Package com.nimbusds.jose.crypto
Class AESDecrypter
- java.lang.Object
-
- com.nimbusds.jose.crypto.impl.AESCryptoProvider
-
- com.nimbusds.jose.crypto.AESDecrypter
-
- All Implemented Interfaces:
CriticalHeaderParamsAware
,JCAAware<JWEJCAContext>
,JOSEProvider
,JWEDecrypter
,JWEProvider
@ThreadSafe public class AESDecrypter extends AESCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware
AES and AES GCM key wrap decrypter ofJWE objects
. Expects an AES key.Unwraps the encrypted Content Encryption Key (CEK) with the specified AES key, and then uses the CEK along with the IV and authentication tag to decrypt the cipher text. See RFC 7518, sections 4.4 and 4.7 for more information.
This class is thread-safe.
Supports the following key management algorithms:
JWEAlgorithm.A128KW
JWEAlgorithm.A192KW
JWEAlgorithm.A256KW
JWEAlgorithm.A128GCMKW
JWEAlgorithm.A192GCMKW
JWEAlgorithm.A256GCMKW
Supports the following content encryption algorithms:
- Version:
- 2023-09-10
- Author:
- Melisa Halsband, Vladimir Dzhuvinov, Egor Puzanov
-
-
Field Summary
-
Fields inherited from class com.nimbusds.jose.crypto.impl.AESCryptoProvider
COMPATIBLE_ALGORITHMS, SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS
-
-
Constructor Summary
Constructors Constructor Description AESDecrypter(byte[] keyBytes)
Creates a new AES decrypter.AESDecrypter(OctetSequenceKey octJWK)
Creates a new AES decrypter.AESDecrypter(SecretKey kek)
Creates a new AES decrypter.AESDecrypter(SecretKey kek, Set<String> defCritHeaders)
Creates a new AES decrypter.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description byte[]
decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)
Deprecated.byte[]
decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)
Decrypts the specified cipher text of aJWE Object
.protected SecretKey
getCEK(EncryptionMethod enc)
Returns the content encryption key (CEK) to use.Set<String>
getDeferredCriticalHeaderParams()
Returns the names of the critical (crit
) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.JWEJCAContext
getJCAContext()
Returns the Java Cryptography Architecture (JCA) context.Set<String>
getProcessedCriticalHeaderParams()
Returns the names of the critical (crit
) header parameters that are understood and processed by the JWS verifier / JWE decrypter.protected boolean
isCEKProvided()
Returnstrue
if a content encryption key (CEK) was provided at construction time.Set<EncryptionMethod>
supportedEncryptionMethods()
Returns the names of the supported encryption methods by the JWE provier.Set<JWEAlgorithm>
supportedJWEAlgorithms()
Returns the names of the supported algorithms by the JWE provider instance.-
Methods inherited from class com.nimbusds.jose.crypto.impl.AESCryptoProvider
getKey
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface com.nimbusds.jose.jca.JCAAware
getJCAContext
-
Methods inherited from interface com.nimbusds.jose.JWEProvider
supportedEncryptionMethods, supportedJWEAlgorithms
-
-
-
-
Constructor Detail
-
AESDecrypter
public AESDecrypter(SecretKey kek) throws KeyLengthException
Creates a new AES decrypter.- Parameters:
kek
- The Key Encrypting Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not benull
.- Throws:
KeyLengthException
- If the KEK length is invalid.
-
AESDecrypter
public AESDecrypter(byte[] keyBytes) throws KeyLengthException
Creates a new AES decrypter.- Parameters:
keyBytes
- The Key Encrypting Key, as a byte array. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not benull
.- Throws:
KeyLengthException
- If the KEK length is invalid.
-
AESDecrypter
public AESDecrypter(OctetSequenceKey octJWK) throws KeyLengthException
Creates a new AES decrypter.- Parameters:
octJWK
- The Key Encryption Key, as a JWK. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull
.- Throws:
KeyLengthException
- If the KEK length is invalid.
-
AESDecrypter
public AESDecrypter(SecretKey kek, Set<String> defCritHeaders) throws KeyLengthException
Creates a new AES decrypter.- Parameters:
kek
- The Key Encrypting Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not benull
.defCritHeaders
- The names of the critical header parameters that are deferred to the application for processing, empty set ornull
if none.- Throws:
KeyLengthException
- If the KEK length is invalid.
-
-
Method Detail
-
getProcessedCriticalHeaderParams
public Set<String> getProcessedCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAware
Returns the names of the critical (crit
) header parameters that are understood and processed by the JWS verifier / JWE decrypter.- Specified by:
getProcessedCriticalHeaderParams
in interfaceCriticalHeaderParamsAware
- Returns:
- The names of the critical header parameters that are understood and processed, empty set if none.
-
getDeferredCriticalHeaderParams
public Set<String> getDeferredCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAware
Returns the names of the critical (crit
) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.- Specified by:
getDeferredCriticalHeaderParams
in interfaceCriticalHeaderParamsAware
- Returns:
- The names of the critical header parameters that are deferred to the application for processing, empty set if none.
-
decrypt
@Deprecated public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
Deprecated.Decrypts the specified cipher text of aJWE Object
.- Parameters:
header
- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull
.encryptedKey
- The encrypted key,null
if not required by the JWE algorithm.iv
- The initialisation vector,null
if not required by the JWE algorithm.cipherText
- The cipher text to decrypt. Must not benull
.authTag
- The authentication tag,null
if not required.- Returns:
- The clear text.
- Throws:
JOSEException
- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
decrypt
public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException
Description copied from interface:JWEDecrypter
Decrypts the specified cipher text of aJWE Object
.- Specified by:
decrypt
in interfaceJWEDecrypter
- Parameters:
header
- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull
.encryptedKey
- The encrypted key,null
if not required by the JWE algorithm.iv
- The initialisation vector,null
if not required by the JWE algorithm.cipherText
- The cipher text to decrypt. Must not benull
.authTag
- The authentication tag,null
if not required.aad
- The additional authenticated data. Must not benull
.- Returns:
- The clear text.
- Throws:
JOSEException
- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
supportedJWEAlgorithms
public Set<JWEAlgorithm> supportedJWEAlgorithms()
Description copied from interface:JWEProvider
Returns the names of the supported algorithms by the JWE provider instance. These correspond to thealg
JWE header parameter.- Specified by:
supportedJWEAlgorithms
in interfaceJWEProvider
- Returns:
- The supported JWE algorithms, empty set if none.
-
supportedEncryptionMethods
public Set<EncryptionMethod> supportedEncryptionMethods()
Description copied from interface:JWEProvider
Returns the names of the supported encryption methods by the JWE provier. These correspond to theenc
JWE header parameter.- Specified by:
supportedEncryptionMethods
in interfaceJWEProvider
- Returns:
- The supported encryption methods, empty set if none.
-
getJCAContext
public JWEJCAContext getJCAContext()
Description copied from interface:JCAAware
Returns the Java Cryptography Architecture (JCA) context. May be used to set a specific JCA security provider or secure random generator.- Specified by:
getJCAContext
in interfaceJCAAware<JWEJCAContext>
- Returns:
- The JCA context. Not
null
.
-
isCEKProvided
protected boolean isCEKProvided()
Returnstrue
if a content encryption key (CEK) was provided at construction time.- Returns:
true
if a CEK was provided at construction time,false
if CEKs will be internally generated.
-
getCEK
protected SecretKey getCEK(EncryptionMethod enc) throws JOSEException
Returns the content encryption key (CEK) to use. Unless a CEK was provided at construction time this will be a new internally generated CEK.- Parameters:
enc
- The encryption method. Must not benull
.- Returns:
- The content encryption key (CEK).
- Throws:
JOSEException
- If an internal exception is encountered.
-
-