Package com.nimbusds.jose.jwk

Class ECKey

  • All Implemented Interfaces:
    AsymmetricJWK, CurveBasedJWK, Serializable
    @Immutable
public final class ECKey
extends JWK
implements AsymmetricJWK, CurveBasedJWK
    Public and private Elliptic Curve JSON Web Key (JWK). This class is immutable.

    Supported curves:

    Provides EC JWK import from / export to the following standard Java interfaces and classes:

    Example JSON object representation of a public EC JWK: 

     {
   "kty" : "EC",
   "crv" : "P-256",
   "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "use" : "enc",
   "kid" : "1"
 }

    Example JSON object representation of a private EC JWK: 

     {
   "kty" : "EC",
   "crv" : "P-256",
   "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "d"   : "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
   "use" : "enc",
   "kid" : "1"
 }

    Use the builder to create a new EC JWK: 

     ECKey key = new ECKey.Builder(Curve.P_256, x, y)
        .keyUse(KeyUse.SIGNATURE)
        .keyID("1")
        .build();

    See http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

    Version:
    2020-06-03
    Author:
    Vladimir Dzhuvinov, Justin Richer
    See Also:
    Serialized Form

    • Constructor Detail

      • ECKey

        public ECKey​(Curve crv,
             Base64URL x,
             Base64URL y,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.
        ks - Reference to the underlying key store, null if not specified.

      • ECKey

        public ECKey​(Curve crv,
             Base64URL x,
             Base64URL y,
             Base64URL d,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        d - The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.
        ks - Reference to the underlying key store, null if not specified.

      • ECKey

        public ECKey​(Curve crv,
             Base64URL x,
             Base64URL y,
             PrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
        priv - The private key as a PKCS#11 handle, null if not specified.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.

      • ECKey

        public ECKey​(Curve crv,
             ECPublicKey pub,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        pub - The public EC key to represent. Must not be null.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.
        ks - Reference to the underlying key store, null if not specified.

      • ECKey

        public ECKey​(Curve crv,
             ECPublicKey pub,
             ECPrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        pub - The public EC key to represent. Must not be null.
        priv - The private EC key to represent. Must not be null.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.
        ks - Reference to the underlying key store, null if not specified.

      • ECKey

        public ECKey​(Curve crv,
             ECPublicKey pub,
             PrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)
        Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
        Parameters:
        crv - The cryptographic curve. Must not be null.
        pub - The public EC key to represent. Must not be null.
        priv - The private key as a PKCS#11 handle, null if not specified.
        use - The key use, null if not specified or if the key is intended for signing as well as encryption.
        ops - The key operations, null if not specified.
        alg - The intended JOSE algorithm for the key, null if not specified.
        kid - The key ID, null if not specified.
        x5u - The X.509 certificate URL, null if not specified.
        x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
        x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
        x5c - The X.509 certificate chain, null if not specified.
        ks - Reference to the underlying key store, null if not specified.

    • Method Detail

      • encodeCoordinate

        public static Base64URL encodeCoordinate​(int fieldSize,
                                         BigInteger coordinate)
        Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.
        Parameters:
        fieldSize - The field size in bits.
        coordinate - The elliptic curve coordinate. Must not be null.
        Returns:
        The Base64URL-encoded coordinate, with leading zero padding up to the curve's field size.

      • getX

        public Base64URL getX()
        Gets the public 'x' coordinate for the elliptic curve point.
        Returns:
        The 'x' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.

      • getY

        public Base64URL getY()
        Gets the public 'y' coordinate for the elliptic curve point.
        Returns:
        The 'y' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.

      • getD

        public Base64URL getD()
        Gets the private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation.
        Returns:
        The 'd' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation. null if not specified (for a public key).

      • toECPublicKey

        public ECPublicKey toECPublicKey()
                          throws JOSEException
        Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK. Uses the default JCA provider.
        Returns:
        The public Elliptic Curve key.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

      • toECPublicKey

        public ECPublicKey toECPublicKey​(Provider provider)
                          throws JOSEException
        Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
        Parameters:
        provider - The specific JCA provider to use, null implies the default one.
        Returns:
        The public Elliptic Curve key.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

      • toECPrivateKey

        public ECPrivateKey toECPrivateKey()
                            throws JOSEException
        Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK. Uses the default JCA provider.
        Returns:
        The private Elliptic Curve key, null if not specified by this JWK.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

      • toECPrivateKey

        public ECPrivateKey toECPrivateKey​(Provider provider)
                            throws JOSEException
        Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
        Parameters:
        provider - The specific JCA provider to use, null implies the default one.
        Returns:
        The private Elliptic Curve key, null if not specified by this JWK.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

      • toKeyPair

        public KeyPair toKeyPair()
                  throws JOSEException
        Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK. Uses the default JCA provider.
        Specified by:
        toKeyPair in interface AsymmetricJWK
        Returns:
        The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

      • toKeyPair

        public KeyPair toKeyPair​(Provider provider)
                  throws JOSEException
        Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
        Parameters:
        provider - The specific JCA provider to use, null implies the default one.
        Returns:
        The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.
        Throws:
        JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

      • matches

        public boolean matches​(X509Certificate cert)
        Description copied from interface: AsymmetricJWK
        Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.
        Specified by:
        matches in interface AsymmetricJWK
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate, else false.

      • getRequiredParams

        public LinkedHashMap<String,​?> getRequiredParams()
        Description copied from class: JWK
        Returns the required JWK parameters. Intended as input for JWK thumbprint computation. See RFC 7638 for more information.
        Specified by:
        getRequiredParams in class JWK
        Returns:
        The required JWK parameters, sorted alphanumerically by key name and ready for JSON serialisation.

      • isPrivate

        public boolean isPrivate()
        Description copied from class: JWK
        Returns true if this JWK contains private or sensitive (non-public) parameters.
        Specified by:
        isPrivate in class JWK
        Returns:
        true if this JWK contains private parameters, else false.

      • size

        public int size()
        Description copied from class: JWK
        Returns the size of this JWK.
        Specified by:
        size in class JWK
        Returns:
        The JWK size, in bits.

      • toPublicJWK

        public ECKey toPublicJWK()
        Returns a copy of this Elliptic Curve JWK with any private values removed.
        Specified by:
        toPublicJWK in class JWK
        Returns:
        The copied public Elliptic Curve JWK.

      • toJSONObject

        public Map<String,​ObjecttoJSONObject()
        Description copied from class: JWK
        Returns a JSON object representation of this JWK. This method is intended to be called from extending classes.

        Example: 

         {
   "kty" : "RSA",
   "use" : "sig",
   "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b"
 }
        Overrides:
        toJSONObject in class JWK
        Returns:
        The JSON object representation.

      • parse

        public static ECKey parse​(String s)
                   throws ParseException
        Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.
        Parameters:
        s - The JSON object string to parse. Must not be null.
        Returns:
        The public / private Elliptic Curve JWK.
        Throws:
        ParseException - If the string couldn't be parsed to an Elliptic Curve JWK.

      • parse

        public static ECKey parse​(Map<String,​Object> jsonObject)
                   throws ParseException
        Parses a public / private Elliptic Curve JWK from the specified JSON object representation.
        Parameters:
        jsonObject - The JSON object to parse. Must not be null.
        Returns:
        The public / private Elliptic Curve JWK.
        Throws:
        ParseException - If the JSON object couldn't be parsed to an Elliptic Curve JWK.

      • parse

        public static ECKey parse​(X509Certificate cert)
                   throws JOSEException
        Parses a public Elliptic Curve JWK from the specified X.509 certificate. Requires BouncyCastle.

        Important: The X.509 certificate is not validated!

        Sets the following JWK parameters:

        • The curve is obtained from the subject public key info algorithm parameters.
        • The JWK use inferred by KeyUse.from(java.security.cert.X509Certificate).
        • The JWK ID from the X.509 serial number (in base 10).
        • The JWK X.509 certificate chain (this certificate only).
        • The JWK X.509 certificate SHA-256 thumbprint.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        The public Elliptic Curve JWK.
        Throws:
        JOSEException - If parsing failed.

      • load

        public static ECKey load​(KeyStore keyStore,
                         String alias,
                         char[] pin)
                  throws KeyStoreException,
                         JOSEException
        Loads a public / private Elliptic Curve JWK from the specified JCA key store. Requires BouncyCastle.

        Important: The X.509 certificate is not validated!

        Parameters:
        keyStore - The key store. Must not be null.
        alias - The alias. Must not be null.
        pin - The pin to unlock the private key if any, empty or null if not required.
        Returns:
        The public / private Elliptic Curve JWK., null if no key with the specified alias was found.
        Throws:
        KeyStoreException - On a key store exception.
        JOSEException - If EC key loading failed.