To perform cryptographic operations (signature/verification and encryption/decryption), you will need keys. The keys can be grouped in key sets. The JWK and JWKSet objects are part of the web-token/jwt-core component.
A JWK object represents a key. It contains all parameters needed by the algorithm and also informational parameters. This framework is able to create private and public keys easily. It can also generate those keys from external resources. Read the key creation section below to learn how to create your keys.

A JWKSet object represents a key set. It can contain several keys. We recommend that you avoid mixing public, private or shared keys in the same key set. Please refer to the key set section below to learn how to create and use key sets.
You can create a JWKSet object using three static methods:
JWKSet::createFromKeys(array $keys): creates a JWKSet from a list of JWK objects.
JWKSet::createFromJson(string $json): creates a JWKSet from a JSON string.
JWKSet::createFromKeyData(array $values): creates a JWKSet from a decoded JSON object.
All methods available for a JWKSet object are listed hereafter. The variable $jwkset is a valid JWKSet object. Please note that a JWKSet object is immutable.
You can create a JWK object using two static methods:
JWK::create(array $values): creates a JWK from direct values.
JWK::createFromJson(string $json): creates a JWK from a JSON string.
All methods available for a JWK object are listed hereafter. The variable $jwk is a valid JWK object. Please note that a JWK object is immutable.
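The JWK and JWKSet API described above, as an added example that is not part of the original documentation or of the web-token project. It assumes the jwt-core component is installed through Composer; the secrets and kid values are constructed for the demonstration, and the assert() calls spell out the expected results (they are enforced when zend.assertions is enabled).

```php
<?php
// Added example (not from the web-token documentation): building JWK and
// JWKSet objects from web-token/jwt-core and exercising their immutability.
require_once __DIR__ . '/vendor/autoload.php'; // assumes the Composer autoloader

use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;

// base64url without padding (RFC 7515, section 2), the encoding of the "k" parameter.
function base64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Constructed sample: a 256-bit shared secret. In production it comes from a
// secrets store, never from a literal in source.
$secret = random_bytes(32);

// A JWK from direct values. "use" and "alg" narrow what the key may be used for.
$jwk = JWK::create([
    'kty' => 'oct',
    'kid' => 'hs256-2024-01',   // constructed key identifier
    'use' => 'sig',
    'alg' => 'HS256',
    'k'   => base64url($secret),
]);

// Parameter access and an RFC 7638 thumbprint, which for "oct" depends on kty and k only.
assert($jwk->has('k'));
assert($jwk->get('kty') === 'oct');
$thumbprint = $jwk->thumbprint('sha256');

// The same key, round-tripped through its JSON form (JWK implements JsonSerializable).
$copy = JWK::createFromJson(json_encode($jwk));
assert($copy->thumbprint('sha256') === $thumbprint);

// A key set from JWK objects. Keys carrying a "kid" are indexed by it.
$other = JWK::create([
    'kty' => 'oct',
    'kid' => 'hs256-2024-02',   // constructed key identifier
    'use' => 'sig',
    'alg' => 'HS256',
    'k'   => base64url(random_bytes(32)),
]);
$jwkset = JWKSet::createFromKeys([$jwk]);
assert(count($jwkset) === 1);

// Immutability: with() and without() return a new set; $jwkset itself is unchanged.
$rotated = $jwkset->with($other);
assert(count($jwkset) === 1 && count($rotated) === 2);
$trimmed = $rotated->without('hs256-2024-01');
assert(count($trimmed) === 1 && $trimmed->has('hs256-2024-02'));
assert(!$trimmed->has('hs256-2024-01'));

// Key sets also round-trip through JSON; the serialized form is {"keys":[...]}.
$fromJson = JWKSet::createFromJson(json_encode($rotated));
assert($fromJson->get('hs256-2024-02')->get('kid') === 'hs256-2024-02');

// ... and can be built from an already-decoded JSON object.
$fromData = JWKSet::createFromKeyData(json_decode(json_encode($rotated), true));
assert(count($fromData) === 2);

echo 'keys in rotated set: ', count($rotated), PHP_EOL;
```

Because every mutating call returns a new instance, a key rotation that adds the new key and later drops the old one never alters a set that other code already holds a reference to; keep the result of with()/without() or the change is lost.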
This framework is able to create private and public keys easily using the JWKFactory. It is available in the web-token/jwt-key-mgmt component. Four types of keys are supported:
Symmetric key:
oct: octet string
Asymmetric keys:
RSA: RSA key pair
EC: Elliptic Curve key pair
OKP: Octet key pair
Note: for the none algorithm, the framework needs a key of type none. This is a specific key type that must only be used with this algorithm.
The following example shows how to create an oct key. Additional parameters are set to limit the scope of this key (e.g. signature/verification only with the HS256 algorithm).
The following feature was introduced in version 1.1. If you already have a shared secret, you can use it to create an oct key:
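Both ways of obtaining an oct key, the generated one with its scope restricted to HS256 and the one built from an existing shared secret, as an added example that is not part of the original documentation or of the web-token project. It assumes the jwt-key-mgmt component is installed through Composer; the kid values and the shared secret are constructed, and checkHmacKeyLength() is a helper written for this example.

```php
<?php
// Added example (not from the web-token documentation): creating "oct" keys with
// JWKFactory from web-token/jwt-key-mgmt, restricted to HS256 signatures.
require_once __DIR__ . '/vendor/autoload.php'; // assumes the Composer autoloader

use Jose\Component\Core\JWK;
use Jose\Component\KeyManagement\JWKFactory;

// A fresh 256-bit random secret. The extra parameters restrict the key to
// signature/verification with HS256, so a consumer that honours "use"/"alg"
// will not accept it for any other purpose or algorithm.
$generated = JWKFactory::createOctKey(256, [
    'kid' => 'hs256-generated', // constructed identifier
    'use' => 'sig',
    'alg' => 'HS256',
]);

// The same scope applied to a secret you already hold (feature of version 1.1).
// The factory base64url-encodes the raw bytes into the "k" parameter for you.
$sharedSecret = random_bytes(32); // constructed; normally loaded from a secrets store
$fromSecret = JWKFactory::createFromSecret($sharedSecret, [
    'kid' => 'hs256-shared',    // constructed identifier
    'use' => 'sig',
    'alg' => 'HS256',
]);

// RFC 7518, section 3.2: an HMAC key must be at least as long as the hash output
// (32 bytes for HS256). Helper written for this example; it decodes "k" and
// checks the raw length, which is what matters, not the encoded length.
function checkHmacKeyLength(JWK $jwk, int $minBytes): bool
{
    if ($jwk->get('kty') !== 'oct') {
        return false;
    }
    $raw = base64_decode(strtr($jwk->get('k'), '-_', '+/'), true);

    return $raw !== false && strlen($raw) >= $minBytes;
}

assert(checkHmacKeyLength($generated, 32));
assert(checkHmacKeyLength($fromSecret, 32));
assert($generated->get('alg') === 'HS256' && $generated->get('use') === 'sig');

// A too-short secret would be the classic weakness of HMAC-signed tokens; the
// same helper flags it (constructed 16-byte value).
$weak = JWKFactory::createFromSecret(random_bytes(16), ['alg' => 'HS256']);
assert(!checkHmacKeyLength($weak, 32));

echo 'generated kid: ', $generated->get('kid'), PHP_EOL;
```

Setting "use" and "alg" on the key does nothing by itself; the benefit comes from the consumer selecting keys by those parameters, so a key scoped to HS256 signatures is never picked up for encryption or for a different HMAC variant.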
The following example shows how to create an RSA key. The key size must be at least 384 bits.
The following example shows how to create an EC key. The supported curves are: P-256, P-384 and P-521 (note that this is 521 and not 512).
The following example shows how to create an OKP key. The supported curves are: Ed25519 (signature/verification only) and X25519 (encryption/decryption only).
The none key type is a special type used only for the none algorithm.
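The RSA, EC, OKP and none key types from the sections above, generated with the factory and then reduced to a public-only key set that could be served from a JWKS endpoint, as an added example that is not part of the original documentation or of the web-token project. It assumes the jwt-key-mgmt component installed through Composer and the sodium extension for the OKP keys; the kid values are constructed and publishableSet() is a helper written for this example.

```php
<?php
// Added example (not from the web-token documentation): generating the
// asymmetric key types and the "none" key with JWKFactory, then deriving a
// public-only key set suitable for publishing.
require_once __DIR__ . '/vendor/autoload.php'; // assumes the Composer autoloader

use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\KeyManagement\JWKFactory;

// RSA: the framework accepts 384 bits and up; 2048 bits is the floor for real use.
$rsa = JWKFactory::createRSAKey(2048, ['kid' => 'rs256-1', 'use' => 'sig', 'alg' => 'RS256']);

// EC: curve names are the JWA names (P-256, P-384, P-521).
$ec = JWKFactory::createECKey('P-256', ['kid' => 'es256-1', 'use' => 'sig', 'alg' => 'ES256']);

// OKP: Ed25519 signs, X25519 does key agreement; "use" records which is intended.
$ed = JWKFactory::createOKPKey('Ed25519', ['kid' => 'eddsa-1', 'use' => 'sig', 'alg' => 'EdDSA']);
$x  = JWKFactory::createOKPKey('X25519', ['kid' => 'ecdh-1', 'use' => 'enc', 'alg' => 'ECDH-ES']);

// "none": only ever paired with the none algorithm (unsigned tokens).
$none = JWKFactory::createNoneKey();
assert($none->get('kty') === 'none');

// Private parameters per key type: "d" for EC/OKP, "d" plus the CRT values for RSA.
foreach (['d', 'p', 'q', 'dp', 'dq', 'qi'] as $param) {
    assert($rsa->has($param));
}
assert($ec->has('d') && $ed->has('d') && $x->has('d'));

// toPublic() strips those private parameters and keeps everything else
// ("kid", "use", "alg", the public coordinates). Helper written for this example.
function publishableSet(JWK ...$privateKeys): JWKSet
{
    $public = [];
    foreach ($privateKeys as $key) {
        $public[] = $key->toPublic();
    }

    return JWKSet::createFromKeys($public);
}

$jwks = publishableSet($rsa, $ec, $ed, $x);
assert(count($jwks) === 4);
foreach ($jwks as $key) {
    assert(!$key->has('d') && !$key->has('p') && !$key->has('q'));
    assert($key->has('kid') && $key->has('use') && $key->has('alg'));
}

// The originals are untouched: JWK objects are immutable, toPublic() returned copies.
assert($rsa->has('d'));

// What a JWKS endpoint would serve:
echo json_encode($jwks, JSON_PRETTY_PRINT), PHP_EOL;
```

Checking for the absence of "d", "p" and "q" before serializing is the one test worth keeping in code that publishes keys: a private key set served by mistake cannot be un-published.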
In case you already have key values, you can create a key by passing those values as an argument:
You can convert a PKCS#1 or PKCS#8 key file into a JWK. The following method supports PEM and DER formats. Encrypted keys are also supported.
You can convert a PKCS#12 Certificate into a JWK. Encrypted certificates are also supported.
You can convert an X.509 certificate into a JWK. Please note that X.509 certificates only contain public keys.
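Loading keys from existing material (direct values, a PKCS#8 key file, a PKCS#12 bundle and an X.509 certificate), covering the four sections above, as an added example that is not part of the original documentation or of the web-token project. It assumes the jwt-key-mgmt component installed through Composer and the openssl extension; the key, self-signed certificate and PKCS#12 bundle are generated inside the script so that it runs offline, and the passphrases and subject name are constructed values.

```php
<?php
// Added example (not from the web-token documentation): loading keys from
// existing material with JWKFactory. The PEM key, certificate and PKCS#12
// bundle are generated here with ext-openssl so the script is self-contained.
require_once __DIR__ . '/vendor/autoload.php'; // assumes the Composer autoloader

use Jose\Component\KeyManagement\JWKFactory;

$keyPassphrase = 'constructed-key-passphrase';
$p12Passphrase = 'constructed-p12-passphrase';

// Test material: a 2048-bit RSA key, exported as an encrypted PKCS#8 PEM file.
$resource = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($resource, $privatePem, $keyPassphrase);
$keyFile = tempnam(sys_get_temp_dir(), 'jwk-key-');
file_put_contents($keyFile, $privatePem);

// A self-signed certificate for the same key, and a PKCS#12 bundle holding both.
$csr  = openssl_csr_new(['commonName' => 'example.test'], $resource, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $resource, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $certPem);
openssl_pkcs12_export($cert, $p12, $resource, $p12Passphrase);
$p12File = tempnam(sys_get_temp_dir(), 'jwk-p12-');
file_put_contents($p12File, $p12);

// 1. PKCS#8 key file (PEM here; DER is accepted too), decrypted with its passphrase.
$private = JWKFactory::createFromKeyFile($keyFile, $keyPassphrase, ['use' => 'sig', 'alg' => 'RS256']);
assert($private->get('kty') === 'RSA' && $private->has('d'));

// 2. PKCS#12 bundle: yields the private key stored inside it.
$fromP12 = JWKFactory::createFromPKCS12CertificateFile($p12File, $p12Passphrase);
assert($fromP12->has('d'));

// 3. X.509 certificate: public key only, so no private parameter can appear.
$public = JWKFactory::createFromCertificate($certPem);
assert($public->get('kty') === 'RSA' && !$public->has('d'));

// 4. Values you already hold, for instance exported earlier with all().
$copy = JWKFactory::createFromValues($private->all());

// All four describe the same RSA key: the RFC 7638 thumbprint is computed from
// the public parameters (kty, n, e) only, so it matches across them.
$tp = $private->thumbprint('sha256');
assert($fromP12->thumbprint('sha256') === $tp);
assert($public->thumbprint('sha256') === $tp);
assert($copy->thumbprint('sha256') === $tp);

unlink($keyFile);
unlink($p12File);
echo 'thumbprint: ', $tp, PHP_EOL;
```

The thumbprint comparison is a cheap way to confirm that a certificate you were handed really belongs to the private key you hold, before wiring the pair into a signer and a verifier.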