EncryptedJWT jwt = new EncryptedJWT(new JWEHeader(alg, enc), claims.build());
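/**
 * Creates a new JWE header builder with the parameters from
 * the specified header.
 *
 * <p>Every parameter is copied as returned by the corresponding getter;
 * nothing is validated or filtered here.
 *
 * @param jweHeader The JWE header to use. Must not be {@code null}.
 */
public Builder(final JWEHeader jweHeader) {

    this(jweHeader.getAlgorithm(), jweHeader.getEncryptionMethod());

    // Common JOSE header parameters
    typ = jweHeader.getType();
    cty = jweHeader.getContentType();
    crit = jweHeader.getCriticalParams();

    // Was assigned twice in the original (here and again at the end);
    // a single assignment is sufficient.
    customParams = jweHeader.getCustomParams();

    // Key reference parameters.
    // NOTE(review): these are copied without validation. If the source
    // header was parsed from a received token, jku / jwk / x5u / x5c are
    // sender-controlled, so code consuming the built header should not
    // fetch or trust keys from them without its own checks.
    jku = jweHeader.getJWKURL();
    jwk = jweHeader.getJWK();
    x5u = jweHeader.getX509CertURL();
    x5t = jweHeader.getX509CertThumbprint();
    x5t256 = jweHeader.getX509CertSHA256Thumbprint();
    x5c = jweHeader.getX509CertChain();
    kid = jweHeader.getKeyID();

    // JWE specific parameters
    epk = jweHeader.getEphemeralPublicKey();
    zip = jweHeader.getCompressionAlgorithm();
    apu = jweHeader.getAgreementPartyUInfo();
    apv = jweHeader.getAgreementPartyVInfo();
    p2s = jweHeader.getPBES2Salt();
    p2c = jweHeader.getPBES2Count();
    iv = jweHeader.getIV();
    tag = jweHeader.getAuthTag();
}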
/**
 * Verifies that the given JWE encrypter can handle both the key
 * management algorithm ("alg") and the content encryption method ("enc")
 * declared in the header of this JWE object.
 *
 * @param encrypter The JWE encrypter to check.
 *
 * @throws JOSEException If the header's JWE algorithm or encryption
 *                       method is not among those the encrypter reports
 *                       as supported.
 */
private void ensureJWEEncrypterSupport(final JWEEncrypter encrypter)
    throws JOSEException {

    // Check "alg" first so an unsupported algorithm is reported before
    // an unsupported encryption method.
    final boolean algSupported =
        encrypter.supportedJWEAlgorithms().contains(getHeader().getAlgorithm());

    if (! algSupported) {
        final String message = "The \"" + getHeader().getAlgorithm() +
            "\" algorithm is not supported by the JWE encrypter: Supported algorithms: " +
            encrypter.supportedJWEAlgorithms();
        throw new JOSEException(message);
    }

    final boolean encSupported =
        encrypter.supportedEncryptionMethods().contains(getHeader().getEncryptionMethod());

    if (! encSupported) {
        final String message = "The \"" + getHeader().getEncryptionMethod() +
            "\" encryption method or key size is not supported by the JWE encrypter: Supported methods: " +
            encrypter.supportedEncryptionMethods();
        throw new JOSEException(message);
    }
}
String keyID = jweObject.getHeader().getKeyID(); Key key = keyProvider.getKeyForDecryption(keyID); if (key == null) {
if (! encs.contains(jweObject.getHeader().getEncryptionMethod())) return false; jku = ((JWSObject) joseObject).getHeader().getJWKURL(); } else if (joseObject instanceof JWEObject) { jku = ((JWEObject) joseObject).getHeader().getJWKURL(); } else { kid = ((JWSObject) joseObject).getHeader().getKeyID(); } else if (joseObject instanceof JWEObject) { kid = ((JWEObject) joseObject).getHeader().getKeyID(); } else {
/**
 * Builds a {@link JWKMatcher} from the given {@link JWEHeader}.
 *
 * <p>The matcher is configured as follows:
 *
 * <ul>
 *     <li>Key type: derived from the JWE algorithm (alg).
 *     <li>Key ID: the JWE header key ID (kid), as returned by the header.
 *     <li>Key use: encryption, or not specified.
 *     <li>Key algorithm: the JWE algorithm (alg), or not specified.
 * </ul>
 *
 * <p>No other JWE header parameter is consulted.
 *
 * @param jweHeader The header to use.
 *
 * @return A {@code JWKMatcher} based on the given header.
 */
public static JWKMatcher forJWEHeader(final JWEHeader jweHeader) {

    JWKMatcher.Builder matcherBuilder = new JWKMatcher.Builder();

    matcherBuilder = matcherBuilder.keyType(KeyType.forAlgorithm(jweHeader.getAlgorithm()));

    // NOTE(review): the kid comes straight from the header; it only
    // narrows which candidate keys are looked up.
    matcherBuilder = matcherBuilder.keyID(jweHeader.getKeyID());

    // The trailing null also admits keys that declare no use / no algorithm.
    matcherBuilder = matcherBuilder.keyUses(KeyUse.ENCRYPTION, null);
    matcherBuilder = matcherBuilder.algorithms(jweHeader.getAlgorithm(), null);

    return matcherBuilder.build();
}
/**
 * Copies selected values of a JWE header into a content meta info object.
 *
 * <p>The meta info's additional-info map is replaced by a fresh map, then
 * filled with all custom header parameters. A custom "exp" parameter is
 * applied as the expiry only when its value is a {@code Long}; the value
 * is handed to {@link Date#Date(long)} unchanged. The compression
 * algorithm name and the content type are copied when present.
 *
 * @param header  The JWE header to read from.
 * @param metaIno The meta info object to populate.
 */
public static final void header2MetaInfo(final JWEHeader header, final ContentMetaInfo metaIno) {

    metaIno.setAddInfos(new HashMap<>());

    final Map<String, Object> headerExtras = header.getCustomParams();
    if (headerExtras != null) {
        // NOTE(review): every custom parameter is copied verbatim. If this
        // runs on a header that has not yet been authenticated, the
        // resulting entries are sender-controlled — confirm against callers.
        metaIno.getAddInfos().putAll(headerExtras);

        // NOTE(review): a non-Long "exp" (e.g. Integer) is silently
        // ignored and leaves the expiry unset — confirm this is intended.
        final Object expiry = headerExtras.get("exp");
        if (expiry instanceof Long) {
            metaIno.setExp(new Date((Long) expiry));
        }
    }

    if (header.getCompressionAlgorithm() != null) {
        metaIno.setZip(header.getCompressionAlgorithm().getName());
    }

    if (header.getContentType() != null) {
        metaIno.setContentTrype(header.getContentType());
    }
}
throws JOSEException { final int sharedKeyLength = sharedKeyLength(header.getAlgorithm(), header.getEncryptionMethod()); AlgorithmMode algMode = resolveAlgorithmMode(header.getAlgorithm()); algID = header.getEncryptionMethod().getName(); } else if (algMode == AlgorithmMode.KW) { algID = header.getAlgorithm().getName(); } else { throw new JOSEException("Unsupported JWE ECDH algorithm mode: " + algMode); sharedKeyLength, ConcatKDF.encodeDataWithLength(algID.getBytes(Charset.forName("ASCII"))), ConcatKDF.encodeDataWithLength(header.getAgreementPartyUInfo()), ConcatKDF.encodeDataWithLength(header.getAgreementPartyVInfo()), ConcatKDF.encodeIntData(sharedKeyLength), ConcatKDF.encodeNoData());
JWEAlgorithm alg = header.getAlgorithm(); int keyLength = header.getEncryptionMethod().cekBitLength(); alg.equals(JWEAlgorithm.A256GCMKW)) { if (header.getIV() == null) { throw new JOSEException("Missing JWE \"iv\" header parameter"); byte[] keyIV = header.getIV().decode(); if (header.getAuthTag() == null) { throw new JOSEException("Missing JWE \"tag\" header parameter"); byte[] keyTag = header.getAuthTag().decode();
if (header.getPBES2Salt() == null) { throw new JOSEException("Missing JWE \"p2s\" header parameter"); final byte[] salt = header.getPBES2Salt().decode(); if (header.getPBES2Count() < 1) { throw new JOSEException("Missing JWE \"p2c\" header parameter"); final int iterationCount = header.getPBES2Count(); final JWEAlgorithm alg = header.getAlgorithm(); final byte[] formattedSalt = PBKDF2.formatSalt(alg, salt); final PRFParams prfParams = PRFParams.resolve(alg, getJCAContext().getMACProvider());
/**
 * Compresses the plain text when the JWE header requests it.
 *
 * <p>With no "zip" header parameter the input array is returned as-is.
 * {@code DEF} is the only algorithm handled; any other value is rejected.
 *
 * <p>NOTE(review): compressing before encryption makes the ciphertext
 * length depend on the plaintext content. Where sender-influenced data is
 * combined with secrets in one payload, callers should consider leaving
 * "zip" unset.
 *
 * @param jweHeader The JWE header. Must not be {@code null}.
 * @param bytes     The plain text bytes. Must not be {@code null}.
 *
 * @return The bytes to encrypt.
 *
 * @throws JOSEException If compression failed or the requested
 *                       compression algorithm is not supported.
 */
public static byte[] applyCompression(final JWEHeader jweHeader, final byte[] bytes)
    throws JOSEException {

    final CompressionAlgorithm requested = jweHeader.getCompressionAlgorithm();

    // No "zip" parameter: nothing to do
    if (requested == null) {
        return bytes;
    }

    // Reject anything other than DEFLATE up front
    if (! requested.equals(CompressionAlgorithm.DEF)) {
        throw new JOSEException("Unsupported compression algorithm: " + requested);
    }

    try {
        return DeflateUtils.compress(bytes);
    } catch (Exception e) {
        // Wrap with the cause preserved so callers see a single exception type
        throw new JOSEException("Couldn't compress plain text: " + e.getMessage(), e);
    }
}
JWEAlgorithm alg = header.getAlgorithm();
if ("JWT".equalsIgnoreCase(encryptedJWT.getHeader().getContentType())) {
jweHeader.getAlgorithm(), jweHeader.getEncryptionMethod(), jweHeader.getType(), jweHeader.getContentType(), jweHeader.getCriticalParams(), jweHeader.getJWKURL(), jweHeader.getJWK(), jweHeader.getX509CertURL(), jweHeader.getX509CertThumbprint(), jweHeader.getX509CertSHA256Thumbprint(), jweHeader.getX509CertChain(), jweHeader.getKeyID(), jweHeader.getEphemeralPublicKey(), jweHeader.getCompressionAlgorithm(), jweHeader.getAgreementPartyUInfo(), jweHeader.getAgreementPartyVInfo(), jweHeader.getPBES2Salt(), jweHeader.getPBES2Count(), jweHeader.getIV(), jweHeader.getAuthTag(), jweHeader.getCustomParams(), jweHeader.getParsedBase64URL() );
/**
 * Selects candidate keys for decrypting a JWE with the given header.
 *
 * <p>Keys are returned only when the header carries exactly the JWE
 * algorithm and encryption method this selector was configured with;
 * otherwise the result is empty. Of the keys obtained from the JWK
 * source, only private and secret keys are kept.
 *
 * @param jweHeader The header of the JWE to decrypt.
 * @param context   Context passed through to the JWK source.
 *
 * @return The matching private / secret keys, empty if none.
 *
 * @throws KeySourceException Declared for the JWK source lookup.
 */
@Override
public List<Key> selectJWEKeys(final JWEHeader jweHeader, final C context)
    throws KeySourceException {

    // The header does not get to choose the algorithms: anything other
    // than the configured alg / enc pair yields no keys at all.
    final boolean expectedAlgAndEnc =
        jweAlg.equals(jweHeader.getAlgorithm()) && jweEnc.equals(jweHeader.getEncryptionMethod());

    if (! expectedAlgAndEnc) {
        return Collections.emptyList();
    }

    final JWKMatcher matcher = createJWKMatcher(jweHeader);
    final List<JWK> candidates = getJWKSource().get(new JWKSelector(matcher), context);

    final List<Key> decryptionKeys = new LinkedList<>();

    for (final Key candidate : KeyConverter.toJavaKeys(candidates)) {

        // Public keys cannot decrypt; drop them
        if (! (candidate instanceof PrivateKey) && ! (candidate instanceof SecretKey)) {
            continue;
        }

        decryptionKeys.add(candidate);
    }

    return decryptionKeys;
}
}
throw new IllegalStateException("Can not parse jwe object", e); String keyID = jweObject.getHeader().getKeyID(); Key key = keyMapProvider.getKey(keyID);
throws JOSEException { CompressionAlgorithm compressionAlg = jweHeader.getCompressionAlgorithm();
/**
 * Decrypts the encrypted JWE parts using the specified shared secret ("Z").
 *
 * <p>A key is first derived from Z via the Concat KDF. In direct mode the
 * derived key is the content encryption key (CEK); in key wrap mode it
 * unwraps the CEK from the JWE encrypted key. The CEK is then handed to
 * the content crypto provider for decryption.
 *
 * @param header       The JWE header.
 * @param Z            The shared secret.
 * @param encryptedKey The JWE encrypted key; required in key wrap mode.
 * @param iv           The initialisation vector.
 * @param cipherText   The cipher text.
 * @param authTag      The authentication tag.
 *
 * @return The result of the content decryption.
 *
 * @throws JOSEException If the encrypted key is missing in key wrap mode
 *                       or the ECDH algorithm mode is not handled.
 */
protected byte[] decryptWithZ(final JWEHeader header,
                              final SecretKey Z,
                              final Base64URL encryptedKey,
                              final Base64URL iv,
                              final Base64URL cipherText,
                              final Base64URL authTag)
    throws JOSEException {

    final JWEAlgorithm jweAlg = header.getAlgorithm();
    final ECDH.AlgorithmMode algMode = ECDH.resolveAlgorithmMode(jweAlg);

    // The Concat KDF must use the configured MAC provider; set it before
    // the derivation below.
    getConcatKDF().getJCAContext().setProvider(getJCAContext().getMACProvider());

    final SecretKey derivedKey = ECDH.deriveSharedKey(header, Z, getConcatKDF());

    final boolean directMode = algMode.equals(ECDH.AlgorithmMode.DIRECT);

    // Only direct and key wrap modes are handled
    if (! directMode && ! algMode.equals(ECDH.AlgorithmMode.KW)) {
        throw new JOSEException("Unexpected JWE ECDH algorithm mode: " + algMode);
    }

    final SecretKey cek;

    if (directMode) {
        // Direct key agreement: the derived key is the CEK
        cek = derivedKey;
    } else {
        // Key wrap: the derived key unwraps the CEK
        if (encryptedKey == null) {
            throw new JOSEException("Missing JWE encrypted key");
        }
        cek = AESKW.unwrapCEK(derivedKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
    }

    return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, getJCAContext());
}
if ("JWT".equalsIgnoreCase(jweObject.getHeader().getContentType())) {
EncryptedJWT encrypted = new EncryptedJWT(new JWEHeader(client.getUserInfoEncryptedResponseAlg(), client.getUserInfoEncryptedResponseEnc()), claims);