John Davidson

Message:

Most examples of generating a public key from an Azure B2C modulus and exponent use phpseclib and pass an XML string to the library to generate a public key.

However, phpseclib3 appears to switch this up by providing a PublicKeyLoader that takes a keyed array where the keys are e and n for the exponent and modulus as BigInteger instances.

What transformations need to happen to those e and n values provided by Azure B2C to make them appropriate for use with the PublicKeyLoader?

Many of the examples for the older versions of phpseclib would convert from a base64url to base64, but I don't know if that is purely for the benefit of the XML conversion method and if that will work with the BigInteger function.

Generation of this public key is for the purposes of verifying an access token signature via lcobucci/jwt.

---

My Answer:
To generate a public key from Azure B2C keys using phpseclib3, you will need to perform the following transformations:

1. Convert the base64url encoded modulus and exponent values provided by Azure B2C to base64 format. This can be done using the following code snippet:

php
$modulus = base64_decode(strtr($azureModulus, '-_', '+/'));
$exponent = base64_decode(strtr($azureExponent, '-_', '+/'));


2. Create BigInteger instances for the modulus and exponent values:

php
use phpseclib3\Math\BigInteger;

$modulusBigInt = new BigInteger($modulus, 256);
$exponentBigInt = new BigInteger($exponent, 256);


3. Create a keyed array with the modulus and exponent values:

php
$keyedArray = ['e' => $exponentBigInt, 'n' => $modulusBigInt];


4. Use the PublicKeyLoader to generate the public key:

php
use phpseclib3\Crypt\RSA\PublicKeyLoader;

$publicKey = PublicKeyLoader::load($keyedArray);


Now you have successfully generated a public key from Azure B2C keys using phpseclib3. You can use this public key to verify an access token signature with lcobucci/jwt.