コード例 #1
ファイル: PBES2.php プロジェクト: kelvinmo/simplejwt
 /**
  * Produces the random salt input (the file name suggests this is for PBES2).
  *
  * Eight octets are requested from {@link SimpleJWT\Util\Util::random_bytes()}.
  * RFC 7518 section 4.8.1.1 requires a salt input of 8 or more octets, so
  * this is the minimum permitted length.
  *
  * NOTE(review): the salt is only as unpredictable as Util::random_bytes();
  * that helper is not visible here - confirm it is backed by a CSPRNG.
  *
  * @return string the salt input
  */
 protected function generateSaltInput()
 {
     // 8 octets = smallest salt input allowed by RFC 7518
     $salt_input = Util::random_bytes(8);

     return $salt_input;
 }
コード例 #2
ファイル: JWE.php プロジェクト: kelvinmo/simplejwt
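 /**
  * Encrypts the JWE.
  *
  * The `alg` and `enc` headers must already be set.  Side effects visible in
  * this method: `$this->headers['kid']` is set when `$kid` is supplied, and
  * for key agreement with key wrapping the agreed key is added to `$keys`
  * as a symmetric key, so the caller's key set is modified.
  *
  * @param SimpleJWT\Keys\KeySet $keys the key set containing the key to encrypt the
  * content encryption key
  * @param string|null $kid the ID of the key to use to encrypt. If null, this
  * is automatically retrieved
  * @param string $format the JWE serialisation format
  * @return string the encrypted JWE
  * @throws \InvalidArgumentException if the alg or enc header is missing, the
  * zip header is not supported, the headers cannot be JSON-encoded, or
  * $format is not a recognised format
  * @throws \RuntimeException if the plaintext cannot be compressed
  * @throws SimpleJWT\Keys\KeyException if there is an error obtaining the key
  * to encrypt the content encryption key
  * @throws SimpleJWT\Crypt\CryptException if there is a cryptographic error
  */
 public function encrypt($keys, $kid = null, $format = self::COMPACT_FORMAT)
 {
     if (!isset($this->headers['alg'])) {
         throw new \InvalidArgumentException('alg parameter missing');
     }
     if (!isset($this->headers['enc'])) {
         throw new \InvalidArgumentException('enc parameter missing');
     }
     $key_enc = AlgorithmFactory::create($this->headers['alg']);
     $content_enc = AlgorithmFactory::create($this->headers['enc']);
     // Loose comparison: an empty-string kid is treated the same as null.
     if ($kid != null) {
         $this->headers['kid'] = $kid;
     }
     if ($key_enc instanceof KeyDerivationAlgorithm) {
         $agreed_key = $key_enc->deriveKey($keys, $this->headers, $kid);
         if ($key_enc instanceof KeyEncryptionAlgorithm) {
             // Key agreement with wrapping: the agreed key becomes the key
             // that encryptKey() below is given through $keys.
             $keys->add(new SymmetricKey(array('kty' => SymmetricKey::KTY, 'alg' => $this->headers['alg'], 'k' => Util::base64url_encode($agreed_key)), 'php'));
         } else {
             // Direct key agreement or direct encryption
             // NOTE(review): the agreed key is used as the CEK without a
             // length check against $content_enc->getCEKSize() here -
             // presumably enforced by the algorithm classes; confirm.
             $cek = $agreed_key;
         }
     }
     if (!isset($cek)) {
         // getCEKSize() is divided by 8 to get a byte count for random_bytes().
         $cek = Util::random_bytes($content_enc->getCEKSize() / 8);
     }
     if ($key_enc instanceof KeyEncryptionAlgorithm) {
         $encrypted_key = $key_enc->encryptKey($cek, $keys, $this->headers, $kid);
     } else {
         $encrypted_key = '';
     }
     if (isset($this->headers['zip'])) {
         // NOTE(review): compressing before encrypting makes the ciphertext
         // length depend on the plaintext content.  Avoid the zip header
         // when the plaintext mixes secrets with data another party can
         // influence.
         switch ($this->headers['zip']) {
             case 'DEF':
                 $plaintext = gzdeflate($this->plaintext);
                 if ($plaintext === false) {
                     // Without this check a failed compression would be
                     // passed on to encryptAndSign() as boolean false.
                     throw new \RuntimeException('Cannot compress plaintext');
                 }
                 break;
             default:
                 throw new \InvalidArgumentException('Unsupported zip header:' . $this->headers['zip']);
         }
     } else {
         $plaintext = $this->plaintext;
     }
     // The headers are serialised only after the key-management calls above,
     // which receive $this->headers (presumably so they can add parameters -
     // confirm against the algorithm classes).  Keep this ordering.
     $headers_json = json_encode($this->headers);
     if ($headers_json === false) {
         // json_encode() returns false on failure (e.g. a header value that
         // is not valid UTF-8).  Fail here rather than pass false on as the
         // protected header given to encryptAndSign().
         throw new \InvalidArgumentException('Cannot encode headers');
     }
     $protected = Util::base64url_encode($headers_json);
     $results = $content_enc->encryptAndSign($plaintext, $cek, $protected);
     $ciphertext = $results['ciphertext'];
     $iv = isset($results['iv']) ? $results['iv'] : '';
     $tag = $results['tag'];
     switch ($format) {
         case self::COMPACT_FORMAT:
             return $protected . '.' . $encrypted_key . '.' . $iv . '.' . $ciphertext . '.' . $tag;
         case self::JSON_FORMAT:
             // NOTE(review): RFC 7516 section 7.2.1 says "encrypted_key" must
             // be absent when the encrypted key is empty; it is always
             // emitted here.  Left unchanged because consumers may rely on
             // the member being present - confirm before changing.
             $obj = array('protected' => $protected, 'ciphertext' => $ciphertext, 'tag' => $tag, 'encrypted_key' => $encrypted_key);
             if ($iv) {
                 $obj['iv'] = $iv;
             }
             return json_encode($obj);
         default:
             throw new \InvalidArgumentException('Incorrect format');
     }
 }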
コード例 #3
ファイル: RSAES.php プロジェクト: kelvinmo/simplejwt
 /**
  * Produces the random seed used for OAEP encoding.
  *
  * The bytes come from {@link SimpleJWT\Util\Util::random_bytes()}.
  *
  * NOTE(review): OAEP relies on the seed being fresh and unpredictable for
  * every encryption; Util::random_bytes() is not visible here - confirm it
  * is backed by a CSPRNG.
  *
  * @param int $len the length of the seed required, in octets
  * @return string the seed
  */
 protected function generateSeed($len)
 {
     $seed = Util::random_bytes($len);

     return $seed;
 }