Nimbus JOSE + JWT v9.34

Nimbus JOSE + JWT

Create, parse and process:

A framework for secure application-specific processing of JWTs as well as generic (i.e. arbitrary payload) JOSE objects is provided.

The library implements the following JWS and JWE algorithms:

JWS algorithms:

  1. HMAC integrity protection: HS256, HS384 and HS512
  2. RSA signatures: RS256, RS384, RS512, PS256, PS384 and PS512.
  3. EC signatures: ES256, ES256K, ES384 and ES512
  4. EdDSA signatures: EdDSA

JWE key management algorithms:

  1. Key encryption with RSAES-PKCS1-V1_5: RSA1_5 (deprecated)
  2. Key encryption with RSAES OAEP: RSA-OAEP (deprecated) and RSA-OAEP-256
  3. Key encryption with AES key wrap: A128KW, A192KW and A256KW
  4. Key encryption with AES GCM key wrap: A128CGMKW, A192CGMKW and A256CGMKW
  5. Direct encryption with a symmetric key: dir
  6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
  7. Public key authenticated encryption utilising the One-Pass Unified Model for Elliptic Curve Diffie-Hellman key agreement: ECDH-1PU, ECDH-1PU+A128KW, ECDH-1PU+A128KW, ECDH-1PU+A256KW
  8. Password-based encryption: PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW

JWE content encryption algorithms:

  1. AES_CBC_HMAC_SHA2: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, the deprecated A128CBC+HS256 and A256CBC+HS512 are also supported
  2. AES GCM: A128GCM, A192GCM and A256GCM
  3. Extended nonce ChaCha20-Poly1305: XC20P

New JWA algorithms can be easily added. The library provides a set of interfaces to decouple the representation of JOSE / JWT objects from JWA cryptography code for signing / verification or encryption / decryption. Multiple JCA providers, including hardware-based (PKCS#11) can be configured.

Supported specifications:

  1. RFC 7515 - JWS
  2. RFC 7516 - JWE
  3. RFC 7517 - JWK
  4. RFC 7518 - JWA
  5. RFC 7519 - JWT
  6. RFC 7165 - Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
  7. RFC 7520 - Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE)
  8. RFC 7638 - JWK Thumbprint
  9. RFC 7797 - JWS Unencoded Payload Option
  10. RFC 8037 - CFRG ECDH and Signatures in JOSE
  11. RFC 8812 - CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) Registrations for Web Authentication (WebAuthn) Algorithms
  12. RFC 9278 - JWK Thumbprint URI
  13. draft-madden-jose-ecdh-1pu-04 - Public Key Authenticated Encryption for JOSE: ECDH-1PU
  14. draft-amringer-jose-chacha-02 - Chacha derived AEAD algorithms in JSON Object Signing and Encryption (JOSE) (support for XC20P only)
  15. XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
  16. OpenID Connect Federation 1.0 (JWK exp, nbf and iat parameters)

Dependencies (see the Maven pom.xml for details):

  1. JCIP for concurrency annotations
  2. [shaded] GSon for parsing and serialisation of JSON
  3. [optional] BouncyCastle as an alternative JCA provider and for selected key and certificate utilities
  4. [optional] Tink for OKP generation, EdDSA with Ed25519, ECDH with X25519 and content encryption with XC20P

To post bug reports and suggestions:

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues

Follow updates and new releases on Twitter:

https://twitter.com/connect2id

Packages 
Package Description
com.nimbusds.jose
Base Javascript Object Signing and Encryption (JOSE) interfaces and classes.
com.nimbusds.jose.crypto
Implementations of standard Javascript Object Signing and Encryption (JOSE) algorithms.
com.nimbusds.jose.crypto.bc
BouncyCastle JCA provider singletons.
com.nimbusds.jose.crypto.factories
JWS signer, JWS verifier, JWE encrypter and JWE decrypter factory implementations.
com.nimbusds.jose.crypto.impl
Cryptographic primitives for JWS signers, JWS verifiers, JWE encrypters and JWE decrypters in the com.nimbusds.jose.crypto package.
com.nimbusds.jose.crypto.opts
Javascript Object Signing and Encryption (JOSE) options.
com.nimbusds.jose.crypto.utils
Cryptographic utilities.
com.nimbusds.jose.jca
Java Cryptography Architecture (JCA) context interfaces and classes.
com.nimbusds.jose.jwk
JSON Web Key (JWK) classes.
com.nimbusds.jose.jwk.gen
JSON Web Key (JWK) generation utilities.
com.nimbusds.jose.jwk.source
JSON Web Key (JWK) sourcing interface and utilities.
com.nimbusds.jose.mint
JSON Web Signature (JWS) minting framework.
com.nimbusds.jose.proc
Framework for application-specific verification and decryption of JOSE objects (with arbitrary payloads).
com.nimbusds.jose.produce
Framework for producing JOSE objects (with arbitrary payloads).
com.nimbusds.jose.util
Utility interfaces and classes.
com.nimbusds.jose.util.cache
Simple object caching.
com.nimbusds.jose.util.events
Event listener interfaces.
com.nimbusds.jose.util.health
Health status reporting.
com.nimbusds.jwt
JSON Web Token (JWT) interfaces and classes.
com.nimbusds.jwt.proc
Framework for application-specific verification and decryption of JSON Web Tokens (JWTs).
com.nimbusds.jwt.util
JSON Web Token (JWT) utility interfaces and classes.