/** * @return $this * @throws InvalidJWKAlgorithm * @throws InvalidKeyTypeAlgorithmException * @throws JWEInvalidCompactFormatException * @throws JWEInvalidRecipientKeyException * @throws JWEUnsupportedContentEncryptionAlgorithmException * @throws JWEUnsupportedKeyManagementAlgorithmException * @throws \Exception */ private function decrypt() { if (is_null($this->jwk)) { throw new JWEInvalidRecipientKeyException(); } if (!$this->should_decrypt) { return $this; } if ($this->jwk->getAlgorithm()->getValue() !== $this->header->getAlgorithm()->getString()) { throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to encrypt or determine the value of the CEK %s', $this->jwk->getAlgorithm()->getValue(), $this->header->getAlgorithm()->getString())); } $key_management_algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($this->header->getAlgorithm()->getString()); if (is_null($key_management_algorithm)) { throw new JWEUnsupportedKeyManagementAlgorithmException(sprintf('alg %s', $this->header->getAlgorithm()->getString())); } $content_encryption_algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($this->header->getEncryptionAlgorithm()->getString()); if (is_null($content_encryption_algorithm)) { throw new JWEUnsupportedContentEncryptionAlgorithmException(sprintf('enc %s', $this->header->getEncryptionAlgorithm()->getString())); } $this->cek = $this->decryptJWEEncryptedKey($key_management_algorithm); // We encrypt the payload and get the tag $jwt_shared_protected_header = JOSEHeaderSerializer::serialize($this->header); /** * Decrypt the JWE Cipher Text using the CEK, the JWE Initialization * Vector, the Additional Authenticated Data value, and the JWE * Authentication Tag (which is the Authentication Tag input to the * calculation) using the specified content encryption algorithm, * returning the decrypted plaintext and validating the JWE * Authentication Tag in the manner specified for the algorithm, * rejecting the input without emitting any decrypted output if the * JWE Authentication Tag is incorrect. */ $plain_text = $content_encryption_algorithm->decrypt($this->cipher_text, $this->cek->getEncoded(), $this->iv, $jwt_shared_protected_header, $this->tag); $zip = $this->header->getCompressionAlgorithm(); /** * If a "zip" parameter was included, uncompress the decrypted * plaintext using the specified compression algorithm. */ if (!is_null($zip)) { $compression__algorithm = CompressionAlgorithms_Registry::getInstance()->get($zip->getValue()); $plain_text = $compression__algorithm->uncompress($plain_text); } $this->setPayload(JWSPayloadFactory::build($plain_text)); $this->should_decrypt = false; return $this; }
public static function serialize(IJWEJOSEHeader $header) { $json = $header->toJson(); return JWTRawSerializer::serialize($json); }