Package org.forgerock.json.jose.jwe

Class SignedThenEncryptedJwt

java.lang.Object

org.forgerock.json.jose.jwe.EncryptedJwt

org.forgerock.json.jose.jwe.SignedThenEncryptedJwt

All Implemented Interfaces:

Jwt, Payload

public class SignedThenEncryptedJwt
extends EncryptedJwt

A nested signed-then-encrypted JWT.

Constructor Summary

Constructors

Constructor	Description
SignedThenEncryptedJwt(EncryptedJwt encryptedJwt)	Constructs a fresh signed-then-encrypted JWT from an encrypted JWT.
SignedThenEncryptedJwt(JweHeader header, String encodedHeader, byte[] encryptedContentEncryptionKey, byte[] initialisationVector, byte[] ciphertext, byte[] authenticationTag)	Reconstructs a signed-then-encrypted JWT from components parts of the encrypted JWT string.
SignedThenEncryptedJwt(JweHeader header, SignedJwt payload, Key publicKey)	Constructs a fresh signed-then-encrypted JWT with the given signed JWT payload, JWE headers and encryption key.

Method Summary

Modifier and Type	Method	Description
SignedThenEncryptedJwt	copy()	Create a copy of the current JWT.
Promise<SignedThenEncryptedJwt,JweDecryptionCheckedException>	decrypt(SecretsProvider secretsProvider, Purpose<? extends CryptoKey> purpose)	Attempts to decrypt the JWT using any available keys for the given Purpose from the given SecretsProvider.
boolean	decryptAndVerify(Key decryptionKey, SigningHandler signingHandler)	Deprecated. Prefer decryptAndVerify(SecretsProvider, Purpose, Purpose) instead.
Promise<SignedThenEncryptedJwt,JweDecryptionCheckedException>	decryptAndVerify(SecretsProvider secretsProvider, Purpose<? extends CryptoKey> decryptionPurpose, Purpose<VerificationKey> verificationPurpose)	Decrypts the outer JWT and then verifies the signature on the inner JWT using secrets from the supplied SecretsProvider.
JwtClaimsSet	getClaimsSet()	Gets the claims set object for the Jwt, which contains all of the claims (name value pairs) conveyed by the JWT.
SignedJwt	getSignedJwt()	Get the signed JWT.
boolean	verify(SigningHandler signingHandler)	Verifies that the signature is valid on the nested signed JWT.

Methods inherited from class org.forgerock.json.jose.jwe.EncryptedJwt

build, decrypt, decryptRawPayload, decryptRawPayload, getHeader

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignedThenEncryptedJwt

public SignedThenEncryptedJwt(EncryptedJwt encryptedJwt)

Constructs a fresh signed-then-encrypted JWT from an encrypted JWT. To use if you know that the encrypted JWT is actually containing a JWS.

Parameters:

encryptedJwt - the encrypted JWT.

SignedThenEncryptedJwt

public SignedThenEncryptedJwt(JweHeader header,
                              SignedJwt payload,
                              Key publicKey)

Constructs a fresh signed-then-encrypted JWT with the given signed JWT payload, JWE headers and encryption key.

Parameters:

header - the JWE headers.

payload - the signed JWT payload.

publicKey - the encryption key.

SignedThenEncryptedJwt

public SignedThenEncryptedJwt(JweHeader header,
                              String encodedHeader,
                              byte[] encryptedContentEncryptionKey,
                              byte[] initialisationVector,
                              byte[] ciphertext,
                              byte[] authenticationTag)

Reconstructs a signed-then-encrypted JWT from components parts of the encrypted JWT string.

Parameters:

header - the decoded headers.

encodedHeader - the encoded headers.

encryptedContentEncryptionKey - the encrypted content encryption key (CEK), or null if not used.

initialisationVector - the initialisation vector (IV).

ciphertext - the encrypted ciphertext payload.

authenticationTag - the authentication MAC tag.

Method Detail

verify

public boolean verify(SigningHandler signingHandler)

Verifies that the signature is valid on the nested signed JWT.

Parameters:

signingHandler - the handler to use for verifying the signature.

Returns:

true if the signature is valid, otherwise false.

Throws:

JwsVerifyingException - if the outer JWT has not already been decrypted.

decryptAndVerify

@Deprecated
public boolean decryptAndVerify(Key decryptionKey,
                                SigningHandler signingHandler)

Deprecated.

Prefer decryptAndVerify(SecretsProvider, Purpose, Purpose) instead.

Decrypts the outer JWT and then verifies the signature on the inner JWT.

Parameters:

decryptionKey - the decryption key for the outer JWE.

signingHandler - the signing handler for verifying the nested JWS.

Returns:

true if the nested signature is valid, otherwise false.

Throws:

JweDecryptionException - if the JWE cannot be decrypted.

decrypt

public Promise<SignedThenEncryptedJwt,JweDecryptionCheckedException> decrypt(SecretsProvider secretsProvider,
                                                                                   Purpose<? extends CryptoKey> purpose)

Description copied from class: EncryptedJwt

Attempts to decrypt the JWT using any available keys for the given Purpose from the given SecretsProvider. Only keys that support the JWT algorithm will be considered. If decryption is successful then this returns a Promise for the same JWT with the payload decrypted, otherwise it returns a promise that resolves to a JweDecryptionCheckedException.

Overrides:

decrypt in class EncryptedJwt

Parameters:

secretsProvider - the secrets provider from which to retrieve keys.

purpose - the purpose for which decryption is being performed. Typically this purpose will be for a DataDecryptionKey, KeyDecryptionKey, or KeyAgreementKey.

Returns:

a promise to either the decrypted JWT or a failed promise indicating that decryption failed.

decryptAndVerify

public Promise<SignedThenEncryptedJwt,JweDecryptionCheckedException> decryptAndVerify(SecretsProvider secretsProvider,
                                                                                            Purpose<? extends CryptoKey> decryptionPurpose,
                                                                                            Purpose<VerificationKey> verificationPurpose)

Decrypts the outer JWT and then verifies the signature on the inner JWT using secrets from the supplied SecretsProvider. If decryption and verification are successful then it returns the decrypted and verified JWT as a promise, otherwise the promise will resolve to a JweDecryptionCheckedException.

Parameters:

secretsProvider - used to resolve secrets to decrypt and verify the JWT.

decryptionPurpose - the purpose to use for decrypting the outer JWT.

verificationPurpose - the purpose to use for verifying the signed inner JWT.

Returns:

a promise to the decrypted and verified JWT or to an exception indicating that either decryption or signature verification failed.

getClaimsSet

public JwtClaimsSet getClaimsSet()

Description copied from interface: Jwt

Gets the claims set object for the Jwt, which contains all of the claims (name value pairs) conveyed by the JWT.

Specified by:

getClaimsSet in interface Jwt

Overrides:

getClaimsSet in class EncryptedJwt

Returns:

The JWTs Claims Set.

getSignedJwt

public SignedJwt getSignedJwt()

Get the signed JWT. Note: you will need to call EncryptedJwt.decrypt(Key) first.

Returns:

the nested JWS.

copy

public SignedThenEncryptedJwt copy()

Description copied from interface: Jwt

Create a copy of the current JWT.

Specified by:

copy in interface Jwt

Specified by:

copy in interface Payload

Overrides:

copy in class EncryptedJwt

Returns:

a copy of the JWT.