Package com.nimbusds.jose.crypto

Class MACVerifier

java.lang.Object
com.nimbusds.jose.crypto.impl.BaseJWSProvider
com.nimbusds.jose.crypto.impl.MACProvider
com.nimbusds.jose.crypto.MACVerifier
All Implemented Interfaces:
CriticalHeaderParamsAware, JCAAware<JCAContext>, JOSEProvider, JWSProvider, JWSVerifier
@ThreadSafe public class MACVerifier extends MACProvider implements JWSVerifier, CriticalHeaderParamsAware
Message Authentication Code (MAC) verifier of JWS objects. Expects a secret key.

See RFC 7518 section 3.2 for more information.

This class is thread-safe.

Supports the following algorithms:

Tested with the AWS CloudHSM JCE provider.

Version:
2024-10-28
Author:
Vladimir Dzhuvinov

  • Constructor Details

    • MACVerifier

      public MACVerifier(byte[] secret) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      secret - The secret. Must be at least 256 bits long and not null.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(String secretString) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      secretString - The secret as a UTF-8 encoded string. Must be at least 256 bits long and not null.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(SecretKey secretKey) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      secretKey - The secret key. Must be at least 256 bits long and not null.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(OctetSequenceKey jwk) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      jwk - The secret as a JWK. Must be at least 256 bits long and not null.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(byte[] secret, Set<String> defCritHeaders) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      secret - The secret. Must be at least 256 bits long and not null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(SecretKey secretKey, Set<String> defCritHeaders) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      secretKey - The secret key. Must be at least 256 bits long and not null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

    • MACVerifier

      public MACVerifier(OctetSequenceKey jwk, Set<String> defCritHeaders) throws JOSEException
      Creates a new Message Authentication (MAC) verifier.
      Parameters:
      jwk - The secret as a JWK. Must be at least 256 bits long and not null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      Throws:
      JOSEException - If the secret length is shorter than the minimum 256-bit requirement.

  • Method Details

    • getProcessedCriticalHeaderParams

      public Set<String> getProcessedCriticalHeaderParams()
      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
      Specified by:
      getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are understood and processed, empty set if none.

    • getDeferredCriticalHeaderParams

      public Set<String> getDeferredCriticalHeaderParams()
      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
      Specified by:
      getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are deferred to the application for processing, empty set if none.

    • verify

      public boolean verify(JWSHeader header, byte[] signedContent, Base64URL signature) throws JOSEException
      Description copied from interface: JWSVerifier
      Verifies the specified signature of a JWS object.
      Specified by:
      verify in interface JWSVerifier
      Parameters:
      header - The JSON Web Signature (JWS) header. Must specify a supported JWS algorithm and must not be null.
      signedContent - The signing input. Must not be null.
      signature - The signature part of the JWS object. Must not be null.
      Returns:
      true if the signature was successfully verified, false if the signature is invalid or if a critical header is neither supported nor marked for deferral to the application.
      Throws:
      JOSEException - If the JWS algorithm is not supported, or if signature verification failed for some other internal reason.