001/* 002 * nimbus-jose-jwt 003 * 004 * Copyright 2012-2016, Connect2id Ltd. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.jose.crypto; 019 020 021import com.nimbusds.jose.*; 022import com.nimbusds.jose.crypto.impl.*; 023import com.nimbusds.jose.util.Base64URL; 024import com.nimbusds.jose.util.StandardCharset; 025import net.jcip.annotations.ThreadSafe; 026 027import javax.crypto.SecretKey; 028import java.util.Set; 029 030 031/** 032 * Password-based decrypter of {@link com.nimbusds.jose.JWEObject JWE objects}. 033 * Expects a password. 034 * 035 * <p>See RFC 7518 036 * <a href="https://tools.ietf.org/html/rfc7518#section-4.8">section 4.8</a> 037 * for more information. 038 * 039 * <p>This class is thread-safe. 040 * 041 * <p>Supports the following key management algorithms: 042 * 043 * <ul> 044 * <li>{@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS256_A128KW} 045 * <li>{@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS384_A192KW} 046 * <li>{@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS512_A256KW} 047 * </ul> 048 * 049 * <p>Supports the following content encryption algorithms: 050 * 051 * <ul> 052 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256} 053 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384} 054 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512} 055 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128GCM} 056 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192GCM} 057 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256GCM} 058 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED} 059 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED} 060 * <li>{@link com.nimbusds.jose.EncryptionMethod#XC20P} 061 * </ul> 062 * 063 * @author Vladimir Dzhuvinov 064 * @author Egor Puzanov 065 * @version 2026-02-19 066 */ 067@ThreadSafe 068public class PasswordBasedDecrypter extends PasswordBasedCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware { 069 070 071 /** 072 * The maximum allowed iteration count (1 million). 073 */ 074 public static final int MAX_ALLOWED_ITERATION_COUNT = 1_000_000; 075 076 077 /** 078 * The critical header policy. 079 */ 080 private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral(); 081 082 083 /** 084 * Creates a new password-based decrypter. 085 * 086 * @param password The password bytes. Must not be empty or 087 * {@code null}. 088 */ 089 public PasswordBasedDecrypter(final byte[] password) { 090 091 this(password, null); 092 } 093 094 095 /** 096 * Creates a new password-based decrypter. 097 * 098 * @param password The password, as a UTF-8 encoded string. Must not be 099 * empty or {@code null}. 100 */ 101 public PasswordBasedDecrypter(final String password) { 102 103 this(password.getBytes(StandardCharset.UTF_8), null); 104 } 105 106 107 /** 108 * Creates a new password-based decrypter. 109 * 110 * @param password The password bytes. Must not be empty or 111 * {@code null}. 112 * @param defCritHeaders The names of the critical header parameters 113 * that are deferred to the application for 114 * processing, empty set or {@code null} if none. 115 */ 116 public PasswordBasedDecrypter(final byte[] password, 117 final Set<String> defCritHeaders) { 118 119 super(password); 120 critPolicy.setDeferredCriticalHeaderParams(defCritHeaders); 121 } 122 123 124 @Override 125 public Set<String> getProcessedCriticalHeaderParams() { 126 127 return critPolicy.getProcessedCriticalHeaderParams(); 128 } 129 130 131 @Override 132 public Set<String> getDeferredCriticalHeaderParams() { 133 134 return critPolicy.getDeferredCriticalHeaderParams(); 135 } 136 137 138 /** 139 * Decrypts the specified cipher text of a {@link JWEObject JWE Object}. 140 * 141 * @param header The JSON Web Encryption (JWE) header. Must 142 * specify a supported JWE algorithm and method. 143 * Must not be {@code null}. 144 * @param encryptedKey The encrypted key, {@code null} if not required 145 * by the JWE algorithm. 146 * @param iv The initialisation vector, {@code null} if not 147 * required by the JWE algorithm. 148 * @param cipherText The cipher text to decrypt. Must not be 149 * {@code null}. 150 * @param authTag The authentication tag, {@code null} if not 151 * required. 152 * 153 * @return The clear text. 154 * 155 * @throws JOSEException If the JWE algorithm or method is not 156 * supported, if a critical header parameter is 157 * not supported or marked for deferral to the 158 * application, or if decryption failed for some 159 * other reason. 160 */ 161 @Deprecated 162 public byte[] decrypt(final JWEHeader header, 163 final Base64URL encryptedKey, 164 final Base64URL iv, 165 final Base64URL cipherText, 166 final Base64URL authTag) 167 throws JOSEException { 168 169 return decrypt(header, encryptedKey, iv, cipherText, authTag, AAD.compute(header)); 170 } 171 172 173 @Override 174 public byte[] decrypt(final JWEHeader header, 175 final Base64URL encryptedKey, 176 final Base64URL iv, 177 final Base64URL cipherText, 178 final Base64URL authTag, 179 final byte[] aad) 180 throws JOSEException { 181 182 // Validate required JWE parts 183 if (encryptedKey == null) { 184 throw new JOSEException("Missing JWE encrypted key"); 185 } 186 187 if (iv == null) { 188 throw new JOSEException("Missing JWE initialization vector (IV)"); 189 } 190 191 if (authTag == null) { 192 throw new JOSEException("Missing JWE authentication tag"); 193 } 194 195 if (header.getPBES2Salt() == null) { 196 throw new JOSEException("Missing JWE p2s header parameter"); 197 } 198 199 final byte[] salt = header.getPBES2Salt().decode(); 200 201 if (header.getPBES2Count() < 1) { 202 throw new JOSEException("Missing JWE p2c header parameter"); 203 } 204 205 final int iterationCount = header.getPBES2Count(); 206 207 if (iterationCount > MAX_ALLOWED_ITERATION_COUNT) { 208 throw new JOSEException("The JWE p2c header exceeds the maximum allowed " + MAX_ALLOWED_ITERATION_COUNT + " count"); 209 } 210 211 critPolicy.ensureHeaderPasses(header); 212 213 final JWEAlgorithm alg = JWEHeaderValidation.getAlgorithmAndEnsureNotNull(header); 214 final byte[] formattedSalt = PBKDF2.formatSalt(alg, salt); 215 final PRFParams prfParams = PRFParams.resolve(alg, getJCAContext().getMACProvider()); 216 final SecretKey psKey = PBKDF2.deriveKey(getPassword(), formattedSalt, iterationCount, prfParams, getJCAContext().getProvider()); 217 218 final SecretKey cek = AESKW.unwrapCEK(psKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider()); 219 220 return ContentCryptoProvider.decrypt(header, aad, encryptedKey, iv, cipherText, authTag, cek, getJCAContext()); 221 } 222}