Class RSASSASigner

All Implemented Interfaces:
JCAAware<JCAContext>, JOSEProvider, JWSProvider, JWSSigner

@ThreadSafe public class RSASSASigner extends RSASSAProvider implements JWSSigner
RSA Signature-Scheme-with-Appendix (RSASSA) signer of JWS objects. Expects a private RSA key.

See RFC 7518, sections 3.3 and 3.5 for more information.

This class is thread-safe.

Supports the following algorithms:

Supports the following options:

  • UserAuthenticationRequired -- to prompt the user to authenticate in order to complete the signing operation. Android applications can use this option to trigger a biometric prompt that is required to unlock a private key created with setUserAuthenticationRequired(true).
  • AllowWeakRSAKey -- to allow weak RSA keys that are shorter than 2048 bits

Supports the BouncyCastle FIPS provider for the PSxxx family of JWS algorithms.
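The following is an added example, not code from the Nimbus JOSE+JWT documentation, showing what the AllowWeakRSAKey option changes in practice: with default options the signer inspects the RSA modulus at construction time and rejects anything under 2048 bits, and only an explicit opt-in skips that check. The 1024-bit key is generated with plain JCA here solely to trigger the rejection (Nimbus' own RSAKeyGenerator refuses such sizes); the class name and printed messages are this example's own.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

import com.nimbusds.jose.JWSSignerOption;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.opts.AllowWeakRSAKey;

/**
 * Added example (not part of the Nimbus documentation): demonstrates the
 * 2048-bit minimum enforced by RSASSASigner and the AllowWeakRSAKey opt-in.
 */
public class WeakKeyOptionDemo {

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Plain JCA key pair generation, because RSAKeyGenerator refuses
        // sizes below 2048 bits and cannot produce the weak key we need.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(1024);
        KeyPair weak = gen.generateKeyPair();

        // Default options: the modulus length is checked and the key is
        // rejected before any signing can happen.
        try {
            new RSASSASigner(weak.getPrivate());
            System.out.println("unexpected: weak key accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Explicit opt-in: the length check is skipped for this signer only.
        Set<JWSSignerOption> opts = Collections.singleton(AllowWeakRSAKey.getInstance());
        RSASSASigner lenient = new RSASSASigner(weak.getPrivate(), opts);
        System.out.println("accepted with AllowWeakRSAKey: "
                + lenient.getPrivateKey().getAlgorithm());

        // A 2048-bit key needs no option at all.
        gen.initialize(2048);
        RSASSASigner strict = new RSASSASigner(gen.generateKeyPair().getPrivate());
        System.out.println("2048-bit key accepted: "
                + strict.getPrivateKey().getAlgorithm());
    }
}
```

Note that, as the constructor documentation states, the check only works when the key exposes its parameters; a PKCS#11-backed PrivateKey whose modulus cannot be read passes the constructor regardless of its real length, so key-length policy for HSM keys has to be enforced at provisioning time instead.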

Version:
2023-01-31
Author:
Vladimir Dzhuvinov, Omer Levi Hevroni
  • Constructor Details

    • RSASSASigner

      public RSASSASigner(PrivateKey privateKey)
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
    • RSASSASigner

      @Deprecated public RSASSASigner(PrivateKey privateKey, boolean allowWeakKey)
      Deprecated.
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      allowWeakKey - true to allow an RSA key shorter than 2048 bits.
    • RSASSASigner

      public RSASSASigner(PrivateKey privateKey, Set<JWSSignerOption> opts)
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      opts - The signing options, empty or null if none.
    • RSASSASigner

      public RSASSASigner(RSAKey rsaJWK) throws JOSEException
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
      Parameters:
      rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      Throws:
      JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.
    • RSASSASigner

      @Deprecated public RSASSASigner(RSAKey rsaJWK, boolean allowWeakKey) throws JOSEException
      Deprecated.
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
      Parameters:
      rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      allowWeakKey - true to allow an RSA key shorter than 2048 bits.
      Throws:
      JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.
    • RSASSASigner

      public RSASSASigner(RSAKey rsaJWK, Set<JWSSignerOption> opts) throws JOSEException
      Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
      Parameters:
      rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.
      opts - The signing options, empty or null if none.
      Throws:
      JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.
  • Method Details

    • getPrivateKey

      Gets the private RSA key.
      Returns:
      The private RSA key. Casting to RSAPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.
    • sign

      public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException
      Description copied from interface: JWSSigner
      Signs the specified input of a JWS object.
      Specified by:
      sign in interface JWSSigner
      Parameters:
      header - The JSON Web Signature (JWS) header. Must specify a supported JWS algorithm and must not be null.
      signingInput - The input to sign. Must not be null.
      Returns:
      The resulting signature part (third part) of the JWS object.
      Throws:
      JOSEException - If the JWS algorithm is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if signing failed for some other internal reason.
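As an added example of the constructor and sign method above (not the library's own documentation code), the following signs a JWS with PS256 through the RSAKey constructor, verifies it with the public half using RSASSAVerifier, and then shows the two failure modes a practitioner cares about: a tampered payload makes verification return false, and a header naming an algorithm this signer does not support makes sign throw a JOSEException. The key ID, payload strings and class name are this example's assumptions.

```java
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.util.Base64URL;

/**
 * Added example (not part of the Nimbus documentation): sign, verify,
 * and observe how tampering and an unsupported algorithm are handled.
 */
public class RsassaSignVerifyDemo {

    /** Signs the payload with PS256 and returns the compact serialization. */
    static String sign(RSAKey rsaJWK, String payload) throws JOSEException {
        JWSSigner signer = new RSASSASigner(rsaJWK);   // requires the private part
        JWSObject jws = new JWSObject(
                new JWSHeader.Builder(JWSAlgorithm.PS256).keyID(rsaJWK.getKeyID()).build(),
                new Payload(payload));
        jws.sign(signer);   // invokes sign(header, signingInput) internally
        return jws.serialize();
    }

    /** Parses the compact form and verifies it against the public JWK. */
    static boolean verify(RSAKey publicJWK, String compact)
            throws ParseException, JOSEException {
        JWSObject jws = JWSObject.parse(compact);
        JWSVerifier verifier = new RSASSAVerifier(publicJWK);
        return jws.verify(verifier);
    }

    public static void main(String[] args) throws Exception {
        RSAKey rsaJWK = new RSAKeyGenerator(2048).keyID("demo-key-1").generate();
        RSAKey publicJWK = rsaJWK.toPublicJWK();   // all a verifier should ever hold

        // Constructed sample payload.
        String compact = sign(rsaJWK, "{\"sub\":\"alice\",\"role\":\"user\"}");
        System.out.println("verifies: " + verify(publicJWK, compact));

        // Replace only the payload segment; header and signature stay as issued.
        String[] parts = compact.split("\\.");
        String forgedPayload =
                Base64URL.encode("{\"sub\":\"alice\",\"role\":\"admin\"}").toString();
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        System.out.println("tampered verifies: " + verify(publicJWK, tampered));

        // A header whose alg is not an RSASSA algorithm is refused at sign time.
        JWSSigner signer = new RSASSASigner(rsaJWK);
        try {
            signer.sign(new JWSHeader(JWSAlgorithm.HS256), "x".getBytes());
        } catch (JOSEException e) {
            System.out.println("unsupported alg: " + e.getMessage());
        }
    }
}
```

Keeping the signing side on RSASSASigner and the verifying side on a public-only RSAKey mirrors the asymmetric split the class is built for; the verifier never needs, and should never be handed, the private part.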