sop / jwx

lib/JWX/JWE/KeyManagementAlgorithm.php

Indentation +115 added lines, -115 removed lines

@@ -17,127 +17,127 @@
  */
 abstract class KeyManagementAlgorithm implements AlgorithmParameterValue, HeaderParameters
 {
-    /**
-     * ID of the key used by the algorithm.
-     *
-     * If set, KeyID parameter shall be automatically inserted into JWE's
-     * header.
-     *
-     * @var null|string
-     */
-    protected $_keyID;
+	/**
+	 * ID of the key used by the algorithm.
+	 *
+	 * If set, KeyID parameter shall be automatically inserted into JWE's
+	 * header.
+	 *
+	 * @var null|string
+	 */
+	protected $_keyID;
 
-    /**
-     * Encrypt a key to be inserted into JWE header.
-     *
-     * @param string      $cek    Content encryption key
-     * @param null|Header $header Optional reference to the Header variable,
-     *                            which may be updated to contain parameters
-     *                            specific to this encrypt invocation.
-     *                            If the variable is referenced, but is a null,
-     *                            it shall be initialized to an empty Header.
-     *
-     * @throws \RuntimeException For generic errors
-     *
-     * @return string Encrypted key
-     */
-    final public function encrypt(string $cek, Header &$header = null): string
-    {
-        if (!isset($header)) {
-            $header = new Header();
-        }
-        return $this->_encryptKey($cek, $header);
-    }
+	/**
+	 * Encrypt a key to be inserted into JWE header.
+	 *
+	 * @param string      $cek    Content encryption key
+	 * @param null|Header $header Optional reference to the Header variable,
+	 *                            which may be updated to contain parameters
+	 *                            specific to this encrypt invocation.
+	 *                            If the variable is referenced, but is a null,
+	 *                            it shall be initialized to an empty Header.
+	 *
+	 * @throws \RuntimeException For generic errors
+	 *
+	 * @return string Encrypted key
+	 */
+	final public function encrypt(string $cek, Header &$header = null): string
+	{
+		if (!isset($header)) {
+			$header = new Header();
+		}
+		return $this->_encryptKey($cek, $header);
+	}
 
-    /**
-     * Decrypt a CEK from the encrypted data.
-     *
-     * @param string      $data   Encrypted key
-     * @param null|Header $header Optional header containing parameters
-     *                            required to decrypt the key
-     *
-     * @throws \RuntimeException For generic errors
-     *
-     * @return string Content encryption key
-     */
-    final public function decrypt(string $data, ?Header $header = null): string
-    {
-        if (!isset($header)) {
-            $header = new Header();
-        }
-        return $this->_decryptKey($data, $header);
-    }
+	/**
+	 * Decrypt a CEK from the encrypted data.
+	 *
+	 * @param string      $data   Encrypted key
+	 * @param null|Header $header Optional header containing parameters
+	 *                            required to decrypt the key
+	 *
+	 * @throws \RuntimeException For generic errors
+	 *
+	 * @return string Content encryption key
+	 */
+	final public function decrypt(string $data, ?Header $header = null): string
+	{
+		if (!isset($header)) {
+			$header = new Header();
+		}
+		return $this->_decryptKey($data, $header);
+	}
 
-    /**
-     * Get content encryption key for the encryption.
-     *
-     * Returned key may be random depending on the key management algorithm.
-     *
-     * @param int $length Required key size in bytes
-     *
-     * @return string
-     */
-    abstract public function cekForEncryption(int $length): string;
+	/**
+	 * Get content encryption key for the encryption.
+	 *
+	 * Returned key may be random depending on the key management algorithm.
+	 *
+	 * @param int $length Required key size in bytes
+	 *
+	 * @return string
+	 */
+	abstract public function cekForEncryption(int $length): string;
 
-    /**
-     * Initialize key management algorithm from a JWK and a header.
-     *
-     * @param JWK    $jwk
-     * @param Header $header
-     *
-     * @return KeyManagementAlgorithm
-     */
-    public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
-    {
-        $factory = new KeyAlgorithmFactory($header);
-        return $factory->algoByKey($jwk);
-    }
+	/**
+	 * Initialize key management algorithm from a JWK and a header.
+	 *
+	 * @param JWK    $jwk
+	 * @param Header $header
+	 *
+	 * @return KeyManagementAlgorithm
+	 */
+	public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
+	{
+		$factory = new KeyAlgorithmFactory($header);
+		return $factory->algoByKey($jwk);
+	}
 
-    /**
-     * Get self with key ID.
-     *
-     * @param null|string $id Key ID or null to remove
-     *
-     * @return self
-     */
-    public function withKeyID(?string $id): self
-    {
-        $obj = clone $this;
-        $obj->_keyID = $id;
-        return $obj;
-    }
+	/**
+	 * Get self with key ID.
+	 *
+	 * @param null|string $id Key ID or null to remove
+	 *
+	 * @return self
+	 */
+	public function withKeyID(?string $id): self
+	{
+		$obj = clone $this;
+		$obj->_keyID = $id;
+		return $obj;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    public function headerParameters(): array
-    {
-        $params = [];
-        if (isset($this->_keyID)) {
-            $params[] = new KeyIDParameter($this->_keyID);
-        }
-        return $params;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function headerParameters(): array
+	{
+		$params = [];
+		if (isset($this->_keyID)) {
+			$params[] = new KeyIDParameter($this->_keyID);
+		}
+		return $params;
+	}
 
-    /**
-     * Encrypt a key.
-     *
-     * @param string $key    Key to be encrypted
-     * @param Header $header Reference to the Header variable, that shall
-     *                       be updated to contain parameters specific to the encryption
-     *
-     * @return string Ciphertext
-     */
-    abstract protected function _encryptKey(string $key, Header &$header): string;
+	/**
+	 * Encrypt a key.
+	 *
+	 * @param string $key    Key to be encrypted
+	 * @param Header $header Reference to the Header variable, that shall
+	 *                       be updated to contain parameters specific to the encryption
+	 *
+	 * @return string Ciphertext
+	 */
+	abstract protected function _encryptKey(string $key, Header &$header): string;
 
-    /**
-     * Decrypt a key.
-     *
-     * @param string $ciphertext Ciphertext of the encrypted key
-     * @param Header $header     Header possibly containing encoding specific
-     *                           parameters
-     *
-     * @return string Plaintext key
-     */
-    abstract protected function _decryptKey(string $ciphertext, Header $header): string;
+	/**
+	 * Decrypt a key.
+	 *
+	 * @param string $ciphertext Ciphertext of the encrypted key
+	 * @param Header $header     Header possibly containing encoding specific
+	 *                           parameters
+	 *
+	 * @return string Plaintext key
+	 */
+	abstract protected function _decryptKey(string $ciphertext, Header $header): string;
 }

lib/JWX/JWE/ContentEncryptionAlgorithm.php

Indentation +37 added lines, -37 removed lines

@@ -12,44 +12,44 @@
  */
 interface ContentEncryptionAlgorithm extends EncryptionAlgorithmParameterValue, HeaderParameters
 {
-    /**
-     * Encrypt plaintext.
-     *
-     * @param string $plaintext Data to encrypt
-     * @param string $key       Encryption key
-     * @param string $iv        Initialization vector
-     * @param string $aad       Additional authenticated data
-     *
-     * @return array Tuple of ciphertext and authentication tag
-     */
-    public function encrypt(string $plaintext, string $key, string $iv,
-        string $aad): array;
+	/**
+	 * Encrypt plaintext.
+	 *
+	 * @param string $plaintext Data to encrypt
+	 * @param string $key       Encryption key
+	 * @param string $iv        Initialization vector
+	 * @param string $aad       Additional authenticated data
+	 *
+	 * @return array Tuple of ciphertext and authentication tag
+	 */
+	public function encrypt(string $plaintext, string $key, string $iv,
+		string $aad): array;
 
-    /**
-     * Decrypt ciphertext.
-     *
-     * @param string $ciphertext Data to decrypt
-     * @param string $key        Encryption key
-     * @param string $iv         Initialization vector
-     * @param string $aad        Additional authenticated data
-     * @param string $auth_tag   Authentication tag to compare
-     *
-     * @return string Plaintext
-     */
-    public function decrypt(string $ciphertext, string $key, string $iv,
-        string $aad, string $auth_tag): string;
+	/**
+	 * Decrypt ciphertext.
+	 *
+	 * @param string $ciphertext Data to decrypt
+	 * @param string $key        Encryption key
+	 * @param string $iv         Initialization vector
+	 * @param string $aad        Additional authenticated data
+	 * @param string $auth_tag   Authentication tag to compare
+	 *
+	 * @return string Plaintext
+	 */
+	public function decrypt(string $ciphertext, string $key, string $iv,
+		string $aad, string $auth_tag): string;
 
-    /**
-     * Get the required key size in bytes.
-     *
-     * @return int
-     */
-    public function keySize(): int;
+	/**
+	 * Get the required key size in bytes.
+	 *
+	 * @return int
+	 */
+	public function keySize(): int;
 
-    /**
-     * Get the required IV size in bytes.
-     *
-     * @return int
-     */
-    public function ivSize(): int;
+	/**
+	 * Get the required IV size in bytes.
+	 *
+	 * @return int
+	 */
+	public function ivSize(): int;
 }

lib/JWX/JWE/KeyAlgorithm/PBES2Algorithm.php

Indentation +195 added lines, -195 removed lines

@@ -22,199 +22,199 @@
  */
 abstract class PBES2Algorithm extends KeyManagementAlgorithm
 {
-    use RandomCEK;
-
-    /**
-     * Mapping from algorithm name to class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_ALGO_TO_CLASS = [
-        JWA::ALGO_PBES2_HS256_A128KW => PBES2HS256A128KWAlgorithm::class,
-        JWA::ALGO_PBES2_HS384_A192KW => PBES2HS384A192KWAlgorithm::class,
-        JWA::ALGO_PBES2_HS512_A256KW => PBES2HS512A256KWAlgorithm::class,
-    ];
-
-    /**
-     * Password.
-     *
-     * @var string
-     */
-    protected $_password;
-
-    /**
-     * Salt input.
-     *
-     * @var string
-     */
-    protected $_saltInput;
-
-    /**
-     * Iteration count.
-     *
-     * @var int
-     */
-    protected $_count;
-
-    /**
-     * Derived key.
-     *
-     * @var string
-     */
-    private $_derivedKey;
-
-    /**
-     * Constructor.
-     *
-     * @param string $password   Password
-     * @param string $salt_input Salt input
-     * @param int    $count      Iteration count
-     */
-    public function __construct(string $password, string $salt_input, int $count)
-    {
-        $this->_password = $password;
-        $this->_saltInput = $salt_input;
-        $this->_count = $count;
-    }
-
-    /**
-     * Initialize from JWK.
-     *
-     * @param JWK    $jwk
-     * @param Header $header
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
-    {
-        $jwk = SymmetricKeyJWK::fromJWK($jwk);
-        if (!$header->hasPBES2SaltInput()) {
-            throw new \UnexpectedValueException('No salt input.');
-        }
-        $salt_input = $header->PBES2SaltInput()->saltInput();
-        if (!$header->hasPBES2Count()) {
-            throw new \UnexpectedValueException('No iteration count.');
-        }
-        $count = $header->PBES2Count()->value();
-        $alg = JWA::deriveAlgorithmName($header, $jwk);
-        if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
-            throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
-        }
-        $cls = self::MAP_ALGO_TO_CLASS[$alg];
-        return new $cls($jwk->key(), $salt_input, $count);
-    }
-
-    /**
-     * Initialize from a password with random salt and default iteration count.
-     *
-     * @param string $password   Password
-     * @param int    $count      Optional user defined iteration count
-     * @param int    $salt_bytes Optional user defined salt length
-     *
-     * @return self
-     */
-    public static function fromPassword(string $password, int $count = 64000,
-        int $salt_bytes = 8): self
-    {
-        $salt_input = openssl_random_pseudo_bytes($salt_bytes);
-        return new static($password, $salt_input, $count);
-    }
-
-    /**
-     * Get salt input.
-     *
-     * @return string
-     */
-    public function saltInput(): string
-    {
-        return $this->_saltInput;
-    }
-
-    /**
-     * Get computed salt.
-     *
-     * @return string
-     */
-    public function salt(): string
-    {
-        return PBES2SaltInputParameter::fromString($this->_saltInput)->salt(
-            AlgorithmParameter::fromAlgorithm($this));
-    }
-
-    /**
-     * Get iteration count.
-     *
-     * @return int
-     */
-    public function iterationCount(): int
-    {
-        return $this->_count;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function headerParameters(): array
-    {
-        return array_merge(parent::headerParameters(),
-            [AlgorithmParameter::fromAlgorithm($this),
-                PBES2SaltInputParameter::fromString($this->_saltInput),
-                new PBES2CountParameter($this->_count), ]);
-    }
-
-    /**
-     * Get hash algorithm for hash_pbkdf2.
-     *
-     * @return string
-     */
-    abstract protected function _hashAlgo(): string;
-
-    /**
-     * Get derived key length.
-     *
-     * @return int
-     */
-    abstract protected function _keyLength(): int;
-
-    /**
-     * Get key wrapping algoritym.
-     *
-     * @return AESKeyWrapAlgorithm
-     */
-    abstract protected function _kwAlgo(): AESKeyWrapAlgorithm;
-
-    /**
-     * Get derived key.
-     *
-     * @return string
-     */
-    protected function _derivedKey(): string
-    {
-        if (!isset($this->_derivedKey)) {
-            $this->_derivedKey = hash_pbkdf2($this->_hashAlgo(),
-                $this->_password, $this->salt(), $this->_count,
-                $this->_keyLength(), true);
-        }
-        return $this->_derivedKey;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _encryptKey(string $key, Header &$header): string
-    {
-        return $this->_kwAlgo()->wrap($key, $this->_derivedKey());
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _decryptKey(string $ciphertext, Header $header): string
-    {
-        return $this->_kwAlgo()->unwrap($ciphertext, $this->_derivedKey());
-    }
+	use RandomCEK;
+
+	/**
+	 * Mapping from algorithm name to class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_ALGO_TO_CLASS = [
+		JWA::ALGO_PBES2_HS256_A128KW => PBES2HS256A128KWAlgorithm::class,
+		JWA::ALGO_PBES2_HS384_A192KW => PBES2HS384A192KWAlgorithm::class,
+		JWA::ALGO_PBES2_HS512_A256KW => PBES2HS512A256KWAlgorithm::class,
+	];
+
+	/**
+	 * Password.
+	 *
+	 * @var string
+	 */
+	protected $_password;
+
+	/**
+	 * Salt input.
+	 *
+	 * @var string
+	 */
+	protected $_saltInput;
+
+	/**
+	 * Iteration count.
+	 *
+	 * @var int
+	 */
+	protected $_count;
+
+	/**
+	 * Derived key.
+	 *
+	 * @var string
+	 */
+	private $_derivedKey;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $password   Password
+	 * @param string $salt_input Salt input
+	 * @param int    $count      Iteration count
+	 */
+	public function __construct(string $password, string $salt_input, int $count)
+	{
+		$this->_password = $password;
+		$this->_saltInput = $salt_input;
+		$this->_count = $count;
+	}
+
+	/**
+	 * Initialize from JWK.
+	 *
+	 * @param JWK    $jwk
+	 * @param Header $header
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
+	{
+		$jwk = SymmetricKeyJWK::fromJWK($jwk);
+		if (!$header->hasPBES2SaltInput()) {
+			throw new \UnexpectedValueException('No salt input.');
+		}
+		$salt_input = $header->PBES2SaltInput()->saltInput();
+		if (!$header->hasPBES2Count()) {
+			throw new \UnexpectedValueException('No iteration count.');
+		}
+		$count = $header->PBES2Count()->value();
+		$alg = JWA::deriveAlgorithmName($header, $jwk);
+		if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
+			throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
+		}
+		$cls = self::MAP_ALGO_TO_CLASS[$alg];
+		return new $cls($jwk->key(), $salt_input, $count);
+	}
+
+	/**
+	 * Initialize from a password with random salt and default iteration count.
+	 *
+	 * @param string $password   Password
+	 * @param int    $count      Optional user defined iteration count
+	 * @param int    $salt_bytes Optional user defined salt length
+	 *
+	 * @return self
+	 */
+	public static function fromPassword(string $password, int $count = 64000,
+		int $salt_bytes = 8): self
+	{
+		$salt_input = openssl_random_pseudo_bytes($salt_bytes);
+		return new static($password, $salt_input, $count);
+	}
+
+	/**
+	 * Get salt input.
+	 *
+	 * @return string
+	 */
+	public function saltInput(): string
+	{
+		return $this->_saltInput;
+	}
+
+	/**
+	 * Get computed salt.
+	 *
+	 * @return string
+	 */
+	public function salt(): string
+	{
+		return PBES2SaltInputParameter::fromString($this->_saltInput)->salt(
+			AlgorithmParameter::fromAlgorithm($this));
+	}
+
+	/**
+	 * Get iteration count.
+	 *
+	 * @return int
+	 */
+	public function iterationCount(): int
+	{
+		return $this->_count;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function headerParameters(): array
+	{
+		return array_merge(parent::headerParameters(),
+			[AlgorithmParameter::fromAlgorithm($this),
+				PBES2SaltInputParameter::fromString($this->_saltInput),
+				new PBES2CountParameter($this->_count), ]);
+	}
+
+	/**
+	 * Get hash algorithm for hash_pbkdf2.
+	 *
+	 * @return string
+	 */
+	abstract protected function _hashAlgo(): string;
+
+	/**
+	 * Get derived key length.
+	 *
+	 * @return int
+	 */
+	abstract protected function _keyLength(): int;
+
+	/**
+	 * Get key wrapping algoritym.
+	 *
+	 * @return AESKeyWrapAlgorithm
+	 */
+	abstract protected function _kwAlgo(): AESKeyWrapAlgorithm;
+
+	/**
+	 * Get derived key.
+	 *
+	 * @return string
+	 */
+	protected function _derivedKey(): string
+	{
+		if (!isset($this->_derivedKey)) {
+			$this->_derivedKey = hash_pbkdf2($this->_hashAlgo(),
+				$this->_password, $this->salt(), $this->_count,
+				$this->_keyLength(), true);
+		}
+		return $this->_derivedKey;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _encryptKey(string $key, Header &$header): string
+	{
+		return $this->_kwAlgo()->wrap($key, $this->_derivedKey());
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _decryptKey(string $ciphertext, Header $header): string
+	{
+		return $this->_kwAlgo()->unwrap($ciphertext, $this->_derivedKey());
+	}
 }

lib/JWX/JWE/KeyAlgorithm/RSAESKeyAlgorithm.php

Indentation +198 added lines, -198 removed lines

@@ -21,202 +21,202 @@
  */
 abstract class RSAESKeyAlgorithm extends KeyManagementAlgorithm
 {
-    use RandomCEK;
-
-    /**
-     * Mapping from algorithm name to class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_ALGO_TO_CLASS = [
-        JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class,
-        JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class,
-    ];
-
-    /**
-     * Public key.
-     *
-     * @var RSAPublicKeyJWK
-     */
-    protected $_publicKey;
-
-    /**
-     * Private key.
-     *
-     * @var null|RSAPrivateKeyJWK
-     */
-    protected $_privateKey;
-
-    /**
-     * Constructor.
-     *
-     * Use <code>fromPublicKey</code> or <code>fromPrivateKey</code> instead!
-     *
-     * @param RSAPublicKeyJWK  $pub_key  RSA public key
-     * @param RSAPrivateKeyJWK $priv_key Optional RSA private key
-     */
-    protected function __construct(RSAPublicKeyJWK $pub_key,
-        ?RSAPrivateKeyJWK $priv_key = null)
-    {
-        $this->_publicKey = $pub_key;
-        $this->_privateKey = $priv_key;
-    }
-
-    /**
-     * Initialize from JWK.
-     *
-     * @param JWK    $jwk
-     * @param Header $header
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
-    {
-        $alg = JWA::deriveAlgorithmName($header, $jwk);
-        if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
-            throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
-        }
-        $cls = self::MAP_ALGO_TO_CLASS[$alg];
-        if ($jwk->has(...RSAPrivateKeyJWK::MANAGED_PARAMS)) {
-            return $cls::fromPrivateKey(RSAPrivateKeyJWK::fromJWK($jwk));
-        }
-        return $cls::fromPublicKey(RSAPublicKeyJWK::fromJWK($jwk));
-    }
-
-    /**
-     * Initialize from a public key.
-     *
-     * @param RSAPublicKeyJWK $jwk
-     *
-     * @return self
-     */
-    public static function fromPublicKey(RSAPublicKeyJWK $jwk): self
-    {
-        return new static($jwk);
-    }
-
-    /**
-     * Initialize from a private key.
-     *
-     * @param RSAPrivateKeyJWK $jwk
-     *
-     * @return self
-     */
-    public static function fromPrivateKey(RSAPrivateKeyJWK $jwk): self
-    {
-        return new static($jwk->publicKey(), $jwk);
-    }
-
-    /**
-     * Get the public key.
-     *
-     * @return RSAPublicKeyJWK
-     */
-    public function publicKey(): RSAPublicKeyJWK
-    {
-        return $this->_publicKey;
-    }
-
-    /**
-     * Check whether the private key is present.
-     *
-     * @return bool
-     */
-    public function hasPrivateKey(): bool
-    {
-        return isset($this->_privateKey);
-    }
-
-    /**
-     * Get the private key.
-     *
-     * @throws \LogicException
-     *
-     * @return RSAPrivateKeyJWK
-     */
-    public function privateKey(): RSAPrivateKeyJWK
-    {
-        if (!$this->hasPrivateKey()) {
-            throw new \LogicException('Private key not set.');
-        }
-        return $this->_privateKey;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function headerParameters(): array
-    {
-        return array_merge(parent::headerParameters(),
-            [AlgorithmParameter::fromAlgorithm($this)]);
-    }
-
-    /**
-     * Get the padding scheme.
-     *
-     * @return int
-     */
-    abstract protected function _paddingScheme(): int;
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _encryptKey(string $key, Header &$header): string
-    {
-        $pubkey = openssl_pkey_get_public(
-            $this->publicKey()->toPEM()->string());
-        if (false === $pubkey) {
-            throw new \RuntimeException(
-                'openssl_pkey_get_public() failed: ' .
-                     $this->_getLastOpenSSLError());
-        }
-        $result = openssl_public_encrypt($key, $crypted, $pubkey,
-            $this->_paddingScheme());
-        if (!$result) {
-            throw new \RuntimeException(
-                'openssl_public_encrypt() failed: ' .
-                     $this->_getLastOpenSSLError());
-        }
-        return $crypted;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _decryptKey(string $ciphertext, Header $header): string
-    {
-        $privkey = openssl_pkey_get_private(
-            $this->privateKey()->toPEM()->string());
-        if (false === $privkey) {
-            throw new \RuntimeException(
-                'openssl_pkey_get_private() failed: ' .
-                     $this->_getLastOpenSSLError());
-        }
-        $result = openssl_private_decrypt($ciphertext, $cek, $privkey,
-            $this->_paddingScheme());
-        if (!$result) {
-            throw new \RuntimeException(
-                'openssl_private_decrypt() failed: ' .
-                     $this->_getLastOpenSSLError());
-        }
-        return $cek;
-    }
-
-    /**
-     * Get last OpenSSL error message.
-     *
-     * @return null|string
-     */
-    protected function _getLastOpenSSLError(): ?string
-    {
-        $msg = null;
-        while (false !== ($err = openssl_error_string())) {
-            $msg = $err;
-        }
-        return $msg;
-    }
+	use RandomCEK;
+
+	/**
+	 * Mapping from algorithm name to class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_ALGO_TO_CLASS = [
+		JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class,
+		JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class,
+	];
+
+	/**
+	 * Public key.
+	 *
+	 * @var RSAPublicKeyJWK
+	 */
+	protected $_publicKey;
+
+	/**
+	 * Private key.
+	 *
+	 * @var null|RSAPrivateKeyJWK
+	 */
+	protected $_privateKey;
+
+	/**
+	 * Constructor.
+	 *
+	 * Use <code>fromPublicKey</code> or <code>fromPrivateKey</code> instead!
+	 *
+	 * @param RSAPublicKeyJWK  $pub_key  RSA public key
+	 * @param RSAPrivateKeyJWK $priv_key Optional RSA private key
+	 */
+	protected function __construct(RSAPublicKeyJWK $pub_key,
+		?RSAPrivateKeyJWK $priv_key = null)
+	{
+		$this->_publicKey = $pub_key;
+		$this->_privateKey = $priv_key;
+	}
+
+	/**
+	 * Initialize from JWK.
+	 *
+	 * @param JWK    $jwk
+	 * @param Header $header
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
+	{
+		$alg = JWA::deriveAlgorithmName($header, $jwk);
+		if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
+			throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
+		}
+		$cls = self::MAP_ALGO_TO_CLASS[$alg];
+		if ($jwk->has(...RSAPrivateKeyJWK::MANAGED_PARAMS)) {
+			return $cls::fromPrivateKey(RSAPrivateKeyJWK::fromJWK($jwk));
+		}
+		return $cls::fromPublicKey(RSAPublicKeyJWK::fromJWK($jwk));
+	}
+
+	/**
+	 * Initialize from a public key.
+	 *
+	 * @param RSAPublicKeyJWK $jwk
+	 *
+	 * @return self
+	 */
+	public static function fromPublicKey(RSAPublicKeyJWK $jwk): self
+	{
+		return new static($jwk);
+	}
+
+	/**
+	 * Initialize from a private key.
+	 *
+	 * @param RSAPrivateKeyJWK $jwk
+	 *
+	 * @return self
+	 */
+	public static function fromPrivateKey(RSAPrivateKeyJWK $jwk): self
+	{
+		return new static($jwk->publicKey(), $jwk);
+	}
+
+	/**
+	 * Get the public key.
+	 *
+	 * @return RSAPublicKeyJWK
+	 */
+	public function publicKey(): RSAPublicKeyJWK
+	{
+		return $this->_publicKey;
+	}
+
+	/**
+	 * Check whether the private key is present.
+	 *
+	 * @return bool
+	 */
+	public function hasPrivateKey(): bool
+	{
+		return isset($this->_privateKey);
+	}
+
+	/**
+	 * Get the private key.
+	 *
+	 * @throws \LogicException
+	 *
+	 * @return RSAPrivateKeyJWK
+	 */
+	public function privateKey(): RSAPrivateKeyJWK
+	{
+		if (!$this->hasPrivateKey()) {
+			throw new \LogicException('Private key not set.');
+		}
+		return $this->_privateKey;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function headerParameters(): array
+	{
+		return array_merge(parent::headerParameters(),
+			[AlgorithmParameter::fromAlgorithm($this)]);
+	}
+
+	/**
+	 * Get the padding scheme.
+	 *
+	 * @return int
+	 */
+	abstract protected function _paddingScheme(): int;
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _encryptKey(string $key, Header &$header): string
+	{
+		$pubkey = openssl_pkey_get_public(
+			$this->publicKey()->toPEM()->string());
+		if (false === $pubkey) {
+			throw new \RuntimeException(
+				'openssl_pkey_get_public() failed: ' .
+					 $this->_getLastOpenSSLError());
+		}
+		$result = openssl_public_encrypt($key, $crypted, $pubkey,
+			$this->_paddingScheme());
+		if (!$result) {
+			throw new \RuntimeException(
+				'openssl_public_encrypt() failed: ' .
+					 $this->_getLastOpenSSLError());
+		}
+		return $crypted;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _decryptKey(string $ciphertext, Header $header): string
+	{
+		$privkey = openssl_pkey_get_private(
+			$this->privateKey()->toPEM()->string());
+		if (false === $privkey) {
+			throw new \RuntimeException(
+				'openssl_pkey_get_private() failed: ' .
+					 $this->_getLastOpenSSLError());
+		}
+		$result = openssl_private_decrypt($ciphertext, $cek, $privkey,
+			$this->_paddingScheme());
+		if (!$result) {
+			throw new \RuntimeException(
+				'openssl_private_decrypt() failed: ' .
+					 $this->_getLastOpenSSLError());
+		}
+		return $cek;
+	}
+
+	/**
+	 * Get last OpenSSL error message.
+	 *
+	 * @return null|string
+	 */
+	protected function _getLastOpenSSLError(): ?string
+	{
+		$msg = null;
+		while (false !== ($err = openssl_error_string())) {
+			$msg = $err;
+		}
+		return $msg;
+	}
 }

lib/JWX/JWE/KeyAlgorithm/A192GCMKWAlgorithm.php

Indentation +21 added lines, -21 removed lines

@@ -15,27 +15,27 @@
  */
 class A192GCMKWAlgorithm extends AESGCMKWAlgorithm
 {
-    /**
-     * {@inheritdoc}
-     */
-    public function algorithmParamValue(): string
-    {
-        return JWA::ALGO_A192GCMKW;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function algorithmParamValue(): string
+	{
+		return JWA::ALGO_A192GCMKW;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _getGCMCipher(): Cipher
-    {
-        return new AES192Cipher();
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _getGCMCipher(): Cipher
+	{
+		return new AES192Cipher();
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _keySize(): int
-    {
-        return 24;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _keySize(): int
+	{
+		return 24;
+	}
 }

lib/JWX/JWE/KeyAlgorithm/PBES2HS256A128KWAlgorithm.php

Indentation +28 added lines, -28 removed lines

@@ -15,35 +15,35 @@
  */
 class PBES2HS256A128KWAlgorithm extends PBES2Algorithm
 {
-    /**
-     * {@inheritdoc}
-     */
-    public function algorithmParamValue(): string
-    {
-        return JWA::ALGO_PBES2_HS256_A128KW;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function algorithmParamValue(): string
+	{
+		return JWA::ALGO_PBES2_HS256_A128KW;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _hashAlgo(): string
-    {
-        return 'sha256';
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _hashAlgo(): string
+	{
+		return 'sha256';
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _keyLength(): int
-    {
-        return 16;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _keyLength(): int
+	{
+		return 16;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _kwAlgo(): AESKeyWrapAlgorithm
-    {
-        return new AESKW128();
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _kwAlgo(): AESKeyWrapAlgorithm
+	{
+		return new AESKW128();
+	}
 }

lib/JWX/JWE/KeyAlgorithm/Feature/RandomCEK.php

Indentation +17 added lines, -17 removed lines

@@ -9,21 +9,21 @@
  */
 trait RandomCEK
 {
-    /**
-     * Generate a random content encryption key.
-     *
-     * @param int $length Key length in bytes
-     *
-     * @throws \RuntimeException
-     *
-     * @return string
-     */
-    public function cekForEncryption(int $length): string
-    {
-        $ret = openssl_random_pseudo_bytes($length);
-        if (false === $ret) {
-            throw new \RuntimeException('openssl_random_pseudo_bytes() failed.');
-        }
-        return $ret;
-    }
+	/**
+	 * Generate a random content encryption key.
+	 *
+	 * @param int $length Key length in bytes
+	 *
+	 * @throws \RuntimeException
+	 *
+	 * @return string
+	 */
+	public function cekForEncryption(int $length): string
+	{
+		$ret = openssl_random_pseudo_bytes($length);
+		if (false === $ret) {
+			throw new \RuntimeException('openssl_random_pseudo_bytes() failed.');
+		}
+		return $ret;
+	}
 }

lib/JWX/JWE/KeyAlgorithm/AESGCMKWAlgorithm.php

Indentation +161 added lines, -161 removed lines

@@ -23,165 +23,165 @@
  */
 abstract class AESGCMKWAlgorithm extends KeyManagementAlgorithm
 {
-    use RandomCEK;
-
-    /**
-     * Mapping from algorithm name to class name.
-     *
-     * @internal
-     *
-     * @var array
-     */
-    const MAP_ALGO_TO_CLASS = [
-        JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class,
-        JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class,
-        JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class,
-    ];
-
-    /**
-     * Required IV size in bytes.
-     *
-     * @var int
-     */
-    const IV_SIZE = 12;
-
-    /**
-     * Authentication tag size in bytes.
-     *
-     * @var int
-     */
-    const AUTH_TAG_SIZE = 16;
-
-    /**
-     * Key encryption key.
-     *
-     * @var string
-     */
-    protected $_kek;
-
-    /**
-     * Initialization vector.
-     *
-     * @var string
-     */
-    protected $_iv;
-
-    /**
-     * Constructor.
-     *
-     * @param string $kek Key encryption key
-     * @param string $iv  Initialization vector
-     */
-    public function __construct(string $kek, string $iv)
-    {
-        if (strlen($kek) !== $this->_keySize()) {
-            throw new \LengthException('Invalid key size.');
-        }
-        if (self::IV_SIZE !== strlen($iv)) {
-            throw new \LengthException('Initialization vector must be 96 bits.');
-        }
-        $this->_kek = $kek;
-        $this->_iv = $iv;
-    }
-
-    /**
-     * Initialize from JWK.
-     *
-     * @param JWK    $jwk
-     * @param Header $header
-     *
-     * @throws \UnexpectedValueException
-     *
-     * @return self
-     */
-    public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
-    {
-        $jwk = SymmetricKeyJWK::fromJWK($jwk);
-        if (!$header->hasInitializationVector()) {
-            throw new \UnexpectedValueException('No initialization vector.');
-        }
-        $iv = $header->initializationVector()->initializationVector();
-        $alg = JWA::deriveAlgorithmName($header, $jwk);
-        if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
-            throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
-        }
-        $cls = self::MAP_ALGO_TO_CLASS[$alg];
-        return new $cls($jwk->key(), $iv);
-    }
-
-    /**
-     * Initialize from key encryption key with random IV.
-     *
-     * Key size must match the underlying cipher.
-     *
-     * @param string $key Key encryption key
-     *
-     * @return self
-     */
-    public static function fromKey(string $key): self
-    {
-        $iv = openssl_random_pseudo_bytes(self::IV_SIZE);
-        return new static($key, $iv);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function headerParameters(): array
-    {
-        return array_merge(parent::headerParameters(),
-            [AlgorithmParameter::fromAlgorithm($this),
-                InitializationVectorParameter::fromString($this->_iv), ]);
-    }
-
-    /**
-     * Get GCM Cipher instance.
-     *
-     * @return Cipher
-     */
-    abstract protected function _getGCMCipher(): Cipher;
-
-    /**
-     * Get the required key size.
-     *
-     * @return int
-     */
-    abstract protected function _keySize(): int;
-
-    /**
-     * Get GCM instance.
-     *
-     * @return GCM
-     */
-    final protected function _getGCM(): GCM
-    {
-        return new GCM($this->_getGCMCipher(), self::AUTH_TAG_SIZE);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _encryptKey(string $key, Header &$header): string
-    {
-        [$ciphertext, $auth_tag] = $this->_getGCM()
-            ->encrypt($key, '', $this->_kek, $this->_iv);
-        // insert authentication tag to the header
-        $header = $header->withParameters(
-            AuthenticationTagParameter::fromString($auth_tag));
-        return $ciphertext;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function _decryptKey(string $ciphertext, Header $header): string
-    {
-        if (!$header->hasAuthenticationTag()) {
-            throw new \RuntimeException(
-                "Header doesn't contain authentication tag.");
-        }
-        $auth_tag = $header->authenticationTag()->authenticationTag();
-        return $this->_getGCM()
-            ->decrypt($ciphertext, $auth_tag, '', $this->_kek, $this->_iv);
-    }
+	use RandomCEK;
+
+	/**
+	 * Mapping from algorithm name to class name.
+	 *
+	 * @internal
+	 *
+	 * @var array
+	 */
+	const MAP_ALGO_TO_CLASS = [
+		JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class,
+		JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class,
+		JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class,
+	];
+
+	/**
+	 * Required IV size in bytes.
+	 *
+	 * @var int
+	 */
+	const IV_SIZE = 12;
+
+	/**
+	 * Authentication tag size in bytes.
+	 *
+	 * @var int
+	 */
+	const AUTH_TAG_SIZE = 16;
+
+	/**
+	 * Key encryption key.
+	 *
+	 * @var string
+	 */
+	protected $_kek;
+
+	/**
+	 * Initialization vector.
+	 *
+	 * @var string
+	 */
+	protected $_iv;
+
+	/**
+	 * Constructor.
+	 *
+	 * @param string $kek Key encryption key
+	 * @param string $iv  Initialization vector
+	 */
+	public function __construct(string $kek, string $iv)
+	{
+		if (strlen($kek) !== $this->_keySize()) {
+			throw new \LengthException('Invalid key size.');
+		}
+		if (self::IV_SIZE !== strlen($iv)) {
+			throw new \LengthException('Initialization vector must be 96 bits.');
+		}
+		$this->_kek = $kek;
+		$this->_iv = $iv;
+	}
+
+	/**
+	 * Initialize from JWK.
+	 *
+	 * @param JWK    $jwk
+	 * @param Header $header
+	 *
+	 * @throws \UnexpectedValueException
+	 *
+	 * @return self
+	 */
+	public static function fromJWK(JWK $jwk, Header $header): KeyManagementAlgorithm
+	{
+		$jwk = SymmetricKeyJWK::fromJWK($jwk);
+		if (!$header->hasInitializationVector()) {
+			throw new \UnexpectedValueException('No initialization vector.');
+		}
+		$iv = $header->initializationVector()->initializationVector();
+		$alg = JWA::deriveAlgorithmName($header, $jwk);
+		if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) {
+			throw new \UnexpectedValueException("Unsupported algorithm '{$alg}'.");
+		}
+		$cls = self::MAP_ALGO_TO_CLASS[$alg];
+		return new $cls($jwk->key(), $iv);
+	}
+
+	/**
+	 * Initialize from key encryption key with random IV.
+	 *
+	 * Key size must match the underlying cipher.
+	 *
+	 * @param string $key Key encryption key
+	 *
+	 * @return self
+	 */
+	public static function fromKey(string $key): self
+	{
+		$iv = openssl_random_pseudo_bytes(self::IV_SIZE);
+		return new static($key, $iv);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function headerParameters(): array
+	{
+		return array_merge(parent::headerParameters(),
+			[AlgorithmParameter::fromAlgorithm($this),
+				InitializationVectorParameter::fromString($this->_iv), ]);
+	}
+
+	/**
+	 * Get GCM Cipher instance.
+	 *
+	 * @return Cipher
+	 */
+	abstract protected function _getGCMCipher(): Cipher;
+
+	/**
+	 * Get the required key size.
+	 *
+	 * @return int
+	 */
+	abstract protected function _keySize(): int;
+
+	/**
+	 * Get GCM instance.
+	 *
+	 * @return GCM
+	 */
+	final protected function _getGCM(): GCM
+	{
+		return new GCM($this->_getGCMCipher(), self::AUTH_TAG_SIZE);
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _encryptKey(string $key, Header &$header): string
+	{
+		[$ciphertext, $auth_tag] = $this->_getGCM()
+			->encrypt($key, '', $this->_kek, $this->_iv);
+		// insert authentication tag to the header
+		$header = $header->withParameters(
+			AuthenticationTagParameter::fromString($auth_tag));
+		return $ciphertext;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _decryptKey(string $ciphertext, Header $header): string
+	{
+		if (!$header->hasAuthenticationTag()) {
+			throw new \RuntimeException(
+				"Header doesn't contain authentication tag.");
+		}
+		$auth_tag = $header->authenticationTag()->authenticationTag();
+		return $this->_getGCM()
+			->decrypt($ciphertext, $auth_tag, '', $this->_kek, $this->_iv);
+	}
 }

lib/JWX/JWE/KeyAlgorithm/A128KWAlgorithm.php

Indentation +21 added lines, -21 removed lines

@@ -15,27 +15,27 @@
  */
 class A128KWAlgorithm extends AESKWAlgorithm
 {
-    /**
-     * {@inheritdoc}
-     */
-    public function algorithmParamValue(): string
-    {
-        return JWA::ALGO_A128KW;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	public function algorithmParamValue(): string
+	{
+		return JWA::ALGO_A128KW;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _kekSize(): int
-    {
-        return 16;
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _kekSize(): int
+	{
+		return 16;
+	}
 
-    /**
-     * {@inheritdoc}
-     */
-    protected function _AESKWAlgo(): AESKeyWrapAlgorithm
-    {
-        return new AESKW128();
-    }
+	/**
+	 * {@inheritdoc}
+	 */
+	protected function _AESKWAlgo(): AESKeyWrapAlgorithm
+	{
+		return new AESKW128();
+	}
 }