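/**
* Determines the content encryption key (CEK) for the given key management mode.
*
* @param \Jose\Object\JWEInterface $jwe
* @param \Jose\Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm
* @param string $key_management_mode One of the KeyEncryptionInterface::MODE_* constants
* @param array $additional_headers Passed by reference to the key agreement algorithm
*
* @throws \InvalidArgumentException If the key management mode is not supported
*
* @return string
*/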
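private function determineCEK(Object\JWEInterface $jwe, Algorithm\ContentEncryptionAlgorithmInterface $content_encryption_algorithm, $key_management_mode, array &$additional_headers)
{
    // Where the CEK comes from depends on the key management mode: createCEK()
    // for key encryption and key wrapping, the key agreement algorithm for
    // agreement, and the recipient's own symmetric key in direct mode.
    switch ($key_management_mode) {
        case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_ENCRYPT:
        case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_WRAP:
            // The size is taken from the content encryption algorithm, so the
            // CEK always matches what that algorithm asks for.
            return $this->createCEK($content_encryption_algorithm->getCEKSize());

        case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_AGREEMENT:
            // The agreed key is the CEK itself, so it cannot be shared between recipients.
            Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using key agreement algorithms.');
            $recipient = $jwe->getRecipient(0);

            // array_merge() lets the later array win on duplicate string keys:
            // a per-recipient header replaces a shared or shared protected
            // header of the same name before the algorithm is looked up.
            // NOTE(review): confirm that header names are checked for
            // disjointness before this point.
            $complete_headers = array_merge($jwe->getSharedProtectedHeaders(), $jwe->getSharedHeaders(), $recipient->getHeaders());
            $algorithm = $this->findKeyEncryptionAlgorithm($complete_headers);

            // $additional_headers is handed over by reference so the algorithm
            // can report header values back to the caller.
            return $algorithm->getAgreementKey($content_encryption_algorithm->getCEKSize(), $content_encryption_algorithm->getAlgorithmName(), $recipient->getRecipientKey(), $complete_headers, $additional_headers);

        case Algorithm\KeyEncryption\KeyEncryptionInterface::MODE_DIRECT:
            // The message previously named key agreement here (copied from the
            // case above), which pointed at the wrong mode when this check failed.
            Assertion::eq(1, $jwe->countRecipients(), 'Unable to encrypt for multiple recipients using direct encryption.');
            $recipient_key = $jwe->getRecipient(0)->getRecipientKey();
            Assertion::eq($recipient_key->get('kty'), 'oct', 'Wrong key type.');
            Assertion::true($recipient_key->has('k'), 'The key parameter "k" is missing.');

            // NOTE(review): the decoded "k" value is used as the CEK as-is; its
            // length is not compared with getCEKSize() here. Confirm that the
            // content encryption algorithm rejects a key of the wrong size.
            return Base64Url::decode($recipient_key->get('k'));

        default:
            throw new \InvalidArgumentException(sprintf('Unsupported key management mode "%s".', $key_management_mode));
    }
}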