encryption – PHP Decrypt JWT using JWKs

I have been spending days trying to decrypt the JWT claims from the token response I received from the authorization server. I found Jose and Firebase to decrypt this token; however, I cannot reach the result.

Here is the response of the server:

{"access_token":"HPWKl8BBSbTy0Q4FZI9hnKHNwjMmgP+c9HU4UMpMhKY=","token_type":"Bearer","id_token":"eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJCY2l2NFBucW96OEo1V3NnbU1fX2tLTkpPVnJQWkJZVDVOeGxRXzA1VlFRIiwieSI6IktfeDZwM09NbjVUTFVIWGtQWFRPNE1PMjdUenVDRjFQYzJtdS1Lb3RKbDAifSwia2lkIjoib2N0b3B1czhfZW5jX2tleV8wMSIsImN0eSI6IkpXVCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJhbGciOiJFQ0RILUVTK0ExMjhLVyJ9.VTTCQu9eWAGXBNQg4rjHJV7tQocHs0xXP1fstWFn4wf3qnPCct81u2dPMcZO2kQl81FPmcIGeQEK6DJxMIam6-bPAHBn3ISx.J4j2rz0RlXPctWa8V0BaDA.B7PRbtws5ys-iHmTaa-cYABMMQ2es65_poX9EEsz59pIbbN70wIkbmajXQ45oBXE2L0j35R-5vrP3rhL1dJZAmNMWcZG4kZXCKt-Ui6MvzHI-ekUzfDHp-t8VhvHQFk7VZ_EtVpYn_3X810wvdc2nnZFhAF81Wb5urw2UvX9ZeFKHQnWzpKq9dobMlYjThIYDEm4tpeFycCg_g8gMBbhpZK1asyfdhAzjxcy__tF3_9lfVnFImE8GEk4uz4svQmz9lD0_b2RskG0yUvXf84xbUNmMj5aSYiwdgs8-fi-ICBIK80fPk-xrHfxQX0FqxElRRPJExMOC6wQXHW3twwZGzoiNnLMmzd21tkHLIPcaZrbAQM2eRiwpJ2COEXBjQNpcWVf4Xriy_4zddiYTvpoEgRw2cWGnqfSOHRZznZbHvqvyybfyJ5bc-x9EvUlv4Zvc8XVlOM0qK288HvEwxpKqDOEnQzYeIf2wawkib7D0W-FM3Rn_8uGmdtqbxqdPfLlEb2Kx4VGoKChmrbC3gg0P5bi20WKoE7A2IysZ_zkwOpqEk1s8KkX4AFaOp2o7r_aRrssv-B76fM80BaMxPy9SNWgEy72FfGZOlta0MSzKJ0.aMFnB9jKX_PtcIXatQr2oc1odfCw7CCWAH3TTWIxRjc"}

Below you can find its encryption and signing keys.

SIGNING KEYS

Public and Private Keypair

{
    "kty": "EC",
    "d": "J9iJEKvHTaUsRPruZQMJnvlzw5wpFqffjb4a3FvrUuw",
    "use": "sig",
    "crv": "P-256",
    "kid": "octopus8_sig_key_01",
    "x": "25qGBnzAT1kA0t41In4HYFC3p0RCLbCILKu3Pgepj90",
    "y": "ZoE2CNnKgR-MAIbRiEIoj8rzbhL9UicUyHE-qzV2NsE",
    "alg": "ES256"
}

Private Key (X.509 PEM Format)

-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCAn2IkQq8dNpSxE+u5l
Awme+XPDnCkWp9+NvhrcW+tS7A==
-----END PRIVATE KEY-----

Public and Private Keypair Set

{
    "keys": [
        {
            "kty": "EC",
            "d": "J9iJEKvHTaUsRPruZQMJnvlzw5wpFqffjb4a3FvrUuw",
            "use": "sig",
            "crv": "P-256",
            "kid": "octopus8_sig_key_01",
            "x": "25qGBnzAT1kA0t41In4HYFC3p0RCLbCILKu3Pgepj90",
            "y": "ZoE2CNnKgR-MAIbRiEIoj8rzbhL9UicUyHE-qzV2NsE",
            "alg": "ES256"
        }
    ]
}

Self-Signed Certificate

-----BEGIN CERTIFICATE-----
MIIBLTCB1KADAgECAgYBgEKZTNwwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTb2N0
b3B1czhfc2lnX2tleV8wMTAeFw0yMjA0MTkxNjEzMDRaFw0yMzAyMTMxNjEzMDRa
MB4xHDAaBgNVBAMME29jdG9wdXM4X3NpZ19rZXlfMDEwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAATbmoYGfMBPWQDS3jUifgdgULenREItsIgsq7c+B6mP3WaBNgjZ
yoEfjACG0YhCKI/K824S/VInFMhxPqs1djbBMAoGCCqGSM49BAMCA0gAMEUCIDKq
wlZTdg6mBNKDyt4ABe1yjYb9J12/hd9/UK9ya7rNAiEAzy2EFplqXqmdGkauXAha
qzCsI9IVFKw6dnbFnwzEGTM=
-----END CERTIFICATE-----

Public Key

{
    "kty": "EC",
    "use": "sig",
    "crv": "P-256",
    "kid": "octopus8_sig_key_01",
    "x": "25qGBnzAT1kA0t41In4HYFC3p0RCLbCILKu3Pgepj90",
    "y": "ZoE2CNnKgR-MAIbRiEIoj8rzbhL9UicUyHE-qzV2NsE",
    "alg": "ES256"
}

Public Key (X.509 PEM Format)

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE25qGBnzAT1kA0t41In4HYFC3p0RC
LbCILKu3Pgepj91mgTYI2cqBH4wAhtGIQiiPyvNuEv1SJxTIcT6rNXY2wQ==
-----END PUBLIC KEY-----

ENCRYPTION KEYS

Public and Private Keypair

{
    "kty": "EC",
    "d": "cV6QfdH46rZ1t5qYAq9IiZOmkxbQxoU1S_oYr0BDYdI",
    "use": "enc",
    "crv": "P-256",
    "kid": "octopus8_enc_key_01",
    "x": "OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ",
    "y": "httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw",
    "alg": "ECDH-ES+A128KW"
}

Private Key (X.509 PEM Format)

-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCBxXpB90fjqtnW3mpgC
r0iJk6aTFtDGhTVL+hivQENh0g==
-----END PRIVATE KEY-----

Public and Private Keypair Set

{
    "keys": [
        {
            "kty": "EC",
            "d": "cV6QfdH46rZ1t5qYAq9IiZOmkxbQxoU1S_oYr0BDYdI",
            "use": "enc",
            "crv": "P-256",
            "kid": "octopus8_enc_key_01",
            "x": "OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ",
            "y": "httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw",
            "alg": "ECDH-ES+A128KW"
        }
    ]
}

Self-Signed Certificate

-----BEGIN CERTIFICATE-----
MIIBLTCB1KADAgECAgYBgHC9XlUwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAwwTb2N0
b3B1czhfZW5jX2tleV8wMTAeFw0yMjA0MjgxNTE1MDBaFw0yMzAyMjIxNTE1MDBa
MB4xHDAaBgNVBAMME29jdG9wdXM4X2VuY19rZXlfMDEwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQ5nSIbL25or56yAPHTbUlqWoCHwrKinibS/w69JKrlRIbbXAyR
zCllUN77YgSlyUZ1HD6WHaI8109iIXRVaRS8MAoGCCqGSM49BAMCA0gAMEUCIQDU
vsMHxe1XcjIJS+ubxc8W3IhjMtxNE/07HelmC5vk6QIgWcfio/ayX1R+x/GXf2E+
mYF/B4xWQUV/nmM2aCLdBbg=
-----END CERTIFICATE-----

Public Key

{
    "kty": "EC",
    "use": "enc",
    "crv": "P-256",
    "kid": "octopus8_enc_key_01",
    "x": "OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ",
    "y": "httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw",
    "alg": "ECDH-ES+A128KW"
}

Public Key (X.509 PEM Format)

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOZ0iGy9uaK+esgDx021JalqAh8Ky
op4m0v8OvSSq5USG21wMkcwpZVDe+2IEpclGdRw+lh2iPNdPYiF0VWkUvA==
-----END PUBLIC KEY-----

JWK public keys (served at the endpoint)

{
    "keys": [
        {
            "kty": "EC",
            "use": "sig",
            "crv": "P-256",
            "kid": "octopus8_sig_key_01",
            "x": "25qGBnzAT1kA0t41In4HYFC3p0RCLbCILKu3Pgepj90",
            "y": "ZoE2CNnKgR-MAIbRiEIoj8rzbhL9UicUyHE-qzV2NsE",
            "alg": "ES256"
        },
        {
            "kty": "EC",
            "use": "enc",
            "crv": "P-256",
            "kid": "octopus8_enc_key_01",
            "x": "OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ",
            "y": "httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw",
            "alg": "ECDH-ES+A128KW"
        }
    ]
}

I saw that many PHP libraries do not support ECDH-ES. Who has an example or code template to decrypt the data from the payload?

Thanks in advance.
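The first segment of the posted id_token base64url-decodes to a JOSE header with `alg: ECDH-ES+A128KW`, `enc: A256CBC-HS512`, `cty: JWT` and `kid: octopus8_enc_key_01`, so it is a JWE (five dot-separated parts), not a JWS; the `cty: JWT` tells you the plaintext inside is itself a compact JWS, which the post's `sig` key (ES256) signs. That is why the JWS-only libraries did not get anywhere: decryption needs the `enc` key with its private `d` member (the keypair shown in the post, which must never be published in the JWKS), and only afterwards does the public `sig` key from the JWK endpoint come into play to verify the inner signature. The `access_token` in the same response is an opaque base64 value with no dot-separated segments, so there is nothing to decode there. The following script is an added example, not code from the question or from any library's documentation; it assumes the web-token/jwt-framework package (`composer require web-token/jwt-framework`) with its v2.x/v3.x API (the class names, `JWEDecrypter`/`JWSVerifier` constructors and `selectKey` signature below are from that API) and copies the token, the `enc` keypair and the JWKS straight from the question:

```php
<?php
// Added example, not the poster's code: decrypt the id_token from the question
// (JWE: alg=ECDH-ES+A128KW, enc=A256CBC-HS512, cty=JWT) with the "enc" private
// key, then verify the nested ES256 JWS against the "sig" key from the JWKS.
// Assumes `composer require web-token/jwt-framework` with the v2.x/v3.x API.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\IssuedAtChecker;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHESA128KW;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\CompactSerializer as JWECompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializerManager;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer as JWSCompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializerManager;

// $encPrivateJwkJson: the "enc" JWK *with* its "d" member (kept on the client, never published).
// $jwksJson: the public key set served by the JWK endpoint.
function decryptAndVerifyIdToken(string $idToken, string $encPrivateJwkJson, string $jwksJson): array
{
    // Layer 1: JWE. The algorithm managers pin what is accepted; a header naming
    // any other alg/enc is rejected before a key is touched.
    $decrypter = new JWEDecrypter(
        new AlgorithmManager([new ECDHESA128KW()]),  // key management
        new AlgorithmManager([new A256CBCHS512()]),  // content encryption
        new CompressionMethodManager([new Deflate()])
    );
    $jwe = (new JWESerializerManager([new JWECompactSerializer()]))->unserialize($idToken);
    if (!$decrypter->decryptUsingKey($jwe, JWK::createFromJson($encPrivateJwkJson), 0)) {
        throw new RuntimeException('JWE decryption failed (wrong enc private key or tampered token)');
    }
    $inner = $jwe->getPayload();
    if ($inner === null || ($jwe->getSharedProtectedHeader()['cty'] ?? null) !== 'JWT') {
        throw new RuntimeException('Expected a nested JWT (cty=JWT) as the JWE plaintext');
    }

    // Layer 2: JWS. Pick the key from the JWKS by the inner token's kid,
    // restricted to use=sig keys that ES256 can use.
    $es256 = new ES256();
    $jws = (new JWSSerializerManager([new JWSCompactSerializer()]))->unserialize($inner);
    $kid = $jws->getSignature(0)->getProtectedHeader()['kid'] ?? null;
    $sigKey = JWKSet::createFromJson($jwksJson)->selectKey('sig', $es256, $kid === null ? [] : ['kid' => $kid]);
    if ($sigKey === null) {
        throw new RuntimeException('No usable ES256 signing key for kid=' . var_export($kid, true));
    }
    if (!(new JWSVerifier(new AlgorithmManager([$es256])))->verifyWithKey($jws, $sigKey, 0)) {
        throw new RuntimeException('ES256 signature verification failed');
    }

    // Layer 3: claims. exp and iat are required here; a production RP also adds
    // AudienceChecker(client_id) and IssuerChecker([issuer]) from Jose\Component\Checker.
    $claims = json_decode((string) $jws->getPayload(), true, 512, JSON_THROW_ON_ERROR);
    return (new ClaimCheckerManager([new IssuedAtChecker(), new ExpirationTimeChecker()]))
        ->check($claims, ['exp', 'iat']);
}

// Inputs copied from the question. The "enc" JWK below is the keypair (with d), not the endpoint's public half.
$encPrivateJwk = '{"kty":"EC","d":"cV6QfdH46rZ1t5qYAq9IiZOmkxbQxoU1S_oYr0BDYdI","use":"enc","crv":"P-256",'
    . '"kid":"octopus8_enc_key_01","x":"OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ",'
    . '"y":"httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw","alg":"ECDH-ES+A128KW"}';
$jwks = '{"keys":[{"kty":"EC","use":"sig","crv":"P-256","kid":"octopus8_sig_key_01",'
    . '"x":"25qGBnzAT1kA0t41In4HYFC3p0RCLbCILKu3Pgepj90","y":"ZoE2CNnKgR-MAIbRiEIoj8rzbhL9UicUyHE-qzV2NsE","alg":"ES256"},'
    . '{"kty":"EC","use":"enc","crv":"P-256","kid":"octopus8_enc_key_01",'
    . '"x":"OZ0iGy9uaK-esgDx021JalqAh8Kyop4m0v8OvSSq5UQ","y":"httcDJHMKWVQ3vtiBKXJRnUcPpYdojzXT2IhdFVpFLw","alg":"ECDH-ES+A128KW"}]}';
$idToken = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJCY2l2NFBucW96OEo1V3NnbU1fX2tLTkpPVnJQWkJZVDVOeGxRXzA1VlFRIiwieSI6IktfeDZwM09NbjVUTFVIWGtQWFRPNE1PMjdUenVDRjFQYzJtdS1Lb3RKbDAifSwia2lkIjoib2N0b3B1czhfZW5jX2tleV8wMSIsImN0eSI6IkpXVCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJhbGciOiJFQ0RILUVTK0ExMjhLVyJ9'
    . '.VTTCQu9eWAGXBNQg4rjHJV7tQocHs0xXP1fstWFn4wf3qnPCct81u2dPMcZO2kQl81FPmcIGeQEK6DJxMIam6-bPAHBn3ISx'
    . '.J4j2rz0RlXPctWa8V0BaDA'
    . '.B7PRbtws5ys-iHmTaa-cYABMMQ2es65_poX9EEsz59pIbbN70wIkbmajXQ45oBXE2L0j35R-5vrP3rhL1dJZAmNMWcZG4kZXCKt-Ui6MvzHI'
    . '-ekUzfDHp-t8VhvHQFk7VZ_EtVpYn_3X810wvdc2nnZFhAF81Wb5urw2UvX9ZeFKHQnWzpKq9dobMlYjThIYDEm4tpeFycCg_g8gMBbhpZK1asyfdhAzjxcy'
    . '__tF3_9lfVnFImE8GEk4uz4svQmz9lD0_b2RskG0yUvXf84xbUNmMj5aSYiwdgs8-fi-ICBIK80fPk-xrHfxQX0FqxElRRPJExMOC6wQXHW3twwZGzoiNnLMmzd21'
    . 'tkHLIPcaZrbAQM2eRiwpJ2COEXBjQNpcWVf4Xriy_4zddiYTvpoEgRw2cWGnqfSOHRZznZbHvqvyybfyJ5bc'
    . '-x9EvUlv4Zvc8XVlOM0qK288HvEwxpKqDOEnQzYeIf2wawkib7D0W-FM3Rn_8uGmdtqbxqdPfLlEb2Kx4VGoKChmrbC3gg0P5bi20WKoE7A2IysZ_zkwOpqEk1s8KkX4AFaOp2o7r_aRrssv-B76fM80BaMxPy9SNWgEy72FfGZOlta0MSzKJ0'
    . '.aMFnB9jKX_PtcIXatQr2oc1odfCw7CCWAH3TTWIxRjc';

try {
    print_r(decryptAndVerifyIdToken($idToken, $encPrivateJwk, $jwks));
} catch (Throwable $e) {
    fwrite(STDERR, get_class($e) . ': ' . $e->getMessage() . PHP_EOL); // names the layer that failed
    exit(1);
}
```

Each layer throws with its own message, so a failure tells you whether the problem is the JWE (wrong or public-only `enc` key, or a token that is not `ECDH-ES+A128KW`/`A256CBC-HS512`), the inner JWS (no `sig` key with that `kid`, or a bad signature) or the claims. Note that the exchange is signed-then-encrypted, so the order is fixed: decrypt first, verify second, and never trust any claim before the signature check has passed. The algorithms are pinned in code rather than read from the header, which is what stops an attacker from substituting a weaker `alg`/`enc` of their choosing. If the posted token carries an `exp` that has since passed, the last step throws; that is the correct outcome, not a bug.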
