/**
* @param Context $context
* @param string $token
* @param string|resource $key
*
* @return string
*/
public static function decode(Context $context, $token, $key)
{
if (empty($token) || trim($token) === '') {
throw new JoseJwtException('Incoming token expected to be in compact serialization form, but is empty');
}
$parts = explode('.', $token);
if (count($parts) != 5) {
throw new JoseJwtException('Invalid JWE token');
}
$decodedParts = [];
foreach ($parts as $part) {
$decodedParts[] = UrlSafeB64Encoder::decode($part);
}
$headerString = $decodedParts[0];
$encryptedCek = $decodedParts[1];
$iv = $decodedParts[2];
$cipherText = $decodedParts[3];
$authTag = $decodedParts[4];
$header = json_decode($headerString, true);
if (null === $header) {
throw new JoseJwtException('Invalid header');
}
$algorithm = $context->jweAlgorithms()->get($header['alg']);
$encryption = $context->jweEncryptions()->get($header['enc']);
$cek = $algorithm->unwrap($encryptedCek, $key, $encryption->getKeySize(), $header);
$aad = $parts[0];
$plainText = $encryption->decrypt($aad, $cek, $iv, $cipherText, $authTag);
return $plainText;
}
