Updated changelog

Removed chmod from CryptKey and add toggle to disable checking

.travis.yml

@@ -7,8 +7,6 @@ cache:
   - vendor
 
 php:
-  - 5.5.9
-  - 5.5
   - 5.6
   - 7.0
   - 7.1

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 6.0.2 (released 2017-08-03)
+
+* An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
+* Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
+* Fixes invalid code challenge method payload key name (Issue #777)
+
+## 6.0.1 (released 2017-07-19)
+
+To address feedback from the security release the following change has been made:
+  
+* If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
+
+## 6.0.0 (released 2017-07-01)
+
+* Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
+* Remove support for HHVM
+* Remove support for PHP 5.5
+
 ## 5.1.4 (released 2017-07-01)
 
 * Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 Thanks for contributing to this project.
 
 
-**Please submit your pull request against the `develop` branch only.**
+**Please submit your pull request against the `master` branch only.**
 
 
 Please ensure that you run `phpunit` from the project root after you've made any changes.

README.md

@@ -3,7 +3,7 @@
 ### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
 ### Security Notice 
 
-### Please upgrade to version `>=5.1.4` (backwards compatible) or `6.x` (one tiny breaking change) to fix some potential security vulnerabilities 
+### Please upgrade to version `>=5.1.4` (backwards compatible) or `6.x` (one tiny breaking change) to fix some potential security vulnerabilities - [visit this page for more information](https://oauth2.thephpleague.com/v5-security-improvements/)
 ### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
 
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
@@ -36,11 +36,9 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 
 The following versions of PHP are supported:
 
-* PHP 5.5 (>=5.5.9)
 * PHP 5.6
 * PHP 7.0
 * PHP 7.1
-* HHVM
 
 The `openssl` extension is also required.
 

composer.json

@@ -4,7 +4,7 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": ">=5.5.9",
+        "php": ">=5.6.0",
         "ext-openssl": "*",
         "league/event": "^2.1",
         "lcobucci/jwt": "^3.1",
@@ -14,8 +14,7 @@
     },
     "require-dev": {
         "phpunit/phpunit": "^4.8 || ^5.0",
-        "zendframework/zend-diactoros": "^1.0",
+        "zendframework/zend-diactoros": "^1.0"
-        "indigophp/hash-compat": "^1.1"
     },
     "repositories": [
         {
@@ -60,13 +59,5 @@
         "psr-4": {
             "LeagueTests\\": "tests/"
         }
-    },
-    "extra": {
-        "branch-alias": {
-            "dev-V5-WIP": "5.0-dev"
-        }
-    },
-    "suggest": {
-        "indigophp/hash-compat": "Polyfill for hash_equals function for PHP 5.5"
     }
 }

examples/public/auth_code.php

@@ -36,7 +36,6 @@ $app = new App([
         $refreshTokenRepository = new RefreshTokenRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
         $server = new AuthorizationServer(
@@ -44,9 +43,8 @@ $app = new App([
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
-        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 
         // Enable the authentication code grant on the server with a token TTL of 1 hour
         $server->enableGrantType(

examples/public/client_credentials.php

@@ -32,7 +32,6 @@ $app = new App([
         // Path to public and private keys
         $privateKey = 'file://' . __DIR__ . '/../private.key';
         //$privateKey = new CryptKey('file://path/to/private.key', 'passphrase'); // if private key has a pass phrase
-        $publicKey = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
         $server = new AuthorizationServer(
@@ -40,9 +39,8 @@ $app = new App([
             $accessTokenRepository,
             $scopeRepository,
             $privateKey,
-            $publicKey
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
-        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 
         // Enable the client credentials grant on the server
         $server->enableGrantType(

examples/public/implicit.php

@@ -32,7 +32,6 @@ $app = new App([
         $accessTokenRepository = new AccessTokenRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
         $server = new AuthorizationServer(
@@ -40,7 +39,7 @@ $app = new App([
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
         $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 

examples/public/middleware_use.php

@@ -38,7 +38,6 @@ $app = new App([
         $refreshTokenRepository = new RefreshTokenRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
         $server = new AuthorizationServer(
@@ -46,9 +45,8 @@ $app = new App([
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
-        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 
         // Enable the authentication code grant on the server with a token TTL of 1 hour
         $server->enableGrantType(

examples/public/password.php

@@ -24,9 +24,8 @@ $app = new App([
             new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
             new ScopeRepository(),                  // instance of ScopeRepositoryInterface
             'file://' . __DIR__ . '/../private.key',    // path to private key
-            'file://' . __DIR__ . '/../public.key'      // path to public key
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'      // encryption key
         );
-        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 
         $grant = new PasswordGrant(
             new UserRepository(),           // instance of UserRepositoryInterface

examples/public/refresh_token.php

@@ -32,7 +32,6 @@ $app = new App([
         $refreshTokenRepository = new RefreshTokenRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
         $server = new AuthorizationServer(
@@ -40,9 +39,8 @@ $app = new App([
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
-        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
 
         // Enable the refresh token grant on the server
         $grant = new RefreshTokenGrant($refreshTokenRepository);

src/AuthorizationServer.php

@@ -3,7 +3,6 @@
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
- *
  * @link        https://github.com/thephpleague/oauth2-server
  */
 
@@ -26,8 +25,6 @@ class AuthorizationServer implements EmitterAwareInterface
 {
     use EmitterAwareTrait;
 
-    const ENCRYPTION_KEY_ERROR = 'You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/';
-
     /**
      * @var GrantTypeInterface[]
      */
@@ -80,7 +77,7 @@ class AuthorizationServer implements EmitterAwareInterface
      * @param AccessTokenRepositoryInterface $accessTokenRepository
      * @param ScopeRepositoryInterface       $scopeRepository
      * @param CryptKey|string                $privateKey
-     * @param CryptKey|string                $publicKey
+     * @param string                         $encryptionKey
      * @param null|ResponseTypeInterface     $responseType
      */
     public function __construct(
@@ -88,7 +85,7 @@ class AuthorizationServer implements EmitterAwareInterface
         AccessTokenRepositoryInterface $accessTokenRepository,
         ScopeRepositoryInterface $scopeRepository,
         $privateKey,
-        $publicKey,
+        $encryptionKey,
         ResponseTypeInterface $responseType = null
     ) {
         $this->clientRepository = $clientRepository;
@@ -100,24 +97,10 @@ class AuthorizationServer implements EmitterAwareInterface
         }
         $this->privateKey = $privateKey;
 
-        if ($publicKey instanceof CryptKey === false) {
+        $this->encryptionKey = $encryptionKey;
-            $publicKey = new CryptKey($publicKey);
-        }
-        $this->publicKey = $publicKey;
-
         $this->responseType = $responseType;
     }
 
-    /**
-     * Set the encryption key
-     *
-     * @param string $key
-     */
-    public function setEncryptionKey($key)
-    {
-        $this->encryptionKey = $key;
-    }
-
     /**
      * Enable a grant type on the server.
      *
@@ -134,14 +117,7 @@ class AuthorizationServer implements EmitterAwareInterface
         $grantType->setClientRepository($this->clientRepository);
         $grantType->setScopeRepository($this->scopeRepository);
         $grantType->setPrivateKey($this->privateKey);
-        $grantType->setPublicKey($this->publicKey);
         $grantType->setEmitter($this->getEmitter());
-
-        if ($this->encryptionKey === null) {
-            // @codeCoverageIgnoreStart
-            error_log(self::ENCRYPTION_KEY_ERROR);
-            // @codeCoverageIgnoreEnd
-        }
         $grantType->setEncryptionKey($this->encryptionKey);
 
         $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
@@ -159,12 +135,6 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     public function validateAuthorizationRequest(ServerRequestInterface $request)
     {
-        if ($this->encryptionKey === null) {
-            // @codeCoverageIgnoreStart
-            error_log(self::ENCRYPTION_KEY_ERROR);
-            // @codeCoverageIgnoreEnd
-        }
-
         foreach ($this->enabledGrantTypes as $grantType) {
             if ($grantType->canRespondToAuthorizationRequest($request)) {
                 return $grantType->validateAuthorizationRequest($request);

src/AuthorizationValidators/BearerTokenValidator.php

@@ -12,6 +12,7 @@ namespace League\OAuth2\Server\AuthorizationValidators;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\ValidationData;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -26,6 +27,11 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
      */
     private $accessTokenRepository;
 
+    /**
+     * @var \League\OAuth2\Server\CryptKey
+     */
+    protected $publicKey;
+
     /**
      * @param AccessTokenRepositoryInterface $accessTokenRepository
      */
@@ -34,6 +40,16 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
         $this->accessTokenRepository = $accessTokenRepository;
     }
 
+    /**
+     * Set the private key
+     *
+     * @param \League\OAuth2\Server\CryptKey $key
+     */
+    public function setPublicKey(CryptKey $key)
+    {
+        $this->publicKey = $key;
+    }
+
     /**
      * {@inheritdoc}
      */

src/CryptKey.php

@@ -29,8 +29,9 @@ class CryptKey
     /**
      * @param string      $keyPath
      * @param null|string $passPhrase
+     * @param bool        $keyPermissionsCheck
      */
-    public function __construct($keyPath, $passPhrase = null)
+    public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
     {
         if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
             $keyPath = $this->saveKeyToFile($keyPath);
@@ -44,20 +45,15 @@ class CryptKey
             throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
         }
 
-        // Verify the permissions of the key
+        if ($keyPermissionsCheck === true) {
-        $keyPathPerms = decoct(fileperms($keyPath) & 0777);
+            // Verify the permissions of the key
-        if ($keyPathPerms !== '600') {
+            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
-            // Attempt to correct the permissions
+            if (in_array($keyPathPerms, ['600', '660'], true) === false) {
-            if (chmod($keyPath, 0600) === false) {
+                trigger_error(sprintf(
-                // @codeCoverageIgnoreStart
+                    'Key file "%s" permissions are not correct, should be 600 or 660 instead of %s',
-                throw new \LogicException(
+                    $keyPath,
-                    sprintf(
+                    $keyPathPerms
-                        'Key file "%s" permissions are not correct, should be 600 instead of %s, unable to automatically resolve the issue',
+                ), E_USER_NOTICE);
-                        $keyPath,
-                        $keyPathPerms
-                    )
-                );
-                // @codeCoverageIgnoreEnd
             }
         }
 
@@ -79,19 +75,19 @@ class CryptKey
 
         if (!file_exists($keyPath) && !touch($keyPath)) {
             // @codeCoverageIgnoreStart
-            throw new \RuntimeException('"%s" key file could not be created', $keyPath);
+            throw new \RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
             // @codeCoverageIgnoreEnd
         }
 
         if (file_put_contents($keyPath, $key) === false) {
             // @codeCoverageIgnoreStart
-            throw new \RuntimeException('Unable to write key file to temporary directory "%s"', $tmpDir);
+            throw new \RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
             // @codeCoverageIgnoreEnd
         }
 
         if (chmod($keyPath, 0600) === false) {
             // @codeCoverageIgnoreStart
-            throw new \RuntimeException('The key file "%s" file mode could not be changed with chmod to 600', $keyPath);
+            throw new \RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
             // @codeCoverageIgnoreEnd
         }
 

src/CryptTrait.php

@@ -1,11 +1,9 @@
 <?php
 /**
  * Public/private key encryption.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
- *
  * @link        https://github.com/thephpleague/oauth2-server
  */
 
@@ -15,80 +13,26 @@ use Defuse\Crypto\Crypto;
 
 trait CryptTrait
 {
-    /**
-     * @var CryptKey
-     */
-    protected $privateKey;
-
-    /**
-     * @var CryptKey
-     */
-    protected $publicKey;
-
     /**
      * @var string
      */
     protected $encryptionKey;
 
-    /**
-     * Set path to private key.
-     *
-     * @param CryptKey $privateKey
-     */
-    public function setPrivateKey(CryptKey $privateKey)
-    {
-        $this->privateKey = $privateKey;
-    }
-
-    /**
-     * Set path to public key.
-     *
-     * @param CryptKey $publicKey
-     */
-    public function setPublicKey(CryptKey $publicKey)
-    {
-        $this->publicKey = $publicKey;
-    }
-
     /**
      * Encrypt data with a private key.
      *
      * @param string $unencryptedData
      *
      * @throws \LogicException
-     *
      * @return string
      */
     protected function encrypt($unencryptedData)
     {
-        if ($this->encryptionKey !== null) {
+        try {
             return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+        } catch (\Exception $e) {
+            throw new \LogicException($e->getMessage());
         }
-
-        $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
-        $privateKeyDetails = @openssl_pkey_get_details($privateKey);
-        if ($privateKeyDetails === null) {
-            throw new \LogicException(
-                sprintf('Could not get details of private key: %s', $this->privateKey->getKeyPath())
-            );
-        }
-
-        $chunkSize = ceil($privateKeyDetails['bits'] / 8) - 11;
-        $output = '';
-
-        while ($unencryptedData) {
-            $chunk = substr($unencryptedData, 0, $chunkSize);
-            $unencryptedData = substr($unencryptedData, $chunkSize);
-            if (openssl_private_encrypt($chunk, $encrypted, $privateKey) === false) {
-                // @codeCoverageIgnoreStart
-                throw new \LogicException('Failed to encrypt data');
-                // @codeCoverageIgnoreEnd
-            }
-            $output .= $encrypted;
-        }
-        openssl_pkey_free($privateKey);
-
-        return base64_encode($output);
     }
 
     /**
@@ -97,41 +41,15 @@ trait CryptTrait
      * @param string $encryptedData
      *
      * @throws \LogicException
-     *
      * @return string
      */
     protected function decrypt($encryptedData)
     {
-        if ($this->encryptionKey !== null) {
+        try {
             return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+        } catch (\Exception $e) {
+            throw new \LogicException($e->getMessage());
         }
-
-        $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
-        $publicKeyDetails = @openssl_pkey_get_details($publicKey);
-        if ($publicKeyDetails === null) {
-            throw new \LogicException(
-                sprintf('Could not get details of public key: %s', $this->publicKey->getKeyPath())
-            );
-        }
-
-        $chunkSize = ceil($publicKeyDetails['bits'] / 8);
-        $output = '';
-
-        $encryptedData = base64_decode($encryptedData);
-
-        while ($encryptedData) {
-            $chunk = substr($encryptedData, 0, $chunkSize);
-            $encryptedData = substr($encryptedData, $chunkSize);
-            if (openssl_public_decrypt($chunk, $decrypted, $publicKey/*, OPENSSL_PKCS1_OAEP_PADDING*/) === false) {
-                // @codeCoverageIgnoreStart
-                throw new \LogicException('Failed to decrypt data');
-                // @codeCoverageIgnoreEnd
-            }
-            $output .= $decrypted;
-        }
-        openssl_pkey_free($publicKey);
-
-        return $output;
     }
 
     /**

src/Exception/OAuthServerException.php

@@ -152,7 +152,7 @@ class OAuthServerException extends \Exception
      */
     public static function invalidRefreshToken($hint = null)
     {
-        return new static('The refresh token is invalid.', 8, 'invalid_request', 400, $hint);
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint);
     }
 
     /**

src/Grant/AbstractGrant.php

@@ -11,6 +11,7 @@
 namespace League\OAuth2\Server\Grant;
 
 use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
@@ -75,6 +76,11 @@ abstract class AbstractGrant implements GrantTypeInterface
      */
     protected $refreshTokenTTL;
 
+    /**
+     * @var \League\OAuth2\Server\CryptKey
+     */
+    protected $privateKey;
+
     /**
      * @param ClientRepositoryInterface $clientRepository
      */
@@ -131,6 +137,16 @@ abstract class AbstractGrant implements GrantTypeInterface
         $this->refreshTokenTTL = $refreshTokenTTL;
     }
 
+    /**
+     * Set the private key
+     *
+     * @param \League\OAuth2\Server\CryptKey $key
+     */
+    public function setPrivateKey(CryptKey $key)
+    {
+        $this->privateKey = $key;
+    }
+
     /**
      * Validate the client.
      *

src/Grant/AuthCodeGrant.php

@@ -312,30 +312,16 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
             );
 
             $payload = [
-                'client_id'               => $authCode->getClient()->getIdentifier(),
+                'client_id'             => $authCode->getClient()->getIdentifier(),
-                'redirect_uri'            => $authCode->getRedirectUri(),
+                'redirect_uri'          => $authCode->getRedirectUri(),
-                'auth_code_id'            => $authCode->getIdentifier(),
+                'auth_code_id'          => $authCode->getIdentifier(),
-                'scopes'                  => $authCode->getScopes(),
+                'scopes'                => $authCode->getScopes(),
-                'user_id'                 => $authCode->getUserIdentifier(),
+                'user_id'               => $authCode->getUserIdentifier(),
-                'expire_time'             => (new \DateTime())->add($this->authCodeTTL)->format('U'),
+                'expire_time'           => (new \DateTime())->add($this->authCodeTTL)->format('U'),
-                'code_challenge'          => $authorizationRequest->getCodeChallenge(),
+                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
-                'code_challenge_method  ' => $authorizationRequest->getCodeChallengeMethod(),
+                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
             ];
 
-            if ($this->encryptionKey === null) {
-                // Add padding to vary the length of the payload
-                $payload['_padding'] = base64_encode(random_bytes(mt_rand(8, 256)));
-                // Shuffle the payload so that the structure is no longer know and obvious
-                $keys = array_keys($payload);
-                shuffle($keys);
-                $shuffledPayload = [];
-                foreach ($keys as $key) {
-                    $shuffledPayload[$key] = $payload[$key];
-                }
-            } else {
-                $shuffledPayload = $payload;
-            }
-
             $response = new RedirectResponse();
             $response->setRedirectUri(
                 $this->makeRedirectUri(
@@ -343,7 +329,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                     [
                         'code'  => $this->encrypt(
                             json_encode(
-                                $shuffledPayload
+                                $payload
                             )
                         ),
                         'state' => $authorizationRequest->getState(),

src/Grant/GrantTypeInterface.php

@@ -126,13 +126,6 @@ interface GrantTypeInterface extends EmitterAwareInterface
      */
     public function setPrivateKey(CryptKey $privateKey);
 
-    /**
-     * Set the path to the public key.
-     *
-     * @param CryptKey $publicKey
-     */
-    public function setPublicKey(CryptKey $publicKey);
-
     /**
      * Set the encryption key
      *

src/Repositories/AccessTokenRepositoryInterface.php

@@ -12,6 +12,7 @@ namespace League\OAuth2\Server\Repositories;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Access token interface.
@@ -33,6 +34,8 @@ interface AccessTokenRepositoryInterface extends RepositoryInterface
      * Persists a new access token to permanent storage.
      *
      * @param AccessTokenEntityInterface $accessTokenEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
 

src/Repositories/AuthCodeRepositoryInterface.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Repositories;
 
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Auth code storage interface.
@@ -27,6 +28,8 @@ interface AuthCodeRepositoryInterface extends RepositoryInterface
      * Persists a new auth code to permanent storage.
      *
      * @param AuthCodeEntityInterface $authCodeEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
 

src/Repositories/RefreshTokenRepositoryInterface.php

@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Repositories;
 
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Refresh token interface.
@@ -27,6 +28,8 @@ interface RefreshTokenRepositoryInterface extends RepositoryInterface
      * Create a new refresh token_name.
      *
      * @param RefreshTokenEntityInterface $refreshTokenEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
 

src/ResponseTypes/AbstractResponseType.php

@@ -11,6 +11,7 @@
 
 namespace League\OAuth2\Server\ResponseTypes;
 
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -29,6 +30,11 @@ abstract class AbstractResponseType implements ResponseTypeInterface
      */
     protected $refreshToken;
 
+    /**
+     * @var CryptKey
+     */
+    protected $privateKey;
+
     /**
      * {@inheritdoc}
      */
@@ -44,4 +50,15 @@ abstract class AbstractResponseType implements ResponseTypeInterface
     {
         $this->refreshToken = $refreshToken;
     }
+
+    /**
+     * Set the private key
+     *
+     * @param \League\OAuth2\Server\CryptKey $key
+     */
+    public function setPrivateKey(CryptKey $key)
+    {
+        $this->privateKey = $key;
+    }
+
 }

tests/AuthorizationServerTest.php

@@ -26,6 +26,13 @@ use Zend\Diactoros\ServerRequestFactory;
 
 class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
 {
+    public function setUp()
+    {
+        // Make sure the keys have the correct permissions.
+        chmod(__DIR__ . '/Stubs/private.key', 0600);
+        chmod(__DIR__ . '/Stubs/public.key', 0600);
+    }
+
     public function testRespondToRequestInvalidGrantType()
     {
         $server = new AuthorizationServer(
@@ -33,10 +40,9 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
             $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
             'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
             new StubResponseType()
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -64,10 +70,9 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             $accessTokenRepositoryMock,
             $scopeRepositoryMock,
             'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
             new StubResponseType()
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -89,7 +94,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $abstractGrantReflection = new \ReflectionClass($server);
         $method = $abstractGrantReflection->getMethod('getResponseType');
@@ -109,7 +113,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
         $authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity());
@@ -120,9 +123,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             new \DateInterval('PT10M')
         );
 
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/Stubs/public.key'));
-
         $server->enableGrantType($grant);
 
         $authRequest = new AuthorizationRequest();
@@ -156,7 +156,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
         $server->enableGrantType($grant);
 
         $request = new ServerRequest(
@@ -189,7 +188,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
             'file://' . __DIR__ . '/Stubs/private.key',
             'file://' . __DIR__ . '/Stubs/public.key'
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $request = new ServerRequest(
             [],

tests/CryptTraitTest.php

@@ -8,7 +8,7 @@ use LeagueTests\Stubs\CryptTraitStub;
 class CryptTraitTest extends \PHPUnit_Framework_TestCase
 {
     /**
-     * CryptTrait stub
+     * @var \LeagueTests\Stubs\CryptTraitStub
      */
     protected $cryptStub;
 
@@ -26,30 +26,4 @@ class CryptTraitTest extends \PHPUnit_Framework_TestCase
         $this->assertNotEquals($payload, $encrypted);
         $this->assertEquals($payload, $plainText);
     }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testBadPrivateKey()
-    {
-        $this->cryptStub->setPrivateKey(new CryptKey(__DIR__ . '/Stubs/public.key'));
-        $this->cryptStub->doEncrypt('');
-    }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testBadPublicKey()
-    {
-        $this->cryptStub->setPublicKey(new CryptKey(__DIR__ . '/Stubs/private.key'));
-        $this->cryptStub->doDecrypt('');
-    }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testNonExistentKey()
-    {
-        new CryptKey('foo/bar');
-    }
 }

tests/Grant/AbstractGrantTest.php

@@ -27,8 +27,6 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
     {
         /** @var AbstractGrant $grantMock */
         $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
-        $grantMock->setPrivateKey(new CryptKey(__DIR__ . '/../Stubs/private.key'));
-        $grantMock->setPublicKey(new CryptKey(__DIR__ . '/../Stubs/public.key'));
         $grantMock->setEmitter(new Emitter());
     }
 

tests/Grant/AuthCodeGrantTest.php

@@ -510,9 +510,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
             new \DateInterval('PT10M')
         );
-
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
     }
@@ -537,9 +535,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
             new \DateInterval('PT10M')
         );
-
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $grant->completeAuthorizationRequest($authRequest);
     }
@@ -574,8 +570,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -643,8 +638,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -715,8 +709,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -773,7 +766,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             new \DateInterval('PT10M')
         );
         $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
 
         $request = new ServerRequest(
             [],
@@ -820,7 +813,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             new \DateInterval('PT10M')
         );
         $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
 
         $request = new ServerRequest(
             [],
@@ -873,8 +866,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -919,8 +911,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -983,8 +974,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1044,8 +1034,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1105,8 +1094,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1164,8 +1152,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1237,8 +1224,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1310,8 +1296,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1370,9 +1355,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
             new \DateInterval('PT10M')
         );
-
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
     }
@@ -1398,9 +1381,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
             new \DateInterval('PT10M')
         );
-
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
     }
@@ -1427,9 +1408,6 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
             new \DateInterval('PT10M')
         );
 
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
     }
 
@@ -1464,8 +1442,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1536,8 +1513,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],
@@ -1608,8 +1584,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $request = new ServerRequest(
             [],

tests/Grant/ImplicitGrantTest.php

@@ -283,7 +283,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
 
         $grant = new ImplicitGrant(new \DateInterval('PT10M'));
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
@@ -307,7 +306,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
 
         $grant = new ImplicitGrant(new \DateInterval('PT10M'));
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 
         $grant->completeAuthorizationRequest($authRequest);
@@ -329,7 +327,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
 
         $grant = new ImplicitGrant(new \DateInterval('PT10M'));
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 
         $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
@@ -354,7 +351,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
 
         $grant = new ImplicitGrant(new \DateInterval('PT10M'));
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 
         $grant->completeAuthorizationRequest($authRequest);
@@ -379,7 +375,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
 
         $grant = new ImplicitGrant(new \DateInterval('PT10M'));
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
 
         $grant->completeAuthorizationRequest($authRequest);

tests/Grant/RefreshTokenGrantTest.php

@@ -21,7 +21,7 @@ use Zend\Diactoros\ServerRequest;
 class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
 {
     /**
-     * CryptTrait stub
+     * @var CryptTraitStub
      */
     protected $cryptStub;
 
@@ -65,7 +65,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -121,7 +121,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -180,7 +180,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
         $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -227,7 +227,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $serverRequest = new ServerRequest();
@@ -259,7 +259,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = 'foobar';
@@ -291,14 +291,13 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
         $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
 
-
         $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
         $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
 
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -344,7 +343,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -391,7 +390,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
         $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
         $grant->setClientRepository($clientRepositoryMock);
         $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
         $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
 
         $oldRefreshToken = $this->cryptStub->doEncrypt(

tests/Middleware/AuthorizationServerMiddlewareTest.php

@@ -33,10 +33,9 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
             $accessRepositoryMock,
             $scopeRepositoryMock,
             'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
             new StubResponseType()
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant());
 
@@ -67,10 +66,9 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
             $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
             $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
             'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
             new StubResponseType()
         );
-        $server->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
 
@@ -99,7 +97,8 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
         $response = $exception->generateHttpResponse(new Response());
 
         $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+            $response->getHeader('location')[0]);
     }
 
     public function testOAuthErrorResponseRedirectUriFragment()
@@ -108,6 +107,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
         $response = $exception->generateHttpResponse(new Response(), true);
 
         $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+            $response->getHeader('location')[0]);
     }
 }

tests/ResponseTypes/BearerResponseTypeTest.php

@@ -23,7 +23,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $client = new ClientEntity();
         $client->setIdentifier('clientName');
@@ -67,7 +67,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponseWithParams($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $client = new ClientEntity();
         $client->setIdentifier('clientName');
@@ -115,7 +115,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $client = new ClientEntity();
         $client->setIdentifier('clientName');
@@ -141,7 +141,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
         $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(false);
 
         $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
         $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $request = new ServerRequest();
@@ -162,7 +161,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $client = new ClientEntity();
         $client->setIdentifier('clientName');
@@ -185,7 +184,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
         $json = json_decode((string) $response->getBody());
 
         $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
         $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $request = new ServerRequest();
@@ -205,7 +203,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
     {
         $responseType = new BearerTokenResponse();
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $client = new ClientEntity();
         $client->setIdentifier('clientName');
@@ -231,7 +229,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
         $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(true);
 
         $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
         $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $request = new ServerRequest();
@@ -253,12 +250,11 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
 
         $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
         $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $request = new ServerRequest();
@@ -280,12 +276,11 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
 
         $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
         $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
 
         $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
 
         $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
         $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
 
         $request = new ServerRequest();

tests/Stubs/CryptTraitStub.php

@@ -11,8 +11,12 @@ class CryptTraitStub
 
     public function __construct()
     {
-        $this->setPrivateKey(new CryptKey('file://' . __DIR__ . '/private.key'));
+        $this->setEncryptionKey(base64_encode(random_bytes(36)));
-        $this->setPublicKey(new CryptKey('file://' . __DIR__ . '/public.key'));
+    }
+
+    public function getKey()
+    {
+        return $this->encryptionKey;
     }
 
     public function doEncrypt($unencryptedData)