Package com.nimbusds.jose.crypto

Class X25519Decrypter

java.lang.Object

com.nimbusds.jose.crypto.impl.ECDHCryptoProvider

com.nimbusds.jose.crypto.X25519Decrypter

All Implemented Interfaces:

CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider

public class X25519Decrypter
extends ECDHCryptoProvider
implements JWEDecrypter, CriticalHeaderParamsAware

Curve25519 Elliptic Curve Diffie-Hellman decrypter of JWE objects. Expects a private OctetKeyPair key with "crv" X25519.

See RFC 8037 for more information.

See also ECDHDecrypter for ECDH on other curves.

This class is thread-safe.

Supports the following key management algorithms:

• JWEAlgorithm.ECDH_ES
• JWEAlgorithm.ECDH_ES_A128KW
• JWEAlgorithm.ECDH_ES_A192KW
• JWEAlgorithm.ECDH_ES_A256KW

Supports the following elliptic curve:

• Curve.X25519 (Curve25519)

Supports the following content encryption algorithms:

• EncryptionMethod.A128CBC_HS256
• EncryptionMethod.A192CBC_HS384
• EncryptionMethod.A256CBC_HS512
• EncryptionMethod.A128GCM
• EncryptionMethod.A192GCM
• EncryptionMethod.A256GCM
• EncryptionMethod.A128CBC_HS256_DEPRECATED
• EncryptionMethod.A256CBC_HS512_DEPRECATED
• EncryptionMethod.XC20P

Version:

2023-03-26

Author:

Tim McLean, Egor Puzanov

Field Summary

Fields inherited from class com.nimbusds.jose.crypto.impl.ECDHCryptoProvider

SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS

Constructor Summary

Constructors

Constructor	Description
X25519Decrypter(OctetKeyPair privateKey)	Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.
X25519Decrypter(OctetKeyPair privateKey, Set<String> defCritHeaders)	Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.

Method Summary

Modifier and Type	Method	Description
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)	Deprecated.
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)	Decrypts the specified cipher text of a JWE Object.
protected SecretKey	getCEK(EncryptionMethod enc)	Returns the content encryption key (CEK) to use.
Set<String>	getDeferredCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
JWEJCAContext	getJCAContext()	Returns the Java Cryptography Architecture (JCA) context.
OctetKeyPair	getPrivateKey()	Returns the private key.
Set<String>	getProcessedCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
protected boolean	isCEKProvided()	Returns true if a content encryption key (CEK) was provided at construction time.
Set<Curve>	supportedEllipticCurves()	Returns the names of the supported elliptic curves.
Set<EncryptionMethod>	supportedEncryptionMethods()	Returns the names of the supported encryption methods by the JWE provier.
Set<JWEAlgorithm>	supportedJWEAlgorithms()	Returns the names of the supported algorithms by the JWE provider instance.

Methods inherited from class com.nimbusds.jose.crypto.impl.ECDHCryptoProvider

decryptWithZ, encryptWithZ, getConcatKDF, getCurve

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.jose.jca.JCAAware

getJCAContext

Methods inherited from interface com.nimbusds.jose.JWEProvider

supportedEncryptionMethods, supportedJWEAlgorithms

Constructor Detail

X25519Decrypter

public X25519Decrypter(OctetKeyPair privateKey)
                throws JOSEException

Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.

Parameters:

privateKey - The private key. Must not be null.

Throws:

JOSEException - If the key subtype is not supported.

X25519Decrypter

public X25519Decrypter(OctetKeyPair privateKey,
                       Set<String> defCritHeaders)
                throws JOSEException

Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.

Parameters:

privateKey - The private key. Must not be null.

defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.

Throws:

JOSEException - If the key subtype is not supported.

Method Detail

supportedEllipticCurves

public Set<Curve> supportedEllipticCurves()

Description copied from class: ECDHCryptoProvider

Returns the names of the supported elliptic curves. These correspond to the crv EC JWK parameter.

Specified by:

supportedEllipticCurves in class ECDHCryptoProvider

Returns:

The supported elliptic curves.

getPrivateKey

public OctetKeyPair getPrivateKey()

Returns the private key.

Returns:

The private key.

getProcessedCriticalHeaderParams

public Set<String> getProcessedCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.

Specified by:

getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are understood and processed, empty set if none.

getDeferredCriticalHeaderParams

public Set<String> getDeferredCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.

Specified by:

getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are deferred to the application for processing, empty set if none.

decrypt

@Deprecated
public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag)
               throws JOSEException

Deprecated.

Decrypts the specified cipher text of a JWE Object.

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

decrypt

public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag,
                      byte[] aad)
               throws JOSEException

Description copied from interface: JWEDecrypter

Decrypts the specified cipher text of a JWE Object.

Specified by:

decrypt in interface JWEDecrypter

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

aad - The additional authenticated data. Must not be null.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

supportedJWEAlgorithms

public Set<JWEAlgorithm> supportedJWEAlgorithms()

Description copied from interface: JWEProvider

Returns the names of the supported algorithms by the JWE provider instance. These correspond to the alg JWE header parameter.

Specified by:

supportedJWEAlgorithms in interface JWEProvider

Returns:

The supported JWE algorithms, empty set if none.

supportedEncryptionMethods

public Set<EncryptionMethod> supportedEncryptionMethods()

Description copied from interface: JWEProvider

Returns the names of the supported encryption methods by the JWE provier. These correspond to the enc JWE header parameter.

Specified by:

supportedEncryptionMethods in interface JWEProvider

Returns:

The supported encryption methods, empty set if none.

getJCAContext

public JWEJCAContext getJCAContext()

Description copied from interface: JCAAware

Returns the Java Cryptography Architecture (JCA) context. May be used to set a specific JCA security provider or secure random generator.

Specified by:

getJCAContext in interface JCAAware<JWEJCAContext>

Returns:

The JCA context. Not null.

isCEKProvided

protected boolean isCEKProvided()

Returns true if a content encryption key (CEK) was provided at construction time.

Returns:

true if a CEK was provided at construction time, false if CEKs will be internally generated.

getCEK

protected SecretKey getCEK(EncryptionMethod enc)
                    throws JOSEException

Returns the content encryption key (CEK) to use. Unless a CEK was provided at construction time this will be a new internally generated CEK.

Parameters:

enc - The encryption method. Must not be null.

Returns:

The content encryption key (CEK).

Throws:

JOSEException - If an internal exception is encountered.