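/**
 * Generates a fresh content encryption key (CEK) and encrypts it with the
 * recipient's public key through openssl_public_encrypt().
 *
 * The plain CEK is returned next to its encrypted form, so the caller holds raw
 * key material and is responsible for not logging or persisting it.
 *
 * @param int             $cekSizeBits CEK size in bits; must be a multiple of 8
 * @param string|resource $kek         public key passed to openssl_public_encrypt()
 * @param array           $header      JWE header; not read by this method
 *
 * @return array [cek, encryptedCek]
 *
 * @throws JoseJwtException if $cekSizeBits is not a multiple of 8, or if the
 *                          public-key encryption fails
 */
public function wrapNewKey($cekSizeBits, $kek, array $header)
{
    // A size that is not a whole number of bytes would hand a fractional
    // length to the random generator, so reject it before any key is drawn.
    if ($cekSizeBits % 8 != 0) {
        throw new JoseJwtException('CekSizeBits must be divisible by 8');
    }

    // NOTE(review): the CEK is only as strong as its source; presumably
    // $this->randomGenerator is a CSPRNG. Confirm against its implementation.
    $cek = $this->randomGenerator->get($cekSizeBits / 8);

    // NOTE(review): the padding mode comes from $this->padding, set outside this
    // method. OPENSSL_PKCS1_PADDING (PKCS#1 v1.5) leaves the decrypting side
    // exposed to padding-oracle attacks; prefer OPENSSL_PKCS1_OAEP_PADDING where
    // the negotiated algorithm allows it. Verify what callers configure.
    if (false === openssl_public_encrypt($cek, $cekEncrypted, $kek, $this->padding)) {
        // Deliberately generic message: no key material or OpenSSL detail is echoed.
        throw new JoseJwtException('Unable to encrypt CEK');
    }

    return [$cek, $cekEncrypted];
}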
/**
 * Returns random bytes from the first configured generator, or from the second
 * one when the first is not set.
 *
 * The fallback is chosen only by which generator is present. Nothing here
 * catches errors, so an exception thrown by the chosen generator propagates.
 *
 * NOTE(review): whichever generator answers may end up supplying key material
 * or IVs, so both should be cryptographically secure. Confirm against the
 * classes that are injected here.
 *
 * @param int $bytesLength number of bytes requested from the delegate
 *
 * @return string
 *
 * @throws JoseJwtException when neither generator is set
 */
public function get($bytesLength)
{
    // First generator wins whenever it is set; otherwise fall through to the second.
    $generator = $this->first ?: $this->second;

    if (!$generator) {
        throw new JoseJwtException('No random generators provided');
    }

    return $generator->get($bytesLength);
}
/**
 * Draws a new content encryption key (CEK) and wraps it under the given key
 * encryption key (KEK) with $this->aesWrap().
 *
 * The KEK length is checked against $this->kekLengthBits before any key
 * material is generated, so a KEK of the wrong size is never used to wrap.
 *
 * @param int             $cekSizeBits CEK size in bits; must be divisible by 8
 * @param string|resource $kek         key encryption key; its length is measured
 *                                     with StringUtils::length()
 * @param array           $header      JWE header; not read by this method
 *
 * @return array [cek, encryptedCek]
 *
 * @throws JoseJwtException if the KEK size does not match the configured size,
 *                          or if $cekSizeBits is not divisible by 8
 */
public function wrapNewKey($cekSizeBits, $kek, array $header)
{
    $kekBits = StringUtils::length($kek) * 8;
    if ($kekBits != $this->kekLengthBits) {
        // Only the two sizes are reported; the key itself never reaches the message.
        throw new JoseJwtException(sprintf(
            'AesKeyWrap management algorithm expected key of size %s bits, but was given %s bits',
            $this->kekLengthBits,
            $kekBits
        ));
    }

    if (0 != $cekSizeBits % 8) {
        throw new JoseJwtException('CekSizeBits must be divisible by 8');
    }

    // NOTE(review): presumably $this->randomGenerator is a CSPRNG. Confirm.
    $contentKey = $this->randomGenerator->get($cekSizeBits / 8);

    return [$contentKey, $this->aesWrap($kek, $contentKey)];
}
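/**
 * Encrypts $plainText with AES-CBC and authenticates the result with a tag from
 * $this->computeAuthTag().
 *
 * The CEK is split in half: the first half becomes the MAC key and the second
 * half the AES key (the MAC_KEY / ENC_KEY order of RFC 7518, section 5.2.2.1).
 * The tag is computed after encryption, over the AAD, the IV and the ciphertext,
 * so the ciphertext itself is authenticated.
 *
 * @param string          $aad       additional authenticated data, passed to computeAuthTag()
 * @param string          $plainText data to encrypt
 * @param string|resource $cek       content encryption key; must be exactly
 *                                   $this->keySize bits long
 *
 * @return array [iv, cipherText, authTag]
 *
 * @throws JoseJwtException if the CEK has the wrong size, if the cipher is not
 *                          available, or if OpenSSL fails to encrypt
 */
public function encrypt($aad, $plainText, $cek)
{
    $cekLen = StringUtils::length($cek);
    if ($cekLen * 8 != $this->keySize) {
        throw new JoseJwtException(sprintf('AES-CBC with HMAC algorithm expected key of size %s bits, but was given %s bits', $this->keySize, $cekLen * 8));
    }
    if ($cekLen % 2 != 0) {
        throw new JoseJwtException('AES-CBC with HMAC encryption expected key of even number size');
    }

    // Separate keys for MAC and encryption, so the same bytes are never used for both.
    $halfLen = $cekLen / 2;
    $hmacKey = StringUtils::substring($cek, 0, $halfLen);
    $aesKey = StringUtils::substring($cek, $halfLen, $halfLen);

    $method = sprintf('AES-%d-CBC', $this->keySize / 2);

    // openssl_cipher_iv_length() returns false for an unknown cipher; without
    // this check the false would be passed on as the requested IV length.
    $ivLen = openssl_cipher_iv_length($method);
    if (false === $ivLen) {
        throw new JoseJwtException(sprintf('Cipher %s is not available', $method));
    }

    // A fresh IV per call; CBC needs it to be unpredictable.
    // NOTE(review): presumably $this->randomGenerator is a CSPRNG. Confirm.
    $iv = $this->randomGenerator->get($ivLen);

    // OPENSSL_RAW_DATA is the named form of the raw-output flag the original passed as `true`.
    $cipherText = openssl_encrypt($plainText, $method, $aesKey, OPENSSL_RAW_DATA, $iv);
    if (false === $cipherText) {
        // Fail closed: never compute a tag over, or return, a failed encryption result.
        throw new JoseJwtException('Unable to encrypt plaintext');
    }

    $authTag = $this->computeAuthTag($aad, $iv, $cipherText, $hmacKey);

    return [$iv, $cipherText, $authTag];
}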