highly recommended when using `EdDSA`. ## Use @@ -78,7 +70,7 @@ be added in the future. In your `composer.json`: }, You can also download the signed source code archive -[here](https://software.tuxed.net/php-jwt/download.html). +[here](https://src.tuxed.net/php-jwt/). # Keys 
@@ -90,15 +82,16 @@ any other way unless you know what you are doing! Use the `openssl` command line to generate they public and private key: ```bash -$ openssl genrsa --out rsa.key 2048 +$ openssl genrsa --out rsa.key 3072 $ openssl rsa -in rsa.key -pubout -out rsa.pub ``` The RSA key MUST have -[at least](https://tools.ietf.org/html/rfc7518#section-4.2) 2048 bits. The -above command will generate a private key in `rsa.key` and the public key in -`rsa.pub`. Those files can be used with the `PublicKey` and `PrivateKey` key -wrapping classes. +[at least](https://tools.ietf.org/html/rfc7518#section-4.2) 2048 bits. It is +highly recommended to use at least 3072 when you plan to use the same key for +the next couple of years. The above command will generate a private key in +`rsa.key` and the public key in `rsa.pub`. Those files can be used with the +`PublicKey` and `PrivateKey` key wrapping classes. To inspect a public key: -- 2.45.2
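Review bot: In the first hunk (`@@ -31,7`) the new clause "verifying signatures, actually, the header is only inspected *after* verifying the signature" turns the bullet into a run-on and the "actually" reads as an afterthought rather than the security guarantee it is. Suggest splitting it: "the header is _NOT_ used to determine the algorithm when verifying signatures; the header is only inspected *after* the signature has been verified;" so the point that the algorithm choice never depends on attacker-controlled header data stands on its own.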
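Review bot: In the second hunk (`@@ -41,23`) the requirement list loses the libsodium line and the replacement sentence no longer says what happens for `EdDSA` without it: the removed text stated that polyfills are used on older PHP and pointed at `composer.json`, while the new text only says the sodium packages "are highly recommended". Either state that `EdDSA` falls back to a polyfill when the extension is absent, or keep the extension as a hard requirement for `EdDSA` in the list. Two smaller points in the same hunk: the package was previously named `php-pecl-libsodium` and is now `php-libsodium`, which should be deliberate, and the new sentence has a grammar slip ("Installing ... packages, (PHP < 7.2) are highly recommended"); suggest "Installing `php-sodium` (PHP >= 7.2) or `php-libsodium` (PHP < 7.2) is highly recommended when using `EdDSA`." Dropping the Versions table also removes the only statement of which PHP versions the 1.x and 2.x branches support; if the table is unwanted, a one-line note per branch would preserve that.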
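Review bot: In the third hunk (`@@ -78,7`) the link target moves from `https://software.tuxed.net/php-jwt/download.html` to `https://src.tuxed.net/php-jwt/` but the link text still promises a "signed source code archive"; if the new location is a source browser rather than a download page with signatures, the sentence should say how the archive and its signature are obtained there, since the signature is what lets users verify what they install.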
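Review bot: In the fourth hunk (`@@ -90,15`) the recommendation "use at least 3072 when you plan to use the same key for the next couple of years" is missing its unit; suggest "at least 3072 bits" so it matches the "2048 bits" minimum stated just before it. Since the `openssl genrsa` line is being edited anyway, the option is conventionally spelled `-out` (single dash) as in the `openssl rsa` line below it and in the OpenSSL manual; the double-dash form is accepted by the tool but inconsistent within the same snippet.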