Class MACSigner

All Implemented Interfaces:
JCAAware<JCAContext>, JOSEProvider, JWSProvider, JWSSigner

@ThreadSafe public class MACSigner extends MACProvider implements JWSSigner
Message Authentication Code (MAC) signer of JWS objects. Expects a secret key.

See RFC 7518 section 3.2 for more information.

This class is thread-safe.

Supports the following algorithms:

Tested with the AWS CloudHSM JCE provider.

Version:
2023-09-14
Author:
Vladimir Dzhuvinov, Ulrich Winter
  • Constructor Details

    • MACSigner

      public MACSigner(byte[] secret) throws KeyLengthException
      Creates a new Message Authentication Code (MAC) signer.
      Parameters:
      secret - The secret. Must be at least 256 bits long and not null.
      Throws:
      KeyLengthException - If the secret length is shorter than the minimum 256-bit requirement.
    • MACSigner

      public MACSigner(String secretString) throws KeyLengthException
      Creates a new Message Authentication Code (MAC) signer.
      Parameters:
      secretString - The secret as a UTF-8 encoded string. Must be at least 256 bits long and not null.
      Throws:
      KeyLengthException - If the secret length is shorter than the minimum 256-bit requirement.
    • MACSigner

      public MACSigner(SecretKey secretKey) throws KeyLengthException
      Creates a new Message Authentication Code (MAC) signer.
      Parameters:
      secretKey - The secret key. Must be at least 256 bits long and not null.
      Throws:
      KeyLengthException - If the secret length is shorter than the minimum 256-bit requirement.
    • MACSigner

      Creates a new Message Authentication Code (MAC) signer.
      Parameters:
      jwk - The secret as a JWK. Must be at least 256 bits long and not null.
      Throws:
      KeyLengthException - If the secret length is shorter than the minimum 256-bit requirement.
  • Method Details

    • getMinRequiredSecretLength

      public static int getMinRequiredSecretLength(JWSAlgorithm alg) throws JOSEException
      Returns the minimal required secret length for the specified HMAC JWS algorithm.
      Parameters:
      alg - The HMAC JWS algorithm. Must be supported and not null.
      Returns:
      The minimal required secret length, in bits.
      Throws:
      JOSEException - If the algorithm is not supported.
    • getCompatibleAlgorithms

      public static Set<JWSAlgorithm> getCompatibleAlgorithms(int secretLength)
      Returns the compatible JWS HMAC algorithms for the specified secret length.
      Parameters:
      secretLength - The secret length in bits. Must not be negative.
      Returns:
      The compatible HMAC algorithms, empty set if the secret length is too short for any algorithm.
    • sign

      public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException
      Description copied from interface: JWSSigner
      Signs the specified input of a JWS object.
      Specified by:
      sign in interface JWSSigner
      Parameters:
      header - The JSON Web Signature (JWS) header. Must specify a supported JWS algorithm and must not be null.
      signingInput - The input to sign. Must not be null.
      Returns:
      The resulting signature part (third part) of the JWS object.
      Throws:
      JOSEException - If the JWS algorithm is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if signing failed for some other internal reason.
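
Added example (not part of the original Javadoc or the library's own samples): sizing a secret with getMinRequiredSecretLength, signing and verifying an HS256 JWS, and the two failure modes the constructors and sign describe, a secret below 256 bits and a header algorithm the secret is too short for. The class name MacSignerExample and the payload strings are constructed for illustration; the Nimbus JOSE+JWT library is assumed to be on the classpath.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import java.security.SecureRandom;

public class MacSignerExample {
    public static void main(String[] args) throws Exception {
        // Ask the library for the minimum secret size (in bits) for HS256.
        int minBits = MACSigner.getMinRequiredSecretLength(JWSAlgorithm.HS256);

        // Constructed sample key: random bytes from a CSPRNG, not a password.
        byte[] secret = new byte[minBits / 8];
        new SecureRandom().nextBytes(secret);

        // The secret length decides which HMAC algorithms the signer accepts.
        System.out.println("Compatible algorithms: "
                + MACSigner.getCompatibleAlgorithms(secret.length * 8));

        // Sign a JWS object with the header algorithm matching the key size.
        JWSSigner signer = new MACSigner(secret);
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.HS256),
                new Payload("constructed sample payload"));
        jws.sign(signer);
        String compact = jws.serialize();

        // Verify the compact serialization with the same shared secret.
        boolean valid = JWSObject.parse(compact).verify(new MACVerifier(secret));
        System.out.println("Signature valid: " + valid);

        // Failure mode 1: a short, human-chosen string is rejected outright.
        try {
            new MACSigner("short-password"); // 14 bytes = 112 bits
        } catch (KeyLengthException e) {
            System.out.println("Rejected short secret: " + e.getMessage());
        }

        // Failure mode 2: a secret of the HS256 minimum size cannot back HS512.
        try {
            new JWSObject(new JWSHeader(JWSAlgorithm.HS512),
                    new Payload("constructed sample payload")).sign(signer);
        } catch (JOSEException e) {
            System.out.println("Rejected algorithm: " + e.getMessage());
        }
    }
}
```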