1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
declare(strict_types=1); |
4
|
|
|
|
5
|
|
|
/* |
6
|
|
|
* The MIT License (MIT) |
7
|
|
|
* |
8
|
|
|
* Copyright (c) 2014-2019 Spomky-Labs |
9
|
|
|
* |
10
|
|
|
* This software may be modified and distributed under the terms |
11
|
|
|
* of the MIT license. See the LICENSE file for details. |
12
|
|
|
*/ |
13
|
|
|
|
14
|
|
|
namespace Jose\Component\NestedToken; |
15
|
|
|
|
16
|
|
|
use InvalidArgumentException; |
17
|
|
|
use Jose\Component\Encryption\JWEBuilder; |
18
|
|
|
use Jose\Component\Encryption\Serializer\JWESerializerManager; |
19
|
|
|
use Jose\Component\Signature\JWSBuilder; |
20
|
|
|
use Jose\Component\Signature\Serializer\JWSSerializerManager; |
21
|
|
|
|
22
|
|
|
class NestedTokenBuilder |
23
|
|
|
{ |
24
|
|
|
/** |
25
|
|
|
* @var JWSBuilder |
26
|
|
|
*/ |
27
|
|
|
private $jwsBuilder; |
28
|
|
|
|
29
|
|
|
/** |
30
|
|
|
* @var JWSSerializerManager |
31
|
|
|
*/ |
32
|
|
|
private $jwsSerializerManager; |
33
|
|
|
|
34
|
|
|
/** |
35
|
|
|
* @var JWEBuilder |
36
|
|
|
*/ |
37
|
|
|
private $jweBuilder; |
38
|
|
|
|
39
|
|
|
/** |
40
|
|
|
* @var JWESerializerManager |
41
|
|
|
*/ |
42
|
|
|
private $jweSerializerManager; |
43
|
|
|
|
44
|
|
|
public function __construct(JWEBuilder $jweBuilder, JWESerializerManager $jweSerializerManager, JWSBuilder $jwsBuilder, JWSSerializerManager $jwsSerializerManager) |
45
|
|
|
{ |
46
|
|
|
$this->jweBuilder = $jweBuilder; |
47
|
|
|
$this->jwsSerializerManager = $jwsSerializerManager; |
48
|
|
|
$this->jwsBuilder = $jwsBuilder; |
49
|
|
|
$this->jweSerializerManager = $jweSerializerManager; |
50
|
|
|
} |
51
|
|
|
|
52
|
|
|
/** |
53
|
|
|
* Creates a nested token. |
54
|
|
|
* |
55
|
|
|
* @param array $signatures |
56
|
|
|
* @param array $recipients |
57
|
|
|
* |
58
|
|
|
* @throws InvalidArgumentException if the argument "$signatures" does not include the expected structure |
59
|
|
|
* @throws InvalidArgumentException if the argument "$recipients" does not include the expected structure |
60
|
|
|
*/ |
61
|
|
|
public function create(string $payload, array $signatures, string $jws_serialization_mode, array $jweSharedProtectedHeader, array $jweSharedHeader, array $recipients, string $jwe_serialization_mode, ?string $aad = null): string |
62
|
|
|
{ |
63
|
|
|
$jws = $this->jwsBuilder->create()->withPayload($payload); |
64
|
|
|
foreach ($signatures as $signature) { |
65
|
|
|
if (!\is_array($signature) || !\array_key_exists('key', $signature)) { |
66
|
|
|
throw new InvalidArgumentException('The signatures must be an array of arrays containing a key, a protected header and a header'); |
67
|
|
|
} |
68
|
|
|
$signature['protected_header'] = \array_key_exists('protected_header', $signature) ? $signature['protected_header'] : []; |
69
|
|
|
$signature['header'] = \array_key_exists('header', $signature) ? $signature['header'] : []; |
70
|
|
|
$jws = $jws->addSignature($signature['key'], $signature['protected_header'], $signature['header']); |
71
|
|
|
} |
72
|
|
|
$jws = $jws->build(); |
73
|
|
|
$token = $this->jwsSerializerManager->serialize($jws_serialization_mode, $jws); |
74
|
|
|
|
75
|
|
|
$jweSharedProtectedHeader['cty'] = 'JWT'; |
76
|
|
|
|
77
|
|
|
$jwe = $this->jweBuilder |
78
|
|
|
->create() |
79
|
|
|
->withPayload($token) |
80
|
|
|
->withSharedProtectedHeader($jweSharedProtectedHeader) |
81
|
|
|
->withSharedHeader($jweSharedHeader) |
82
|
|
|
->withAAD($aad) |
83
|
|
|
; |
84
|
|
|
foreach ($recipients as $recipient) { |
85
|
|
|
if (!\is_array($recipient) || !\array_key_exists('key', $recipient)) { |
86
|
|
|
throw new InvalidArgumentException('The recipients must be an array of arrays containing a key and a header'); |
87
|
|
|
} |
88
|
|
|
$recipient['header'] = \array_key_exists('header', $recipient) ? $recipient['header'] : []; |
89
|
|
|
$jwe = $jwe->addRecipient($recipient['key'], $recipient['header']); |
90
|
|
|
} |
91
|
|
|
$jwe = $jwe->build(); |
92
|
|
|
|
93
|
|
|
return $this->jweSerializerManager->serialize($jwe_serialization_mode, $jwe); |
94
|
|
|
} |
95
|
|
|
} |
96
|
|
|
|