/**
* @param IJWTSnapshot $jwt_snapshot
* @return string
*/
public static function serialize(IJWTSnapshot $jwt_snapshot)
{
list($header, $payload, $signature) = $jwt_snapshot->take();
$e_header = JOSEHeaderSerializer::serialize($header);
$e_payload = $header->getType()->getString() === 'JWT' ? JWTClaimSetSerializer::serialize($payload) : JWTRawSerializer::serialize($payload);
$e_signature = JWTRawSerializer::serialize($signature);
return sprintf('%s.%s.%s', $e_header, $e_payload, $e_signature);
}
/**
* @return $this
* @throws InvalidJWKAlgorithm
* @throws InvalidKeyTypeAlgorithmException
* @throws JWEInvalidCompactFormatException
* @throws JWEInvalidRecipientKeyException
* @throws JWEUnsupportedContentEncryptionAlgorithmException
* @throws JWEUnsupportedKeyManagementAlgorithmException
* @throws \Exception
*/
private function decrypt()
{
if (is_null($this->jwk)) {
throw new JWEInvalidRecipientKeyException();
}
if (!$this->should_decrypt) {
return $this;
}
if ($this->jwk->getAlgorithm()->getValue() !== $this->header->getAlgorithm()->getString()) {
throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to encrypt or determine the value of the CEK %s', $this->jwk->getAlgorithm()->getValue(), $this->header->getAlgorithm()->getString()));
}
$key_management_algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($this->header->getAlgorithm()->getString());
if (is_null($key_management_algorithm)) {
throw new JWEUnsupportedKeyManagementAlgorithmException(sprintf('alg %s', $this->header->getAlgorithm()->getString()));
}
$content_encryption_algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($this->header->getEncryptionAlgorithm()->getString());
if (is_null($content_encryption_algorithm)) {
throw new JWEUnsupportedContentEncryptionAlgorithmException(sprintf('enc %s', $this->header->getEncryptionAlgorithm()->getString()));
}
$this->cek = $this->decryptJWEEncryptedKey($key_management_algorithm);
// We encrypt the payload and get the tag
$jwt_shared_protected_header = JOSEHeaderSerializer::serialize($this->header);
/**
* Decrypt the JWE Cipher Text using the CEK, the JWE Initialization
* Vector, the Additional Authenticated Data value, and the JWE
* Authentication Tag (which is the Authentication Tag input to the
* calculation) using the specified content encryption algorithm,
* returning the decrypted plaintext and validating the JWE
* Authentication Tag in the manner specified for the algorithm,
* rejecting the input without emitting any decrypted output if the
* JWE Authentication Tag is incorrect.
*/
$plain_text = $content_encryption_algorithm->decrypt($this->cipher_text, $this->cek->getEncoded(), $this->iv, $jwt_shared_protected_header, $this->tag);
$zip = $this->header->getCompressionAlgorithm();
/**
* If a "zip" parameter was included, uncompress the decrypted
* plaintext using the specified compression algorithm.
*/
if (!is_null($zip)) {
$compression__algorithm = CompressionAlgorithms_Registry::getInstance()->get($zip->getValue());
$plain_text = $compression__algorithm->uncompress($plain_text);
}
$this->setPayload(JWSPayloadFactory::build($plain_text));
$this->should_decrypt = false;
return $this;
}
/**
* @param string $original_alg
* @return bool
* @throws InvalidJWKAlgorithm
* @throws JWSInvalidJWKException
* @throws JWSInvalidPayloadException
* @throws JWSNotSupportedAlgorithm
*/
public function verify($original_alg)
{
if (is_null($this->jwk)) {
throw new JWSInvalidJWKException();
}
if ($this->jwk->getKeyUse()->getString() !== JSONWebKeyPublicKeyUseValues::Signature) {
throw new JWSInvalidJWKException(sprintf('use %s not supported ', $this->jwk->getKeyUse()->getString()));
}
if (is_null($this->jwk->getAlgorithm())) {
throw new InvalidJWKAlgorithm('algorithm intended for use with the key is not set! ');
}
if (!is_null($this->jwk->getId()) && !is_null($this->header->getKeyID()) && $this->header->getKeyID()->getValue() != $this->jwk->getId()->getValue()) {
throw new JWSInvalidJWKException(sprintf('original kid %s - current kid %s', $this->header->getKeyID()->getValue(), $this->jwk->getId()->getValue()));
}
$alg = DigitalSignatures_MACs_Registry::getInstance()->get($original_alg);
if (is_null($alg)) {
throw new JWSNotSupportedAlgorithm(sprintf('algo %s', $original_alg));
}
$former_alg = $this->header->getAlgorithm()->getString();
if ($former_alg != $original_alg) {
throw new JWSNotSupportedAlgorithm(sprintf('former alg %s - original alg %s', $former_alg, $original_alg));
}
if ($this->jwk->getAlgorithm()->getValue() !== $original_alg) {
throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to secure the JWS %s', $this->jwk->getAlgorithm()->getValue(), $original_alg));
}
$secured_input_bytes = JOSEHeaderSerializer::serialize($this->header) . IBasicJWT::SegmentSeparator . $this->getEncodedPayload();
// use public key / secret
$key = $this->jwk->getKey(JSONWebKeyKeyOperationsValues::VerifyDigitalSignatureOrMAC);
return $alg->verify($key, $secured_input_bytes, $this->signature);
}
