/**
* @param \Jose\Object\JWEInterface $jwe
* @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
* @param string $key_management_mode
* @param array $additional_headers
*
* @return string
*/
private function determineCEK(Object\JWEInterface $jwe, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, $key_management_mode, array &$additional_headers)
{
switch ($key_management_mode) {
case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_ENCRYPT:
case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_WRAP:
return $this->createCEK($content_encryption_algorithm->getCEKSize());
case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_AGREEMENT:
Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using key agreement algorithms.');
$complete_headers = array_merge($jwe->getSharedProtectedHeaders(), $jwe->getSharedHeaders(), $jwe->getRecipient(0)->getHeaders());
$algorithm = $this->findKeyEncryptionAlgorithm($complete_headers);
return $algorithm->getAgreementKey($content_encryption_algorithm->getCEKSize(), $content_encryption_algorithm->getAlgorithmName(), $jwe->getRecipient(0)->getRecipientKey(), $complete_headers, $additional_headers);
case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_DIRECT:
Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using key agreement algorithms.');
Assertion::eq($jwe->getRecipient(0)->getRecipientKey()->get('kty'), 'oct', 'Wrong key type.');
Assertion::true($jwe->getRecipient(0)->getRecipientKey()->has('k'), 'The key parameter "k" is missing.');
return Base64Url::decode($jwe->getRecipient(0)->getRecipientKey()->get('k'));
default:
throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $key_management_mode));
}
}
/**
* @param \Jose\Object\JWEInterface $jwe
* @param string $cek
* @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
* @param array $complete_headers
*
* @return bool
*/
private function decryptPayload(Object\JWEInterface &$jwe, $cek, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, array $complete_headers)
{
$payload = $content_encryption_algorithm->decryptContent($jwe->getCiphertext(), $cek, $jwe->getIV(), null === $jwe->getAAD() ? null : Base64Url::encode($jwe->getAAD()), $jwe->getEncodedSharedProtectedHeaders(), $jwe->getTag());
if (null === $payload) {
return false;
}
$this->decompressIfNeeded($payload, $complete_headers);
$decoded = json_decode($payload, true);
$jwe = $jwe->withPayload(null === $decoded ? $payload : $decoded);
return true;
}
/**
* @param array $complete_headers
* @param string $cek
* @param \Jose\Algorithm\KeyEncryption\KeyAgreementWrappingInterface $key_encryption_algorithm
* @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
* @param array $additional_headers
* @param \Jose\Object\JWKInterface $recipient_key
*
* @return string
*/
private function getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm(array $complete_headers, $cek, Algorithm\KeyEncryption\KeyAgreementWrappingInterface $key_encryption_algorithm, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, array &$additional_headers, Object\JWKInterface $recipient_key)
{
$jwt_cek = $key_encryption_algorithm->wrapAgreementKey($recipient_key, $cek, $content_encryption_algorithm->getCEKSize(), $complete_headers, $additional_headers);
return $jwt_cek;
}
