Class RSADecrypter

    • Constructor Detail

      • RSADecrypter

        public RSADecrypter(PrivateKey privateKey)
        Creates a new RSA decrypter. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
        Parameters:
        privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      • RSADecrypter

        public RSADecrypter(RSAKey rsaJWK)
                     throws JOSEException
        Creates a new RSA decrypter.
        Parameters:
        rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
        Throws:
        JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.
      • RSADecrypter

        public RSADecrypter(PrivateKey privateKey,
                            Set<String> defCritHeaders)
        Creates a new RSA decrypter. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
        Parameters:
        privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
        defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      • RSADecrypter

        public RSADecrypter(PrivateKey privateKey,
                            Set<String> defCritHeaders,
                            boolean allowWeakKey)
        Creates a new RSA decrypter. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
        Parameters:
        privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
        defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
        allowWeakKey - true to allow an RSA key shorter than 2048 bits.
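The 2048-bit minimum and the defCritHeaders deferral described by the constructors above, shown end to end in an added Java example that is not part of the original documentation. It assumes the companion classes of the same library (RSAEncrypter, JWEObject, JWEHeader.Builder, Payload), which this page does not document; the "x-tenant" parameter and the payload are constructed sample values, and because the page does not state which exception a weak key raises, the code catches RuntimeException.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class RSADecrypterExample {
    static KeyPair rsaKeyPair(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // 1. Without allowWeakKey, a key shorter than 2048 bits is refused.
        try {
            new RSADecrypter(rsaKeyPair(1024).getPrivate());
            throw new AssertionError("1024-bit key was accepted");
        } catch (RuntimeException e) { // exception type is an assumption
            System.out.println("Weak key rejected: " + e.getMessage());
        }

        // 2. Constructed JWE whose header marks a made-up parameter as critical.
        KeyPair kp = rsaKeyPair(2048);
        Set<String> crit = Collections.singleton("x-tenant"); // hypothetical name
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM)
                .criticalParams(crit).customParam("x-tenant", "acme").build();
        JWEObject jwe = new JWEObject(header, new Payload("constructed sample payload"));
        jwe.encrypt(new RSAEncrypter((RSAPublicKey) kp.getPublic()));
        String compact = jwe.serialize();

        // No deferral: the unrecognised critical parameter must fail decryption.
        try {
            JWEObject.parse(compact).decrypt(new RSADecrypter(kp.getPrivate()));
            throw new AssertionError("unknown crit parameter was ignored");
        } catch (JOSEException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        // Deferral: the library decrypts; the application now owns the check.
        RSADecrypter decrypter = new RSADecrypter(kp.getPrivate(), crit);
        JWEObject parsed = JWEObject.parse(compact);
        parsed.decrypt(decrypter);
        if (!"acme".equals(parsed.getHeader().getCustomParam("x-tenant")))
            throw new JOSEException("x-tenant failed application validation");
        System.out.println(parsed.getPayload().toString());
    }
}
```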
    • Method Detail

      • getPrivateKey

        public PrivateKey getPrivateKey()
        Gets the private RSA key.
        Returns:
        The private RSA key. Casting to RSAPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.
      • decrypt

        @Deprecated
        public byte[] decrypt(JWEHeader header,
                              Base64URL encryptedKey,
                              Base64URL iv,
                              Base64URL cipherText,
                              Base64URL authTag)
                       throws JOSEException
        Deprecated.
        Decrypts the specified cipher text of a JWE Object.
        Parameters:
        header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
        encryptedKey - The encrypted key, null if not required by the JWE algorithm.
        iv - The initialisation vector, null if not required by the JWE algorithm.
        cipherText - The cipher text to decrypt. Must not be null.
        authTag - The authentication tag, null if not required.
        Returns:
        The clear text.
        Throws:
        JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
      • decrypt

        public byte[] decrypt(JWEHeader header,
                              Base64URL encryptedKey,
                              Base64URL iv,
                              Base64URL cipherText,
                              Base64URL authTag,
                              byte[] aad)
                       throws JOSEException
        Description copied from interface: JWEDecrypter
        Decrypts the specified cipher text of a JWE Object.
        Specified by:
        decrypt in interface JWEDecrypter
        Parameters:
        header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
        encryptedKey - The encrypted key, null if not required by the JWE algorithm.
        iv - The initialisation vector, null if not required by the JWE algorithm.
        cipherText - The cipher text to decrypt. Must not be null.
        authTag - The authentication tag, null if not required.
        aad - The additional authenticated data. Must not be null.
        Returns:
        The clear text.
        Throws:
        JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
      • supportedJWEAlgorithms

        public Set<JWEAlgorithm> supportedJWEAlgorithms()
        Description copied from interface: JWEProvider
        Returns the names of the algorithms supported by the JWE provider instance. These correspond to the alg JWE header parameter.
        Specified by:
        supportedJWEAlgorithms in interface JWEProvider
        Returns:
        The supported JWE algorithms, empty set if none.
      • supportedEncryptionMethods

        public Set<EncryptionMethod> supportedEncryptionMethods()
        Description copied from interface: JWEProvider
        Returns the names of the encryption methods supported by the JWE provider. These correspond to the enc JWE header parameter.
        Specified by:
        supportedEncryptionMethods in interface JWEProvider
        Returns:
        The supported encryption methods, empty set if none.
      • getJCAContext

        public JWEJCAContext getJCAContext()
        Description copied from interface: JCAAware
        Returns the Java Cryptography Architecture (JCA) context. May be used to set a specific JCA security provider or secure random generator.
        Specified by:
        getJCAContext in interface JCAAware<JWEJCAContext>
        Returns:
        The JCA context. Not null.
      • isCEKProvided

        protected boolean isCEKProvided()
        Returns true if a content encryption key (CEK) was provided at construction time.
        Returns:
        true if a CEK was provided at construction time, false if CEKs will be internally generated.
      • getCEK

        protected SecretKey getCEK(EncryptionMethod enc)
                            throws JOSEException
        Returns the content encryption key (CEK) to use. Unless a CEK was provided at construction time this will be a new internally generated CEK.
        Parameters:
        enc - The encryption method. Must not be null.
        Returns:
        The content encryption key (CEK).
        Throws:
        JOSEException - If an internal exception is encountered.