com.nimbusds.jose.crypto

Class AESDecrypter

java.lang.Object

com.nimbusds.jose.crypto.AESDecrypter

All Implemented Interfaces:

CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider

@ThreadSafe
public class AESDecrypter
extends Object
implements JWEDecrypter, CriticalHeaderParamsAware

AES and AES GCM key wrap decrypter of JWE objects. This class is thread-safe.

Supports the following key management algorithms:

• JWEAlgorithm.A128KW
• JWEAlgorithm.A192KW
• JWEAlgorithm.A256KW
• JWEAlgorithm.A128GCMKW
• JWEAlgorithm.A192GCMKW
• JWEAlgorithm.A256GCMKW

Supports the following content encryption algorithms:

• EncryptionMethod.A128CBC_HS256
• EncryptionMethod.A192CBC_HS384
• EncryptionMethod.A256CBC_HS512
• EncryptionMethod.A128GCM
• EncryptionMethod.A192GCM
• EncryptionMethod.A256GCM
• EncryptionMethod.A128CBC_HS256_DEPRECATED
• EncryptionMethod.A256CBC_HS512_DEPRECATED

Version:

2015-06-29

Author:

Melisa Halsband, Vladimir Dzhuvinov

Field Summary

Fields

Modifier and Type	Field and Description
static Map<Integer,Set<JWEAlgorithm>>	COMPATIBLE_ALGORITHMS The JWE algorithms compatible with each key size in bits.
static Set<JWEAlgorithm>	SUPPORTED_ALGORITHMS The supported JWE algorithms by the AES crypto provider class.
static Set<EncryptionMethod>	SUPPORTED_ENCRYPTION_METHODS The supported encryption methods by the AES crypto provider class.

Constructor Summary

Constructors

Constructor and Description
AESDecrypter(byte[] keyBytes) Creates a new AES decrypter.
AESDecrypter(OctetSequenceKey octJWK) Creates a new AES decrypter.
AESDecrypter(SecretKey kek) Creates a new AES decrypter.
AESDecrypter(SecretKey kek, Set<String> defCritHeaders) Creates a new AES decrypter.

Method Summary

Methods

Modifier and Type	Method and Description
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) Decrypts the specified cipher text of a JWE Object.
Set<String>	getDeferredCriticalHeaderParams() Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
JWEJCAContext	getJCAContext() Returns the Java Cryptography Architecture (JCA) context.
SecretKey	getKey() Gets the Key Encryption Key (KEK).
Set<String>	getProcessedCriticalHeaderParams() Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
Set<EncryptionMethod>	supportedEncryptionMethods() Returns the names of the supported encryption methods by the JWE provier.
Set<JWEAlgorithm>	supportedJWEAlgorithms() Returns the names of the supported algorithms by the JWE provider instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.jose.JWEProvider

supportedEncryptionMethods, supportedJWEAlgorithms

Field Detail

SUPPORTED_ALGORITHMS

public static final Set<JWEAlgorithm> SUPPORTED_ALGORITHMS

The supported JWE algorithms by the AES crypto provider class.

SUPPORTED_ENCRYPTION_METHODS

public static final Set<EncryptionMethod> SUPPORTED_ENCRYPTION_METHODS

The supported encryption methods by the AES crypto provider class.

COMPATIBLE_ALGORITHMS

public static final Map<Integer,Set<JWEAlgorithm>> COMPATIBLE_ALGORITHMS

The JWE algorithms compatible with each key size in bits.

Constructor Detail

AESDecrypter

public AESDecrypter(SecretKey kek)
             throws KeyLengthException

Creates a new AES decrypter.

Parameters:

kek - The Key Encrypting Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.

Throws:

KeyLengthException - If the KEK length is invalid.

AESDecrypter

public AESDecrypter(byte[] keyBytes)
             throws KeyLengthException

Creates a new AES decrypter.

Parameters:

keyBytes - The Key Encrypting Key, as a byte array. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.

Throws:

KeyLengthException - If the KEK length is invalid.

AESDecrypter

public AESDecrypter(OctetSequenceKey octJWK)
             throws KeyLengthException

Creates a new AES decrypter.

Parameters:

octJWK - The Key Encryption Key, as a JWK. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.

Throws:

KeyLengthException - If the KEK length is invalid.

AESDecrypter

public AESDecrypter(SecretKey kek,
            Set<String> defCritHeaders)
             throws KeyLengthException

Creates a new AES decrypter.

Parameters:

kek - The Key Encrypting Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.

defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.

Throws:

KeyLengthException - If the KEK length is invalid.

Method Detail

getProcessedCriticalHeaderParams

public Set<String> getProcessedCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.

Specified by:

getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are understood and processed, empty set if none.

getDeferredCriticalHeaderParams

public Set<String> getDeferredCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.

Specified by:

getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are deferred to the application for processing, empty set if none.

decrypt

public byte[] decrypt(JWEHeader header,
             Base64URL encryptedKey,
             Base64URL iv,
             Base64URL cipherText,
             Base64URL authTag)
               throws JOSEException

Description copied from interface: JWEDecrypter

Decrypts the specified cipher text of a JWE Object.

Specified by:

decrypt in interface JWEDecrypter

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

getKey

public SecretKey getKey()

Gets the Key Encryption Key (KEK).

Returns:

The Key Encryption Key.

supportedJWEAlgorithms

public Set<JWEAlgorithm> supportedJWEAlgorithms()

Description copied from interface: JWEProvider

Returns the names of the supported algorithms by the JWE provider instance. These correspond to the alg JWE header parameter.

Specified by:

supportedJWEAlgorithms in interface JWEProvider

Returns:

The supported JWE algorithms, empty set if none.

supportedEncryptionMethods

public Set<EncryptionMethod> supportedEncryptionMethods()

Description copied from interface: JWEProvider

Returns the names of the supported encryption methods by the JWE provier. These correspond to the enc JWE header parameter.

Specified by:

supportedEncryptionMethods in interface JWEProvider

Returns:

The supported encryption methods, empty set if none.

getJCAContext

public JWEJCAContext getJCAContext()

Description copied from interface: JCAAware

Returns the Java Cryptography Architecture (JCA) context. May be used to set a specific JCA security provider or secure random generator.

Specified by:

getJCAContext in interface JCAAware<JWEJCAContext>

Returns:

The JCA context. Not null.