Package org.forgerock.json.jose.jwe

Class EncryptedJwt

java.lang.Object
org.forgerock.json.jose.jwe.EncryptedJwt
All Implemented Interfaces:
Jwt, Payload
Direct Known Subclasses:
SignedThenEncryptedJwt
public class EncryptedJwt extends Object implements Jwt, Payload
A JWE implementation of the Jwt interface.

JSON Web Encryption (JWE) is a representing encrypted content using JSON based data structures.

Since:
2.0.0
See Also:

  • Constructor Details

    • EncryptedJwt

      public EncryptedJwt(JweHeader header, JwtClaimsSet payload, Key publicKey)
      Constructs a fresh, new EncryptedJwt from the given JweHeader and JwtClaimsSet.

      The specified public key will be used to perform the encryption of the JWT.

      Parameters:
      header - The JweHeader containing the header parameters of the JWE.
      payload - The claimset of the JWE.
      publicKey - The public key to use to perform the encryption.

    • EncryptedJwt

      protected EncryptedJwt(EncryptedJwt encryptedJwt)
      Construct an encrypted JWT from an existent one.
      Parameters:
      encryptedJwt - the encrypted JWT

    • EncryptedJwt

      public EncryptedJwt(JweHeader header, String encodedHeader, byte[] encryptedContentEncryptionKey, byte[] initialisationVector, byte[] ciphertext, byte[] authenticationTag)
      Constructs a reconstructed EncryptedJwt from its constituent parts, the JweHeader, encrypted Content Encryption Key (CEK), initialisation vector, ciphertext and additional authentication data.

      For use when an encrypted JWT has been reconstructed from its base64url encoded string representation and the JWT needs decrypting.

      Parameters:
      header - The JweHeader containing the header parameters of the JWE.
      encodedHeader - The Base64url encoded JWE header.
      encryptedContentEncryptionKey - The encrypted Content Encryption Key (CEK).
      initialisationVector - The initialisation vector.
      ciphertext - The ciphertext.
      authenticationTag - The authentication tag.

  • Method Details

    • getHeader

      public JweHeader getHeader()
      Description copied from interface: Jwt
      Gets the header object for the JWT, which contains properties which describe the cryptographic operations applied to the JWT, among other properties.

      When the JWT is digitally signed or MACed, the JWT Header is a JWS Header. When the JWT is encrypted, the JWT Header is a JWE Header.

      Specified by:
      getHeader in interface Jwt
      Returns:
      The JWTs Header.

    • getClaimsSet

      public JwtClaimsSet getClaimsSet()
      Description copied from interface: Jwt
      Gets the claims set object for the Jwt, which contains all of the claims (name value pairs) conveyed by the JWT.
      Specified by:
      getClaimsSet in interface Jwt
      Returns:
      The JWTs Claims Set.

    • build

      public String build()
      Description copied from interface: Jwt
      Builds the JWT into a String by following the steps specified in the relevant specification according to whether the JWT is being signed and/or encrypted.

      Specified by:
      build in interface Jwt
      Specified by:
      build in interface Payload
      Returns:
      The base64url encoded UTF-8 parts of the JWT.
      See Also:

    • copy

      public EncryptedJwt copy()
      Description copied from interface: Jwt
      Create a copy of the current JWT.
      Specified by:
      copy in interface Jwt
      Specified by:
      copy in interface Payload
      Returns:
      a copy of the JWT.

    • decrypt

      @Deprecated public void decrypt(Key privateKey)
      Deprecated.
      Prefer decrypt(SecretsProvider, Purpose) instead.
      Decrypts the JWE ciphertext back into a JwtClaimsSet.

      The same private key must be given here that is the pair to the public key that was used to encrypt the JWT.

      Parameters:
      privateKey - The private key pair to the public key that encrypted the JWT.

    • decrypt

      public Promise<? extends EncryptedJwt,JweDecryptionCheckedException> decrypt(SecretsProvider secretsProvider, Purpose<? extends CryptoKey> purpose)
      Attempts to decrypt the JWT using any available keys for the given Purpose from the given SecretsProvider. Only keys that support the JWT algorithm will be considered. If decryption is successful then this returns a Promise for the same JWT with the payload decrypted, otherwise it returns a promise that resolves to a JweDecryptionCheckedException.
      Parameters:
      secretsProvider - the secrets provider from which to retrieve keys.
      purpose - the purpose for which decryption is being performed. Typically this purpose will be for a DataDecryptionKey, KeyDecryptionKey, or KeyAgreementKey.
      Returns:
      a promise to either the decrypted JWT or a failed promise indicating that decryption failed.

    • decrypt

      public Promise<? extends EncryptedJwt,JweDecryptionCheckedException> decrypt(ValidSecretsReference<? extends CryptoKey,NeverThrowsException> secretsReference)
      Attempts to decrypt the JWT using any available keys from the given ValidSecretsReference. Only keys that support the JWT algorithm will be considered. If decryption is successful then this returns a Promise for the same JWT with the payload decrypted, otherwise it returns a promise that resolves to a JweDecryptionCheckedException.
      Parameters:
      secretsReference - the reference to valid secrets.
      Returns:
      a promise to either the decrypted JWT or a failed promise indicating that decryption failed.

    • decryptRawPayload

      @Deprecated public byte[] decryptRawPayload(Key privateKey)
      Deprecated.
      Prefer decryptRawPayload(SecretsProvider, Purpose) instead.
      Decrypts and returns the raw bytes of the payload, without attempting to decode them in any way. The decrypted payload is not cached.

      The same private key must be given here that is the pair to the public key that was used to encrypt the JWT.

      Parameters:
      privateKey - The private key pair to the public key that encrypted the JWT.
      Returns:
      The raw bytes of the decrypted payload.

    • decryptRawPayload

      public Promise<byte[],JweDecryptionCheckedException> decryptRawPayload(SecretsProvider secretsProvider, Purpose<? extends CryptoKey> purpose)
      Attempts to decrypt the raw payload of the JWT using any keys from the given SecretsProvider that satisfy the supplied Purpose. Only keys that support the specified JWE algorithm will be considered by the decryption process. If decryption is successful then a promise for the decrypted payload will be returned, otherwise the promise will resolve to a JweDecryptionCheckedException.
      Parameters:
      secretsProvider - the secrets provider from which to retrieve keys.
      purpose - the purpose for which decryption is being performed. Typically this purpose will be for a DataDecryptionKey, KeyDecryptionKey, or KeyAgreementKey.
      Returns:
      a promise to either the decrypted JWT raw payload or a failed promise indicating that decryption failed.

    • decryptRawPayload

      public Promise<byte[],JweDecryptionCheckedException> decryptRawPayload(ValidSecretsReference<? extends CryptoKey,NeverThrowsException> secretsReference)
      Attempts to decrypt the raw payload of the JWT using any keys from the given the Secrets contained in the given ValidSecretsReference. Only secrets that support the specified JWE algorithm will be considered by the decryption process. If decryption is successful then a promise for the decrypted payload will be returned, otherwise the promise will resolve to a JweDecryptionCheckedException.
      Parameters:
      secretsReference - the reference to valid secrets.
      Returns:
      a promise to either the decrypted JWT raw payload or a failed promise indicating that decryption failed.