Package com.nimbusds.jose.crypto

Class DirectDecrypter

    • Constructor Detail

      • DirectDecrypter

        public DirectDecrypter​(SecretKey key)
                throws KeyLengthException
        Creates a new direct decrypter.
        Parameters:
        key - The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

      • DirectDecrypter

        public DirectDecrypter​(SecretKey key,
                       boolean promiscuousMode)
                throws KeyLengthException
        Creates a new direct decrypter with the option to set it in promiscuous mode.
        Parameters:
        key - The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        promiscuousMode - If true set the decrypter in promiscuous mode to permit decryption of any JWE with the supplied symmetric key. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

      • DirectDecrypter

        public DirectDecrypter​(byte[] keyBytes)
                throws KeyLengthException
        Creates a new direct decrypter.
        Parameters:
        keyBytes - The symmetric key, as a byte array. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

      • DirectDecrypter

        public DirectDecrypter​(OctetSequenceKey octJWK)
                throws KeyLengthException
        Creates a new direct decrypter.
        Parameters:
        octJWK - The symmetric key, as a JWK. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

      • DirectDecrypter

        public DirectDecrypter​(SecretKey key,
                       Set<String> defCritHeaders)
                throws KeyLengthException
        Creates a new direct decrypter with the option to set it in promiscuous mode.
        Parameters:
        key - The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

      • DirectDecrypter

        public DirectDecrypter​(SecretKey key,
                       Set<String> defCritHeaders,
                       boolean promiscuousMode)
                throws KeyLengthException
        Creates a new direct decrypter.
        Parameters:
        key - The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
        defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
        promiscuousMode - If true set the decrypter in promiscuous mode to permit decryption of any JWE with the supplied symmetric key. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.
        Throws:
        KeyLengthException - If the symmetric key length is not compatible.

    • Method Detail

      • decrypt

        @Deprecated
public byte[] decrypt​(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag)
               throws JOSEException
        Deprecated.
        Decrypts the specified cipher text of a JWE Object.
        Parameters:
        header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
        encryptedKey - The encrypted key, null if not required by the JWE algorithm.
        iv - The initialisation vector, null if not required by the JWE algorithm.
        cipherText - The cipher text to decrypt. Must not be null.
        authTag - The authentication tag, null if not required.
        Returns:
        The clear text.
        Throws:
        JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

      • decrypt

        public byte[] decrypt​(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag,
                      byte[] aad)
               throws JOSEException
        Description copied from interface: JWEDecrypter
        Decrypts the specified cipher text of a JWE Object.
        Specified by:
        decrypt in interface JWEDecrypter
        Parameters:
        header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
        encryptedKey - The encrypted key, null if not required by the JWE algorithm.
        iv - The initialisation vector, null if not required by the JWE algorithm.
        cipherText - The cipher text to decrypt. Must not be null.
        authTag - The authentication tag, null if not required.
        aad - The additional authenticated data. Must not be null.
        Returns:
        The clear text.
        Throws:
        JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

      • supportedJWEAlgorithms

        public Set<JWEAlgorithm> supportedJWEAlgorithms()
        Description copied from interface: JWEProvider
        Returns the names of the supported algorithms by the JWE provider instance. These correspond to the alg JWE header parameter.
        Specified by:
        supportedJWEAlgorithms in interface JWEProvider
        Returns:
        The supported JWE algorithms, empty set if none.

      • supportedEncryptionMethods

        public Set<EncryptionMethod> supportedEncryptionMethods()
        Description copied from interface: JWEProvider
        Returns the names of the supported encryption methods by the JWE provier. These correspond to the enc JWE header parameter.
        Specified by:
        supportedEncryptionMethods in interface JWEProvider
        Returns:
        The supported encryption methods, empty set if none.

      • getJCAContext

        public JWEJCAContext getJCAContext()
        Description copied from interface: JCAAware
        Returns the Java Cryptography Architecture (JCA) context. May be used to set a specific JCA security provider or secure random generator.
        Specified by:
        getJCAContext in interface JCAAware<JWEJCAContext>
        Returns:
        The JCA context. Not null.

      • isCEKProvided

        protected boolean isCEKProvided()
        Returns true if a content encryption key (CEK) was provided at construction time.
        Returns:
        true if a CEK was provided at construction time, false if CEKs will be internally generated.

      • getCEK

        protected SecretKey getCEK​(EncryptionMethod enc)
                    throws JOSEException
        Returns the content encryption key (CEK) to use. Unless a CEK was provided at construction time this will be a new internally generated CEK.
        Parameters:
        enc - The encryption method. Must not be null.
        Returns:
        The content encryption key (CEK).
        Throws:
        JOSEException - If an internal exception is encountered.