/**
* @param IJWKSpecification $spec
* @return IJWK
* @throws InvalidJWKAlgorithm
* @throws JWKInvalidSpecException
*/
public static function build(IJWKSpecification $spec)
{
if (is_null($spec)) {
throw new \InvalidArgumentException('missing spec param');
}
$algorithm = DigitalSignatures_MACs_Registry::getInstance()->get($spec->getAlg());
if (is_null($algorithm)) {
$algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($spec->getAlg());
}
if (is_null($algorithm)) {
$algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($spec->getAlg());
}
if (is_null($algorithm)) {
throw new InvalidJWKAlgorithm(sprintf('alg %s not supported!', $spec->getAlg()));
}
if ($algorithm->getKeyType() !== JSONWebKeyTypes::OctetSequence) {
throw new InvalidJWKAlgorithm(sprintf('key type %s not supported!', $algorithm->getKeyType()));
}
if (!$spec instanceof OctetSequenceJWKSpecification) {
throw new JWKInvalidSpecException();
}
$shared_secret = $spec->getSharedSecret();
$secret_len = strlen($shared_secret);
if ($secret_len === 0) {
$generator = Utils_Registry::getInstance()->get(Utils_Registry::RandomNumberGeneratorService);
$shared_secret = $generator->invoke($algorithm->getMinKeyLen() / 8);
}
return OctetSequenceJWK::fromSecret(new SymmetricSharedKey($shared_secret), $spec->getAlg(), $spec->getUse());
}
/**
* @return $this
* @throws InvalidJWKAlgorithm
* @throws InvalidKeyTypeAlgorithmException
* @throws JWEInvalidCompactFormatException
* @throws JWEInvalidRecipientKeyException
* @throws JWEUnsupportedContentEncryptionAlgorithmException
* @throws JWEUnsupportedKeyManagementAlgorithmException
* @throws \Exception
*/
private function decrypt()
{
if (is_null($this->jwk)) {
throw new JWEInvalidRecipientKeyException();
}
if (!$this->should_decrypt) {
return $this;
}
if ($this->jwk->getAlgorithm()->getValue() !== $this->header->getAlgorithm()->getString()) {
throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to encrypt or determine the value of the CEK %s', $this->jwk->getAlgorithm()->getValue(), $this->header->getAlgorithm()->getString()));
}
$key_management_algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($this->header->getAlgorithm()->getString());
if (is_null($key_management_algorithm)) {
throw new JWEUnsupportedKeyManagementAlgorithmException(sprintf('alg %s', $this->header->getAlgorithm()->getString()));
}
$content_encryption_algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($this->header->getEncryptionAlgorithm()->getString());
if (is_null($content_encryption_algorithm)) {
throw new JWEUnsupportedContentEncryptionAlgorithmException(sprintf('enc %s', $this->header->getEncryptionAlgorithm()->getString()));
}
$this->cek = $this->decryptJWEEncryptedKey($key_management_algorithm);
// We encrypt the payload and get the tag
$jwt_shared_protected_header = JOSEHeaderSerializer::serialize($this->header);
/**
* Decrypt the JWE Cipher Text using the CEK, the JWE Initialization
* Vector, the Additional Authenticated Data value, and the JWE
* Authentication Tag (which is the Authentication Tag input to the
* calculation) using the specified content encryption algorithm,
* returning the decrypted plaintext and validating the JWE
* Authentication Tag in the manner specified for the algorithm,
* rejecting the input without emitting any decrypted output if the
* JWE Authentication Tag is incorrect.
*/
$plain_text = $content_encryption_algorithm->decrypt($this->cipher_text, $this->cek->getEncoded(), $this->iv, $jwt_shared_protected_header, $this->tag);
$zip = $this->header->getCompressionAlgorithm();
/**
* If a "zip" parameter was included, uncompress the decrypted
* plaintext using the specified compression algorithm.
*/
if (!is_null($zip)) {
$compression__algorithm = CompressionAlgorithms_Registry::getInstance()->get($zip->getValue());
$plain_text = $compression__algorithm->uncompress($plain_text);
}
$this->setPayload(JWSPayloadFactory::build($plain_text));
$this->should_decrypt = false;
return $this;
}
