/**
 * Generates the salt input. The 8 octets are obtained from
 * {@link SimpleJWT\Util\Util::random_bytes()}, the library's random source.
 *
 * @return string 8 random octets to be used as the salt input
 */
protected function generateSaltInput() {
    $salt_input = Util::random_bytes(8);
    return $salt_input;
}
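/**
 * Encrypts the JWE.
 *
 * The `alg` and `enc` headers must already be set; they select the key
 * management and the content encryption algorithm respectively. If `$kid`
 * is given it is written into the protected header before the header is
 * serialised. For key-agreement-with-wrapping algorithms the agreed key is
 * added to `$keys` as a symmetric key, which is a side effect visible to
 * the caller. The serialised protected header is handed to the content
 * encryption algorithm together with the plaintext and CEK (presumably as
 * additional authenticated data).
 *
 * @param SimpleJWT\Keys\KeySet $keys the key set containing the key to encrypt the
 * content encryption key
 * @param string $kid the ID of the key to use to encrypt. If null, this
 * is automatically retrieved
 * @param string $format the JWE serialisation format
 * @return string the encrypted JWE
 * @throws \InvalidArgumentException if a required header is missing, the `zip`
 * header or `$format` is unsupported, or the headers cannot be JSON-encoded
 * @throws \RuntimeException if the plaintext cannot be compressed
 * @throws SimpleJWT\Keys\KeyException if there is an error obtaining the key
 * to sign the JWT
 * @throws SimpleJWT\Crypt\CryptException if there is a cryptographic error
 */
public function encrypt($keys, $kid = null, $format = self::COMPACT_FORMAT) {
    if (!isset($this->headers['alg'])) {
        throw new \InvalidArgumentException('alg parameter missing');
    }
    if (!isset($this->headers['enc'])) {
        throw new \InvalidArgumentException('enc parameter missing');
    }

    $key_enc = AlgorithmFactory::create($this->headers['alg']);
    $content_enc = AlgorithmFactory::create($this->headers['enc']);

    // Strict null check: only an absent key ID means "retrieve automatically",
    // matching the documented contract (a loose != would also skip '' and 0)
    if ($kid !== null) {
        $this->headers['kid'] = $kid;
    }

    $cek = null;

    if ($key_enc instanceof KeyDerivationAlgorithm) {
        $agreed_key = $key_enc->deriveKey($keys, $this->headers, $kid);

        if ($key_enc instanceof KeyEncryptionAlgorithm) {
            // Key agreement with wrapping: the agreed key is registered in $keys,
            // presumably so that encryptKey() below can look it up by alg
            $keys->add(new SymmetricKey(array(
                'kty' => SymmetricKey::KTY,
                'alg' => $this->headers['alg'],
                'k' => Util::base64url_encode($agreed_key)
            ), 'php'));
        } else {
            // Direct key agreement or direct encryption: the agreed key is the CEK
            $cek = $agreed_key;
        }
    }

    if ($cek === null) {
        // No key was agreed, so a fresh random CEK is drawn; getCEKSize() is in bits
        $cek = Util::random_bytes($content_enc->getCEKSize() / 8);
    }

    if ($key_enc instanceof KeyEncryptionAlgorithm) {
        $encrypted_key = $key_enc->encryptKey($cek, $keys, $this->headers, $kid);
    } else {
        // Direct modes carry no encrypted key: the compact segment is left empty
        $encrypted_key = '';
    }

    if (isset($this->headers['zip'])) {
        switch ($this->headers['zip']) {
            case 'DEF':
                $plaintext = gzdeflate($this->plaintext);
                // gzdeflate() signals failure by returning false, not by throwing
                if ($plaintext === false) {
                    throw new \RuntimeException('Unable to compress plaintext');
                }
                break;
            default:
                throw new \InvalidArgumentException('Unsupported zip header:' . $this->headers['zip']);
        }
    } else {
        $plaintext = $this->plaintext;
    }

    // json_encode() returns false (e.g. on invalid UTF-8 in a header value)
    // rather than throwing; encoding false would silently corrupt the header
    $header_json = json_encode($this->headers);
    if ($header_json === false) {
        throw new \InvalidArgumentException('Unable to encode headers');
    }
    $protected = Util::base64url_encode($header_json);

    $results = $content_enc->encryptAndSign($plaintext, $cek, $protected);
    $ciphertext = $results['ciphertext'];
    $iv = isset($results['iv']) ? $results['iv'] : '';
    $tag = $results['tag'];

    switch ($format) {
        case self::COMPACT_FORMAT:
            return $protected . '.' . $encrypted_key . '.' . $iv . '.' . $ciphertext . '.' . $tag;
        case self::JSON_FORMAT:
            $obj = array(
                'protected' => $protected,
                'ciphertext' => $ciphertext,
                'tag' => $tag,
                'encrypted_key' => $encrypted_key
            );
            // Compare against '' explicitly: a truthiness test would drop an IV of '0'
            if ($iv !== '') {
                $obj['iv'] = $iv;
            }
            return json_encode($obj);
        default:
            throw new \InvalidArgumentException('Incorrect format');
    }
}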
/**
 * Generates a seed for OAEP encoding, using {@link SimpleJWT\Util\Util::random_bytes()}
 * as the source of randomness.
 *
 * @param int $len the number of octets required
 * @return string `$len` random octets
 */
protected function generateSeed($len) {
    $seed = Util::random_bytes($len);
    return $seed;
}