private function validateOptionsAndEnvelope()

in src/Crypto/DecryptionTraitV2.php [133:192]

• 57 lines of code
• 8 McCabe index (conditional complexity)

    private function validateOptionsAndEnvelope($options, $envelope)
    {
        $allowedCiphers = AbstractCryptoClientV2::$supportedCiphers;
        $allowedKeywraps = AbstractCryptoClientV2::$supportedKeyWraps;
        if ($options['@SecurityProfile'] == 'V2_AND_LEGACY') {
            $allowedCiphers = array_unique(array_merge(
                $allowedCiphers,
                AbstractCryptoClient::$supportedCiphers
            ));
            $allowedKeywraps = array_unique(array_merge(
                $allowedKeywraps,
                AbstractCryptoClient::$supportedKeyWraps
            ));
        }

        $v1SchemaException = new CryptoException("The requested object is encrypted"
            . " with V1 encryption schemas that have been disabled by"
            . " client configuration @SecurityProfile=V2. Retry with"
            . " V2_AND_LEGACY enabled or reencrypt the object.");

        if (!in_array($options['@CipherOptions']['Cipher'], $allowedCiphers)) {
            if (in_array($options['@CipherOptions']['Cipher'], AbstractCryptoClient::$supportedCiphers)) {
                throw $v1SchemaException;
            }
            throw new CryptoException("The requested object is encrypted with"
                . " the cipher '{$options['@CipherOptions']['Cipher']}', which is not"
                . " supported for decryption with the selected security profile."
                . " This profile allows decryption with: "
                . implode(", ", $allowedCiphers));
        }
        if (!in_array(
            $envelope[MetadataEnvelope::KEY_WRAP_ALGORITHM_HEADER],
            $allowedKeywraps
        )) {
            if (in_array(
                $envelope[MetadataEnvelope::KEY_WRAP_ALGORITHM_HEADER],
                AbstractCryptoClient::$supportedKeyWraps)
            ) {
                throw $v1SchemaException;
            }
            throw new CryptoException("The requested object is encrypted with"
                . " the keywrap schema '{$envelope[MetadataEnvelope::KEY_WRAP_ALGORITHM_HEADER]}',"
                . " which is not supported for decryption with the current security"
                . " profile.");
        }

        $matdesc = json_decode(
            $envelope[MetadataEnvelope::MATERIALS_DESCRIPTION_HEADER],
            true
        );
        if (isset($matdesc['aws:x-amz-cek-alg'])
            && $envelope[MetadataEnvelope::CONTENT_CRYPTO_SCHEME_HEADER] !==
                $matdesc['aws:x-amz-cek-alg']
        ) {
            throw new CryptoException("There is a mismatch in specified content"
                . " encryption algrithm between the materials description value"
                . " and the metadata envelope value: {$matdesc['aws:x-amz-cek-alg']}"
                . " vs. {$envelope[MetadataEnvelope::CONTENT_CRYPTO_SCHEME_HEADER]}.");
        }
    }