Class EcJWK
- All Implemented Interfaces:
  EllipticCurveJwk

Nested Class Summary

Field Summary
Fields inherited from class org.forgerock.json.jose.jwk.JWK
JSON_KEY_ALG, JSON_KEY_KID, JSON_KEY_KTY, JSON_KEY_OPERATIONS, JSON_KEY_USE, JSON_KEY_X5C, JSON_KEY_X5T, JSON_KEY_X5T_S256, JSON_KEY_X5U

Constructor Summary
Constructor / Description
- EcJWK(String use, String alg, String kid, String x, String y, String d, String curve, String x5u, String x5t, List<String> x5c)
  Deprecated. Use the builder instead.
- EcJWK(String use, String alg, String kid, String x, String y, String curve, String x5u, String x5t, List<String> x5c)
  Deprecated. Use the builder instead.
- EcJWK(ECPublicKey publicKey, String use, String kid)
  Deprecated. Use the builder instead.
- EcJWK(ECPublicKey publicKey, ECPrivateKey privateKey, String use, String kid)
  Deprecated. Use the builder instead.
Method Summary
Modifier and Type / Method / Description
- static EcJWK.Builder builder()
  Get the builder.
- static EcJWK.Builder builder(ECPublicKey publicKey)
  Get the builder.
- static EcJWK.Builder builder(SupportedEllipticCurve curve, String x, String y)
  Get the builder.
- static BigInteger decodeCoordinate(String encodedCoordinate)
  Decode the unsigned big-endian base64url encoding of an elliptic curve point coordinate.
- static String encodeCoordinate(int fieldSize, BigInteger coordinate)
  Base64url encode the unsigned big-endian representation of an elliptic curve point coordinate.
- getCurve()
  Deprecated. Replaced by getEllipticCurve().
- getD()
  Gets the unsigned big-endian base64url encoding of the d value for the elliptic curve private key.
- getEllipticCurve()
  Gets the elliptic curve.
- protected Optional<JWK.Builder<?>> getPublicJwkBuilder()
  Return a builder with all the values set for representing the public components of the JWK.
- getX()
  Gets the unsigned big-endian base64url encoding of the elliptic curve point x coordinate.
- getY()
  Gets the unsigned big-endian base64url encoding of the elliptic curve point y coordinate.
- boolean isPrivate()
  Indicates if any private key attributes are present in the JWK.
- boolean isPublicKeyValid()
  Checks for validity of the public key portion of this JWK as per isPublicKeyValid(ECPublicKey, SupportedEllipticCurve).
- static boolean isPublicKeyValid(ECPublicKey publicKey, SupportedEllipticCurve curve)
  Checks whether the public key actually lies on the curve it claims to be on.
- static EcJWK parse(String json)
  Parses a JWK from a string json object.
- static EcJWK parse(JsonValue json)
  Parses a JWK from a JsonValue json object.
- toECPrivateKey()
  Converts the JWK to an ECPrivateKey.
- toECPublicKey()
  Converts the JWK to an ECPublicKey.
- toJsonValue()
  Returns a json representation of the JWK.
- toKeyPair()
  Converts the JWK to a KeyPair.
- toPublicKey()
  Converts the public claims in the JWK into a public key.

Methods inherited from class org.forgerock.json.jose.jwk.JWK
getAlgorithm, getAlgorithm, getJwaAlgorithm, getJwkThumbprint, getKeyId, getKeyOperations, getKeyType, getUse, getX509Chain, getX509Thumbnail, getX509Thumbprint, getX509ThumbprintS256, getX509URL, loadJWKFromJson, putField, toCryptoKey, toJsonString, toJsonValue, toPublicJwk, toSecretBuilder
Constructor Details

EcJWK
@Deprecated public EcJWK(ECPublicKey publicKey, String use, String kid)
Deprecated. Use the builder instead.
Creates a public EcJWK.
- Parameters:
  publicKey - The public key for the JWK
  use - The value of the use JWK parameter
  kid - The key id of the JWK

EcJWK
@Deprecated public EcJWK(ECPublicKey publicKey, ECPrivateKey privateKey, String use, String kid)
Deprecated. Use the builder instead.
Creates a public and private EcJWK.
- Parameters:
  publicKey - The public key for the JWK
  privateKey - The private key for the JWK
  use - The value of the use JWK parameter
  kid - The key id of the JWK

EcJWK
@Deprecated public EcJWK(String use, String alg, String kid, String x, String y, String curve, String x5u, String x5t, List<String> x5c)
Deprecated. Use the builder instead.
Creates a public EcJWK.
- Parameters:
  use - The value of the use JWK parameter
  alg - The value of the alg JWK parameter
  kid - The key id of the JWK
  x - The unsigned big-endian base64url encoding of the elliptic curve point x coordinate
  y - The unsigned big-endian base64url encoding of the elliptic curve point y coordinate
  curve - The known curve to use. For example "NIST P-256".
  x5u - the x509 url for the key
  x5t - the x509 thumbnail for the key
  x5c - the x509 chain as a list of Base64 encoded strings

EcJWK
@Deprecated public EcJWK(String use, String alg, String kid, String x, String y, String d, String curve, String x5u, String x5t, List<String> x5c)
Deprecated. Use the builder instead.
Creates a public and private EcJWK.
- Parameters:
  use - The value of the use JWK parameter
  alg - The value of the alg JWK parameter
  kid - The key id of the JWK
  x - The unsigned big-endian base64url encoding of the elliptic curve point x coordinate
  y - The unsigned big-endian base64url encoding of the elliptic curve point y coordinate
  d - The unsigned big-endian base64url encoding of the d value for the elliptic curve private key
  curve - The known curve to use. For example "NIST P-256".
  x5u - the x509 url for the key
  x5t - the x509 thumbnail for the key
  x5c - the x509 chain as a list of Base64 encoded strings
Method Details

builder
static EcJWK.Builder builder()
Get the builder.
- Returns:
  the EC JWK builder

builder
static EcJWK.Builder builder(SupportedEllipticCurve curve, String x, String y)
Get the builder.
- Parameters:
  curve - The known curve to use. For example "NIST P-256".
  x - The unsigned big-endian base64url encoding of the elliptic curve point x coordinate
  y - The unsigned big-endian base64url encoding of the elliptic curve point y coordinate
- Returns:
  the EC JWK builder

builder
static EcJWK.Builder builder(ECPublicKey publicKey)
Get the builder.
- Parameters:
  publicKey - The public key for the JWK
- Returns:
  the EC JWK builder
getX
Gets the unsigned big-endian base64url encoding of the elliptic curve point x coordinate.
- Returns:
  the unsigned big-endian base64url encoding of the elliptic curve point x coordinate

getY
Gets the unsigned big-endian base64url encoding of the elliptic curve point y coordinate.
- Returns:
  the unsigned big-endian base64url encoding of the elliptic curve point y coordinate

getD
Gets the unsigned big-endian base64url encoding of the d value for the elliptic curve private key.
- Returns:
  the unsigned big-endian base64url encoding of the d value for the elliptic curve private key

getCurve
Deprecated. Replaced by getEllipticCurve().
Gets the known curve to use. For example "NIST P-256".
- Returns:
  the known curve of the JWK

getEllipticCurve
Gets the elliptic curve.
- Specified by:
  getEllipticCurve in interface EllipticCurveJwk
- Returns:
  the elliptic curve of the JWK
parse
static EcJWK parse(String json)
Parses a JWK from a string json object.
- Parameters:
  json - string json object
- Returns:
  an EcJWK object

parse
static EcJWK parse(JsonValue json)
Parses a JWK from a JsonValue json object.
- Parameters:
  json - JsonValue json object
- Returns:
  an EcJWK object
toJsonValue
Description copied from class: JWK
Returns a json representation of the JWK.
- Overrides:
  toJsonValue in class JWK
- Returns:
  A JSON representation.

toECPublicKey
Converts the JWK to an ECPublicKey.
- Specified by:
  toECPublicKey in interface EllipticCurveJwk
- Returns:
  an ECPublicKey

toPublicKey
Description copied from interface: EllipticCurveJwk
Converts the public claims in the JWK into a public key. Note that the public key returned may not be an ECPublicKey. For instance, on Java 11 an OkpJWK may return an XECPrivateKey.
- Specified by:
  toPublicKey in interface EllipticCurveJwk
- Returns:
  the public key.

toECPrivateKey
Converts the JWK to an ECPrivateKey.
- Returns:
  an ECPrivateKey

toKeyPair
Converts the JWK to a KeyPair.
- Specified by:
  toKeyPair in interface EllipticCurveJwk
- Returns:
  a KeyPair
decodeCoordinate
static BigInteger decodeCoordinate(String encodedCoordinate)
Decode the unsigned big-endian base64url encoding of an elliptic curve point coordinate.
- Parameters:
  encodedCoordinate - the unsigned big-endian base64url encoding of the elliptic curve point coordinate
- Returns:
  the elliptic curve point coordinate

encodeCoordinate
static String encodeCoordinate(int fieldSize, BigInteger coordinate)
Base64url encode the unsigned big-endian representation of an elliptic curve point coordinate. The octet string is left-padded with zero bytes to the full width of the field so that every coordinate for a given curve encodes to the same length.
- Parameters:
  fieldSize - the EC field size in bits.
  coordinate - the elliptic curve point coordinate
- Returns:
  the unsigned big-endian base64url encoding of the elliptic curve point coordinate
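The two coordinate codecs above are the place where JWK producers and parsers most often disagree, because the octet string must be exactly ceil(fieldSize / 8) bytes long (RFC 7518 section 6.2.1.2) while BigInteger.toByteArray() yields a two's-complement representation that may be shorter (small values) or one byte longer (a leading 0x00 sign byte). The following is an added, stand-alone re-creation of that behaviour on plain java.security and java.util types; it is not the library's code, and the class and method names (EcCoordinateCodec, coordinateLength, the strict two-argument decodeCoordinate) are this example's own. It also shows the check a parser of untrusted JWKs should add: reject coordinates whose decoded length is not the full field width.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.util.Base64;

// Added example, not the library's implementation: unsigned big-endian,
// fixed-width base64url coordinate encoding as used for the JWK "x", "y" and "d" members.
public final class EcCoordinateCodec {

    // Number of octets needed to hold a coordinate of the given field size in bits.
    static int coordinateLength(int fieldSizeBits) {
        return (fieldSizeBits + 7) / 8;
    }

    // Base64url-encode the unsigned big-endian representation, left-padded with
    // zero bytes to the full field width, without '=' padding characters.
    static String encodeCoordinate(int fieldSizeBits, BigInteger coordinate) {
        if (coordinate.signum() < 0) {
            throw new IllegalArgumentException("coordinate must be non-negative");
        }
        int len = coordinateLength(fieldSizeBits);
        // toByteArray() is two's complement: a value whose top bit is set gains a
        // leading 0x00 sign byte that must be dropped; small values must be padded.
        byte[] twos = coordinate.toByteArray();
        int copy = Math.min(twos.length, len);
        for (int i = 0; i < twos.length - copy; i++) {
            if (twos[i] != 0) {
                throw new IllegalArgumentException(
                        "coordinate does not fit in a " + fieldSizeBits + "-bit field");
            }
        }
        byte[] fixed = new byte[len];
        System.arraycopy(twos, twos.length - copy, fixed, len - copy, copy);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(fixed);
    }

    // Lenient decoder: interpret the octets as an unsigned (signum = 1) big-endian integer.
    static BigInteger decodeCoordinate(String encoded) {
        return new BigInteger(1, Base64.getUrlDecoder().decode(encoded));
    }

    // Strict decoder for untrusted input: additionally require exactly the full
    // coordinate length for the curve, as RFC 7518 mandates for "x" and "y".
    static BigInteger decodeCoordinate(int fieldSizeBits, String encoded) {
        byte[] octets = Base64.getUrlDecoder().decode(encoded);
        int expected = coordinateLength(fieldSizeBits);
        if (octets.length != expected) {
            throw new IllegalArgumentException(
                    "coordinate must be exactly " + expected + " octets, got " + octets.length);
        }
        return new BigInteger(1, octets);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh P-256 key; the field size is read from the key's own parameters.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();
        ECParameterSpec params = pub.getParams();
        int fieldSize = params.getCurve().getField().getFieldSize();
        ECPoint w = pub.getW();

        String x = encodeCoordinate(fieldSize, w.getAffineX());
        String y = encodeCoordinate(fieldSize, w.getAffineY());
        System.out.println("x = " + x + " (" + x.length() + " chars)");
        System.out.println("y = " + y + " (" + y.length() + " chars)");
        boolean roundTrip = decodeCoordinate(fieldSize, x).equals(w.getAffineX())
                && decodeCoordinate(fieldSize, y).equals(w.getAffineY());
        System.out.println("round trip: " + roundTrip);

        // A tiny coordinate still occupies the full field width and so encodes to the same length.
        String small = encodeCoordinate(fieldSize, BigInteger.ONE);
        System.out.println("1 -> " + small + " (" + small.length() + " chars)");

        // The minimal (unpadded) encoding of the same value decodes leniently but is
        // rejected by the strict decoder, which is what a JWK parser should do.
        String minimal = Base64.getUrlEncoder().withoutPadding().encodeToString(new byte[] {1});
        System.out.println("lenient decode of " + minimal + ": " + decodeCoordinate(minimal));
        try {
            decodeCoordinate(fieldSize, minimal);
        } catch (IllegalArgumentException e) {
            System.out.println("strict decode of " + minimal + ": " + e.getMessage());
        }
    }
}
```

Run with `java EcCoordinateCodec.java` on JDK 11 or later. For P-256 every coordinate, including the value 1, encodes to 32 octets and therefore 43 base64url characters; the one-octet encoding of the same value round-trips through the lenient decoder but fails the strict one. Rejecting wrong-length coordinates at parse time is cheap and removes an entire class of malformed-key inputs before any curve arithmetic runs.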
isPrivate
public boolean isPrivate()
Description copied from class: JWK
Indicates if any private key attributes are present in the JWK.

getPublicJwkBuilder
protected Optional<JWK.Builder<?>> getPublicJwkBuilder()
Description copied from class: JWK
Return a builder with all the values set for representing the public components of the JWK. Common JWK attributes will be added in JWK.toPublicJwk().
- Specified by:
  getPublicJwkBuilder in class JWK
- Returns:
  The builder.

isPublicKeyValid
public boolean isPublicKeyValid()
Checks for validity of the public key portion of this JWK as per isPublicKeyValid(ECPublicKey, SupportedEllipticCurve).
- Specified by:
  isPublicKeyValid in interface EllipticCurveJwk
- Returns:
  true if the public key is on the curve it claims to be on and is valid.
isPublicKeyValid
static boolean isPublicKeyValid(ECPublicKey publicKey, SupportedEllipticCurve curve)
Checks whether the public key actually lies on the curve it claims to be on. Checking this is critical in ECDH protocols where the other party may be malicious. In this case, the attacker can send public keys that force the shared secret to be chosen from a small group. If a long-lived ECDH key pair is being used, then this may eventually allow an attacker to recover the private key.

NB: This bug has been fixed in the Oracle JRE/OpenJDK since 1.6.0_101, 1.7.0_85, and 1.8.0_51, but we include the check here for completeness and security when running on other JREs which may not implement the check.

The checks performed are those from NIST SP 800-56A (rev. 2), section 5.6.2.3.3 - ECC Partial Public-Key Validation Routine. This is a sufficient check for validating public keys used in "Cofactor Diffie Hellman" (ECC CDH), as defined in SP 800-56A. The JWA spec actually uses non-cofactor Diffie Hellman (ECDH), but because the cofactor for all of the NIST prime order curves in use here (P-256, P-384 and P-521) is 1 (i.e., h = 1), the two schemes are equivalent. This is confirmed by SEC 1: Elliptic Curve Cryptography, section 3.2.2.1 - Elliptic Curve Public Key Validation Primitive:

“In Step 4, it may not be necessary to compute the point nQ. For example, if h = 1, then nQ = O is implied by the checks in Steps 2 and 3, because this property holds for all points Q ∈ E”

- Parameters:
  publicKey - the public key to check.
  curve - the supported elliptic curve parameters to check the public key against.
- Returns:
  true if the public key is on the curve it claims to be on and is valid.
- See Also:
  - Critical vulnerability in JSON Web Encryption (JWE) for background
  - Bug report for CVE-2015-2613 - missing EC parameter validation in ECDH_Derive()
  - NIST SP 800-56A (rev 2) sections 5.6.2.2 and 5.6.2.3 for detailed advice on what validations to perform on public keys and how.
  - SEC 1: Elliptic Curve Cryptography, sections 3.2.2 and 3.2.3 for further guidance on public key validation.
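The partial public-key validation routine the method above refers to is short enough to show in full. The following is an added example written against the JDK's own java.security.spec types, not the library's implementation: ECParameterSpec stands in for the page's SupportedEllipticCurve, and the names EcPublicKeyValidation, isPointValid and the two-argument isPublicKeyValid are this example's own. It performs steps 1 to 3 of SP 800-56A rev. 2 section 5.6.2.3.3 (not the point at infinity; both coordinates in [0, p - 1]; the point satisfies y^2 = x^3 + ax + b mod p), relies on h = 1 for step 4 exactly as the text explains, and additionally insists that the key's parameters match the curve the caller expects rather than the curve the key claims.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECField;
import java.security.spec.ECFieldFp;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.EllipticCurve;

// Added example, not the library's implementation: ECC Partial Public-Key
// Validation (NIST SP 800-56A rev. 2, section 5.6.2.3.3) for prime-field curves.
public final class EcPublicKeyValidation {

    // True if w is a valid public key point for the given prime-field curve parameters.
    static boolean isPointValid(ECPoint w, ECParameterSpec params) {
        // Step 1: the point at infinity is never a valid public key.
        if (w == null || w.equals(ECPoint.POINT_INFINITY)) {
            return false;
        }
        ECField field = params.getCurve().getField();
        if (!(field instanceof ECFieldFp)) {
            return false; // binary-field curves are out of scope; the JWA curves are all prime-field
        }
        BigInteger p = ((ECFieldFp) field).getP();
        BigInteger x = w.getAffineX();
        BigInteger y = w.getAffineY();
        // Step 2: both coordinates must be integers in the interval [0, p - 1].
        if (x.signum() < 0 || y.signum() < 0 || x.compareTo(p) >= 0 || y.compareTo(p) >= 0) {
            return false;
        }
        // Step 3: the point must satisfy the curve equation y^2 = x^3 + a*x + b (mod p).
        BigInteger a = params.getCurve().getA();
        BigInteger b = params.getCurve().getB();
        BigInteger lhs = y.multiply(y).mod(p);
        BigInteger rhs = x.multiply(x).multiply(x).add(a.multiply(x)).add(b).mod(p);
        if (!lhs.equals(rhs)) {
            return false;
        }
        // Step 4 (n*Q = O) is implied by steps 2 and 3 when the cofactor h is 1, which
        // holds for P-256, P-384 and P-521. Do not vouch for curves with h != 1 here.
        return params.getCofactor() == 1;
    }

    // Validate a key against the curve the caller expects, not merely the curve the
    // key claims, so a key on some other curve is rejected before any arithmetic.
    static boolean isPublicKeyValid(ECPublicKey key, ECParameterSpec expected) {
        ECParameterSpec actual = key.getParams();
        EllipticCurve expectedCurve = expected.getCurve(); // EllipticCurve.equals compares field, a and b
        boolean sameCurve = expectedCurve.equals(actual.getCurve())
                && expected.getGenerator().equals(actual.getGenerator())
                && expected.getOrder().equals(actual.getOrder())
                && expected.getCofactor() == actual.getCofactor();
        return sameCurve && isPointValid(key.getW(), expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a fresh P-256 key and several deliberately malformed points.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey good = (ECPublicKey) kpg.generateKeyPair().getPublic();
        ECParameterSpec p256 = good.getParams();
        System.out.println("generated P-256 key valid:  " + isPublicKeyValid(good, p256));

        // Same x, y perturbed by one: the point no longer lies on the curve (step 3 fails).
        ECPoint w = good.getW();
        ECPoint offCurve = new ECPoint(w.getAffineX(), w.getAffineY().add(BigInteger.ONE));
        System.out.println("perturbed point valid:      " + isPointValid(offCurve, p256));

        // Coordinates shifted by p satisfy the equation mod p but are out of range (step 2 fails).
        BigInteger p = ((ECFieldFp) p256.getCurve().getField()).getP();
        ECPoint outOfRange = new ECPoint(w.getAffineX().add(p), w.getAffineY().add(p));
        System.out.println("out-of-range point valid:   " + isPointValid(outOfRange, p256));

        // The point at infinity is rejected by step 1.
        System.out.println("point at infinity valid:    " + isPointValid(ECPoint.POINT_INFINITY, p256));

        // A P-256 key presented where P-384 is expected is rejected by the parameter comparison.
        kpg.initialize(new ECGenParameterSpec("secp384r1"));
        ECParameterSpec p384 = ((ECPublicKey) kpg.generateKeyPair().getPublic()).getParams();
        System.out.println("P-256 key accepted as P-384: " + isPublicKeyValid(good, p384));
    }
}
```

Run with `java EcPublicKeyValidation.java` on JDK 11 or later: the generated key passes, while the perturbed point, the out-of-range point, the point at infinity and the curve mismatch are all rejected. The out-of-range case is the one most often skipped in hand-written checks; it is why step 2 is a separate requirement and not subsumed by the curve equation, which is evaluated modulo p.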