001/* 002 * nimbus-jose-jwt 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.jose.crypto.impl; 019 020 021import java.util.*; 022import javax.crypto.SecretKey; 023 024import com.nimbusds.jose.EncryptionMethod; 025import com.nimbusds.jose.JWEAlgorithm; 026import com.nimbusds.jose.KeyLengthException; 027import com.nimbusds.jose.util.ByteUtils; 028 029 030/** 031 * The base abstract class for AES and AES GCM key wrap encrypters and 032 * decrypters of {@link com.nimbusds.jose.JWEObject JWE objects}. 033 * 034 * <p>Supports the following key management algorithms: 035 * 036 * <ul> 037 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A128KW} 038 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A192KW} 039 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A256KW} 040 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW} 041 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW} 042 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW} 043 * </ul> 044 * 045 * <p>Supports the following content encryption algorithms: 046 * 047 * <ul> 048 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256} 049 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384} 050 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512} 051 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128GCM} 052 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192GCM} 053 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256GCM} 054 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED} 055 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED} 056 * </ul> 057 * 058 * @author Melisa Halsband 059 * @author Vladimir Dzhuvinov 060 * @version 2015-06-29 061 */ 062public abstract class AESCryptoProvider extends BaseJWEProvider { 063 064 065 /** 066 * The supported JWE algorithms by the AES crypto provider class. 067 */ 068 public static final Set<JWEAlgorithm> SUPPORTED_ALGORITHMS; 069 070 071 /** 072 * The supported encryption methods by the AES crypto provider class. 073 */ 074 public static final Set<EncryptionMethod> SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS; 075 076 077 /** 078 * The JWE algorithms compatible with each key size in bits. 079 */ 080 public static final Map<Integer,Set<JWEAlgorithm>> COMPATIBLE_ALGORITHMS; 081 082 083 static { 084 Set<JWEAlgorithm> algs = new LinkedHashSet<>(); 085 algs.add(JWEAlgorithm.A128KW); 086 algs.add(JWEAlgorithm.A192KW); 087 algs.add(JWEAlgorithm.A256KW); 088 algs.add(JWEAlgorithm.A128GCMKW); 089 algs.add(JWEAlgorithm.A192GCMKW); 090 algs.add(JWEAlgorithm.A256GCMKW); 091 SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs); 092 093 Map<Integer,Set<JWEAlgorithm>> algsMap = new HashMap<>(); 094 Set<JWEAlgorithm> bit128Algs = new HashSet<>(); 095 Set<JWEAlgorithm> bit192Algs = new HashSet<>(); 096 Set<JWEAlgorithm> bit256Algs = new HashSet<>(); 097 bit128Algs.add(JWEAlgorithm.A128GCMKW); 098 bit128Algs.add(JWEAlgorithm.A128KW); 099 bit192Algs.add(JWEAlgorithm.A192GCMKW); 100 bit192Algs.add(JWEAlgorithm.A192KW); 101 bit256Algs.add(JWEAlgorithm.A256GCMKW); 102 bit256Algs.add(JWEAlgorithm.A256KW); 103 algsMap.put(128,Collections.unmodifiableSet(bit128Algs)); 104 algsMap.put(192,Collections.unmodifiableSet(bit192Algs)); 105 algsMap.put(256,Collections.unmodifiableSet(bit256Algs)); 106 COMPATIBLE_ALGORITHMS = Collections.unmodifiableMap(algsMap); 107 } 108 109 110 /** 111 * The Key Encryption Key (KEK). 112 */ 113 private final SecretKey kek; 114 115 116 /** 117 * Returns the compatible JWE algorithms for the specified Key 118 * Encryption Key (CEK) length. 119 * 120 * @param kekLength The KEK length in bits. 121 * 122 * @return The compatible JWE algorithms. 123 * 124 * @throws KeyLengthException If the KEK length is not compatible. 125 */ 126 private static Set<JWEAlgorithm> getCompatibleJWEAlgorithms(final int kekLength) 127 throws KeyLengthException { 128 129 Set<JWEAlgorithm> algs = COMPATIBLE_ALGORITHMS.get(kekLength); 130 131 if (algs == null) { 132 throw new KeyLengthException("The Key Encryption Key length must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes)"); 133 } 134 135 return algs; 136 } 137 138 139 /** 140 * Creates a new AES encryption / decryption provider. 141 * 142 * @param kek The Key Encryption Key. Must be 128 bits (16 bytes), 192 143 * bits (24 bytes) or 256 bits (32 bytes). Must not be 144 * {@code null}. 145 * 146 * @throws KeyLengthException If the KEK length is invalid. 147 */ 148 protected AESCryptoProvider(final SecretKey kek) 149 throws KeyLengthException { 150 151 super(getCompatibleJWEAlgorithms(ByteUtils.bitLength(kek.getEncoded())), ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS); 152 153 this.kek = kek; 154 } 155 156 157 /** 158 * Gets the Key Encryption Key (KEK). 159 * 160 * @return The Key Encryption Key. 161 */ 162 public SecretKey getKey() { 163 164 return kek; 165 } 166}