/** * @param \Jose\Object\JWEInterface $jwe * * @return \Jose\Algorithm\ContentEncryptionAlgorithmInterface */ private function getContentEncryptionAlgorithm(Object\JWEInterface $jwe) { $algorithm = null; foreach ($jwe->getRecipients() as $recipient) { $complete_headers = array_merge($jwe->getSharedProtectedHeaders(), $jwe->getSharedHeaders(), $recipient->getHeaders()); Assertion::keyExists($complete_headers, 'enc', 'Parameter "enc" is missing.'); if (null === $algorithm) { $algorithm = $complete_headers['enc']; } else { Assertion::eq($algorithm, $complete_headers['enc'], 'Foreign content encryption algorithms are not allowed.'); } } $content_encryption_algorithm = $this->getJWAManager()->getAlgorithm($algorithm); Assertion::isInstanceOf($content_encryption_algorithm, Algorithm\ContentEncryptionAlgorithmInterface::class, sprintf('The content encryption algorithm "%s" is not supported or not a content encryption algorithm instance.', $algorithm)); return $content_encryption_algorithm; }
/** * @param \Jose\Object\JWEInterface $jwe * * @throws \InvalidArgumentException */ private function checkCompleteHeader($jwe) { foreach (['enc', 'alg'] as $key) { if (!$jwe->hasHeader($key)) { throw new \InvalidArgumentException(sprintf("Parameters '%s' is missing.", $key)); } } }
/** * @param \Jose\Object\JWEInterface $jwe * @param string $cek * @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm * @param array $complete_headers * * @return bool */ private function decryptPayload(Object\JWEInterface &$jwe, $cek, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, array $complete_headers) { $payload = $content_encryption_algorithm->decryptContent($jwe->getCiphertext(), $cek, $jwe->getIV(), null === $jwe->getAAD() ? null : Base64Url::encode($jwe->getAAD()), $jwe->getEncodedSharedProtectedHeaders(), $jwe->getTag()); if (null === $payload) { return false; } $this->decompressIfNeeded($payload, $complete_headers); $decoded = json_decode($payload, true); $jwe = $jwe->withPayload(null === $decoded ? $payload : $decoded); return true; }
/** * @param \Jose\Object\JWEInterface $jwe * * @throws \OAuth2\Exception\BaseExceptionInterface * * @return \Jose\Object\JWSInterface */ protected function decryptAssertion(JWEInterface $jwe) { if (!in_array($jwe->getHeader('alg'), $this->allowed_encryption_algorithms) || !in_array($jwe->getHeader('enc'), $this->allowed_encryption_algorithms)) { throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, sprintf('Algorithm not allowed. Authorized algorithms: %s.', json_encode($this->allowed_encryption_algorithms))); } $this->decrypter->decrypt($jwe, $this->key_set); if (null === $jwe->getPayload()) { throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, 'Unable to decrypt the payload. Please verify keys used for encryption.'); } $jws = $this->loader->load($jwe->getPayload()); if (!$jws instanceof JWSInterface) { throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, 'The encrypted assertion does not contain a single JWS.'); } return $jws; }
/** * @param \Jose\Object\JWEInterface $jwe * @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm * @param string $cek * @param string $iv * @param \Jose\Compression\CompressionInterface|null $compression_method */ private function encryptJWE(Object\JWEInterface &$jwe, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, $cek, $iv, Compression\CompressionInterface $compression_method = null) { if (!empty($jwe->getSharedProtectedHeaders())) { $jwe = $jwe->withEncodedSharedProtectedHeaders(Base64Url::encode(json_encode($jwe->getSharedProtectedHeaders()))); } $tag = null; $payload = $this->preparePayload($jwe->getPayload(), $compression_method); $aad = null === $jwe->getAAD() ? null : Base64Url::encode($jwe->getAAD()); $ciphertext = $content_encryption_algorithm->encryptContent($payload, $cek, $iv, $aad, $jwe->getEncodedSharedProtectedHeaders(), $tag); $jwe = $jwe->withCiphertext($ciphertext); $jwe = $jwe->withIV($iv); if (null !== $tag) { $jwe = $jwe->withTag($tag); } }