/** * @param IJWKSpecification $spec * @return IJWK * @throws InvalidJWKAlgorithm * @throws JWKInvalidSpecException */ public static function build(IJWKSpecification $spec) { if (is_null($spec)) { throw new \InvalidArgumentException('missing spec param'); } $algorithm = DigitalSignatures_MACs_Registry::getInstance()->get($spec->getAlg()); if (is_null($algorithm)) { $algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($spec->getAlg()); } if (is_null($algorithm)) { $algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($spec->getAlg()); } if (is_null($algorithm)) { throw new InvalidJWKAlgorithm(sprintf('alg %s not supported!', $spec->getAlg())); } if ($algorithm->getKeyType() !== JSONWebKeyTypes::OctetSequence) { throw new InvalidJWKAlgorithm(sprintf('key type %s not supported!', $algorithm->getKeyType())); } if (!$spec instanceof OctetSequenceJWKSpecification) { throw new JWKInvalidSpecException(); } $shared_secret = $spec->getSharedSecret(); $secret_len = strlen($shared_secret); if ($secret_len === 0) { $generator = Utils_Registry::getInstance()->get(Utils_Registry::RandomNumberGeneratorService); $shared_secret = $generator->invoke($algorithm->getMinKeyLen() / 8); } return OctetSequenceJWK::fromSecret(new SymmetricSharedKey($shared_secret), $spec->getAlg(), $spec->getUse()); }
/** * @return $this * @throws InvalidJWKAlgorithm * @throws InvalidKeyTypeAlgorithmException * @throws JWEInvalidCompactFormatException * @throws JWEInvalidRecipientKeyException * @throws JWEUnsupportedContentEncryptionAlgorithmException * @throws JWEUnsupportedKeyManagementAlgorithmException * @throws \Exception */ private function decrypt() { if (is_null($this->jwk)) { throw new JWEInvalidRecipientKeyException(); } if (!$this->should_decrypt) { return $this; } if ($this->jwk->getAlgorithm()->getValue() !== $this->header->getAlgorithm()->getString()) { throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to encrypt or determine the value of the CEK %s', $this->jwk->getAlgorithm()->getValue(), $this->header->getAlgorithm()->getString())); } $key_management_algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($this->header->getAlgorithm()->getString()); if (is_null($key_management_algorithm)) { throw new JWEUnsupportedKeyManagementAlgorithmException(sprintf('alg %s', $this->header->getAlgorithm()->getString())); } $content_encryption_algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($this->header->getEncryptionAlgorithm()->getString()); if (is_null($content_encryption_algorithm)) { throw new JWEUnsupportedContentEncryptionAlgorithmException(sprintf('enc %s', $this->header->getEncryptionAlgorithm()->getString())); } $this->cek = $this->decryptJWEEncryptedKey($key_management_algorithm); // We encrypt the payload and get the tag $jwt_shared_protected_header = JOSEHeaderSerializer::serialize($this->header); /** * Decrypt the JWE Cipher Text using the CEK, the JWE Initialization * Vector, the Additional Authenticated Data value, and the JWE * Authentication Tag (which is the Authentication Tag input to the * calculation) using the specified content encryption algorithm, * returning the decrypted plaintext and validating the JWE * Authentication Tag in the manner specified for the algorithm, * rejecting the input without emitting any decrypted output if the * JWE Authentication Tag is incorrect. */ $plain_text = $content_encryption_algorithm->decrypt($this->cipher_text, $this->cek->getEncoded(), $this->iv, $jwt_shared_protected_header, $this->tag); $zip = $this->header->getCompressionAlgorithm(); /** * If a "zip" parameter was included, uncompress the decrypted * plaintext using the specified compression algorithm. */ if (!is_null($zip)) { $compression__algorithm = CompressionAlgorithms_Registry::getInstance()->get($zip->getValue()); $plain_text = $compression__algorithm->uncompress($plain_text); } $this->setPayload(JWSPayloadFactory::build($plain_text)); $this->should_decrypt = false; return $this; }