/**
 * Resolves the signature algorithm named by the "alg" header of a JWS.
 *
 * The algorithm name is read from the token header, which is supplied by
 * whoever produced the token. This method only checks that the name resolves
 * to a SignatureInterface implementation known to the JWA manager; it applies
 * no allow-list of its own.
 *
 * @param \Jose\Object\JWSInterface $jws
 *
 * @throws \InvalidArgumentException if the header carries no "alg" parameter
 * @throws \RuntimeException         if the named algorithm is unknown or is not a signature algorithm
 *
 * @return \Jose\Algorithm\Signature\SignatureInterface
 */
private function getAlgorithm(JWSInterface $jws)
{
    if ($jws->hasHeader('alg')) {
        $name = $jws->getHeader('alg');
        $candidate = $this->getJWAManager()->getAlgorithm($name);

        // Anything that is not a signature algorithm is rejected here.
        if ($candidate instanceof SignatureInterface) {
            return $candidate;
        }

        throw new \RuntimeException(sprintf('The algorithm "%s" is not supported or does not implement SignatureInterface.', $name));
    }

    throw new \InvalidArgumentException('No "alg" parameter set in the header.');
}
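/**
 * Checks that a JWS uses a signature algorithm the client allows and that its
 * signature verifies against the configured key set.
 *
 * The "alg" header is taken from the token itself, so it is compared to the
 * client's allow-list strictly: a missing header, a non-string value, or a
 * value that only matches through PHP's loose comparison (for example a JSON
 * `true`) is rejected before the verifier runs.
 *
 * @param \Jose\Object\JWSInterface         $jws
 * @param \OAuth2\Client\JWTClientInterface $client
 *
 * @throws \OAuth2\Exception\BaseExceptionInterface
 */
public function verifySignature(JWSInterface $jws, JWTClientInterface $client)
{
    $allowed_algorithms = $client->getAllowedSignatureAlgorithms();

    // Treat an absent header as "not allowed" instead of reading it unguarded.
    $alg = $jws->hasHeader('alg') ? $jws->getHeader('alg') : null;

    // Strict membership test: in_array() without its third argument uses ==,
    // under which a non-string header value can equal an allowed name.
    if (!is_string($alg) || !in_array($alg, $allowed_algorithms, true)) {
        throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, sprintf('Algorithm not allowed. Authorized algorithms: %s.', json_encode($allowed_algorithms)));
    }

    try {
        $is_valid = $this->verifier->verify($jws, $this->key_set);
    } catch (\Exception $e) {
        // NOTE(review): the verifier's message is forwarded to the caller
        // verbatim; confirm it cannot expose key or implementation details.
        throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, $e->getMessage());
    }

    // Only an explicit false from the verifier is reported as an invalid signature.
    if (false === $is_valid) {
        throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, 'Invalid signature.');
    }
}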