Package com.nimbusds.jose.crypto

Class MultiDecrypter

java.lang.Object

com.nimbusds.jose.crypto.impl.BaseJWEProvider

com.nimbusds.jose.crypto.impl.MultiCryptoProvider

com.nimbusds.jose.crypto.MultiDecrypter

All Implemented Interfaces:

CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider

@ThreadSafe
public class MultiDecrypter
extends MultiCryptoProvider
implements JWEDecrypter, CriticalHeaderParamsAware

Multi-recipient decrypter of JWE objects.

This class is thread-safe.

Supports the following key management algorithms:

• JWEAlgorithm.A128KW
• JWEAlgorithm.A192KW
• JWEAlgorithm.A256KW
• JWEAlgorithm.A128GCMKW
• JWEAlgorithm.A192GCMKW
• JWEAlgorithm.A256GCMKW
• JWEAlgorithm.DIR
• JWEAlgorithm.ECDH_ES_A128KW
• JWEAlgorithm.ECDH_ES_A192KW
• JWEAlgorithm.ECDH_ES_A256KW
• JWEAlgorithm.RSA_OAEP_256
• JWEAlgorithm.RSA_OAEP_384
• JWEAlgorithm.RSA_OAEP_512
• JWEAlgorithm.RSA_OAEP (deprecated)
• JWEAlgorithm.RSA1_5 (deprecated)

Supports the following elliptic curves:

• Curve.P_256
• Curve.P_384
• Curve.P_521
• Curve.X25519 (Curve25519)

Supports the following content encryption algorithms:

• EncryptionMethod.A128CBC_HS256 (requires 256 bit key)
• EncryptionMethod.A192CBC_HS384 (requires 384 bit key)
• EncryptionMethod.A256CBC_HS512 (requires 512 bit key)
• EncryptionMethod.A128GCM (requires 128 bit key)
• EncryptionMethod.A192GCM (requires 192 bit key)
• EncryptionMethod.A256GCM (requires 256 bit key)
• EncryptionMethod.A128CBC_HS256_DEPRECATED (requires 256 bit key)
• EncryptionMethod.A256CBC_HS512_DEPRECATED (requires 512 bit key)
• EncryptionMethod.XC20P (requires 256 bit key)

Version:

2023-09-10

Author:

Egor Puzanov

Field Summary

Fields inherited from class com.nimbusds.jose.crypto.impl.MultiCryptoProvider

COMPATIBLE_ALGORITHMS, SUPPORTED_ALGORITHMS, SUPPORTED_ELLIPTIC_CURVES, SUPPORTED_ENCRYPTION_METHODS

Constructor Summary

Constructors

Constructor	Description
MultiDecrypter(JWK jwk)	Creates a new multi-recipient decrypter.
MultiDecrypter(JWK jwk, Set<String> defCritHeaders)	Creates a new multi-recipient decrypter.

Method Summary

Modifier and Type	Method	Description
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)	Deprecated.
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)	Decrypts the specified cipher text of a JWE Object.
Set<String>	getDeferredCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
Set<String>	getProcessedCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.

Methods inherited from class com.nimbusds.jose.crypto.impl.MultiCryptoProvider

supportedEllipticCurves

Methods inherited from class com.nimbusds.jose.crypto.impl.BaseJWEProvider

getCEK, getJCAContext, isCEKProvided, supportedEncryptionMethods, supportedJWEAlgorithms

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.jose.jca.JCAAware

getJCAContext

Methods inherited from interface com.nimbusds.jose.JWEProvider

supportedEncryptionMethods, supportedJWEAlgorithms

Constructor Detail

MultiDecrypter

public MultiDecrypter(JWK jwk)
               throws JOSEException,
                      KeyLengthException

Creates a new multi-recipient decrypter.

Parameters:

jwk - The JSON Web Key (JWK). Must contain a private part. Must not be null.

Throws:

KeyLengthException - If the symmetric key length is not compatible.

JOSEException - If an internal exception is encountered.

MultiDecrypter

public MultiDecrypter(JWK jwk,
                      Set<String> defCritHeaders)
               throws JOSEException,
                      KeyLengthException

Creates a new multi-recipient decrypter.

Parameters:

jwk - The JSON Web Key (JWK). Must contain a private part. Must not be null.

defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.

Throws:

KeyLengthException - If the symmetric key length is not compatible.

JOSEException - If an internal exception is encountered.

Method Detail

getProcessedCriticalHeaderParams

public Set<String> getProcessedCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.

Specified by:

getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are understood and processed, empty set if none.

getDeferredCriticalHeaderParams

public Set<String> getDeferredCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.

Specified by:

getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are deferred to the application for processing, empty set if none.

decrypt

@Deprecated
public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag)
               throws JOSEException

Deprecated.

Decrypts the specified cipher text of a JWE Object.

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

decrypt

public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag,
                      byte[] aad)
               throws JOSEException

Description copied from interface: JWEDecrypter

Decrypts the specified cipher text of a JWE Object.

Specified by:

decrypt in interface JWEDecrypter

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

aad - The additional authenticated data. Must not be null.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.