Example #1
 /**
  * Resolve the compression algorithm named by the header's compression
  * algorithm parameter.
  *
  * The name is read from the header as-is and handed to algoByName(), so
  * the set of accepted algorithms is whatever algoByName() allows.
  *
  * @param Header $header Header to inspect
  * @throws \UnexpectedValueException If the compression algorithm parameter
  *         is not present; the original documentation also lists an
  *         unsupported algorithm, which would be raised by algoByName()
  *         (not visible in this excerpt)
  * @return CompressionAlgorithm
  */
 public static function algoByHeader(Header $header)
 {
     if ($header->hasCompressionAlgorithm()) {
         $name = $header->compressionAlgorithm()->value();
         return self::algoByName($name);
     }
     throw new \UnexpectedValueException("No compression algorithm parameter.");
 }
Example #2
 /**
  * Get the signature algorithm using the key from the given JWK set whose
  * ID matches the header's key ID parameter.
  *
  * The key ID is read from the header, so whoever produced the header
  * decides which key of the set is selected. NOTE(review): the set should
  * therefore hold only keys that are acceptable for this verification
  * context -- confirm against callers.
  *
  * @param JWKSet $set Candidate keys
  * @throws \UnexpectedValueException If the header has no key ID or the
  *         set contains no key with that ID
  * @return SignatureAlgorithm
  */
 public function algoByKeys(JWKSet $set)
 {
     $header = $this->_header;
     if (!$header->hasKeyID()) {
         throw new \UnexpectedValueException("No key ID paremeter.");
     }
     $id = $header->keyID()->value();
     if ($set->hasKeyID($id)) {
         return $this->algoByKey($set->keyByID($id));
     }
     // The key ID is echoed verbatim in the message; treat it as untrusted
     // text wherever this exception is logged or displayed.
     throw new \UnexpectedValueException("No key for ID '{$id}'.");
 }
Example #3
File: JWT.php Project: sop/jwx
 /**
  * Get JWT header.
  *
  * Base64url-decodes the first part of the token and parses it as JSON.
  * Nothing in this method checks a signature or authentication tag, so the
  * returned parameters are unauthenticated input until the token has been
  * verified elsewhere.
  *
  * @return JOSE
  */
 public function header()
 {
     $json = Base64::urlDecode($this->_parts[0]);
     return new JOSE(Header::fromJSON($json));
 }
Example #4
 /**
  * Decrypt the encrypted key with GCM, using the authentication tag
  * carried in the header together with this object's key encryption key
  * and IV.
  *
  * NOTE(review): the tag is taken from the header without a length check
  * in this method; confirm that the GCM implementation (or the header
  * parameter class) rejects truncated tags.
  *
  * @see \JWX\JWE\KeyManagementAlgorithm::_decryptKey()
  * @param string $ciphertext Encrypted key (type presumed from usage)
  * @param Header $header Header expected to carry the authentication tag
  * @throws \RuntimeException For generic errors
  * @return string
  */
 protected function _decryptKey($ciphertext, Header $header)
 {
     if ($header->hasAuthenticationTag()) {
         $tag = $header->authenticationTag()->authenticationTag();
         // An empty string is passed as the third argument (presumably the
         // additional authenticated data -- verify against the GCM class).
         return $this->_getGCM()->decrypt($ciphertext, $tag, "", $this->_kek, $this->_iv);
     }
     throw new \RuntimeException("Header doesn't contain authentication tag.");
 }
Example #5
File: JWA.php Project: sop/jwx
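 /**
  * Derive algorithm name from the header and optionally from the given JWK.
  *
  * When both the header and the JWK name an algorithm, the two must be
  * identical; the JWK's value is then returned. When only one of them names
  * an algorithm, that value is returned.
  *
  * The header value may originate from an untrusted token, so the match is
  * checked with a strict comparison: PHP's loose `!=` applies type juggling
  * (numeric strings, or a non-string value on one side) and could treat
  * different values as equal.
  *
  * @param Header $header Header
  * @param JWK $jwk Optional JWK
  * @throws \UnexpectedValueException If algorithm parameter is not present
  *         or header and JWK algorithms differ.
  * @return string Algorithm name
  */
 public static function deriveAlgorithmName(Header $header, JWK $jwk = null)
 {
     $alg = $header->hasAlgorithm() ? $header->algorithm()->value() : null;
     // if JWK is set, and has an algorithm parameter
     if (isset($jwk) && $jwk->hasAlgorithmParameter()) {
         $jwk_alg = $jwk->algorithmParameter()->value();
         // Strict comparison: no type juggling on a value that may come
         // from an attacker-supplied header.
         if (isset($alg) && $alg !== $jwk_alg) {
             throw new \UnexpectedValueException("JWK algorithm '{$jwk_alg}' doesn't match" . " the header's algorithm '{$alg}'.");
         }
         // The key's declared algorithm is the one returned.
         $alg = $jwk_alg;
     }
     if (!isset($alg)) {
         throw new \UnexpectedValueException("No algorithm parameter.");
     }
     return $alg;
 }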
Example #6
File: JWE.php Project: sop/jwx
 /**
  * Convert to compact serialization.
  *
  * Produces five base64url-encoded segments joined by ".", in this order:
  * protected header (as JSON), encrypted key, IV, ciphertext and
  * authentication tag.
  *
  * @return string
  */
 public function toCompact()
 {
     $segments = [
         Base64::urlEncode($this->_protectedHeader->toJSON()),
         Base64::urlEncode($this->_encryptedKey),
         Base64::urlEncode($this->_iv),
         Base64::urlEncode($this->_ciphertext),
         Base64::urlEncode($this->_authenticationTag),
     ];
     return implode(".", $segments);
 }
Example #7
File: JWS.php Project: sop/jwx
 /**
  * Generate input for the signature computation.
  *
  * The result is the base64url-encoded header JSON, a ".", and the payload.
  * The payload is base64url-encoded unless the header carries a b64 payload
  * parameter whose value is false, in which case it is appended as given.
  *
  * NOTE(review): in the unencoded case this method does not inspect the
  * payload, so a payload containing "." is not rejected here; confirm that
  * callers enforce whatever restrictions apply to unencoded payloads.
  *
  * @param string $payload Payload
  * @param Header $header Protected header
  * @return string
  */
 protected static function _generateSignatureInput($payload, Header $header)
 {
     // Encoding the payload is the default when the header says nothing.
     $encode_payload = true;
     if ($header->hasB64Payload()) {
         $encode_payload = $header->B64Payload()->value();
     }
     $input = Base64::urlEncode($header->toJSON()) . ".";
     if ($encode_payload) {
         return $input . Base64::urlEncode($payload);
     }
     return $input . $payload;
 }
Example #8
 /**
  * Build a PBES2 algorithm instance from a JWK and the PBES2 parameters
  * (salt input and iteration count) carried in the header.
  *
  * The concrete class is looked up in self::MAP_ALGO_TO_CLASS, so only
  * algorithm names present in that map can be instantiated.
  *
  * NOTE(review): the iteration count is read from the header and passed on
  * without a range check in this method. If the header can come from an
  * untrusted sender, confirm that an upper and a lower bound are enforced
  * elsewhere, since the count drives the cost of key derivation.
  *
  * @param JWK $jwk Key, converted to a symmetric key JWK
  * @param Header $header Header carrying the salt input and count
  * @throws \UnexpectedValueException If the salt input or the iteration
  *         count is missing, or the derived algorithm is not in the map
  * @return PBES2Algorithm
  */
 public static function fromJWK(JWK $jwk, Header $header)
 {
     $key = SymmetricKeyJWK::fromJWK($jwk);
     if (!$header->hasPBES2SaltInput()) {
         throw new \UnexpectedValueException("No salt input.");
     }
     $salt = $header->PBES2SaltInput()->saltInput();
     if (!$header->hasPBES2Count()) {
         throw new \UnexpectedValueException("No iteration count.");
     }
     $iterations = $header->PBES2Count()->value();
     $alg = JWA::deriveAlgorithmName($header, $key);
     // Allow-list lookup: the class name never comes from the input itself.
     if (array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
         $class = self::MAP_ALGO_TO_CLASS[$alg];
         return new $class($key->key(), $salt, $iterations);
     }
     throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
 }