primo commit

libraries/vendor/web-token/jwt-library/NestedToken/NestedTokenBuilder.php

@@ -0,0 +1,83 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Jose\Component\NestedToken;
+
+use InvalidArgumentException;
+use Jose\Component\Core\JWK;
+use Jose\Component\Encryption\JWEBuilder;
+use Jose\Component\Encryption\Serializer\JWESerializerManager;
+use Jose\Component\Signature\JWSBuilder;
+use Jose\Component\Signature\Serializer\JWSSerializerManager;
+use function array_key_exists;
+use function is_array;
+
+class NestedTokenBuilder
+{
+    public function __construct(
+        private readonly JWEBuilder $jweBuilder,
+        private readonly JWESerializerManager $jweSerializerManager,
+        private readonly JWSBuilder $jwsBuilder,
+        private readonly JWSSerializerManager $jwsSerializerManager
+    ) {
+    }
+
+    /**
+     * Creates a nested token.
+     *
+     * @param array{array{key: JWK, protected_header?: array<string, mixed>, header?: array<string, mixed>}} $signatures
+     * @param array{alg?: string, string?: mixed} $jweSharedProtectedHeader
+     * @param array{alg?: string, string?: mixed} $jweSharedHeader
+     * @param array{array{key: JWK, header?: array<string, mixed>}} $recipients
+     */
+    public function create(
+        string $payload,
+        array $signatures,
+        string $jws_serialization_mode,
+        array $jweSharedProtectedHeader,
+        array $jweSharedHeader,
+        array $recipients,
+        string $jwe_serialization_mode,
+        ?string $aad = null
+    ): string {
+        $jws = $this->jwsBuilder->create()
+            ->withPayload($payload);
+        foreach ($signatures as $signature) {
+            if (! is_array($signature) || ! array_key_exists('key', $signature)) {
+                throw new InvalidArgumentException(
+                    'The signatures must be an array of arrays containing a key, a protected header and a header'
+                );
+            }
+            $signature['protected_header'] = array_key_exists(
+                'protected_header',
+                $signature
+            ) ? $signature['protected_header'] : [];
+            $signature['header'] = array_key_exists('header', $signature) ? $signature['header'] : [];
+            $jws = $jws->addSignature($signature['key'], $signature['protected_header'], $signature['header']);
+        }
+        $jws = $jws->build();
+        $token = $this->jwsSerializerManager->serialize($jws_serialization_mode, $jws);
+
+        $jweSharedProtectedHeader['cty'] = 'JWT';
+
+        $jwe = $this->jweBuilder
+            ->create()
+            ->withPayload($token)
+            ->withSharedProtectedHeader($jweSharedProtectedHeader)
+            ->withSharedHeader($jweSharedHeader)
+            ->withAAD($aad);
+        foreach ($recipients as $recipient) {
+            if (! is_array($recipient) || ! array_key_exists('key', $recipient)) {
+                throw new InvalidArgumentException(
+                    'The recipients must be an array of arrays containing a key and a header'
+                );
+            }
+            $recipient['header'] = array_key_exists('header', $recipient) ? $recipient['header'] : [];
+            $jwe = $jwe->addRecipient($recipient['key'], $recipient['header']);
+        }
+        $jwe = $jwe->build();
+
+        return $this->jweSerializerManager->serialize($jwe_serialization_mode, $jwe);
+    }
+}