Package com.nimbusds.jose.crypto
Class ECDH1PUDecrypter
- java.lang.Object
-
- com.nimbusds.jose.crypto.impl.BaseJWEProvider
-
- com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider
-
- com.nimbusds.jose.crypto.ECDH1PUDecrypter
-
- All Implemented Interfaces:
CriticalHeaderParamsAware
,JCAAware<JWEJCAContext>
,JOSEProvider
,JWEDecrypter
,JWEProvider
@ThreadSafe public class ECDH1PUDecrypter extends ECDH1PUCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware
Elliptic Curve Diffie-Hellman decrypter ofJWE objects
for curves using an EC JWK. Expects a private EC key (with a P-256, P-384 or P-521 curve).Public Key Authenticated Encryption for JOSE ECDH-1PU for more information.
For Curve25519/X25519, see
ECDH1PUX25519Decrypter
instead.This class is thread-safe.
Supports the following key management algorithms:
JWEAlgorithm.ECDH_1PU
JWEAlgorithm.ECDH_1PU_A128KW
JWEAlgorithm.ECDH_1PU_A192KW
JWEAlgorithm.ECDH_1PU_A256KW
Supports the following elliptic curves:
Supports the following content encryption algorithms for Direct key agreement mode:
EncryptionMethod.A128CBC_HS256
EncryptionMethod.A192CBC_HS384
EncryptionMethod.A256CBC_HS512
EncryptionMethod.A128GCM
EncryptionMethod.A192GCM
EncryptionMethod.A256GCM
EncryptionMethod.A128CBC_HS256_DEPRECATED
EncryptionMethod.A256CBC_HS512_DEPRECATED
EncryptionMethod.XC20P
Supports the following content encryption algorithms for Key wrapping mode:
- Version:
- 2023-05-17
- Author:
- Alexander Martynov, Egor Puzanov
-
-
Field Summary
Fields Modifier and Type Field Description static Set<Curve>
SUPPORTED_ELLIPTIC_CURVES
The supported EC JWK curves by the ECDH crypto provider class.-
Fields inherited from class com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider
SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS
-
-
Constructor Summary
Constructors Constructor Description ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey)
Creates a new Elliptic Curve Diffie-Hellman decrypter.ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders)
Creates a new Elliptic Curve Diffie-Hellman decrypter.ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders, Curve curve)
Creates a new Elliptic Curve Diffie-Hellman decrypter.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description byte[]
decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)
Deprecated.byte[]
decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)
Decrypts the specified cipher text of aJWE Object
.Set<String>
getDeferredCriticalHeaderParams()
Returns the names of the critical (crit
) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.PrivateKey
getPrivateKey()
Returns the private EC key.Set<String>
getProcessedCriticalHeaderParams()
Returns the names of the critical (crit
) header parameters that are understood and processed by the JWS verifier / JWE decrypter.ECPublicKey
getPublicKey()
Returns the public EC key.Set<Curve>
supportedEllipticCurves()
Returns the names of the supported elliptic curves.-
Methods inherited from class com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider
decryptWithZ, encryptWithZ, getConcatKDF, getCurve
-
Methods inherited from class com.nimbusds.jose.crypto.impl.BaseJWEProvider
getCEK, getJCAContext, isCEKProvided, supportedEncryptionMethods, supportedJWEAlgorithms
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface com.nimbusds.jose.jca.JCAAware
getJCAContext
-
Methods inherited from interface com.nimbusds.jose.JWEProvider
supportedEncryptionMethods, supportedJWEAlgorithms
-
-
-
-
Field Detail
-
SUPPORTED_ELLIPTIC_CURVES
public static final Set<Curve> SUPPORTED_ELLIPTIC_CURVES
The supported EC JWK curves by the ECDH crypto provider class.
-
-
Constructor Detail
-
ECDH1PUDecrypter
public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey) throws JOSEException
Creates a new Elliptic Curve Diffie-Hellman decrypter.- Parameters:
privateKey
- The private EC key. Must not benull
.publicKey
- The public EC key. Must not benull
.- Throws:
JOSEException
- If the elliptic curve is not supported.
-
ECDH1PUDecrypter
public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders) throws JOSEException
Creates a new Elliptic Curve Diffie-Hellman decrypter.- Parameters:
privateKey
- The private EC key. Must not benull
.publicKey
- The public EC key. Must not benull
.defCritHeaders
- The names of the critical header parameters that are deferred to the application for processing, empty set ornull
if none.- Throws:
JOSEException
- If the elliptic curve is not supported.
-
ECDH1PUDecrypter
public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders, Curve curve) throws JOSEException
Creates a new Elliptic Curve Diffie-Hellman decrypter. This constructor can also accept a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).- Parameters:
privateKey
- The private EC key. Must not benull
.publicKey
- The public EC key. Must not benull
.defCritHeaders
- The names of the critical header parameters that are deferred to the application for processing, empty set ornull
if none.curve
- The key curve. Must not benull
.- Throws:
JOSEException
- If the elliptic curve is not supported.
-
-
Method Detail
-
getPublicKey
public ECPublicKey getPublicKey()
Returns the public EC key.- Returns:
- The public EC key.
-
getPrivateKey
public PrivateKey getPrivateKey()
Returns the private EC key.- Returns:
- The private EC key. Casting to
ECPrivateKey
may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.
-
supportedEllipticCurves
public Set<Curve> supportedEllipticCurves()
Description copied from class:ECDH1PUCryptoProvider
Returns the names of the supported elliptic curves. These correspond to thecrv
JWK parameter.- Specified by:
supportedEllipticCurves
in classECDH1PUCryptoProvider
- Returns:
- The supported elliptic curves.
-
getProcessedCriticalHeaderParams
public Set<String> getProcessedCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAware
Returns the names of the critical (crit
) header parameters that are understood and processed by the JWS verifier / JWE decrypter.- Specified by:
getProcessedCriticalHeaderParams
in interfaceCriticalHeaderParamsAware
- Returns:
- The names of the critical header parameters that are understood and processed, empty set if none.
-
getDeferredCriticalHeaderParams
public Set<String> getDeferredCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAware
Returns the names of the critical (crit
) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.- Specified by:
getDeferredCriticalHeaderParams
in interfaceCriticalHeaderParamsAware
- Returns:
- The names of the critical header parameters that are deferred to the application for processing, empty set if none.
-
decrypt
@Deprecated public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
Deprecated.Decrypts the specified cipher text of aJWE Object
.- Parameters:
header
- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull
.encryptedKey
- The encrypted key,null
if not required by the JWE algorithm.iv
- The initialisation vector,null
if not required by the JWE algorithm.cipherText
- The cipher text to decrypt. Must not benull
.authTag
- The authentication tag,null
if not required.- Returns:
- The clear text.
- Throws:
JOSEException
- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
decrypt
public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException
Description copied from interface:JWEDecrypter
Decrypts the specified cipher text of aJWE Object
.- Specified by:
decrypt
in interfaceJWEDecrypter
- Parameters:
header
- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull
.encryptedKey
- The encrypted key,null
if not required by the JWE algorithm.iv
- The initialisation vector,null
if not required by the JWE algorithm.cipherText
- The cipher text to decrypt. Must not benull
.authTag
- The authentication tag,null
if not required.aad
- The additional authenticated data. Must not benull
.- Returns:
- The clear text.
- Throws:
JOSEException
- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
-