Class EncryptedThenSignedJwt

java.lang.Object
org.forgerock.json.jose.jws.SignedJwt
org.forgerock.json.jose.jws.EncryptedThenSignedJwt
All Implemented Interfaces:
Jwt, Payload
Direct Known Subclasses:
SignedEncryptedJwt

public class EncryptedThenSignedJwt extends SignedJwt
An implementation of a JWS with a nested JWE as its payload.

Since:
2.0.0
  • Constructor Details

    • EncryptedThenSignedJwt

      public EncryptedThenSignedJwt(JwsHeader header, EncryptedJwt nestedJwe, SigningHandler signingHandler)
      Constructs a fresh, new SignedEncryptedJwt from the given JwsHeader and nested Encrypted JWT.

      The specified private key will be used in the creation of the JWS signature.

      Parameters:
      header - The JwsHeader containing the header parameters of the JWS.
      nestedJwe - The nested Encrypted JWT that will be the payload of this JWS.
      signingHandler - The SigningHandler instance used to sign the JWS.
    • EncryptedThenSignedJwt

      public EncryptedThenSignedJwt(JwsHeader header, EncryptedJwt nestedJwe, byte[] signingInput, byte[] signature)
      Constructs a reconstructed SignedEncryptedJwt from its constituent parts, the JwsHeader, nested Encrypted JWT, signing input and signature.

      For use when a signed nested encrypted JWT has been reconstructed from its base64url encoded string representation and the signature needs verifying.

      Parameters:
      header - The JwsHeader containing the header parameters of the JWS.
      nestedJwe - The nested Encrypted JWT that is the payload of the JWS.
      signingInput - The original data that was signed, being the base64url encoding of the JWS header and payload concatenated using a "." character.
      signature - The resulting signature of signing the signing input.
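The signing input described above, and the order in which a receiver should process a JWS that wraps a JWE, shown as an added example that is not part of the original documentation. It uses only JDK classes rather than the ForgeRock API. The class and method names are hypothetical, HS256 is an assumed algorithm, and the key and the five-segment JWE are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class NestedJwtSigningInput {                       // hypothetical name
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(byte[] in) { return B64.encodeToString(in); }

    // The algorithm is fixed by the verifier here, never chosen from the token's header.
    static byte[] hmac(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    /** Returns the nested JWE compact string only if the outer JWS signature verifies. */
    static String verifyThenUnwrap(String compactJws, byte[] key) throws Exception {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("outer JWS must have 3 parts");
        // Signing input is the received text as-is; do not re-serialise header or payload.
        String signingInput = parts[0] + "." + parts[1];
        byte[] claimed = Base64.getUrlDecoder().decode(parts[2]);
        if (!MessageDigest.isEqual(hmac(key, signingInput), claimed))   // constant-time compare
            throw new SecurityException("outer signature invalid; inner JWE not processed");
        String inner = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.US_ASCII);
        if (inner.split("\\.", -1).length != 5)
            throw new IllegalArgumentException("payload is not a compact JWE");
        return inner;   // only now is the inner JWE handed to decryption
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes!!!".getBytes(StandardCharsets.US_ASCII);
        // Constructed placeholder JWE: five dot-separated segments, not real ciphertext.
        String jwe = "aGRy.a2V5.aXY.Y3Q.dGFn";
        String header = b64("{\"alg\":\"HS256\",\"cty\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + b64(jwe.getBytes(StandardCharsets.US_ASCII));
        String jws = signingInput + "." + b64(hmac(key, signingInput));

        System.out.println("valid token unwraps to inner JWE: " + verifyThenUnwrap(jws, key).equals(jwe));
        // Swap in a different header while keeping the old signature.
        String tampered = jws.replace(header, b64("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8)));
        try { verifyThenUnwrap(tampered, key); }
        catch (SecurityException e) { System.out.println("tampered token: " + e.getMessage()); }
    }
}
```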
  • Method Details

    • getClaimsSet

      public JwtClaimsSet getClaimsSet()
      Gets the claims set object for the nested Encrypted JWT that is the payload of this JWS.
      Specified by:
      getClaimsSet in interface Jwt
      Overrides:
      getClaimsSet in class SignedJwt
      Returns:
      The JWT's Claims Set.
    • decrypt

      @Deprecated public void decrypt(Key privateKey)
      Deprecated.
      Decrypts the JWE so that its Claims Set can be accessed.

      The same private key must be given here that is the pair to the public key that was used to encrypt the JWT.

      Parameters:
      privateKey - The private key that is the pair to the public key that encrypted the JWT.
    • decrypt

      public Promise<? extends EncryptedJwt,JweDecryptionCheckedException> decrypt(SecretsProvider secretsProvider, Purpose<? extends CryptoKey> decryptionPurpose)
      Decrypts the inner encrypted JWE so that the payload can be accessed. If decryption is successful then a promise to the now-decrypted inner JWT is returned, otherwise the promise resolves to a JweDecryptionCheckedException.
      Parameters:
      secretsProvider - the secrets provider to retrieve candidate keys to decrypt the JWT.
      decryptionPurpose - the purpose for which decryption is being performed. This purpose should typically be for a DataDecryptionKey, KeyDecryptionKey, or a KeyAgreementKey.
      Returns:
      a promise to either the decrypted inner JWT or a decryption failure exception.
    • decrypt

      Decrypts the inner encrypted JWE so that the payload can be accessed. If decryption is successful then a promise to the now-decrypted inner JWT is returned, otherwise the promise resolves to a JweDecryptionCheckedException.
      Parameters:
      secretsReference - the reference to valid keys to decrypt the JWT.
      Returns:
      a promise to either the decrypted inner JWT or a decryption failure exception.
    • getJweHeader

      public JweHeader getJweHeader()
      Get the header of the encapsulated EncryptedJwt.
      Returns:
      The JWE header.
    • getEncryptedJwt

      public EncryptedJwt getEncryptedJwt()
      Gets the encrypted JWT.
      Returns:
      the nested JWE.
    • copy

      public EncryptedThenSignedJwt copy()
      Description copied from interface: Jwt
      Create a copy of the current JWT.
      Specified by:
      copy in interface Jwt
      Specified by:
      copy in interface Payload
      Overrides:
      copy in class SignedJwt
      Returns:
      a copy of the JWT.