public class ECDH1PU extends Object

Modifier and Type | Method and Description
---|---
static SecretKey | deriveSharedKey(JWEHeader header, SecretKey Z, Base64URL tag, ConcatKDF concatKDF): Derives a shared key (via concat KDF).
static SecretKey | deriveSharedKey(JWEHeader header, SecretKey Z, ConcatKDF concatKDF): Derives a shared key (via concat KDF).
static SecretKey | deriveZ(SecretKey Ze, SecretKey Zs): Derives a shared secret (also called 'Z') where Z is the concatenation of Ze and Zs.
static ECDH.AlgorithmMode | resolveAlgorithmMode(JWEAlgorithm alg): Resolves the ECDH algorithm mode.
static int | sharedKeyLength(JWEAlgorithm alg, EncryptionMethod enc): Returns the bit length of the shared key (derived via concat KDF) for the specified JWE ECDH algorithm.
static void | validateSameCurve(ECPrivateKey privateKey, ECPublicKey publicKey): Ensures the private key and public key are from the same curve.
static void | validateSameCurve(OctetKeyPair privateKey, OctetKeyPair publicKey): Ensures the private key and public key are from the same curve.
public static ECDH.AlgorithmMode resolveAlgorithmMode(JWEAlgorithm alg) throws JOSEException

Resolves the ECDH algorithm mode.

Parameters:
- alg - The JWE algorithm. Must be supported and not null.

Throws:
- JOSEException - If the JWE algorithm is not supported.

public static int sharedKeyLength(JWEAlgorithm alg, EncryptionMethod enc) throws JOSEException

Returns the bit length of the shared key (derived via concat KDF) for the specified JWE ECDH algorithm.

Parameters:
- alg - The JWE ECDH algorithm. Must be supported and not null.
- enc - The encryption method. Must be supported and not null.

Throws:
- JOSEException - If the JWE algorithm or encryption method is not supported.

public static SecretKey deriveSharedKey(JWEHeader header, SecretKey Z, ConcatKDF concatKDF) throws JOSEException

Derives a shared key (via concat KDF) in ECDH.AlgorithmMode.DIRECT mode.

The method derives the Content Encryption Key (CEK) for the "enc" algorithm, in the ECDH.AlgorithmMode.DIRECT mode.

The method does not take the auth tag because the auth tag will be generated using a CEK derived as an output of this method.

Parameters:
- header - The JWE header. Its algorithm and encryption method must be supported. Must not be null.
- Z - The derived shared secret ('Z'). Must not be null.
- concatKDF - The concat KDF. Must be initialised and not null.

Throws:
- JOSEException - If derivation of the shared key failed.

public static SecretKey deriveSharedKey(JWEHeader header, SecretKey Z, Base64URL tag, ConcatKDF concatKDF) throws JOSEException

Derives a shared key (via concat KDF) in ECDH.AlgorithmMode.KW mode.

In Key Agreement with ECDH.AlgorithmMode.KW mode, the JWE Authentication Tag is included in the input to the KDF. This ensures that the content of the JWE was produced by the original sender and not by another recipient.

Parameters:
- header - The JWE header. Its algorithm and encryption method must be supported. Must not be null.
- Z - The derived shared secret ('Z'). Must not be null.
- tag - In Direct Key Agreement mode this is set to an empty octet string. In Key Agreement with Key Wrapping mode, this is set to a value of the form Data, where Data is the raw octets of the JWE Authentication Tag.
- concatKDF - The concat KDF. Must be initialised and not null.

Throws:
- JOSEException - If derivation of the shared key failed.

public static SecretKey deriveZ(SecretKey Ze, SecretKey Zs)

Derives a shared secret (also called 'Z') where Z is the concatenation of Ze and Zs.

Parameters:
- Ze - The shared secret derived from applying the ECDH primitive to the sender's ephemeral private key and the recipient's static public key (when sending) or the recipient's static private key and the sender's ephemeral public key (when receiving). Must not be null.
- Zs - The shared secret derived from applying the ECDH primitive to the sender's static private key and the recipient's static public key (when sending) or the recipient's static private key and the sender's static public key (when receiving). Must not be null.
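The following is an added example, not code from Nimbus JOSE+JWT, that reimplements in Python what the helpers above do: Z = Ze || Zs, the algorithm mode and shared key length for the ECDH-1PU family, and the Concat KDF with and without the JWE Authentication Tag. The ECDH primitive itself is not run; Ze and Zs are constructed byte strings. The framing of the tag in the KDF input (a length-prefixed field appended after keydatalen, following draft-madden-jose-ecdh-1pu) is an assumption of this example, and the names `derive_z`, `concat_kdf` and `derive_shared_key` are this example's own.

```python
"""ECDH-1PU key derivation helpers (added example, not Nimbus JOSE+JWT code)."""
import base64
import hashlib
import struct

DIRECT = "DIRECT"  # ECDH.AlgorithmMode.DIRECT: derived key is the CEK
KW = "KW"          # ECDH.AlgorithmMode.KW: derived key wraps a random CEK

# Key sizes per JWA (RFC 7518): wrapping key for the +AxxxKW variants,
# CEK size for the "enc" method in direct mode.
_KW_KEY_BITS = {"ECDH-1PU+A128KW": 128, "ECDH-1PU+A192KW": 192, "ECDH-1PU+A256KW": 256}
_ENC_KEY_BITS = {"A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
                 "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}


def resolve_algorithm_mode(alg: str) -> str:
    """Mirror of resolveAlgorithmMode: direct for ECDH-1PU, key wrapping otherwise."""
    if alg == "ECDH-1PU":
        return DIRECT
    if alg in _KW_KEY_BITS:
        return KW
    raise ValueError(f"unsupported JWE ECDH-1PU algorithm: {alg}")


def shared_key_length(alg: str, enc: str) -> int:
    """Mirror of sharedKeyLength: bit length of the key the KDF must produce."""
    if resolve_algorithm_mode(alg) == DIRECT:
        if enc not in _ENC_KEY_BITS:
            raise ValueError(f"unsupported encryption method: {enc}")
        return _ENC_KEY_BITS[enc]
    return _KW_KEY_BITS[alg]


def derive_z(ze: bytes, zs: bytes) -> bytes:
    """Mirror of deriveZ: Z is the plain concatenation Ze || Zs."""
    if not ze or not zs:
        raise ValueError("Ze and Zs must both be present")
    return ze + zs


def _data_with_len(data: bytes) -> bytes:
    """Datalen || Data encoding used by the JOSE Concat KDF (RFC 7518 4.6.2)."""
    return struct.pack(">I", len(data)) + data


def concat_kdf(z: bytes, key_bits: int, alg_id: bytes, apu: bytes, apv: bytes,
               tag: bytes = b"") -> bytes:
    """NIST SP 800-56A Concat KDF with SHA-256, as JOSE uses it.

    With an empty tag the input is exactly the ECDH-ES one. With a tag
    (KW mode) the tag is appended, length-prefixed, after keydatalen; that
    framing is an assumption of this example.
    """
    other_info = (_data_with_len(alg_id) + _data_with_len(apu) + _data_with_len(apv)
                  + struct.pack(">I", key_bits))
    if tag:
        other_info += _data_with_len(tag)
    key_len = key_bits // 8
    out, counter = b"", 1
    while len(out) < key_len:  # K(i) = H(counter || Z || OtherInfo)
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[:key_len]


def derive_shared_key(alg: str, enc: str, apu: bytes, apv: bytes, z: bytes,
                      tag: bytes = b"") -> bytes:
    """Mirror of the two deriveSharedKey overloads, selected by algorithm mode.

    AlgorithmID is "enc" in direct mode and "alg" in key-wrapping mode, as
    for ECDH-ES. The tag is mandatory in KW mode and forbidden in DIRECT
    mode, which is why the direct overload on the page has no tag parameter.
    """
    mode = resolve_algorithm_mode(alg)
    bits = shared_key_length(alg, enc)
    if mode == DIRECT and tag:
        raise ValueError("tag must be empty in direct mode")
    if mode == KW and not tag:
        raise ValueError("the JWE Authentication Tag is required in KW mode")
    alg_id = (enc if mode == DIRECT else alg).encode("ascii")
    return concat_kdf(z, bits, alg_id, apu, apv, tag)


def b64url(data: bytes) -> str:
    """Unpadded base64url, the JOSE encoding for keys and tags."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # Constructed sample secrets standing in for the two ECDH outputs.
    ze, zs = bytes(range(32)), bytes(range(32, 64))
    z = derive_z(ze, zs)
    cek = derive_shared_key("ECDH-1PU", "A256GCM", b"Alice", b"Bob", z)
    tag = b"\x00" * 16  # constructed stand-in for a JWE Authentication Tag
    kek = derive_shared_key("ECDH-1PU+A128KW", "A256GCM", b"Alice", b"Bob", z, tag)
    print("direct-mode CEK:", b64url(cek))
    print("KW-mode KEK:   ", b64url(kek))
```

A receiver in KW mode must therefore verify the tag bound into the KDF input before unwrapping: a different tag yields a different wrapping key, which is exactly what stops another recipient of the same JWE from re-encrypting content under the sender's identity.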
public static void validateSameCurve(ECPrivateKey privateKey, ECPublicKey publicKey) throws JOSEException

Ensures the private key and public key are from the same curve.

Parameters:
- privateKey - EC private key. Must not be null.
- publicKey - EC public key. Must not be null.

Throws:
- JOSEException - If the key curves don't match.

public static void validateSameCurve(OctetKeyPair privateKey, OctetKeyPair publicKey) throws JOSEException

Ensures the private key and public key are from the same curve.

Parameters:
- privateKey - OKP private key. Must not be null.
- publicKey - OKP public key. Must not be null.

Throws:
- JOSEException - If the curves don't match.

Copyright © 2021 Connect2id Ltd. All rights reserved.