1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
declare(strict_types=1); |
4
|
|
|
|
5
|
|
|
/* |
6
|
|
|
* The MIT License (MIT) |
7
|
|
|
* |
8
|
|
|
* Copyright (c) 2014-2018 Spomky-Labs |
9
|
|
|
* |
10
|
|
|
* This software may be modified and distributed under the terms |
11
|
|
|
* of the MIT license. See the LICENSE file for details. |
12
|
|
|
*/ |
13
|
|
|
|
14
|
|
|
namespace Jose\Component\Encryption; |
15
|
|
|
|
16
|
|
|
use Jose\Component\Core\JWKSet; |
17
|
|
|
use Jose\Component\Signature\JWS; |
18
|
|
|
use Jose\Component\Signature\JWSLoader; |
19
|
|
|
|
20
|
|
|
class NestedTokenLoader |
21
|
|
|
{ |
22
|
|
|
/** |
23
|
|
|
* @var JWSLoader |
24
|
|
|
*/ |
25
|
|
|
private $jwsLoader; |
26
|
|
|
|
27
|
|
|
/** |
28
|
|
|
* @var JWELoader |
29
|
|
|
*/ |
30
|
|
|
private $jweLoader; |
31
|
|
|
|
32
|
|
|
/** |
33
|
|
|
* NestedToken constructor. |
34
|
|
|
* |
35
|
|
|
* @param JWELoader $jweLoader |
36
|
|
|
* @param JWSLoader $jwsLoader |
37
|
|
|
*/ |
38
|
|
|
public function __construct(JWELoader $jweLoader, JWSLoader $jwsLoader) |
39
|
|
|
{ |
40
|
|
|
$this->jweLoader = $jweLoader; |
41
|
|
|
$this->jwsLoader = $jwsLoader; |
42
|
|
|
} |
43
|
|
|
|
44
|
|
|
/** |
45
|
|
|
* @param string $token |
46
|
|
|
* @param JWKSet $encryptionKeySet |
47
|
|
|
* @param JWKSet $signatureKeySet |
48
|
|
|
* @param int|null $signature |
49
|
|
|
* |
50
|
|
|
* @throws \Exception |
51
|
|
|
* |
52
|
|
|
* @return JWS |
53
|
|
|
*/ |
54
|
|
|
public function load(string $token, JWKSet $encryptionKeySet, JWKSet $signatureKeySet, ?int &$signature = null): JWS |
55
|
|
|
{ |
56
|
|
|
$recipient = null; |
57
|
|
|
$jwe = $this->jweLoader->loadAndDecryptWithKeySet($token, $encryptionKeySet, $recipient); |
58
|
|
|
$this->checkContentTypeHeader($jwe, $recipient); |
59
|
|
|
if (null === $jwe->getPayload()) { |
60
|
|
|
throw new \InvalidArgumentException('The token has no payload.'); |
61
|
|
|
} |
62
|
|
|
|
63
|
|
|
return $this->jwsLoader->loadAndVerifyWithKeySet($jwe->getPayload(), $signatureKeySet, $signature); |
64
|
|
|
} |
65
|
|
|
|
66
|
|
|
/** |
67
|
|
|
* @param JWE $jwe |
68
|
|
|
* @param int $recipient |
69
|
|
|
* |
70
|
|
|
* @throws \InvalidArgumentException |
71
|
|
|
*/ |
72
|
|
|
private function checkContentTypeHeader(JWE $jwe, int $recipient) |
73
|
|
|
{ |
74
|
|
|
switch (true) { |
75
|
|
|
case $jwe->hasSharedProtectedHeaderParameter('cty'): |
76
|
|
|
$cty = $jwe->getSharedProtectedHeaderParameter('cty'); |
77
|
|
|
break; |
78
|
|
|
case $jwe->hasSharedHeaderParameter('cty'): |
79
|
|
|
$cty = $jwe->getSharedHeaderParameter('cty'); |
80
|
|
|
break; |
81
|
|
|
case $jwe->getRecipient($recipient)->hasHeaderParameter('cty'): |
82
|
|
|
$cty = $jwe->getRecipient($recipient)->getHeaderParameter('cty'); |
83
|
|
|
break; |
84
|
|
|
default: |
85
|
|
|
throw new \InvalidArgumentException('The token is not a nested token.'); |
86
|
|
|
} |
87
|
|
|
|
88
|
|
|
if (0 !== strcasecmp($cty, 'jwt')) { |
89
|
|
|
throw new \InvalidArgumentException('The token is not a nested token.'); |
90
|
|
|
} |
91
|
|
|
} |
92
|
|
|
} |
93
|
|
|
|