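/**
 * Decrypts a JWE token given in compact serialization form and returns its plaintext.
 *
 * The token is split on '.' into five base64url segments: protected header,
 * encrypted content-encryption key (CEK), IV, ciphertext and authentication tag.
 * The key-management algorithm ("alg") and content-encryption algorithm ("enc")
 * are looked up in $context by the names found in the token header.
 *
 * NOTE(review): "alg" and "enc" are read from the token itself, i.e. from
 * untrusted input, before anything has been authenticated. This method accepts
 * whatever $context has registered; a caller that expects one specific
 * algorithm pair should restrict $context accordingly or check the header
 * itself. How get() treats an unregistered name is not visible here -- confirm.
 *
 * @param Context         $context Provides the registered JWE algorithms and encryptions
 * @param string          $token   JWE in compact serialization form
 * @param string|resource $key     Key material passed unchanged to the algorithm's unwrap()
 *
 * @return string
 *
 * @throws JoseJwtException When the token is empty, does not have five parts,
 *                          or its header is not a JSON object carrying string
 *                          "alg" and "enc" members
 */
public static function decode(Context $context, $token, $key)
{
    if (empty($token) || trim($token) === '') {
        throw new JoseJwtException('Incoming token expected to be in compact serialization form, but is empty');
    }

    $parts = explode('.', $token);
    if (count($parts) !== 5) {
        throw new JoseJwtException('Invalid JWE token');
    }

    $decodedParts = [];
    foreach ($parts as $part) {
        // NOTE(review): the result of UrlSafeB64Encoder::decode() is used as-is;
        // whether it can signal malformed input is not visible here -- confirm.
        $decodedParts[] = UrlSafeB64Encoder::decode($part);
    }
    list($headerString, $encryptedCek, $iv, $cipherText, $authTag) = $decodedParts;

    // The header is attacker-controlled. json_decode() returns null on a parse
    // error but also happily returns scalars ("abc", 42, true), so require an
    // array before indexing into it.
    $header = json_decode($headerString, true);
    if (!is_array($header)) {
        throw new JoseJwtException('Invalid header');
    }

    // Reject a header that omits "alg"/"enc" or carries a non-string value, so
    // the registry lookups below never receive null or a nested structure.
    foreach (['alg', 'enc'] as $required) {
        if (!isset($header[$required]) || !is_string($header[$required]) || $header[$required] === '') {
            throw new JoseJwtException('Invalid header');
        }
    }

    $algorithm = $context->jweAlgorithms()->get($header['alg']);
    $encryption = $context->jweEncryptions()->get($header['enc']);

    $cek = $algorithm->unwrap($encryptedCek, $key, $encryption->getKeySize(), $header);

    // The additional authenticated data is the header segment exactly as it
    // appeared in the token (still base64url-encoded), not the decoded JSON.
    $aad = $parts[0];

    // The auth tag is handed to decrypt(); presumably it is verified there
    // before plaintext is returned -- confirm in the encryption implementations.
    return $encryption->decrypt($aad, $cek, $iv, $cipherText, $authTag);
}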