Package com.nimbusds.jose.crypto

Class ECDSASigner

java.lang.Object
com.nimbusds.jose.crypto.impl.BaseJWSProvider
com.nimbusds.jose.crypto.impl.ECDSAProvider
com.nimbusds.jose.crypto.ECDSASigner
All Implemented Interfaces:
JCAAware<JCAContext>, JOSEProvider, JWSProvider, JWSSigner
@ThreadSafe public class ECDSASigner extends ECDSAProvider implements JWSSigner
Elliptic Curve Digital Signature Algorithm (ECDSA) signer of JWS objects. Expects a private EC key (with a P-256, P-384, P-521 or secp256k1 curve).

See RFC 7518 section 3.4 for more information.

This class is thread-safe.

Supports the following algorithms:

Supports the following options:

  • UserAuthenticationRequired -- to prompt the user to authenticate in order to complete the signing operation. Android applications can use this option to trigger a biometric prompt that is required to unlock a private key created with setUserAuthenticationRequired(true).
Version:
2023-04-20
Author:
Axel Nennker, Vladimir Dzhuvinov

  • Constructor Details

    • ECDSASigner

      public ECDSASigner(ECPrivateKey privateKey) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer.
      Parameters:
      privateKey - The private EC key. Must not be null.
      Throws:
      JOSEException - If the elliptic curve of key is not supported.

    • ECDSASigner

      public ECDSASigner(ECPrivateKey privateKey, Set<JWSSignerOption> opts) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer.
      Parameters:
      privateKey - The private EC key. Must not be null.
      opts - The signing options, empty or null if none.
      Throws:
      JOSEException - If the elliptic curve of key is not supported.

    • ECDSASigner

      public ECDSASigner(PrivateKey privateKey, Curve curve) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer. This constructor is intended for a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private EC key. Its algorithm must be "EC". Must not be null.
      curve - The elliptic curve for the key. Must not be null.
      Throws:
      JOSEException - If the elliptic curve of key is not supported.

    • ECDSASigner

      public ECDSASigner(PrivateKey privateKey, Curve curve, Set<JWSSignerOption> opts) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer. This constructor is intended for a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private EC key. Its algorithm must be "EC". Must not be null.
      curve - The elliptic curve for the key. Must not be null.
      opts - The signing options, empty or null if none.
      Throws:
      JOSEException - If the elliptic curve of key is not supported.

    • ECDSASigner

      public ECDSASigner(ECKey ecJWK) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer.
      Parameters:
      ecJWK - The EC JSON Web Key (JWK). Must contain a private part. Must not be null.
      Throws:
      JOSEException - If the EC JWK doesn't contain a private part, its extraction failed, or the elliptic curve is not supported.

    • ECDSASigner

      public ECDSASigner(ECKey ecJWK, Set<JWSSignerOption> opts) throws JOSEException
      Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) signer.
      Parameters:
      ecJWK - The EC JSON Web Key (JWK). Must contain a private part. Must not be null.
      opts - The signing options, empty or null if none.
      Throws:
      JOSEException - If the EC JWK doesn't contain a private part, its extraction failed, or the elliptic curve is not supported.

  • Method Details

    • getPrivateKey

      public PrivateKey getPrivateKey()
      Gets the private EC key.
      Returns:
      The private EC key. Casting to ECPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.

    • sign

      public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException
      Description copied from interface: JWSSigner
      Signs the specified input of a JWS object.
      Specified by:
      sign in interface JWSSigner
      Parameters:
      header - The JSON Web Signature (JWS) header. Must specify a supported JWS algorithm and must not be null.
      signingInput - The input to sign. Must not be null.
      Returns:
      The resulting signature part (third part) of the JWS object.
      Throws:
      JOSEException - If the JWS algorithm is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if signing failed for some other internal reason.