Package com.nimbusds.jose.jwk
Class ECKey
java.lang.Object
com.nimbusds.jose.jwk.JWK
com.nimbusds.jose.jwk.ECKey
- All Implemented Interfaces:
AsymmetricJWK, CurveBasedJWK, Serializable
Public and private Elliptic Curve JSON Web Key (JWK).
This class is immutable.
Supported curves:
Provides EC JWK import from / export to the following standard Java interfaces and classes:
- ECPublicKey
- ECPrivateKey
- PrivateKey for an EC key in a PKCS#11 store
- KeyPair
Example JSON object representation of a public EC JWK:
    {
      "kty" : "EC",
      "crv" : "P-256",
      "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "use" : "enc",
      "kid" : "1"
    }
Example JSON object representation of a private EC JWK:
    {
      "kty" : "EC",
      "crv" : "P-256",
      "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
      "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
      "d"   : "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
      "use" : "enc",
      "kid" : "1"
    }
Use the builder to create a new EC JWK:
    ECKey key = new ECKey.Builder(Curve.P_256, x, y)
        .keyUse(KeyUse.SIGNATURE)
        .keyID("1")
        .build();
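Added example (not part of the library's own documentation): parsing the private EC JWK shown above, stripping it to its public form before it is published, and refusing to sign with a key whose declared use or curve does not match. The class name and the helpers toPublishableJson and signingKeyOrThrow are hypothetical; the library calls are those listed on this page.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.KeyUse;

import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.text.ParseException;

public class ECKeyHandlingExample {

    // The private EC JWK from this page's example (documentation key material).
    static final String PRIVATE_JWK_JSON = "{"
        + "\"kty\":\"EC\",\"crv\":\"P-256\","
        + "\"x\":\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\","
        + "\"y\":\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\","
        + "\"d\":\"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE\","
        + "\"use\":\"enc\",\"kid\":\"1\"}";

    /**
     * Returns the JSON that may leave the process (for example in a JWK set).
     * toJSONString() on a private JWK serialises 'd' as well, so the key is
     * reduced with toPublicJWK() first and the result is checked.
     */
    static String toPublishableJson(ECKey key) {
        ECKey publicOnly = key.toPublicJWK();
        if (publicOnly.isPrivate() || publicOnly.getD() != null) {
            throw new IllegalStateException("private parameters survived toPublicJWK()");
        }
        return publicOnly.toJSONString();
    }

    /**
     * Exports the private key for signing only if the JWK's own metadata
     * allows it: expected curve, use "sig", and private material present.
     */
    static ECPrivateKey signingKeyOrThrow(ECKey key, Curve expected) throws JOSEException {
        if (!expected.equals(key.getCurve())) {
            throw new IllegalArgumentException("unexpected curve: " + key.getCurve());
        }
        if (!KeyUse.SIGNATURE.equals(key.getKeyUse())) {
            throw new IllegalArgumentException("key use is not 'sig': " + key.getKeyUse());
        }
        ECPrivateKey priv = key.toECPrivateKey();
        if (priv == null) {
            // Public-only JWK, or a key held as a PKCS#11 handle (no 'd' to export).
            throw new IllegalArgumentException("no exportable private 'd' parameter");
        }
        return priv;
    }

    public static void main(String[] args) throws ParseException, JOSEException {
        ECKey key = ECKey.parse(PRIVATE_JWK_JSON);
        System.out.println("contains private parameters: " + key.isPrivate());

        // Export to the standard Java interface for use with JCA APIs.
        ECPublicKey pub = key.toECPublicKey();
        System.out.println("public key algorithm: " + pub.getAlgorithm());

        // The page's key declares use "enc", so the signing helper rejects it.
        try {
            signingKeyOrThrow(key, Curve.P_256);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected for signing: " + e.getMessage());
        }

        System.out.println("publishable JWK: " + toPublishableJson(key));
    }
}
```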
- Version:
- 2024-10-31
- Author:
- Vladimir Dzhuvinov, Justin Richer
Nested Class Summary
Modifier and Type, Class, Description
static class ECKey.Builder - Builder for constructing Elliptic Curve JWKs.
Field Summary
-
Constructor Summary
Constructor, Description
ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) - Deprecated.
ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks) - Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks) - Deprecated.
Method Summary
Modifier and Type, Method, Description
static Base64URL encodeCoordinate(int fieldSize, BigInteger coordinate) - Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.
boolean
getCurve() - Returns the cryptographic curve.
getD() - Gets the private 'd' coordinate for the elliptic curve point.
Returns the required JWK parameters.
getX() - Gets the public 'x' coordinate for the elliptic curve point.
getY() - Gets the public 'y' coordinate for the elliptic curve point.
int hashCode()
boolean - Returns true if this JWK contains private or sensitive (non-public) parameters.
static ECKey - Loads a public / private Elliptic Curve JWK from the specified JCA key store.
boolean matches(X509Certificate cert) - Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.
static ECKey - Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.
static ECKey parse(X509Certificate cert) - Parses a public Elliptic Curve JWK from the specified X.509 certificate.
static ECKey - Parses a public / private Elliptic Curve JWK from the specified JSON object representation.
int size() - Returns the size of this JWK.
Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
toECPrivateKey(Provider provider) - Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
toECPublicKey(Provider provider) - Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
Returns a JSON object representation of this JWK.
Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
Returns a Java private key representation of this JWK.
Returns a copy of this Elliptic Curve JWK with any private values removed.
Returns a Java public key representation of the JWK.
toRevokedJWK(KeyRevocation keyRevocation) - Creates a copy of this JWK with the specified key revocation.
Methods inherited from class com.nimbusds.jose.jwk.JWK
computeThumbprint, computeThumbprint, computeThumbprintURI, getAlgorithm, getExpirationTime, getIssueTime, getKeyID, getKeyOperations, getKeyRevocation, getKeyStore, getKeyType, getKeyUse, getNotBeforeTime, getParsedX509CertChain, getX509CertChain, getX509CertSHA256Thumbprint, getX509CertThumbprint, getX509CertURL, parseFromPEMEncodedObjects, parseFromPEMEncodedX509Cert, toECKey, toJSONString, toOctetKeyPair, toOctetSequenceKey, toRSAKey, toString
-
Field Details
-
SUPPORTED_CURVES
Supported EC curves.
-
-
Constructor Details
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
d - The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
d - The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
d - The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private EC key to represent. Must not be null.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
@Deprecated public ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
Deprecated.
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
ECKey
public ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyRevocation revocation, KeyStore ks)
Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.
- Parameters:
crv - The cryptographic curve. Must not be null.
pub - The public EC key to represent. Must not be null.
priv - The private key as a PKCS#11 handle, null if not specified.
use - The key use, null if not specified or if the key is intended for signing as well as encryption.
ops - The key operations, null if not specified.
alg - The intended JOSE algorithm for the key, null if not specified.
kid - The key ID, null if not specified.
x5u - The X.509 certificate URL, null if not specified.
x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
x5c - The X.509 certificate chain, null if not specified.
exp - The key expiration time, null if not specified.
nbf - The key not-before time, null if not specified.
iat - The key issued-at time, null if not specified.
revocation - The key revocation, null if not specified.
ks - Reference to the underlying key store, null if not specified.
-
-
Method Details
-
encodeCoordinate
Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.
- Parameters:
fieldSize - The field size in bits.
coordinate - The elliptic curve coordinate. Must not be null.
- Returns:
- The Base64URL-encoded coordinate, with leading zero padding up to the curve's field size.
-
getCurve
Description copied from interface: CurveBasedJWK
Returns the cryptographic curve.
- Specified by:
getCurve in interface CurveBasedJWK
- Returns:
- The cryptographic curve.
-
getX
Gets the public 'x' coordinate for the elliptic curve point.
- Returns:
- The 'x' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.
-
getY
Gets the public 'y' coordinate for the elliptic curve point.
- Returns:
- The 'y' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.
-
getD
Gets the private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation.
- Returns:
- The 'd' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation. null if not specified (for a public key).
-
toECPublicKey
Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK. Uses the default JCA provider.
- Returns:
- The public Elliptic Curve key.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.
-
toECPublicKey
Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
- Parameters:
provider - The JCA provider to use, null implies the default.
- Returns:
- The public Elliptic Curve key.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.
-
toECPrivateKey
Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK. Uses the default JCA provider.
- Returns:
- The private Elliptic Curve key, null if not specified by this JWK.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.
-
toECPrivateKey
Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
- Parameters:
provider - The JCA provider to use, null implies the default.
- Returns:
- The private Elliptic Curve key, null if not specified by this JWK.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.
-
toPublicKey
Description copied from interface: AsymmetricJWK
Returns a Java public key representation of the JWK.
- Specified by:
toPublicKey in interface AsymmetricJWK
- Returns:
- The Java public key.
- Throws:
JOSEException - If conversion failed or is not supported.
-
toPrivateKey
Description copied from interface: AsymmetricJWK
Returns a Java private key representation of this JWK.
- Specified by:
toPrivateKey in interface AsymmetricJWK
- Returns:
- The Java private key, null if not specified.
- Throws:
JOSEException - If conversion failed or is not supported.
-
toKeyPair
Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK. Uses the default JCA provider.
- Specified by:
toKeyPair in interface AsymmetricJWK
- Returns:
- The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.
-
toKeyPair
Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
- Parameters:
provider - The JCA provider to use, null implies the default.
- Returns:
- The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.
- Throws:
JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.
-
toRevokedJWK
Description copied from class: JWK
Creates a copy of this JWK with the specified key revocation.
- Specified by:
toRevokedJWK in class JWK
- Parameters:
keyRevocation - The key revocation. Must not be null.
- Returns:
- The new JWK with the specified revocation.
-
matches
Description copied from interface: AsymmetricJWK
Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.
- Specified by:
matches in interface AsymmetricJWK
- Parameters:
cert - The X.509 certificate. Must not be null.
- Returns:
- true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate, else false.
-
getRequiredParams
Description copied from class: JWK
Returns the required JWK parameters. Intended as input for JWK thumbprint computation. See RFC 7638 for more information.
- Specified by:
getRequiredParams in class JWK
- Returns:
- The required JWK parameters, sorted alphanumerically by key name and ready for JSON serialisation.
-
isPrivate
Description copied from class: JWK
Returns true if this JWK contains private or sensitive (non-public) parameters.
-
size
Description copied from class: JWK
Returns the size of this JWK.
-
toPublicJWK
Returns a copy of this Elliptic Curve JWK with any private values removed.
- Specified by:
toPublicJWK in class JWK
- Returns:
- The copied public Elliptic Curve JWK.
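How getRequiredParams, isPrivate and toPublicJWK fit together when a key is about to be published, as an added example that is not part of the library's documentation or code. The class PublishEcJwk and method toPublishableJson are hypothetical names; computeThumbprint() and toJSONString() are inherited from JWK, and the key is the private EC JWK from this page's class description.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.ECKey;

/** Hypothetical helper, not part of Nimbus JOSE+JWT. */
public final class PublishEcJwk {

    /** Returns JSON that is safe to hand to relying parties. */
    static String toPublishableJson(ECKey key) throws JOSEException {
        ECKey pub = key.toPublicJWK();

        // Fail closed if any private parameter survived the copy
        if (pub.isPrivate() || pub.getD() != null) {
            throw new IllegalStateException("Private parameters present");
        }

        // The RFC 7638 thumbprint covers only the required parameters
        // (crv, kty, x, y for an EC key), so dropping 'd' must not change it
        if (!pub.computeThumbprint().equals(key.computeThumbprint())) {
            throw new IllegalStateException("Public key material changed");
        }
        return pub.toJSONString();
    }

    public static void main(String[] args) throws Exception {
        // Private EC JWK taken from the class description on this page
        ECKey key = ECKey.parse("{\"kty\":\"EC\",\"crv\":\"P-256\","
            + "\"x\":\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\","
            + "\"y\":\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\","
            + "\"d\":\"870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE\","
            + "\"use\":\"enc\",\"kid\":\"1\"}");

        System.out.println("isPrivate: " + key.isPrivate());
        System.out.println("thumbprint input: " + key.getRequiredParams().keySet());
        System.out.println("publish: " + toPublishableJson(key));
    }
}
```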
-
toJSONObject
Description copied from class: JWK
Returns a JSON object representation of this JWK. This method is intended to be called from extending classes.
Example:
{ "kty" : "RSA", "use" : "sig", "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b" }
- Overrides:
toJSONObject in class JWK
- Returns:
- The JSON object representation.
-
parse
Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.
- Parameters:
s - The JSON object string to parse. Must not be null.
- Returns:
- The public / private Elliptic Curve JWK.
- Throws:
ParseException - If the string couldn't be parsed to an Elliptic Curve JWK.
-
parse
Parses a public / private Elliptic Curve JWK from the specified JSON object representation.
- Parameters:
jsonObject - The JSON object to parse. Must not be null.
- Returns:
- The public / private Elliptic Curve JWK.
- Throws:
ParseException - If the JSON object couldn't be parsed to an Elliptic Curve JWK.
-
parse
Parses a public Elliptic Curve JWK from the specified X.509 certificate. Requires BouncyCastle.
Important: The X.509 certificate is not validated!
Sets the following JWK parameters:
- The curve is obtained from the subject public key info algorithm parameters.
- The JWK use inferred by KeyUse.from(java.security.cert.X509Certificate).
- The JWK ID from the X.509 serial number (in base 10).
- The JWK X.509 certificate chain (this certificate only).
- The JWK X.509 certificate SHA-256 thumbprint.
- Parameters:
cert - The X.509 certificate. Must not be null.
- Returns:
- The public Elliptic Curve JWK.
- Throws:
JOSEException - If parsing failed.
-
load
public static ECKey load(KeyStore keyStore, String alias, char[] pin) throws KeyStoreException, JOSEException
Loads a public / private Elliptic Curve JWK from the specified JCA key store. Requires BouncyCastle.
Important: The X.509 certificate is not validated!
- Parameters:
keyStore - The key store. Must not be null.
alias - The alias. Must not be null.
pin - The pin to unlock the private key if any, empty or null if not required.
- Returns:
- The public / private Elliptic Curve JWK, null if no key with the specified alias was found.
- Throws:
KeyStoreException - On a key store exception.
JOSEException - If EC key loading failed.
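Since parse(X509Certificate) and load do not validate the certificate, a caller handling certificates from an untrusted source can run PKIX path validation before converting the leaf to a JWK. This is an added example, not part of the library; the class ValidatedEcJwk, the method fromValidatedChain and its parameters are hypothetical, and the trust anchors are assumed to be supplied by the caller.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.ECKey;

/** Hypothetical helper, not part of Nimbus JOSE+JWT: PKIX-validate, then parse. */
public final class ValidatedEcJwk {

    private ValidatedEcJwk() {}

    /**
     * @param chain           leaf certificate first, then intermediates; the
     *                        trust anchor itself is not part of the path
     * @param anchors         CA certificates the caller trusts
     * @param checkRevocation whether PKIX revocation checking is enabled
     */
    public static ECKey fromValidatedChain(List<X509Certificate> chain,
                                           Set<TrustAnchor> anchors,
                                           boolean checkRevocation)
            throws GeneralSecurityException, JOSEException {

        if (chain == null || chain.isEmpty()) {
            throw new CertificateException("Empty certificate chain");
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);

        // Throws InvalidAlgorithmParameterException if the anchor set is empty
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(checkRevocation);

        // Checks signatures, validity period, basic constraints and name
        // chaining; throws CertPathValidatorException on any failure
        CertPathValidator.getInstance("PKIX").validate(path, params);

        // Only a leaf that chains to a trusted anchor reaches the parse step.
        // The resulting JWK's x5c holds this certificate only (see parse).
        return ECKey.parse(chain.get(0));
    }
}
```

For a key obtained through load, the same validation can be applied to the certificate stored under the alias before the loaded JWK is trusted.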
-
equals
-
hashCode
-