Class ECDHDecrypter

All Implemented Interfaces:
CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider

Elliptic Curve Diffie-Hellman decrypter of JWE objects for curves using EC JWK keys. Expects a private EC key (with a P-256, P-384 or P-521 curve).

See RFC 7518 section 4.6 for more information.

For Curve25519/X25519, see X25519Decrypter instead.

This class is thread-safe.

Supports the following key management algorithms:

Supports the following elliptic curves:

Supports the following content encryption algorithms:

Version:
2023-05-17
Author:
Vladimir Dzhuvinov, Egor Puzanov
  • Field Details

  • Constructor Details

    • ECDHDecrypter

      public ECDHDecrypter(ECPrivateKey privateKey) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter.
      Parameters:
      privateKey - The private EC key. Must not be null.
      Throws:
      JOSEException - If the elliptic curve is not supported.
    • ECDHDecrypter

      public ECDHDecrypter(ECKey ecJWK) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter.
      Parameters:
      ecJWK - The EC JSON Web Key (JWK). Must contain a private part. Must not be null.
      Throws:
      JOSEException - If the elliptic curve is not supported.
    • ECDHDecrypter

      public ECDHDecrypter(ECPrivateKey privateKey, Set<String> defCritHeaders) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter.
      Parameters:
      privateKey - The private EC key. Must not be null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      Throws:
      JOSEException - If the elliptic curve is not supported.
    • ECDHDecrypter

      public ECDHDecrypter(PrivateKey privateKey, Set<String> defCritHeaders, Curve curve) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter. This constructor can also accept a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private EC key. Must not be null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      curve - The key curve. Must not be null.
      Throws:
      JOSEException - If the elliptic curve is not supported.
  • Method Details

    • getPrivateKey

      Returns the private EC key.
      Returns:
      The private EC key. Casting to ECPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.
    • supportedEllipticCurves

      Description copied from class: ECDHCryptoProvider
      Returns the names of the supported elliptic curves. These correspond to the crv EC JWK parameter.
      Specified by:
      supportedEllipticCurves in class ECDHCryptoProvider
      Returns:
      The supported elliptic curves.
    • getProcessedCriticalHeaderParams

      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
      Specified by:
      getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are understood and processed, empty set if none.
    • getDeferredCriticalHeaderParams

      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
      Specified by:
      getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are deferred to the application for processing, empty set if none.
    • decrypt

      @Deprecated public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
      Deprecated.
      Decrypts the specified cipher text of a JWE Object.
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      encryptedKey - The encrypted key, null if not required by the JWE algorithm.
      iv - The initialisation vector, null if not required by the JWE algorithm.
      cipherText - The cipher text to decrypt. Must not be null.
      authTag - The authentication tag, null if not required.
      Returns:
      The clear text.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
    • decrypt

      public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException
      Description copied from interface: JWEDecrypter
      Decrypts the specified cipher text of a JWE Object.
      Specified by:
      decrypt in interface JWEDecrypter
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      encryptedKey - The encrypted key, null if not required by the JWE algorithm.
      iv - The initialisation vector, null if not required by the JWE algorithm.
      cipherText - The cipher text to decrypt. Must not be null.
      authTag - The authentication tag, null if not required.
      aad - The additional authenticated data. Must not be null.
      Returns:
      The clear text.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.
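
Added example (not part of the original Javadoc or the library's own code): a round trip showing how the `defCritHeaders` constructor argument changes what `decrypt` accepts. It encrypts a JWE whose header marks a parameter as critical, shows the default decrypter rejecting it, then decrypts with that parameter deferred and checks it in application code. The header name `x-tenant`, its value, the key ID and the payload are constructed for illustration.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import java.util.Collections;
import java.util.Set;

public class EcdhDeferredCritExample {
    // Constructed header name for this example; not a registered JOSE parameter.
    static final String CRIT_NAME = "x-tenant";

    public static void main(String[] args) throws Exception {
        // Recipient key pair on P-256, one of the curves this class accepts.
        ECKey ecJWK = new ECKeyGenerator(Curve.P_256).keyID("demo-key").generate();

        // Sender side: encrypt to the public key and mark x-tenant as critical.
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES_A256KW, EncryptionMethod.A256GCM)
                .keyID(ecJWK.getKeyID())
                .customParam(CRIT_NAME, "acme")
                .criticalParams(Collections.singleton(CRIT_NAME))
                .build();
        JWEObject jwe = new JWEObject(header, new Payload("constructed sample payload"));
        jwe.encrypt(new ECDHEncrypter(ecJWK.toPublicJWK()));
        String compact = jwe.serialize();

        // No deferral: the decrypter does not understand x-tenant, so it must refuse.
        try {
            JWEObject.parse(compact).decrypt(new ECDHDecrypter(ecJWK));
            throw new IllegalStateException("critical header was not rejected");
        } catch (JOSEException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }

        // Deferral: the decrypter ignores x-tenant, so the application
        // is now responsible for validating it before trusting the payload.
        Set<String> deferred = Collections.singleton(CRIT_NAME);
        JWEObject parsed = JWEObject.parse(compact);
        parsed.decrypt(new ECDHDecrypter(ecJWK.toECPrivateKey(), deferred));
        Object tenant = parsed.getHeader().getCustomParam(CRIT_NAME);
        if (!"acme".equals(tenant)) {
            throw new SecurityException("unexpected " + CRIT_NAME + ": " + tenant);
        }
        System.out.println("Decrypted: " + parsed.getPayload().toString());
    }
}
```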