protected function __construct(Key $secret, $headers = array())
{
if (empty($secret)) {
throw new InvalidOctetSequenceJWKException('secret is not set!.');
}
$this->set[JSONWebKeyParameters::KeyType] = new StringOrURI(JSONWebKeyTypes::OctetSequence);
parent::__construct($headers);
if (count($headers) === 0) {
return;
}
$b64 = new Base64UrlRepresentation();
$this->key = $secret;
$this->set[OctetSequenceKeysParameters::Key] = new StringOrURI($b64->encode($secret->getEncoded()));
}
/**
* @param Key $key
* @param string $message
* @param string $signature
* @return bool
* @throws InvalidKeyLengthAlgorithmException
* @throws InvalidKeyTypeAlgorithmException
*/
public function verify(Key $key, $message, $signature)
{
if (!$key instanceof RSAPublicKey) {
throw new InvalidKeyTypeAlgorithmException();
}
if ($this->getMinKeyLen() > $key->getBitLength()) {
throw new InvalidKeyLengthAlgorithmException(sprintf('min len %s - cur len %s.', $this->getMinKeyLen(), $key->getBitLength()));
}
$res = $this->rsa_impl->loadKey($key->getEncoded());
if (!$res) {
throw new InvalidKeyTypeAlgorithmException();
}
$this->rsa_impl->setHash($this->getHashingAlgorithm());
$this->rsa_impl->setMGFHash($this->getHashingAlgorithm());
$this->rsa_impl->setSignatureMode($this->getPaddingMode());
return $this->rsa_impl->verify($message, $signature);
}
/**
* @param Key $key
* @param string $enc_message
* @return string
* @throws InvalidKeyTypeAlgorithmException
*/
public function decrypt(Key $key, $enc_message)
{
if (!$key instanceof RSAPrivateKey) {
throw new InvalidKeyTypeAlgorithmException('key is not private');
}
if ($key->getFormat() !== 'PKCS1') {
throw new InvalidKeyTypeAlgorithmException('keys is not on PKCS1 format');
}
$res = $this->rsa_impl->loadKey($key->getEncoded());
if (!$res) {
throw new InvalidKeyTypeAlgorithmException('could not parse the key');
}
if ($this->rsa_impl->getSize() < $this->getMinKeyLen()) {
throw new InvalidKeyTypeAlgorithmException('len is invalid');
}
return $this->rsa_impl->decrypt($enc_message);
}
/**
* @return $this
* @throws InvalidJWKAlgorithm
* @throws InvalidKeyTypeAlgorithmException
* @throws JWEInvalidCompactFormatException
* @throws JWEInvalidRecipientKeyException
* @throws JWEUnsupportedContentEncryptionAlgorithmException
* @throws JWEUnsupportedKeyManagementAlgorithmException
* @throws \Exception
*/
private function decrypt()
{
if (is_null($this->jwk)) {
throw new JWEInvalidRecipientKeyException();
}
if (!$this->should_decrypt) {
return $this;
}
if ($this->jwk->getAlgorithm()->getValue() !== $this->header->getAlgorithm()->getString()) {
throw new InvalidJWKAlgorithm(sprintf('mismatch between algorithm intended for use with the key %s and the cryptographic algorithm used to encrypt or determine the value of the CEK %s', $this->jwk->getAlgorithm()->getValue(), $this->header->getAlgorithm()->getString()));
}
$key_management_algorithm = KeyManagementAlgorithms_Registry::getInstance()->get($this->header->getAlgorithm()->getString());
if (is_null($key_management_algorithm)) {
throw new JWEUnsupportedKeyManagementAlgorithmException(sprintf('alg %s', $this->header->getAlgorithm()->getString()));
}
$content_encryption_algorithm = ContentEncryptionAlgorithms_Registry::getInstance()->get($this->header->getEncryptionAlgorithm()->getString());
if (is_null($content_encryption_algorithm)) {
throw new JWEUnsupportedContentEncryptionAlgorithmException(sprintf('enc %s', $this->header->getEncryptionAlgorithm()->getString()));
}
$this->cek = $this->decryptJWEEncryptedKey($key_management_algorithm);
// We encrypt the payload and get the tag
$jwt_shared_protected_header = JOSEHeaderSerializer::serialize($this->header);
/**
* Decrypt the JWE Cipher Text using the CEK, the JWE Initialization
* Vector, the Additional Authenticated Data value, and the JWE
* Authentication Tag (which is the Authentication Tag input to the
* calculation) using the specified content encryption algorithm,
* returning the decrypted plaintext and validating the JWE
* Authentication Tag in the manner specified for the algorithm,
* rejecting the input without emitting any decrypted output if the
* JWE Authentication Tag is incorrect.
*/
$plain_text = $content_encryption_algorithm->decrypt($this->cipher_text, $this->cek->getEncoded(), $this->iv, $jwt_shared_protected_header, $this->tag);
$zip = $this->header->getCompressionAlgorithm();
/**
* If a "zip" parameter was included, uncompress the decrypted
* plaintext using the specified compression algorithm.
*/
if (!is_null($zip)) {
$compression__algorithm = CompressionAlgorithms_Registry::getInstance()->get($zip->getValue());
$plain_text = $compression__algorithm->uncompress($plain_text);
}
$this->setPayload(JWSPayloadFactory::build($plain_text));
$this->should_decrypt = false;
return $this;
}
