com.nimbusds.jose.crypto

Class RSASSASigner

java.lang.Object

com.nimbusds.jose.crypto.impl.BaseJWSProvider

com.nimbusds.jose.crypto.impl.RSASSAProvider

com.nimbusds.jose.crypto.RSASSASigner

All Implemented Interfaces:

JCAAware<JCAContext>, JOSEProvider, JWSProvider, JWSSigner

@ThreadSafe
public class RSASSASigner
extends RSASSAProvider
implements JWSSigner

RSA Signature-Scheme-with-Appendix (RSASSA) signer of JWS objects. Expects a private RSA key.

See RFC 7518, sections 3.3 and 3.5 for more information.

This class is thread-safe.

Supports the following algorithms:

• JWSAlgorithm.RS256
• JWSAlgorithm.RS384
• JWSAlgorithm.RS512
• JWSAlgorithm.PS256
• JWSAlgorithm.PS384
• JWSAlgorithm.PS512

Version:

2018-10-11

Author:

Vladimir Dzhuvinov, Omer Levi Hevroni

Field Summary

Fields inherited from class com.nimbusds.jose.crypto.impl.RSASSAProvider

SUPPORTED_ALGORITHMS

Constructor Summary

Constructors

Constructor and Description
RSASSASigner(PrivateKey privateKey) Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
RSASSASigner(PrivateKey privateKey, boolean allowWeakKey) Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
RSASSASigner(RSAKey rsaJWK) Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
RSASSASigner(RSAKey rsaJWK, boolean allowWeakKey) Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.

Method Summary

Modifier and Type	Method and Description
PrivateKey	getPrivateKey() Gets the private RSA key.
Base64URL	sign(JWSHeader header, byte[] signingInput) Signs the specified input of a JWS object.

Methods inherited from class com.nimbusds.jose.crypto.impl.BaseJWSProvider

getJCAContext, supportedJWSAlgorithms

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.jose.JWSProvider

supportedJWSAlgorithms

Methods inherited from interface com.nimbusds.jose.jca.JCAAware

getJCAContext

Constructor Detail

RSASSASigner

public RSASSASigner(PrivateKey privateKey)

Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).

Parameters:

privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.

RSASSASigner

public RSASSASigner(PrivateKey privateKey,
                    boolean allowWeakKey)

Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer. This constructor can also accept a private RSA key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).

Parameters:

privateKey - The private RSA key. Its algorithm must be "RSA" and its length at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.

allowWeakKey - true to allow an RSA key shorter than 2048 bits.

RSASSASigner

public RSASSASigner(RSAKey rsaJWK)
             throws JOSEException

Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.

Parameters:

rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.

Throws:

JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.

RSASSASigner

public RSASSASigner(RSAKey rsaJWK,
                    boolean allowWeakKey)
             throws JOSEException

Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.

Parameters:

rsaJWK - The RSA JSON Web Key (JWK). Must contain or reference a private part. Its length must be at least 2048 bits. Note that the length of an RSA key in a PKCS#11 store cannot be checked. Must not be null.

allowWeakKey - true to allow an RSA key shorter than 2048 bits.

Throws:

JOSEException - If the RSA JWK doesn't contain a private part or its extraction failed.

Method Detail

getPrivateKey

public PrivateKey getPrivateKey()

Gets the private RSA key.

Returns:

The private RSA key. Casting to RSAPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.

sign

public Base64URL sign(JWSHeader header,
                      byte[] signingInput)
               throws JOSEException

Description copied from interface: JWSSigner

Signs the specified input of a JWS object.

Specified by:

sign in interface JWSSigner

Parameters:

header - The JSON Web Signature (JWS) header. Must specify a supported JWS algorithm and must not be null.

signingInput - The input to sign. Must not be null.

Returns:

The resulting signature part (third part) of the JWS object.

Throws:

JOSEException - If the JWS algorithm is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if signing failed for some other internal reason.