com.nimbusds.openid.connect.provider.jwksetgen

Class JWKSetGenerator

java.lang.Object

com.nimbusds.openid.connect.provider.jwksetgen.JWKSetGenerator

public class JWKSetGenerator
extends Object

JWK set generator for Connect2id servers.

Field Summary

Fields

Modifier and Type	Field and Description
static int	AES_KEY_BIT_SIZE The AES key bit size.
static int	HMAC_SHA_KEY_BIT_SIZE The HMAC SHA key bit size.
static com.nimbusds.jose.jwk.JWKMatcher	HMAC_SHA256_KEY_MATCHER JWK matcher for the 256 bit HMAC SHA key with key ID "hmac".
static int	REFRESH_TOKEN_AES_SIV_KEY_BIT_SIZE The refresh token AES SIV key bit size.
static com.nimbusds.jose.jwk.JWKMatcher	REFRESH_TOKEN_ENCRYPTION_KEY_MATCHER JWK matcher for the 256 bit refresh token encryption key (intended for AES SIV mode) with key ID "refresh-token-encrypt".
static int	RSA_KEY_BIT_SIZE The RSA key bit size.
static int	SUBJECT_AES_SIV_KEY_BIT_SIZE The subject AES SIV key bit size.
static com.nimbusds.jose.jwk.JWKMatcher	SUBJECT_ENCRYPTION_KEY_MATCHER JWK matcher for the 256 bit subject encryption key (intended for AES SIV mode) with key ID "subject-encrypt".

Constructor Summary

Constructors

Constructor and Description
JWKSetGenerator()

Method Summary

Modifier and Type	Method and Description
com.nimbusds.jose.jwk.JWKSet	generate(Consumer<String> eventMessageSink) Generates a new JWK set for a Connect2id server.
com.nimbusds.jose.jwk.JWKSet	generateAndPrefixNewKeys(com.nimbusds.jose.jwk.JWKSet oldJWKSet, Consumer<String> eventMessageSink) A generates a new set of signing and encryption keys and prefixes them to the specified Connect2id server JWK set.
static com.nimbusds.jose.jwk.OctetSequenceKey	generateEncryptionAESKey(String kid) Generates a 128 bit AES encryption key with the specified key ID.
static com.nimbusds.jose.jwk.ECKey	generateEncryptionECKey(com.nimbusds.jose.jwk.Curve crv, String kid) Generates an EC encryption key with the specified curve and key ID.
static com.nimbusds.jose.jwk.RSAKey	generateEncryptionRSAKey(String kid) Generates a 2048 bit RSA encryption key with the specified key ID.
static com.nimbusds.jose.jwk.OctetSequenceKey	generateHMACSHA256Key() Generates a 256 bit HMAC SHA key with key ID "hmac".
List<com.nimbusds.jose.jwk.JWK>	generateMissingPermanentKeys(com.nimbusds.jose.jwk.JWKSet jwkSet, Consumer<String> eventMessageSink) Generates the missing permanent keys for a Connect2id server not found in the specified JWK set.
List<com.nimbusds.jose.jwk.JWK>	generatePermanentKeys(Consumer<String> eventMessageSink) Generates a new set of permanent keys for a Connect2id server.
static com.nimbusds.jose.jwk.OctetSequenceKey	generateRefreshTokenEncryptionKey() Generates a 256 bit refresh token encryption key (intended for AES SIV mode) with key ID "refresh-token-encrypt".
List<com.nimbusds.jose.jwk.JWK>	generateRotatingKeys(KeyIDs reservedKeyIDs, Consumer<String> eventMessageSink) Generates a new set of rotating signature and encryption keys for a Connect2id server.
static com.nimbusds.jose.jwk.ECKey	generateSigningECKey(com.nimbusds.jose.jwk.Curve crv, String kid) Generates an EC signing key with the specified curve and key ID.
static com.nimbusds.jose.jwk.OctetKeyPair	generateSigningEd25519Key(String kid) Generates an Ed25519 signing key with the specified key ID.
static com.nimbusds.jose.jwk.RSAKey	generateSigningRSAKey(String kid) Generates a 2048 bit RSA signing key with the specified key ID.
static com.nimbusds.jose.jwk.OctetSequenceKey	generateSubjectEncryptionKey() Generates a 256 bit subject encryption key (intended for AES SIV mode) with key ID "subject-encrypt".
static void	main(String[] args) Console method for generating a new Connect2id server JWK set, or updating an existing JWK set with new signing and encryption keys.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

RSA_KEY_BIT_SIZE

public static final int RSA_KEY_BIT_SIZE

The RSA key bit size.

See Also:

Constant Field Values

AES_KEY_BIT_SIZE

public static final int AES_KEY_BIT_SIZE

The AES key bit size.

See Also:

Constant Field Values

HMAC_SHA_KEY_BIT_SIZE

public static final int HMAC_SHA_KEY_BIT_SIZE

The HMAC SHA key bit size.

See Also:

Constant Field Values

SUBJECT_AES_SIV_KEY_BIT_SIZE

public static final int SUBJECT_AES_SIV_KEY_BIT_SIZE

The subject AES SIV key bit size.

See Also:

Constant Field Values

REFRESH_TOKEN_AES_SIV_KEY_BIT_SIZE

public static final int REFRESH_TOKEN_AES_SIV_KEY_BIT_SIZE

The refresh token AES SIV key bit size.

See Also:

Constant Field Values

HMAC_SHA256_KEY_MATCHER

public static final com.nimbusds.jose.jwk.JWKMatcher HMAC_SHA256_KEY_MATCHER

JWK matcher for the 256 bit HMAC SHA key with key ID "hmac".

SUBJECT_ENCRYPTION_KEY_MATCHER

public static final com.nimbusds.jose.jwk.JWKMatcher SUBJECT_ENCRYPTION_KEY_MATCHER

JWK matcher for the 256 bit subject encryption key (intended for AES SIV mode) with key ID "subject-encrypt".

REFRESH_TOKEN_ENCRYPTION_KEY_MATCHER

public static final com.nimbusds.jose.jwk.JWKMatcher REFRESH_TOKEN_ENCRYPTION_KEY_MATCHER

JWK matcher for the 256 bit refresh token encryption key (intended for AES SIV mode) with key ID "refresh-token-encrypt".

Constructor Detail

JWKSetGenerator

public JWKSetGenerator()

Method Detail

generateSigningRSAKey

public static com.nimbusds.jose.jwk.RSAKey generateSigningRSAKey(String kid)
                                                          throws com.nimbusds.jose.JOSEException

Generates a 2048 bit RSA signing key with the specified key ID.

Parameters:

kid - The key ID, null if not specified.

Returns:

The RSA key pair.

Throws:

com.nimbusds.jose.JOSEException

generateEncryptionRSAKey

public static com.nimbusds.jose.jwk.RSAKey generateEncryptionRSAKey(String kid)
                                                             throws com.nimbusds.jose.JOSEException

Generates a 2048 bit RSA encryption key with the specified key ID.

Parameters:

kid - The key ID, null if not specified.

Returns:

The RSA key pair.

Throws:

com.nimbusds.jose.JOSEException

generateSigningECKey

public static com.nimbusds.jose.jwk.ECKey generateSigningECKey(com.nimbusds.jose.jwk.Curve crv,
                                                               String kid)
                                                        throws com.nimbusds.jose.JOSEException

Generates an EC signing key with the specified curve and key ID.

Parameters:

crv - The curve. Must not be null.

kid - The key ID, null if not specified.

Returns:

The EC key pair.

Throws:

com.nimbusds.jose.JOSEException

generateEncryptionECKey

public static com.nimbusds.jose.jwk.ECKey generateEncryptionECKey(com.nimbusds.jose.jwk.Curve crv,
                                                                  String kid)
                                                           throws com.nimbusds.jose.JOSEException

Generates an EC encryption key with the specified curve and key ID.

Parameters:

crv - The curve. Must not be null.

kid - The key ID, null if not specified.

Returns:

The EC key pair.

Throws:

com.nimbusds.jose.JOSEException

generateSigningEd25519Key

public static com.nimbusds.jose.jwk.OctetKeyPair generateSigningEd25519Key(String kid)
                                                                    throws com.nimbusds.jose.JOSEException

Generates an Ed25519 signing key with the specified key ID.

Parameters:

kid - The key ID, null if not specified.

Returns:

The EC key pair.

Throws:

com.nimbusds.jose.JOSEException

generateEncryptionAESKey

public static com.nimbusds.jose.jwk.OctetSequenceKey generateEncryptionAESKey(String kid)
                                                                       throws com.nimbusds.jose.JOSEException

Generates a 128 bit AES encryption key with the specified key ID.

Parameters:

kid - The key ID, null if not specified.

Returns:

The AES key.

Throws:

com.nimbusds.jose.JOSEException

generateHMACSHA256Key

public static com.nimbusds.jose.jwk.OctetSequenceKey generateHMACSHA256Key()
                                                                    throws com.nimbusds.jose.JOSEException

Generates a 256 bit HMAC SHA key with key ID "hmac".

Returns:

The HMAC SHA key.

Throws:

com.nimbusds.jose.JOSEException

generateSubjectEncryptionKey

public static com.nimbusds.jose.jwk.OctetSequenceKey generateSubjectEncryptionKey()
                                                                           throws com.nimbusds.jose.JOSEException

Generates a 256 bit subject encryption key (intended for AES SIV mode) with key ID "subject-encrypt".

Returns:

The subject encryption key.

Throws:

com.nimbusds.jose.JOSEException

generateRefreshTokenEncryptionKey

public static com.nimbusds.jose.jwk.OctetSequenceKey generateRefreshTokenEncryptionKey()
                                                                                throws com.nimbusds.jose.JOSEException

Generates a 256 bit refresh token encryption key (intended for AES SIV mode) with key ID "refresh-token-encrypt".

Returns:

The refresh token encryption key.

Throws:

com.nimbusds.jose.JOSEException

generateRotatingKeys

public List<com.nimbusds.jose.jwk.JWK> generateRotatingKeys(KeyIDs reservedKeyIDs,
                                                            Consumer<String> eventMessageSink)
                                                     throws com.nimbusds.jose.JOSEException

Generates a new set of rotating signature and encryption keys for a Connect2id server.

Parameters:

reservedKeyIDs - The reserved key IDs, empty if none.

eventMessageSink - Optional sink for event messages, null if not specified.

Returns:

The generated rotating keys.

Throws:

com.nimbusds.jose.JOSEException

generatePermanentKeys

public List<com.nimbusds.jose.jwk.JWK> generatePermanentKeys(Consumer<String> eventMessageSink)
                                                      throws com.nimbusds.jose.JOSEException

Generates a new set of permanent keys for a Connect2id server.

Parameters:

eventMessageSink - Optional sink for event messages, null if not specified.

Returns:

The generated keys.

Throws:

com.nimbusds.jose.JOSEException

generateMissingPermanentKeys

public List<com.nimbusds.jose.jwk.JWK> generateMissingPermanentKeys(com.nimbusds.jose.jwk.JWKSet jwkSet,
                                                                    Consumer<String> eventMessageSink)
                                                             throws com.nimbusds.jose.JOSEException

Generates the missing permanent keys for a Connect2id server not found in the specified JWK set.

Parameters:

jwkSet - The JWK set.

eventMessageSink - Optional sink for event messages, null if not specified.

Returns:

The generated missing permanent keys, empty list if none.

Throws:

com.nimbusds.jose.JOSEException

generate

public com.nimbusds.jose.jwk.JWKSet generate(Consumer<String> eventMessageSink)
                                      throws com.nimbusds.jose.JOSEException

Generates a new JWK set for a Connect2id server.

Parameters:

eventMessageSink - Optional sink for event messages, null if not specified.

Returns:

The JWK set.

Throws:

com.nimbusds.jose.JOSEException

generateAndPrefixNewKeys

public com.nimbusds.jose.jwk.JWKSet generateAndPrefixNewKeys(com.nimbusds.jose.jwk.JWKSet oldJWKSet,
                                                             Consumer<String> eventMessageSink)
                                                      throws Exception

A generates a new set of signing and encryption keys and prefixes them to the specified Connect2id server JWK set.

Parameters:

oldJWKSet - The Connect2id server JWK set. Must not be null.

eventMessageSink - Optional sink for event messages, null if not specified.

Returns:

The updated JWK set.

Throws:

Exception

main

public static void main(String[] args)

Console method for generating a new Connect2id server JWK set, or updating an existing JWK set with new signing and encryption keys.

Parameters:

args - The command line arguments.