sop /
jwx
@@ -18,96 +18,96 @@ |
||
| 18 | 18 | */ |
| 19 | 19 | abstract class AESGCMAlgorithm implements ContentEncryptionAlgorithm |
| 20 | 20 | { |
| 21 | - /** |
|
| 22 | - * Get GCM Cipher instance. |
|
| 23 | - * |
|
| 24 | - * @return Cipher |
|
| 25 | - */ |
|
| 26 | - abstract protected function _getGCMCipher(): Cipher; |
|
| 21 | + /** |
|
| 22 | + * Get GCM Cipher instance. |
|
| 23 | + * |
|
| 24 | + * @return Cipher |
|
| 25 | + */ |
|
| 26 | + abstract protected function _getGCMCipher(): Cipher; |
|
| 27 | 27 | |
| 28 | - /** |
|
| 29 | - * Get GCM instance. |
|
| 30 | - * |
|
| 31 | - * @return GCM |
|
| 32 | - */ |
|
| 33 | - final protected function _getGCM(): GCM |
|
| 34 | - { |
|
| 35 | - return new GCM($this->_getGCMCipher(), 16); |
|
| 36 | - } |
|
| 28 | + /** |
|
| 29 | + * Get GCM instance. |
|
| 30 | + * |
|
| 31 | + * @return GCM |
|
| 32 | + */ |
|
| 33 | + final protected function _getGCM(): GCM |
|
| 34 | + { |
|
| 35 | + return new GCM($this->_getGCMCipher(), 16); |
|
| 36 | + } |
|
| 37 | 37 | |
| 38 | - /** |
|
| 39 | - * Check that key is valid. |
|
| 40 | - * |
|
| 41 | - * @param string $key |
|
| 42 | - * @throws \RuntimeException |
|
| 43 | - */ |
|
| 44 | - final protected function _validateKey(string $key) |
|
| 45 | - { |
|
| 46 | - if (strlen($key) != $this->keySize()) { |
|
| 47 | - throw new \RuntimeException("Invalid key size."); |
|
| 48 | - } |
|
| 49 | - } |
|
| 38 | + /** |
|
| 39 | + * Check that key is valid. |
|
| 40 | + * |
|
| 41 | + * @param string $key |
|
| 42 | + * @throws \RuntimeException |
|
| 43 | + */ |
|
| 44 | + final protected function _validateKey(string $key) |
|
| 45 | + { |
|
| 46 | + if (strlen($key) != $this->keySize()) { |
|
| 47 | + throw new \RuntimeException("Invalid key size."); |
|
| 48 | + } |
|
| 49 | + } |
|
| 50 | 50 | |
| 51 | - /** |
|
| 52 | - * Check that IV is valid. |
|
| 53 | - * |
|
| 54 | - * @param string $iv |
|
| 55 | - * @throws \RuntimeException |
|
| 56 | - */ |
|
| 57 | - final protected function _validateIV(string $iv) |
|
| 58 | - { |
|
| 59 | - if (strlen($iv) != $this->ivSize()) { |
|
| 60 | - throw new \RuntimeException("Invalid IV length."); |
|
| 61 | - } |
|
| 62 | - } |
|
| 51 | + /** |
|
| 52 | + * Check that IV is valid. |
|
| 53 | + * |
|
| 54 | + * @param string $iv |
|
| 55 | + * @throws \RuntimeException |
|
| 56 | + */ |
|
| 57 | + final protected function _validateIV(string $iv) |
|
| 58 | + { |
|
| 59 | + if (strlen($iv) != $this->ivSize()) { |
|
| 60 | + throw new \RuntimeException("Invalid IV length."); |
|
| 61 | + } |
|
| 62 | + } |
|
| 63 | 63 | |
| 64 | - /** |
|
| 65 | - * |
|
| 66 | - * {@inheritdoc} |
|
| 67 | - */ |
|
| 68 | - public function encrypt(string $plaintext, string $key, string $iv, |
|
| 69 | - string $aad): array |
|
| 70 | - { |
|
| 71 | - $this->_validateKey($key); |
|
| 72 | - $this->_validateIV($iv); |
|
| 73 | - list($ciphertext, $auth_tag) = $this->_getGCM()->encrypt($plaintext, |
|
| 74 | - $aad, $key, $iv); |
|
| 75 | - return [$ciphertext, $auth_tag]; |
|
| 76 | - } |
|
| 64 | + /** |
|
| 65 | + * |
|
| 66 | + * {@inheritdoc} |
|
| 67 | + */ |
|
| 68 | + public function encrypt(string $plaintext, string $key, string $iv, |
|
| 69 | + string $aad): array |
|
| 70 | + { |
|
| 71 | + $this->_validateKey($key); |
|
| 72 | + $this->_validateIV($iv); |
|
| 73 | + list($ciphertext, $auth_tag) = $this->_getGCM()->encrypt($plaintext, |
|
| 74 | + $aad, $key, $iv); |
|
| 75 | + return [$ciphertext, $auth_tag]; |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * |
|
| 80 | - * {@inheritdoc} |
|
| 81 | - */ |
|
| 82 | - public function decrypt(string $ciphertext, string $key, string $iv, |
|
| 83 | - string $aad, string $auth_tag): string |
|
| 84 | - { |
|
| 85 | - $this->_validateKey($key); |
|
| 86 | - $this->_validateIV($iv); |
|
| 87 | - try { |
|
| 88 | - $plaintext = $this->_getGCM()->decrypt($ciphertext, $auth_tag, $aad, |
|
| 89 | - $key, $iv); |
|
| 90 | - } catch (GCMAuthException $e) { |
|
| 91 | - throw new AuthenticationException("Message authentication failed."); |
|
| 92 | - } |
|
| 93 | - return $plaintext; |
|
| 94 | - } |
|
| 78 | + /** |
|
| 79 | + * |
|
| 80 | + * {@inheritdoc} |
|
| 81 | + */ |
|
| 82 | + public function decrypt(string $ciphertext, string $key, string $iv, |
|
| 83 | + string $aad, string $auth_tag): string |
|
| 84 | + { |
|
| 85 | + $this->_validateKey($key); |
|
| 86 | + $this->_validateIV($iv); |
|
| 87 | + try { |
|
| 88 | + $plaintext = $this->_getGCM()->decrypt($ciphertext, $auth_tag, $aad, |
|
| 89 | + $key, $iv); |
|
| 90 | + } catch (GCMAuthException $e) { |
|
| 91 | + throw new AuthenticationException("Message authentication failed."); |
|
| 92 | + } |
|
| 93 | + return $plaintext; |
|
| 94 | + } |
|
| 95 | 95 | |
| 96 | - /** |
|
| 97 | - * |
|
| 98 | - * {@inheritdoc} |
|
| 99 | - */ |
|
| 100 | - public function ivSize(): int |
|
| 101 | - { |
|
| 102 | - return 12; |
|
| 103 | - } |
|
| 96 | + /** |
|
| 97 | + * |
|
| 98 | + * {@inheritdoc} |
|
| 99 | + */ |
|
| 100 | + public function ivSize(): int |
|
| 101 | + { |
|
| 102 | + return 12; |
|
| 103 | + } |
|
| 104 | 104 | |
| 105 | - /** |
|
| 106 | - * |
|
| 107 | - * {@inheritdoc} |
|
| 108 | - */ |
|
| 109 | - public function headerParameters(): array |
|
| 110 | - { |
|
| 111 | - return array(EncryptionAlgorithmParameter::fromAlgorithm($this)); |
|
| 112 | - } |
|
| 105 | + /** |
|
| 106 | + * |
|
| 107 | + * {@inheritdoc} |
|
| 108 | + */ |
|
| 109 | + public function headerParameters(): array |
|
| 110 | + { |
|
| 111 | + return array(EncryptionAlgorithmParameter::fromAlgorithm($this)); |
|
| 112 | + } |
|
| 113 | 113 | } |
@@ -20,354 +20,354 @@ |
||
| 20 | 20 | */ |
| 21 | 21 | class JWE |
| 22 | 22 | { |
| 23 | - /** |
|
| 24 | - * Protected header. |
|
| 25 | - * |
|
| 26 | - * @var Header $_protectedHeader |
|
| 27 | - */ |
|
| 28 | - protected $_protectedHeader; |
|
| 23 | + /** |
|
| 24 | + * Protected header. |
|
| 25 | + * |
|
| 26 | + * @var Header $_protectedHeader |
|
| 27 | + */ |
|
| 28 | + protected $_protectedHeader; |
|
| 29 | 29 | |
| 30 | - /** |
|
| 31 | - * Encrypted key. |
|
| 32 | - * |
|
| 33 | - * @var string $_encryptedKey |
|
| 34 | - */ |
|
| 35 | - protected $_encryptedKey; |
|
| 30 | + /** |
|
| 31 | + * Encrypted key. |
|
| 32 | + * |
|
| 33 | + * @var string $_encryptedKey |
|
| 34 | + */ |
|
| 35 | + protected $_encryptedKey; |
|
| 36 | 36 | |
| 37 | - /** |
|
| 38 | - * Initialization vector. |
|
| 39 | - * |
|
| 40 | - * @var string |
|
| 41 | - */ |
|
| 42 | - protected $_iv; |
|
| 37 | + /** |
|
| 38 | + * Initialization vector. |
|
| 39 | + * |
|
| 40 | + * @var string |
|
| 41 | + */ |
|
| 42 | + protected $_iv; |
|
| 43 | 43 | |
| 44 | - /** |
|
| 45 | - * Additional authenticated data. |
|
| 46 | - * |
|
| 47 | - * @var string|null $_aad |
|
| 48 | - */ |
|
| 49 | - protected $_aad; |
|
| 44 | + /** |
|
| 45 | + * Additional authenticated data. |
|
| 46 | + * |
|
| 47 | + * @var string|null $_aad |
|
| 48 | + */ |
|
| 49 | + protected $_aad; |
|
| 50 | 50 | |
| 51 | - /** |
|
| 52 | - * Ciphertext. |
|
| 53 | - * |
|
| 54 | - * @var string $_ciphertext |
|
| 55 | - */ |
|
| 56 | - protected $_ciphertext; |
|
| 51 | + /** |
|
| 52 | + * Ciphertext. |
|
| 53 | + * |
|
| 54 | + * @var string $_ciphertext |
|
| 55 | + */ |
|
| 56 | + protected $_ciphertext; |
|
| 57 | 57 | |
| 58 | - /** |
|
| 59 | - * Authentication tag. |
|
| 60 | - * |
|
| 61 | - * @var string $_authenticationTag |
|
| 62 | - */ |
|
| 63 | - protected $_authenticationTag; |
|
| 58 | + /** |
|
| 59 | + * Authentication tag. |
|
| 60 | + * |
|
| 61 | + * @var string $_authenticationTag |
|
| 62 | + */ |
|
| 63 | + protected $_authenticationTag; |
|
| 64 | 64 | |
| 65 | - /** |
|
| 66 | - * Constructor. |
|
| 67 | - * |
|
| 68 | - * @param Header $protected_header JWE Protected Header |
|
| 69 | - * @param string $encrypted_key Encrypted key |
|
| 70 | - * @param string $iv Initialization vector |
|
| 71 | - * @param string $ciphertext Ciphertext |
|
| 72 | - * @param string $auth_tag Authentication tag |
|
| 73 | - * @param string|null $aad Additional authenticated data |
|
| 74 | - */ |
|
| 75 | - public function __construct(Header $protected_header, string $encrypted_key, |
|
| 76 | - string $iv, string $ciphertext, string $auth_tag, $aad = null) |
|
| 77 | - { |
|
| 78 | - $this->_protectedHeader = $protected_header; |
|
| 79 | - $this->_encryptedKey = $encrypted_key; |
|
| 80 | - $this->_iv = $iv; |
|
| 81 | - $this->_aad = $aad; |
|
| 82 | - $this->_ciphertext = $ciphertext; |
|
| 83 | - $this->_authenticationTag = $auth_tag; |
|
| 84 | - } |
|
| 65 | + /** |
|
| 66 | + * Constructor. |
|
| 67 | + * |
|
| 68 | + * @param Header $protected_header JWE Protected Header |
|
| 69 | + * @param string $encrypted_key Encrypted key |
|
| 70 | + * @param string $iv Initialization vector |
|
| 71 | + * @param string $ciphertext Ciphertext |
|
| 72 | + * @param string $auth_tag Authentication tag |
|
| 73 | + * @param string|null $aad Additional authenticated data |
|
| 74 | + */ |
|
| 75 | + public function __construct(Header $protected_header, string $encrypted_key, |
|
| 76 | + string $iv, string $ciphertext, string $auth_tag, $aad = null) |
|
| 77 | + { |
|
| 78 | + $this->_protectedHeader = $protected_header; |
|
| 79 | + $this->_encryptedKey = $encrypted_key; |
|
| 80 | + $this->_iv = $iv; |
|
| 81 | + $this->_aad = $aad; |
|
| 82 | + $this->_ciphertext = $ciphertext; |
|
| 83 | + $this->_authenticationTag = $auth_tag; |
|
| 84 | + } |
|
| 85 | 85 | |
| 86 | - /** |
|
| 87 | - * Initialize from compact serialization. |
|
| 88 | - * |
|
| 89 | - * @param string $data |
|
| 90 | - * @return self |
|
| 91 | - */ |
|
| 92 | - public static function fromCompact(string $data): self |
|
| 93 | - { |
|
| 94 | - return self::fromParts(explode(".", $data)); |
|
| 95 | - } |
|
| 86 | + /** |
|
| 87 | + * Initialize from compact serialization. |
|
| 88 | + * |
|
| 89 | + * @param string $data |
|
| 90 | + * @return self |
|
| 91 | + */ |
|
| 92 | + public static function fromCompact(string $data): self |
|
| 93 | + { |
|
| 94 | + return self::fromParts(explode(".", $data)); |
|
| 95 | + } |
|
| 96 | 96 | |
| 97 | - /** |
|
| 98 | - * Initialize from parts of compact serialization. |
|
| 99 | - * |
|
| 100 | - * @param array $parts |
|
| 101 | - * @throws \UnexpectedValueException |
|
| 102 | - * @return self |
|
| 103 | - */ |
|
| 104 | - public static function fromParts(array $parts): self |
|
| 105 | - { |
|
| 106 | - if (count($parts) != 5) { |
|
| 107 | - throw new \UnexpectedValueException( |
|
| 108 | - "Invalid JWE compact serialization."); |
|
| 109 | - } |
|
| 110 | - $header = Header::fromJSON(Base64::urlDecode($parts[0])); |
|
| 111 | - $encrypted_key = Base64::urlDecode($parts[1]); |
|
| 112 | - $iv = Base64::urlDecode($parts[2]); |
|
| 113 | - $ciphertext = Base64::urlDecode($parts[3]); |
|
| 114 | - $auth_tag = Base64::urlDecode($parts[4]); |
|
| 115 | - return new self($header, $encrypted_key, $iv, $ciphertext, $auth_tag); |
|
| 116 | - } |
|
| 97 | + /** |
|
| 98 | + * Initialize from parts of compact serialization. |
|
| 99 | + * |
|
| 100 | + * @param array $parts |
|
| 101 | + * @throws \UnexpectedValueException |
|
| 102 | + * @return self |
|
| 103 | + */ |
|
| 104 | + public static function fromParts(array $parts): self |
|
| 105 | + { |
|
| 106 | + if (count($parts) != 5) { |
|
| 107 | + throw new \UnexpectedValueException( |
|
| 108 | + "Invalid JWE compact serialization."); |
|
| 109 | + } |
|
| 110 | + $header = Header::fromJSON(Base64::urlDecode($parts[0])); |
|
| 111 | + $encrypted_key = Base64::urlDecode($parts[1]); |
|
| 112 | + $iv = Base64::urlDecode($parts[2]); |
|
| 113 | + $ciphertext = Base64::urlDecode($parts[3]); |
|
| 114 | + $auth_tag = Base64::urlDecode($parts[4]); |
|
| 115 | + return new self($header, $encrypted_key, $iv, $ciphertext, $auth_tag); |
|
| 116 | + } |
|
| 117 | 117 | |
| 118 | - /** |
|
| 119 | - * Initialize by encrypting the given payload. |
|
| 120 | - * |
|
| 121 | - * @param string $payload Payload |
|
| 122 | - * @param KeyManagementAlgorithm $key_algo Key management algorithm |
|
| 123 | - * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm |
|
| 124 | - * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm |
|
| 125 | - * @param Header|null $header Optional desired header. Algorithm specific |
|
| 126 | - * parameters are automatically added. |
|
| 127 | - * @param string|null $cek Optional content encryption key. Randomly |
|
| 128 | - * generated if not set. |
|
| 129 | - * @param string|null $iv Optional initialization vector. Randomly generated |
|
| 130 | - * if not set. |
|
| 131 | - * @throws \RuntimeException If encrypt fails |
|
| 132 | - * @return self |
|
| 133 | - */ |
|
| 134 | - public static function encrypt(string $payload, |
|
| 135 | - KeyManagementAlgorithm $key_algo, ContentEncryptionAlgorithm $enc_algo, |
|
| 136 | - CompressionAlgorithm $zip_algo = null, Header $header = null, $cek = null, $iv = null): self |
|
| 137 | - { |
|
| 138 | - // if header was not given, initialize empty |
|
| 139 | - if (!isset($header)) { |
|
| 140 | - $header = new Header(); |
|
| 141 | - } |
|
| 142 | - // generate random CEK |
|
| 143 | - if (!isset($cek)) { |
|
| 144 | - $cek = $key_algo->cekForEncryption($enc_algo->keySize()); |
|
| 145 | - } |
|
| 146 | - // generate random IV |
|
| 147 | - if (!isset($iv)) { |
|
| 148 | - $iv = openssl_random_pseudo_bytes($enc_algo->ivSize()); |
|
| 149 | - } |
|
| 150 | - // compress |
|
| 151 | - if (isset($zip_algo)) { |
|
| 152 | - $payload = $zip_algo->compress($payload); |
|
| 153 | - $header = $header->withParameters(...$zip_algo->headerParameters()); |
|
| 154 | - } |
|
| 155 | - return self::_encryptContent($payload, $cek, $iv, $key_algo, $enc_algo, |
|
| 156 | - $header); |
|
| 157 | - } |
|
| 118 | + /** |
|
| 119 | + * Initialize by encrypting the given payload. |
|
| 120 | + * |
|
| 121 | + * @param string $payload Payload |
|
| 122 | + * @param KeyManagementAlgorithm $key_algo Key management algorithm |
|
| 123 | + * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm |
|
| 124 | + * @param CompressionAlgorithm|null $zip_algo Optional compression algorithm |
|
| 125 | + * @param Header|null $header Optional desired header. Algorithm specific |
|
| 126 | + * parameters are automatically added. |
|
| 127 | + * @param string|null $cek Optional content encryption key. Randomly |
|
| 128 | + * generated if not set. |
|
| 129 | + * @param string|null $iv Optional initialization vector. Randomly generated |
|
| 130 | + * if not set. |
|
| 131 | + * @throws \RuntimeException If encrypt fails |
|
| 132 | + * @return self |
|
| 133 | + */ |
|
| 134 | + public static function encrypt(string $payload, |
|
| 135 | + KeyManagementAlgorithm $key_algo, ContentEncryptionAlgorithm $enc_algo, |
|
| 136 | + CompressionAlgorithm $zip_algo = null, Header $header = null, $cek = null, $iv = null): self |
|
| 137 | + { |
|
| 138 | + // if header was not given, initialize empty |
|
| 139 | + if (!isset($header)) { |
|
| 140 | + $header = new Header(); |
|
| 141 | + } |
|
| 142 | + // generate random CEK |
|
| 143 | + if (!isset($cek)) { |
|
| 144 | + $cek = $key_algo->cekForEncryption($enc_algo->keySize()); |
|
| 145 | + } |
|
| 146 | + // generate random IV |
|
| 147 | + if (!isset($iv)) { |
|
| 148 | + $iv = openssl_random_pseudo_bytes($enc_algo->ivSize()); |
|
| 149 | + } |
|
| 150 | + // compress |
|
| 151 | + if (isset($zip_algo)) { |
|
| 152 | + $payload = $zip_algo->compress($payload); |
|
| 153 | + $header = $header->withParameters(...$zip_algo->headerParameters()); |
|
| 154 | + } |
|
| 155 | + return self::_encryptContent($payload, $cek, $iv, $key_algo, $enc_algo, |
|
| 156 | + $header); |
|
| 157 | + } |
|
| 158 | 158 | |
| 159 | - /** |
|
| 160 | - * Encrypt content with explicit parameters. |
|
| 161 | - * |
|
| 162 | - * @param string $plaintext Plaintext content to encrypt |
|
| 163 | - * @param string $cek Content encryption key |
|
| 164 | - * @param string $iv Initialization vector |
|
| 165 | - * @param KeyManagementAlgorithm $key_algo Key management algorithm |
|
| 166 | - * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm |
|
| 167 | - * @param Header $header Header |
|
| 168 | - * @throws \UnexpectedValueException |
|
| 169 | - * @return self |
|
| 170 | - */ |
|
| 171 | - private static function _encryptContent(string $plaintext, string $cek, |
|
| 172 | - string $iv, KeyManagementAlgorithm $key_algo, |
|
| 173 | - ContentEncryptionAlgorithm $enc_algo, Header $header): self |
|
| 174 | - { |
|
| 175 | - // check that content encryption key has correct size |
|
| 176 | - if (strlen($cek) != $enc_algo->keySize()) { |
|
| 177 | - throw new \UnexpectedValueException("Invalid key size."); |
|
| 178 | - } |
|
| 179 | - // check that initialization vector has correct size |
|
| 180 | - if (strlen($iv) != $enc_algo->ivSize()) { |
|
| 181 | - throw new \UnexpectedValueException("Invalid IV size."); |
|
| 182 | - } |
|
| 183 | - // add key and encryption algorithm parameters to the header |
|
| 184 | - $header = $header->withParameters(...$key_algo->headerParameters()) |
|
| 185 | - ->withParameters(...$enc_algo->headerParameters()); |
|
| 186 | - // encrypt the content encryption key |
|
| 187 | - $encrypted_key = $key_algo->encrypt($cek, $header); |
|
| 188 | - // sanity check that header wasn't unset via reference |
|
| 189 | - if (!$header instanceof Header) { |
|
| 190 | - throw new \RuntimeException("Broken key algorithm."); |
|
| 191 | - } |
|
| 192 | - // additional authenticated data |
|
| 193 | - $aad = Base64::urlEncode($header->toJSON()); |
|
| 194 | - // encrypt |
|
| 195 | - list($ciphertext, $auth_tag) = $enc_algo->encrypt($plaintext, $cek, $iv, |
|
| 196 | - $aad); |
|
| 197 | - // TODO: should aad be passed |
|
| 198 | - return new self($header, $encrypted_key, $iv, $ciphertext, $auth_tag); |
|
| 199 | - } |
|
| 159 | + /** |
|
| 160 | + * Encrypt content with explicit parameters. |
|
| 161 | + * |
|
| 162 | + * @param string $plaintext Plaintext content to encrypt |
|
| 163 | + * @param string $cek Content encryption key |
|
| 164 | + * @param string $iv Initialization vector |
|
| 165 | + * @param KeyManagementAlgorithm $key_algo Key management algorithm |
|
| 166 | + * @param ContentEncryptionAlgorithm $enc_algo Content encryption algorithm |
|
| 167 | + * @param Header $header Header |
|
| 168 | + * @throws \UnexpectedValueException |
|
| 169 | + * @return self |
|
| 170 | + */ |
|
| 171 | + private static function _encryptContent(string $plaintext, string $cek, |
|
| 172 | + string $iv, KeyManagementAlgorithm $key_algo, |
|
| 173 | + ContentEncryptionAlgorithm $enc_algo, Header $header): self |
|
| 174 | + { |
|
| 175 | + // check that content encryption key has correct size |
|
| 176 | + if (strlen($cek) != $enc_algo->keySize()) { |
|
| 177 | + throw new \UnexpectedValueException("Invalid key size."); |
|
| 178 | + } |
|
| 179 | + // check that initialization vector has correct size |
|
| 180 | + if (strlen($iv) != $enc_algo->ivSize()) { |
|
| 181 | + throw new \UnexpectedValueException("Invalid IV size."); |
|
| 182 | + } |
|
| 183 | + // add key and encryption algorithm parameters to the header |
|
| 184 | + $header = $header->withParameters(...$key_algo->headerParameters()) |
|
| 185 | + ->withParameters(...$enc_algo->headerParameters()); |
|
| 186 | + // encrypt the content encryption key |
|
| 187 | + $encrypted_key = $key_algo->encrypt($cek, $header); |
|
| 188 | + // sanity check that header wasn't unset via reference |
|
| 189 | + if (!$header instanceof Header) { |
|
| 190 | + throw new \RuntimeException("Broken key algorithm."); |
|
| 191 | + } |
|
| 192 | + // additional authenticated data |
|
| 193 | + $aad = Base64::urlEncode($header->toJSON()); |
|
| 194 | + // encrypt |
|
| 195 | + list($ciphertext, $auth_tag) = $enc_algo->encrypt($plaintext, $cek, $iv, |
|
| 196 | + $aad); |
|
| 197 | + // TODO: should aad be passed |
|
| 198 | + return new self($header, $encrypted_key, $iv, $ciphertext, $auth_tag); |
|
| 199 | + } |
|
| 200 | 200 | |
| 201 | - /** |
|
| 202 | - * Decrypt the content using explicit algorithms. |
|
| 203 | - * |
|
| 204 | - * @param KeyManagementAlgorithm $key_algo |
|
| 205 | - * @param ContentEncryptionAlgorithm $enc_algo |
|
| 206 | - * @throws \RuntimeException If decrypt fails |
|
| 207 | - * @return string Plaintext payload |
|
| 208 | - */ |
|
| 209 | - public function decrypt(KeyManagementAlgorithm $key_algo, |
|
| 210 | - ContentEncryptionAlgorithm $enc_algo): string |
|
| 211 | - { |
|
| 212 | - // check that key management algorithm matches |
|
| 213 | - if ($key_algo->algorithmParamValue() != $this->algorithmName()) { |
|
| 214 | - throw new \UnexpectedValueException( |
|
| 215 | - "Invalid key management algorithm."); |
|
| 216 | - } |
|
| 217 | - // check that encryption algorithm matches |
|
| 218 | - if ($enc_algo->encryptionAlgorithmParamValue() != |
|
| 219 | - $this->encryptionAlgorithmName()) { |
|
| 220 | - throw new \UnexpectedValueException("Invalid encryption algorithm."); |
|
| 221 | - } |
|
| 222 | - $header = $this->header(); |
|
| 223 | - // decrypt content encryption key |
|
| 224 | - $cek = $key_algo->decrypt($this->_encryptedKey, $header); |
|
| 225 | - // decrypt payload |
|
| 226 | - $aad = Base64::urlEncode($this->_protectedHeader->toJSON()); |
|
| 227 | - $payload = $enc_algo->decrypt($this->_ciphertext, $cek, $this->_iv, $aad, |
|
| 228 | - $this->_authenticationTag); |
|
| 229 | - // decompress |
|
| 230 | - if ($header->hasCompressionAlgorithm()) { |
|
| 231 | - $payload = CompressionFactory::algoByHeader($header)->decompress( |
|
| 232 | - $payload); |
|
| 233 | - } |
|
| 234 | - return $payload; |
|
| 235 | - } |
|
| 201 | + /** |
|
| 202 | + * Decrypt the content using explicit algorithms. |
|
| 203 | + * |
|
| 204 | + * @param KeyManagementAlgorithm $key_algo |
|
| 205 | + * @param ContentEncryptionAlgorithm $enc_algo |
|
| 206 | + * @throws \RuntimeException If decrypt fails |
|
| 207 | + * @return string Plaintext payload |
|
| 208 | + */ |
|
| 209 | + public function decrypt(KeyManagementAlgorithm $key_algo, |
|
| 210 | + ContentEncryptionAlgorithm $enc_algo): string |
|
| 211 | + { |
|
| 212 | + // check that key management algorithm matches |
|
| 213 | + if ($key_algo->algorithmParamValue() != $this->algorithmName()) { |
|
| 214 | + throw new \UnexpectedValueException( |
|
| 215 | + "Invalid key management algorithm."); |
|
| 216 | + } |
|
| 217 | + // check that encryption algorithm matches |
|
| 218 | + if ($enc_algo->encryptionAlgorithmParamValue() != |
|
| 219 | + $this->encryptionAlgorithmName()) { |
|
| 220 | + throw new \UnexpectedValueException("Invalid encryption algorithm."); |
|
| 221 | + } |
|
| 222 | + $header = $this->header(); |
|
| 223 | + // decrypt content encryption key |
|
| 224 | + $cek = $key_algo->decrypt($this->_encryptedKey, $header); |
|
| 225 | + // decrypt payload |
|
| 226 | + $aad = Base64::urlEncode($this->_protectedHeader->toJSON()); |
|
| 227 | + $payload = $enc_algo->decrypt($this->_ciphertext, $cek, $this->_iv, $aad, |
|
| 228 | + $this->_authenticationTag); |
|
| 229 | + // decompress |
|
| 230 | + if ($header->hasCompressionAlgorithm()) { |
|
| 231 | + $payload = CompressionFactory::algoByHeader($header)->decompress( |
|
| 232 | + $payload); |
|
| 233 | + } |
|
| 234 | + return $payload; |
|
| 235 | + } |
|
| 236 | 236 | |
| 237 | - /** |
|
| 238 | - * Decrypt content using given JWK. |
|
| 239 | - * |
|
| 240 | - * Key management and content encryption algorithms are determined from the |
|
| 241 | - * header. |
|
| 242 | - * |
|
| 243 | - * @param JWK $jwk JSON Web Key |
|
| 244 | - * @throws \RuntimeException If algorithm initialization fails |
|
| 245 | - * @return string Plaintext payload |
|
| 246 | - */ |
|
| 247 | - public function decryptWithJWK(JWK $jwk): string |
|
| 248 | - { |
|
| 249 | - $header = $this->header(); |
|
| 250 | - $key_algo = KeyManagementAlgorithm::fromJWK($jwk, $header); |
|
| 251 | - $enc_algo = EncryptionAlgorithmFactory::algoByHeader($header); |
|
| 252 | - return $this->decrypt($key_algo, $enc_algo); |
|
| 253 | - } |
|
| 237 | + /** |
|
| 238 | + * Decrypt content using given JWK. |
|
| 239 | + * |
|
| 240 | + * Key management and content encryption algorithms are determined from the |
|
| 241 | + * header. |
|
| 242 | + * |
|
| 243 | + * @param JWK $jwk JSON Web Key |
|
| 244 | + * @throws \RuntimeException If algorithm initialization fails |
|
| 245 | + * @return string Plaintext payload |
|
| 246 | + */ |
|
| 247 | + public function decryptWithJWK(JWK $jwk): string |
|
| 248 | + { |
|
| 249 | + $header = $this->header(); |
|
| 250 | + $key_algo = KeyManagementAlgorithm::fromJWK($jwk, $header); |
|
| 251 | + $enc_algo = EncryptionAlgorithmFactory::algoByHeader($header); |
|
| 252 | + return $this->decrypt($key_algo, $enc_algo); |
|
| 253 | + } |
|
| 254 | 254 | |
| 255 | - /** |
|
| 256 | - * Decrypt content using a key from the given JWK set. |
|
| 257 | - * |
|
| 258 | - * Correct key shall be sought by the key ID indicated by the header. |
|
| 259 | - * |
|
| 260 | - * @param JWKSet $set Set of JSON Web Keys |
|
| 261 | - * @throws \RuntimeException If algorithm initialization fails |
|
| 262 | - * @return string Plaintext payload |
|
| 263 | - */ |
|
| 264 | - public function decryptWithJWKSet(JWKSet $set): string |
|
| 265 | - { |
|
| 266 | - if (!count($set)) { |
|
| 267 | - throw new \RuntimeException("No keys."); |
|
| 268 | - } |
|
| 269 | - $header = $this->header(); |
|
| 270 | - $factory = new KeyAlgorithmFactory($header); |
|
| 271 | - $key_algo = $factory->algoByKeys($set); |
|
| 272 | - $enc_algo = EncryptionAlgorithmFactory::algoByHeader($header); |
|
| 273 | - return $this->decrypt($key_algo, $enc_algo); |
|
| 274 | - } |
|
| 255 | + /** |
|
| 256 | + * Decrypt content using a key from the given JWK set. |
|
| 257 | + * |
|
| 258 | + * Correct key shall be sought by the key ID indicated by the header. |
|
| 259 | + * |
|
| 260 | + * @param JWKSet $set Set of JSON Web Keys |
|
| 261 | + * @throws \RuntimeException If algorithm initialization fails |
|
| 262 | + * @return string Plaintext payload |
|
| 263 | + */ |
|
| 264 | + public function decryptWithJWKSet(JWKSet $set): string |
|
| 265 | + { |
|
| 266 | + if (!count($set)) { |
|
| 267 | + throw new \RuntimeException("No keys."); |
|
| 268 | + } |
|
| 269 | + $header = $this->header(); |
|
| 270 | + $factory = new KeyAlgorithmFactory($header); |
|
| 271 | + $key_algo = $factory->algoByKeys($set); |
|
| 272 | + $enc_algo = EncryptionAlgorithmFactory::algoByHeader($header); |
|
| 273 | + return $this->decrypt($key_algo, $enc_algo); |
|
| 274 | + } |
|
| 275 | 275 | |
| 276 | - /** |
|
| 277 | - * Get JOSE header. |
|
| 278 | - * |
|
| 279 | - * @return JOSE |
|
| 280 | - */ |
|
| 281 | - public function header(): JOSE |
|
| 282 | - { |
|
| 283 | - return new JOSE($this->_protectedHeader); |
|
| 284 | - } |
|
| 276 | + /** |
|
| 277 | + * Get JOSE header. |
|
| 278 | + * |
|
| 279 | + * @return JOSE |
|
| 280 | + */ |
|
| 281 | + public function header(): JOSE |
|
| 282 | + { |
|
| 283 | + return new JOSE($this->_protectedHeader); |
|
| 284 | + } |
|
| 285 | 285 | |
| 286 | - /** |
|
| 287 | - * Get the name of the key management algorithm. |
|
| 288 | - * |
|
| 289 | - * @return string |
|
| 290 | - */ |
|
| 291 | - public function algorithmName(): string |
|
| 292 | - { |
|
| 293 | - return $this->header() |
|
| 294 | - ->algorithm() |
|
| 295 | - ->value(); |
|
| 296 | - } |
|
| 286 | + /** |
|
| 287 | + * Get the name of the key management algorithm. |
|
| 288 | + * |
|
| 289 | + * @return string |
|
| 290 | + */ |
|
| 291 | + public function algorithmName(): string |
|
| 292 | + { |
|
| 293 | + return $this->header() |
|
| 294 | + ->algorithm() |
|
| 295 | + ->value(); |
|
| 296 | + } |
|
| 297 | 297 | |
| 298 | - /** |
|
| 299 | - * Get the name of the encryption algorithm. |
|
| 300 | - * |
|
| 301 | - * @return string |
|
| 302 | - */ |
|
| 303 | - public function encryptionAlgorithmName(): string |
|
| 304 | - { |
|
| 305 | - return $this->header() |
|
| 306 | - ->encryptionAlgorithm() |
|
| 307 | - ->value(); |
|
| 308 | - } |
|
| 298 | + /** |
|
| 299 | + * Get the name of the encryption algorithm. |
|
| 300 | + * |
|
| 301 | + * @return string |
|
| 302 | + */ |
|
| 303 | + public function encryptionAlgorithmName(): string |
|
| 304 | + { |
|
| 305 | + return $this->header() |
|
| 306 | + ->encryptionAlgorithm() |
|
| 307 | + ->value(); |
|
| 308 | + } |
|
| 309 | 309 | |
| 310 | - /** |
|
| 311 | - * Get encrypted CEK. |
|
| 312 | - * |
|
| 313 | - * @return string |
|
| 314 | - */ |
|
| 315 | - public function encryptedKey(): string |
|
| 316 | - { |
|
| 317 | - return $this->_encryptedKey; |
|
| 318 | - } |
|
| 310 | + /** |
|
| 311 | + * Get encrypted CEK. |
|
| 312 | + * |
|
| 313 | + * @return string |
|
| 314 | + */ |
|
| 315 | + public function encryptedKey(): string |
|
| 316 | + { |
|
| 317 | + return $this->_encryptedKey; |
|
| 318 | + } |
|
| 319 | 319 | |
| 320 | - /** |
|
| 321 | - * Get initialization vector. |
|
| 322 | - * |
|
| 323 | - * @return string |
|
| 324 | - */ |
|
| 325 | - public function initializationVector(): string |
|
| 326 | - { |
|
| 327 | - return $this->_iv; |
|
| 328 | - } |
|
| 320 | + /** |
|
| 321 | + * Get initialization vector. |
|
| 322 | + * |
|
| 323 | + * @return string |
|
| 324 | + */ |
|
| 325 | + public function initializationVector(): string |
|
| 326 | + { |
|
| 327 | + return $this->_iv; |
|
| 328 | + } |
|
| 329 | 329 | |
| 330 | - /** |
|
| 331 | - * Get ciphertext. |
|
| 332 | - * |
|
| 333 | - * @return string |
|
| 334 | - */ |
|
| 335 | - public function ciphertext(): string |
|
| 336 | - { |
|
| 337 | - return $this->_ciphertext; |
|
| 338 | - } |
|
| 330 | + /** |
|
| 331 | + * Get ciphertext. |
|
| 332 | + * |
|
| 333 | + * @return string |
|
| 334 | + */ |
|
| 335 | + public function ciphertext(): string |
|
| 336 | + { |
|
| 337 | + return $this->_ciphertext; |
|
| 338 | + } |
|
| 339 | 339 | |
| 340 | - /** |
|
| 341 | - * Get authentication tag. |
|
| 342 | - * |
|
| 343 | - * @return string |
|
| 344 | - */ |
|
| 345 | - public function authenticationTag(): string |
|
| 346 | - { |
|
| 347 | - return $this->_authenticationTag; |
|
| 348 | - } |
|
| 340 | + /** |
|
| 341 | + * Get authentication tag. |
|
| 342 | + * |
|
| 343 | + * @return string |
|
| 344 | + */ |
|
| 345 | + public function authenticationTag(): string |
|
| 346 | + { |
|
| 347 | + return $this->_authenticationTag; |
|
| 348 | + } |
|
| 349 | 349 | |
| 350 | - /** |
|
| 351 | - * Convert to compact serialization. |
|
| 352 | - * |
|
| 353 | - * @return string |
|
| 354 | - */ |
|
| 355 | - public function toCompact(): string |
|
| 356 | - { |
|
| 357 | - return Base64::urlEncode($this->_protectedHeader->toJSON()) . "." . |
|
| 358 | - Base64::urlEncode($this->_encryptedKey) . "." . |
|
| 359 | - Base64::urlEncode($this->_iv) . "." . |
|
| 360 | - Base64::urlEncode($this->_ciphertext) . "." . |
|
| 361 | - Base64::urlEncode($this->_authenticationTag); |
|
| 362 | - } |
|
| 350 | + /** |
|
| 351 | + * Convert to compact serialization. |
|
| 352 | + * |
|
| 353 | + * @return string |
|
| 354 | + */ |
|
| 355 | + public function toCompact(): string |
|
| 356 | + { |
|
| 357 | + return Base64::urlEncode($this->_protectedHeader->toJSON()) . "." . |
|
| 358 | + Base64::urlEncode($this->_encryptedKey) . "." . |
|
| 359 | + Base64::urlEncode($this->_iv) . "." . |
|
| 360 | + Base64::urlEncode($this->_ciphertext) . "." . |
|
| 361 | + Base64::urlEncode($this->_authenticationTag); |
|
| 362 | + } |
|
| 363 | 363 | |
| 364 | - /** |
|
| 365 | - * Convert JWE to string. |
|
| 366 | - * |
|
| 367 | - * @return string |
|
| 368 | - */ |
|
| 369 | - public function __toString() |
|
| 370 | - { |
|
| 371 | - return $this->toCompact(); |
|
| 372 | - } |
|
| 364 | + /** |
|
| 365 | + * Convert JWE to string. |
|
| 366 | + * |
|
| 367 | + * @return string |
|
| 368 | + */ |
|
| 369 | + public function __toString() |
|
| 370 | + { |
|
| 371 | + return $this->toCompact(); |
|
| 372 | + } |
|
| 373 | 373 | } |
@@ -11,45 +11,45 @@ |
||
| 11 | 11 | * Interface for algorithms that may be used to encrypt and decrypt JWE payload. |
| 12 | 12 | */ |
| 13 | 13 | interface ContentEncryptionAlgorithm extends |
| 14 | - EncryptionAlgorithmParameterValue, |
|
| 15 | - HeaderParameters |
|
| 14 | + EncryptionAlgorithmParameterValue, |
|
| 15 | + HeaderParameters |
|
| 16 | 16 | { |
| 17 | - /** |
|
| 18 | - * Encrypt plaintext. |
|
| 19 | - * |
|
| 20 | - * @param string $plaintext Data to encrypt |
|
| 21 | - * @param string $key Encryption key |
|
| 22 | - * @param string $iv Initialization vector |
|
| 23 | - * @param string $aad Additional authenticated data |
|
| 24 | - * @return array Tuple of ciphertext and authentication tag |
|
| 25 | - */ |
|
| 26 | - public function encrypt(string $plaintext, string $key, string $iv, |
|
| 27 | - string $aad); |
|
| 17 | + /** |
|
| 18 | + * Encrypt plaintext. |
|
| 19 | + * |
|
| 20 | + * @param string $plaintext Data to encrypt |
|
| 21 | + * @param string $key Encryption key |
|
| 22 | + * @param string $iv Initialization vector |
|
| 23 | + * @param string $aad Additional authenticated data |
|
| 24 | + * @return array Tuple of ciphertext and authentication tag |
|
| 25 | + */ |
|
| 26 | + public function encrypt(string $plaintext, string $key, string $iv, |
|
| 27 | + string $aad); |
|
| 28 | 28 | |
| 29 | - /** |
|
| 30 | - * Decrypt ciphertext. |
|
| 31 | - * |
|
| 32 | - * @param string $ciphertext Data to decrypt |
|
| 33 | - * @param string $key Encryption key |
|
| 34 | - * @param string $iv Initialization vector |
|
| 35 | - * @param string $aad Additional authenticated data |
|
| 36 | - * @param string $auth_tag Authentication tag to compare |
|
| 37 | - * @return string Plaintext |
|
| 38 | - */ |
|
| 39 | - public function decrypt(string $ciphertext, string $key, string $iv, |
|
| 40 | - string $aad, string $auth_tag); |
|
| 29 | + /** |
|
| 30 | + * Decrypt ciphertext. |
|
| 31 | + * |
|
| 32 | + * @param string $ciphertext Data to decrypt |
|
| 33 | + * @param string $key Encryption key |
|
| 34 | + * @param string $iv Initialization vector |
|
| 35 | + * @param string $aad Additional authenticated data |
|
| 36 | + * @param string $auth_tag Authentication tag to compare |
|
| 37 | + * @return string Plaintext |
|
| 38 | + */ |
|
| 39 | + public function decrypt(string $ciphertext, string $key, string $iv, |
|
| 40 | + string $aad, string $auth_tag); |
|
| 41 | 41 | |
| 42 | - /** |
|
| 43 | - * Get the required key size in bytes. |
|
| 44 | - * |
|
| 45 | - * @return int |
|
| 46 | - */ |
|
| 47 | - public function keySize(): int; |
|
| 42 | + /** |
|
| 43 | + * Get the required key size in bytes. |
|
| 44 | + * |
|
| 45 | + * @return int |
|
| 46 | + */ |
|
| 47 | + public function keySize(): int; |
|
| 48 | 48 | |
| 49 | - /** |
|
| 50 | - * Get the required IV size in bytes. |
|
| 51 | - * |
|
| 52 | - * @return int |
|
| 53 | - */ |
|
| 54 | - public function ivSize(): int; |
|
| 49 | + /** |
|
| 50 | + * Get the required IV size in bytes. |
|
| 51 | + * |
|
| 52 | + * @return int |
|
| 53 | + */ |
|
| 54 | + public function ivSize(): int; |
|
| 55 | 55 | } |
@@ -15,39 +15,39 @@ |
||
| 15 | 15 | */ |
| 16 | 16 | class PBES2HS256A128KWAlgorithm extends PBES2Algorithm |
| 17 | 17 | { |
| 18 | - /** |
|
| 19 | - * |
|
| 20 | - * {@inheritdoc} |
|
| 21 | - */ |
|
| 22 | - protected function _hashAlgo(): string |
|
| 23 | - { |
|
| 24 | - return "sha256"; |
|
| 25 | - } |
|
| 18 | + /** |
|
| 19 | + * |
|
| 20 | + * {@inheritdoc} |
|
| 21 | + */ |
|
| 22 | + protected function _hashAlgo(): string |
|
| 23 | + { |
|
| 24 | + return "sha256"; |
|
| 25 | + } |
|
| 26 | 26 | |
| 27 | - /** |
|
| 28 | - * |
|
| 29 | - * {@inheritdoc} |
|
| 30 | - */ |
|
| 31 | - protected function _keyLength(): int |
|
| 32 | - { |
|
| 33 | - return 16; |
|
| 34 | - } |
|
| 27 | + /** |
|
| 28 | + * |
|
| 29 | + * {@inheritdoc} |
|
| 30 | + */ |
|
| 31 | + protected function _keyLength(): int |
|
| 32 | + { |
|
| 33 | + return 16; |
|
| 34 | + } |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * |
|
| 38 | - * {@inheritdoc} |
|
| 39 | - */ |
|
| 40 | - protected function _kwAlgo(): AESKeyWrapAlgorithm |
|
| 41 | - { |
|
| 42 | - return new AESKW128(); |
|
| 43 | - } |
|
| 36 | + /** |
|
| 37 | + * |
|
| 38 | + * {@inheritdoc} |
|
| 39 | + */ |
|
| 40 | + protected function _kwAlgo(): AESKeyWrapAlgorithm |
|
| 41 | + { |
|
| 42 | + return new AESKW128(); |
|
| 43 | + } |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * |
|
| 47 | - * {@inheritdoc} |
|
| 48 | - */ |
|
| 49 | - public function algorithmParamValue(): string |
|
| 50 | - { |
|
| 51 | - return JWA::ALGO_PBES2_HS256_A128KW; |
|
| 52 | - } |
|
| 45 | + /** |
|
| 46 | + * |
|
| 47 | + * {@inheritdoc} |
|
| 48 | + */ |
|
| 49 | + public function algorithmParamValue(): string |
|
| 50 | + { |
|
| 51 | + return JWA::ALGO_PBES2_HS256_A128KW; |
|
| 52 | + } |
|
| 53 | 53 | } |
@@ -21,206 +21,206 @@ |
||
| 21 | 21 | */ |
| 22 | 22 | abstract class RSAESKeyAlgorithm extends KeyManagementAlgorithm |
| 23 | 23 | { |
| 24 | - use RandomCEK; |
|
| 24 | + use RandomCEK; |
|
| 25 | 25 | |
| 26 | - /** |
|
| 27 | - * Public key. |
|
| 28 | - * |
|
| 29 | - * @var RSAPublicKeyJWK $_publicKey |
|
| 30 | - */ |
|
| 31 | - protected $_publicKey; |
|
| 26 | + /** |
|
| 27 | + * Public key. |
|
| 28 | + * |
|
| 29 | + * @var RSAPublicKeyJWK $_publicKey |
|
| 30 | + */ |
|
| 31 | + protected $_publicKey; |
|
| 32 | 32 | |
| 33 | - /** |
|
| 34 | - * Private key. |
|
| 35 | - * |
|
| 36 | - * @var RSAPrivateKeyJWK|null $_privateKey |
|
| 37 | - */ |
|
| 38 | - protected $_privateKey; |
|
| 33 | + /** |
|
| 34 | + * Private key. |
|
| 35 | + * |
|
| 36 | + * @var RSAPrivateKeyJWK|null $_privateKey |
|
| 37 | + */ |
|
| 38 | + protected $_privateKey; |
|
| 39 | 39 | |
| 40 | - /** |
|
| 41 | - * Mapping from algorithm name to class name. |
|
| 42 | - * |
|
| 43 | - * @internal |
|
| 44 | - * |
|
| 45 | - * @var array |
|
| 46 | - */ |
|
| 47 | - const MAP_ALGO_TO_CLASS = array( |
|
| 48 | - /* @formatter:off */ |
|
| 49 | - JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class, |
|
| 50 | - JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class |
|
| 51 | - /* @formatter:on */ |
|
| 52 | - ); |
|
| 40 | + /** |
|
| 41 | + * Mapping from algorithm name to class name. |
|
| 42 | + * |
|
| 43 | + * @internal |
|
| 44 | + * |
|
| 45 | + * @var array |
|
| 46 | + */ |
|
| 47 | + const MAP_ALGO_TO_CLASS = array( |
|
| 48 | + /* @formatter:off */ |
|
| 49 | + JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class, |
|
| 50 | + JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class |
|
| 51 | + /* @formatter:on */ |
|
| 52 | + ); |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * Get the padding scheme. |
|
| 56 | - * |
|
| 57 | - * @return int |
|
| 58 | - */ |
|
| 59 | - abstract protected function _paddingScheme(): int; |
|
| 54 | + /** |
|
| 55 | + * Get the padding scheme. |
|
| 56 | + * |
|
| 57 | + * @return int |
|
| 58 | + */ |
|
| 59 | + abstract protected function _paddingScheme(): int; |
|
| 60 | 60 | |
| 61 | - /** |
|
| 62 | - * Constructor. |
|
| 63 | - * |
|
| 64 | - * Use <code>fromPublicKey</code> or <code>fromPrivateKey</code> instead! |
|
| 65 | - * |
|
| 66 | - * @param RSAPublicKeyJWK $pub_key RSA public key |
|
| 67 | - * @param RSAPrivateKeyJWK $priv_key Optional RSA private key |
|
| 68 | - */ |
|
| 69 | - protected function __construct(RSAPublicKeyJWK $pub_key, |
|
| 70 | - RSAPrivateKeyJWK $priv_key = null) |
|
| 71 | - { |
|
| 72 | - $this->_publicKey = $pub_key; |
|
| 73 | - $this->_privateKey = $priv_key; |
|
| 74 | - } |
|
| 61 | + /** |
|
| 62 | + * Constructor. |
|
| 63 | + * |
|
| 64 | + * Use <code>fromPublicKey</code> or <code>fromPrivateKey</code> instead! |
|
| 65 | + * |
|
| 66 | + * @param RSAPublicKeyJWK $pub_key RSA public key |
|
| 67 | + * @param RSAPrivateKeyJWK $priv_key Optional RSA private key |
|
| 68 | + */ |
|
| 69 | + protected function __construct(RSAPublicKeyJWK $pub_key, |
|
| 70 | + RSAPrivateKeyJWK $priv_key = null) |
|
| 71 | + { |
|
| 72 | + $this->_publicKey = $pub_key; |
|
| 73 | + $this->_privateKey = $priv_key; |
|
| 74 | + } |
|
| 75 | 75 | |
| 76 | - /** |
|
| 77 | - * |
|
| 78 | - * @param JWK $jwk |
|
| 79 | - * @param Header $header |
|
| 80 | - * @throws \UnexpectedValueException |
|
| 81 | - * @return self |
|
| 82 | - */ |
|
| 83 | - public static function fromJWK(JWK $jwk, Header $header) |
|
| 84 | - { |
|
| 85 | - $alg = JWA::deriveAlgorithmName($header, $jwk); |
|
| 86 | - if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 87 | - throw new \UnexpectedValueException("Unsupported algorithm '$alg'."); |
|
| 88 | - } |
|
| 89 | - $cls = self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 90 | - if ($jwk->has(...RSAPrivateKeyJWK::MANAGED_PARAMS)) { |
|
| 91 | - return $cls::fromPrivateKey(RSAPrivateKeyJWK::fromJWK($jwk)); |
|
| 92 | - } |
|
| 93 | - return $cls::fromPublicKey(RSAPublicKeyJWK::fromJWK($jwk)); |
|
| 94 | - } |
|
| 76 | + /** |
|
| 77 | + * |
|
| 78 | + * @param JWK $jwk |
|
| 79 | + * @param Header $header |
|
| 80 | + * @throws \UnexpectedValueException |
|
| 81 | + * @return self |
|
| 82 | + */ |
|
| 83 | + public static function fromJWK(JWK $jwk, Header $header) |
|
| 84 | + { |
|
| 85 | + $alg = JWA::deriveAlgorithmName($header, $jwk); |
|
| 86 | + if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 87 | + throw new \UnexpectedValueException("Unsupported algorithm '$alg'."); |
|
| 88 | + } |
|
| 89 | + $cls = self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 90 | + if ($jwk->has(...RSAPrivateKeyJWK::MANAGED_PARAMS)) { |
|
| 91 | + return $cls::fromPrivateKey(RSAPrivateKeyJWK::fromJWK($jwk)); |
|
| 92 | + } |
|
| 93 | + return $cls::fromPublicKey(RSAPublicKeyJWK::fromJWK($jwk)); |
|
| 94 | + } |
|
| 95 | 95 | |
| 96 | - /** |
|
| 97 | - * Initialize from a public key. |
|
| 98 | - * |
|
| 99 | - * @param RSAPublicKeyJWK $jwk |
|
| 100 | - * @return self |
|
| 101 | - */ |
|
| 102 | - public static function fromPublicKey(RSAPublicKeyJWK $jwk): self |
|
| 103 | - { |
|
| 104 | - return new static($jwk); |
|
| 105 | - } |
|
| 96 | + /** |
|
| 97 | + * Initialize from a public key. |
|
| 98 | + * |
|
| 99 | + * @param RSAPublicKeyJWK $jwk |
|
| 100 | + * @return self |
|
| 101 | + */ |
|
| 102 | + public static function fromPublicKey(RSAPublicKeyJWK $jwk): self |
|
| 103 | + { |
|
| 104 | + return new static($jwk); |
|
| 105 | + } |
|
| 106 | 106 | |
| 107 | - /** |
|
| 108 | - * Initialize from a private key. |
|
| 109 | - * |
|
| 110 | - * @param RSAPrivateKeyJWK $jwk |
|
| 111 | - * @return self |
|
| 112 | - */ |
|
| 113 | - public static function fromPrivateKey(RSAPrivateKeyJWK $jwk): self |
|
| 114 | - { |
|
| 115 | - return new static($jwk->publicKey(), $jwk); |
|
| 116 | - } |
|
| 107 | + /** |
|
| 108 | + * Initialize from a private key. |
|
| 109 | + * |
|
| 110 | + * @param RSAPrivateKeyJWK $jwk |
|
| 111 | + * @return self |
|
| 112 | + */ |
|
| 113 | + public static function fromPrivateKey(RSAPrivateKeyJWK $jwk): self |
|
| 114 | + { |
|
| 115 | + return new static($jwk->publicKey(), $jwk); |
|
| 116 | + } |
|
| 117 | 117 | |
| 118 | - /** |
|
| 119 | - * Get the public key. |
|
| 120 | - * |
|
| 121 | - * @return RSAPublicKeyJWK |
|
| 122 | - */ |
|
| 123 | - public function publicKey(): RSAPublicKeyJWK |
|
| 124 | - { |
|
| 125 | - return $this->_publicKey; |
|
| 126 | - } |
|
| 118 | + /** |
|
| 119 | + * Get the public key. |
|
| 120 | + * |
|
| 121 | + * @return RSAPublicKeyJWK |
|
| 122 | + */ |
|
| 123 | + public function publicKey(): RSAPublicKeyJWK |
|
| 124 | + { |
|
| 125 | + return $this->_publicKey; |
|
| 126 | + } |
|
| 127 | 127 | |
| 128 | - /** |
|
| 129 | - * Check whether the private key is present. |
|
| 130 | - * |
|
| 131 | - * @return bool |
|
| 132 | - */ |
|
| 133 | - public function hasPrivateKey(): bool |
|
| 134 | - { |
|
| 135 | - return isset($this->_privateKey); |
|
| 136 | - } |
|
| 128 | + /** |
|
| 129 | + * Check whether the private key is present. |
|
| 130 | + * |
|
| 131 | + * @return bool |
|
| 132 | + */ |
|
| 133 | + public function hasPrivateKey(): bool |
|
| 134 | + { |
|
| 135 | + return isset($this->_privateKey); |
|
| 136 | + } |
|
| 137 | 137 | |
| 138 | - /** |
|
| 139 | - * Get the private key. |
|
| 140 | - * |
|
| 141 | - * @throws \LogicException |
|
| 142 | - * @return RSAPrivateKeyJWK |
|
| 143 | - */ |
|
| 144 | - public function privateKey(): RSAPrivateKeyJWK |
|
| 145 | - { |
|
| 146 | - if (!$this->hasPrivateKey()) { |
|
| 147 | - throw new \LogicException("Private key not set."); |
|
| 148 | - } |
|
| 149 | - return $this->_privateKey; |
|
| 150 | - } |
|
| 138 | + /** |
|
| 139 | + * Get the private key. |
|
| 140 | + * |
|
| 141 | + * @throws \LogicException |
|
| 142 | + * @return RSAPrivateKeyJWK |
|
| 143 | + */ |
|
| 144 | + public function privateKey(): RSAPrivateKeyJWK |
|
| 145 | + { |
|
| 146 | + if (!$this->hasPrivateKey()) { |
|
| 147 | + throw new \LogicException("Private key not set."); |
|
| 148 | + } |
|
| 149 | + return $this->_privateKey; |
|
| 150 | + } |
|
| 151 | 151 | |
| 152 | - /** |
|
| 153 | - * |
|
| 154 | - * {@inheritdoc} |
|
| 155 | - */ |
|
| 156 | - protected function _encryptKey(string $key, Header &$header): string |
|
| 157 | - { |
|
| 158 | - $pubkey = openssl_pkey_get_public( |
|
| 159 | - $this->publicKey() |
|
| 160 | - ->toPEM() |
|
| 161 | - ->string()); |
|
| 162 | - if (false === $pubkey) { |
|
| 163 | - throw new \RuntimeException( |
|
| 164 | - "openssl_pkey_get_public() failed: " . |
|
| 165 | - $this->_getLastOpenSSLError()); |
|
| 166 | - } |
|
| 167 | - $result = openssl_public_encrypt($key, $crypted, $pubkey, |
|
| 168 | - $this->_paddingScheme()); |
|
| 169 | - if (!$result) { |
|
| 170 | - throw new \RuntimeException( |
|
| 171 | - "openssl_public_encrypt() failed: " . |
|
| 172 | - $this->_getLastOpenSSLError()); |
|
| 173 | - } |
|
| 174 | - return $crypted; |
|
| 175 | - } |
|
| 152 | + /** |
|
| 153 | + * |
|
| 154 | + * {@inheritdoc} |
|
| 155 | + */ |
|
| 156 | + protected function _encryptKey(string $key, Header &$header): string |
|
| 157 | + { |
|
| 158 | + $pubkey = openssl_pkey_get_public( |
|
| 159 | + $this->publicKey() |
|
| 160 | + ->toPEM() |
|
| 161 | + ->string()); |
|
| 162 | + if (false === $pubkey) { |
|
| 163 | + throw new \RuntimeException( |
|
| 164 | + "openssl_pkey_get_public() failed: " . |
|
| 165 | + $this->_getLastOpenSSLError()); |
|
| 166 | + } |
|
| 167 | + $result = openssl_public_encrypt($key, $crypted, $pubkey, |
|
| 168 | + $this->_paddingScheme()); |
|
| 169 | + if (!$result) { |
|
| 170 | + throw new \RuntimeException( |
|
| 171 | + "openssl_public_encrypt() failed: " . |
|
| 172 | + $this->_getLastOpenSSLError()); |
|
| 173 | + } |
|
| 174 | + return $crypted; |
|
| 175 | + } |
|
| 176 | 176 | |
| 177 | - /** |
|
| 178 | - * |
|
| 179 | - * {@inheritdoc} |
|
| 180 | - */ |
|
| 181 | - protected function _decryptKey(string $ciphertext, Header $header): string |
|
| 182 | - { |
|
| 183 | - $privkey = openssl_pkey_get_private( |
|
| 184 | - $this->privateKey() |
|
| 185 | - ->toPEM() |
|
| 186 | - ->string()); |
|
| 187 | - if (!$privkey) { |
|
| 188 | - throw new \RuntimeException( |
|
| 189 | - "openssl_pkey_get_private() failed: " . |
|
| 190 | - $this->_getLastOpenSSLError()); |
|
| 191 | - } |
|
| 192 | - $result = openssl_private_decrypt($ciphertext, $cek, $privkey, |
|
| 193 | - $this->_paddingScheme()); |
|
| 194 | - if (!$result) { |
|
| 195 | - throw new \RuntimeException( |
|
| 196 | - "openssl_private_decrypt() failed: " . |
|
| 197 | - $this->_getLastOpenSSLError()); |
|
| 198 | - } |
|
| 199 | - return $cek; |
|
| 200 | - } |
|
| 177 | + /** |
|
| 178 | + * |
|
| 179 | + * {@inheritdoc} |
|
| 180 | + */ |
|
| 181 | + protected function _decryptKey(string $ciphertext, Header $header): string |
|
| 182 | + { |
|
| 183 | + $privkey = openssl_pkey_get_private( |
|
| 184 | + $this->privateKey() |
|
| 185 | + ->toPEM() |
|
| 186 | + ->string()); |
|
| 187 | + if (!$privkey) { |
|
| 188 | + throw new \RuntimeException( |
|
| 189 | + "openssl_pkey_get_private() failed: " . |
|
| 190 | + $this->_getLastOpenSSLError()); |
|
| 191 | + } |
|
| 192 | + $result = openssl_private_decrypt($ciphertext, $cek, $privkey, |
|
| 193 | + $this->_paddingScheme()); |
|
| 194 | + if (!$result) { |
|
| 195 | + throw new \RuntimeException( |
|
| 196 | + "openssl_private_decrypt() failed: " . |
|
| 197 | + $this->_getLastOpenSSLError()); |
|
| 198 | + } |
|
| 199 | + return $cek; |
|
| 200 | + } |
|
| 201 | 201 | |
| 202 | - /** |
|
| 203 | - * Get last OpenSSL error message. |
|
| 204 | - * |
|
| 205 | - * @return string|null |
|
| 206 | - */ |
|
| 207 | - protected function _getLastOpenSSLError() |
|
| 208 | - { |
|
| 209 | - $msg = null; |
|
| 210 | - while (false !== ($err = openssl_error_string())) { |
|
| 211 | - $msg = $err; |
|
| 212 | - } |
|
| 213 | - return $msg; |
|
| 214 | - } |
|
| 202 | + /** |
|
| 203 | + * Get last OpenSSL error message. |
|
| 204 | + * |
|
| 205 | + * @return string|null |
|
| 206 | + */ |
|
| 207 | + protected function _getLastOpenSSLError() |
|
| 208 | + { |
|
| 209 | + $msg = null; |
|
| 210 | + while (false !== ($err = openssl_error_string())) { |
|
| 211 | + $msg = $err; |
|
| 212 | + } |
|
| 213 | + return $msg; |
|
| 214 | + } |
|
| 215 | 215 | |
| 216 | - /** |
|
| 217 | - * |
|
| 218 | - * @see \JWX\JWE\KeyManagementAlgorithm::headerParameters() |
|
| 219 | - * @return \JWX\JWT\Parameter\JWTParameter[] |
|
| 220 | - */ |
|
| 221 | - public function headerParameters(): array |
|
| 222 | - { |
|
| 223 | - return array_merge(parent::headerParameters(), |
|
| 224 | - array(AlgorithmParameter::fromAlgorithm($this))); |
|
| 225 | - } |
|
| 216 | + /** |
|
| 217 | + * |
|
| 218 | + * @see \JWX\JWE\KeyManagementAlgorithm::headerParameters() |
|
| 219 | + * @return \JWX\JWT\Parameter\JWTParameter[] |
|
| 220 | + */ |
|
| 221 | + public function headerParameters(): array |
|
| 222 | + { |
|
| 223 | + return array_merge(parent::headerParameters(), |
|
| 224 | + array(AlgorithmParameter::fromAlgorithm($this))); |
|
| 225 | + } |
|
| 226 | 226 | } |
@@ -153,7 +153,7 @@ |
||
| 153 | 153 | * |
| 154 | 154 | * {@inheritdoc} |
| 155 | 155 | */ |
| 156 | - protected function _encryptKey(string $key, Header &$header): string |
|
| 156 | + protected function _encryptKey(string $key, Header&$header): string |
|
| 157 | 157 | { |
| 158 | 158 | $pubkey = openssl_pkey_get_public( |
| 159 | 159 | $this->publicKey() |
@@ -15,30 +15,30 @@ |
||
| 15 | 15 | */ |
| 16 | 16 | class A192KWAlgorithm extends AESKWAlgorithm |
| 17 | 17 | { |
| 18 | - /** |
|
| 19 | - * |
|
| 20 | - * {@inheritdoc} |
|
| 21 | - */ |
|
| 22 | - protected function _kekSize(): int |
|
| 23 | - { |
|
| 24 | - return 24; |
|
| 25 | - } |
|
| 18 | + /** |
|
| 19 | + * |
|
| 20 | + * {@inheritdoc} |
|
| 21 | + */ |
|
| 22 | + protected function _kekSize(): int |
|
| 23 | + { |
|
| 24 | + return 24; |
|
| 25 | + } |
|
| 26 | 26 | |
| 27 | - /** |
|
| 28 | - * |
|
| 29 | - * {@inheritdoc} |
|
| 30 | - */ |
|
| 31 | - protected function _AESKWAlgo(): AESKeyWrapAlgorithm |
|
| 32 | - { |
|
| 33 | - return new AESKW192(); |
|
| 34 | - } |
|
| 27 | + /** |
|
| 28 | + * |
|
| 29 | + * {@inheritdoc} |
|
| 30 | + */ |
|
| 31 | + protected function _AESKWAlgo(): AESKeyWrapAlgorithm |
|
| 32 | + { |
|
| 33 | + return new AESKW192(); |
|
| 34 | + } |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * |
|
| 38 | - * {@inheritdoc} |
|
| 39 | - */ |
|
| 40 | - public function algorithmParamValue(): string |
|
| 41 | - { |
|
| 42 | - return JWA::ALGO_A192KW; |
|
| 43 | - } |
|
| 36 | + /** |
|
| 37 | + * |
|
| 38 | + * {@inheritdoc} |
|
| 39 | + */ |
|
| 40 | + public function algorithmParamValue(): string |
|
| 41 | + { |
|
| 42 | + return JWA::ALGO_A192KW; |
|
| 43 | + } |
|
| 44 | 44 | } |
@@ -15,92 +15,92 @@ |
||
| 15 | 15 | */ |
| 16 | 16 | class KeyAlgorithmFactory |
| 17 | 17 | { |
| 18 | - /** |
|
| 19 | - * Header. |
|
| 20 | - * |
|
| 21 | - * @var Header $_header |
|
| 22 | - */ |
|
| 23 | - protected $_header; |
|
| 18 | + /** |
|
| 19 | + * Header. |
|
| 20 | + * |
|
| 21 | + * @var Header $_header |
|
| 22 | + */ |
|
| 23 | + protected $_header; |
|
| 24 | 24 | |
| 25 | - /** |
|
| 26 | - * Mapping from algorithm name to class name. |
|
| 27 | - * |
|
| 28 | - * @internal |
|
| 29 | - * |
|
| 30 | - * @var array |
|
| 31 | - */ |
|
| 32 | - const MAP_ALGO_TO_CLASS = array( |
|
| 33 | - /* @formatter:off */ |
|
| 34 | - JWA::ALGO_A128KW => A128KWAlgorithm::class, |
|
| 35 | - JWA::ALGO_A192KW => A192KWAlgorithm::class, |
|
| 36 | - JWA::ALGO_A128KW => A256KWAlgorithm::class, |
|
| 37 | - JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class, |
|
| 38 | - JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class, |
|
| 39 | - JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class, |
|
| 40 | - JWA::ALGO_PBES2_HS256_A128KW => PBES2HS256A128KWAlgorithm::class, |
|
| 41 | - JWA::ALGO_PBES2_HS384_A192KW => PBES2HS384A192KWAlgorithm::class, |
|
| 42 | - JWA::ALGO_PBES2_HS512_A256KW => PBES2HS512A256KWAlgorithm::class, |
|
| 43 | - JWA::ALGO_DIR => DirectCEKAlgorithm::class, |
|
| 44 | - JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class, |
|
| 45 | - JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class |
|
| 46 | - /* @formatter:on */ |
|
| 47 | - ); |
|
| 25 | + /** |
|
| 26 | + * Mapping from algorithm name to class name. |
|
| 27 | + * |
|
| 28 | + * @internal |
|
| 29 | + * |
|
| 30 | + * @var array |
|
| 31 | + */ |
|
| 32 | + const MAP_ALGO_TO_CLASS = array( |
|
| 33 | + /* @formatter:off */ |
|
| 34 | + JWA::ALGO_A128KW => A128KWAlgorithm::class, |
|
| 35 | + JWA::ALGO_A192KW => A192KWAlgorithm::class, |
|
| 36 | + JWA::ALGO_A128KW => A256KWAlgorithm::class, |
|
| 37 | + JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class, |
|
| 38 | + JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class, |
|
| 39 | + JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class, |
|
| 40 | + JWA::ALGO_PBES2_HS256_A128KW => PBES2HS256A128KWAlgorithm::class, |
|
| 41 | + JWA::ALGO_PBES2_HS384_A192KW => PBES2HS384A192KWAlgorithm::class, |
|
| 42 | + JWA::ALGO_PBES2_HS512_A256KW => PBES2HS512A256KWAlgorithm::class, |
|
| 43 | + JWA::ALGO_DIR => DirectCEKAlgorithm::class, |
|
| 44 | + JWA::ALGO_RSA1_5 => RSAESPKCS1Algorithm::class, |
|
| 45 | + JWA::ALGO_RSA_OAEP => RSAESOAEPAlgorithm::class |
|
| 46 | + /* @formatter:on */ |
|
| 47 | + ); |
|
| 48 | 48 | |
| 49 | - /** |
|
| 50 | - * Constructor. |
|
| 51 | - * |
|
| 52 | - * @param Header $header |
|
| 53 | - */ |
|
| 54 | - public function __construct(Header $header) |
|
| 55 | - { |
|
| 56 | - $this->_header = $header; |
|
| 57 | - } |
|
| 49 | + /** |
|
| 50 | + * Constructor. |
|
| 51 | + * |
|
| 52 | + * @param Header $header |
|
| 53 | + */ |
|
| 54 | + public function __construct(Header $header) |
|
| 55 | + { |
|
| 56 | + $this->_header = $header; |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | - /** |
|
| 60 | - * Get key management algorithm by given JWK. |
|
| 61 | - * |
|
| 62 | - * @param JWK $jwk |
|
| 63 | - * @return KeyManagementAlgorithm |
|
| 64 | - */ |
|
| 65 | - public function algoByKey(JWK $jwk): KeyManagementAlgorithm |
|
| 66 | - { |
|
| 67 | - $alg = JWA::deriveAlgorithmName($this->_header, $jwk); |
|
| 68 | - $cls = self::_algoClassByName($alg); |
|
| 69 | - return $cls::fromJWK($jwk, $this->_header); |
|
| 70 | - } |
|
| 59 | + /** |
|
| 60 | + * Get key management algorithm by given JWK. |
|
| 61 | + * |
|
| 62 | + * @param JWK $jwk |
|
| 63 | + * @return KeyManagementAlgorithm |
|
| 64 | + */ |
|
| 65 | + public function algoByKey(JWK $jwk): KeyManagementAlgorithm |
|
| 66 | + { |
|
| 67 | + $alg = JWA::deriveAlgorithmName($this->_header, $jwk); |
|
| 68 | + $cls = self::_algoClassByName($alg); |
|
| 69 | + return $cls::fromJWK($jwk, $this->_header); |
|
| 70 | + } |
|
| 71 | 71 | |
| 72 | - /** |
|
| 73 | - * Get key management algorithm using a matching key from given JWK set. |
|
| 74 | - * |
|
| 75 | - * @param JWKSet $set |
|
| 76 | - * @throws \UnexpectedValueException If a key cannot be found |
|
| 77 | - * @return KeyManagementAlgorithm |
|
| 78 | - */ |
|
| 79 | - public function algoByKeys(JWKSet $set): KeyManagementAlgorithm |
|
| 80 | - { |
|
| 81 | - if (!$this->_header->hasKeyID()) { |
|
| 82 | - throw new \UnexpectedValueException("No key ID paremeter."); |
|
| 83 | - } |
|
| 84 | - $id = $this->_header->keyID()->value(); |
|
| 85 | - if (!$set->hasKeyID($id)) { |
|
| 86 | - throw new \UnexpectedValueException("No key for ID '$id'."); |
|
| 87 | - } |
|
| 88 | - return $this->algoByKey($set->keyByID($id)); |
|
| 89 | - } |
|
| 72 | + /** |
|
| 73 | + * Get key management algorithm using a matching key from given JWK set. |
|
| 74 | + * |
|
| 75 | + * @param JWKSet $set |
|
| 76 | + * @throws \UnexpectedValueException If a key cannot be found |
|
| 77 | + * @return KeyManagementAlgorithm |
|
| 78 | + */ |
|
| 79 | + public function algoByKeys(JWKSet $set): KeyManagementAlgorithm |
|
| 80 | + { |
|
| 81 | + if (!$this->_header->hasKeyID()) { |
|
| 82 | + throw new \UnexpectedValueException("No key ID paremeter."); |
|
| 83 | + } |
|
| 84 | + $id = $this->_header->keyID()->value(); |
|
| 85 | + if (!$set->hasKeyID($id)) { |
|
| 86 | + throw new \UnexpectedValueException("No key for ID '$id'."); |
|
| 87 | + } |
|
| 88 | + return $this->algoByKey($set->keyByID($id)); |
|
| 89 | + } |
|
| 90 | 90 | |
| 91 | - /** |
|
| 92 | - * Get the algorithm implementation class name by an algorithm name. |
|
| 93 | - * |
|
| 94 | - * @param string $alg Algorithm name |
|
| 95 | - * @throws \UnexpectedValueException |
|
| 96 | - * @return string Class name |
|
| 97 | - */ |
|
| 98 | - private static function _algoClassByName(string $alg): string |
|
| 99 | - { |
|
| 100 | - if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 101 | - throw new \UnexpectedValueException( |
|
| 102 | - "Algorithm '$alg' not supported."); |
|
| 103 | - } |
|
| 104 | - return self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 105 | - } |
|
| 91 | + /** |
|
| 92 | + * Get the algorithm implementation class name by an algorithm name. |
|
| 93 | + * |
|
| 94 | + * @param string $alg Algorithm name |
|
| 95 | + * @throws \UnexpectedValueException |
|
| 96 | + * @return string Class name |
|
| 97 | + */ |
|
| 98 | + private static function _algoClassByName(string $alg): string |
|
| 99 | + { |
|
| 100 | + if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 101 | + throw new \UnexpectedValueException( |
|
| 102 | + "Algorithm '$alg' not supported."); |
|
| 103 | + } |
|
| 104 | + return self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 105 | + } |
|
| 106 | 106 | } |
@@ -15,30 +15,30 @@ |
||
| 15 | 15 | */ |
| 16 | 16 | class A256GCMKWAlgorithm extends AESGCMKWAlgorithm |
| 17 | 17 | { |
| 18 | - /** |
|
| 19 | - * |
|
| 20 | - * {@inheritdoc} |
|
| 21 | - */ |
|
| 22 | - protected function _getGCMCipher(): Cipher |
|
| 23 | - { |
|
| 24 | - return new AES256Cipher(); |
|
| 25 | - } |
|
| 18 | + /** |
|
| 19 | + * |
|
| 20 | + * {@inheritdoc} |
|
| 21 | + */ |
|
| 22 | + protected function _getGCMCipher(): Cipher |
|
| 23 | + { |
|
| 24 | + return new AES256Cipher(); |
|
| 25 | + } |
|
| 26 | 26 | |
| 27 | - /** |
|
| 28 | - * |
|
| 29 | - * {@inheritdoc} |
|
| 30 | - */ |
|
| 31 | - protected function _keySize(): int |
|
| 32 | - { |
|
| 33 | - return 32; |
|
| 34 | - } |
|
| 27 | + /** |
|
| 28 | + * |
|
| 29 | + * {@inheritdoc} |
|
| 30 | + */ |
|
| 31 | + protected function _keySize(): int |
|
| 32 | + { |
|
| 33 | + return 32; |
|
| 34 | + } |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * |
|
| 38 | - * {@inheritdoc} |
|
| 39 | - */ |
|
| 40 | - public function algorithmParamValue(): string |
|
| 41 | - { |
|
| 42 | - return JWA::ALGO_A256GCMKW; |
|
| 43 | - } |
|
| 36 | + /** |
|
| 37 | + * |
|
| 38 | + * {@inheritdoc} |
|
| 39 | + */ |
|
| 40 | + public function algorithmParamValue(): string |
|
| 41 | + { |
|
| 42 | + return JWA::ALGO_A256GCMKW; |
|
| 43 | + } |
|
| 44 | 44 | } |
@@ -23,171 +23,171 @@ |
||
| 23 | 23 | */ |
| 24 | 24 | abstract class AESGCMKWAlgorithm extends KeyManagementAlgorithm |
| 25 | 25 | { |
| 26 | - use RandomCEK; |
|
| 26 | + use RandomCEK; |
|
| 27 | 27 | |
| 28 | - /** |
|
| 29 | - * Key encryption key. |
|
| 30 | - * |
|
| 31 | - * @var string $_kek |
|
| 32 | - */ |
|
| 33 | - protected $_kek; |
|
| 28 | + /** |
|
| 29 | + * Key encryption key. |
|
| 30 | + * |
|
| 31 | + * @var string $_kek |
|
| 32 | + */ |
|
| 33 | + protected $_kek; |
|
| 34 | 34 | |
| 35 | - /** |
|
| 36 | - * Initialization vector. |
|
| 37 | - * |
|
| 38 | - * @var string $_iv |
|
| 39 | - */ |
|
| 40 | - protected $_iv; |
|
| 35 | + /** |
|
| 36 | + * Initialization vector. |
|
| 37 | + * |
|
| 38 | + * @var string $_iv |
|
| 39 | + */ |
|
| 40 | + protected $_iv; |
|
| 41 | 41 | |
| 42 | - /** |
|
| 43 | - * Mapping from algorithm name to class name. |
|
| 44 | - * |
|
| 45 | - * @internal |
|
| 46 | - * |
|
| 47 | - * @var array |
|
| 48 | - */ |
|
| 49 | - const MAP_ALGO_TO_CLASS = array( |
|
| 50 | - /* @formatter:off */ |
|
| 51 | - JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class, |
|
| 52 | - JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class, |
|
| 53 | - JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class |
|
| 54 | - /* @formatter:on */ |
|
| 55 | - ); |
|
| 42 | + /** |
|
| 43 | + * Mapping from algorithm name to class name. |
|
| 44 | + * |
|
| 45 | + * @internal |
|
| 46 | + * |
|
| 47 | + * @var array |
|
| 48 | + */ |
|
| 49 | + const MAP_ALGO_TO_CLASS = array( |
|
| 50 | + /* @formatter:off */ |
|
| 51 | + JWA::ALGO_A128GCMKW => A128GCMKWAlgorithm::class, |
|
| 52 | + JWA::ALGO_A192GCMKW => A192GCMKWAlgorithm::class, |
|
| 53 | + JWA::ALGO_A256GCMKW => A256GCMKWAlgorithm::class |
|
| 54 | + /* @formatter:on */ |
|
| 55 | + ); |
|
| 56 | 56 | |
| 57 | - /** |
|
| 58 | - * Required IV size in bytes. |
|
| 59 | - * |
|
| 60 | - * @var int |
|
| 61 | - */ |
|
| 62 | - const IV_SIZE = 12; |
|
| 57 | + /** |
|
| 58 | + * Required IV size in bytes. |
|
| 59 | + * |
|
| 60 | + * @var int |
|
| 61 | + */ |
|
| 62 | + const IV_SIZE = 12; |
|
| 63 | 63 | |
| 64 | - /** |
|
| 65 | - * Authentication tag size in bytes. |
|
| 66 | - * |
|
| 67 | - * @var int |
|
| 68 | - */ |
|
| 69 | - const AUTH_TAG_SIZE = 16; |
|
| 64 | + /** |
|
| 65 | + * Authentication tag size in bytes. |
|
| 66 | + * |
|
| 67 | + * @var int |
|
| 68 | + */ |
|
| 69 | + const AUTH_TAG_SIZE = 16; |
|
| 70 | 70 | |
| 71 | - /** |
|
| 72 | - * Get GCM Cipher instance. |
|
| 73 | - * |
|
| 74 | - * @return Cipher |
|
| 75 | - */ |
|
| 76 | - abstract protected function _getGCMCipher(): Cipher; |
|
| 71 | + /** |
|
| 72 | + * Get GCM Cipher instance. |
|
| 73 | + * |
|
| 74 | + * @return Cipher |
|
| 75 | + */ |
|
| 76 | + abstract protected function _getGCMCipher(): Cipher; |
|
| 77 | 77 | |
| 78 | - /** |
|
| 79 | - * Get the required key size. |
|
| 80 | - * |
|
| 81 | - * @return int |
|
| 82 | - */ |
|
| 83 | - abstract protected function _keySize(): int; |
|
| 78 | + /** |
|
| 79 | + * Get the required key size. |
|
| 80 | + * |
|
| 81 | + * @return int |
|
| 82 | + */ |
|
| 83 | + abstract protected function _keySize(): int; |
|
| 84 | 84 | |
| 85 | - /** |
|
| 86 | - * Get GCM instance. |
|
| 87 | - * |
|
| 88 | - * @return GCM |
|
| 89 | - */ |
|
| 90 | - final protected function _getGCM(): GCM |
|
| 91 | - { |
|
| 92 | - return new GCM($this->_getGCMCipher(), self::AUTH_TAG_SIZE); |
|
| 93 | - } |
|
| 85 | + /** |
|
| 86 | + * Get GCM instance. |
|
| 87 | + * |
|
| 88 | + * @return GCM |
|
| 89 | + */ |
|
| 90 | + final protected function _getGCM(): GCM |
|
| 91 | + { |
|
| 92 | + return new GCM($this->_getGCMCipher(), self::AUTH_TAG_SIZE); |
|
| 93 | + } |
|
| 94 | 94 | |
| 95 | - /** |
|
| 96 | - * Constructor. |
|
| 97 | - * |
|
| 98 | - * @param string $kek Key encryption key |
|
| 99 | - * @param string $iv Initialization vector |
|
| 100 | - */ |
|
| 101 | - public function __construct(string $kek, string $iv) |
|
| 102 | - { |
|
| 103 | - if (strlen($kek) != $this->_keySize()) { |
|
| 104 | - throw new \LengthException("Invalid key size."); |
|
| 105 | - } |
|
| 106 | - if (strlen($iv) != self::IV_SIZE) { |
|
| 107 | - throw new \LengthException("Initialization vector must be 96 bits."); |
|
| 108 | - } |
|
| 109 | - $this->_kek = $kek; |
|
| 110 | - $this->_iv = $iv; |
|
| 111 | - } |
|
| 95 | + /** |
|
| 96 | + * Constructor. |
|
| 97 | + * |
|
| 98 | + * @param string $kek Key encryption key |
|
| 99 | + * @param string $iv Initialization vector |
|
| 100 | + */ |
|
| 101 | + public function __construct(string $kek, string $iv) |
|
| 102 | + { |
|
| 103 | + if (strlen($kek) != $this->_keySize()) { |
|
| 104 | + throw new \LengthException("Invalid key size."); |
|
| 105 | + } |
|
| 106 | + if (strlen($iv) != self::IV_SIZE) { |
|
| 107 | + throw new \LengthException("Initialization vector must be 96 bits."); |
|
| 108 | + } |
|
| 109 | + $this->_kek = $kek; |
|
| 110 | + $this->_iv = $iv; |
|
| 111 | + } |
|
| 112 | 112 | |
| 113 | - /** |
|
| 114 | - * |
|
| 115 | - * @param JWK $jwk |
|
| 116 | - * @param Header $header |
|
| 117 | - * @throws \UnexpectedValueException |
|
| 118 | - * @return self |
|
| 119 | - */ |
|
| 120 | - public static function fromJWK(JWK $jwk, Header $header) |
|
| 121 | - { |
|
| 122 | - $jwk = SymmetricKeyJWK::fromJWK($jwk); |
|
| 123 | - if (!$header->hasInitializationVector()) { |
|
| 124 | - throw new \UnexpectedValueException("No initialization vector."); |
|
| 125 | - } |
|
| 126 | - $iv = $header->initializationVector()->initializationVector(); |
|
| 127 | - $alg = JWA::deriveAlgorithmName($header, $jwk); |
|
| 128 | - if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 129 | - throw new \UnexpectedValueException("Unsupported algorithm '$alg'."); |
|
| 130 | - } |
|
| 131 | - $cls = self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 132 | - return new $cls($jwk->key(), $iv); |
|
| 133 | - } |
|
| 113 | + /** |
|
| 114 | + * |
|
| 115 | + * @param JWK $jwk |
|
| 116 | + * @param Header $header |
|
| 117 | + * @throws \UnexpectedValueException |
|
| 118 | + * @return self |
|
| 119 | + */ |
|
| 120 | + public static function fromJWK(JWK $jwk, Header $header) |
|
| 121 | + { |
|
| 122 | + $jwk = SymmetricKeyJWK::fromJWK($jwk); |
|
| 123 | + if (!$header->hasInitializationVector()) { |
|
| 124 | + throw new \UnexpectedValueException("No initialization vector."); |
|
| 125 | + } |
|
| 126 | + $iv = $header->initializationVector()->initializationVector(); |
|
| 127 | + $alg = JWA::deriveAlgorithmName($header, $jwk); |
|
| 128 | + if (!array_key_exists($alg, self::MAP_ALGO_TO_CLASS)) { |
|
| 129 | + throw new \UnexpectedValueException("Unsupported algorithm '$alg'."); |
|
| 130 | + } |
|
| 131 | + $cls = self::MAP_ALGO_TO_CLASS[$alg]; |
|
| 132 | + return new $cls($jwk->key(), $iv); |
|
| 133 | + } |
|
| 134 | 134 | |
| 135 | - /** |
|
| 136 | - * Initialize from key encryption key with random IV. |
|
| 137 | - * |
|
| 138 | - * Key size must match the underlying cipher. |
|
| 139 | - * |
|
| 140 | - * @param string $key Key encryption key |
|
| 141 | - * @return self |
|
| 142 | - */ |
|
| 143 | - public static function fromKey(string $key): self |
|
| 144 | - { |
|
| 145 | - $iv = openssl_random_pseudo_bytes(self::IV_SIZE); |
|
| 146 | - return new static($key, $iv); |
|
| 147 | - } |
|
| 135 | + /** |
|
| 136 | + * Initialize from key encryption key with random IV. |
|
| 137 | + * |
|
| 138 | + * Key size must match the underlying cipher. |
|
| 139 | + * |
|
| 140 | + * @param string $key Key encryption key |
|
| 141 | + * @return self |
|
| 142 | + */ |
|
| 143 | + public static function fromKey(string $key): self |
|
| 144 | + { |
|
| 145 | + $iv = openssl_random_pseudo_bytes(self::IV_SIZE); |
|
| 146 | + return new static($key, $iv); |
|
| 147 | + } |
|
| 148 | 148 | |
| 149 | - /** |
|
| 150 | - * |
|
| 151 | - * @see \JWX\JWE\KeyManagementAlgorithm::_encryptKey() |
|
| 152 | - * @return string |
|
| 153 | - */ |
|
| 154 | - protected function _encryptKey(string $key, Header &$header): string |
|
| 155 | - { |
|
| 156 | - list($ciphertext, $auth_tag) = $this->_getGCM()->encrypt($key, "", |
|
| 157 | - $this->_kek, $this->_iv); |
|
| 158 | - // insert authentication tag to the header |
|
| 159 | - $header = $header->withParameters( |
|
| 160 | - AuthenticationTagParameter::fromString($auth_tag)); |
|
| 161 | - return $ciphertext; |
|
| 162 | - } |
|
| 149 | + /** |
|
| 150 | + * |
|
| 151 | + * @see \JWX\JWE\KeyManagementAlgorithm::_encryptKey() |
|
| 152 | + * @return string |
|
| 153 | + */ |
|
| 154 | + protected function _encryptKey(string $key, Header &$header): string |
|
| 155 | + { |
|
| 156 | + list($ciphertext, $auth_tag) = $this->_getGCM()->encrypt($key, "", |
|
| 157 | + $this->_kek, $this->_iv); |
|
| 158 | + // insert authentication tag to the header |
|
| 159 | + $header = $header->withParameters( |
|
| 160 | + AuthenticationTagParameter::fromString($auth_tag)); |
|
| 161 | + return $ciphertext; |
|
| 162 | + } |
|
| 163 | 163 | |
| 164 | - /** |
|
| 165 | - * |
|
| 166 | - * @see \JWX\JWE\KeyManagementAlgorithm::_decryptKey() |
|
| 167 | - * @throws \RuntimeException For generic errors |
|
| 168 | - * @return string |
|
| 169 | - */ |
|
| 170 | - protected function _decryptKey(string $ciphertext, Header $header): string |
|
| 171 | - { |
|
| 172 | - if (!$header->hasAuthenticationTag()) { |
|
| 173 | - throw new \RuntimeException( |
|
| 174 | - "Header doesn't contain authentication tag."); |
|
| 175 | - } |
|
| 176 | - $auth_tag = $header->authenticationTag()->authenticationTag(); |
|
| 177 | - $cek = $this->_getGCM()->decrypt($ciphertext, $auth_tag, "", $this->_kek, |
|
| 178 | - $this->_iv); |
|
| 179 | - return $cek; |
|
| 180 | - } |
|
| 164 | + /** |
|
| 165 | + * |
|
| 166 | + * @see \JWX\JWE\KeyManagementAlgorithm::_decryptKey() |
|
| 167 | + * @throws \RuntimeException For generic errors |
|
| 168 | + * @return string |
|
| 169 | + */ |
|
| 170 | + protected function _decryptKey(string $ciphertext, Header $header): string |
|
| 171 | + { |
|
| 172 | + if (!$header->hasAuthenticationTag()) { |
|
| 173 | + throw new \RuntimeException( |
|
| 174 | + "Header doesn't contain authentication tag."); |
|
| 175 | + } |
|
| 176 | + $auth_tag = $header->authenticationTag()->authenticationTag(); |
|
| 177 | + $cek = $this->_getGCM()->decrypt($ciphertext, $auth_tag, "", $this->_kek, |
|
| 178 | + $this->_iv); |
|
| 179 | + return $cek; |
|
| 180 | + } |
|
| 181 | 181 | |
| 182 | - /** |
|
| 183 | - * |
|
| 184 | - * @see \JWX\JWE\KeyManagementAlgorithm::headerParameters() |
|
| 185 | - * @return \JWX\JWT\Parameter\JWTParameter[] |
|
| 186 | - */ |
|
| 187 | - public function headerParameters(): array |
|
| 188 | - { |
|
| 189 | - return array_merge(parent::headerParameters(), |
|
| 190 | - array(AlgorithmParameter::fromAlgorithm($this), |
|
| 191 | - InitializationVectorParameter::fromString($this->_iv))); |
|
| 192 | - } |
|
| 182 | + /** |
|
| 183 | + * |
|
| 184 | + * @see \JWX\JWE\KeyManagementAlgorithm::headerParameters() |
|
| 185 | + * @return \JWX\JWT\Parameter\JWTParameter[] |
|
| 186 | + */ |
|
| 187 | + public function headerParameters(): array |
|
| 188 | + { |
|
| 189 | + return array_merge(parent::headerParameters(), |
|
| 190 | + array(AlgorithmParameter::fromAlgorithm($this), |
|
| 191 | + InitializationVectorParameter::fromString($this->_iv))); |
|
| 192 | + } |
|
| 193 | 193 | } |
@@ -151,7 +151,7 @@ |
||
| 151 | 151 | * @see \JWX\JWE\KeyManagementAlgorithm::_encryptKey() |
| 152 | 152 | * @return string |
| 153 | 153 | */ |
| 154 | - protected function _encryptKey(string $key, Header &$header): string |
|
| 154 | + protected function _encryptKey(string $key, Header&$header): string |
|
| 155 | 155 | { |
| 156 | 156 | list($ciphertext, $auth_tag) = $this->_getGCM()->encrypt($key, "", |
| 157 | 157 | $this->_kek, $this->_iv); |
