Package com.nimbusds.jose.crypto

Class AESEncrypter

java.lang.Object
com.nimbusds.jose.crypto.impl.BaseJWEProvider
com.nimbusds.jose.crypto.impl.AESCryptoProvider
com.nimbusds.jose.crypto.AESEncrypter
All Implemented Interfaces:
JCAAware<JWEJCAContext>, JOSEProvider, JWEEncrypter, JWEProvider
@ThreadSafe public class AESEncrypter extends AESCryptoProvider implements JWEEncrypter
AES and AES GCM key wrap encrypter of JWE objects. Expects an AES key.

Encrypts the plain text with a generated AES key (the Content Encryption Key) according to the specified JOSE encryption method, then wraps the CEK with the specified AES key and returns it alongside the IV, cipher text and authentication tag. See RFC 7518, sections 4.4 and 4.7 for more information.

This class is thread-safe.

Supports the following key management algorithms:

Supports the following content encryption algorithms:

Version:
2023-09-10
Author:
Melisa Halsband, Vladimir Dzhuvinov, Dimitar A. Stoikov, Egor Puzanov

  • Constructor Details

    • AESEncrypter

      public AESEncrypter(SecretKey kek, SecretKey contentEncryptionKey) throws KeyLengthException
      Creates a new AES encrypter.
      Parameters:
      kek - The Key Encryption Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.
      contentEncryptionKey - The content encryption key (CEK) to use. If specified its algorithm must be "AES" or "ChaCha20" and its length must match the expected for the JWE encryption method ("enc"). If null a CEK will be generated for each JWE.
      Throws:
      KeyLengthException - If the KEK length is invalid.

    • AESEncrypter

      public AESEncrypter(SecretKey kek) throws KeyLengthException
      Creates a new AES encrypter.
      Parameters:
      kek - The Key Encryption Key. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.
      Throws:
      KeyLengthException - If the KEK length is invalid.

    • AESEncrypter

      public AESEncrypter(byte[] keyBytes) throws KeyLengthException
      Creates a new AES encrypter.
      Parameters:
      keyBytes - The Key Encryption Key, as a byte array. Must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes). Must not be null.
      Throws:
      KeyLengthException - If the KEK length is invalid.

    • AESEncrypter

      public AESEncrypter(OctetSequenceKey octJWK) throws KeyLengthException
      Creates a new AES encrypter.
      Parameters:
      octJWK - The Key Encryption Key, as a JWK. Must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long. Must not be null.
      Throws:
      KeyLengthException - If the KEK length is invalid.

  • Method Details

    • encrypt

      @Deprecated public JWECryptoParts encrypt(JWEHeader header, byte[] clearText) throws JOSEException
      Deprecated.
      Encrypts the specified clear text of a JWE object.
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      clearText - The clear text to encrypt. Must not be null.
      Returns:
      The resulting JWE crypto parts.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported or if encryption failed for some other internal reason.

    • encrypt

      public JWECryptoParts encrypt(JWEHeader header, byte[] clearText, byte[] aad) throws JOSEException
      Description copied from interface: JWEEncrypter
      Encrypts the specified clear text of a JWE object.
      Specified by:
      encrypt in interface JWEEncrypter
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      clearText - The clear text to encrypt. Must not be null.
      aad - The additional authenticated data. Must not be null.
      Returns:
      The resulting JWE crypto parts.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported or if encryption failed for some other internal reason.