/**
* @param \Cyh\Jose\Signing\Signer\SignerInterface $signer
* @param string $jwt_strings
* @param resource|string $key default null
* @param ValidateInterface[] $validators
* @return array
* @throws MalformedException
* @throws InvalidSignatureException
* @throws ValidateException
*/
public static function verify(SignerInterface $signer, $jwt_strings, $key = null, array $validators = array())
{
$jwt_arr = explode('.', $jwt_strings);
if (3 !== count($jwt_arr)) {
throw new MalformedException('Wrong number of segments');
}
$header_base64 = $jwt_arr[0];
$header = Header::fromString($header_base64);
// Do not determine algorithm by header.
if ($signer->getAlg() !== $header->getAlg()) {
throw new MalformedException('Invalid alg header');
}
$payload_base64 = $jwt_arr[1];
$message = $header_base64 . '.' . $payload_base64;
$signature = Base64Url::decode($jwt_arr[2]);
$signer->verify($message, $signature, $key);
$payload_json = Base64Url::decode($payload_base64);
$claims = Json::decode($payload_json);
foreach ($validators as $validator) {
if (!$validator instanceof ValidateInterface) {
throw new UnexpectedValueException('validator is must implement ValidateInterface');
}
if (!$validator->validate($claims)) {
throw new ValidateException('Validation failed. validator name: ' . $validator->getName());
}
}
return $claims;
}
/**
* @param AlgInterface $alg
* @param EncInterface $enc
* @param string $content
* @param string $private_or_secret_key
* @param string $pass_phrase default null
* @return string
* @throws \Cyh\Jose\Exception\MalformedException
*/
public static function decrypt(AlgInterface $alg, EncInterface $enc, $content, $private_or_secret_key, $pass_phrase = null)
{
$components = explode('.', $content);
if (5 !== count($components)) {
throw new MalformedException('Wrong number of segments');
}
$encrypted_cek = Base64Url::decode($components[1]);
$cek = new ContentEncryptionKey($alg->decrypt($encrypted_cek, $private_or_secret_key, $pass_phrase));
$aad_base64 = $components[0];
$protected_header = Header::fromString($components[0]);
if ($alg->getAlg() !== $protected_header->getAlg()) {
throw new MalformedException('invalid alg header');
}
if ($enc->getEnc() !== $protected_header->getEnc()) {
throw new MalformedException('invalid enc header');
}
$iv = Base64Url::decode($components[2]);
$cipher_text = Base64Url::decode($components[3]);
$auth_tag = Base64Url::decode($components[4]);
return $enc->decrypt($aad_base64, $cek, $iv, $cipher_text, $auth_tag);
}
/**
* @expectedException \Cyh\Jose\Exception\UnexpectedValueException
*/
public function testEncodeBase64InvalidParam()
{
Base64Url::encode(array());
}
/**
* @return string
*/
public function __toString()
{
return Base64Url::encode(Json::encode($this->headers));
}
/**
* @expectedException Cyh\Jose\Signing\Exception\InvalidSignatureException
*/
public function testRS256ModifiedClaimExp()
{
$token_strings = Jwt::sign(new RS256(), $this->valid_claims, $this->rsa_prv_key);
list($h, $p, $s) = explode('.', $token_strings);
$payload = Json::decode(Base64Url::decode($p));
$payload['exp'] = time() + 86400;
$p = Base64Url::encode(Json::encode($payload));
$mod_token = "{$h}.{$p}.{$s}";
Jwt::verify(new RS256(), $mod_token, $this->rsa_pub_key);
}
