Beispiel #1
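 /**
  * Determines the Content Encryption Key (CEK) for a JWE according to the key management mode.
  *
  * - MODE_ENCRYPT / MODE_WRAP: a new CEK is created with createCEK(), sized by the content encryption algorithm.
  * - MODE_AGREEMENT: the CEK is the agreement key returned by the key encryption algorithm
  *   selected from the merged headers; exactly one recipient is accepted.
  * - MODE_DIRECT: the CEK is the Base64Url-decoded "k" member of the single recipient's "oct" key.
  *
  * @param \Jose\Object\JWEInterface                           $jwe
  * @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
  * @param string                                              $key_management_mode
  * @param array                                               $additional_headers           Passed by reference to getAgreementKey() in agreement mode
  *
  * @throws \InvalidArgumentException If the key management mode is not one of the four handled modes
  *
  * @return string
  */
 private function determineCEK(Object\JWEInterface $jwe, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, $key_management_mode, array &$additional_headers)
 {
     switch ($key_management_mode) {
         case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_ENCRYPT:
         case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_WRAP:
             return $this->createCEK($content_encryption_algorithm->getCEKSize());
         case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_AGREEMENT:
             Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using key agreement algorithms.');
             $recipient = $jwe->getRecipient(0);
             // array_merge(): on duplicate string keys the later array wins, so a per-recipient
             // header replaces a shared or protected header of the same name.
             // NOTE(review): RFC 7516 requires these three header sets to be disjoint - confirm
             // that is enforced before this point.
             $complete_headers = array_merge($jwe->getSharedProtectedHeaders(), $jwe->getSharedHeaders(), $recipient->getHeaders());
             $algorithm = $this->findKeyEncryptionAlgorithm($complete_headers);

             return $algorithm->getAgreementKey($content_encryption_algorithm->getCEKSize(), $content_encryption_algorithm->getAlgorithmName(), $recipient->getRecipientKey(), $complete_headers, $additional_headers);
         case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_DIRECT:
             // The message used to be a copy of the key agreement one; name the mode that actually failed.
             Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using direct encryption algorithms.');
             $recipient_key = $jwe->getRecipient(0)->getRecipientKey();
             Assertion::eq($recipient_key->get('kty'), 'oct', 'Wrong key type.');
             Assertion::true($recipient_key->has('k'), 'The key parameter "k" is missing.');

             // NOTE(review): the decoded key becomes the CEK without its length being compared
             // with getCEKSize() - confirm the size is validated before content encryption.
             return Base64Url::decode($recipient_key->get('k'));
         default:
             throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $key_management_mode));
     }
 }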
Beispiel #2
 /**
  * Recovers the Content Encryption Key (CEK) for one recipient.
  *
  * The key encryption algorithm is tested against the supported interfaces in a fixed
  * order (direct, key agreement, key agreement with wrapping, key encryption, key
  * wrapping) and the first match produces the CEK.
  *
  * NOTE(review): exceptions raised by the algorithm calls are not handled here. For
  * key-encryption algorithms, RFC 7516 (Security Considerations) asks that key
  * decryption failures not be distinguishable to the sender - confirm how the caller
  * reports them.
  *
  * @param \Jose\Algorithm\JWAInterface                        $key_encryption_algorithm
  * @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
  * @param \Jose\Object\JWKInterface                           $key
  * @param \Jose\Object\RecipientInterface                     $recipient
  * @param array                                               $complete_headers
  *
  * @throws \InvalidArgumentException If the algorithm implements none of the supported interfaces
  *
  * @return null|string
  */
 private function decryptCEK(Algorithm\JWAInterface $key_encryption_algorithm, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, Object\JWKInterface $key, Object\RecipientInterface $recipient, array $complete_headers)
 {
     // The order of these checks is significant: the first matching interface wins.
     if ($key_encryption_algorithm instanceof Algorithm\KeyEncryption\DirectEncryptionInterface) {
         return $key_encryption_algorithm->getCEK($key);
     }

     if ($key_encryption_algorithm instanceof Algorithm\KeyEncryption\KeyAgreementInterface) {
         return $key_encryption_algorithm->getAgreementKey(
             $content_encryption_algorithm->getCEKSize(),
             $content_encryption_algorithm->getAlgorithmName(),
             $key,
             $complete_headers
         );
     }

     if ($key_encryption_algorithm instanceof Algorithm\KeyEncryption\KeyAgreementWrappingInterface) {
         return $key_encryption_algorithm->unwrapAgreementKey(
             $key,
             $recipient->getEncryptedKey(),
             $content_encryption_algorithm->getCEKSize(),
             $complete_headers
         );
     }

     if ($key_encryption_algorithm instanceof Algorithm\KeyEncryption\KeyEncryptionInterface) {
         return $key_encryption_algorithm->decryptKey($key, $recipient->getEncryptedKey(), $complete_headers);
     }

     if ($key_encryption_algorithm instanceof Algorithm\KeyEncryption\KeyWrappingInterface) {
         return $key_encryption_algorithm->unwrapKey($key, $recipient->getEncryptedKey(), $complete_headers);
     }

     throw new \InvalidArgumentException('Unsupported CEK generation');
 }
Beispiel #3
 /**
  * Wraps the CEK for a recipient with a "key agreement with key wrapping" algorithm.
  *
  * Delegates to wrapAgreementKey() and returns its result unchanged.
  *
  * @param array                                                       $complete_headers
  * @param string                                                      $cek
  * @param \Jose\Algorithm\KeyEncryption\KeyAgreementWrappingInterface $key_encryption_algorithm
  * @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface         $content_encryption_algorithm
  * @param array                                                       $additional_headers           Passed by reference to wrapAgreementKey()
  * @param \Jose\Object\JWKInterface                                   $recipient_key
  *
  * @return string
  */
 private function getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm(array $complete_headers, $cek, Algorithm\KeyEncryption\KeyAgreementWrappingInterface $key_encryption_algorithm, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, array &$additional_headers, Object\JWKInterface $recipient_key)
 {
     return $key_encryption_algorithm->wrapAgreementKey(
         $recipient_key,
         $cek,
         $content_encryption_algorithm->getCEKSize(),
         $complete_headers,
         $additional_headers
     );
 }