JWEBuilder - Code Metrics - Inspection of "Merge branch 'v1.1'" - web-token/jwt-framework - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — master ( d2ad41...5d048e )

by Florent

created 2018-03-13 12:49 UTC

JWEBuilder D

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	570
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	14

Importance

Changes

Metric	Value
wmc	71
c	0
b	0
f	0
lcom	1
cbo	14
dl	0
loc	570
rs	4.0259

28 Methods

Rating	Name	Size	Complexity
A	__construct()	7	1
A	create()	13	1
A	getKeyEncryptionAlgorithmManager()	4	1
A	getContentEncryptionAlgorithmManager()	4	1
A	getCompressionMethodManager()	4	1
A	withPayload()	11	3
A	withAAD()	7	1
A	withSharedProtectedHeader()	11	2
A	withSharedHeader()	11	2
C	addRecipient()	36	8
C	build()	29	7
A	checkAndSetContentEncryptionAlgorithm()	9	3
A	processRecipient()	14	3
A	encryptJWE()	11	2
A	preparePayload()	11	2
B	getEncryptedKey()	16	6
A	getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm()	4	1
A	getEncryptedKeyFromKeyEncryptionAlgorithm()	4	1
A	getEncryptedKeyFromKeyWrappingAlgorithm()	4	1
A	checkKey()	9	2
C	determineCEK()	32	8
A	getCompressionMethod()	8	2
A	areKeyManagementModesCompatible()	14	2
A	createCEK()	4	1
A	createIV()	4	1
A	getKeyEncryptionAlgorithm()	12	3
A	getContentEncryptionAlgorithm()	12	3
A	checkDuplicatedHeaderParameters()	7	2

How to fix Complexity

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace Jose\Component\Encryption;

use Base64Url\Base64Url;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\Converter\JsonConverter;
use Jose\Component\Core\JWK;
use Jose\Component\Core\Util\KeyChecker;
use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
use Jose\Component\Encryption\Algorithm\KeyEncryption\DirectEncryption;
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreement;
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreementWithKeyWrapping;
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyEncryption;
use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyWrapping;
use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
use Jose\Component\Encryption\Compression\CompressionMethod;
use Jose\Component\Encryption\Compression\CompressionMethodManager;

class JWEBuilder
{
    /**
     * @var JsonConverter
     */
    private $jsonConverter;

    /**
     * @var null|string
     */
    private $payload;

    /**
     * @var string|null
     */
    private $aad;

    /**
     * @var array
     */
    private $recipients = [];

    /**
     * @var AlgorithmManager
     */
    private $keyEncryptionAlgorithmManager;

    /**
     * @var AlgorithmManager
     */
    private $contentEncryptionAlgorithmManager;

    /**
     * @var CompressionMethodManager
     */
    private $compressionManager;

    /**
     * @var array
     */
    private $sharedProtectedHeader = [];

    /**
     * @var array
     */
    private $sharedHeader = [];

    /**
     * @var null|CompressionMethod
     */
    private $compressionMethod = null;

    /**
     * @var null|ContentEncryptionAlgorithm
     */
    private $contentEncryptionAlgorithm = null;

    /**
     * @var null|string
     */
    private $keyManagementMode = null;

    /**
     * JWEBuilder constructor.
     *
     * @param JsonConverter            $jsonConverter
     * @param AlgorithmManager         $keyEncryptionAlgorithmManager
     * @param AlgorithmManager         $contentEncryptionAlgorithmManager
     * @param CompressionMethodManager $compressionManager
     */
    public function __construct(JsonConverter $jsonConverter, AlgorithmManager $keyEncryptionAlgorithmManager, AlgorithmManager $contentEncryptionAlgorithmManager, CompressionMethodManager $compressionManager)
    {
        $this->jsonConverter = $jsonConverter;
        $this->keyEncryptionAlgorithmManager = $keyEncryptionAlgorithmManager;
        $this->contentEncryptionAlgorithmManager = $contentEncryptionAlgorithmManager;
        $this->compressionManager = $compressionManager;
    }

    /**
     * Reset the current data.
     *
     * @return JWEBuilder
     */
    public function create(): self
    {
        $this->payload = null;
        $this->aad = null;
        $this->recipients = [];
        $this->sharedProtectedHeader = [];
        $this->sharedHeader = [];
        $this->compressionMethod = null;
        $this->contentEncryptionAlgorithm = null;
        $this->keyManagementMode = null;

        return $this;
    }

    /**
     * Returns the key encryption algorithm manager.
     *
     * @return AlgorithmManager
     */
    public function getKeyEncryptionAlgorithmManager(): AlgorithmManager
    {
        return $this->keyEncryptionAlgorithmManager;
    }

    /**
     * Returns the content encryption algorithm manager.
     *
     * @return AlgorithmManager
     */
    public function getContentEncryptionAlgorithmManager(): AlgorithmManager
    {
        return $this->contentEncryptionAlgorithmManager;
    }

    /**
     * Returns the compression method manager.
     *
     * @return CompressionMethodManager
     */
    public function getCompressionMethodManager(): CompressionMethodManager
    {
        return $this->compressionManager;
    }

    /**
     * Set the payload of the JWE to build.
     *
     * @param mixed $payload
     *
     * @return JWEBuilder
     */
    public function withPayload($payload): self
    {
        $payload = is_string($payload) ? $payload : $this->jsonConverter->encode($payload);
        if (false === mb_detect_encoding($payload, 'UTF-8', true)) {
            throw new \InvalidArgumentException('The payload must be encoded in UTF-8');
        }
        $clone = clone $this;
        $clone->payload = $payload;

        return $clone;
    }

    /**
     * Set the Additional Authenticated Data of the JWE to build.
     *
     * @param string|null $aad
     *
     * @return JWEBuilder
     */
    public function withAAD(?string $aad): self
    {
        $clone = clone $this;
        $clone->aad = $aad;

        return $clone;
    }

    /**
     * Set the shared protected header of the JWE to build.
     *
     * @param array $sharedProtectedHeader
     *
     * @return JWEBuilder
     */
    public function withSharedProtectedHeader(array $sharedProtectedHeader): self
    {
        $this->checkDuplicatedHeaderParameters($sharedProtectedHeader, $this->sharedHeader);
        foreach ($this->recipients as $recipient) {
            $this->checkDuplicatedHeaderParameters($sharedProtectedHeader, $recipient->getHeader());
        }
        $clone = clone $this;
        $clone->sharedProtectedHeader = $sharedProtectedHeader;

        return $clone;
    }

    /**
     * Set the shared header of the JWE to build.
     *
     * @param array $sharedHeader
     *
     * @return JWEBuilder
     */
    public function withSharedHeader(array $sharedHeader): self
    {
        $this->checkDuplicatedHeaderParameters($this->sharedProtectedHeader, $sharedHeader);
        foreach ($this->recipients as $recipient) {
            $this->checkDuplicatedHeaderParameters($sharedHeader, $recipient->getHeader());
        }
        $clone = clone $this;
        $clone->sharedHeader = $sharedHeader;

        return $clone;
    }

    /**
     * Adds a recipient to the JWE to build.
     *
     * @param JWK   $recipientKey
     * @param array $recipientHeader
     *
     * @return JWEBuilder
     */
    public function addRecipient(JWK $recipientKey, array $recipientHeader = []): self
    {
        $this->checkDuplicatedHeaderParameters($this->sharedProtectedHeader, $recipientHeader);
        $this->checkDuplicatedHeaderParameters($this->sharedHeader, $recipientHeader);
        $clone = clone $this;
        $completeHeader = array_merge($clone->sharedHeader, $recipientHeader, $clone->sharedProtectedHeader);
        $clone->checkAndSetContentEncryptionAlgorithm($completeHeader);
        $keyEncryptionAlgorithm = $clone->getKeyEncryptionAlgorithm($completeHeader);
        if (null === $clone->keyManagementMode) {
            $clone->keyManagementMode = $keyEncryptionAlgorithm->getKeyManagementMode();
        } else {
            if (!$clone->areKeyManagementModesCompatible($clone->keyManagementMode, $keyEncryptionAlgorithm->getKeyManagementMode())) {
                throw new \InvalidArgumentException('Foreign key management mode forbidden.');
            }
        }

        $compressionMethod = $clone->getCompressionMethod($completeHeader);
        if (null !== $compressionMethod) {
            if (null === $clone->compressionMethod) {
                $clone->compressionMethod = $compressionMethod;
            } elseif ($clone->compressionMethod->name() !== $compressionMethod->name()) {
                throw new \InvalidArgumentException('Incompatible compression method.');
            }
        }
        if (null === $compressionMethod && null !== $clone->compressionMethod) {
            throw new \InvalidArgumentException('Inconsistent compression method.');
        }
        $clone->checkKey($keyEncryptionAlgorithm, $recipientKey);
        $clone->recipients[] = [
            'key'                      => $recipientKey,
            'header'                   => $recipientHeader,
            'key_encryption_algorithm' => $keyEncryptionAlgorithm,
        ];

        return $clone;
    }

    /**
     * Builds the JWE.
     *
     * @return JWE
     */
    public function build(): JWE
    {
        if (null === $this->payload) {
            throw new \LogicException('Payload not set.');
        }
        if (0 === count($this->recipients)) {
            throw new \LogicException('No recipient.');
        }

        $additionalHeader = [];
        $cek = $this->determineCEK($additionalHeader);

        $recipients = [];
        foreach ($this->recipients as $recipient) {
            $recipient = $this->processRecipient($recipient, $cek, $additionalHeader);
            $recipients[] = $recipient;
        }

        if (!empty($additionalHeader) && 1 === count($this->recipients)) {
            $sharedProtectedHeader = array_merge($additionalHeader, $this->sharedProtectedHeader);
        } else {
            $sharedProtectedHeader = $this->sharedProtectedHeader;
        }
        $encodedSharedProtectedHeader = empty($sharedProtectedHeader) ? '' : Base64Url::encode($this->jsonConverter->encode($sharedProtectedHeader));

        list($ciphertext, $iv, $tag) = $this->encryptJWE($cek, $encodedSharedProtectedHeader);

        return JWE::create($ciphertext, $iv, $tag, $this->aad, $this->sharedHeader, $sharedProtectedHeader, $encodedSharedProtectedHeader, $recipients);
    }

    /**
     * @param array $completeHeader
     */
    private function checkAndSetContentEncryptionAlgorithm(array $completeHeader): void
    {
        $contentEncryptionAlgorithm = $this->getContentEncryptionAlgorithm($completeHeader);
        if (null === $this->contentEncryptionAlgorithm) {
            $this->contentEncryptionAlgorithm = $contentEncryptionAlgorithm;
        } elseif ($contentEncryptionAlgorithm->name() !== $this->contentEncryptionAlgorithm->name()) {
            throw new \InvalidArgumentException('Inconsistent content encryption algorithm');
        }
    }

    /**
     * @param array  $recipient
     * @param string $cek
     * @param array  $additionalHeader
     *
     * @return Recipient
     */
    private function processRecipient(array $recipient, string $cek, array &$additionalHeader): Recipient
    {
        $completeHeader = array_merge($this->sharedHeader, $recipient['header'], $this->sharedProtectedHeader);
        /** @var KeyEncryptionAlgorithm $keyEncryptionAlgorithm */
        $keyEncryptionAlgorithm = $recipient['key_encryption_algorithm'];
        $encryptedContentEncryptionKey = $this->getEncryptedKey($completeHeader, $cek, $keyEncryptionAlgorithm, $additionalHeader, $recipient['key']);
        $recipientHeader = $recipient['header'];
        if (!empty($additionalHeader) && 1 !== count($this->recipients)) {
            $recipientHeader = array_merge($recipientHeader, $additionalHeader);
            $additionalHeader = [];
        }

        return Recipient::create($recipientHeader, $encryptedContentEncryptionKey);
    }

    /**
     * @param string $cek
     * @param string $encodedSharedProtectedHeader
     *
     * @return array
     */
    private function encryptJWE(string $cek, string $encodedSharedProtectedHeader): array
    {
        $tag = null;
        $iv_size = $this->contentEncryptionAlgorithm->getIVSize();
        $iv = $this->createIV($iv_size);
        $payload = $this->preparePayload();
        $aad = $this->aad ? Base64Url::encode($this->aad) : null;
        $ciphertext = $this->contentEncryptionAlgorithm->encryptContent($payload, $cek, $iv, $aad, $encodedSharedProtectedHeader, $tag);

        return [$ciphertext, $iv, $tag];
    }

    /**
     * @return string
     */
    private function preparePayload(): ?string
    {
        $prepared = $this->payload;

        if (null === $this->compressionMethod) {
            return $prepared;
        }
        $compressedPayload = $this->compressionMethod->compress($prepared);

        return $compressedPayload;
    }

    /**
     * @param array                  $completeHeader
     * @param string                 $cek
     * @param KeyEncryptionAlgorithm $keyEncryptionAlgorithm
     * @param JWK                    $recipientKey
     * @param array                  $additionalHeader
     *
     * @return string|null
     */
    private function getEncryptedKey(array $completeHeader, string $cek, KeyEncryptionAlgorithm $keyEncryptionAlgorithm, array &$additionalHeader, JWK $recipientKey): ?string
    {
        if ($keyEncryptionAlgorithm instanceof KeyEncryption) {
            return $this->getEncryptedKeyFromKeyEncryptionAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeader);
        } elseif ($keyEncryptionAlgorithm instanceof KeyWrapping) {
            return $this->getEncryptedKeyFromKeyWrappingAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeader);
        } elseif ($keyEncryptionAlgorithm instanceof KeyAgreementWithKeyWrapping) {
            return $this->getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $additionalHeader, $recipientKey);
        } elseif ($keyEncryptionAlgorithm instanceof KeyAgreement) {
            return null;
        } elseif ($keyEncryptionAlgorithm instanceof DirectEncryption) {
            return null;
        }

        throw new \InvalidArgumentException('Unsupported key encryption algorithm.');
    }

    /**
     * @param array                       $completeHeader
     * @param string                      $cek
     * @param KeyAgreementWithKeyWrapping $keyEncryptionAlgorithm
     * @param array                       $additionalHeader
     * @param JWK                         $recipientKey
     *
     * @return string
     */
    private function getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm(array $completeHeader, string $cek, KeyAgreementWithKeyWrapping $keyEncryptionAlgorithm, array &$additionalHeader, JWK $recipientKey): string
    {
        return $keyEncryptionAlgorithm->wrapAgreementKey($recipientKey, $cek, $this->contentEncryptionAlgorithm->getCEKSize(), $completeHeader, $additionalHeader);
    }

    /**
     * @param array         $completeHeader
     * @param string        $cek
     * @param KeyEncryption $keyEncryptionAlgorithm
     * @param JWK           $recipientKey
     * @param array         $additionalHeader
     *
     * @return string
     */
    private function getEncryptedKeyFromKeyEncryptionAlgorithm(array $completeHeader, string $cek, KeyEncryption $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeader): string
    {
        return $keyEncryptionAlgorithm->encryptKey($recipientKey, $cek, $completeHeader, $additionalHeader);
    }

    /**
     * @param array       $completeHeader
     * @param string      $cek
     * @param KeyWrapping $keyEncryptionAlgorithm
     * @param JWK         $recipientKey
     * @param array       $additionalHeader
     *
     * @return string
     */
    private function getEncryptedKeyFromKeyWrappingAlgorithm(array $completeHeader, string $cek, KeyWrapping $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeader): string
    {
        return $keyEncryptionAlgorithm->wrapKey($recipientKey, $cek, $completeHeader, $additionalHeader);
    }

    /**
     * @param KeyEncryptionAlgorithm $keyEncryptionAlgorithm
     * @param JWK                    $recipientKey
     */
    private function checkKey(KeyEncryptionAlgorithm $keyEncryptionAlgorithm, JWK $recipientKey)
    {
        KeyChecker::checkKeyUsage($recipientKey, 'encryption');
        if ('dir' !== $keyEncryptionAlgorithm->name()) {
            KeyChecker::checkKeyAlgorithm($recipientKey, $keyEncryptionAlgorithm->name());
        } else {
            KeyChecker::checkKeyAlgorithm($recipientKey, $this->contentEncryptionAlgorithm->name());
        }
    }

    /**
     * @param array $additionalHeader
     *
     * @return string
     */
    private function determineCEK(array &$additionalHeader): string
    {
        switch ($this->keyManagementMode) {
            case KeyEncryption::MODE_ENCRYPT:
            case KeyEncryption::MODE_WRAP:
                return $this->createCEK($this->contentEncryptionAlgorithm->getCEKSize());
            case KeyEncryption::MODE_AGREEMENT:
                if (1 !== count($this->recipients)) {
                    throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
                }
                /** @var JWK $key */
                $key = $this->recipients[0]['key'];
                /** @var KeyAgreement $algorithm */
                $algorithm = $this->recipients[0]['key_encryption_algorithm'];
                $completeHeader = array_merge($this->sharedHeader, $this->recipients[0]['header'], $this->sharedProtectedHeader);

                return $algorithm->getAgreementKey($this->contentEncryptionAlgorithm->getCEKSize(), $this->contentEncryptionAlgorithm->name(), $key, $completeHeader, $additionalHeader);
            case KeyEncryption::MODE_DIRECT:
                if (1 !== count($this->recipients)) {
                    throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
                }
                /** @var JWK $key */
                $key = $this->recipients[0]['key'];
                if ('oct' !== $key->get('kty')) {
                    throw new \RuntimeException('Wrong key type.');
                }

                return Base64Url::decode($key->get('k'));
            default:
                throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $this->keyManagementMode));
        }
    }

    /**
     * @param array $completeHeader
     *
     * @return CompressionMethod|null
     */
    private function getCompressionMethod(array $completeHeader): ?CompressionMethod
    {
        if (!array_key_exists('zip', $completeHeader)) {
            return null;
        }

        return $this->compressionManager->get($completeHeader['zip']);
    }

    /**
     * @param string $current
     * @param string $new
     *
     * @return bool
     */
    private function areKeyManagementModesCompatible(string $current, string $new): bool
    {
        $agree = KeyEncryptionAlgorithm::MODE_AGREEMENT;
        $dir = KeyEncryptionAlgorithm::MODE_DIRECT;
        $enc = KeyEncryptionAlgorithm::MODE_ENCRYPT;
        $wrap = KeyEncryptionAlgorithm::MODE_WRAP;
        $supportedKeyManagementModeCombinations = [$enc.$enc => true, $enc.$wrap => true, $wrap.$enc => true, $wrap.$wrap => true, $agree.$agree => false, $agree.$dir => false, $agree.$enc => false, $agree.$wrap => false, $dir.$agree => false, $dir.$dir => false, $dir.$enc => false, $dir.$wrap => false, $enc.$agree => false, $enc.$dir => false, $wrap.$agree => false, $wrap.$dir => false];

        if (array_key_exists($current.$new, $supportedKeyManagementModeCombinations)) {
            return $supportedKeyManagementModeCombinations[$current.$new];
        }

        return false;
    }

    /**
     * @param int $size
     *
     * @return string
     */
    private function createCEK(int $size): string
    {
        return random_bytes($size / 8);
    }

    /**
     * @param int $size
     *
     * @return string
     */
    private function createIV(int $size): string
    {
        return random_bytes($size / 8);
    }

    /**
     * @param array $completeHeader
     *
     * @return KeyEncryptionAlgorithm
     */
    private function getKeyEncryptionAlgorithm(array $completeHeader): KeyEncryptionAlgorithm
    {
        if (!array_key_exists('alg', $completeHeader)) {
            throw new \InvalidArgumentException('Parameter "alg" is missing.');
        }
        $keyEncryptionAlgorithm = $this->keyEncryptionAlgorithmManager->get($completeHeader['alg']);
        if (!$keyEncryptionAlgorithm instanceof KeyEncryptionAlgorithm) {
            throw new \InvalidArgumentException(sprintf('The key encryption algorithm "%s" is not supported or not a key encryption algorithm instance.', $completeHeader['alg']));
        }

        return $keyEncryptionAlgorithm;
    }

    /**
     * @param array $completeHeader
     *
     * @return ContentEncryptionAlgorithm
     */
    private function getContentEncryptionAlgorithm(array $completeHeader): ContentEncryptionAlgorithm
    {
        if (!array_key_exists('enc', $completeHeader)) {
            throw new \InvalidArgumentException('Parameter "enc" is missing.');
        }
        $contentEncryptionAlgorithm = $this->contentEncryptionAlgorithmManager->get($completeHeader['enc']);
        if (!$contentEncryptionAlgorithm instanceof ContentEncryptionAlgorithm) {
            throw new \InvalidArgumentException(sprintf('The content encryption algorithm "%s" is not supported or not a content encryption algorithm instance.', $completeHeader['alg']));
        }

        return $contentEncryptionAlgorithm;
    }

    /**
     * @param array $header1
     * @param array $header2
     */
    private function checkDuplicatedHeaderParameters(array $header1, array $header2)
    {
        $inter = array_intersect_key($header1, $header2);
        if (!empty($inter)) {
            throw new \InvalidArgumentException(sprintf('The header contains duplicated entries: %s.', implode(', ', array_keys($inter))));
        }
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace Jose\Component\Encryption;
15
16			use Base64Url\Base64Url;
17			use Jose\Component\Core\AlgorithmManager;
18			use Jose\Component\Core\Converter\JsonConverter;
19			use Jose\Component\Core\JWK;
20			use Jose\Component\Core\Util\KeyChecker;
21			use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
22			use Jose\Component\Encryption\Algorithm\KeyEncryption\DirectEncryption;
23			use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreement;
24			use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyAgreementWithKeyWrapping;
25			use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyEncryption;
26			use Jose\Component\Encryption\Algorithm\KeyEncryption\KeyWrapping;
27			use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
28			use Jose\Component\Encryption\Compression\CompressionMethod;
29			use Jose\Component\Encryption\Compression\CompressionMethodManager;
30
31			class JWEBuilder
32			{
33			/**
34			* @var JsonConverter
35			*/
36			private $jsonConverter;
37
38			/**
39			* @var null\|string
40			*/
41			private $payload;
42
43			/**
44			* @var string\|null
45			*/
46			private $aad;
47
48			/**
49			* @var array
50			*/
51			private $recipients = [];
52
53			/**
54			* @var AlgorithmManager
55			*/
56			private $keyEncryptionAlgorithmManager;
57
58			/**
59			* @var AlgorithmManager
60			*/
61			private $contentEncryptionAlgorithmManager;
62
63			/**
64			* @var CompressionMethodManager
65			*/
66			private $compressionManager;
67
68			/**
69			* @var array
70			*/
71			private $sharedProtectedHeader = [];
72
73			/**
74			* @var array
75			*/
76			private $sharedHeader = [];
77
78			/**
79			* @var null\|CompressionMethod
80			*/
81			private $compressionMethod = null;
82
83			/**
84			* @var null\|ContentEncryptionAlgorithm
85			*/
86			private $contentEncryptionAlgorithm = null;
87
88			/**
89			* @var null\|string
90			*/
91			private $keyManagementMode = null;
92
93			/**
94			* JWEBuilder constructor.
95			*
96			* @param JsonConverter $jsonConverter
97			* @param AlgorithmManager $keyEncryptionAlgorithmManager
98			* @param AlgorithmManager $contentEncryptionAlgorithmManager
99			* @param CompressionMethodManager $compressionManager
100			*/
101			public function __construct(JsonConverter $jsonConverter, AlgorithmManager $keyEncryptionAlgorithmManager, AlgorithmManager $contentEncryptionAlgorithmManager, CompressionMethodManager $compressionManager)
102			{
103			$this->jsonConverter = $jsonConverter;
104			$this->keyEncryptionAlgorithmManager = $keyEncryptionAlgorithmManager;
105			$this->contentEncryptionAlgorithmManager = $contentEncryptionAlgorithmManager;
106			$this->compressionManager = $compressionManager;
107			}
108
109			/**
110			* Reset the current data.
111			*
112			* @return JWEBuilder
113			*/
114			public function create(): self
115			{
116			$this->payload = null;
117			$this->aad = null;
118			$this->recipients = [];
119			$this->sharedProtectedHeader = [];
120			$this->sharedHeader = [];
121			$this->compressionMethod = null;
122			$this->contentEncryptionAlgorithm = null;
123			$this->keyManagementMode = null;
124
125			return $this;
126			}
127
128			/**
129			* Returns the key encryption algorithm manager.
130			*
131			* @return AlgorithmManager
132			*/
133			public function getKeyEncryptionAlgorithmManager(): AlgorithmManager
134			{
135			return $this->keyEncryptionAlgorithmManager;
136			}
137
138			/**
139			* Returns the content encryption algorithm manager.
140			*
141			* @return AlgorithmManager
142			*/
143			public function getContentEncryptionAlgorithmManager(): AlgorithmManager
144			{
145			return $this->contentEncryptionAlgorithmManager;
146			}
147
148			/**
149			* Returns the compression method manager.
150			*
151			* @return CompressionMethodManager
152			*/
153			public function getCompressionMethodManager(): CompressionMethodManager
154			{
155			return $this->compressionManager;
156			}
157
158			/**
159			* Set the payload of the JWE to build.
160			*
161			* @param mixed $payload
162			*
163			* @return JWEBuilder
164			*/
165			public function withPayload($payload): self
166			{
167			$payload = is_string($payload) ? $payload : $this->jsonConverter->encode($payload);
168			if (false === mb_detect_encoding($payload, 'UTF-8', true)) {
169			throw new \InvalidArgumentException('The payload must be encoded in UTF-8');
170			}
171			$clone = clone $this;
172			$clone->payload = $payload;
173
174			return $clone;
175			}
176
177			/**
178			* Set the Additional Authenticated Data of the JWE to build.
179			*
180			* @param string\|null $aad
181			*
182			* @return JWEBuilder
183			*/
184			public function withAAD(?string $aad): self
185			{
186			$clone = clone $this;
187			$clone->aad = $aad;
188
189			return $clone;
190			}
191
192			/**
193			* Set the shared protected header of the JWE to build.
194			*
195			* @param array $sharedProtectedHeader
196			*
197			* @return JWEBuilder
198			*/
199			public function withSharedProtectedHeader(array $sharedProtectedHeader): self
200			{
201			$this->checkDuplicatedHeaderParameters($sharedProtectedHeader, $this->sharedHeader);
202			foreach ($this->recipients as $recipient) {
203			$this->checkDuplicatedHeaderParameters($sharedProtectedHeader, $recipient->getHeader());
204			}
205			$clone = clone $this;
206			$clone->sharedProtectedHeader = $sharedProtectedHeader;
207
208			return $clone;
209			}
210
211			/**
212			* Set the shared header of the JWE to build.
213			*
214			* @param array $sharedHeader
215			*
216			* @return JWEBuilder
217			*/
218			public function withSharedHeader(array $sharedHeader): self
219			{
220			$this->checkDuplicatedHeaderParameters($this->sharedProtectedHeader, $sharedHeader);
221			foreach ($this->recipients as $recipient) {
222			$this->checkDuplicatedHeaderParameters($sharedHeader, $recipient->getHeader());
223			}
224			$clone = clone $this;
225			$clone->sharedHeader = $sharedHeader;
226
227			return $clone;
228			}
229
230			/**
231			* Adds a recipient to the JWE to build.
232			*
233			* @param JWK $recipientKey
234			* @param array $recipientHeader
235			*
236			* @return JWEBuilder
237			*/
238			public function addRecipient(JWK $recipientKey, array $recipientHeader = []): self
239			{
240			$this->checkDuplicatedHeaderParameters($this->sharedProtectedHeader, $recipientHeader);
241			$this->checkDuplicatedHeaderParameters($this->sharedHeader, $recipientHeader);
242			$clone = clone $this;
243			$completeHeader = array_merge($clone->sharedHeader, $recipientHeader, $clone->sharedProtectedHeader);
244			$clone->checkAndSetContentEncryptionAlgorithm($completeHeader);
245			$keyEncryptionAlgorithm = $clone->getKeyEncryptionAlgorithm($completeHeader);
246			if (null === $clone->keyManagementMode) {
247			$clone->keyManagementMode = $keyEncryptionAlgorithm->getKeyManagementMode();
248			} else {
249			if (!$clone->areKeyManagementModesCompatible($clone->keyManagementMode, $keyEncryptionAlgorithm->getKeyManagementMode())) {
250			throw new \InvalidArgumentException('Foreign key management mode forbidden.');
251			}
252			}
253
254			$compressionMethod = $clone->getCompressionMethod($completeHeader);
255			if (null !== $compressionMethod) {
256			if (null === $clone->compressionMethod) {
257			$clone->compressionMethod = $compressionMethod;
258			} elseif ($clone->compressionMethod->name() !== $compressionMethod->name()) {
259			throw new \InvalidArgumentException('Incompatible compression method.');
260			}
261			}
262			if (null === $compressionMethod && null !== $clone->compressionMethod) {
263			throw new \InvalidArgumentException('Inconsistent compression method.');
264			}
265			$clone->checkKey($keyEncryptionAlgorithm, $recipientKey);
266			$clone->recipients[] = [
267			'key' => $recipientKey,
268			'header' => $recipientHeader,
269			'key_encryption_algorithm' => $keyEncryptionAlgorithm,
270			];
271
272			return $clone;
273			}
274
275			/**
276			* Builds the JWE.
277			*
278			* @return JWE
279			*/
280			public function build(): JWE
281			{
282			if (null === $this->payload) {
283			throw new \LogicException('Payload not set.');
284			}
285			if (0 === count($this->recipients)) {
286			throw new \LogicException('No recipient.');
287			}
288
289			$additionalHeader = [];
290			$cek = $this->determineCEK($additionalHeader);
291
292			$recipients = [];
293			foreach ($this->recipients as $recipient) {
294			$recipient = $this->processRecipient($recipient, $cek, $additionalHeader);
295			$recipients[] = $recipient;
296			}
297
298			if (!empty($additionalHeader) && 1 === count($this->recipients)) {
299			$sharedProtectedHeader = array_merge($additionalHeader, $this->sharedProtectedHeader);
300			} else {
301			$sharedProtectedHeader = $this->sharedProtectedHeader;
302			}
303			$encodedSharedProtectedHeader = empty($sharedProtectedHeader) ? '' : Base64Url::encode($this->jsonConverter->encode($sharedProtectedHeader));
304
305			list($ciphertext, $iv, $tag) = $this->encryptJWE($cek, $encodedSharedProtectedHeader);
306
307			return JWE::create($ciphertext, $iv, $tag, $this->aad, $this->sharedHeader, $sharedProtectedHeader, $encodedSharedProtectedHeader, $recipients);
308			}
309
310			/**
311			* @param array $completeHeader
312			*/
313			private function checkAndSetContentEncryptionAlgorithm(array $completeHeader): void
314			{
315			$contentEncryptionAlgorithm = $this->getContentEncryptionAlgorithm($completeHeader);
316			if (null === $this->contentEncryptionAlgorithm) {
317			$this->contentEncryptionAlgorithm = $contentEncryptionAlgorithm;
318			} elseif ($contentEncryptionAlgorithm->name() !== $this->contentEncryptionAlgorithm->name()) {
319			throw new \InvalidArgumentException('Inconsistent content encryption algorithm');
320			}
321			}
322
323			/**
324			* @param array $recipient
325			* @param string $cek
326			* @param array $additionalHeader
327			*
328			* @return Recipient
329			*/
330			private function processRecipient(array $recipient, string $cek, array &$additionalHeader): Recipient
331			{
332			$completeHeader = array_merge($this->sharedHeader, $recipient['header'], $this->sharedProtectedHeader);
333			/** @var KeyEncryptionAlgorithm $keyEncryptionAlgorithm */
334			$keyEncryptionAlgorithm = $recipient['key_encryption_algorithm'];
335			$encryptedContentEncryptionKey = $this->getEncryptedKey($completeHeader, $cek, $keyEncryptionAlgorithm, $additionalHeader, $recipient['key']);
336			$recipientHeader = $recipient['header'];
337			if (!empty($additionalHeader) && 1 !== count($this->recipients)) {
338			$recipientHeader = array_merge($recipientHeader, $additionalHeader);
339			$additionalHeader = [];
340			}
341
342			return Recipient::create($recipientHeader, $encryptedContentEncryptionKey);
343			}
344
345			/**
346			* @param string $cek
347			* @param string $encodedSharedProtectedHeader
348			*
349			* @return array
350			*/
351			private function encryptJWE(string $cek, string $encodedSharedProtectedHeader): array
352			{
353			$tag = null;
354			$iv_size = $this->contentEncryptionAlgorithm->getIVSize();
355			$iv = $this->createIV($iv_size);
356			$payload = $this->preparePayload();
357			$aad = $this->aad ? Base64Url::encode($this->aad) : null;
358			$ciphertext = $this->contentEncryptionAlgorithm->encryptContent($payload, $cek, $iv, $aad, $encodedSharedProtectedHeader, $tag);
359
360			return [$ciphertext, $iv, $tag];
361			}
362
363			/**
364			* @return string
365			*/
366			private function preparePayload(): ?string
367			{
368			$prepared = $this->payload;
369
370			if (null === $this->compressionMethod) {
371			return $prepared;
372			}
373			$compressedPayload = $this->compressionMethod->compress($prepared);
374
375			return $compressedPayload;
376			}
377
378			/**
379			* @param array $completeHeader
380			* @param string $cek
381			* @param KeyEncryptionAlgorithm $keyEncryptionAlgorithm
382			* @param JWK $recipientKey
383			* @param array $additionalHeader
384			*
385			* @return string\|null
386			*/
387			private function getEncryptedKey(array $completeHeader, string $cek, KeyEncryptionAlgorithm $keyEncryptionAlgorithm, array &$additionalHeader, JWK $recipientKey): ?string
388			{
389			if ($keyEncryptionAlgorithm instanceof KeyEncryption) {
390			return $this->getEncryptedKeyFromKeyEncryptionAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeader);
391			} elseif ($keyEncryptionAlgorithm instanceof KeyWrapping) {
392			return $this->getEncryptedKeyFromKeyWrappingAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $recipientKey, $additionalHeader);
393			} elseif ($keyEncryptionAlgorithm instanceof KeyAgreementWithKeyWrapping) {
394			return $this->getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm($completeHeader, $cek, $keyEncryptionAlgorithm, $additionalHeader, $recipientKey);
395			} elseif ($keyEncryptionAlgorithm instanceof KeyAgreement) {
396			return null;
397			} elseif ($keyEncryptionAlgorithm instanceof DirectEncryption) {
398			return null;
399			}
400
401			throw new \InvalidArgumentException('Unsupported key encryption algorithm.');
402			}
403
404			/**
405			* @param array $completeHeader
406			* @param string $cek
407			* @param KeyAgreementWithKeyWrapping $keyEncryptionAlgorithm
408			* @param array $additionalHeader
409			* @param JWK $recipientKey
410			*
411			* @return string
412			*/
413			private function getEncryptedKeyFromKeyAgreementAndKeyWrappingAlgorithm(array $completeHeader, string $cek, KeyAgreementWithKeyWrapping $keyEncryptionAlgorithm, array &$additionalHeader, JWK $recipientKey): string
414			{
415			return $keyEncryptionAlgorithm->wrapAgreementKey($recipientKey, $cek, $this->contentEncryptionAlgorithm->getCEKSize(), $completeHeader, $additionalHeader);
416			}
417
418			/**
419			* @param array $completeHeader
420			* @param string $cek
421			* @param KeyEncryption $keyEncryptionAlgorithm
422			* @param JWK $recipientKey
423			* @param array $additionalHeader
424			*
425			* @return string
426			*/
427			private function getEncryptedKeyFromKeyEncryptionAlgorithm(array $completeHeader, string $cek, KeyEncryption $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeader): string
428			{
429			return $keyEncryptionAlgorithm->encryptKey($recipientKey, $cek, $completeHeader, $additionalHeader);
430			}
431
432			/**
433			* @param array $completeHeader
434			* @param string $cek
435			* @param KeyWrapping $keyEncryptionAlgorithm
436			* @param JWK $recipientKey
437			* @param array $additionalHeader
438			*
439			* @return string
440			*/
441			private function getEncryptedKeyFromKeyWrappingAlgorithm(array $completeHeader, string $cek, KeyWrapping $keyEncryptionAlgorithm, JWK $recipientKey, array &$additionalHeader): string
442			{
443			return $keyEncryptionAlgorithm->wrapKey($recipientKey, $cek, $completeHeader, $additionalHeader);
444			}
445
446			/**
447			* @param KeyEncryptionAlgorithm $keyEncryptionAlgorithm
448			* @param JWK $recipientKey
449			*/
450			private function checkKey(KeyEncryptionAlgorithm $keyEncryptionAlgorithm, JWK $recipientKey)
451			{
452			KeyChecker::checkKeyUsage($recipientKey, 'encryption');
453			if ('dir' !== $keyEncryptionAlgorithm->name()) {
454			KeyChecker::checkKeyAlgorithm($recipientKey, $keyEncryptionAlgorithm->name());
455			} else {
456			KeyChecker::checkKeyAlgorithm($recipientKey, $this->contentEncryptionAlgorithm->name());
457			}
458			}
459
460			/**
461			* @param array $additionalHeader
462			*
463			* @return string
464			*/
465			private function determineCEK(array &$additionalHeader): string
466			{
467			switch ($this->keyManagementMode) {
468			case KeyEncryption::MODE_ENCRYPT:
469			case KeyEncryption::MODE_WRAP:
470			return $this->createCEK($this->contentEncryptionAlgorithm->getCEKSize());
471			case KeyEncryption::MODE_AGREEMENT:
472			if (1 !== count($this->recipients)) {
473			throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
474			}
475			/** @var JWK $key */
476			$key = $this->recipients[0]['key'];
477			/** @var KeyAgreement $algorithm */
478			$algorithm = $this->recipients[0]['key_encryption_algorithm'];
479			$completeHeader = array_merge($this->sharedHeader, $this->recipients[0]['header'], $this->sharedProtectedHeader);
480
481			return $algorithm->getAgreementKey($this->contentEncryptionAlgorithm->getCEKSize(), $this->contentEncryptionAlgorithm->name(), $key, $completeHeader, $additionalHeader);
482			case KeyEncryption::MODE_DIRECT:
483			if (1 !== count($this->recipients)) {
484			throw new \LogicException('Unable to encrypt for multiple recipients using key agreement algorithms.');
485			}
486			/** @var JWK $key */
487			$key = $this->recipients[0]['key'];
488			if ('oct' !== $key->get('kty')) {
489			throw new \RuntimeException('Wrong key type.');
490			}
491
492			return Base64Url::decode($key->get('k'));
493			default:
494			throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $this->keyManagementMode));
495			}
496			}
497
498			/**
499			* @param array $completeHeader
500			*
501			* @return CompressionMethod\|null
502			*/
503			private function getCompressionMethod(array $completeHeader): ?CompressionMethod
504			{
505			if (!array_key_exists('zip', $completeHeader)) {
506			return null;
507			}
508
509			return $this->compressionManager->get($completeHeader['zip']);
510			}
511
512			/**
513			* @param string $current
514			* @param string $new
515			*
516			* @return bool
517			*/
518			private function areKeyManagementModesCompatible(string $current, string $new): bool
519			{
520			$agree = KeyEncryptionAlgorithm::MODE_AGREEMENT;
521			$dir = KeyEncryptionAlgorithm::MODE_DIRECT;
522			$enc = KeyEncryptionAlgorithm::MODE_ENCRYPT;
523			$wrap = KeyEncryptionAlgorithm::MODE_WRAP;
524			$supportedKeyManagementModeCombinations = [$enc.$enc => true, $enc.$wrap => true, $wrap.$enc => true, $wrap.$wrap => true, $agree.$agree => false, $agree.$dir => false, $agree.$enc => false, $agree.$wrap => false, $dir.$agree => false, $dir.$dir => false, $dir.$enc => false, $dir.$wrap => false, $enc.$agree => false, $enc.$dir => false, $wrap.$agree => false, $wrap.$dir => false];
525
526			if (array_key_exists($current.$new, $supportedKeyManagementModeCombinations)) {
527			return $supportedKeyManagementModeCombinations[$current.$new];
528			}
529
530			return false;
531			}
532
533			/**
534			* @param int $size
535			*
536			* @return string
537			*/
538			private function createCEK(int $size): string
539			{
540			return random_bytes($size / 8);
541			}
542
543			/**
544			* @param int $size
545			*
546			* @return string
547			*/
548			private function createIV(int $size): string
549			{
550			return random_bytes($size / 8);
551			}
552
553			/**
554			* @param array $completeHeader
555			*
556			* @return KeyEncryptionAlgorithm
557			*/
558			private function getKeyEncryptionAlgorithm(array $completeHeader): KeyEncryptionAlgorithm
559			{
560			if (!array_key_exists('alg', $completeHeader)) {
561			throw new \InvalidArgumentException('Parameter "alg" is missing.');
562			}
563			$keyEncryptionAlgorithm = $this->keyEncryptionAlgorithmManager->get($completeHeader['alg']);
564			if (!$keyEncryptionAlgorithm instanceof KeyEncryptionAlgorithm) {
565			throw new \InvalidArgumentException(sprintf('The key encryption algorithm "%s" is not supported or not a key encryption algorithm instance.', $completeHeader['alg']));
566			}
567
568			return $keyEncryptionAlgorithm;
569			}
570
571			/**
572			* @param array $completeHeader
573			*
574			* @return ContentEncryptionAlgorithm
575			*/
576			private function getContentEncryptionAlgorithm(array $completeHeader): ContentEncryptionAlgorithm
577			{
578			if (!array_key_exists('enc', $completeHeader)) {
579			throw new \InvalidArgumentException('Parameter "enc" is missing.');
580			}
581			$contentEncryptionAlgorithm = $this->contentEncryptionAlgorithmManager->get($completeHeader['enc']);
582			if (!$contentEncryptionAlgorithm instanceof ContentEncryptionAlgorithm) {
583			throw new \InvalidArgumentException(sprintf('The content encryption algorithm "%s" is not supported or not a content encryption algorithm instance.', $completeHeader['alg']));
584			}
585
586			return $contentEncryptionAlgorithm;
587			}
588
589			/**
590			* @param array $header1
591			* @param array $header2
592			*/
593			private function checkDuplicatedHeaderParameters(array $header1, array $header2)
594			{
595			$inter = array_intersect_key($header1, $header2);
596			if (!empty($inter)) {
597			throw new \InvalidArgumentException(sprintf('The header contains duplicated entries: %s.', implode(', ', array_keys($inter))));
598			}
599			}
600			}
601

web-token / jwt-framework

Push — master ( d2ad41...5d048e )

JWEBuilder D

Complexity

Size/Duplication

Coupling/Cohesion

Importance

28 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like