@ThreadSafe public class DirectDecrypter extends DirectCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware
JWE objects
with a
shared symmetric key.
See RFC 7518 section 4.5 for more information.
This class is thread-safe.
Supports the following key management algorithms:
Supports the following content encryption algorithms:
EncryptionMethod.A128CBC_HS256
(requires 256 bit key)
EncryptionMethod.A192CBC_HS384
(requires 384 bit key)
EncryptionMethod.A256CBC_HS512
(requires 512 bit key)
EncryptionMethod.A128GCM
(requires 128 bit key)
EncryptionMethod.A192GCM
(requires 192 bit key)
EncryptionMethod.A256GCM
(requires 256 bit key)
EncryptionMethod.A128CBC_HS256_DEPRECATED
(requires 256 bit key)
EncryptionMethod.A256CBC_HS512_DEPRECATED
(requires 512 bit key)
Also supports a promiscuous mode to decrypt any JWE by passing the content encryption key (CEK) directly. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.
SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS
Constructor and Description |
---|
DirectDecrypter(byte[] keyBytes)
Creates a new direct decrypter.
|
DirectDecrypter(OctetSequenceKey octJWK)
Creates a new direct decrypter.
|
DirectDecrypter(SecretKey key)
Creates a new direct decrypter.
|
DirectDecrypter(SecretKey key,
boolean promiscuousMode)
Creates a new direct decrypter with the option to set it in
promiscuous mode.
|
DirectDecrypter(SecretKey key,
Set<String> defCritHeaders)
Creates a new direct decrypter with the option to set it in
promiscuous mode.
|
DirectDecrypter(SecretKey key,
Set<String> defCritHeaders,
boolean promiscuousMode)
Creates a new direct decrypter.
|
Modifier and Type | Method and Description |
---|---|
byte[] |
decrypt(JWEHeader header,
Base64URL encryptedKey,
Base64URL iv,
Base64URL cipherText,
Base64URL authTag)
Decrypts the specified cipher text of a
JWE Object . |
Set<String> |
getDeferredCriticalHeaderParams()
Returns the names of the critical (
crit ) header parameters
that are deferred to the application for processing and will be
ignored by the JWS verifier / JWE decrypter. |
JWEJCAContext |
getJCAContext()
Returns the Java Cryptography Architecture (JCA) context.
|
Set<String> |
getProcessedCriticalHeaderParams()
Returns the names of the critical (
crit ) header parameters
that are understood and processed by the JWS verifier / JWE
decrypter. |
Set<EncryptionMethod> |
supportedEncryptionMethods()
Returns the names of the supported encryption methods by the JWE
provier.
|
Set<JWEAlgorithm> |
supportedJWEAlgorithms()
Returns the names of the supported algorithms by the JWE provider
instance.
|
getKey
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
supportedEncryptionMethods, supportedJWEAlgorithms
getJCAContext
public DirectDecrypter(SecretKey key) throws KeyLengthException
key
- The symmetric key. Its algorithm should be "AES". Must be
128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32
bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long.
Must not be null
.KeyLengthException
- If the symmetric key length is not
compatible.public DirectDecrypter(SecretKey key, boolean promiscuousMode) throws KeyLengthException
key
- The symmetric key. Its algorithm should be
"AES". Must be 128 bits (16 bytes), 192 bits
(24 bytes), 256 bits (32 bytes), 384 bits (48
bytes) or 512 bits (64 bytes) long. Must not
be null
.promiscuousMode
- If true
set the decrypter in
promiscuous mode to permit decryption of any
JWE with the supplied symmetric key. The that
mode the JWE algorithm checks for
("alg":"dir") and encrypted key not being
present will be skipped.KeyLengthException
- If the symmetric key length is not
compatible.public DirectDecrypter(byte[] keyBytes) throws KeyLengthException
keyBytes
- The symmetric key, as a byte array. Must be 128 bits
(16 bytes), 192 bits (24 bytes), 256 bits (32
bytes), 384 bits (48 bytes) or 512 bits (64 bytes)
long. Must not be null
.KeyLengthException
- If the symmetric key length is not
compatible.public DirectDecrypter(OctetSequenceKey octJWK) throws KeyLengthException
octJWK
- The symmetric key, as a JWK. Must be 128 bits (16
bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
bits (48 bytes) or 512 bits (64 bytes) long. Must not
be null
.KeyLengthException
- If the symmetric key length is not
compatible.public DirectDecrypter(SecretKey key, Set<String> defCritHeaders) throws KeyLengthException
key
- The symmetric key. Its algorithm should be
"AES". Must be 128 bits (16 bytes), 192 bits
(24 bytes), 256 bits (32 bytes), 384 bits (48
bytes) or 512 bits (64 bytes) long. Must not
be null
.defCritHeaders
- The names of the critical header parameters
that are deferred to the application for
processing, empty set or null
if none.KeyLengthException
- If the symmetric key length is not
compatible.public DirectDecrypter(SecretKey key, Set<String> defCritHeaders, boolean promiscuousMode) throws KeyLengthException
key
- The symmetric key. Its algorithm should be
"AES". Must be 128 bits (16 bytes), 192 bits
(24 bytes), 256 bits (32 bytes), 384 bits (48
bytes) or 512 bits (64 bytes) long. Must not
be null
.defCritHeaders
- The names of the critical header parameters
that are deferred to the application for
processing, empty set or null
if none.promiscuousMode
- If true
set the decrypter in
promiscuous mode to permit decryption of any
JWE with the supplied symmetric key. The that
mode the JWE algorithm checks for
("alg":"dir") and encrypted key not being
present will be skipped.KeyLengthException
- If the symmetric key length is not
compatible.public Set<String> getProcessedCriticalHeaderParams()
CriticalHeaderParamsAware
crit
) header parameters
that are understood and processed by the JWS verifier / JWE
decrypter.getProcessedCriticalHeaderParams
in interface CriticalHeaderParamsAware
public Set<String> getDeferredCriticalHeaderParams()
CriticalHeaderParamsAware
crit
) header parameters
that are deferred to the application for processing and will be
ignored by the JWS verifier / JWE decrypter.getDeferredCriticalHeaderParams
in interface CriticalHeaderParamsAware
public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
JWEDecrypter
JWE Object
.decrypt
in interface JWEDecrypter
header
- The JSON Web Encryption (JWE) header. Must
specify a supported JWE algorithm and method.
Must not be null
.encryptedKey
- The encrypted key, null
if not required
by the JWE algorithm.iv
- The initialisation vector, null
if not
required by the JWE algorithm.cipherText
- The cipher text to decrypt. Must not be
null
.authTag
- The authentication tag, null
if not
required.JOSEException
- If the JWE algorithm or method is not
supported, if a critical header parameter is
not supported or marked for deferral to the
application, or if decryption failed for some
other reason.public Set<JWEAlgorithm> supportedJWEAlgorithms()
JWEProvider
alg
JWE header parameter.supportedJWEAlgorithms
in interface JWEProvider
public Set<EncryptionMethod> supportedEncryptionMethods()
JWEProvider
enc
JWE header parameter.supportedEncryptionMethods
in interface JWEProvider
public JWEJCAContext getJCAContext()
JCAAware
getJCAContext
in interface JCAAware<JWEJCAContext>
null
.Copyright © 2020 Connect2id Ltd.. All rights reserved.