You can create a JWKSet object using three static methods:
new JWKSet(array $keys)
: creates a JWKSet using a list of JWK objects.
JWKSet::createFromJson(string $json)
: creates a JWKSet using a JSON object.
JWKSet::createFromKeyData(array $values)
: creates a JWKSet using a decoded JSON object.
Hereafter all methods available for a JWKSet object. The variable $jwkset
is a valid JWKSet object.
Please note a JWKSet object is an immutable object. When you add keys, you get a new JWKSet object
You can create a JWK object using two static methods:
new JWK(array $values)
: creates a JWK using direct values.
JWK::createFromJson(string $json)
: creates a JWK using a JSON object.
Hereafter all methods available for a JWK object. The variable $jwk
is a valid JWK object.
Please note a JWK object is an immutable object. If you change a value using a setter, it will return a new object.
This framework is able to create private and public keys on the fly using the JWKFactory
. It is available in the web-token/jwt-key-mgmt
component.
4 types of keys are supported:
Symmetric Key:
oct
: octet string
Asymmetric Key:
RSA
: RSA key pair
EC
: Elliptic Curve key pair
OKP
: Octet key pair
The none
algorithm needs a key of type none
. This is a specific key type that must only be used with this algorithm.
The following example will show you how to create an oct
key.
Additional parameters will be set to limit the scope of this key (e.g. signature/verification only with the HS256
algorithm).
If you already have a shared secret, you can use it to create an oct
key:
The following example will show you how to create a RSA
key.
The key size must be of 384 bits at least, but nowadays the recommended size is 2048 bits.
The following example will show you how to create a EC
key.
The supported curves are:
P-256
P-384
P-521
(note that this is 521 and not 512)
The following example will show you how to create a OKP
key.
The supported curves are:
Ed25519
for signature/verification only
X25519
for encryption/decryption only
The none
key type is a special type used only for the none
algorithm.
In case you already have key values, you can create a key by passing those values as an argument:
You can convert a PKCS#1 or PKCS#8 key file into a JWK. The following method supports PEM and DER formats. Encrypted keys are also supported.
You can convert a PKCS#12 Certificate into a JWK. Encrypted certificates are also supported.
You can convert a X.509 Certificate into a JWK.
Please note that X.509 certificates only contains public keys.
To perform cryptographic operations (signature/verification and encryption/decryption), you will also need keys.
The JWK
object is part of the web-token/jwt-core
component:
A JWK object represents a key. It contains all parameters needed by the algorithm and may also provide information parameters.
This framework is able to create private and public keys easily. It can also generate those keys from external resources such as binary key files or certificates.
The keys can be grouped in key sets. A JWKSet
object represents a key set. It can contain as many keys as you need.
We strongly recommend you to avoid mixing public, private or shared keys in the same key set.