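package com.nimbusds.jose.proc;


import java.security.Key;
import java.util.List;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;


/**
 * Interface for selecting key candidates for verifying a JSON Web Signature
 * (JWS) object. Applications should utilise this interface or a similar
 * framework to determine whether a received JWS object (or signed JWT) is
 * eligible for {@link com.nimbusds.jose.JWSVerifier verification} and further
 * processing.
 *
 * <p>The key selection should be based on application specific criteria, such
 * as recognised header parameters referencing the key (e.g. {@code kid},
 * {@code x5t}) and / or the JWS object {@link SecurityContext}.
 *
 * <p>Security note: selection happens before the signature has been
 * verified, so the header passed to the selector is unauthenticated input
 * chosen by the sender. Implementations should use header parameters only as
 * hints for looking up keys the application already trusts. A key or key
 * location carried in the header itself (e.g. {@code jwk}, {@code jku}) is
 * not evidence of trust on its own. Implementations should also return only
 * keys whose type suits the algorithm(s) the application expects, rather
 * than whatever the {@code alg} header parameter names.
 *
 * <p>See JSON Web Signature (JWS), Appendix D. Notes on Key Selection for
 * suggestions.
 *
 * <p>Possible key types:
 *
 * <ul>
 *     <li>{@link javax.crypto.SecretKey} for HMAC keys.
 *     <li>{@link java.security.interfaces.RSAPublicKey} public RSA keys.
 *     <li>{@link java.security.interfaces.ECPublicKey} public EC keys.
 * </ul>
 *
 * @param <C> The type of the security context passed to the selector.
 *
 * @author Vladimir Dzhuvinov
 * @version 2016-06-21
 */
public interface JWSKeySelector<C extends SecurityContext> {


	/**
	 * Selects key candidates for verifying a JWS object.
	 *
	 * <p>The header has not been authenticated when this method is called;
	 * treat its parameters as untrusted lookup hints.
	 *
	 * @param header  The header of the JWS object. Must not be
	 *                {@code null}.
	 * @param context Optional context of the JWS object, {@code null} if
	 *                not required.
	 *
	 * @return The key candidates in trial order, empty list if none. An
	 *         empty list means no candidate key is available; callers
	 *         should then reject the JWS object rather than skip
	 *         verification.
	 *
	 * @throws KeySourceException If a key sourcing exception is
	 *                            encountered, e.g. on remote JWK
	 *                            retrieval.
	 */
	List<? extends Key> selectJWSKeys(JWSHeader header, C context)
		throws KeySourceException;
}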