Package com.nimbusds.jose.crypto

Class ECDH1PUDecrypter

java.lang.Object

com.nimbusds.jose.crypto.impl.BaseJWEProvider

com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider

com.nimbusds.jose.crypto.ECDH1PUDecrypter

All Implemented Interfaces:

CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider

@ThreadSafe
public class ECDH1PUDecrypter
extends ECDH1PUCryptoProvider
implements JWEDecrypter, CriticalHeaderParamsAware

Elliptic Curve Diffie-Hellman decrypter of JWE objects for curves using an EC JWK. Expects a private EC key (with a P-256, P-384 or P-521 curve).

Public Key Authenticated Encryption for JOSE ECDH-1PU for more information.

For Curve25519/X25519, see ECDH1PUX25519Decrypter instead.

This class is thread-safe.

Supports the following key management algorithms:

• JWEAlgorithm.ECDH_1PU
• JWEAlgorithm.ECDH_1PU_A128KW
• JWEAlgorithm.ECDH_1PU_A192KW
• JWEAlgorithm.ECDH_1PU_A256KW

Supports the following elliptic curves:

• Curve.P_256
• Curve.P_384
• Curve.P_521

Supports the following content encryption algorithms for Direct key agreement mode:

• EncryptionMethod.A128CBC_HS256
• EncryptionMethod.A192CBC_HS384
• EncryptionMethod.A256CBC_HS512
• EncryptionMethod.A128GCM
• EncryptionMethod.A192GCM
• EncryptionMethod.A256GCM
• EncryptionMethod.A128CBC_HS256_DEPRECATED
• EncryptionMethod.A256CBC_HS512_DEPRECATED
• EncryptionMethod.XC20P

Supports the following content encryption algorithms for Key wrapping mode:

• EncryptionMethod.A128CBC_HS256
• EncryptionMethod.A192CBC_HS384
• EncryptionMethod.A256CBC_HS512

Version:

2023-05-17

Author:

Alexander Martynov, Egor Puzanov

Field Summary

Fields

Modifier and Type	Field	Description
static Set<Curve>	SUPPORTED_ELLIPTIC_CURVES	The supported EC JWK curves by the ECDH crypto provider class.

Fields inherited from class com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider

SUPPORTED_ALGORITHMS, SUPPORTED_ENCRYPTION_METHODS

Constructor Summary

Constructors

Constructor	Description
ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey)	Creates a new Elliptic Curve Diffie-Hellman decrypter.
ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders)	Creates a new Elliptic Curve Diffie-Hellman decrypter.
ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders, Curve curve)	Creates a new Elliptic Curve Diffie-Hellman decrypter.

Method Summary

Modifier and Type	Method	Description
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag)	Deprecated.
byte[]	decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad)	Decrypts the specified cipher text of a JWE Object.
Set<String>	getDeferredCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
PrivateKey	getPrivateKey()	Returns the private EC key.
Set<String>	getProcessedCriticalHeaderParams()	Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
ECPublicKey	getPublicKey()	Returns the public EC key.
Set<Curve>	supportedEllipticCurves()	Returns the names of the supported elliptic curves.

Methods inherited from class com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider

decryptWithZ, encryptWithZ, getConcatKDF, getCurve

Methods inherited from class com.nimbusds.jose.crypto.impl.BaseJWEProvider

getCEK, getJCAContext, isCEKProvided, supportedEncryptionMethods, supportedJWEAlgorithms

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.nimbusds.jose.jca.JCAAware

getJCAContext

Methods inherited from interface com.nimbusds.jose.JWEProvider

supportedEncryptionMethods, supportedJWEAlgorithms

Field Detail

SUPPORTED_ELLIPTIC_CURVES

public static final Set<Curve> SUPPORTED_ELLIPTIC_CURVES

The supported EC JWK curves by the ECDH crypto provider class.

Constructor Detail

ECDH1PUDecrypter

public ECDH1PUDecrypter(ECPrivateKey privateKey,
                        ECPublicKey publicKey)
                 throws JOSEException

Creates a new Elliptic Curve Diffie-Hellman decrypter.

Parameters:

privateKey - The private EC key. Must not be null.

publicKey - The public EC key. Must not be null.

Throws:

JOSEException - If the elliptic curve is not supported.

ECDH1PUDecrypter

public ECDH1PUDecrypter(ECPrivateKey privateKey,
                        ECPublicKey publicKey,
                        Set<String> defCritHeaders)
                 throws JOSEException

Creates a new Elliptic Curve Diffie-Hellman decrypter.

Parameters:

privateKey - The private EC key. Must not be null.

publicKey - The public EC key. Must not be null.

defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.

Throws:

JOSEException - If the elliptic curve is not supported.

ECDH1PUDecrypter

public ECDH1PUDecrypter(ECPrivateKey privateKey,
                        ECPublicKey publicKey,
                        Set<String> defCritHeaders,
                        Curve curve)
                 throws JOSEException

Creates a new Elliptic Curve Diffie-Hellman decrypter. This constructor can also accept a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).

Parameters:

privateKey - The private EC key. Must not be null.

publicKey - The public EC key. Must not be null.

defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.

curve - The key curve. Must not be null.

Throws:

JOSEException - If the elliptic curve is not supported.

Method Detail

getPublicKey

public ECPublicKey getPublicKey()

Returns the public EC key.

Returns:

The public EC key.

getPrivateKey

public PrivateKey getPrivateKey()

Returns the private EC key.

Returns:

The private EC key. Casting to ECPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.

supportedEllipticCurves

public Set<Curve> supportedEllipticCurves()

Description copied from class: ECDH1PUCryptoProvider

Returns the names of the supported elliptic curves. These correspond to the crv JWK parameter.

Specified by:

supportedEllipticCurves in class ECDH1PUCryptoProvider

Returns:

The supported elliptic curves.

getProcessedCriticalHeaderParams

public Set<String> getProcessedCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.

Specified by:

getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are understood and processed, empty set if none.

getDeferredCriticalHeaderParams

public Set<String> getDeferredCriticalHeaderParams()

Description copied from interface: CriticalHeaderParamsAware

Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.

Specified by:

getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware

Returns:

The names of the critical header parameters that are deferred to the application for processing, empty set if none.

decrypt

@Deprecated
public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag)
               throws JOSEException

Deprecated.

Decrypts the specified cipher text of a JWE Object.

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

decrypt

public byte[] decrypt(JWEHeader header,
                      Base64URL encryptedKey,
                      Base64URL iv,
                      Base64URL cipherText,
                      Base64URL authTag,
                      byte[] aad)
               throws JOSEException

Description copied from interface: JWEDecrypter

Decrypts the specified cipher text of a JWE Object.

Specified by:

decrypt in interface JWEDecrypter

Parameters:

header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.

encryptedKey - The encrypted key, null if not required by the JWE algorithm.

iv - The initialisation vector, null if not required by the JWE algorithm.

cipherText - The cipher text to decrypt. Must not be null.

authTag - The authentication tag, null if not required.

aad - The additional authenticated data. Must not be null.

Returns:

The clear text.

Throws:

JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.