Package com.nimbusds.jose.crypto
Class DirectDecrypter
- java.lang.Object
-
- com.nimbusds.jose.crypto.impl.BaseJWEProvider
-
- com.nimbusds.jose.crypto.impl.DirectCryptoProvider
-
- com.nimbusds.jose.crypto.DirectDecrypter
-
- All Implemented Interfaces:
CriticalHeaderParamsAware,JCAAware<JWEJCAContext>,JOSEProvider,JWEDecrypter,JWEProvider
@ThreadSafe public class DirectDecrypter extends DirectCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware
Direct decrypter ofJWE objectswith a shared symmetric key.See RFC 7518 section 4.5 for more information.
This class is thread-safe.
Supports the following key management algorithms:
Supports the following content encryption algorithms:
EncryptionMethod.A128CBC_HS256(requires 256 bit key)EncryptionMethod.A192CBC_HS384(requires 384 bit key)EncryptionMethod.A256CBC_HS512(requires 512 bit key)EncryptionMethod.A128GCM(requires 128 bit key)EncryptionMethod.A192GCM(requires 192 bit key)EncryptionMethod.A256GCM(requires 256 bit key)EncryptionMethod.A128CBC_HS256_DEPRECATED(requires 256 bit key)EncryptionMethod.A256CBC_HS512_DEPRECATED(requires 512 bit key)EncryptionMethod.XC20P(requires 256 bit key)
Also supports a promiscuous mode to decrypt any JWE by passing the content encryption key (CEK) directly. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.
- Version:
- 2023-09-10
- Author:
- Vladimir Dzhuvinov, Egor Puzanov
-
-
Field Summary
-
Fields inherited from class com.nimbusds.jose.crypto.impl.DirectCryptoProvider
SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS
-
-
Constructor Summary
Constructors Constructor Description DirectDecrypter(byte[] keyBytes)Creates a new direct decrypter.DirectDecrypter(OctetSequenceKey octJWK)Creates a new direct decrypter.DirectDecrypter(SecretKey key)Creates a new direct decrypter.DirectDecrypter(SecretKey key, boolean promiscuousMode)Creates a new direct decrypter with the option to set it in promiscuous mode.DirectDecrypter(SecretKey key, Set<String> defCritHeaders)Creates a new direct decrypter with the option to set it in promiscuous mode.DirectDecrypter(SecretKey key, Set<String> defCritHeaders, boolean promiscuousMode)Creates a new direct decrypter.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description byte[]decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)Deprecated.byte[]decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)Decrypts the specified cipher text of aJWE Object.Set<String>getDeferredCriticalHeaderParams()Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.Set<String>getProcessedCriticalHeaderParams()Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.-
Methods inherited from class com.nimbusds.jose.crypto.impl.DirectCryptoProvider
getKey
-
Methods inherited from class com.nimbusds.jose.crypto.impl.BaseJWEProvider
getCEK, getJCAContext, isCEKProvided, supportedEncryptionMethods, supportedJWEAlgorithms
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface com.nimbusds.jose.jca.JCAAware
getJCAContext
-
Methods inherited from interface com.nimbusds.jose.JWEProvider
supportedEncryptionMethods, supportedJWEAlgorithms
-
-
-
-
Constructor Detail
-
DirectDecrypter
public DirectDecrypter(SecretKey key) throws KeyLengthException
Creates a new direct decrypter.- Parameters:
key- The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
DirectDecrypter
public DirectDecrypter(SecretKey key, boolean promiscuousMode) throws KeyLengthException
Creates a new direct decrypter with the option to set it in promiscuous mode.- Parameters:
key- The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.promiscuousMode- Iftrueset the decrypter in promiscuous mode to permit decryption of any JWE with the supplied symmetric key. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
DirectDecrypter
public DirectDecrypter(byte[] keyBytes) throws KeyLengthException
Creates a new direct decrypter.- Parameters:
keyBytes- The symmetric key, as a byte array. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
DirectDecrypter
public DirectDecrypter(OctetSequenceKey octJWK) throws KeyLengthException
Creates a new direct decrypter.- Parameters:
octJWK- The symmetric key, as a JWK. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
DirectDecrypter
public DirectDecrypter(SecretKey key, Set<String> defCritHeaders) throws KeyLengthException
Creates a new direct decrypter with the option to set it in promiscuous mode.- Parameters:
key- The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.defCritHeaders- The names of the critical header parameters that are deferred to the application for processing, empty set ornullif none.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
DirectDecrypter
public DirectDecrypter(SecretKey key, Set<String> defCritHeaders, boolean promiscuousMode) throws KeyLengthException
Creates a new direct decrypter.- Parameters:
key- The symmetric key. Its algorithm should be "AES". Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not benull.defCritHeaders- The names of the critical header parameters that are deferred to the application for processing, empty set ornullif none.promiscuousMode- Iftrueset the decrypter in promiscuous mode to permit decryption of any JWE with the supplied symmetric key. The that mode the JWE algorithm checks for ("alg":"dir") and encrypted key not being present will be skipped.- Throws:
KeyLengthException- If the symmetric key length is not compatible.
-
-
Method Detail
-
getProcessedCriticalHeaderParams
public Set<String> getProcessedCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAwareReturns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.- Specified by:
getProcessedCriticalHeaderParamsin interfaceCriticalHeaderParamsAware- Returns:
- The names of the critical header parameters that are understood and processed, empty set if none.
-
getDeferredCriticalHeaderParams
public Set<String> getDeferredCriticalHeaderParams()
Description copied from interface:CriticalHeaderParamsAwareReturns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.- Specified by:
getDeferredCriticalHeaderParamsin interfaceCriticalHeaderParamsAware- Returns:
- The names of the critical header parameters that are deferred to the application for processing, empty set if none.
-
decrypt
@Deprecated public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
Deprecated.Decrypts the specified cipher text of aJWE Object.- Parameters:
header- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull.encryptedKey- The encrypted key,nullif not required by the JWE algorithm.iv- The initialisation vector,nullif not required by the JWE algorithm.cipherText- The cipher text to decrypt. Must not benull.authTag- The authentication tag,nullif not required.- Returns:
- The clear text.
- Throws:
JOSEException- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
decrypt
public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException
Description copied from interface:JWEDecrypterDecrypts the specified cipher text of aJWE Object.- Specified by:
decryptin interfaceJWEDecrypter- Parameters:
header- The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not benull.encryptedKey- The encrypted key,nullif not required by the JWE algorithm.iv- The initialisation vector,nullif not required by the JWE algorithm.cipherText- The cipher text to decrypt. Must not benull.authTag- The authentication tag,nullif not required.aad- The additional authenticated data. Must not benull.- Returns:
- The clear text.
- Throws:
JOSEException- If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
-
-