com.nimbusds.jose.jwk

Class ECKey

java.lang.Object

com.nimbusds.jose.jwk.JWK

com.nimbusds.jose.jwk.ECKey

All Implemented Interfaces:

AsymmetricJWK, CurveBasedJWK, Serializable

@Immutable
public final class ECKey
extends JWK
implements AsymmetricJWK, CurveBasedJWK

Public and private Elliptic Curve JSON Web Key (JWK). This class is immutable.

Supported curves:

• P-256
• secp256k1
• P-384
• P-512

Provides EC JWK import from / export to the following standard Java interfaces and classes:

• ECPublicKey
• ECPrivateKey
• PrivateKey for an EC key in a PKCS#11 store
• KeyPair

Example JSON object representation of a public EC JWK:

 {
   "kty" : "EC",
   "crv" : "P-256",
   "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "use" : "enc",
   "kid" : "1"
 }
 

Example JSON object representation of a private EC JWK:

 {
   "kty" : "EC",
   "crv" : "P-256",
   "x"   : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
   "y"   : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
   "d"   : "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
   "use" : "enc",
   "kid" : "1"
 }
 

Use the builder to create a new EC JWK:

 ECKey key = new ECKey.Builder(Curve.P_256, x, y)
        .keyUse(KeyUse.SIGNATURE)
        .keyID("1")
        .build();
 

See http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

Version:

2020-06-03

Author:

Vladimir Dzhuvinov, Justin Richer

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ECKey.Builder Builder for constructing Elliptic Curve JWKs.

Field Summary

Fields

Modifier and Type	Field and Description
static Set<Curve>	SUPPORTED_CURVES Supported EC curves.

Fields inherited from class com.nimbusds.jose.jwk.JWK

MIME_TYPE

Constructor Summary

Constructors

Constructor and Description
ECKey(Curve crv, Base64URL x, Base64URL y, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, Base64URL x, Base64URL y, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, ECPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.
ECKey(Curve crv, ECPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks) Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Method Summary

Modifier and Type	Method and Description
static Base64URL	encodeCoordinate(int fieldSize, BigInteger coordinate) Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.
boolean	equals(Object o)
Curve	getCurve() Returns the cryptographic curve.
Base64URL	getD() Gets the private 'd' coordinate for the elliptic curve point.
LinkedHashMap<String,?>	getRequiredParams() Returns the required JWK parameters.
Base64URL	getX() Gets the public 'x' coordinate for the elliptic curve point.
Base64URL	getY() Gets the public 'y' coordinate for the elliptic curve point.
int	hashCode()
boolean	isPrivate() Returns true if this JWK contains private or sensitive (non-public) parameters.
static ECKey	load(KeyStore keyStore, String alias, char[] pin) Loads a public / private Elliptic Curve JWK from the specified JCA key store.
boolean	matches(X509Certificate cert) Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.
static ECKey	parse(Map<String,Object> jsonObject) Parses a public / private Elliptic Curve JWK from the specified JSON object representation.
static ECKey	parse(String s) Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.
static ECKey	parse(X509Certificate cert) Parses a public Elliptic Curve JWK from the specified X.509 certificate.
int	size() Returns the size of this JWK.
ECPrivateKey	toECPrivateKey() Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
ECPrivateKey	toECPrivateKey(Provider provider) Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.
ECPublicKey	toECPublicKey() Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
ECPublicKey	toECPublicKey(Provider provider) Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.
Map<String,Object>	toJSONObject() Returns a JSON object representation of this JWK.
KeyPair	toKeyPair() Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
KeyPair	toKeyPair(Provider provider) Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.
PrivateKey	toPrivateKey() Returns a Java private key representation of this JWK.
ECKey	toPublicJWK() Returns a copy of this Elliptic Curve JWK with any private values removed.
PublicKey	toPublicKey() Returns a Java public key representation of the JWK.

Methods inherited from class com.nimbusds.jose.jwk.JWK

computeThumbprint, computeThumbprint, getAlgorithm, getKeyID, getKeyOperations, getKeyStore, getKeyType, getKeyUse, getParsedX509CertChain, getX509CertChain, getX509CertSHA256Thumbprint, getX509CertThumbprint, getX509CertURL, parseFromPEMEncodedObjects, parseFromPEMEncodedX509Cert, toECKey, toJSONString, toOctetKeyPair, toOctetSequenceKey, toRSAKey, toString

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

SUPPORTED_CURVES

public static final Set<Curve> SUPPORTED_CURVES

Supported EC curves.

Constructor Detail

ECKey

public ECKey(Curve crv,
             Base64URL x,
             Base64URL y,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:

crv - The cryptographic curve. Must not be null.

x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

ECKey

public ECKey(Curve crv,
             Base64URL x,
             Base64URL y,
             Base64URL d,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:

crv - The cryptographic curve. Must not be null.

x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

d - The private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

ECKey

public ECKey(Curve crv,
             Base64URL x,
             Base64URL y,
             PrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.

Parameters:

crv - The cryptographic curve. Must not be null.

x - The public 'x' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

y - The public 'y' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation. Must not be null.

priv - The private key as a PKCS#11 handle, null if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ECKey

public ECKey(Curve crv,
             ECPublicKey pub,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:

crv - The cryptographic curve. Must not be null.

pub - The public EC key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

ECKey

public ECKey(Curve crv,
             ECPublicKey pub,
             ECPrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters.

Parameters:

crv - The cryptographic curve. Must not be null.

pub - The public EC key to represent. Must not be null.

priv - The private EC key to represent. Must not be null.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

ECKey

public ECKey(Curve crv,
             ECPublicKey pub,
             PrivateKey priv,
             KeyUse use,
             Set<KeyOperation> ops,
             Algorithm alg,
             String kid,
             URI x5u,
             Base64URL x5t,
             Base64URL x5t256,
             List<Base64> x5c,
             KeyStore ks)

Creates a new public / private Elliptic Curve JSON Web Key (JWK) with the specified parameters. The private key is specified by its PKCS#11 handle.

Parameters:

crv - The cryptographic curve. Must not be null.

pub - The public EC key to represent. Must not be null.

priv - The private key as a PKCS#11 handle, null if not specified.

use - The key use, null if not specified or if the key is intended for signing as well as encryption.

ops - The key operations, null if not specified.

alg - The intended JOSE algorithm for the key, null if not specified.

kid - The key ID, null if not specified.

x5u - The X.509 certificate URL, null if not specified.

x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.

x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.

x5c - The X.509 certificate chain, null if not specified.

ks - Reference to the underlying key store, null if not specified.

Method Detail

encodeCoordinate

public static Base64URL encodeCoordinate(int fieldSize,
                                         BigInteger coordinate)

Returns the Base64URL encoding of the specified elliptic curve 'x', 'y' or 'd' coordinate, with leading zero padding up to the specified field size in bits.

Parameters:

fieldSize - The field size in bits.

coordinate - The elliptic curve coordinate. Must not be null.

Returns:

The Base64URL-encoded coordinate, with leading zero padding up to the curve's field size.

getCurve

public Curve getCurve()

Description copied from interface: CurveBasedJWK

Returns the cryptographic curve.

Specified by:

getCurve in interface CurveBasedJWK

Returns:

The cryptographic curve.

getX

public Base64URL getX()

Gets the public 'x' coordinate for the elliptic curve point.

Returns:

The 'x' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.

getY

public Base64URL getY()

Gets the public 'y' coordinate for the elliptic curve point.

Returns:

The 'y' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation.

getD

public Base64URL getD()

Gets the private 'd' coordinate for the elliptic curve point. It is represented as the Base64URL encoding of the coordinate's big endian representation.

Returns:

The 'd' coordinate. It is represented as the Base64URL encoding of the coordinate's big endian representation. null if not specified (for a public key).

toECPublicKey

public ECPublicKey toECPublicKey()
                          throws JOSEException

Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK. Uses the default JCA provider.

Returns:

The public Elliptic Curve key.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

toECPublicKey

public ECPublicKey toECPublicKey(Provider provider)
                          throws JOSEException

Returns a standard java.security.interfaces.ECPublicKey representation of this Elliptic Curve JWK.

Parameters:

provider - The specific JCA provider to use, null implies the default one.

Returns:

The public Elliptic Curve key.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public EC key.

toECPrivateKey

public ECPrivateKey toECPrivateKey()
                            throws JOSEException

Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK. Uses the default JCA provider.

Returns:

The private Elliptic Curve key, null if not specified by this JWK.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

toECPrivateKey

public ECPrivateKey toECPrivateKey(Provider provider)
                            throws JOSEException

Returns a standard java.security.interfaces.ECPrivateKey representation of this Elliptic Curve JWK.

Parameters:

provider - The specific JCA provider to use, null implies the default one.

Returns:

The private Elliptic Curve key, null if not specified by this JWK.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private EC key.

toPublicKey

public PublicKey toPublicKey()
                      throws JOSEException

Description copied from interface: AsymmetricJWK

Returns a Java public key representation of the JWK.

Specified by:

toPublicKey in interface AsymmetricJWK

Returns:

The Java public key.

Throws:

JOSEException - If conversion failed or is not supported.

toPrivateKey

public PrivateKey toPrivateKey()
                        throws JOSEException

Description copied from interface: AsymmetricJWK

Returns a Java private key representation of this JWK.

Specified by:

toPrivateKey in interface AsymmetricJWK

Returns:

The Java private key, null if not specified.

Throws:

JOSEException - If conversion failed or is not supported.

toKeyPair

public KeyPair toKeyPair()
                  throws JOSEException

Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK. Uses the default JCA provider.

Specified by:

toKeyPair in interface AsymmetricJWK

Returns:

The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

toKeyPair

public KeyPair toKeyPair(Provider provider)
                  throws JOSEException

Returns a standard java.security.KeyPair representation of this Elliptic Curve JWK.

Parameters:

provider - The specific JCA provider to use, null implies the default one.

Returns:

The Elliptic Curve key pair. The private Elliptic Curve key will be null if not specified.

Throws:

JOSEException - If EC is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private EC key.

matches

public boolean matches(X509Certificate cert)

Description copied from interface: AsymmetricJWK

Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.

Specified by:

matches in interface AsymmetricJWK

Parameters:

cert - The X.509 certificate. Must not be null.

Returns:

true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate, else false.

getRequiredParams

public LinkedHashMap<String,?> getRequiredParams()

Description copied from class: JWK

Returns the required JWK parameters. Intended as input for JWK thumbprint computation. See RFC 7638 for more information.

Specified by:

getRequiredParams in class JWK

Returns:

The required JWK parameters, sorted alphanumerically by key name and ready for JSON serialisation.

isPrivate

public boolean isPrivate()

Description copied from class: JWK

Returns true if this JWK contains private or sensitive (non-public) parameters.

Specified by:

isPrivate in class JWK

Returns:

true if this JWK contains private parameters, else false.

size

public int size()

Description copied from class: JWK

Returns the size of this JWK.

Specified by:

size in class JWK

Returns:

The JWK size, in bits.

toPublicJWK

public ECKey toPublicJWK()

Returns a copy of this Elliptic Curve JWK with any private values removed.

Specified by:

toPublicJWK in class JWK

Returns:

The copied public Elliptic Curve JWK.

toJSONObject

public Map<String,Object> toJSONObject()

Description copied from class: JWK

Returns a JSON object representation of this JWK. This method is intended to be called from extending classes.

Example:

 {
   "kty" : "RSA",
   "use" : "sig",
   "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b"
 }
 

Overrides:

toJSONObject in class JWK

Returns:

The JSON object representation.

parse

public static ECKey parse(String s)
                   throws ParseException

Parses a public / private Elliptic Curve JWK from the specified JSON object string representation.

Parameters:

s - The JSON object string to parse. Must not be null.

Returns:

The public / private Elliptic Curve JWK.

Throws:

ParseException - If the string couldn't be parsed to an Elliptic Curve JWK.

parse

public static ECKey parse(Map<String,Object> jsonObject)
                   throws ParseException

Parses a public / private Elliptic Curve JWK from the specified JSON object representation.

Parameters:

jsonObject - The JSON object to parse. Must not be null.

Returns:

The public / private Elliptic Curve JWK.

Throws:

ParseException - If the JSON object couldn't be parsed to an Elliptic Curve JWK.

parse

public static ECKey parse(X509Certificate cert)
                   throws JOSEException

Parses a public Elliptic Curve JWK from the specified X.509 certificate. Requires BouncyCastle.

Important: The X.509 certificate is not validated!

Sets the following JWK parameters:

• The curve is obtained from the subject public key info algorithm parameters.
• The JWK use inferred by KeyUse.from(java.security.cert.X509Certificate).
• The JWK ID from the X.509 serial number (in base 10).
• The JWK X.509 certificate chain (this certificate only).
• The JWK X.509 certificate SHA-256 thumbprint.

Parameters:

cert - The X.509 certificate. Must not be null.

Returns:

The public Elliptic Curve JWK.

Throws:

JOSEException - If parsing failed.

load

public static ECKey load(KeyStore keyStore,
                         String alias,
                         char[] pin)
                  throws KeyStoreException,
                         JOSEException

Loads a public / private Elliptic Curve JWK from the specified JCA key store. Requires BouncyCastle.

Important: The X.509 certificate is not validated!

Parameters:

keyStore - The key store. Must not be null.

alias - The alias. Must not be null.

pin - The pin to unlock the private key if any, empty or null if not required.

Returns:

The public / private Elliptic Curve JWK., null if no key with the specified alias was found.

Throws:

KeyStoreException - On a key store exception.

JOSEException - If EC key loading failed.

equals

public boolean equals(Object o)

Overrides:

equals in class JWK

hashCode

public int hashCode()

Overrides:

hashCode in class JWK