com.nimbusds.jose.jwk

Class RSAKey

java.lang.Object

com.nimbusds.jose.jwk.JWK

com.nimbusds.jose.jwk.RSAKey

All Implemented Interfaces:

AssymetricJWK, Serializable, net.minidev.json.JSONAware

@Immutable
public final class RSAKey
extends JWK
implements AssymetricJWK

Public and private RSA JSON Web Key (JWK). This class is immutable.

Provides RSA JWK import from / export to the following standard Java interfaces and classes:

• RSAPublicKey
• RSAPrivateKey
  • RSAPrivateCrtKey
  • RSAMultiPrimePrivateCrtKey
• PrivateKey for an RSA key in a PKCS#11 store
• KeyPair

Example JSON object representation of a public RSA JWK:

 { 
   "kty" : "RSA",
   "n"   : "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
            4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
            tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
            QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
            SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
            w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e"   : "AQAB",
   "alg" : "RS256",
   "kid" : "2011-04-29"
 }
 

Example JSON object representation of a public and private RSA JWK (with both the first and the second private key representations):

 { 
   "kty" : "RSA",
   "n"   : "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
            4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
            tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
            QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
            SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
            w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e"   : "AQAB",
   "d"   : "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9
            M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij
            wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d
            _cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz
            nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz
            me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
   "p"   : "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPV
            nwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqV
            WlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
   "q"   : "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyum
            qjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgx
            kIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
   "dp"  : "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oim
            YwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_Nmtu
            YZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
   "dq"  : "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUU
            vMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9
            GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
   "qi"  : "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzg
            UIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rx
            yR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
   "alg" : "RS256",
   "kid" : "2011-04-29"
 }
 

Use the builder to create a new RSA JWK:

 RSAKey key = new RSAKey.Builder(n, e)
        .keyUse(KeyUse.SIGNATURE)
        .keyID("123")
        .build();
 

See RFC 3447.

See http://en.wikipedia.org/wiki/RSA_%28algorithm%29

Version:

2017-06-01

Author:

Vladimir Dzhuvinov, Justin Richer, Cedric Staub

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	RSAKey.Builder Builder for constructing RSA JWKs.
static class	RSAKey.OtherPrimesInfo Other Primes Info, represents the private oth parameter of a RSA JWK.

Field Summary

Fields inherited from class com.nimbusds.jose.jwk.JWK

MIME_TYPE

Constructor Summary

Constructors

Constructor and Description
RSAKey(Base64URL n, Base64URL e, Base64URL d, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c) Deprecated.
RSAKey(Base64URL n, Base64URL e, Base64URL d, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, PrivateKey prv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(Base64URL n, Base64URL e, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(Base64URL n, Base64URL e, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(Base64URL n, Base64URL e, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(RSAPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(RSAPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(RSAPublicKey pub, RSAMultiPrimePrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(RSAPublicKey pub, RSAPrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.
RSAKey(RSAPublicKey pub, RSAPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters.

Method Summary

Modifier and Type	Method and Description
Base64URL	getFirstCRTCoefficient() Gets the first Chinese Remainder Theorem (CRT) coefficient (qi)} of the private RSA key.
Base64URL	getFirstFactorCRTExponent() Gets the first factor Chinese Remainder Theorem (CRT) exponent (dp) of the private RSA key.
Base64URL	getFirstPrimeFactor() Gets the first prime factor (p) of the private RSA key.
Base64URL	getModulus() Gets the modulus value (n) of the RSA key.
List<RSAKey.OtherPrimesInfo>	getOtherPrimes() Gets the other primes information (oth) for the private RSA key, should they exist.
Base64URL	getPrivateExponent() Gets the private exponent (d) of the RSA key.
Base64URL	getPublicExponent() Gets the public exponent (e) of the RSA key.
LinkedHashMap<String,?>	getRequiredParams() Returns the required JWK parameters.
Base64URL	getSecondFactorCRTExponent() Gets the second factor Chinese Remainder Theorem (CRT) exponent (dq) of the private RSA key.
Base64URL	getSecondPrimeFactor() Gets the second prime factor (q) of the private RSA key.
boolean	isPrivate() Returns true if this JWK contains private or sensitive (non-public) parameters.
static RSAKey	load(KeyStore keyStore, String alias, char[] pin) Loads a public / private RSA JWK from the specified JCA key store.
static RSAKey	parse(net.minidev.json.JSONObject jsonObject) Parses a public / private RSA JWK from the specified JSON object representation.
static RSAKey	parse(String s) Parses a public / private RSA JWK from the specified JSON object string representation.
static RSAKey	parse(X509Certificate cert) Parses a public RSA JWK from the specified X.509 certificate.
int	size() Returns the size of this JWK.
net.minidev.json.JSONObject	toJSONObject() Returns a JSON object representation of this JWK.
KeyPair	toKeyPair() Returns a standard java.security.KeyPair representation of this RSA JWK.
PrivateKey	toPrivateKey() Returns a Java private key representation of this JWK.
RSAKey	toPublicJWK() Returns a copy of this RSA JWK with any private values removed.
PublicKey	toPublicKey() Returns a Java public key representation of the JWK.
RSAPrivateKey	toRSAPrivateKey() Returns a standard java.security.interfaces.RSAPrivateKey representation of this RSA JWK.
RSAPublicKey	toRSAPublicKey() Returns a standard java.security.interfaces.RSAPublicKey representation of this RSA JWK.

Methods inherited from class com.nimbusds.jose.jwk.JWK

computeThumbprint, computeThumbprint, getAlgorithm, getKeyID, getKeyOperations, getKeyStore, getKeyType, getKeyUse, getX509CertChain, getX509CertSHA256Thumbprint, getX509CertThumbprint, getX509CertURL, toJSONString, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

RSAKey

public RSAKey(Base64URL n,
              Base64URL e,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public RSA JSON Web Key (JWK) with the specified parameters.

Parameters:

n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(Base64URL n,
              Base64URL e,
              Base64URL d,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).

Parameters:

n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(Base64URL n,
              Base64URL e,
              Base64URL p,
              Base64URL q,
              Base64URL dp,
              Base64URL dq,
              Base64URL qi,
              List<RSAKey.OtherPrimesInfo> oth,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).

Parameters:

n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.

oth - The other primes information, should they exist, null or an empty list if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

@Deprecated
public RSAKey(Base64URL n,
                          Base64URL e,
                          Base64URL d,
                          Base64URL p,
                          Base64URL q,
                          Base64URL dp,
                          Base64URL dq,
                          Base64URL qi,
                          List<RSAKey.OtherPrimesInfo> oth,
                          KeyUse use,
                          Set<KeyOperation> ops,
                          Algorithm alg,
                          String kid,
                          URI x5u,
                          Base64URL x5t,
                          Base64URL x5t256,
                          List<Base64> x5c)

Deprecated.

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by both its first and second representations (see RFC 3447, section 3.2).

A valid first private RSA key representation must specify the d parameter.

A valid second private RSA key representation must specify all required Chinese Remainder Theorem (CRT) parameters - p, q, dp, dq and qi, else an IllegalArgumentException will be thrown.

Parameters:

n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

oth - The other primes information, should they exist, null or an empty list if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

RSAKey

public RSAKey(Base64URL n,
              Base64URL e,
              Base64URL d,
              Base64URL p,
              Base64URL q,
              Base64URL dp,
              Base64URL dq,
              Base64URL qi,
              List<RSAKey.OtherPrimesInfo> oth,
              PrivateKey prv,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key can be specified by its first representation, its second representation (see RFC 3447, section 3.2), or by a PKCS#11 handle as PrivateKey.

A valid first private RSA key representation must specify the d parameter.

A valid second private RSA key representation must specify all required Chinese Remainder Theorem (CRT) parameters - p, q, dp, dq and qi, else an IllegalArgumentException will be thrown.

Parameters:

n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.

d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. May be null.

oth - The other primes information, should they exist, null or an empty list if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(RSAPublicKey pub,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public RSA JSON Web Key (JWK) with the specified parameters.

Parameters:

pub - The public RSA key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(RSAPublicKey pub,
              RSAPrivateKey priv,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).

Parameters:

pub - The public RSA key to represent. Must not be null.

priv - The private RSA key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(RSAPublicKey pub,
              RSAPrivateCrtKey priv,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).

Parameters:

pub - The public RSA key to represent. Must not be null.

priv - The private RSA key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(RSAPublicKey pub,
              RSAMultiPrimePrivateCrtKey priv,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation, with optional other primes info (see RFC 3447, section 3.2).

Parameters:

pub - The public RSA key to represent. Must not be null.

priv - The private RSA key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

RSAKey

public RSAKey(RSAPublicKey pub,
              PrivateKey priv,
              KeyUse use,
              Set<KeyOperation> ops,
              Algorithm alg,
              String kid,
              URI x5u,
              Base64URL x5t,
              Base64URL x5t256,
              List<Base64> x5c,
              KeyStore ks)

Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by a PKCS#11 handle.

Parameters:

pub - The public RSA key to represent. Must not be null.

priv - The private RSA key as PKCS#11 handle, null if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID. null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

Method Detail

getModulus

public Base64URL getModulus()

Gets the modulus value (n) of the RSA key.

Returns:

The RSA key modulus. It is represented as the Base64URL encoding of the value's big endian representation.

getPublicExponent

public Base64URL getPublicExponent()

Gets the public exponent (e) of the RSA key.

Returns:

The public RSA key exponent. It is represented as the Base64URL encoding of the value's big endian representation.

getPrivateExponent

public Base64URL getPrivateExponent()

Gets the private exponent (d) of the RSA key.

Returns:

The private RSA key exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the second representation only).

getFirstPrimeFactor

public Base64URL getFirstPrimeFactor()

Gets the first prime factor (p) of the private RSA key.

Returns:

The RSA first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

getSecondPrimeFactor

public Base64URL getSecondPrimeFactor()

Gets the second prime factor (q) of the private RSA key.

Returns:

The RSA second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

getFirstFactorCRTExponent

public Base64URL getFirstFactorCRTExponent()

Gets the first factor Chinese Remainder Theorem (CRT) exponent (dp) of the private RSA key.

Returns:

The RSA first factor CRT exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

getSecondFactorCRTExponent

public Base64URL getSecondFactorCRTExponent()

Gets the second factor Chinese Remainder Theorem (CRT) exponent (dq) of the private RSA key.

Returns:

The RSA second factor CRT exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

getFirstCRTCoefficient

public Base64URL getFirstCRTCoefficient()

Gets the first Chinese Remainder Theorem (CRT) coefficient (qi)} of the private RSA key.

Returns:

The RSA first CRT coefficient. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

getOtherPrimes

public List<RSAKey.OtherPrimesInfo> getOtherPrimes()

Gets the other primes information (oth) for the private RSA key, should they exist.

Returns:

The RSA other primes information, null or empty list if not specified.

toRSAPublicKey

public RSAPublicKey toRSAPublicKey()
                            throws JOSEException

Returns a standard java.security.interfaces.RSAPublicKey representation of this RSA JWK.

Returns:

The public RSA key.

Throws:

JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public RSA key.

toRSAPrivateKey

public RSAPrivateKey toRSAPrivateKey()
                              throws JOSEException

Returns a standard java.security.interfaces.RSAPrivateKey representation of this RSA JWK.

Returns:

The private RSA key, null if not specified by this JWK.

Throws:

JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private RSA key.

toPublicKey

public PublicKey toPublicKey()
                      throws JOSEException

Description copied from interface: AssymetricJWK

Returns a Java public key representation of the JWK.

Specified by:

toPublicKey in interface AssymetricJWK

Returns:

The Java public key.

Throws:

JOSEException - If conversion failed or is not supported.

toPrivateKey

public PrivateKey toPrivateKey()
                        throws JOSEException

Description copied from interface: AssymetricJWK

Returns a Java private key representation of this JWK.

Specified by:

toPrivateKey in interface AssymetricJWK

Returns:

The Java private key, null if not specified.

Throws:

JOSEException - If conversion failed or is not supported.

toKeyPair

public KeyPair toKeyPair()
                  throws JOSEException

Returns a standard java.security.KeyPair representation of this RSA JWK.

Specified by:

toKeyPair in interface AssymetricJWK

Returns:

The RSA key pair. The private RSA key will be null if not specified.

Throws:

JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private RSA key.

getRequiredParams

public LinkedHashMap<String,?> getRequiredParams()

Description copied from class: JWK

Returns the required JWK parameters. Intended as input for JWK thumbprint computation. See RFC 7638 for more information.

Specified by:

getRequiredParams in class JWK

Returns:

The required JWK parameters, sorted alphanumerically by key name and ready for JSON serialisation.

isPrivate

public boolean isPrivate()

Description copied from class: JWK

Returns true if this JWK contains private or sensitive (non-public) parameters.

Specified by:

isPrivate in class JWK

Returns:

true if this JWK contains private parameters, else false.

size

public int size()

Description copied from class: JWK

Returns the size of this JWK.

Specified by:

size in class JWK

Returns:

The JWK size, in bits.

toPublicJWK

public RSAKey toPublicJWK()

Returns a copy of this RSA JWK with any private values removed.

Specified by:

toPublicJWK in class JWK

Returns:

The copied public RSA JWK.

toJSONObject

public net.minidev.json.JSONObject toJSONObject()

Description copied from class: JWK

Returns a JSON object representation of this JWK. This method is intended to be called from extending classes.

Example:

 {
   "kty" : "RSA",
   "use" : "sig",
   "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b"
 }
 

Overrides:

toJSONObject in class JWK

Returns:

The JSON object representation.

parse

public static RSAKey parse(String s)
                    throws ParseException

Parses a public / private RSA JWK from the specified JSON object string representation.

Parameters:

s - The JSON object string to parse. Must not be null.

Returns:

The public / private RSA JWK.

Throws:

ParseException - If the string couldn't be parsed to an RSA JWK.

parse

public static RSAKey parse(net.minidev.json.JSONObject jsonObject)
                    throws ParseException

Parses a public / private RSA JWK from the specified JSON object representation.

Parameters:

jsonObject - The JSON object to parse. Must not be null.

Returns:

The public / private RSA Key.

Throws:

ParseException - If the JSON object couldn't be parsed to an RSA JWK.

parse

public static RSAKey parse(X509Certificate cert)
                    throws JOSEException

Parses a public RSA JWK from the specified X.509 certificate.

Important: The X.509 certificate is not validated!

Sets the following JWK parameters:

• The JWK use inferred by KeyUse.from(java.security.cert.X509Certificate).
• The JWK ID from the X.509 serial number (in base 10).
• The JWK X.509 certificate chain (this certificate only).
• The JWK X.509 certificate SHA-256 thumbprint.

Parameters:

cert - The X.509 certificate. Must not be null.

Returns:

The public RSA key.

Throws:

JOSEException - If parsing failed.

load

public static RSAKey load(KeyStore keyStore,
                          String alias,
                          char[] pin)
                   throws KeyStoreException,
                          JOSEException

Loads a public / private RSA JWK from the specified JCA key store.

Important: The X.509 certificate is not validated!

Parameters:

keyStore - The key store. Must not be null.

alias - The alias. Must not be null.

pin - The pin to unlock the private key if any, empty or null if not required.

Returns:

The public / private RSA key, null if no key with the specified alias was found.

Throws:

KeyStoreException - On a key store exception.

JOSEException - If RSA key loading failed.