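/*
 * nimbus-jose-jwt
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.jose.crypto.impl;


import java.util.*;
import javax.crypto.SecretKey;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.util.ByteUtils;


/**
 * The base abstract class for AES and AES GCM key wrap encrypters and
 * decrypters of {@link com.nimbusds.jose.JWEObject JWE objects}.
 *
 * <p>Supports the following key management algorithms:
 *
 * <ul>
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A128KW}
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A192KW}
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A256KW}
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW}
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW}
 *     <li>{@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW}
 * </ul>
 *
 * <p>Supports the following content encryption algorithms:
 *
 * <ul>
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A128GCM}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A192GCM}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A256GCM}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
 *     <li>{@link com.nimbusds.jose.EncryptionMethod#XC20P}
 * </ul>
 *
 * <p>Key-size binding: the set of JWE algorithms handed to the superclass is
 * chosen from the bit length of the supplied KEK, so a provider constructed
 * with a 128-bit key is only given the {@code A128*} algorithms, and
 * likewise for 192 and 256 bits. How the superclass enforces that set is not
 * visible in this file.
 *
 * @author Melisa Halsband
 * @author Vladimir Dzhuvinov
 * @version 2015-06-29
 */
public abstract class AESCryptoProvider extends BaseJWEProvider {


	/**
	 * The supported JWE algorithms by the AES crypto provider class.
	 * Unmodifiable; iteration follows the insertion order below.
	 */
	public static final Set<JWEAlgorithm> SUPPORTED_ALGORITHMS;


	/**
	 * The supported encryption methods by the AES crypto provider class.
	 */
	public static final Set<EncryptionMethod> SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;


	/**
	 * The JWE algorithms compatible with each key size in bits. Both the
	 * map and the sets it holds are unmodifiable.
	 */
	public static final Map<Integer,Set<JWEAlgorithm>> COMPATIBLE_ALGORITHMS;


	static {
		Set<JWEAlgorithm> algs = new LinkedHashSet<>();
		algs.add(JWEAlgorithm.A128KW);
		algs.add(JWEAlgorithm.A192KW);
		algs.add(JWEAlgorithm.A256KW);
		algs.add(JWEAlgorithm.A128GCMKW);
		algs.add(JWEAlgorithm.A192GCMKW);
		algs.add(JWEAlgorithm.A256GCMKW);
		SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);

		// Only the three AES key sizes appear as keys; any other length
		// misses the lookup and is rejected in getCompatibleJWEAlgorithms.
		Map<Integer,Set<JWEAlgorithm>> algsMap = new HashMap<>();
		Set<JWEAlgorithm> bit128Algs = new HashSet<>();
		Set<JWEAlgorithm> bit192Algs = new HashSet<>();
		Set<JWEAlgorithm> bit256Algs = new HashSet<>();
		bit128Algs.add(JWEAlgorithm.A128GCMKW);
		bit128Algs.add(JWEAlgorithm.A128KW);
		bit192Algs.add(JWEAlgorithm.A192GCMKW);
		bit192Algs.add(JWEAlgorithm.A192KW);
		bit256Algs.add(JWEAlgorithm.A256GCMKW);
		bit256Algs.add(JWEAlgorithm.A256KW);
		algsMap.put(128,Collections.unmodifiableSet(bit128Algs));
		algsMap.put(192,Collections.unmodifiableSet(bit192Algs));
		algsMap.put(256,Collections.unmodifiableSet(bit256Algs));
		COMPATIBLE_ALGORITHMS = Collections.unmodifiableMap(algsMap);
	}


	/**
	 * The Key Encryption Key (KEK).
	 */
	private final SecretKey kek;


	/**
	 * Returns the compatible JWE algorithms for the specified Key
	 * Encryption Key (KEK) length.
	 *
	 * @param kekLength The KEK length in bits.
	 *
	 * @return The compatible JWE algorithms.
	 *
	 * @throws KeyLengthException If the KEK length is not compatible.
	 */
	private static Set<JWEAlgorithm> getCompatibleJWEAlgorithms(final int kekLength)
		throws KeyLengthException {

		Set<JWEAlgorithm> algs = COMPATIBLE_ALGORITHMS.get(kekLength);

		if (algs == null) {
			throw new KeyLengthException("The Key Encryption Key length must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes)");
		}

		return algs;
	}


	/**
	 * Measures the bit length of the encoded KEK, rejecting a {@code null}
	 * key with an explicit message before its encoding is requested.
	 *
	 * @param kek The Key Encryption Key. Must not be {@code null}.
	 *
	 * @return The bit length reported by {@link ByteUtils#bitLength} for
	 *         the key's encoded form.
	 */
	private static int kekBitLength(final SecretKey kek) {

		Objects.requireNonNull(kek, "The Key Encryption Key must not be null");

		// SecretKey.getEncoded() returns null for keys that do not support
		// encoding (e.g. keys held in a hardware module).
		// NOTE(review): how ByteUtils.bitLength treats a null array is not
		// visible here; confirm such keys fail with KeyLengthException.
		return ByteUtils.bitLength(kek.getEncoded());
	}


	/**
	 * Creates a new AES encryption / decryption provider.
	 *
	 * <p>The key length is taken from the key's encoded form, and only the
	 * JWE algorithms matching that length are passed to the superclass.
	 *
	 * @param kek The Key Encryption Key. Must be 128 bits (16 bytes), 192
	 *            bits (24 bytes) or 256 bits (32 bytes). Must not be
	 *            {@code null}.
	 *
	 * @throws KeyLengthException   If the KEK length is invalid.
	 * @throws NullPointerException If the KEK is {@code null}.
	 */
	protected AESCryptoProvider(final SecretKey kek)
		throws KeyLengthException {

		super(getCompatibleJWEAlgorithms(kekBitLength(kek)), ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);

		this.kek = kek;
	}


	/**
	 * Gets the Key Encryption Key (KEK).
	 *
	 * <p>The returned object is the same {@link SecretKey} instance that
	 * was passed to the constructor; no copy is made, so any code that can
	 * reach this provider can also reach the key.
	 *
	 * @return The Key Encryption Key.
	 */
	public SecretKey getKey() {

		return kek;
	}
}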