@Immutable public final class ECKey extends JWK implements AssymetricJWK, CurveBasedJWK

Elliptic Curve JSON Web Key (JWK). This class is immutable.

Supported curves: see SUPPORTED_CURVES.

Provides EC JWK import from / export to the following standard Java interfaces and classes:

- ECPublicKey
- ECPrivateKey
- PrivateKey, for an EC key in a PKCS#11 store
- KeyPair

Example JSON object representation of a public EC JWK:

```json
{
  "kty" : "EC",
  "crv" : "P-256",
  "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
  "use" : "enc",
  "kid" : "1"
}
```

Example JSON object representation of a private EC JWK:

```json
{
  "kty" : "EC",
  "crv" : "P-256",
  "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
  "d"   : "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
  "use" : "enc",
  "kid" : "1"
}
```

Use the builder to create a new EC JWK:

```java
ECKey key = new ECKey.Builder(Curve.P_256, x, y)
    .keyUse(KeyUse.SIGNATURE)
    .keyID("1")
    .build();
```

See http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
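The following program is an added example, not code from the Nimbus JOSE+JWT library or its documentation. It ties together the builder, the JCA import / export interfaces listed above and the parse / toPublicJWK methods: a P-256 key pair is generated with the JCA, wrapped as a private EC JWK, published as a public JWK, and re-imported with the checks a receiving party should make. The class name, method names and the key ID value are constructed for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.text.ParseException;

import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.KeyUse;

// Added example (not part of the Nimbus JOSE+JWT documentation). Class name,
// method names and the key ID value are constructed for illustration.
public class ECKeyRoundTrip {

    // Generates a P-256 key pair with the JCA and wraps it as a private EC JWK
    // using the Builder(Curve, ECPublicKey) constructor and privateKey(ECPrivateKey).
    static ECKey generateSigningKey(String keyID) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1")); // NIST P-256
        KeyPair pair = gen.generateKeyPair();

        return new ECKey.Builder(Curve.P_256, (ECPublicKey) pair.getPublic())
                .privateKey((ECPrivateKey) pair.getPrivate())
                .keyUse(KeyUse.SIGNATURE)
                .keyID(keyID)
                .build();
    }

    // Parses a JWK received from a peer and rejects anything that is not a
    // public EC key on the curve the caller expects.
    static ECKey importPeerPublicKey(String json, Curve expected) throws ParseException {
        ECKey key = ECKey.parse(json);
        if (key.isPrivate()) {
            throw new IllegalArgumentException("peer key must not carry a 'd' parameter");
        }
        if (!expected.equals(key.getCurve()) || !ECKey.SUPPORTED_CURVES.contains(key.getCurve())) {
            throw new IllegalArgumentException("unexpected curve: " + key.getCurve());
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        ECKey privateJwk = generateSigningKey("example-key-1"); // constructed key ID

        // Only the public half is published; toPublicJWK() drops 'd'.
        String published = privateJwk.toPublicJWK().toJSONString();
        System.out.println(published);

        // The receiving side parses the JSON and exports a JCA key for verification.
        ECKey imported = importPeerPublicKey(published, Curve.P_256);
        ECPublicKey jcaPublicKey = imported.toECPublicKey();
        System.out.println(jcaPublicKey.getAlgorithm() + " point: " + jcaPublicKey.getW());

        // The round trip preserves the coordinates and carries no private value.
        if (imported.isPrivate()
                || !imported.getX().equals(privateJwk.getX())
                || !imported.getY().equals(privateJwk.getY())) {
            throw new IllegalStateException("round trip mismatch");
        }
    }
}
```

The private JWK never leaves the process; what goes into a published JWK set is the result of toPublicJWK(). On the importing side, isPrivate() and the curve check guard against a peer shipping an unexpected or private key, which parse(String) alone does not reject.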
Modifier and Type | Class and Description
---|---
static class | ECKey.Builder: Builder for constructing Elliptic Curve JWKs.
Modifier and Type | Field and Description
---|---
static Set<Curve> | SUPPORTED_CURVES: Supported EC curves.
Constructor and Description
---
ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
Modifier and Type | Method and Description
---|---
static Base64URL | encodeCoordinate(int fieldSize, BigInteger coordinate): Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.
Curve | getCurve(): Returns the cryptographic curve.
Base64URL | getD(): Gets the private 'd' coordinate for the elliptic curve point.
LinkedHashMap<String,?> | getRequiredParams(): Returns the required JWK parameters.
Base64URL | getX(): Gets the public 'x' coordinate for the elliptic curve point.
Base64URL | getY(): Gets the public 'y' coordinate for the elliptic curve point.
boolean | isPrivate(): Returns true if this JWK contains private or sensitive (non-public) parameters.
static ECKey | load(KeyStore keyStore, String alias, char[] pin): Loads a public / private Elliptic Curve JWK from the specified JCA key store.
static ECKey | parse(net.minidev.json.JSONObject jsonObject): Parses a public / private Elliptic Curve JWK from the specified JSON object representation.
static ECKey | parse(String s): Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.
static ECKey | parse(X509Certificate cert): Parses a public Elliptic Curve JWK from the specified X.509 certificate.
int | size(): Returns the size of this JWK.
ECPrivateKey | toECPrivateKey(): Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
ECPrivateKey | toECPrivateKey(Provider provider): Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
ECPublicKey | toECPublicKey(): Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
ECPublicKey | toECPublicKey(Provider provider): Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
net.minidev.json.JSONObject | toJSONObject(): Returns a JSON object representation of this JWK.
KeyPair | toKeyPair(): Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
KeyPair | toKeyPair(Provider provider): Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
PrivateKey | toPrivateKey(): Returns a Java private key representation of this JWK.
ECKey | toPublicJWK(): Returns a copy of this Elliptic Curve JWK with any private values removed.
PublicKey | toPublicKey(): Returns a Java public key representation of the JWK.
Methods inherited from class JWK: computeThumbprint, computeThumbprint, getAlgorithm, getKeyID, getKeyOperations, getKeyStore, getKeyType, getKeyUse, getX509CertChain, getX509CertSHA256Thumbprint, getX509CertThumbprint, getX509CertURL, toJSONString, toString
public static final Set<Curve> SUPPORTED_CURVES
public ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)

Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- x: The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- y: The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.
- ks: Reference to the underlying key store, null if not specified.

public ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- x: The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- y: The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- d: The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.
- ks: Reference to the underlying key store, null if not specified.

public ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- x: The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- y: The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
- priv: The private key as a PKCS#11 handle, null if not specified.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.

public ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)

Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- pub: The public EC key to represent. Must not be null.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.
- ks: Reference to the underlying key store, null if not specified.

public ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- pub: The public EC key to represent. Must not be null.
- priv: The private EC key to represent. Must not be null.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.
- ks: Reference to the underlying key store, null if not specified.

public ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:
- crv: The cryptographic curve. Must not be null.
- pub: The public EC key to represent. Must not be null.
- priv: The private key as a PKCS#11 handle, null if not specified.
- use: The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops: The key operations, null if not specified.
- alg: The intended JOSE algorithm for the key, null if not specified.
- kid: The key ID, null if not specified.
- x5u: The X.509 certificate URL, null if not specified.
- x5t: The X.509 certificate SHA-1 thumbprint, null if not specified.
- x5t256: The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c: The X.509 certificate chain, null if not specified.
- ks: Reference to the underlying key store, null if not specified.

public static Base64URL encodeCoordinate(int fieldSize, BigInteger coordinate)
Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.

Parameters:
- fieldSize: The field size in bits.
- coordinate: The elliptic curve coordinate. Must not be null.
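The leading zero padding that encodeCoordinate applies is what makes a JWK coordinate interoperable: RFC 7518 requires the decoded 'x', 'y' and 'd' octet strings to be exactly the full coordinate size for the named curve, whereas BigInteger.toByteArray() drops leading zero bytes (and may add a sign byte). The following added example, which is not code from the Nimbus JOSE+JWT library or its documentation, shows the difference on a constructed short coordinate and adds a strict length check for coordinates received in a JWK. The class and method names are mine; the field size is read from Curve.toECParameterSpec().

```java
import java.math.BigInteger;

import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.util.Base64URL;

// Added example (not part of the Nimbus JOSE+JWT documentation); the class,
// method names and the sample coordinate value are constructed.
public class CoordinateLength {

    // Number of octets a coordinate must occupy for the given curve: the field
    // size in bits rounded up to whole bytes (32 for P-256, 66 for P-521).
    static int expectedOctets(Curve curve) {
        int fieldBits = curve.toECParameterSpec().getCurve().getField().getFieldSize();
        return (fieldBits + 7) / 8;
    }

    // Encodes a coordinate the way a JWK must carry it: fixed length, zero padded.
    static byte[] encodeForJwk(Curve curve, BigInteger coordinate) {
        int fieldBits = curve.toECParameterSpec().getCurve().getField().getFieldSize();
        return ECKey.encodeCoordinate(fieldBits, coordinate).decode();
    }

    // Strict check on a received 'x', 'y' or 'd' value: the decoded octet string
    // must be exactly the full coordinate size for the curve named in 'crv'.
    static boolean hasFullLength(Curve curve, Base64URL coordinate) {
        return coordinate.decode().length == expectedOctets(curve);
    }

    public static void main(String[] args) {
        // Constructed value whose minimal big-endian form is only 3 bytes.
        BigInteger small = new BigInteger("0a1b2c", 16);

        byte[] minimal = small.toByteArray();             // 3 bytes
        byte[] padded = encodeForJwk(Curve.P_256, small); // 32 bytes
        System.out.println(minimal.length + " vs " + padded.length);

        // Padding does not change the numeric value.
        if (!new BigInteger(1, padded).equals(small)) {
            throw new IllegalStateException("padding altered the coordinate");
        }

        // A coordinate serialised from the minimal form fails the strict check,
        // the padded one passes.
        Base64URL tooShort = Base64URL.encode(minimal);
        Base64URL correct = Base64URL.encode(padded);
        System.out.println(hasFullLength(Curve.P_256, tooShort)); // false
        System.out.println(hasFullLength(Curve.P_256, correct));  // true
    }
}
```

Producers that build 'x' and 'y' by hand from BigInteger values should always go through encodeCoordinate; consumers that want to reject malformed keys early can apply hasFullLength to getX(), getY() and getD() after parse.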
public Curve getCurve()

Returns the cryptographic curve.

Specified by: getCurve in interface CurveBasedJWK

public Base64URL getX()

Gets the public 'x' coordinate for the elliptic curve point.

public Base64URL getY()

Gets the public 'y' coordinate for the elliptic curve point.

public Base64URL getD()

Gets the private 'd' coordinate for the elliptic curve point.

Returns: null if not specified (for a public key).

public ECPublicKey toECPublicKey() throws JOSEException

Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK. Uses the default JCA provider.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

public ECPublicKey toECPublicKey(Provider provider) throws JOSEException

Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.

Parameters:
- provider: The specific JCA provider to use, null implies the default one.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

public ECPrivateKey toECPrivateKey() throws JOSEException

Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK. Uses the default JCA provider.

Returns: null if not specified by this JWK.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

public ECPrivateKey toECPrivateKey(Provider provider) throws JOSEException

Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.

Parameters:
- provider: The specific JCA provider to use, null implies the default one.

Returns: null if not specified by this JWK.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

public PublicKey toPublicKey() throws JOSEException
Returns a Java public key representation of the JWK.

Specified by: toPublicKey in interface AssymetricJWK

Throws:
- JOSEException: If conversion failed or is not supported.

public PrivateKey toPrivateKey() throws JOSEException

Returns a Java private key representation of this JWK.

Specified by: toPrivateKey in interface AssymetricJWK

Returns: null if not specified.

Throws:
- JOSEException: If conversion failed or is not supported.

public KeyPair toKeyPair() throws JOSEException

Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK. Uses the default JCA provider.

Specified by: toKeyPair in interface AssymetricJWK

Returns: null if not specified.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

public KeyPair toKeyPair(Provider provider) throws JOSEException

Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.

Parameters:
- provider: The specific JCA provider to use, null implies the default one.

Returns: null if not specified.

Throws:
- JOSEException: If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

public LinkedHashMap<String,?> getRequiredParams()

Returns the required JWK parameters.

Specified by: getRequiredParams in class JWK

public boolean isPrivate()

Specified by: isPrivate in class JWK

Returns: true if this JWK contains private or sensitive (non-public) parameters.

public ECKey toPublicJWK()

Returns a copy of this Elliptic Curve JWK with any private values removed.

Specified by: toPublicJWK in class JWK

public net.minidev.json.JSONObject toJSONObject()

Returns a JSON object representation of this JWK. Example:

```json
{ "kty" : "RSA", "use" : "sig", "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b" }
```

Overrides: toJSONObject in class JWK
public static ECKey parse(String s) throws ParseException

Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.

Parameters:
- s: The JSON object string to parse. Must not be null.

Throws:
- ParseException: If the string couldn't be parsed to an Elliptic Curve JWK.

public static ECKey parse(net.minidev.json.JSONObject jsonObject) throws ParseException

Parses a public / private Elliptic Curve JWK from the specified JSON object representation.

Parameters:
- jsonObject: The JSON object to parse. Must not be null.

Throws:
- ParseException: If the JSON object couldn't be parsed to an Elliptic Curve JWK.

public static ECKey parse(X509Certificate cert) throws JOSEException

Parses a public Elliptic Curve JWK from the specified X.509 certificate. Important: The X.509 certificate is not validated!

Sets the following JWK parameters:
- The key use, via KeyUse.from(java.security.cert.X509Certificate).

Parameters:
- cert: The X.509 certificate. Must not be null.

Throws:
- JOSEException: If parsing failed.

public static ECKey load(KeyStore keyStore, String alias, char[] pin) throws KeyStoreException, JOSEException

Loads a public / private Elliptic Curve JWK from the specified JCA key store. Important: The X.509 certificate is not validated!

Parameters:
- keyStore: The key store. Must not be null.
- alias: The alias. Must not be null.
- pin: The pin to unlock the private key if any, empty or null if not required.

Returns: null if no key with the specified alias was found.

Throws:
- KeyStoreException: On a key store exception.
- JOSEException: If EC key loading failed.

Copyright © 2017 Connect2id Ltd. All rights reserved.
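Both parse(X509Certificate) and load(KeyStore, String, char[]) state that the X.509 certificate is not validated, so a caller that trusts the resulting key for verification or encryption has to validate the certificate first. The following added example, not code from the Nimbus JOSE+JWT library or its documentation, wraps the two methods with a validity-period check, an EC key-type check and PKIX path validation against trust anchors supplied by the caller. The class name, method names and the revocation setting are my assumptions; the chain is expected leaf first, ending at the certificate issued by a trust anchor.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.jwk.ECKey;

// Added example (not part of the Nimbus JOSE+JWT documentation); class and
// method names are constructed. The caller supplies the chain and trust anchors.
public class ValidatedCertKey {

    // Runs the checks that ECKey.parse(X509Certificate) and ECKey.load(...)
    // deliberately leave out: key type, validity period and PKIX path
    // validation to a trust anchor. Chain is leaf first, intermediates after,
    // without the trust anchor certificate itself.
    static void validateChain(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        if (chain == null || chain.isEmpty()) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate leaf = chain.get(0);
        if (!(leaf.getPublicKey() instanceof ECPublicKey)) {
            throw new CertificateException("leaf certificate does not carry an EC key");
        }
        leaf.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption: revocation status (CRL / OCSP) is handled by the caller's
        // PKI setup; enable it here when the validator may fetch it.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // Public EC JWK from a certificate, but only after the chain validates.
    static ECKey fromValidatedCertificate(List<X509Certificate> chain, Set<TrustAnchor> anchors)
            throws Exception {
        validateChain(chain, anchors);
        return ECKey.parse(chain.get(0));
    }

    // Same for a key store entry: validate the stored chain first, then load
    // the public / private JWK with ECKey.load(KeyStore, String, char[]).
    static ECKey loadValidated(KeyStore ks, String alias, char[] pin, Set<TrustAnchor> anchors)
            throws Exception {
        Certificate[] stored = ks.getCertificateChain(alias);
        if (stored == null || stored.length == 0) {
            throw new CertificateException("no certificate chain for alias " + alias);
        }
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : stored) {
            chain.add((X509Certificate) c);
        }
        validateChain(chain, anchors);
        return ECKey.load(ks, alias, pin);
    }
}
```

The trust anchors are the point where policy enters: they should be the CA certificates the deployment actually accepts for this purpose, not the JRE's default set, and a failed validation should keep the key out of any JWK set or verifier.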