public abstract class JWK extends Object implements net.minidev.json.JSONAware, Serializable
The following JSON object members are common to all JWK types:

- kty (required)
- use (optional)
- key_ops (optional)
- kid (optional)
- x5u (optional)
- x5t (optional)
- x5t#S256 (optional)
- x5c (optional)
- getKeyStore() (a reference to the underlying key store, held in memory; it is not a serialised JSON member)
Example JWK (of the Elliptic Curve type):

```json
{
  "kty" : "EC",
  "crv" : "P-256",
  "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
  "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
  "use" : "enc",
  "kid" : "1"
}
```
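As an added example (written for this page, not code from the Nimbus project), the following program feeds the EC JWK above to parse(String), reads the members common to every key type, casts to ECKey for the curve, applies a key-use separation check and computes the SHA-256 thumbprint. The class name and the allowedFor helper are constructed for the example; the JSON is the page's own sample key, and the RFC 7638 reference describes what computeThumbprint() implements.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import java.text.ParseException;

public class JwkCommonMembersExample {

    // The EC JWK from the class description, reproduced verbatim as the sample input
    static final String EC_JWK_JSON = "{"
        + "\"kty\":\"EC\",\"crv\":\"P-256\","
        + "\"x\":\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\","
        + "\"y\":\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\","
        + "\"use\":\"enc\",\"kid\":\"1\"}";

    /**
     * Key-use separation check (helper added here, not a library method): a key
     * may serve the requested purpose only if its "use" member is absent (which the
     * page documents as "not specified or signing as well as encryption") or matches.
     */
    static boolean allowedFor(JWK jwk, KeyUse requested) {
        KeyUse declared = jwk.getKeyUse();
        return declared == null || declared.equals(requested);
    }

    public static void main(String[] args) throws ParseException, JOSEException {
        // parse(String) selects the concrete class from "kty"; this input yields an ECKey
        JWK jwk = JWK.parse(EC_JWK_JSON);

        // Members common to every JWK type; absent optional members come back as null
        System.out.println("kty      = " + jwk.getKeyType());
        System.out.println("use      = " + jwk.getKeyUse());
        System.out.println("kid      = " + jwk.getKeyID());
        System.out.println("key_ops  = " + jwk.getKeyOperations());
        System.out.println("alg      = " + jwk.getAlgorithm());
        System.out.println("x5c      = " + jwk.getX509CertChain());
        // No "d" member in the input, so isPrivate() reports a public-only key
        System.out.println("private? = " + jwk.isPrivate());
        // size() is the curve's field size in bits for an EC key
        System.out.println("size     = " + jwk.size() + " bits");

        // Type-specific members live on the subclass; toECKey() throws ClassCastException for non-EC keys
        if (KeyType.EC.equals(jwk.getKeyType())) {
            ECKey ecKey = jwk.toECKey();
            System.out.println("crv      = " + ecKey.getCurve());
            System.out.println("on P-256 = " + Curve.P_256.equals(ecKey.getCurve()));
        }

        // The sample key declares "use":"enc", so a signature verifier must refuse it
        System.out.println("usable for signing    = " + allowedFor(jwk, KeyUse.SIGNATURE));
        System.out.println("usable for encryption = " + allowedFor(jwk, KeyUse.ENCRYPTION));

        // The thumbprint covers only the required parameters (crv, kty, x, y for EC);
        // "use" and "kid" do not influence it, so it identifies the key material itself
        System.out.println("required = " + jwk.getRequiredParams().keySet());
        System.out.println("thumb    = " + jwk.computeThumbprint());
    }
}
```

The allowedFor check is the one to apply whenever a key is selected from a set for a JWS or JWE operation: a key published with "use":"enc" must not be accepted for signature verification, and the check only passes a missing "use" because the page defines null as "not specified or both".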
Modifier and Type | Field and Description |
---|---|
static String | MIME_TYPE: The MIME type of JWK objects: application/jwk+json; charset=UTF-8 |
Modifier | Constructor and Description |
---|---|
protected | JWK(KeyType kty, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks): Creates a new JSON Web Key (JWK). |
Modifier and Type | Method and Description |
---|---|
Base64URL | computeThumbprint(): Computes the SHA-256 thumbprint of this JWK. |
Base64URL | computeThumbprint(String hashAlg): Computes the thumbprint of this JWK using the specified hash algorithm. |
boolean | equals(Object o) |
Algorithm | getAlgorithm(): Gets the intended JOSE algorithm (alg) for this JWK. |
String | getKeyID(): Gets the ID (kid) of this JWK. |
Set<KeyOperation> | getKeyOperations(): Gets the operations (key_ops) for this JWK. |
KeyStore | getKeyStore(): Returns a reference to the underlying key store. |
KeyType | getKeyType(): Gets the type (kty) of this JWK. |
KeyUse | getKeyUse(): Gets the use (use) of this JWK. |
List<X509Certificate> | getParsedX509CertChain(): Gets the parsed X.509 certificate chain (x5c) of this JWK. |
abstract LinkedHashMap<String,?> | getRequiredParams(): Returns the required JWK parameters. |
List<Base64> | getX509CertChain(): Gets the X.509 certificate chain (x5c) of this JWK. |
Base64URL | getX509CertSHA256Thumbprint(): Gets the X.509 certificate SHA-256 thumbprint (x5t#S256) of this JWK. |
Base64URL | getX509CertThumbprint(): Deprecated. |
URI | getX509CertURL(): Gets the X.509 certificate URL (x5u) of this JWK. |
int | hashCode() |
abstract boolean | isPrivate(): Returns true if this JWK contains private or sensitive (non-public) parameters. |
static JWK | load(KeyStore keyStore, String alias, char[] pin): Loads a JWK from the specified JCE key store. |
static JWK | parse(net.minidev.json.JSONObject jsonObject): Parses a JWK from the specified JSON object representation. |
static JWK | parse(String s): Parses a JWK from the specified JSON object string representation. |
static JWK | parse(X509Certificate cert) |
static JWK | parseFromPEMEncodedObjects(String pemEncodedObjects): Parses an RSA or EC JWK from the specified string of one or more PEM-encoded object(s): X.509 certificate (PEM header: BEGIN CERTIFICATE); PKCS#1 RSAPublicKey (PEM header: BEGIN RSA PUBLIC KEY); X.509 SubjectPublicKeyInfo (PEM header: BEGIN PUBLIC KEY); PKCS#1 RSAPrivateKey (PEM header: BEGIN RSA PRIVATE KEY); PKCS#8 PrivateKeyInfo (PEM header: BEGIN PRIVATE KEY); a matching pair of the above. |
static JWK | parseFromPEMEncodedX509Cert(String pemEncodedCert) |
abstract int | size(): Returns the size of this JWK. |
ECKey | toECKey(): Casts this JWK to an EC JWK. |
net.minidev.json.JSONObject | toJSONObject(): Returns a JSON object representation of this JWK. |
String | toJSONString(): Returns the JSON object string representation of this JWK. |
OctetKeyPair | toOctetKeyPair(): Casts this JWK to an octet key pair JWK. |
OctetSequenceKey | toOctetSequenceKey(): Casts this JWK to an octet sequence JWK. |
abstract JWK | toPublicJWK(): Creates a copy of this JWK with all private or sensitive parameters removed. |
RSAKey | toRSAKey(): Casts this JWK to an RSA JWK. |
String | toString() |
public static final String MIME_TYPE

The MIME type of JWK objects:

application/jwk+json; charset=UTF-8
protected JWK(KeyType kty, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)

Creates a new JSON Web Key (JWK).

Parameters:
- kty - The key type. Must not be null.
- use - The key use, null if not specified or if the key is intended for signing as well as encryption.
- ops - The key operations, null if not specified.
- alg - The intended JOSE algorithm for the key, null if not specified.
- kid - The key ID, null if not specified.
- x5u - The X.509 certificate URL, null if not specified.
- x5t - The X.509 certificate thumbprint, null if not specified.
- x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
- x5c - The X.509 certificate chain, null if not specified.
- ks - Reference to the underlying key store, null if none.

public KeyType getKeyType()

Gets the type (kty) of this JWK.

public KeyUse getKeyUse()

Gets the use (use) of this JWK. Returns null if not specified or if the key is intended for signing as well as encryption.

public Set<KeyOperation> getKeyOperations()

Gets the operations (key_ops) for this JWK. Returns null if not specified.

public Algorithm getAlgorithm()

Gets the intended JOSE algorithm (alg) for this JWK. Returns null if not specified.

public String getKeyID()

Gets the ID (kid) of this JWK. The key ID can be used to match a specific key. This can be used, for instance, to choose a key within a JWKSet during key rollover. The key ID may also correspond to a JWS/JWE kid header parameter value. Returns null if not specified.

public URI getX509CertURL()

Gets the X.509 certificate URL (x5u) of this JWK. Returns null if not specified.

@Deprecated public Base64URL getX509CertThumbprint()

Deprecated. Gets the X.509 certificate SHA-1 thumbprint (x5t) of this JWK. Returns null if not specified.

public Base64URL getX509CertSHA256Thumbprint()

Gets the X.509 certificate SHA-256 thumbprint (x5t#S256) of this JWK. Returns null if not specified.

public List<Base64> getX509CertChain()

Gets the X.509 certificate chain (x5c) of this JWK. Returns null if not specified.

public List<X509Certificate> getParsedX509CertChain()

Gets the parsed X.509 certificate chain (x5c) of this JWK. Returns null if not specified.

public KeyStore getKeyStore()

Returns a reference to the underlying key store. Returns null if none.

public abstract LinkedHashMap<String,?> getRequiredParams()

Returns the required JWK parameters.
public Base64URL computeThumbprint() throws JOSEException

Computes the SHA-256 thumbprint of this JWK.

Throws:
- JOSEException - If the SHA-256 hash algorithm is not supported.

public Base64URL computeThumbprint(String hashAlg) throws JOSEException

Computes the thumbprint of this JWK using the specified hash algorithm.

Parameters:
- hashAlg - The hash algorithm. Must not be null.

Throws:
- JOSEException - If the hash algorithm is not supported.

public abstract boolean isPrivate()

Returns true if this JWK contains private or sensitive (non-public) parameters.

Returns: true if this JWK contains private parameters, else false.

public abstract JWK toPublicJWK()

Creates a copy of this JWK with all private or sensitive parameters removed.

Returns: the public copy, or null if none can be created.

public abstract int size()

Returns the size of this JWK.

public OctetSequenceKey toOctetSequenceKey()

Casts this JWK to an octet sequence JWK.

public OctetKeyPair toOctetKeyPair()

Casts this JWK to an octet key pair JWK.

public net.minidev.json.JSONObject toJSONObject()

Returns a JSON object representation of this JWK.

Example:

```json
{ "kty" : "RSA", "use" : "sig", "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b" }
```

public String toJSONString()

Returns the JSON object string representation of this JWK.

Specified by: toJSONString in interface net.minidev.json.JSONAware

public String toString()

Overrides: toString in class Object

See also: toJSONString()
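The following program is an added example, written for this page and not taken from the Nimbus source. It generates a P-256 signing key, shows that toJSONString() and parse(String) carry the private parameters through unchanged, and uses isPrivate() and toPublicJWK() as the gate before a key is placed in a JWKSet for publication. The class name, the key ID and the forPublication helper are constructed for the example; ECKey.Builder and JWKSet are the library's own classes.

```java
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

public class PublishPublicJwkExample {

    /** Generates a P-256 signing key with its private part via plain JCA (no BouncyCastle needed). */
    static ECKey newSigningKey(String kid) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));   // secp256r1 is the JCA name of P-256
        KeyPair pair = gen.generateKeyPair();
        return new ECKey.Builder(Curve.P_256, (ECPublicKey) pair.getPublic())
            .privateKey((ECPrivateKey) pair.getPrivate())      // adds the private "d" member
            .keyUse(KeyUse.SIGNATURE)
            .keyID(kid)
            .build();
    }

    /**
     * Gate before any JWK leaves the process (helper added here, not a library method).
     * A key that is already public passes through; a key holding private or sensitive
     * parameters is replaced by its public copy; a key with no public form at all
     * (toPublicJWK() returns null, e.g. a symmetric OctetSequenceKey) is rejected.
     */
    static JWK forPublication(JWK jwk) {
        if (!jwk.isPrivate()) {
            return jwk;
        }
        JWK pub = jwk.toPublicJWK();
        if (pub == null) {
            throw new IllegalArgumentException(
                "JWK " + jwk.getKeyID() + " has no public form and must not be published");
        }
        return pub;
    }

    public static void main(String[] args) throws Exception {
        ECKey signingKey = newSigningKey("sig-2021-01");   // constructed key ID

        // The full key serialises with its private parameters and parse(String) restores
        // them, so anything written from toJSONString() here is secret material
        String full = signingKey.toJSONString();
        JWK roundTrip = JWK.parse(full);
        System.out.println("generated key private?     " + signingKey.isPrivate());
        System.out.println("round-tripped key private? " + roundTrip.isPrivate());

        // Only the public copy goes into the set served to token verifiers
        JWK publicCopy = forPublication(signingKey);
        List<JWK> published = new ArrayList<>();
        published.add(publicCopy);
        JWKSet jwks = new JWKSet(published);
        String out = jwks.toString();
        System.out.println(out);
        System.out.println("published copy private?    " + publicCopy.isPrivate());
        System.out.println("\"d\" member in output?      " + out.contains("\"d\""));

        // The thumbprint is computed over the required (public) parameters only, so the
        // public copy keeps the same thumbprint as the full key and a kid derived from it stays stable
        System.out.println("thumbprint unchanged?      "
            + signingKey.computeThumbprint().equals(publicCopy.computeThumbprint()));
    }
}
```

JWKSet's own toString() serialises the public form of each key, so the explicit gate is a second line of defence: it makes the publication policy visible at the call site, and it fails loudly on a key that has no public form instead of relying on the set to leave it out. That null case is the one the page documents for toPublicJWK().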
public static JWK parse(String s) throws ParseException

Parses a JWK from the specified JSON object string representation. The result is an ECKey, an RSAKey, or an OctetSequenceKey.

Parameters:
- s - The JSON object string to parse. Must not be null.

Throws:
- ParseException - If the string couldn't be parsed to a supported JWK.

public static JWK parse(net.minidev.json.JSONObject jsonObject) throws ParseException

Parses a JWK from the specified JSON object representation. The result is an ECKey, an RSAKey, or an OctetSequenceKey.

Parameters:
- jsonObject - The JSON object to parse. Must not be null.

Throws:
- ParseException - If the JSON object couldn't be parsed to a supported JWK.

public static JWK parse(X509Certificate cert) throws JOSEException

Parses a public RSA or EC JWK from the specified X.509 certificate. Requires BouncyCastle.

Important: The X.509 certificate is not validated! The caller must establish trust in the certificate (chain, validity period and revocation status) before relying on the resulting key.

Sets the following JWK parameters:
- use, as determined by KeyUse.from(java.security.cert.X509Certificate).

Parameters:
- cert - The X.509 certificate. Must not be null.

Throws:
- JOSEException - If parsing failed.

public static JWK parseFromPEMEncodedX509Cert(String pemEncodedCert) throws JOSEException

Parses a public RSA or EC JWK from the specified PEM-encoded X.509 certificate. Requires BouncyCastle.

Important: The X.509 certificate is not validated!

Sets the following JWK parameters:
- use, as determined by KeyUse.from(java.security.cert.X509Certificate).

Parameters:
- pemEncodedCert - The PEM-encoded X.509 certificate. Must not be null.

Throws:
- JOSEException - If parsing failed.

public static JWK load(KeyStore keyStore, String alias, char[] pin) throws KeyStoreException, JOSEException

Loads a JWK from the specified JCE key store. The JWK can be a public / private RSA key, a public / private EC key, or a secret key. Requires BouncyCastle.

Important: The X.509 certificate is not validated!

Parameters:
- keyStore - The key store. Must not be null.
- alias - The alias. Must not be null.
- pin - The pin to unlock the private key if any, empty or null if not required.

Returns null if no key with the specified alias was found.

Throws:
- KeyStoreException - On a key store exception.
- JOSEException - If RSA or EC key loading failed.

public static JWK parseFromPEMEncodedObjects(String pemEncodedObjects) throws JOSEException

Parses an RSA or EC JWK from the specified string of one or more PEM-encoded object(s):
- X.509 certificate (PEM header: BEGIN CERTIFICATE)
- PKCS#1 RSAPublicKey (PEM header: BEGIN RSA PUBLIC KEY)
- X.509 SubjectPublicKeyInfo (PEM header: BEGIN PUBLIC KEY)
- PKCS#1 RSAPrivateKey (PEM header: BEGIN RSA PRIVATE KEY)
- PKCS#8 PrivateKeyInfo (PEM header: BEGIN PRIVATE KEY)
- a matching pair of the above

Requires BouncyCastle.

Parameters:
- pemEncodedObjects - The string of PEM-encoded object(s).

Throws:
- JOSEException - If RSA or EC key parsing failed.

Copyright © 2021 Connect2id Ltd. All rights reserved.