@ThreadSafe public class AESCBC extends Object
Also supports the deprecated AES/CBC/HMAC encryption using a custom concat KDF (JOSE draft suite 08).
See RFC 7518 (JWA), section 5.2.
Modifier and Type | Field and Description |
---|---|
static int |
IV_BIT_LENGTH
The standard Initialisation Vector (IV) length (128 bits).
|
Modifier and Type | Method and Description |
---|---|
static byte[] |
decrypt(SecretKey secretKey,
byte[] iv,
byte[] cipherText,
Provider provider)
Decrypts the specified cipher text using AES/CBC/PKCS5Padding.
|
static byte[] |
decryptAuthenticated(SecretKey secretKey,
byte[] iv,
byte[] cipherText,
byte[] aad,
byte[] authTag,
Provider ceProvider,
Provider macProvider)
Decrypts the specified cipher text using AES/CBC/PKCS5Padding/
HMAC-SHA2.
|
static byte[] |
decryptWithConcatKDF(JWEHeader header,
SecretKey secretKey,
Base64URL encryptedKey,
Base64URL iv,
Base64URL cipherText,
Base64URL authTag,
Provider ceProvider,
Provider macProvider)
Decrypts the specified cipher text using the deprecated concat KDF
from JOSE draft suite 09.
|
static byte[] |
encrypt(SecretKey secretKey,
byte[] iv,
byte[] plainText,
Provider provider)
Encrypts the specified plain text using AES/CBC/PKCS5Padding.
|
static AuthenticatedCipherText |
encryptAuthenticated(SecretKey secretKey,
byte[] iv,
byte[] plainText,
byte[] aad,
Provider ceProvider,
Provider macProvider)
Encrypts the specified plain text using AES/CBC/PKCS5Padding/
HMAC-SHA2.
|
static AuthenticatedCipherText |
encryptWithConcatKDF(JWEHeader header,
SecretKey secretKey,
Base64URL encryptedKey,
byte[] iv,
byte[] plainText,
Provider ceProvider,
Provider macProvider)
Encrypts the specified plain text using the deprecated concat KDF
from JOSE draft suite 09.
|
static byte[] |
generateIV(SecureRandom randomGen)
Generates a random 128 bit (16 byte) Initialisation Vector(IV) for
use in AES-CBC encryption.
|
public static final int IV_BIT_LENGTH
public static byte[] generateIV(SecureRandom randomGen)
randomGen
- The secure random generator to use. Must be
correctly initialised and not null
.public static byte[] encrypt(SecretKey secretKey, byte[] iv, byte[] plainText, Provider provider) throws JOSEException
secretKey
- The AES key. Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.plainText
- The plain text. Must not be null
.provider
- The JCA provider, or null
to use the
default one.JOSEException
- If encryption failed.public static AuthenticatedCipherText encryptAuthenticated(SecretKey secretKey, byte[] iv, byte[] plainText, byte[] aad, Provider ceProvider, Provider macProvider) throws JOSEException
See RFC 7518 (JWA), section 5.2.2.1
See draft-mcgrew-aead-aes-cbc-hmac-sha2-01
secretKey
- The secret key. Must be 256 or 512 bits long.
Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.plainText
- The plain text. Must not be null
.aad
- The additional authenticated data. Must not be
null
.ceProvider
- The JCA provider for the content encryption, or
null
to use the default one.macProvider
- The JCA provider for the MAC computation, or
null
to use the default one.JOSEException
- If encryption failed.public static AuthenticatedCipherText encryptWithConcatKDF(JWEHeader header, SecretKey secretKey, Base64URL encryptedKey, byte[] iv, byte[] plainText, Provider ceProvider, Provider macProvider) throws JOSEException
header
- The JWE header. Must not be null
.secretKey
- The secret key. Must be 256 or 512 bits long.
Must not be null
.encryptedKey
- The encrypted key. Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.plainText
- The plain text. Must not be null
.ceProvider
- The JCA provider for the content encryption, or
null
to use the default one.macProvider
- The JCA provider for the MAC computation, or
null
to use the default one.JOSEException
- If encryption failed.public static byte[] decrypt(SecretKey secretKey, byte[] iv, byte[] cipherText, Provider provider) throws JOSEException
secretKey
- The AES key. Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.cipherText
- The cipher text. Must not be null
.provider
- The JCA provider, or null
to use the
default one.JOSEException
- If decryption failed.public static byte[] decryptAuthenticated(SecretKey secretKey, byte[] iv, byte[] cipherText, byte[] aad, byte[] authTag, Provider ceProvider, Provider macProvider) throws JOSEException
See RFC 7518 (JWA), section 5.2.2.2
See draft-mcgrew-aead-aes-cbc-hmac-sha2-01
secretKey
- The secret key. Must be 256 or 512 bits long.
Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.cipherText
- The cipher text. Must not be null
.aad
- The additional authenticated data. Must not be
null
.authTag
- The authentication tag. Must not be null
.ceProvider
- The JCA provider for the content encryption, or
null
to use the default one.macProvider
- The JCA provider for the MAC computation, or
null
to use the default one.JOSEException
- If decryption failed.public static byte[] decryptWithConcatKDF(JWEHeader header, SecretKey secretKey, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, Provider ceProvider, Provider macProvider) throws JOSEException
header
- The JWE header. Must not be null
.secretKey
- The secret key. Must be 256 or 512 bits long.
Must not be null
.encryptedKey
- The encrypted key. Must not be null
.iv
- The initialisation vector (IV). Must not be
null
.cipherText
- The cipher text. Must not be null
.authTag
- The authentication tag. Must not be null
.ceProvider
- The JCA provider for the content encryption, or
null
to use the default one.macProvider
- The JCA provider for the MAC computation, or
null
to use the default one.JOSEException
- If decryption failed.Copyright © 2019 Connect2id Ltd.. All rights reserved.