Exemple #1
 /**
  * {@inheritdoc}
  *
  * Converts the input to its JSON-serialization array form and hands it to
  * the JWS or JWE loader depending on which top-level member is present.
  * 'signatures' is tested before 'recipients', so an input carrying both
  * members is always treated as a JWS.
  *
  * NOTE(review): this method only parses and dispatches. Whether the
  * delegated loaders verify a signature or authenticate a ciphertext is not
  * visible here; confirm before treating the returned object as trusted.
  *
  * @throws \InvalidArgumentException when the converted input is not an array
  *                                   or has neither 'signatures' nor 'recipients'
  */
 public function load($input, JWKSetInterface $jwk_set = null)
 {
     // The meaning of the third argument (false) is defined by Converter::convert
     // and is not visible here.
     $decoded = Converter::convert($input, JSONSerializationModes::JSON_SERIALIZATION, false);

     if (!is_array($decoded)) {
         throw new \InvalidArgumentException('Unable to load the input');
     }

     // JWS: only the decoded structure is forwarded; $jwk_set is not used on this path.
     if (array_key_exists('signatures', $decoded)) {
         return $this->loadSerializedJsonJWS($decoded);
     }

     // JWE: the caller-supplied key set (possibly null) is passed through unchanged.
     if (array_key_exists('recipients', $decoded)) {
         return $this->loadSerializedJsonJWE($decoded, $jwk_set);
     }

     throw new \InvalidArgumentException('Unable to load the input');
 }
Exemple #2
 /**
  * Signs the payload of the input once per instruction and serializes the result.
  *
  * @param array|JWKInterface|JWKSetInterface|JWTInterface|string $input         The input to sign
  * @param array                                                  $instructions  Signature instructions; one signature entry is produced for each
  * @param string                                                 $serialization Serialization mode handed to Converter::convert
  *
  * @return string The serialized JWS. When the converter returns an array, only
  *                its current (first) element is returned and the rest is dropped.
  */
 public function sign($input, array $instructions, $serialization = JSONSerializationModes::JSON_COMPACT_SERIALIZATION)
 {
     // Validation is delegated; what these two checks enforce is not visible here.
     // NOTE(review): getPayload() is called on $input below, so checkInput
     // presumably normalises $input into a JWT object -- confirm.
     $this->checkInput($input);
     $this->checkInstructions($instructions, $serialization);

     // The same encoded payload is shared by every signature entry.
     $encoded_payload = Base64Url::encode($input->getPayload());
     $jws = ['payload' => $encoded_payload, 'signatures' => []];

     foreach ($instructions as $instruction) {
         $jws['signatures'][] = $this->computeSignature($instruction, $input, $encoded_payload);
     }

     $serialized = Converter::convert($jws, $serialization);
     if (is_array($serialized)) {
         return current($serialized);
     }

     return $serialized;
 }
Exemple #3
 /**
  * Encrypts the payload of the input for every recipient instruction and
  * serializes the resulting JWE.
  *
  * A single content encryption key (CEK) is determined once and passed to
  * every recipient computation. Only the encoded protected header and $aad
  * are handed to the content encryption algorithm; the unprotected header is
  * emitted as-is and is therefore not covered by the authentication tag as
  * far as this method shows.
  *
  * @param array|JWKInterface|JWKSetInterface|JWTInterface|string $input
  * @param array                                                  $instructions              One recipient entry is produced per instruction
  * @param array                                                  $shared_protected_header   Merged over the input's protected header (same-named members win)
  * @param array                                                  $shared_unprotected_header Merged over the input's unprotected header (same-named members win)
  * @param string                                                 $serialization             Serialization mode handed to Converter::convert
  * @param string|null                                            $aad                       Additional authenticated data; passed raw to encryptContent and
  *                                                                                          base64url-encoded into the 'aad' member (type presumed string -- confirm)
  *
  * @return string The serialized JWE. When the converter returns an array, only
  *                its current (first) element is returned and the rest is dropped.
  */
 public function encrypt($input, array $instructions, array $shared_protected_header = [], array $shared_unprotected_header = [], $serialization = JSONSerializationModes::JSON_COMPACT_SERIALIZATION, $aad = null)
 {
     // Validation is delegated; what these two checks enforce is not visible here.
     $this->checkInput($input);
     $this->checkInstructions($instructions, $serialization);

     $protected = array_merge($input->getProtectedHeader(), $shared_protected_header);
     $unprotected = array_merge($input->getUnprotectedHeader(), $shared_unprotected_header);

     // Key management mode and content encryption algorithm are resolved from
     // the instructions and both merged headers.
     $mode = $this->getKeyManagementMode($instructions, $protected, $unprotected);
     $enc_algorithm = $this->getContentEncryptionAlgorithm($instructions, $protected, $unprotected);

     // One CEK, sized by the content encryption algorithm, for all recipients.
     $cek = $this->determineCEK($mode, $instructions, $protected, $unprotected, $enc_algorithm->getCEKSize());

     $jwe = ['recipients' => []];
     foreach ($instructions as $instruction) {
         $jwe['recipients'][] = $this->computeRecipient($instruction, $protected, $unprotected, $cek, $enc_algorithm->getCEKSize(), $serialization);
     }

     // The return value of compressPayload is not used, so the payload is
     // presumably compressed in place through a by-reference parameter -- confirm.
     // Compressing before encrypting makes ciphertext length depend on plaintext
     // content; avoid it where attacker-chosen data is mixed with secrets.
     $plaintext = $input->getPayload();
     $compression = $this->findCompressionMethod($instructions, $protected, $unprotected);
     $this->compressPayload($plaintext, $compression);

     // An IV is generated only when the algorithm reports an IV size.
     // NOTE(review): createIV's randomness source is not visible here; confirm
     // it draws from a CSPRNG.
     $iv = null;
     $iv_size = $enc_algorithm->getIVSize();
     if (null !== $iv_size) {
         $iv = $this->createIV($iv_size);
     }

     // NOTE(review): json_encode's result is not checked for false, and an empty
     // header array encodes as "[]" rather than a JSON object -- confirm that
     // callers can never reach this point with an empty protected header.
     $encoded_protected = Base64Url::encode(json_encode($protected));

     // $tag starts as null and is read back after the call, so encryptContent
     // presumably fills it through a by-reference parameter.
     $tag = null;
     $ciphertext = $enc_algorithm->encryptContent($plaintext, $cek, $iv, $aad, $encoded_protected, $tag);

     $encoded_ciphertext = Base64Url::encode($ciphertext);

     $encoded_aad = null;
     if (null !== $aad) {
         $encoded_aad = Base64Url::encode($aad);
     }

     $encoded_tag = null;
     if (null !== $tag) {
         $encoded_tag = Base64Url::encode($tag);
     }

     $encoded_iv = '';
     if (null !== $iv) {
         $encoded_iv = Base64Url::encode($iv);
     }

     $members = [
         'ciphertext' => $encoded_ciphertext,
         'protected' => $encoded_protected,
         'unprotected' => $unprotected,
         'iv' => $encoded_iv,
         'tag' => $encoded_tag,
         'aad' => $encoded_aad,
     ];

     // Only non-empty members are emitted (null, '', '0' and [] are dropped);
     // none of these keys collides with 'recipients'.
     $jwe += array_filter($members);

     $serialized = Converter::convert($jwe, $serialization);
     if (is_array($serialized)) {
         return current($serialized);
     }

     return $serialized;
 }
Exemple #4
 /**
  * Converter::merge must combine two single-recipient JWE structures that
  * share ciphertext, protected header, unprotected header, IV and tag into
  * one JSON document with both recipients listed under 'recipients'.
  *
  * The fixture values look like the two-recipient example from RFC 7516
  * Appendix A.4 -- confirm against the RFC. They are static test data: the
  * first recipient's RSA1_5 algorithm and the 'jku' URL in the unprotected
  * header are part of the vector, not a recommendation. A 'jku' carried in
  * the unprotected header is not integrity-protected, so a consumer should
  * not fetch keys from it without an allow-list.
  */
 public function testMergeEncrypted()
 {
     // Members common to both inputs; 'protected' decodes to {"enc":"A128CBC-HS256"}.
     $shared = [
         'ciphertext' => 'KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY',
         'protected' => 'eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0',
         'unprotected' => ['jku' => 'https://server.example.com/keys.jwks'],
         'iv' => 'AxY8DCtDaGlsbGljb3RoZQ',
         'tag' => 'Mz-VPPyU4RlcuYv1IwIvzw',
     ];

     $rsa_recipient = [
         'header' => ['alg' => 'RSA1_5', 'kid' => '2011-04-29'],
         'encrypted_key' => 'UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A',
     ];

     $aeskw_recipient = [
         'header' => ['alg' => 'A128KW', 'kid' => '7'],
         'encrypted_key' => '6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ',
     ];

     // Array union keeps the shared members first, followed by the
     // per-recipient members, matching the key order of a flattened input.
     $result = Converter::merge($shared + $rsa_recipient, $shared + $aeskw_recipient);

     $expected_result = json_encode($shared + ['recipients' => [$rsa_recipient, $aeskw_recipient]]);

     $this->assertEquals($expected_result, $result);
 }