Failed Conditions
Push — v7 ( a6a0be...79e5af )
by Florent
02:05
created

getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm()   A

Complexity

Conditions 1
Paths 1

Size

Total Lines 4
Code Lines 2

Duplication

Lines 0
Ratio 0 %

Importance

Changes 0
Metric Value
dl 0
loc 4
rs 10
c 0
b 0
f 0
cc 1
eloc 2
nc 1
nop 5
1
<?php
2
3
declare(strict_types=1);
4
5
/*
6
 * The MIT License (MIT)
7
 *
8
 * Copyright (c) 2014-2017 Spomky-Labs
9
 *
10
 * This software may be modified and distributed under the terms
11
 * of the MIT license.  See the LICENSE file for details.
12
 */
13
14
namespace Jose\Component\Encryption;
15
16
use Base64Url\Base64Url;
17
use Jose\Component\Core\JWAManager;
18
use Jose\Component\Core\JWK;
19
use Jose\Component\Core\KeyChecker;
20
use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithmInterface;
21
use Jose\Component\Encryption\Algorithm\KeyEncryption\DirectEncryptionInterface;
22
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreementInterface;
23
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreementWrappingInterface;
24
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyEncryptionInterface;
25
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyWrappingInterface;
26
use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithmInterface;
27
use Jose\Component\Encryption\Compression\CompressionInterface;
28
use Jose\Component\Encryption\Compression\CompressionMethodsManager;
29
30
final class JWEBuilder
31
{
32
    /**
33
     * @var mixed
34
     */
35
    private $payload;
36
37
    /**
38
     * @var string|null
39
     */
40
    private $aad;
41
42
    /**
43
     * @var Recipient[]
44
     */
45
    private $recipients = [];
46
47
    /**
48
     * @var JWAManager
49
     */
50
    private $keyEncryptionAlgorithmManager;
51
52
    /**
53
     * @var JWAManager
54
     */
55
    private $contentEncryptionAlgorithmManager;
56
57
    /**
58
     * @var CompressionMethodsManager
59
     */
60
    private $compressionManager;
61
62
    /**
63
     * @var array
64
     */
65
    private $sharedProtectedHeaders = [];
66
67
    /**
68
     * @var array
69
     */
70
    private $sharedHeaders = [];
71
72
    /**
73
     * @var null|CompressionInterface
74
     */
75
    private $compressionMethod = null;
76
77
    /**
78
     * @var null|ContentEncryptionAlgorithmInterface
79
     */
80
    private $contentEncryptionAlgorithm = null;
81
82
    /**
83
     * @var null|string
84
     */
85
    private $keyManagementMode = null;
86
87
    /**
88
     * JWEBuilder constructor.
89
     *
90
     * @param JWAManager                $keyEncryptionAlgorithmManager
91
     * @param JWAManager                $contentEncryptionAlgorithmManager
92
     * @param CompressionMethodsManager $compressionManager
93
     */
94
    public function __construct(JWAManager $keyEncryptionAlgorithmManager, JWAManager $contentEncryptionAlgorithmManager, CompressionMethodsManager $compressionManager)
95
    {
96
        $this->keyEncryptionAlgorithmManager = $keyEncryptionAlgorithmManager;
97
        $this->contentEncryptionAlgorithmManager = $contentEncryptionAlgorithmManager;
98
        $this->compressionManager = $compressionManager;
99
    }
100
101
    /**
102
     * @return string[]
103
     */
104
    public function getSupportedKeyEncryptionAlgorithms(): array
105
    {
106
        return $this->keyEncryptionAlgorithmManager->list();
107
    }
108
109
    /**
110
     * @return string[]
111
     */
112
    public function getSupportedContentEncryptionAlgorithms(): array
113
    {
114
        return $this->contentEncryptionAlgorithmManager->list();
115
    }
116
117
    /**
118
     * @return string[]
119
     */
120
    public function getSupportedCompressionMethods(): array
121
    {
122
        return $this->compressionManager->list();
123
    }
124
125
    /**
126
     * @param mixed $payload
127
     *
128
     * @return JWEBuilder
129
     */
130
    public function withPayload($payload): JWEBuilder
131
    {
132
        if (false === mb_detect_encoding($payload, 'UTF-8', true)) {
133
            throw new \InvalidArgumentException('The payload must be encoded in UTF-8');
134
        }
135
        $clone = clone $this;
136
        $clone->payload = $payload;
137
138
        return $clone;
139
    }
140
141
    /**
142
     * @param string|null $aad
143
     *
144
     * @return JWEBuilder
145
     */
146
    public function withAAD(?string $aad): JWEBuilder
147
    {
148
        $clone = clone $this;
149
        $clone->aad = $aad;
150
151
        return $clone;
152
    }
153
154
    /**
155
     * @param array $sharedProtectedHeaders
156
     *
157
     * @return JWEBuilder
158
     */
159
    public function withSharedProtectedHeaders(array $sharedProtectedHeaders): JWEBuilder
160
    {
161
        $this->checkDuplicatedHeaderParameters($sharedProtectedHeaders, $this->sharedHeaders);
162
        foreach ($this->recipients as $recipient) {
163
            $this->checkDuplicatedHeaderParameters($sharedProtectedHeaders, $recipient->getHeaders());
164
        }
165
        $clone = clone $this;
166
        $clone->sharedProtectedHeaders = $sharedProtectedHeaders;
167
168
        return $clone;
169
    }
170
171
    /**
172
     * @param array $sharedHeaders
173
     *
174
     * @return JWEBuilder
175
     */
176
    public function withSharedHeaders(array $sharedHeaders): JWEBuilder
177
    {
178
        $this->checkDuplicatedHeaderParameters($this->sharedProtectedHeaders, $sharedHeaders);
179
        foreach ($this->recipients as $recipient) {
180
            $this->checkDuplicatedHeaderParameters($sharedHeaders, $recipient->getHeaders());
181
        }
182
        $clone = clone $this;
183
        $clone->sharedHeaders = $sharedHeaders;
184
185
        return $clone;
186
    }
187
188
    /**
189
     * @param JWK   $recipientKey
190
     * @param array $recipientHeaders
191
     *
192
     * @return JWEBuilder
193
     */
194
    public function addRecipient(JWK $recipientKey, array $recipientHeaders = []): JWEBuilder
195
    {
196
        $this->checkDuplicatedHeaderParameters($this->sharedProtectedHeaders, $recipientHeaders);
197
        $this->checkDuplicatedHeaderParameters($this->sharedHeaders, $recipientHeaders);
198
        $clone = clone $this;
199
        $completeHeaders = array_merge($clone->sharedHeaders, $recipientHeaders, $clone->sharedProtectedHeaders);
200
        $clone->checkAndSetContentEncryptionAlgorithm($completeHeaders);
201
        $keyEncryptionAlgorithm = $clone->getKeyEncryptionAlgorithm($completeHeaders);
202
        if (null === $clone->keyManagementMode) {
203
            $clone->keyManagementMode = $keyEncryptionAlgorithm->getKeyManagementMode();
204
        } else {
205
            if (!$clone->areKeyManagementModesCompatible($clone->keyManagementMode, $keyEncryptionAlgorithm->getKeyManagementMode())) {
206
                throw new \InvalidArgumentException('Foreign key management mode forbidden.');
207
            }
208
        }
209
210
        $compressionMethod = $clone->getCompressionMethod($completeHeaders);
211
        if (null !== $compressionMethod) {
212
            if (null === $clone->compressionMethod) {
213
                $clone->compressionMethod = $compressionMethod;
214
            } elseif ($clone->compressionMethod->name() !== $compressionMethod->name()) {
215
                throw new \InvalidArgumentException('Incompatible compression method.');
216
            }
217
        }
218
        if (null === $compressionMethod && null !== $clone->compressionMethod) {
219
            throw new \InvalidArgumentException('Inconsistent compression method.');
220
        }
221
        $clone->checkKey($keyEncryptionAlgorithm, $recipientKey);
222
        $clone->recipients[] = [
223
            'key' => $recipientKey,
224
            'headers' => $recipientHeaders,
225
            'key_encryption_algorithm' => $keyEncryptionAlgorithm,
226
        ];
227
228
        return $clone;
229
    }
230
231
    /**
232
     * @return JWE
233
     */
234
    public function build(): JWE
235
    {
236
        if (0 === count($this->recipients)) {
237
            throw new \LogicException('No recipient.');
238
        }
239
240
        $additionalHeaders = [];
241
        $cek = $this->determineCEK($additionalHeaders);
242
243
        $recipients = [];
244
        foreach ($this->recipients as $recipient) {
245
            $recipient = $this->processRecipient($recipient, $cek, $additionalHeaders);
0 ignored issues
show
Documentation introduced by
$recipient is of type object<Jose\Component\Encryption\Recipient>, but the function expects a array.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
246
            $recipients[] = $recipient;
247
        }
248
249
        if (!empty($additionalHeaders) && 1 === count($this->recipients)) {
250
            $sharedProtectedHeaders = array_merge($additionalHeaders, $this->sharedProtectedHeaders);
251
        } else {
252
            $sharedProtectedHeaders = $this->sharedProtectedHeaders;
253
        }
254
        $encodedSharedProtectedHeaders = empty($sharedProtectedHeaders) ? '' : Base64Url::encode(json_encode($sharedProtectedHeaders));
255
256
        list($ciphertext, $iv, $tag) = $this->encryptJWE($cek, $encodedSharedProtectedHeaders);
257
258
        return JWE::create($ciphertext, $iv, $this->aad, $tag, $this->sharedHeaders, $sharedProtectedHeaders, $encodedSharedProtectedHeaders, $recipients);
259
    }
260
261
    /**
262
     * @param array $completeHeaders
263
     */
264
    private function checkAndSetContentEncryptionAlgorithm(array $completeHeaders): void
265
    {
266
        $contentEncryptionAlgorithm = $this->getContentEncryptionAlgorithm($completeHeaders);
267
        if (null === $this->contentEncryptionAlgorithm) {
268
            $this->contentEncryptionAlgorithm = $contentEncryptionAlgorithm;
269
        } elseif ($contentEncryptionAlgorithm->name() !== $this->contentEncryptionAlgorithm->name()) {
270
            throw new \InvalidArgumentException('Inconsistent content encryption algorithm');
271
        }
272
    }
273
274
    /**
275
     * @param array  $recipient
276
     * @param string $cek
277
     * @param array  $additionalHeaders
278
     *
279
     * @return Recipient
280
     */
281
    private function processRecipient(array $recipient, string $cek, array &$additionalHeaders): Recipient
282
    {
283
        $completeHeaders = array_merge($this->sharedHeaders, $recipient['headers'], $this->sharedProtectedHeaders);
284
        /** @var KeyEncryptionAlgorithmInterface $keyEncryptionAlgorithm */
285
        $keyEncryptionAlgorithm = $recipient['key_encryption_algorithm'];
286
        $encryptedContentEncryptionKey = $this->getEncryptedKey($completeHeaders, $cek, $keyEncryptionAlgorithm, $additionalHeaders, $recipient['key']);
287
        $recipientHeaders = $recipient['headers'];
288
        if (!empty($additionalHeaders) && 1 !== count($this->recipients)) {
289
            $recipientHeaders = array_merge($recipientHeaders, $additionalHeaders);
290
            $additionalHeaders = [];
291
        }
292
293
        return Recipient::create($recipientHeaders, $encryptedContentEncryptionKey);
294
    }
295
296
    /**
297
     * @param string $cek
298
     * @param string $encodedSharedProtectedHeaders
299
     *
300
     * @return array
301
     */
302
    private function encryptJWE(string $cek, string $encodedSharedProtectedHeaders): array
303
    {
304
        $tag = null;
305
        $iv_size = $this->contentEncryptionAlgorithm->getIVSize();
306
        $iv = $this->createIV($iv_size);
307
        $payload = $this->preparePayload();
308
        $aad = $this->aad ? Base64Url::encode($this->aad) : null;
309
        $ciphertext = $this->contentEncryptionAlgorithm->encryptContent($payload, $cek, $iv, $aad, $encodedSharedProtectedHeaders, $tag);
310
311
        return [$ciphertext, $iv, $tag];
312
    }
313
314
    /**
315
     * @return string
316
     */
317
    private function preparePayload(): ?string
318
    {
319
        $prepared = is_string($this->payload) ? $this->payload : json_encode($this->payload);
320
        if (null === $prepared) {
321
            throw new \RuntimeException('The payload is empty or cannot encoded into JSON.');
322
        }
323
324
        if (null === $this->compressionMethod) {
325
            return $prepared;
326
        }
327
        $compressedPayload = $this->compressionMethod->compress($prepared);
328
        if (null === $compressedPayload) {
329
            throw new \RuntimeException('The payload cannot be compressed.');
330
        }
331
332
        return $compressedPayload;
333
    }
334
335
    /**
336
     * @param array                           $completeHeaders
337
     * @param string                          $cek
338
     * @param KeyEncryptionAlgorithmInterface $keyEncryptionAlgorithm
339
     * @param JWK                             $recipientKey
340
     * @param array                           $additionalHeaders
341
     *
342
     * @return string|null
343
     */
344
    private function getEncryptedKey(array $completeHeaders, string $cek, KeyEncryptionAlgorithmInterface $keyEncryptionAlgorithm, array &$additionalHeaders, JWK $recipientKey): ?string
345
    {
346
        if ($keyEncryptionAlgorithm instanceof KeyEncryptionInterface) {
347
            return $this->getEncryptedKeyFromKeyEncryptionAlgorithm($completeHeaders, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeaders);
348
        } elseif ($keyEncryptionAlgorithm instanceof KeyWrappingInterface) {
349
            return $this->getEncryptedKeyFromKeyWrappingAlgorithm($completeHeaders, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeaders);
350
        } elseif ($keyEncryptionAlgorithm instanceof KeyAgreementWrappingInterface) {
351
            return $this->getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm($completeHeaders, $cek, $keyEncryptionAlgorithm, $additionalHeaders, $recipientKey);
352
        } elseif ($keyEncryptionAlgorithm instanceof KeyAgreementInterface) {
353
            return null;
354
        } elseif ($keyEncryptionAlgorithm instanceof DirectEncryptionInterface) {
355
            return null;
356
        }
357
358
        throw new \InvalidArgumentException('Unsupported key encryption algorithm.');
359
    }
360
361
    /**
362
     * @param array                         $completeHeaders
363
     * @param string                        $cek
364
     * @param KeyAgreementWrappingInterface $keyEncryptionAlgorithm
365
     * @param array                         $additionalHeaders
366
     * @param JWK                           $recipientKey
367
     *
368
     * @return string
369
     */
370
    private function getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm(array $completeHeaders, string $cek, KeyAgreementWrappingInterface $keyEncryptionAlgorithm, array &$additionalHeaders, JWK $recipientKey): string
371
    {
372
        return $keyEncryptionAlgorithm->wrapAgreementKey($recipientKey, $cek, $this->contentEncryptionAlgorithm->getCEKSize(), $completeHeaders, $additionalHeaders);
373
    }
374
375
    /**
376
     * @param array                  $completeHeaders
377
     * @param string                 $cek
378
     * @param KeyEncryptionInterface $keyEncryptionAlgorithm
379
     * @param JWK                    $recipientKey
380
     * @param array                  $additionalHeaders
381
     *
382
     * @return string
383
     */
384
    private function getEncryptedKeyFromKeyEncryptionAlgorithm(array $completeHeaders, string $cek, KeyEncryptionInterface $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeaders): string
385
    {
386
        return $keyEncryptionAlgorithm->encryptKey($recipientKey, $cek, $completeHeaders, $additionalHeaders);
387
    }
388
389
    /**
390
     * @param array                $completeHeaders
391
     * @param string               $cek
392
     * @param KeyWrappingInterface $keyEncryptionAlgorithm
393
     * @param JWK                  $recipientKey
394
     * @param array                $additionalHeaders
395
     *
396
     * @return string
397
     */
398
    private function getEncryptedKeyFromKeyWrappingAlgorithm(array $completeHeaders, string $cek, KeyWrappingInterface $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeaders): string
399
    {
400
        return $keyEncryptionAlgorithm->wrapKey($recipientKey, $cek, $completeHeaders, $additionalHeaders);
401
    }
402
403
    /**
404
     * @param KeyEncryptionAlgorithmInterface $keyEncryptionAlgorithm
405
     * @param JWK                             $recipientKey
406
     */
407
    private function checkKey(KeyEncryptionAlgorithmInterface $keyEncryptionAlgorithm, JWK $recipientKey)
408
    {
409
        KeyChecker::checkKeyUsage($recipientKey, 'encryption');
410
        if ('dir' !== $keyEncryptionAlgorithm->name()) {
411
            KeyChecker::checkKeyAlgorithm($recipientKey, $keyEncryptionAlgorithm->name());
412
        } else {
413
            KeyChecker::checkKeyAlgorithm($recipientKey, $this->contentEncryptionAlgorithm->name());
414
        }
415
    }
416
417
    /**
418
     * @param array $additionalHeaders
419
     *
420
     * @return string
421
     */
422
    private function determineCEK(array &$additionalHeaders): string
423
    {
424
        switch ($this->keyManagementMode) {
425
            case KeyEncryptionInterface::MODE_ENCRYPT:
426
            case KeyEncryptionInterface::MODE_WRAP:
427
                return $this->createCEK($this->contentEncryptionAlgorithm->getCEKSize());
428
            case KeyEncryptionInterface::MODE_AGREEMENT:
429
                if (1 !== count($this->recipients)) {
430
                    throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
431
                }
432
                /** @var JWK $key */
433
                $key = $this->recipients[0]['key'];
434
                /** @var KeyAgreementInterface $algorithm */
435
                $algorithm = $this->recipients[0]['key_encryption_algorithm'];
436
                $completeHeaders = array_merge($this->sharedHeaders, $this->recipients[0]['headers'], $this->sharedProtectedHeaders);
437
438
                return $algorithm->getAgreementKey($this->contentEncryptionAlgorithm->getCEKSize(), $this->contentEncryptionAlgorithm->name(), $key, $completeHeaders, $additionalHeaders);
439
            case KeyEncryptionInterface::MODE_DIRECT:
440
                if (1 !== count($this->recipients)) {
441
                    throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
442
                }
443
                /** @var JWK $key */
444
                $key = $this->recipients[0]['key'];
445
                if ('oct' !== $key->get('kty')) {
446
                    throw new \RuntimeException('Wrong key type.');
447
                }
448
449
                return Base64Url::decode($key->get('k'));
450
            default:
451
                throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $this->keyManagementMode));
452
        }
453
    }
454
455
    /**
456
     * @param array $completeHeaders
457
     *
458
     * @return CompressionInterface|null
459
     */
460
    private function getCompressionMethod(array $completeHeaders): ?CompressionInterface
461
    {
462
        if (!array_key_exists('zip', $completeHeaders)) {
463
            return null;
464
        }
465
466
        return $this->compressionManager->get($completeHeaders['zip']);
467
    }
468
469
    /**
470
     * @param string $current
471
     * @param string $new
472
     *
473
     * @return bool
474
     */
475
    private function areKeyManagementModesCompatible(string $current, string $new): bool
476
    {
477
        $agree = KeyEncryptionAlgorithmInterface::MODE_AGREEMENT;
478
        $dir = KeyEncryptionAlgorithmInterface::MODE_DIRECT;
479
        $enc = KeyEncryptionAlgorithmInterface::MODE_ENCRYPT;
480
        $wrap = KeyEncryptionAlgorithmInterface::MODE_WRAP;
481
        $supportedKeyManagementModeCombinations = [$enc.$enc => true, $enc.$wrap => true, $wrap.$enc => true, $wrap.$wrap => true, $agree.$agree => false, $agree.$dir => false, $agree.$enc => false, $agree.$wrap => false, $dir.$agree => false, $dir.$dir => false, $dir.$enc => false, $dir.$wrap => false, $enc.$agree => false, $enc.$dir => false, $wrap.$agree => false, $wrap.$dir => false];
482
483
        if (array_key_exists($current.$new, $supportedKeyManagementModeCombinations)) {
484
            return $supportedKeyManagementModeCombinations[$current.$new];
485
        }
486
487
        return false;
488
    }
489
490
    /**
491
     * @param int $size
492
     *
493
     * @return string
494
     */
495
    private function createCEK(int $size): string
496
    {
497
        return random_bytes($size / 8);
498
    }
499
500
    /**
501
     * @param int $size
502
     *
503
     * @return string
504
     */
505
    private function createIV(int $size): string
506
    {
507
        return random_bytes($size / 8);
508
    }
509
510
    /**
511
     * @param array $completeHeaders
512
     *
513
     * @return KeyEncryptionAlgorithmInterface
514
     */
515
    private function getKeyEncryptionAlgorithm(array $completeHeaders): KeyEncryptionAlgorithmInterface
516
    {
517
        if (!array_key_exists('alg', $completeHeaders)) {
518
            throw new \InvalidArgumentException('Parameter "alg" is missing.');
519
        }
520
        $keyEncryptionAlgorithm = $this->keyEncryptionAlgorithmManager->get($completeHeaders['alg']);
521
        if (!$keyEncryptionAlgorithm instanceof KeyEncryptionAlgorithmInterface) {
522
            throw new \InvalidArgumentException(sprintf('The key encryption algorithm "%s" is not supported or not a key encryption algorithm instance.', $completeHeaders['alg']));
523
        }
524
525
        return $keyEncryptionAlgorithm;
526
    }
527
528
    /**
529
     * @param array $completeHeaders
530
     *
531
     * @return ContentEncryptionAlgorithmInterface
532
     */
533
    private function getContentEncryptionAlgorithm(array $completeHeaders): ContentEncryptionAlgorithmInterface
534
    {
535
        if (!array_key_exists('enc', $completeHeaders)) {
536
            throw new \InvalidArgumentException('Parameter "enc" is missing.');
537
        }
538
        $contentEncryptionAlgorithm = $this->contentEncryptionAlgorithmManager->get($completeHeaders['enc']);
539
        if (!$contentEncryptionAlgorithm instanceof ContentEncryptionAlgorithmInterface) {
540
            throw new \InvalidArgumentException(sprintf('The content encryption algorithm "%s" is not supported or not a content encryption algorithm instance.', $completeHeaders['alg']));
541
        }
542
543
        return $contentEncryptionAlgorithm;
544
    }
545
546
    /**
547
     * @param array $header1
548
     * @param array $header2
549
     */
550
    private function checkDuplicatedHeaderParameters(array $header1, array $header2)
551
    {
552
        $inter = array_intersect_key($header1, $header2);
553
        if (!empty($inter)) {
554
            throw new \InvalidArgumentException(sprintf('The header contains duplicated entries: %s.', json_encode(array_keys($inter))));
555
        }
556
    }
557
}
558