Package com.nimbusds.jose.crypto

Class ECDH1PUDecrypter

java.lang.Object
com.nimbusds.jose.crypto.impl.BaseJWEProvider
com.nimbusds.jose.crypto.impl.ECDH1PUCryptoProvider
com.nimbusds.jose.crypto.ECDH1PUDecrypter
All Implemented Interfaces:
CriticalHeaderParamsAware, JCAAware<JWEJCAContext>, JOSEProvider, JWEDecrypter, JWEProvider
@ThreadSafe public class ECDH1PUDecrypter extends ECDH1PUCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware
Elliptic Curve Diffie-Hellman decrypter of JWE objects for curves using an EC JWK. Expects a private EC key (with a P-256, P-384 or P-521 curve).

Public Key Authenticated Encryption for JOSE ECDH-1PU for more information.

For Curve25519/X25519, see ECDH1PUX25519Decrypter instead.

This class is thread-safe.

Supports the following key management algorithms:

Supports the following elliptic curves:

Supports the following content encryption algorithms for Direct key agreement mode:

Supports the following content encryption algorithms for Key wrapping mode:

Version:
2023-05-17
Author:
Alexander Martynov, Egor Puzanov

  • Field Details

  • Constructor Details

    • ECDH1PUDecrypter

      public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter.
      Parameters:
      privateKey - The private EC key. Must not be null.
      publicKey - The public EC key. Must not be null.
      Throws:
      JOSEException - If the elliptic curve is not supported.

    • ECDH1PUDecrypter

      public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter.
      Parameters:
      privateKey - The private EC key. Must not be null.
      publicKey - The public EC key. Must not be null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      Throws:
      JOSEException - If the elliptic curve is not supported.

    • ECDH1PUDecrypter

      public ECDH1PUDecrypter(ECPrivateKey privateKey, ECPublicKey publicKey, Set<String> defCritHeaders, Curve curve) throws JOSEException
      Creates a new Elliptic Curve Diffie-Hellman decrypter. This constructor can also accept a private EC key located in a PKCS#11 store that doesn't expose the private key parameters (such as a smart card or HSM).
      Parameters:
      privateKey - The private EC key. Must not be null.
      publicKey - The public EC key. Must not be null.
      defCritHeaders - The names of the critical header parameters that are deferred to the application for processing, empty set or null if none.
      curve - The key curve. Must not be null.
      Throws:
      JOSEException - If the elliptic curve is not supported.

  • Method Details

    • getPublicKey

      public ECPublicKey getPublicKey()
      Returns the public EC key.
      Returns:
      The public EC key.

    • getPrivateKey

      public PrivateKey getPrivateKey()
      Returns the private EC key.
      Returns:
      The private EC key. Casting to ECPrivateKey may not be possible if the key is located in a PKCS#11 store that doesn't expose the private key parameters.

    • supportedEllipticCurves

      public Set<Curve> supportedEllipticCurves()
      Description copied from class: ECDH1PUCryptoProvider
      Returns the names of the supported elliptic curves. These correspond to the crv JWK parameter.
      Specified by:
      supportedEllipticCurves in class ECDH1PUCryptoProvider
      Returns:
      The supported elliptic curves.

    • getProcessedCriticalHeaderParams

      public Set<String> getProcessedCriticalHeaderParams()
      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are understood and processed by the JWS verifier / JWE decrypter.
      Specified by:
      getProcessedCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are understood and processed, empty set if none.

    • getDeferredCriticalHeaderParams

      public Set<String> getDeferredCriticalHeaderParams()
      Description copied from interface: CriticalHeaderParamsAware
      Returns the names of the critical (crit) header parameters that are deferred to the application for processing and will be ignored by the JWS verifier / JWE decrypter.
      Specified by:
      getDeferredCriticalHeaderParams in interface CriticalHeaderParamsAware
      Returns:
      The names of the critical header parameters that are deferred to the application for processing, empty set if none.

    • decrypt

      @Deprecated public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag) throws JOSEException
      Deprecated.
      Decrypts the specified cipher text of a JWE Object.
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      encryptedKey - The encrypted key, null if not required by the JWE algorithm.
      iv - The initialisation vector, null if not required by the JWE algorithm.
      cipherText - The cipher text to decrypt. Must not be null.
      authTag - The authentication tag, null if not required.
      Returns:
      The clear text.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.

    • decrypt

      public byte[] decrypt(JWEHeader header, Base64URL encryptedKey, Base64URL iv, Base64URL cipherText, Base64URL authTag, byte[] aad) throws JOSEException
      Description copied from interface: JWEDecrypter
      Decrypts the specified cipher text of a JWE Object.
      Specified by:
      decrypt in interface JWEDecrypter
      Parameters:
      header - The JSON Web Encryption (JWE) header. Must specify a supported JWE algorithm and method. Must not be null.
      encryptedKey - The encrypted key, null if not required by the JWE algorithm.
      iv - The initialisation vector, null if not required by the JWE algorithm.
      cipherText - The cipher text to decrypt. Must not be null.
      authTag - The authentication tag, null if not required.
      aad - The additional authenticated data. Must not be null.
      Returns:
      The clear text.
      Throws:
      JOSEException - If the JWE algorithm or method is not supported, if a critical header parameter is not supported or marked for deferral to the application, or if decryption failed for some other reason.