@Override public PrivateKey toPrivateKey() throws JOSEException { throw new JOSEException("Export to java.security.PrivateKey not supported"); }
@Override public PublicKey toPublicKey() throws JOSEException { throw new JOSEException("Export to java.security.PublicKey not supported"); }
@Override public KeyPair toKeyPair() throws JOSEException { throw new JOSEException("Export to java.security.KeyPair not supported"); }
/** * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA) * provider. * * @param alg The EC-DSA algorithm. Must be supported and not * {@code null}. * * @throws JOSEException If JWS algorithm is not supported. */ protected ECDSAProvider(final JWSAlgorithm alg) throws JOSEException { super(new HashSet<>(Collections.singletonList(alg))); if (! SUPPORTED_ALGORITHMS.contains(alg)) { throw new JOSEException("Unsupported EC DSA algorithm: " + alg); } }
private static KeyPair twoKeysToKeyPair(final List<? extends KeyPair> keys) throws JOSEException { final KeyPair key1 = keys.get(0); final KeyPair key2 = keys.get(1); if (key1.getPublic() != null && key2.getPrivate() != null) { return new KeyPair(key1.getPublic(), key2.getPrivate()); } else if (key1.getPrivate() != null && key2.getPublic() != null) { return new KeyPair(key2.getPublic(), key1.getPrivate()); } else { throw new JOSEException("Not a public/private key pair"); } } }
private static List<KeyPair> toKeyPairList(final String pem) throws JOSEException { final List<KeyPair> keys = PEMEncodedKeyParser.parseKeys(pem); if (keys.isEmpty()) { throw new JOSEException("No PEM-encoded keys found"); } return keys; }
private static KeyPair mergeKeyPairs(final List<KeyPair> keys) throws JOSEException { final KeyPair pair; if (keys.size() == 1) { // Assume public key, or private key easy to convert to public, // otherwise not representable as a JWK pair = keys.get(0); } else if (keys.size() == 2) { // If two keys, assume public + private keys separated pair = twoKeysToKeyPair(keys); } else { throw new JOSEException("Expected key or pair of PEM-encoded keys"); } return pair; }
/** * Throws a JOSE exception if the specified JWE header doesn't pass the * critical header parameters check. * * @param header The JWE header to check. Must not be {@code null}. * * @throws JOSEException If the JWE header doesn't pass the check. */ public void ensureHeaderPasses(final JWEHeader header) throws JOSEException { if (! headerPasses(header)) { throw new JOSEException("Unsupported critical header parameter(s)"); } } }
public static Mac getInitMac(final SecretKey secretKey, final Provider provider) throws JOSEException { Mac mac; try { if (provider != null) { mac = Mac.getInstance(secretKey.getAlgorithm(), provider); } else { mac = Mac.getInstance(secretKey.getAlgorithm()); } mac.init(secretKey); } catch (NoSuchAlgorithmException e) { throw new JOSEException("Unsupported HMAC algorithm: " + e.getMessage(), e); } catch (InvalidKeyException e) { throw new JOSEException("Invalid HMAC key: " + e.getMessage(), e); } return mac; }
@Override public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException { // Check alg field in header final JWSAlgorithm alg = header.getAlgorithm(); if (! JWSAlgorithm.EdDSA.equals(alg)) { throw new JOSEException("Ed25519Signer requires alg=EdDSA in JWSHeader"); } final byte[] jwsSignature; try { jwsSignature = tinkSigner.sign(signingInput); } catch (GeneralSecurityException e) { throw new JOSEException(e.getMessage(), e); } return Base64URL.encode(jwsSignature); } }
/** * Enumeration of the Elliptic Curve Diffie-Hellman Ephemeral Static * algorithm modes. */ public enum AlgorithmMode { /** * Direct key agreement mode. */ DIRECT, /** * Key wrapping mode. */ KW }
@Override public JWTClaimsSet process(final JWT jwt, final C context) throws BadJOSEException, JOSEException { if (jwt instanceof SignedJWT) { return process((SignedJWT)jwt, context); } if (jwt instanceof EncryptedJWT) { return process((EncryptedJWT)jwt, context); } if (jwt instanceof PlainJWT) { return process((PlainJWT)jwt, context); } // Should never happen throw new JOSEException("Unexpected JWT object type: " + jwt.getClass()); }
/** * Returns the private RSA key of the specified RSA JWK. Supports * PKCS#11 keys stores. * * @param rsaJWK The RSA JWK. Must not be {@code null}. * * @return The private RSA key. * * @throws JOSEException If the RSA JWK doesn't contain a private part. */ public static PrivateKey toRSAPrivateKey(final RSAKey rsaJWK) throws JOSEException { if (! rsaJWK.isPrivate()) { throw new JOSEException("The RSA JWK doesn't contain a private part"); } return rsaJWK.toPrivateKey(); }
@Override public Payload process(final JOSEObject joseObject, final C context) throws BadJOSEException, JOSEException { if (joseObject instanceof JWSObject) { return process((JWSObject)joseObject, context); } if (joseObject instanceof JWEObject) { return process((JWEObject)joseObject, context); } if (joseObject instanceof PlainObject) { return process((PlainObject)joseObject, context); } // Should never happen throw new JOSEException("Unexpected JOSE object type: " + joseObject.getClass()); }
@Override public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException { Signature signer = RSASSA.getSignerAndVerifier(header.getAlgorithm(), getJCAContext().getProvider()); try { signer.initSign(privateKey); signer.update(signingInput); return Base64URL.encode(signer.sign()); } catch (InvalidKeyException e) { throw new JOSEException("Invalid private RSA key: " + e.getMessage(), e); } catch (SignatureException e) { throw new JOSEException("RSA signature exception: " + e.getMessage(), e); } } }
private static void validateEcCurves(ECPublicKey publicKey, ECPrivateKey privateKey) throws JOSEException { final ECParameterSpec pubParams = publicKey.getParams(); final ECParameterSpec privParams = privateKey.getParams(); if (!pubParams.getCurve().equals(privParams.getCurve())) { throw new JOSEException("Public/private EC key curve mismatch: " + publicKey); } if (pubParams.getCofactor() != privParams.getCofactor()) { throw new JOSEException("Public/private EC key cofactor mismatch: " + publicKey); } if (!pubParams.getGenerator().equals(privParams.getGenerator())) { throw new JOSEException("Public/private EC key generator mismatch: " + publicKey); } if (!pubParams.getOrder().equals(privParams.getOrder())) { throw new JOSEException("Public/private EC key order mismatch: " + publicKey); } }
/** * Creates a new Elliptic Curve Diffie-Hellman decrypter. * * @param ecJWK The EC JSON Web Key (JWK). Must contain a private * part. Must not be {@code null}. * * @throws JOSEException If the elliptic curve is not supported. */ public ECDHDecrypter(final ECKey ecJWK) throws JOSEException { super(ecJWK.getCurve()); if (! ecJWK.isPrivate()) { throw new JOSEException("The EC JWK doesn't contain a private part"); } this.privateKey = ecJWK.toECPrivateKey(); }
/** * Ensures the specified JWS signer supports the algorithm of this JWS * object. * * @throws JOSEException If the JWS algorithm is not supported. */ private void ensureJWSSignerSupport(final JWSSigner signer) throws JOSEException { if (! signer.supportedJWSAlgorithms().contains(getHeader().getAlgorithm())) { throw new JOSEException("The \"" + getHeader().getAlgorithm() + "\" algorithm is not allowed or supported by the JWS signer: Supported algorithms: " + signer.supportedJWSAlgorithms()); } }
/** * Ensures the specified JWE encrypter supports the algorithms of this * JWE object. * * @throws JOSEException If the JWE algorithms are not supported. */ private void ensureJWEEncrypterSupport(final JWEEncrypter encrypter) throws JOSEException { if (! encrypter.supportedJWEAlgorithms().contains(getHeader().getAlgorithm())) { throw new JOSEException("The \"" + getHeader().getAlgorithm() + "\" algorithm is not supported by the JWE encrypter: Supported algorithms: " + encrypter.supportedJWEAlgorithms()); } if (! encrypter.supportedEncryptionMethods().contains(getHeader().getEncryptionMethod())) { throw new JOSEException("The \"" + getHeader().getEncryptionMethod() + "\" encryption method or key size is not supported by the JWE encrypter: Supported methods: " + encrypter.supportedEncryptionMethods()); } }
@Override public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText) throws JOSEException { JWEAlgorithm alg = header.getAlgorithm(); if (! alg.equals(JWEAlgorithm.DIR)) { throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS)); } // Check key length matches encryption method EncryptionMethod enc = header.getEncryptionMethod(); if (enc.cekBitLength() != ByteUtils.safeBitLength(getKey().getEncoded())) { throw new KeyLengthException(enc.cekBitLength(), enc); } final Base64URL encryptedKey = null; // The second JWE part return ContentCryptoProvider.encrypt(header, clearText, getKey(), encryptedKey, getJCAContext()); } }