includedParameters = super.getIncludedParams();
-
- if (jku != null) {
- includedParameters.add("jku");
- }
-
- if (jwk != null) {
- includedParameters.add("jwk");
- }
-
- if (x5u != null) {
- includedParameters.add("x5u");
- }
-
- if (x5t != null) {
- includedParameters.add("x5t");
- }
-
- if (x5t256 != null) {
- includedParameters.add("x5t#S256");
- }
-
- if (x5c != null && ! x5c.isEmpty()) {
- includedParameters.add("x5c");
- }
-
- if (kid != null) {
- includedParameters.add("kid");
- }
-
- return includedParameters;
- }
-
-
- @Override
- public JSONObject toJSONObject() {
-
- JSONObject o = super.toJSONObject();
-
- if (jku != null) {
- o.put("jku", jku.toString());
- }
-
- if (jwk != null) {
- o.put("jwk", jwk.toJSONObject());
- }
-
- if (x5u != null) {
- o.put("x5u", x5u.toString());
- }
-
- if (x5t != null) {
- o.put("x5t", x5t.toString());
- }
-
- if (x5t256 != null) {
- o.put("x5t#S256", x5t256.toString());
- }
-
- if (x5c != null && ! x5c.isEmpty()) {
- o.put("x5c", x5c);
- }
-
- if (kid != null) {
- o.put("kid", kid);
- }
-
- return o;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CompressionAlgorithm.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CompressionAlgorithm.java
deleted file mode 100644
index 2260be1e..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CompressionAlgorithm.java
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.io.Serializable;
-
-import net.jcip.annotations.Immutable;
-import net.minidev.json.JSONAware;
-import net.minidev.json.JSONObject;
-
-
-/**
- * Compression algorithm name, represents the {@code zip} header parameter in
- * JSON Web Encryption (JWE) objects. This class is immutable.
- *
- * Includes a constant for the standard DEFLATE compression algorithm:
- *
- *
- *
- * Additional compression algorithm names can be defined using the
- * constructor.
- *
- * @author Vladimir Dzhuvinov
- * @version 2013-01-15
- */
-@Immutable
-public final class CompressionAlgorithm implements JSONAware, Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * DEFLATE Compressed Data Format Specification version 1.3, as
- * described in RFC 1951.
- */
- public static final CompressionAlgorithm DEF = new CompressionAlgorithm("DEF");
-
-
- /**
- * The algorithm name.
- */
- private final String name;
-
-
- /**
- * Creates a new compression algorithm with the specified name.
- *
- * @param name The compression algorithm name. Must not be {@code null}.
- */
- public CompressionAlgorithm(final String name) {
-
- if (name == null) {
- throw new IllegalArgumentException("The compression algorithm name must not be null");
- }
-
- this.name = name;
- }
-
-
- /**
- * Gets the name of this compression algorithm.
- *
- * @return The compression algorithm name.
- */
- public String getName() {
-
- return name;
- }
-
-
- /**
- * Overrides {@code Object.hashCode()}.
- *
- * @return The object hash code.
- */
- @Override
- public int hashCode() {
-
- return name.hashCode();
- }
-
-
- /**
- * Overrides {@code Object.equals()}.
- *
- * @param object The object to compare to.
- *
- * @return {@code true} if the objects have the same value, otherwise
- * {@code false}.
- */
- @Override
- public boolean equals(final Object object) {
-
- return object != null &&
- object instanceof CompressionAlgorithm &&
- this.toString().equals(object.toString());
- }
-
-
- /**
- * Returns the string representation of this compression algorithm.
- *
- * @see #getName
- *
- * @return The string representation.
- */
- @Override
- public String toString() {
-
- return name;
- }
-
-
- /**
- * Returns the JSON string representation of this compression algorithm.
- *
- * @return The JSON string representation.
- */
- @Override
- public String toJSONString() {
-
- return "\"" + JSONObject.escape(name) + '"';
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CriticalHeaderParamsAware.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CriticalHeaderParamsAware.java
deleted file mode 100644
index b3b2ee69..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/CriticalHeaderParamsAware.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.util.Set;
-
-
-/**
- * JSON Web Signature (JWS) verifier or JSON Web Encryption (JWE) decrypter
- * that supports processing and / or deferral of critical ({@code crit}) header
- * parameters.
- *
- *
JWS verification / JWE decryption will fail with a {@link JOSEException}
- * if a critical header is encountered that is neither processed by the
- * verifier / decrypter nor deferred to the application.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-04-21
- */
-public interface CriticalHeaderParamsAware {
-
-
- /**
- * Returns the names of the critical ({@code crit}) header parameters
- * that are understood and processed by the JWS verifier / JWE
- * decrypter.
- *
- * @return The names of the critical header parameters that are
- * understood and processed, empty set if none.
- */
- Set getProcessedCriticalHeaderParams();
-
-
- /**
- * Returns the names of the critical ({@code crit}) header parameters
- * that are deferred to the application for processing and will be
- * ignored by the JWS verifier / JWE decrypter.
- *
- * @return The names of the critical header parameters that are
- * deferred to the application for processing, empty set if
- * none.
- */
- Set getDeferredCriticalHeaderParams();
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/EncryptionMethod.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/EncryptionMethod.java
deleted file mode 100644
index 59d0c364..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/EncryptionMethod.java
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import net.jcip.annotations.Immutable;
-
-
-/**
- * Encryption method name, represents the {@code enc} header parameter in JSON
- * Web Encryption (JWE) objects. This class is immutable.
- *
- * Includes constants for the following standard encryption method names:
- *
- *
- * - {@link #A128CBC_HS256 A128CBC-HS256}
- *
- {@link #A192CBC_HS384 A192CBC-HS384}
- *
- {@link #A256CBC_HS512 A256CBC-HS512}
- *
- {@link #A128GCM}
- *
- {@link #A192GCM}
- *
- {@link #A256GCM}
- *
- {@link #A128CBC_HS256_DEPRECATED A128CBC+HS256 (deprecated)}
- *
- {@link #A256CBC_HS512_DEPRECATED A256CBC+HS512 (deprecated)}
- *
- *
- * Additional encryption method names can be defined using the constructors.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-10-14
- */
-@Immutable
-public final class EncryptionMethod extends Algorithm {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The Content Encryption Key (CEK) bit length, zero if not specified.
- */
- private final int cekBitLength;
-
-
- /**
- * AES_128_CBC_HMAC_SHA_256 authenticated encryption using a 256 bit
- * key (required).
- */
- public static final EncryptionMethod A128CBC_HS256 =
- new EncryptionMethod("A128CBC-HS256", Requirement.REQUIRED, 256);
-
-
- /**
- * AES_192_CBC_HMAC_SHA_384 authenticated encryption using a 384 bit
- * key (optional).
- */
- public static final EncryptionMethod A192CBC_HS384 =
- new EncryptionMethod("A192CBC-HS384", Requirement.OPTIONAL, 384);
-
-
- /**
- * AES_256_CBC_HMAC_SHA_512 authenticated encryption using a 512 bit
- * key (required).
- */
- public static final EncryptionMethod A256CBC_HS512 =
- new EncryptionMethod("A256CBC-HS512", Requirement.REQUIRED, 512);
-
-
- /**
- * AES_128_CBC_HMAC_SHA_256 authenticated encryption using a 256 bit
- * key, deprecated in JOSE draft suite version 09.
- */
- public static final EncryptionMethod A128CBC_HS256_DEPRECATED =
- new EncryptionMethod("A128CBC+HS256", Requirement.OPTIONAL, 256);
-
-
- /**
- * AES_256_CBC_HMAC_SHA_512 authenticated encryption using a 512 bit
- * key, deprecated in JOSE draft suite version 09.
- */
- public static final EncryptionMethod A256CBC_HS512_DEPRECATED =
- new EncryptionMethod("A256CBC+HS512", Requirement.OPTIONAL, 512);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 128 bit key
- * (recommended).
- */
- public static final EncryptionMethod A128GCM =
- new EncryptionMethod("A128GCM", Requirement.RECOMMENDED, 128);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 192 bit key
- * (optional).
- */
- public static final EncryptionMethod A192GCM =
- new EncryptionMethod("A192GCM", Requirement.OPTIONAL, 192);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) using a 256 bit key
- * (recommended).
- */
- public static final EncryptionMethod A256GCM =
- new EncryptionMethod("A256GCM", Requirement.RECOMMENDED, 256);
-
-
- /**
- * Encryption method family.
- */
- public static final class Family extends AlgorithmFamily {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * AES/CBC/HMAC with SHA-2.
- */
- public static final Family AES_CBC_HMAC_SHA = new Family(A128CBC_HS256, A192CBC_HS384, A256CBC_HS512);
-
-
- /**
- * AES/GCM.
- */
- public static final Family AES_GCM = new Family(A128GCM, A192GCM, A256GCM);
-
-
- /***
- * Creates a new encryption method family.
- *
- * @param encs The encryption methods of the family. Must not
- * be {@code null}.
- */
- public Family(final EncryptionMethod ... encs) {
- super(encs);
- }
- }
-
-
- /**
- * Creates a new encryption method.
- *
- * @param name The encryption method name. Must not be
- * {@code null}.
- * @param req The implementation requirement, {@code null} if
- * not known.
- * @param cekBitLength The Content Encryption Key (CEK) bit length,
- * zero if not specified.
- */
- public EncryptionMethod(final String name, final Requirement req, final int cekBitLength) {
-
- super(name, req);
-
- this.cekBitLength = cekBitLength;
- }
-
-
- /**
- * Creates a new encryption method. The Content Encryption Key (CEK)
- * bit length is not specified.
- *
- * @param name The encryption method name. Must not be {@code null}.
- * @param req The implementation requirement, {@code null} if not
- * known.
- */
- public EncryptionMethod(final String name, final Requirement req) {
-
- this(name, req, 0);
- }
-
-
- /**
- * Creates a new encryption method. The implementation requirement and
- * the Content Encryption Key (CEK) bit length are not specified.
- *
- * @param name The encryption method name. Must not be {@code null}.
- */
- public EncryptionMethod(final String name) {
-
- this(name, null, 0);
- }
-
-
- /**
- * Gets the length of the associated Content Encryption Key (CEK).
- *
- * @return The Content Encryption Key (CEK) bit length, zero if not
- * specified.
- */
- public int cekBitLength() {
-
- return cekBitLength;
- }
-
-
- /**
- * Parses an encryption method from the specified string.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The encryption method (matching standard algorithm
- * constant, else a newly created algorithm).
- */
- public static EncryptionMethod parse(final String s) {
-
- if (s.equals(A128CBC_HS256.getName())) {
-
- return A128CBC_HS256;
-
- } else if (s.equals(A192CBC_HS384.getName())) {
-
- return A192CBC_HS384;
-
- } else if (s.equals(A256CBC_HS512.getName())) {
-
- return A256CBC_HS512;
-
- } else if (s.equals(A128GCM.getName())) {
-
- return A128GCM;
-
- } else if (s.equals(A192GCM.getName())) {
-
- return A192GCM;
-
- } else if (s.equals(A256GCM.getName())) {
-
- return A256GCM;
-
- } else if (s.equals(A128CBC_HS256_DEPRECATED.getName())) {
-
- return A128CBC_HS256_DEPRECATED;
-
- } else if (s.equals(A256CBC_HS512_DEPRECATED.getName())) {
-
- return A256CBC_HS512_DEPRECATED;
-
- } else {
-
- return new EncryptionMethod(s);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Header.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Header.java
deleted file mode 100644
index 812ac8d5..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Header.java
+++ /dev/null
@@ -1,493 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.io.Serializable;
-import java.text.ParseException;
-import java.util.*;
-
-import net.minidev.json.JSONObject;
-
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-
-
-/**
- * The base abstract class for unsecured ({@code alg=none}), JSON Web Signature
- * (JWS) and JSON Web Encryption (JWE) headers.
- *
- * The header may also include {@link #getCustomParams custom
- * parameters}; these will be serialised and parsed along the registered ones.
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-08-21
- */
-public abstract class Header implements Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The algorithm ({@code alg}) parameter.
- */
- private final Algorithm alg;
-
-
- /**
- * The JOSE object type ({@code typ}) parameter.
- */
- private final JOSEObjectType typ;
-
-
- /**
- * The content type ({@code cty}) parameter.
- */
- private final String cty;
-
-
- /**
- * The critical headers ({@code crit}) parameter.
- */
- private final Set crit;
-
-
- /**
- * Custom header parameters.
- */
- private final Map customParams;
-
-
- /**
- * Empty custom parameters constant.
- */
- private static final Map EMPTY_CUSTOM_PARAMS =
- Collections.unmodifiableMap(new HashMap());
-
-
- /**
- * The original parsed Base64URL, {@code null} if the header was
- * created from scratch.
- */
- private final Base64URL parsedBase64URL;
-
-
- /**
- * Creates a new abstract header.
- *
- * @param alg The algorithm ({@code alg}) parameter. Must
- * not be {@code null}.
- * @param typ The type ({@code typ}) parameter,
- * {@code null} if not specified.
- * @param cty The content type ({@code cty}) parameter,
- * {@code null} if not specified.
- * @param crit The names of the critical header
- * ({@code crit}) parameters, empty set or
- * {@code null} if none.
- * @param customParams The custom parameters, empty map or
- * {@code null} if none.
- * @param parsedBase64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- */
- protected Header(final Algorithm alg,
- final JOSEObjectType typ,
- final String cty, Set crit,
- final Map customParams,
- final Base64URL parsedBase64URL) {
-
- if (alg == null) {
- throw new IllegalArgumentException("The algorithm \"alg\" header parameter must not be null");
- }
-
- this.alg = alg;
-
- this.typ = typ;
- this.cty = cty;
-
- if (crit != null) {
- // Copy and make unmodifiable
- this.crit = Collections.unmodifiableSet(new HashSet<>(crit));
- } else {
- this.crit = null;
- }
-
- if (customParams != null) {
- // Copy and make unmodifiable
- this.customParams = Collections.unmodifiableMap(new HashMap<>(customParams));
- } else {
- this.customParams = EMPTY_CUSTOM_PARAMS;
- }
-
- this.parsedBase64URL = parsedBase64URL;
- }
-
-
- /**
- * Deep copy constructor.
- *
- * @param header The header to copy. Must not be {@code null}.
- */
- protected Header(final Header header) {
-
- this(
- header.getAlgorithm(),
- header.getType(),
- header.getContentType(),
- header.getCriticalParams(),
- header.getCustomParams(),
- header.getParsedBase64URL());
- }
-
-
- /**
- * Gets the algorithm ({@code alg}) parameter.
- *
- * @return The algorithm parameter.
- */
- public Algorithm getAlgorithm() {
-
- return alg;
- }
-
-
- /**
- * Gets the type ({@code typ}) parameter.
- *
- * @return The type parameter, {@code null} if not specified.
- */
- public JOSEObjectType getType() {
-
- return typ;
- }
-
-
- /**
- * Gets the content type ({@code cty}) parameter.
- *
- * @return The content type parameter, {@code null} if not specified.
- */
- public String getContentType() {
-
- return cty;
- }
-
-
- /**
- * Gets the critical header parameters ({@code crit}) parameter.
- *
- * @return The names of the critical header parameters, as a
- * unmodifiable set, {@code null} if not specified.
- */
- public Set getCriticalParams() {
-
- return crit;
- }
-
-
- /**
- * Gets a custom (non-registered) parameter.
- *
- * @param name The name of the custom parameter. Must not be
- * {@code null}.
- *
- * @return The custom parameter, {@code null} if not specified.
- */
- public Object getCustomParam(final String name) {
-
- return customParams.get(name);
- }
-
-
- /**
- * Gets the custom (non-registered) parameters.
- *
- * @return The custom parameters, as a unmodifiable map, empty map if
- * none.
- */
- public Map getCustomParams() {
-
- return customParams;
- }
-
-
- /**
- * Gets the original Base64URL used to create this header.
- *
- * @return The parsed Base64URL, {@code null} if the header was created
- * from scratch.
- */
- public Base64URL getParsedBase64URL() {
-
- return parsedBase64URL;
- }
-
-
- /**
- * Gets the names of all included parameters (registered and custom) in
- * the header instance.
- *
- * @return The included parameters.
- */
- public Set getIncludedParams() {
-
- Set includedParameters =
- new HashSet<>(getCustomParams().keySet());
-
- includedParameters.add("alg");
-
- if (getType() != null) {
- includedParameters.add("typ");
- }
-
- if (getContentType() != null) {
- includedParameters.add("cty");
- }
-
- if (getCriticalParams() != null && ! getCriticalParams().isEmpty()) {
- includedParameters.add("crit");
- }
-
- return includedParameters;
- }
-
-
- /**
- * Returns a JSON object representation of the header. All custom
- * parameters are included if they serialise to a JSON entity and
- * their names don't conflict with the registered ones.
- *
- * @return The JSON object representation of the header.
- */
- public JSONObject toJSONObject() {
-
- // Include custom parameters, they will be overwritten if their
- // names match specified registered ones
- JSONObject o = new JSONObject(customParams);
-
- // Alg is always defined
- o.put("alg", alg.toString());
-
- if (typ != null) {
- o.put("typ", typ.toString());
- }
-
- if (cty != null) {
- o.put("cty", cty);
- }
-
- if (crit != null && ! crit.isEmpty()) {
- o.put("crit", new ArrayList<>(crit));
- }
-
- return o;
- }
-
-
- /**
- * Returns a JSON string representation of the header. All custom
- * parameters will be included if they serialise to a JSON entity and
- * their names don't conflict with the registered ones.
- *
- * @return The JSON string representation of the header.
- */
- public String toString() {
-
- return toJSONObject().toString();
- }
-
-
- /**
- * Returns a Base64URL representation of the header. If the header was
- * parsed always returns the original Base64URL (required for JWS
- * validation and authenticated JWE decryption).
- *
- * @return The original parsed Base64URL representation of the header,
- * or a new Base64URL representation if the header was created
- * from scratch.
- */
- public Base64URL toBase64URL() {
-
- if (parsedBase64URL == null) {
-
- // Header was created from scratch, return new Base64URL
- return Base64URL.encode(toString());
-
- } else {
-
- // Header was parsed, return original Base64URL
- return parsedBase64URL;
- }
- }
-
-
- /**
- * Parses an algorithm ({@code alg}) parameter from the specified
- * header JSON object. Intended for initial parsing of unsecured
- * (plain), JWS and JWE headers.
- *
- * The algorithm type (none, JWS or JWE) is determined by inspecting
- * the algorithm name for "none" and the presence of an "enc"
- * parameter.
- *
- * @param json The JSON object to parse. Must not be {@code null}.
- *
- * @return The algorithm, an instance of {@link Algorithm#NONE},
- * {@link JWSAlgorithm} or {@link JWEAlgorithm}.
- *
- * @throws ParseException If the {@code alg} parameter couldn't be
- * parsed.
- */
- public static Algorithm parseAlgorithm(final JSONObject json)
- throws ParseException {
-
- String algName = JSONObjectUtils.getString(json, "alg");
-
- // Infer algorithm type
-
- if (algName.equals(Algorithm.NONE.getName())) {
- // Plain
- return Algorithm.NONE;
- } else if (json.containsKey("enc")) {
- // JWE
- return JWEAlgorithm.parse(algName);
- } else {
- // JWS
- return JWSAlgorithm.parse(algName);
- }
- }
-
-
- /**
- * Parses a {@link PlainHeader}, {@link JWSHeader} or {@link JWEHeader}
- * from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- *
- * @return The header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid header.
- */
- public static Header parse(final JSONObject jsonObject)
- throws ParseException {
-
- return parse(jsonObject, null);
- }
-
-
- /**
- * Parses a {@link PlainHeader}, {@link JWSHeader} or {@link JWEHeader}
- * from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid header.
- */
- public static Header parse(final JSONObject jsonObject,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- Algorithm alg = parseAlgorithm(jsonObject);
-
- if (alg.equals(Algorithm.NONE)) {
-
- return PlainHeader.parse(jsonObject, parsedBase64URL);
-
- } else if (alg instanceof JWSAlgorithm) {
-
- return JWSHeader.parse(jsonObject, parsedBase64URL);
-
- } else if (alg instanceof JWEAlgorithm) {
-
- return JWEHeader.parse(jsonObject, parsedBase64URL);
-
- } else {
-
- throw new AssertionError("Unexpected algorithm type: " + alg);
- }
- }
-
-
- /**
- * Parses a {@link PlainHeader}, {@link JWSHeader} or {@link JWEHeader}
- * from the specified JSON object string.
- *
- * @param jsonString The JSON object string to parse. Must not be
- * {@code null}.
- *
- * @return The header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid header.
- */
- public static Header parse(final String jsonString)
- throws ParseException {
-
- return parse(jsonString, null);
- }
-
-
- /**
- * Parses a {@link PlainHeader}, {@link JWSHeader} or {@link JWEHeader}
- * from the specified JSON object string.
- *
- * @param jsonString The JSON object string to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid header.
- */
- public static Header parse(final String jsonString,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- JSONObject jsonObject = JSONObjectUtils.parse(jsonString);
-
- return parse(jsonObject, parsedBase64URL);
- }
-
-
- /**
- * Parses a {@link PlainHeader}, {@link JWSHeader} or {@link JWEHeader}
- * from the specified Base64URL.
- *
- * @param base64URL The Base64URL to parse. Must not be {@code null}.
- *
- * @return The header.
- *
- * @throws ParseException If the specified Base64URL doesn't represent
- * a valid header.
- */
- public static Header parse(final Base64URL base64URL)
- throws ParseException {
-
- return parse(base64URL.decodeToString(), base64URL);
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEException.java
deleted file mode 100644
index 3b491f1e..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEException.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Javascript Object Signing and Encryption (JOSE) exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 2012-09-15
- */
-public class JOSEException extends Exception {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * Creates a new JOSE exception with the specified message.
- *
- * @param message The exception message.
- */
- public JOSEException(final String message) {
-
- super(message);
- }
-
-
- /**
- * Creates a new JOSE exception with the specified message and cause.
- *
- * @param message The exception message.
- * @param cause The exception cause.
- */
- public JOSEException(final String message, final Throwable cause) {
-
- super(message, cause);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObject.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObject.java
deleted file mode 100644
index 8619bceb..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObject.java
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.io.Serializable;
-import java.text.ParseException;
-
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-import net.minidev.json.JSONObject;
-
-
-/**
- * The base abstract class for unsecured (plain / {@code alg=none}), JSON Web
- * Signature (JWS) secured and JSON Web Encryption (JWE) secured objects.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-07-11
- */
-public abstract class JOSEObject implements Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The MIME type of JOSE objects serialised to a compact form:
- * {@code application/jose; charset=UTF-8}
- */
- public static final String MIME_TYPE_COMPACT = "application/jose; charset=UTF-8";
-
-
- /**
- * The MIME type of JOSE objects serialised to a JSON object form:
- * {@code application/jose+json; charset=UTF-8}
- */
- public static final String MIME_TYPE_JS = "application/jose+json; charset=UTF-8";
-
-
- /**
- * The payload (message), {@code null} if not specified.
- */
- private Payload payload;
-
-
- /**
- * The original parsed Base64URL parts, {@code null} if the JOSE object
- * was created from scratch. The individual parts may be empty or
- * {@code null} to indicate a missing part.
- */
- private Base64URL[] parsedParts;
-
-
- /**
- * Creates a new JOSE object. The payload and the original parsed
- * Base64URL parts are not defined.
- */
- protected JOSEObject() {
-
- payload = null;
- parsedParts = null;
- }
-
-
- /**
- * Creates a new JOSE object with the specified payload.
- *
- * @param payload The payload, {@code null} if not available (e.g for
- * an encrypted JWE object).
- */
- protected JOSEObject(final Payload payload) {
-
- this.payload = payload;
- }
-
-
- /**
- * Returns the header of this JOSE object.
- *
- * @return The header.
- */
- public abstract Header getHeader();
-
-
- /**
- * Sets the payload of this JOSE object.
- *
- * @param payload The payload, {@code null} if not available (e.g. for
- * an encrypted JWE object).
- */
- protected void setPayload(final Payload payload) {
-
- this.payload = payload;
- }
-
-
- /**
- * Returns the payload of this JOSE object.
- *
- * @return The payload, {@code null} if not available (for an encrypted
- * JWE object that hasn't been decrypted).
- */
- public Payload getPayload() {
-
- return payload;
- }
-
-
- /**
- * Sets the original parsed Base64URL parts used to create this JOSE
- * object.
- *
- * @param parts The original Base64URL parts used to creates this JOSE
- * object, {@code null} if the object was created from
- * scratch. The individual parts may be empty or
- * {@code null} to indicate a missing part.
- */
- protected void setParsedParts(final Base64URL... parts) {
-
- parsedParts = parts;
- }
-
-
- /**
- * Returns the original parsed Base64URL parts used to create this JOSE
- * object.
- *
- * @return The original Base64URL parts used to creates this JOSE
- * object, {@code null} if the object was created from scratch.
- * The individual parts may be empty or {@code null} to
- * indicate a missing part.
- */
- public Base64URL[] getParsedParts() {
-
- return parsedParts;
- }
-
-
- /**
- * Returns the original parsed string used to create this JOSE object.
- *
- * @see #getParsedParts
- *
- * @return The parsed string used to create this JOSE object,
- * {@code null} if the object was creates from scratch.
- */
- public String getParsedString() {
-
- if (parsedParts == null) {
- return null;
- }
-
- StringBuilder sb = new StringBuilder();
-
- for (Base64URL part: parsedParts) {
-
- if (sb.length() > 0) {
- sb.append('.');
- }
-
- if (part != null) {
- sb.append(part.toString());
- }
- }
-
- return sb.toString();
- }
-
-
- /**
- * Serialises this JOSE object to its compact format consisting of
- * Base64URL-encoded parts delimited by period ('.') characters.
- *
- * @return The serialised JOSE object.
- *
- * @throws IllegalStateException If the JOSE object is not in a state
- * that permits serialisation.
- */
- public abstract String serialize();
-
-
- /**
- * Splits a compact serialised JOSE object into its Base64URL-encoded
- * parts.
- *
- * @param s The compact serialised JOSE object to split. Must not be
- * {@code null}.
- *
- * @return The JOSE Base64URL-encoded parts (three for unsecured and
- * JWS objects, five for JWE objects).
- *
- * @throws ParseException If the specified string couldn't be split
- * into three or five Base64URL-encoded parts.
- */
- public static Base64URL[] split(final String s)
- throws ParseException {
-
- final String t = s.trim();
-
- // We must have 2 (JWS) or 4 dots (JWE)
-
- // String.split() cannot handle empty parts
- final int dot1 = t.indexOf(".");
-
- if (dot1 == -1) {
- throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Missing part delimiters", 0);
- }
-
- final int dot2 = t.indexOf(".", dot1 + 1);
-
- if (dot2 == -1) {
- throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Missing second delimiter", 0);
- }
-
- // Third dot for JWE only
- final int dot3 = t.indexOf(".", dot2 + 1);
-
- if (dot3 == -1) {
-
- // Two dots only? -> We have a JWS
- Base64URL[] parts = new Base64URL[3];
- parts[0] = new Base64URL(t.substring(0, dot1));
- parts[1] = new Base64URL(t.substring(dot1 + 1, dot2));
- parts[2] = new Base64URL(t.substring(dot2 + 1));
- return parts;
- }
-
- // Fourth final dot for JWE
- final int dot4 = t.indexOf(".", dot3 + 1);
-
- if (dot4 == -1) {
- throw new ParseException("Invalid serialized JWE object: Missing fourth delimiter", 0);
- }
-
- if (dot4 != -1 && t.indexOf(".", dot4 + 1) != -1) {
- throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Too many part delimiters", 0);
- }
-
- // Four dots -> five parts
- Base64URL[] parts = new Base64URL[5];
- parts[0] = new Base64URL(t.substring(0, dot1));
- parts[1] = new Base64URL(t.substring(dot1 + 1, dot2));
- parts[2] = new Base64URL(t.substring(dot2 + 1, dot3));
- parts[3] = new Base64URL(t.substring(dot3 + 1, dot4));
- parts[4] = new Base64URL(t.substring(dot4 + 1));
- return parts;
- }
-
-
- /**
- * Parses a JOSE object from the specified string in compact format.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The corresponding {@link PlainObject}, {@link JWSObject} or
- * {@link JWEObject} instance.
- *
- * @throws ParseException If the string couldn't be parsed to a valid
- * unsecured, JWS or JWE object.
- */
- public static JOSEObject parse(final String s)
- throws ParseException {
-
- Base64URL[] parts = split(s);
-
- JSONObject jsonObject;
-
- try {
- jsonObject = JSONObjectUtils.parse(parts[0].decodeToString());
-
- } catch (ParseException e) {
-
- throw new ParseException("Invalid unsecured/JWS/JWE header: " + e.getMessage(), 0);
- }
-
- Algorithm alg = Header.parseAlgorithm(jsonObject);
-
- if (alg.equals(Algorithm.NONE)) {
- return PlainObject.parse(s);
- } else if (alg instanceof JWSAlgorithm) {
- return JWSObject.parse(s);
- } else if (alg instanceof JWEAlgorithm) {
- return JWEObject.parse(s);
- } else {
- throw new AssertionError("Unexpected algorithm type: " + alg);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObjectType.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObjectType.java
deleted file mode 100644
index 611c5fea..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEObjectType.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.io.Serializable;
-
-import net.jcip.annotations.Immutable;
-
-import net.minidev.json.JSONAware;
-import net.minidev.json.JSONObject;
-
-
-/**
- * JOSE object type, represents the {@code typ} header parameter in unsecured,
- * JSON Web Signature (JWS) and JSON Web Encryption (JWE) objects. This class
- * is immutable.
- *
- *
Includes constants for the following standard types:
- *
- *
- * - {@link #JOSE}
- *
- {@link #JOSE_JSON JOSE+JSON}
- *
- {@link #JWT}
- *
- *
- * Additional types can be defined using the constructor.
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-02-15
- */
-@Immutable
-public final class JOSEObjectType implements JSONAware, Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * Compact encoded JOSE object type.
- */
- public static final JOSEObjectType JOSE = new JOSEObjectType("JOSE");
-
-
- /**
- * JSON-encoded JOSE object type..
- */
- public static final JOSEObjectType JOSE_JSON = new JOSEObjectType("JOSE+JSON");
-
-
- /**
- * JSON Web Token (JWT) object type.
- */
- public static final JOSEObjectType JWT = new JOSEObjectType("JWT");
-
-
- /**
- * The object type.
- */
- private final String type;
-
-
- /**
- * Creates a new JOSE object type.
- *
- * @param type The object type. Must not be {@code null}.
- */
- public JOSEObjectType(final String type) {
-
- if (type == null) {
- throw new IllegalArgumentException("The object type must not be null");
- }
-
- this.type = type;
- }
-
-
- /**
- * Gets the JOSE object type.
- *
- * @return The JOSE object type.
- */
- public String getType() {
-
- return type;
- }
-
-
- /**
- * Overrides {@code Object.hashCode()}.
- *
- * @return The object hash code.
- */
- @Override
- public int hashCode() {
-
- return type.hashCode();
- }
-
-
- /**
- * Overrides {@code Object.equals()}.
- *
- * @param object The object to compare to.
- *
- * @return {@code true} if the objects have the same value, otherwise
- * {@code false}.
- */
- @Override
- public boolean equals(final Object object) {
-
- return object != null &&
- object instanceof JOSEObjectType &&
- this.toString().equals(object.toString());
- }
-
-
- /**
- * Returns the string representation of this JOSE object type.
- *
- * @see #getType
- *
- * @return The string representation.
- */
- @Override
- public String toString() {
-
- return type;
- }
-
-
- /**
- * Returns the JSON string representation of this JOSE object type.
- *
- * @return The JSON string representation.
- */
- @Override
- public String toJSONString() {
-
- return "\"" + JSONObject.escape(type) + '"';
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEProvider.java
deleted file mode 100644
index 9859059e..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JOSEProvider.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * JavaScript Object Signing and Encryption (JOSE) provider.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-26
- */
-public interface JOSEProvider { }
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEAlgorithm.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEAlgorithm.java
deleted file mode 100644
index 29017e20..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEAlgorithm.java
+++ /dev/null
@@ -1,334 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import com.nimbusds.jose.util.ArrayUtils;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * JSON Web Encryption (JWE) algorithm name, represents the {@code alg} header
- * parameter in JWE objects. This class is immutable.
- *
- *
Includes constants for the following standard JWE algorithm names:
- *
- *
- * - {@link #RSA_OAEP_256 RSA-OAEP-256}
- *
- {@link #RSA_OAEP RSA-OAEP} (deprecated)
- *
- {@link #RSA1_5} (deprecated)
- *
- {@link #A128KW}
- *
- {@link #A192KW}
- *
- {@link #A256KW}
- *
- {@link #DIR dir}
- *
- {@link #ECDH_ES ECDH-ES}
- *
- {@link #ECDH_ES_A128KW ESDH-ES+A128KW}
- *
- {@link #ECDH_ES_A128KW ESDH-ES+A192KW}
- *
- {@link #ECDH_ES_A256KW ESDH-ES+A256KW}
- *
- {@link #PBES2_HS256_A128KW PBES2-HS256+A128KW}
- *
- {@link #PBES2_HS384_A192KW PBES2-HS256+A192KW}
- *
- {@link #PBES2_HS512_A256KW PBES2-HS256+A256KW}
- *
- *
- * Additional JWE algorithm names can be defined using the constructors.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-04-09
- */
-@Immutable
-public final class JWEAlgorithm extends Algorithm {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * RSAES-PKCS1-V1_5 (RFC 3447). Use of this RSA encryption algorithm is
- * no longer recommended, use {@link #RSA_OAEP_256} instead.
- */
- @Deprecated
- public static final JWEAlgorithm RSA1_5 = new JWEAlgorithm("RSA1_5", Requirement.REQUIRED);
-
-
- /**
- * RSAES using Optimal Asymmetric Encryption Padding (OAEP) (RFC 3447),
- * with the default parameters specified by RFC 3447 in section A.2.1.
- * Use of this encryption algorithm is no longer recommended, use
- * {@link #RSA_OAEP_256} instead.
- */
- @Deprecated
- public static final JWEAlgorithm RSA_OAEP = new JWEAlgorithm("RSA-OAEP", Requirement.OPTIONAL);
-
-
- /**
- * RSAES using Optimal Asymmetric Encryption Padding (OAEP) (RFC 3447),
- * with the SHA-256 hash function and the MGF1 with SHA-256 mask
- * generation function.
- */
- public static final JWEAlgorithm RSA_OAEP_256 = new JWEAlgorithm("RSA-OAEP-256", Requirement.OPTIONAL);
-
-
- /**
- * Advanced Encryption Standard (AES) Key Wrap Algorithm (RFC 3394)
- * using 128 bit keys.
- */
- public static final JWEAlgorithm A128KW = new JWEAlgorithm("A128KW", Requirement.RECOMMENDED);
-
-
- /**
- * Advanced Encryption Standard (AES) Key Wrap Algorithm (RFC 3394)
- * using 192 bit keys.
- */
- public static final JWEAlgorithm A192KW = new JWEAlgorithm("A192KW", Requirement.OPTIONAL);
-
-
- /**
- * Advanced Encryption Standard (AES) Key Wrap Algorithm (RFC 3394)
- * using 256 bit keys.
- */
- public static final JWEAlgorithm A256KW = new JWEAlgorithm("A256KW", Requirement.RECOMMENDED);
-
-
- /**
- * Direct use of a shared symmetric key as the Content Encryption Key
- * (CEK) for the block encryption step (rather than using the symmetric
- * key to wrap the CEK).
- */
- public static final JWEAlgorithm DIR = new JWEAlgorithm("dir", Requirement.RECOMMENDED);
-
-
- /**
- * Elliptic Curve Diffie-Hellman Ephemeral Static (RFC 6090) key
- * agreement using the Concat KDF, as defined in section 5.8.1 of
- * NIST.800-56A, with the agreed-upon key being used directly as the
- * Content Encryption Key (CEK) (rather than being used to wrap the
- * CEK).
- */
- public static final JWEAlgorithm ECDH_ES = new JWEAlgorithm("ECDH-ES", Requirement.RECOMMENDED);
-
-
- /**
- * Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per
- * "ECDH-ES", but where the agreed-upon key is used to wrap the Content
- * Encryption Key (CEK) with the "A128KW" function (rather than being
- * used directly as the CEK).
- */
- public static final JWEAlgorithm ECDH_ES_A128KW = new JWEAlgorithm("ECDH-ES+A128KW", Requirement.RECOMMENDED);
-
-
- /**
- * Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per
- * "ECDH-ES", but where the agreed-upon key is used to wrap the Content
- * Encryption Key (CEK) with the "A192KW" function (rather than being
- * used directly as the CEK).
- */
- public static final JWEAlgorithm ECDH_ES_A192KW = new JWEAlgorithm("ECDH-ES+A192KW", Requirement.OPTIONAL);
-
-
- /**
- * Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per
- * "ECDH-ES", but where the agreed-upon key is used to wrap the Content
- * Encryption Key (CEK) with the "A256KW" function (rather than being
- * used directly as the CEK).
- */
- public static final JWEAlgorithm ECDH_ES_A256KW = new JWEAlgorithm("ECDH-ES+A256KW", Requirement.RECOMMENDED);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) 128 bit keys.
- */
- public static final JWEAlgorithm A128GCMKW = new JWEAlgorithm("A128GCMKW", Requirement.OPTIONAL);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) 192 bit keys.
- */
- public static final JWEAlgorithm A192GCMKW = new JWEAlgorithm("A192GCMKW", Requirement.OPTIONAL);
-
-
- /**
- * AES in Galois/Counter Mode (GCM) (NIST.800-38D) 256 bit keys.
- */
- public static final JWEAlgorithm A256GCMKW = new JWEAlgorithm("A256GCMKW", Requirement.OPTIONAL);
-
-
- /**
- * PBES2 (RFC 2898) with HMAC SHA-256 as the PRF and AES Key Wrap
- * (RFC 3394) using 128 bit keys for the encryption scheme.
- */
- public static final JWEAlgorithm PBES2_HS256_A128KW = new JWEAlgorithm("PBES2-HS256+A128KW", Requirement.OPTIONAL);
-
-
- /**
- * PBES2 (RFC 2898) with HMAC SHA-384 as the PRF and AES Key Wrap
- * (RFC 3394) using 192 bit keys for the encryption scheme.
- */
- public static final JWEAlgorithm PBES2_HS384_A192KW = new JWEAlgorithm("PBES2-HS384+A192KW", Requirement.OPTIONAL);
-
-
- /**
- * PBES2 (RFC 2898) with HMAC SHA-512 as the PRF and AES Key Wrap
- * (RFC 3394) using 256 bit keys for the encryption scheme.
- */
- public static final JWEAlgorithm PBES2_HS512_A256KW = new JWEAlgorithm("PBES2-HS512+A256KW", Requirement.OPTIONAL);
-
-
- /**
- * JWE algorithm family.
- */
- public static final class Family extends AlgorithmFamily {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * RSA key encryption.
- */
- public static final Family RSA = new Family(RSA1_5, RSA_OAEP, RSA_OAEP_256);
-
-
- /**
- * AES key wrap.
- */
- public static final Family AES_KW = new Family(A128KW, A192KW, A256KW);
-
-
- /**
- * Elliptic Curve Diffie-Hellman Ephemeral Static key
- * agreement.
- */
- public static final Family ECDH_ES = new Family(JWEAlgorithm.ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW);
-
-
- /**
- * AES GCM key wrap.
- */
- public static final Family AES_GCM_KW = new Family(A128GCMKW, A192GCMKW, A256GCMKW);
-
-
- /**
- * Password-Based Cryptography Specification Version 2.0
- */
- public static final Family PBES2 = new Family(PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW);
-
-
- /**
- * Super family of all asymmetric (public / private key based)
- * JWE algorithms.
- */
- public static final Family ASYMMETRIC = new Family(ArrayUtils.concat(
- RSA.toArray(new JWEAlgorithm[]{}),
- ECDH_ES.toArray(new JWEAlgorithm[]{})));
-
-
- /**
- * Super family of all symmetric (shared key based) JWE
- * algorithms.
- */
- public static final Family SYMMETRIC = new Family(ArrayUtils.concat(
- AES_KW.toArray(new JWEAlgorithm[]{}),
- AES_GCM_KW.toArray(new JWEAlgorithm[]{}),
- new JWEAlgorithm[]{JWEAlgorithm.DIR}));
-
-
- /***
- * Creates a new JWE algorithm family.
- *
- * @param algs The JWE algorithms of the family. Must not be
- * {@code null}.
- */
- public Family(final JWEAlgorithm ... algs) {
- super(algs);
- }
- }
-
-
- /**
- * Creates a new JSON Web Encryption (JWE) algorithm.
- *
- * @param name The algorithm name. Must not be {@code null}.
- * @param req The implementation requirement, {@code null} if not
- * known.
- */
- public JWEAlgorithm(final String name, final Requirement req) {
-
- super(name, req);
- }
-
-
- /**
- * Creates a new JSON Web Encryption (JWE) algorithm.
- *
- * @param name The algorithm name. Must not be {@code null}.
- */
- public JWEAlgorithm(final String name) {
-
- super(name, null);
- }
-
-
- /**
- * Parses a JWE algorithm from the specified string.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The JWE algorithm (matching standard algorithm constant, else
- * a newly created algorithm).
- */
- public static JWEAlgorithm parse(final String s) {
-
- if (s.equals(RSA1_5.getName())) {
- return RSA1_5;
- } else if (s.equals(RSA_OAEP.getName())) {
- return RSA_OAEP;
- } else if (s.equals(RSA_OAEP_256.getName())) {
- return RSA_OAEP_256;
- } else if (s.equals(A128KW.getName())) {
- return A128KW;
- } else if (s.equals(A192KW.getName())) {
- return A192KW;
- } else if (s.equals(A256KW.getName())) {
- return A256KW;
- } else if (s.equals(DIR.getName())) {
- return DIR;
- } else if (s.equals(ECDH_ES.getName())) {
- return ECDH_ES;
- } else if (s.equals(ECDH_ES_A128KW.getName())) {
- return ECDH_ES_A128KW;
- } else if (s.equals(ECDH_ES_A192KW.getName())) {
- return ECDH_ES_A192KW;
- } else if (s.equals(ECDH_ES_A256KW.getName())) {
- return ECDH_ES_A256KW;
- } else if (s.equals(A128GCMKW.getName())) {
- return A128GCMKW;
- } else if (s.equals(A192GCMKW.getName())) {
- return A192GCMKW;
- } else if (s.equals(A256GCMKW.getName())) {
- return A256GCMKW;
- } else if (s.equals(PBES2_HS256_A128KW.getName())) {
- return PBES2_HS256_A128KW;
- } else if (s.equals(PBES2_HS384_A192KW.getName())) {
- return PBES2_HS384_A192KW;
- } else if (s.equals(PBES2_HS512_A256KW.getName())) {
- return PBES2_HS512_A256KW;
- } else {
- return new JWEAlgorithm(s);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWECryptoParts.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWECryptoParts.java
deleted file mode 100644
index 672d6c0e..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWECryptoParts.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import net.jcip.annotations.Immutable;
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * The cryptographic parts of a JSON Web Encryption (JWE) object. This class is
- * an immutable wrapper for returning the cipher text, initialisation vector
- * (IV), encrypted key and authentication authTag from {@link JWEEncrypter}
- * implementations.
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-07-11
- */
-@Immutable
-public final class JWECryptoParts {
-
-
- /**
- * The modified JWE header (optional).
- */
- private final JWEHeader header;
-
-
- /**
- * The encrypted key (optional).
- */
- private final Base64URL encryptedKey;
-
-
- /**
- * The initialisation vector (optional).
- */
- private final Base64URL iv;
-
-
- /**
- * The cipher text.
- */
- private final Base64URL cipherText;
-
-
- /**
- * The authentication tag (optional).
- */
- private final Base64URL authenticationTag;
-
-
- /**
- * Creates a new cryptographic JWE parts instance.
- *
- * @param encryptedKey The encrypted key, {@code null} if not
- * required by the encryption algorithm.
- * @param iv The initialisation vector (IV),
- * {@code null} if not required by the
- * encryption algorithm.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authenticationTag The authentication tag, {@code null} if the
- * JWE algorithm provides built-in integrity
- * check.
- */
- public JWECryptoParts(final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authenticationTag) {
-
- this(null, encryptedKey, iv, cipherText, authenticationTag);
- }
-
-
- /**
- * Creates a new cryptographic JWE parts instance.
- *
- * @param header The modified JWE header, {@code null} if
- * not.
- * @param encryptedKey The encrypted key, {@code null} if not
- * required by the encryption algorithm.
- * @param iv The initialisation vector (IV),
- * {@code null} if not required by the
- * encryption algorithm.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authenticationTag The authentication tag, {@code null} if the
- * JWE algorithm provides built-in integrity
- * check.
- */
- public JWECryptoParts(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authenticationTag) {
-
- this.header = header;
-
- this.encryptedKey = encryptedKey;
-
- this.iv = iv;
-
- if (cipherText == null) {
-
- throw new IllegalArgumentException("The cipher text must not be null");
- }
-
- this.cipherText = cipherText;
-
- this.authenticationTag = authenticationTag;
- }
-
-
- /**
- * Gets the modified JWE header.
- *
- * @return The modified JWE header, {@code null} of not.
- */
- public JWEHeader getHeader() {
-
- return header;
- }
-
-
- /**
- * Gets the encrypted key.
- *
- * @return The encrypted key, {@code null} if not required by
- * the JWE algorithm.
- */
- public Base64URL getEncryptedKey() {
-
- return encryptedKey;
- }
-
-
- /**
- * Gets the initialisation vector (IV).
- *
- * @return The initialisation vector (IV), {@code null} if not required
- * by the JWE algorithm.
- */
- public Base64URL getInitializationVector() {
-
- return iv;
- }
-
-
- /**
- * Gets the cipher text.
- *
- * @return The cipher text.
- */
- public Base64URL getCipherText() {
-
- return cipherText;
- }
-
-
- /**
- * Gets the authentication tag.
- *
- * @return The authentication tag, {@code null} if the encryption
- * algorithm provides built-in integrity checking.
- */
- public Base64URL getAuthenticationTag() {
-
- return authenticationTag;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEDecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEDecrypter.java
deleted file mode 100644
index f8633d9f..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEDecrypter.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * JSON Web Encryption (JWE) decrypter.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-04-21
- */
-public interface JWEDecrypter extends JWEProvider {
-
-
- /**
- * Decrypts the specified cipher text of a {@link JWEObject JWE Object}.
- *
- * @param header The JSON Web Encryption (JWE) header. Must
- * specify a supported JWE algorithm and method.
- * Must not be {@code null}.
- * @param encryptedKey The encrypted key, {@code null} if not required
- * by the JWE algorithm.
- * @param iv The initialisation vector, {@code null} if not
- * required by the JWE algorithm.
- * @param cipherText The cipher text to decrypt. Must not be
- * {@code null}.
- * @param authTag The authentication tag, {@code null} if not
- * required.
- *
- * @return The clear text.
- *
- * @throws JOSEException If the JWE algorithm or method is not
- * supported, if a critical header parameter is
- * not supported or marked for deferral to the
- * application, or if decryption failed for some
- * other reason.
- */
- byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException;
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEEncrypter.java
deleted file mode 100644
index 9cbdc018..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEEncrypter.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * JSON Web Encryption (JWE) encrypter.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-21
- */
-public interface JWEEncrypter extends JWEProvider {
-
-
- /**
- * Encrypts the specified clear text of a {@link JWEObject JWE object}.
- *
- * @param header The JSON Web Encryption (JWE) header. Must specify
- * a supported JWE algorithm and method. Must not be
- * {@code null}.
- * @param clearText The clear text to encrypt. Must not be {@code null}.
- *
- * @return The resulting JWE crypto parts.
- *
- * @throws JOSEException If the JWE algorithm or method is not
- * supported or if encryption failed for some
- * other internal reason.
- */
- JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException;
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEHeader.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEHeader.java
deleted file mode 100644
index 83533a49..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEHeader.java
+++ /dev/null
@@ -1,1290 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.net.URI;
-import java.text.ParseException;
-import java.util.*;
-
-import net.jcip.annotations.Immutable;
-
-import net.minidev.json.JSONObject;
-
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.util.Base64;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-import com.nimbusds.jose.util.X509CertChainUtils;
-
-
-/**
- * JSON Web Encryption (JWE) header. This class is immutable.
- *
- * Supports all {@link #getRegisteredParameterNames registered header
- * parameters} of the JWE specification:
- *
- *
- * - alg
- *
- enc
- *
- epk
- *
- zip
- *
- jku
- *
- jwk
- *
- x5u
- *
- x5t
- *
- x5t#S256
- *
- x5c
- *
- kid
- *
- typ
- *
- cty
- *
- crit
- *
- apu
- *
- apv
- *
- p2s
- *
- p2c
- *
- iv
- *
- authTag
- *
- *
- * The header may also include {@link #getCustomParams custom
- * parameters}; these will be serialised and parsed along the registered ones.
- *
- *
Example header:
- *
- *
- * {
- * "alg" : "RSA1_5",
- * "enc" : "A128CBC-HS256"
- * }
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-04-09
- */
-@Immutable
-public final class JWEHeader extends CommonSEHeader {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The registered parameter names.
- */
- private static final Set REGISTERED_PARAMETER_NAMES;
-
-
- /**
- * Initialises the registered parameter name set.
- */
- static {
- Set p = new HashSet<>();
-
- p.add("alg");
- p.add("enc");
- p.add("epk");
- p.add("zip");
- p.add("jku");
- p.add("jwk");
- p.add("x5u");
- p.add("x5t");
- p.add("x5t#S256");
- p.add("x5c");
- p.add("kid");
- p.add("typ");
- p.add("cty");
- p.add("crit");
- p.add("apu");
- p.add("apv");
- p.add("p2s");
- p.add("p2c");
- p.add("iv");
- p.add("authTag");
-
- REGISTERED_PARAMETER_NAMES = Collections.unmodifiableSet(p);
- }
-
-
- /**
- * Builder for constructing JSON Web Encryption (JWE) headers.
- *
- * Example usage:
- *
- *
- * JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA1_5, EncryptionMethod.A128GCM).
- * contentType("text/plain").
- * customParam("exp", new Date().getTime()).
- * build();
- *
- */
- public static class Builder {
-
-
- /**
- * The JWE algorithm.
- */
- private final JWEAlgorithm alg;
-
-
- /**
- * The encryption method.
- */
- private final EncryptionMethod enc;
-
-
- /**
- * The JOSE object type.
- */
- private JOSEObjectType typ;
-
-
- /**
- * The content type.
- */
- private String cty;
-
-
- /**
- * The critical headers.
- */
- private Set crit;
-
-
- /**
- * JWK Set URL.
- */
- private URI jku;
-
-
- /**
- * JWK.
- */
- private JWK jwk;
-
-
- /**
- * X.509 certificate URL.
- */
- private URI x5u;
-
-
- /**
- * X.509 certificate SHA-1 thumbprint.
- */
- @Deprecated
- private Base64URL x5t;
-
-
- /**
- * X.509 certificate SHA-256 thumbprint.
- */
- private Base64URL x5t256;
-
-
- /**
- * The X.509 certificate chain corresponding to the key used to
- * sign the JWS object.
- */
- private List x5c;
-
-
- /**
- * Key ID.
- */
- private String kid;
-
-
- /**
- * The ephemeral public key.
- */
- private JWK epk;
-
-
- /**
- * The compression algorithm.
- */
- private CompressionAlgorithm zip;
-
-
- /**
- * The agreement PartyUInfo.
- */
- private Base64URL apu;
-
-
- /**
- * The agreement PartyVInfo.
- */
- private Base64URL apv;
-
-
- /**
- * The PBES2 salt.
- */
- private Base64URL p2s;
-
-
- /**
- * The PBES2 count.
- */
- private int p2c;
-
-
- /**
- * The initialisation vector.
- */
- private Base64URL iv;
-
-
- /**
- * The authentication authTag.
- */
- private Base64URL tag;
-
-
- /**
- * Custom header parameters.
- */
- private Map customParams;
-
-
- /**
- * The parsed Base64URL.
- */
- private Base64URL parsedBase64URL;
-
-
- /**
- * Creates a new JWE header builder.
- *
- * @param alg The JWE algorithm ({@code alg}) parameter. Must
- * not be "none" or {@code null}.
- * @param enc The encryption method. Must not be {@code null}.
- */
- public Builder(final JWEAlgorithm alg, final EncryptionMethod enc) {
-
- if (alg.getName().equals(Algorithm.NONE.getName())) {
- throw new IllegalArgumentException("The JWE algorithm \"alg\" cannot be \"none\"");
- }
-
- this.alg = alg;
-
- if (enc == null) {
- throw new IllegalArgumentException("The encryption method \"enc\" parameter must not be null");
- }
-
- this.enc = enc;
- }
-
-
- /**
- * Creates a new JWE header builder with the parameters from
- * the specified header.
- *
- * @param jweHeader The JWE header to use. Must not not be
- * {@code null}.
- */
- public Builder(final JWEHeader jweHeader) {
-
- this(jweHeader.getAlgorithm(), jweHeader.getEncryptionMethod());
-
- typ = jweHeader.getType();
- cty = jweHeader.getContentType();
- crit = jweHeader.getCriticalParams();
- customParams = jweHeader.getCustomParams();
-
- jku = jweHeader.getJWKURL();
- jwk = jweHeader.getJWK();
- x5u = jweHeader.getX509CertURL();
- x5t = jweHeader.getX509CertThumbprint();
- x5t256 = jweHeader.getX509CertSHA256Thumbprint();
- x5c = jweHeader.getX509CertChain();
- kid = jweHeader.getKeyID();
-
- epk = jweHeader.getEphemeralPublicKey();
- zip = jweHeader.getCompressionAlgorithm();
- apu = jweHeader.getAgreementPartyUInfo();
- apv = jweHeader.getAgreementPartyVInfo();
- p2s = jweHeader.getPBES2Salt();
- p2c = jweHeader.getPBES2Count();
- iv = jweHeader.getIV();
- tag = jweHeader.getAuthTag();
-
- customParams = jweHeader.getCustomParams();
- }
-
-
- /**
- * Sets the type ({@code typ}) parameter.
- *
- * @param typ The type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder type(final JOSEObjectType typ) {
-
- this.typ = typ;
- return this;
- }
-
-
- /**
- * Sets the content type ({@code cty}) parameter.
- *
- * @param cty The content type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder contentType(final String cty) {
-
- this.cty = cty;
- return this;
- }
-
-
- /**
- * Sets the critical header parameters ({@code crit})
- * parameter.
- *
- * @param crit The names of the critical header parameters,
- * empty set or {@code null} if none.
- *
- * @return This builder.
- */
- public Builder criticalParams(final Set crit) {
-
- this.crit = crit;
- return this;
- }
-
-
- /**
- * Sets the JSON Web Key (JWK) Set URL ({@code jku}) parameter.
- *
- * @param jku The JSON Web Key (JWK) Set URL parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder jwkURL(final URI jku) {
-
- this.jku = jku;
- return this;
- }
-
-
- /**
- * Sets the JSON Web Key (JWK) ({@code jwk}) parameter.
- *
- * @param jwk The JSON Web Key (JWK) ({@code jwk}) parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder jwk(final JWK jwk) {
-
- this.jwk = jwk;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate URL ({@code x5u}) parameter.
- *
- * @param x5u The X.509 certificate URL parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertURL(final URI x5u) {
-
- this.x5u = x5u;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-1 thumbprint ({@code x5t})
- * parameter.
- *
- * @param x5t The X.509 certificate SHA-1 thumbprint parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- @Deprecated
- public Builder x509CertThumbprint(final Base64URL x5t) {
-
- this.x5t = x5t;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-256 thumbprint
- * ({@code x5t#s256}) parameter.
- *
- * @param x5t256 The X.509 certificate SHA-256 thumbprint
- * parameter, {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertSHA256Thumbprint(final Base64URL x5t256) {
-
- this.x5t256 = x5t256;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate chain parameter ({@code x5c})
- * corresponding to the key used to sign the JWS object.
- *
- * @param x5c The X.509 certificate chain parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertChain(final List x5c) {
-
- this.x5c = x5c;
- return this;
- }
-
-
- /**
- * Sets the key ID ({@code kid}) parameter.
- *
- * @param kid The key ID parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder keyID(final String kid) {
-
- this.kid = kid;
- return this;
- }
-
-
- /**
- * Sets the Ephemeral Public Key ({@code epk}) parameter.
- *
- * @param epk The Ephemeral Public Key parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder ephemeralPublicKey(final JWK epk) {
-
- this.epk = epk;
- return this;
- }
-
-
- /**
- * Sets the compression algorithm ({@code zip}) parameter.
- *
- * @param zip The compression algorithm parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder compressionAlgorithm(final CompressionAlgorithm zip) {
-
- this.zip = zip;
- return this;
- }
-
-
- /**
- * Sets the agreement PartyUInfo ({@code apu}) parameter.
- *
- * @param apu The agreement PartyUInfo parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder agreementPartyUInfo(final Base64URL apu) {
-
- this.apu = apu;
- return this;
- }
-
-
- /**
- * Sets the agreement PartyVInfo ({@code apv}) parameter.
- *
- * @param apv The agreement PartyVInfo parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder agreementPartyVInfo(final Base64URL apv) {
-
- this.apv = apv;
- return this;
- }
-
-
- /**
- * Sets the PBES2 salt ({@code p2s}) parameter.
- *
- * @param p2s The PBES2 salt parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder pbes2Salt(final Base64URL p2s) {
-
- this.p2s = p2s;
- return this;
- }
-
-
- /**
- * Sets the PBES2 count ({@code p2c}) parameter.
- *
- * @param p2c The PBES2 count parameter, zero if not specified.
- * Must not be negative.
- *
- * @return This builder.
- */
- public Builder pbes2Count(final int p2c) {
-
- if (p2c < 0)
- throw new IllegalArgumentException("The PBES2 count parameter must not be negative");
-
- this.p2c = p2c;
- return this;
- }
-
-
- /**
- * Sets the initialisation vector ({@code iv}) parameter.
- *
- * @param iv The initialisation vector, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder iv(final Base64URL iv) {
-
- this.iv = iv;
- return this;
- }
-
-
- /**
- * Sets the authentication tag ({@code tag}) parameter.
- *
- * @param tag The authentication tag, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder authTag(final Base64URL tag) {
-
- this.tag = tag;
- return this;
- }
-
-
- /**
- * Sets a custom (non-registered) parameter.
- *
- * @param name The name of the custom parameter. Must not
- * match a registered parameter name and must not
- * be {@code null}.
- * @param value The value of the custom parameter, should map
- * to a valid JSON entity, {@code null} if not
- * specified.
- *
- * @return This builder.
- *
- * @throws IllegalArgumentException If the specified parameter
- * name matches a registered
- * parameter name.
- */
- public Builder customParam(final String name, final Object value) {
-
- if (getRegisteredParameterNames().contains(name)) {
- throw new IllegalArgumentException("The parameter name \"" + name + "\" matches a registered name");
- }
-
- if (customParams == null) {
- customParams = new HashMap<>();
- }
-
- customParams.put(name, value);
-
- return this;
- }
-
-
- /**
- * Sets the custom (non-registered) parameters. The values must
- * be serialisable to a JSON entity, otherwise will be ignored.
- *
- * @param customParameters The custom parameters, empty map or
- * {@code null} if none.
- *
- * @return This builder.
- */
- public Builder customParams(final Map customParameters) {
-
- this.customParams = customParameters;
- return this;
- }
-
-
- /**
- * Sets the parsed Base64URL.
- *
- * @param base64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- *
- * @return This builder.
- */
- public Builder parsedBase64URL(final Base64URL base64URL) {
-
- this.parsedBase64URL = base64URL;
- return this;
- }
-
-
- /**
- * Builds a new JWE header.
- *
- * @return The JWE header.
- */
- public JWEHeader build() {
-
- return new JWEHeader(
- alg, enc, typ, cty, crit,
- jku, jwk, x5u, x5t, x5t256, x5c, kid,
- epk, zip, apu, apv, p2s, p2c,
- iv, tag,
- customParams, parsedBase64URL);
- }
- }
-
-
- /**
- * The encryption method ({@code enc}) parameter.
- */
- private final EncryptionMethod enc;
-
-
- /**
- * The ephemeral public key ({@code epk}) parameter.
- */
- private final JWK epk;
-
-
- /**
- * The compression algorithm ({@code zip}) parameter.
- */
- private final CompressionAlgorithm zip;
-
-
- /**
- * The agreement PartyUInfo ({@code apu}) parameter.
- */
- private final Base64URL apu;
-
-
- /**
- * The agreement PartyVInfo ({@code apv}) parameter.
- */
- private final Base64URL apv;
-
-
- /**
- * The PBES2 salt ({@code p2s}) parameter.
- */
- private final Base64URL p2s;
-
-
- /**
- * The PBES2 count ({@code p2c}) parameter.
- */
- private final int p2c;
-
-
- /**
- * The initialisation vector ({@code iv}) parameter.
- */
- private final Base64URL iv;
-
-
- /**
- * The authentication tag ({@code tag}) parameter.
- */
- private final Base64URL tag;
-
-
- /**
- * Creates a new minimal JSON Web Encryption (JWE) header.
- *
- * Note: Use {@link PlainHeader} to create a header with algorithm
- * {@link Algorithm#NONE none}.
- *
- * @param alg The JWE algorithm parameter. Must not be "none" or
- * {@code null}.
- * @param enc The encryption method parameter. Must not be
- * {@code null}.
- */
- public JWEHeader(final JWEAlgorithm alg, final EncryptionMethod enc) {
-
- this(
- alg, enc,
- null, null, null, null, null, null, null, null, null, null,
- null, null, null, null, null, 0,
- null, null,
- null, null);
- }
-
-
- /**
- * Creates a new JSON Web Encryption (JWE) header.
- *
- *
Note: Use {@link PlainHeader} to create a header with algorithm
- * {@link Algorithm#NONE none}.
- *
- * @param alg The JWE algorithm ({@code alg}) parameter.
- * Must not be "none" or {@code null}.
- * @param enc The encryption method parameter. Must not be
- * {@code null}.
- * @param typ The type ({@code typ}) parameter,
- * {@code null} if not specified.
- * @param cty The content type ({@code cty}) parameter,
- * {@code null} if not specified.
- * @param crit The names of the critical header
- * ({@code crit}) parameters, empty set or
- * {@code null} if none.
- * @param jku The JSON Web Key (JWK) Set URL ({@code jku})
- * parameter, {@code null} if not specified.
- * @param jwk The X.509 certificate URL ({@code jwk})
- * parameter, {@code null} if not specified.
- * @param x5u The X.509 certificate URL parameter
- * ({@code x5u}), {@code null} if not specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint
- * ({@code x5t}) parameter, {@code null} if not
- * specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint
- * ({@code x5t#S256}) parameter, {@code null} if
- * not specified.
- * @param x5c The X.509 certificate chain ({@code x5c})
- * parameter, {@code null} if not specified.
- * @param kid The key ID ({@code kid}) parameter,
- * {@code null} if not specified.
- * @param epk The Ephemeral Public Key ({@code epk})
- * parameter, {@code null} if not specified.
- * @param zip The compression algorithm ({@code zip})
- * parameter, {@code null} if not specified.
- * @param apu The agreement PartyUInfo ({@code apu})
- * parameter, {@code null} if not specified.
- * @param apv The agreement PartyVInfo ({@code apv})
- * parameter, {@code null} if not specified.
- * @param p2s The PBES2 salt ({@code p2s}) parameter,
- * {@code null} if not specified.
- * @param p2c The PBES2 count ({@code p2c}) parameter, zero
- * if not specified. Must not be negative.
- * @param iv The initialisation vector ({@code iv})
- * parameter, {@code null} if not specified.
- * @param tag The authentication tag ({@code tag})
- * parameter, {@code null} if not specified.
- * @param customParams The custom parameters, empty map or
- * {@code null} if none.
- * @param parsedBase64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- */
- public JWEHeader(final Algorithm alg,
- final EncryptionMethod enc,
- final JOSEObjectType typ,
- final String cty,
- final Set crit,
- final URI jku,
- final JWK jwk,
- final URI x5u,
- final Base64URL x5t,
- final Base64URL x5t256,
- final List x5c,
- final String kid,
- final JWK epk,
- final CompressionAlgorithm zip,
- final Base64URL apu,
- final Base64URL apv,
- final Base64URL p2s,
- final int p2c,
- final Base64URL iv,
- final Base64URL tag,
- final Map customParams,
- final Base64URL parsedBase64URL) {
-
- super(alg, typ, cty, crit, jku, jwk, x5u, x5t, x5t256, x5c, kid, customParams, parsedBase64URL);
-
- if (alg.getName().equals(Algorithm.NONE.getName())) {
- throw new IllegalArgumentException("The JWE algorithm cannot be \"none\"");
- }
-
- if (enc == null) {
- throw new IllegalArgumentException("The encryption method \"enc\" parameter must not be null");
- }
-
- if (epk != null && epk.isPrivate()) {
- throw new IllegalArgumentException("Ephemeral public key should not be a private key");
- }
-
- this.enc = enc;
-
- this.epk = epk;
- this.zip = zip;
- this.apu = apu;
- this.apv = apv;
- this.p2s = p2s;
- this.p2c = p2c;
- this.iv = iv;
- this.tag = tag;
- }
-
-
- /**
- * Deep copy constructor.
- *
- * @param jweHeader The JWE header to copy. Must not be {@code null}.
- */
- public JWEHeader(final JWEHeader jweHeader) {
-
- this(
- jweHeader.getAlgorithm(),
- jweHeader.getEncryptionMethod(),
- jweHeader.getType(),
- jweHeader.getContentType(),
- jweHeader.getCriticalParams(),
- jweHeader.getJWKURL(),
- jweHeader.getJWK(),
- jweHeader.getX509CertURL(),
- jweHeader.getX509CertThumbprint(),
- jweHeader.getX509CertSHA256Thumbprint(),
- jweHeader.getX509CertChain(),
- jweHeader.getKeyID(),
- jweHeader.getEphemeralPublicKey(),
- jweHeader.getCompressionAlgorithm(),
- jweHeader.getAgreementPartyUInfo(),
- jweHeader.getAgreementPartyVInfo(),
- jweHeader.getPBES2Salt(),
- jweHeader.getPBES2Count(),
- jweHeader.getIV(),
- jweHeader.getAuthTag(),
- jweHeader.getCustomParams(),
- jweHeader.getParsedBase64URL()
- );
- }
-
-
- /**
- * Gets the registered parameter names for JWE headers.
- *
- * @return The registered parameter names, as an unmodifiable set.
- */
- public static Set getRegisteredParameterNames() {
-
- return REGISTERED_PARAMETER_NAMES;
- }
-
-
- /**
- * Gets the algorithm ({@code alg}) parameter.
- *
- * @return The algorithm parameter.
- */
- public JWEAlgorithm getAlgorithm() {
-
- return (JWEAlgorithm)super.getAlgorithm();
- }
-
-
- /**
- * Gets the encryption method ({@code enc}) parameter.
- *
- * @return The encryption method parameter.
- */
- public EncryptionMethod getEncryptionMethod() {
-
- return enc;
- }
-
-
- /**
- * Gets the Ephemeral Public Key ({@code epk}) parameter.
- *
- * @return The Ephemeral Public Key parameter, {@code null} if not
- * specified.
- */
- public JWK getEphemeralPublicKey() {
-
- return epk;
- }
-
-
- /**
- * Gets the compression algorithm ({@code zip}) parameter.
- *
- * @return The compression algorithm parameter, {@code null} if not
- * specified.
- */
- public CompressionAlgorithm getCompressionAlgorithm() {
-
- return zip;
- }
-
-
- /**
- * Gets the agreement PartyUInfo ({@code apu}) parameter.
- *
- * @return The agreement PartyUInfo parameter, {@code null} if not
- * specified.
- */
- public Base64URL getAgreementPartyUInfo() {
-
- return apu;
- }
-
-
- /**
- * Gets the agreement PartyVInfo ({@code apv}) parameter.
- *
- * @return The agreement PartyVInfo parameter, {@code null} if not
- * specified.
- */
- public Base64URL getAgreementPartyVInfo() {
-
- return apv;
- }
-
-
- /**
- * Gets the PBES2 salt ({@code p2s}) parameter.
- *
- * @return The PBES2 salt parameter, {@code null} if not specified.
- */
- public Base64URL getPBES2Salt() {
-
- return p2s;
- }
-
-
- /**
- * Gets the PBES2 count ({@code p2c}) parameter.
- *
- * @return The PBES2 count parameter, zero if not specified.
- */
- public int getPBES2Count() {
-
- return p2c;
- }
-
-
- /**
- * Gets the initialisation vector ({@code iv}) parameter.
- *
- * @return The initialisation vector, {@code null} if not specified.
- */
- public Base64URL getIV() {
-
- return iv;
- }
-
-
- /**
- * Gets the authentication tag ({@code tag}) parameter.
- *
- * @return The authentication tag, {@code null} if not specified.
- */
- public Base64URL getAuthTag() {
-
- return tag;
- }
-
-
- @Override
- public Set getIncludedParams() {
-
- Set includedParameters = super.getIncludedParams();
-
- if (enc != null) {
- includedParameters.add("enc");
- }
-
- if (epk != null) {
- includedParameters.add("epk");
- }
-
- if (zip != null) {
- includedParameters.add("zip");
- }
-
- if (apu != null) {
- includedParameters.add("apu");
- }
-
- if (apv != null) {
- includedParameters.add("apv");
- }
-
- if (p2s != null) {
- includedParameters.add("p2s");
- }
-
- if (p2c > 0) {
- includedParameters.add("p2c");
- }
-
- if (iv != null) {
- includedParameters.add("iv");
- }
-
- if (tag != null) {
- includedParameters.add("tag");
- }
-
- return includedParameters;
- }
-
-
- @Override
- public JSONObject toJSONObject() {
-
- JSONObject o = super.toJSONObject();
-
- if (enc != null) {
- o.put("enc", enc.toString());
- }
-
- if (epk != null) {
- o.put("epk", epk.toJSONObject());
- }
-
- if (zip != null) {
- o.put("zip", zip.toString());
- }
-
- if (apu != null) {
- o.put("apu", apu.toString());
- }
-
- if (apv != null) {
- o.put("apv", apv.toString());
- }
-
- if (p2s != null) {
- o.put("p2s", p2s.toString());
- }
-
- if (p2c > 0) {
- o.put("p2c", p2c);
- }
-
- if (iv != null) {
- o.put("iv", iv.toString());
- }
-
- if (tag != null) {
- o.put("tag", tag.toString());
- }
-
- return o;
- }
-
-
- /**
- * Parses an encryption method ({@code enc}) parameter from the
- * specified JWE header JSON object.
- *
- * @param json The JSON object to parse. Must not be {@code null}.
- *
- * @return The encryption method.
- *
- * @throws ParseException If the {@code enc} parameter couldn't be
- * parsed.
- */
- private static EncryptionMethod parseEncryptionMethod(final JSONObject json)
- throws ParseException {
-
- return EncryptionMethod.parse(JSONObjectUtils.getString(json, "enc"));
- }
-
-
- /**
- * Parses a JWE header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- *
- * @return The JWE header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid JWE header.
- */
- public static JWEHeader parse(final JSONObject jsonObject)
- throws ParseException {
-
- return parse(jsonObject, null);
- }
-
-
- /**
- * Parses a JWE header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The JWE header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid JWE header.
- */
- public static JWEHeader parse(final JSONObject jsonObject,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- // Get the "alg" parameter
- Algorithm alg = Header.parseAlgorithm(jsonObject);
-
- if (! (alg instanceof JWEAlgorithm)) {
- throw new ParseException("The algorithm \"alg\" header parameter must be for encryption", 0);
- }
-
- // Get the "enc" parameter
- EncryptionMethod enc = parseEncryptionMethod(jsonObject);
-
- JWEHeader.Builder header = new Builder((JWEAlgorithm)alg, enc).parsedBase64URL(parsedBase64URL);
-
- // Parse optional + custom parameters
- for(final String name: jsonObject.keySet()) {
-
- if("alg".equals(name)) {
- // skip
- } else if("enc".equals(name)) {
- // skip
- } else if("typ".equals(name)) {
- header = header.type(new JOSEObjectType(JSONObjectUtils.getString(jsonObject, name)));
- } else if("cty".equals(name)) {
- header = header.contentType(JSONObjectUtils.getString(jsonObject, name));
- } else if("crit".equals(name)) {
- header = header.criticalParams(new HashSet<>(JSONObjectUtils.getStringList(jsonObject, name)));
- } else if("jku".equals(name)) {
- header = header.jwkURL(JSONObjectUtils.getURI(jsonObject, name));
- } else if("jwk".equals(name)) {
- header = header.jwk(JWK.parse(JSONObjectUtils.getJSONObject(jsonObject, name)));
- } else if("x5u".equals(name)) {
- header = header.x509CertURL(JSONObjectUtils.getURI(jsonObject, name));
- } else if("x5t".equals(name)) {
- header = header.x509CertThumbprint(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("x5t#S256".equals(name)) {
- header = header.x509CertSHA256Thumbprint(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("x5c".equals(name)) {
- header = header.x509CertChain(X509CertChainUtils.toBase64List(JSONObjectUtils.getJSONArray(jsonObject, name)));
- } else if("kid".equals(name)) {
- header = header.keyID(JSONObjectUtils.getString(jsonObject, name));
- } else if("epk".equals(name)) {
- header = header.ephemeralPublicKey(JWK.parse(JSONObjectUtils.getJSONObject(jsonObject, name)));
- } else if("zip".equals(name)) {
- header = header.compressionAlgorithm(new CompressionAlgorithm(JSONObjectUtils.getString(jsonObject, name)));
- } else if("apu".equals(name)) {
- header = header.agreementPartyUInfo(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("apv".equals(name)) {
- header = header.agreementPartyVInfo(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("p2s".equals(name)) {
- header = header.pbes2Salt(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("p2c".equals(name)) {
- header = header.pbes2Count(JSONObjectUtils.getInt(jsonObject, name));
- } else if("iv".equals(name)) {
- header = header.iv(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("tag".equals(name)) {
- header = header.authTag(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else {
- header = header.customParam(name, jsonObject.get(name));
- }
- }
-
- return header.build();
- }
-
-
- /**
- * Parses a JWE header from the specified JSON object string.
- *
- * @param jsonString The JSON object string to parse. Must not be {@code null}.
- *
- * @return The JWE header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid JWE header.
- */
- public static JWEHeader parse(final String jsonString)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(jsonString), null);
- }
-
-
- /**
- * Parses a JWE header from the specified JSON object string.
- *
- * @param jsonString The JSON string to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The JWE header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid JWE header.
- */
- public static JWEHeader parse(final String jsonString,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(jsonString), parsedBase64URL);
- }
-
-
- /**
- * Parses a JWE header from the specified Base64URL.
- *
- * @param base64URL The Base64URL to parse. Must not be {@code null}.
- *
- * @return The JWE header.
- *
- * @throws ParseException If the specified Base64URL doesn't represent
- * a valid JWE header.
- */
- public static JWEHeader parse(final Base64URL base64URL)
- throws ParseException {
-
- return parse(base64URL.decodeToString(), base64URL);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEObject.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEObject.java
deleted file mode 100644
index 899d05b2..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEObject.java
+++ /dev/null
@@ -1,511 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.text.ParseException;
-
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * JSON Web Encryption (JWE) secured object. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-04-13
- */
-@ThreadSafe
-public class JWEObject extends JOSEObject {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * Enumeration of the states of a JSON Web Encryption (JWE) object.
- */
- public enum State {
-
-
- /**
- * The JWE object is created but not encrypted yet.
- */
- UNENCRYPTED,
-
-
- /**
- * The JWE object is encrypted.
- */
- ENCRYPTED,
-
-
- /**
- * The JWE object is decrypted.
- */
- DECRYPTED
- }
-
-
- /**
- * The header.
- */
- private JWEHeader header;
-
-
- /**
- * The encrypted key, {@code null} if not computed or applicable.
- */
- private Base64URL encryptedKey;
-
-
- /**
- * The initialisation vector, {@code null} if not generated or
- * applicable.
- */
- private Base64URL iv;
-
-
- /**
- * The cipher text, {@code null} if not computed.
- */
- private Base64URL cipherText;
-
-
- /**
- * The authentication tag, {@code null} if not computed or applicable.
- */
- private Base64URL authTag;
-
-
- /**
- * The JWE object state.
- */
- private State state;
-
-
- /**
- * Creates a new to-be-encrypted JSON Web Encryption (JWE) object with
- * the specified header and payload. The initial state will be
- * {@link State#UNENCRYPTED unencrypted}.
- *
- * @param header The JWE header. Must not be {@code null}.
- * @param payload The payload. Must not be {@code null}.
- */
- public JWEObject(final JWEHeader header, final Payload payload) {
-
- if (header == null) {
-
- throw new IllegalArgumentException("The JWE header must not be null");
- }
-
- this.header = header;
-
- if (payload == null) {
-
- throw new IllegalArgumentException("The payload must not be null");
- }
-
- setPayload(payload);
-
- encryptedKey = null;
-
- cipherText = null;
-
- state = State.UNENCRYPTED;
- }
-
-
- /**
- * Creates a new encrypted JSON Web Encryption (JWE) object with the
- * specified serialised parts. The state will be {@link State#ENCRYPTED
- * encrypted}.
- *
- * @param firstPart The first part, corresponding to the JWE header.
- * Must not be {@code null}.
- * @param secondPart The second part, corresponding to the encrypted
- * key. Empty or {@code null} if none.
- * @param thirdPart The third part, corresponding to the
- * initialisation vector. Empty or {@code null} if
- * none.
- * @param fourthPart The fourth part, corresponding to the cipher text.
- * Must not be {@code null}.
- * @param fifthPart The fifth part, corresponding to the
- * authentication tag. Empty of {@code null} if none.
- *
- * @throws ParseException If parsing of the serialised parts failed.
- */
- public JWEObject(final Base64URL firstPart,
- final Base64URL secondPart,
- final Base64URL thirdPart,
- final Base64URL fourthPart,
- final Base64URL fifthPart)
- throws ParseException {
-
- if (firstPart == null) {
-
- throw new IllegalArgumentException("The first part must not be null");
- }
-
- try {
- this.header = JWEHeader.parse(firstPart);
-
- } catch (ParseException e) {
-
- throw new ParseException("Invalid JWE header: " + e.getMessage(), 0);
- }
-
- if (secondPart == null || secondPart.toString().isEmpty()) {
-
- encryptedKey = null;
-
- } else {
-
- encryptedKey = secondPart;
- }
-
- if (thirdPart == null || thirdPart.toString().isEmpty()) {
-
- iv = null;
-
- } else {
-
- iv = thirdPart;
- }
-
- if (fourthPart == null) {
-
- throw new IllegalArgumentException("The fourth part must not be null");
- }
-
- cipherText = fourthPart;
-
- if (fifthPart == null || fifthPart.toString().isEmpty()) {
-
- authTag = null;
-
- } else {
-
- authTag = fifthPart;
- }
-
- state = State.ENCRYPTED; // but not decrypted yet!
-
- setParsedParts(firstPart, secondPart, thirdPart, fourthPart, fifthPart);
- }
-
-
- @Override
- public JWEHeader getHeader() {
-
- return header;
- }
-
-
- /**
- * Returns the encrypted key of this JWE object.
- *
- * @return The encrypted key, {@code null} not applicable or the JWE
- * object has not been encrypted yet.
- */
- public Base64URL getEncryptedKey() {
-
- return encryptedKey;
- }
-
-
- /**
- * Returns the initialisation vector (IV) of this JWE object.
- *
- * @return The initialisation vector (IV), {@code null} if not
- * applicable or the JWE object has not been encrypted yet.
- */
- public Base64URL getIV() {
-
- return iv;
- }
-
-
- /**
- * Returns the cipher text of this JWE object.
- *
- * @return The cipher text, {@code null} if the JWE object has not been
- * encrypted yet.
- */
- public Base64URL getCipherText() {
-
- return cipherText;
- }
-
-
- /**
- * Returns the authentication tag of this JWE object.
- *
- * @return The authentication tag, {@code null} if not applicable or
- * the JWE object has not been encrypted yet.
- */
- public Base64URL getAuthTag() {
-
- return authTag;
- }
-
-
- /**
- * Returns the state of this JWE object.
- *
- * @return The state.
- */
- public State getState() {
-
- return state;
- }
-
-
- /**
- * Ensures the current state is {@link State#UNENCRYPTED unencrypted}.
- *
- * @throws IllegalStateException If the current state is not
- * unencrypted.
- */
- private void ensureUnencryptedState() {
-
- if (state != State.UNENCRYPTED) {
-
- throw new IllegalStateException("The JWE object must be in an unencrypted state");
- }
- }
-
-
- /**
- * Ensures the current state is {@link State#ENCRYPTED encrypted}.
- *
- * @throws IllegalStateException If the current state is not encrypted.
- */
- private void ensureEncryptedState() {
-
- if (state != State.ENCRYPTED) {
-
- throw new IllegalStateException("The JWE object must be in an encrypted state");
- }
- }
-
-
- /**
- * Ensures the current state is {@link State#ENCRYPTED encrypted} or
- * {@link State#DECRYPTED decrypted}.
- *
- * @throws IllegalStateException If the current state is not encrypted
- * or decrypted.
- */
- private void ensureEncryptedOrDecryptedState() {
-
- if (state != State.ENCRYPTED && state != State.DECRYPTED) {
-
- throw new IllegalStateException("The JWE object must be in an encrypted or decrypted state");
- }
- }
-
-
- /**
- * Ensures the specified JWE encrypter supports the algorithms of this
- * JWE object.
- *
- * @throws JOSEException If the JWE algorithms are not supported.
- */
- private void ensureJWEEncrypterSupport(final JWEEncrypter encrypter)
- throws JOSEException {
-
- if (! encrypter.supportedJWEAlgorithms().contains(getHeader().getAlgorithm())) {
-
- throw new JOSEException("The \"" + getHeader().getAlgorithm() +
- "\" algorithm is not supported by the JWE encrypter: Supported algorithms: " + encrypter.supportedJWEAlgorithms());
- }
-
- if (! encrypter.supportedEncryptionMethods().contains(getHeader().getEncryptionMethod())) {
-
- throw new JOSEException("The \"" + getHeader().getEncryptionMethod() +
- "\" encryption method or key size is not supported by the JWE encrypter: Supported methods: " + encrypter.supportedEncryptionMethods());
- }
- }
-
-
- /**
- * Encrypts this JWE object with the specified encrypter. The JWE
- * object must be in an {@link State#UNENCRYPTED unencrypted} state.
- *
- * @param encrypter The JWE encrypter. Must not be {@code null}.
- *
- * @throws IllegalStateException If the JWE object is not in an
- * {@link State#UNENCRYPTED unencrypted
- * state}.
- * @throws JOSEException If the JWE object couldn't be
- * encrypted.
- */
- public synchronized void encrypt(final JWEEncrypter encrypter)
- throws JOSEException {
-
- ensureUnencryptedState();
-
- ensureJWEEncrypterSupport(encrypter);
-
- JWECryptoParts parts;
-
- try {
- parts = encrypter.encrypt(getHeader(), getPayload().toBytes());
-
- } catch (JOSEException e) {
-
- throw e;
-
- } catch (Exception e) {
-
- // Prevent throwing unchecked exceptions at this point,
- // see issue #20
- throw new JOSEException(e.getMessage(), e);
- }
-
- // Check if the header has been modified
- if (parts.getHeader() != null) {
- header = parts.getHeader();
- }
-
- encryptedKey = parts.getEncryptedKey();
- iv = parts.getInitializationVector();
- cipherText = parts.getCipherText();
- authTag = parts.getAuthenticationTag();
-
- state = State.ENCRYPTED;
- }
-
-
- /**
- * Decrypts this JWE object with the specified decrypter. The JWE
- * object must be in a {@link State#ENCRYPTED encrypted} state.
- *
- * @param decrypter The JWE decrypter. Must not be {@code null}.
- *
- * @throws IllegalStateException If the JWE object is not in an
- * {@link State#ENCRYPTED encrypted
- * state}.
- * @throws JOSEException If the JWE object couldn't be
- * decrypted.
- */
- public synchronized void decrypt(final JWEDecrypter decrypter)
- throws JOSEException {
-
- ensureEncryptedState();
-
- try {
- setPayload(new Payload(decrypter.decrypt(getHeader(),
- getEncryptedKey(),
- getIV(),
- getCipherText(),
- getAuthTag())));
-
- } catch (JOSEException e) {
-
- throw e;
-
- } catch (Exception e) {
-
- // Prevent throwing unchecked exceptions at this point,
- // see issue #20
- throw new JOSEException(e.getMessage(), e);
- }
-
- state = State.DECRYPTED;
- }
-
-
- /**
- * Serialises this JWE object to its compact format consisting of
- * Base64URL-encoded parts delimited by period ('.') characters. It
- * must be in a {@link State#ENCRYPTED encrypted} or
- * {@link State#DECRYPTED decrypted} state.
- *
- *
- * [header-base64url].[encryptedKey-base64url].[iv-base64url].[cipherText-base64url].[authTag-base64url]
- *
- *
- * @return The serialised JWE object.
- *
- * @throws IllegalStateException If the JWE object is not in a
- * {@link State#ENCRYPTED encrypted} or
- * {@link State#DECRYPTED decrypted
- * state}.
- */
- @Override
- public String serialize() {
-
- ensureEncryptedOrDecryptedState();
-
- StringBuilder sb = new StringBuilder(header.toBase64URL().toString());
- sb.append('.');
-
- if (encryptedKey != null) {
-
- sb.append(encryptedKey.toString());
- }
-
- sb.append('.');
-
- if (iv != null) {
-
- sb.append(iv.toString());
- }
-
- sb.append('.');
-
- sb.append(cipherText.toString());
-
- sb.append('.');
-
- if (authTag != null) {
-
- sb.append(authTag.toString());
- }
-
- return sb.toString();
- }
-
-
- /**
- * Parses a JWE object from the specified string in compact form. The
- * parsed JWE object will be given an {@link State#ENCRYPTED} state.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The JWE object.
- *
- * @throws ParseException If the string couldn't be parsed to a valid
- * JWE object.
- */
- public static JWEObject parse(final String s)
- throws ParseException {
-
- Base64URL[] parts = JOSEObject.split(s);
-
- if (parts.length != 5) {
-
- throw new ParseException("Unexpected number of Base64URL parts, must be five", 0);
- }
-
- return new JWEObject(parts[0], parts[1], parts[2], parts[3], parts[4]);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEProvider.java
deleted file mode 100644
index f74ff7fb..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWEProvider.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.util.Set;
-
-import com.nimbusds.jose.jca.JCAAware;
-import com.nimbusds.jose.jca.JWEJCAContext;
-
-
-/**
- * JSON Web Encryption (JWE) provider.
- *
- * The JWE provider can be queried to determine its algorithm capabilities.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-26
- */
-public interface JWEProvider extends JOSEProvider, JCAAware {
-
-
- /**
- * Returns the names of the supported algorithms by the JWE provider
- * instance. These correspond to the {@code alg} JWE header parameter.
- *
- * @return The supported JWE algorithms, empty set if none.
- */
- Set supportedJWEAlgorithms();
-
-
- /**
- * Returns the names of the supported encryption methods by the JWE
- * provier. These correspond to the {@code enc} JWE header parameter.
- *
- * @return The supported encryption methods, empty set if none.
- */
- Set supportedEncryptionMethods();
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSAlgorithm.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSAlgorithm.java
deleted file mode 100644
index c8abdb1d..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSAlgorithm.java
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import com.nimbusds.jose.util.ArrayUtils;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * JSON Web Signature (JWS) algorithm name, represents the {@code alg} header
- * parameter in JWS objects. Also used to represent integrity algorithm
- * ({@code ia}) header parameters in JWE objects. This class is immutable.
- *
- * Includes constants for the following standard JWS algorithm names:
- *
- *
- * - {@link #HS256}
- *
- {@link #HS384}
- *
- {@link #HS512}
- *
- {@link #RS256}
- *
- {@link #RS384}
- *
- {@link #RS512}
- *
- {@link #ES256}
- *
- {@link #ES384}
- *
- {@link #ES512}
- *
- {@link #PS256}
- *
- {@link #PS384}
- *
- {@link #PS512}
- *
- {@link #EdDSA}
- *
- {@link #ES256K} (non-standard)
- *
- *
- * Additional JWS algorithm names can be defined using the constructors.
- *
- * @author Vladimir Dzhuvinov
- * @author Aleksei Doroganov
- * @version 2018-03-28
- */
-@Immutable
-public final class JWSAlgorithm extends Algorithm {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * HMAC using SHA-256 hash algorithm (required).
- */
- public static final JWSAlgorithm HS256 = new JWSAlgorithm("HS256", Requirement.REQUIRED);
-
-
- /**
- * HMAC using SHA-384 hash algorithm (optional).
- */
- public static final JWSAlgorithm HS384 = new JWSAlgorithm("HS384", Requirement.OPTIONAL);
-
-
- /**
- * HMAC using SHA-512 hash algorithm (optional).
- */
- public static final JWSAlgorithm HS512 = new JWSAlgorithm("HS512", Requirement.OPTIONAL);
-
-
- /**
- * RSASSA-PKCS-v1_5 using SHA-256 hash algorithm (recommended).
- */
- public static final JWSAlgorithm RS256 = new JWSAlgorithm("RS256", Requirement.RECOMMENDED);
-
-
- /**
- * RSASSA-PKCS-v1_5 using SHA-384 hash algorithm (optional).
- */
- public static final JWSAlgorithm RS384 = new JWSAlgorithm("RS384", Requirement.OPTIONAL);
-
-
- /**
- * RSASSA-PKCS-v1_5 using SHA-512 hash algorithm (optional).
- */
- public static final JWSAlgorithm RS512 = new JWSAlgorithm("RS512", Requirement.OPTIONAL);
-
-
- /**
- * ECDSA using P-256 (secp256r1) curve and SHA-256 hash algorithm
- * (recommended).
- */
- public static final JWSAlgorithm ES256 = new JWSAlgorithm("ES256", Requirement.RECOMMENDED);
-
-
- /**
- * ECDSA using P-256K (secp256k1) curve and SHA-256 hash algorithm
- * (optional).
- */
- public static final JWSAlgorithm ES256K = new JWSAlgorithm("ES256K", Requirement.OPTIONAL);
-
-
- /**
- * ECDSA using P-384 curve and SHA-384 hash algorithm (optional).
- */
- public static final JWSAlgorithm ES384 = new JWSAlgorithm("ES384", Requirement.OPTIONAL);
-
-
- /**
- * ECDSA using P-521 curve and SHA-512 hash algorithm (optional).
- */
- public static final JWSAlgorithm ES512 = new JWSAlgorithm("ES512", Requirement.OPTIONAL);
-
-
- /**
- * RSASSA-PSS using SHA-256 hash algorithm and MGF1 mask generation
- * function with SHA-256 (optional).
- */
- public static final JWSAlgorithm PS256 = new JWSAlgorithm("PS256", Requirement.OPTIONAL);
-
-
- /**
- * RSASSA-PSS using SHA-384 hash algorithm and MGF1 mask generation
- * function with SHA-384 (optional).
- */
- public static final JWSAlgorithm PS384 = new JWSAlgorithm("PS384", Requirement.OPTIONAL);
-
-
- /**
- * RSASSA-PSS using SHA-512 hash algorithm and MGF1 mask generation
- * function with SHA-512 (optional).
- */
- public static final JWSAlgorithm PS512 = new JWSAlgorithm("PS512", Requirement.OPTIONAL);
-
-
- /**
- * EdDSA signature algorithms (optional).
- */
- public static final JWSAlgorithm EdDSA = new JWSAlgorithm("EdDSA", Requirement.OPTIONAL);
-
-
- /**
- * JWS algorithm family.
- */
- public static final class Family extends AlgorithmFamily {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * HMAC using a SHA-2 hash.
- */
- public static final Family HMAC_SHA = new Family(HS256, HS384, HS512);
-
-
- /**
- * RSA signature (RSASSA-PKCS-v1_5 or RSASSA-PSS) using a SHA-2
- * hash.
- */
- public static final Family RSA = new Family(RS256, RS384, RS512, PS256, PS384, PS512);
-
-
- /**
- * Elliptic Curve signature (ECDSA) using a SHA-2 hash.
- */
- public static final Family EC = new Family(ES256, ES256K, ES384, ES512);
-
-
- /**
- * Edwards Curve signature (EdDSA).
- */
- public static final Family ED = new Family(EdDSA);
-
-
- /**
- * Super family of all digital signature based JWS algorithms.
- */
- public static final Family SIGNATURE = new Family(ArrayUtils
- .concat(
- RSA.toArray(new JWSAlgorithm[]{}),
- EC.toArray(new JWSAlgorithm[]{}),
- ED.toArray(new JWSAlgorithm[]{})
- )
- );
-
-
- /***
- * Creates a new JWS algorithm family.
- *
- * @param algs The JWS algorithms of the family. Must not be
- * {@code null}.
- */
- public Family(final JWSAlgorithm ... algs) {
- super(algs);
- }
- }
-
-
- /**
- * Creates a new JSON Web Signature (JWS) algorithm name.
- *
- * @param name The algorithm name. Must not be {@code null}.
- * @param req The implementation requirement, {@code null} if not
- * known.
- */
- public JWSAlgorithm(final String name, final Requirement req) {
-
- super(name, req);
- }
-
-
- /**
- * Creates a new JSON Web Signature (JWS) algorithm name.
- *
- * @param name The algorithm name. Must not be {@code null}.
- */
- public JWSAlgorithm(final String name) {
-
- super(name, null);
- }
-
-
- /**
- * Parses a JWS algorithm from the specified string.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The JWS algorithm (matching standard algorithm constant, else
- * a newly created algorithm).
- */
- public static JWSAlgorithm parse(final String s) {
-
- if (s.equals(HS256.getName())) {
- return HS256;
- } else if (s.equals(HS384.getName())) {
- return HS384;
- } else if (s.equals(HS512.getName())) {
- return HS512;
- } else if (s.equals(RS256.getName())) {
- return RS256;
- } else if (s.equals(RS384.getName())) {
- return RS384;
- } else if (s.equals(RS512.getName())) {
- return RS512;
- } else if (s.equals(ES256.getName())) {
- return ES256;
- } else if (s.equals(ES256K.getName())) {
- return ES256K;
- } else if (s.equals(ES384.getName())) {
- return ES384;
- } else if (s.equals(ES512.getName())) {
- return ES512;
- } else if (s.equals(PS256.getName())) {
- return PS256;
- } else if (s.equals(PS384.getName())) {
- return PS384;
- } else if (s.equals(PS512.getName())) {
- return PS512;
- } else if (s.equals(EdDSA.getName())) {
- return EdDSA;
- } else {
- return new JWSAlgorithm(s);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSHeader.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSHeader.java
deleted file mode 100644
index 13abc3fd..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSHeader.java
+++ /dev/null
@@ -1,727 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.net.URI;
-import java.text.ParseException;
-import java.util.*;
-
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.util.Base64;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-import com.nimbusds.jose.util.X509CertChainUtils;
-import net.jcip.annotations.Immutable;
-import net.minidev.json.JSONObject;
-
-
-/**
- * JSON Web Signature (JWS) header. This class is immutable.
- *
- * Supports all {@link #getRegisteredParameterNames registered header
- * parameters} of the JWS specification:
- *
- *
- * - alg
- *
- jku
- *
- jwk
- *
- x5u
- *
- x5t
- *
- x5t#S256
- *
- x5c
- *
- kid
- *
- typ
- *
- cty
- *
- crit
- *
- *
- * The header may also include {@link #getCustomParams custom
- * parameters}; these will be serialised and parsed along the registered ones.
- *
- *
Example header of a JSON Web Signature (JWS) object using the
- * {@link JWSAlgorithm#HS256 HMAC SHA-256 algorithm}:
- *
- *
- * {
- * "alg" : "HS256"
- * }
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-04-09
- */
-@Immutable
-public final class JWSHeader extends CommonSEHeader {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The registered parameter names.
- */
- private static final Set REGISTERED_PARAMETER_NAMES;
-
-
- /**
- * Initialises the registered parameter name set.
- */
- static {
- Set p = new HashSet<>();
-
- p.add("alg");
- p.add("jku");
- p.add("jwk");
- p.add("x5u");
- p.add("x5t");
- p.add("x5t#S256");
- p.add("x5c");
- p.add("kid");
- p.add("typ");
- p.add("cty");
- p.add("crit");
-
- REGISTERED_PARAMETER_NAMES = Collections.unmodifiableSet(p);
- }
-
-
- /**
- * Builder for constructing JSON Web Signature (JWS) headers.
- *
- * Example usage:
- *
- *
- * JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256).
- * contentType("text/plain").
- * customParam("exp", new Date().getTime()).
- * build();
- *
- */
- public static class Builder {
-
-
- /**
- * The JWS algorithm.
- */
- private final JWSAlgorithm alg;
-
-
- /**
- * The JOSE object type.
- */
- private JOSEObjectType typ;
-
-
- /**
- * The content type.
- */
- private String cty;
-
-
- /**
- * The critical headers.
- */
- private Set crit;
-
-
- /**
- * JWK Set URL.
- */
- private URI jku;
-
-
- /**
- * JWK.
- */
- private JWK jwk;
-
-
- /**
- * X.509 certificate URL.
- */
- private URI x5u;
-
-
- /**
- * X.509 certificate SHA-1 thumbprint.
- */
- @Deprecated
- private Base64URL x5t;
-
-
- /**
- * X.509 certificate SHA-256 thumbprint.
- */
- private Base64URL x5t256;
-
-
- /**
- * The X.509 certificate chain corresponding to the key used to
- * sign the JWS object.
- */
- private List x5c;
-
-
- /**
- * Key ID.
- */
- private String kid;
-
-
- /**
- * Custom header parameters.
- */
- private Map customParams;
-
-
- /**
- * The parsed Base64URL.
- */
- private Base64URL parsedBase64URL;
-
-
- /**
- * Creates a new JWS header builder.
- *
- * @param alg The JWS algorithm ({@code alg}) parameter. Must
- * not be "none" or {@code null}.
- */
- public Builder(final JWSAlgorithm alg) {
-
- if (alg.getName().equals(Algorithm.NONE.getName())) {
- throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
- }
-
- this.alg = alg;
- }
-
-
- /**
- * Creates a new JWS header builder with the parameters from
- * the specified header.
- *
- * @param jwsHeader The JWS header to use. Must not not be
- * {@code null}.
- */
- public Builder(final JWSHeader jwsHeader) {
-
- this(jwsHeader.getAlgorithm());
-
- typ = jwsHeader.getType();
- cty = jwsHeader.getContentType();
- crit = jwsHeader.getCriticalParams();
-
- jku = jwsHeader.getJWKURL();
- jwk = jwsHeader.getJWK();
- x5u = jwsHeader.getX509CertURL();
- x5t = jwsHeader.getX509CertThumbprint();
- x5t256 = jwsHeader.getX509CertSHA256Thumbprint();
- x5c = jwsHeader.getX509CertChain();
- kid = jwsHeader.getKeyID();
- customParams = jwsHeader.getCustomParams();
- }
-
-
- /**
- * Sets the type ({@code typ}) parameter.
- *
- * @param typ The type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder type(final JOSEObjectType typ) {
-
- this.typ = typ;
- return this;
- }
-
-
- /**
- * Sets the content type ({@code cty}) parameter.
- *
- * @param cty The content type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder contentType(final String cty) {
-
- this.cty = cty;
- return this;
- }
-
-
- /**
- * Sets the critical header parameters ({@code crit})
- * parameter.
- *
- * @param crit The names of the critical header parameters,
- * empty set or {@code null} if none.
- *
- * @return This builder.
- */
- public Builder criticalParams(final Set crit) {
-
- this.crit = crit;
- return this;
- }
-
-
- /**
- * Sets the JSON Web Key (JWK) Set URL ({@code jku}) parameter.
- *
- * @param jku The JSON Web Key (JWK) Set URL parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder jwkURL(final URI jku) {
-
- this.jku = jku;
- return this;
- }
-
-
- /**
- * Sets the JSON Web Key (JWK) ({@code jwk}) parameter.
- *
- * @param jwk The JSON Web Key (JWK) ({@code jwk}) parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder jwk(final JWK jwk) {
-
- this.jwk = jwk;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate URL ({@code x5u}) parameter.
- *
- * @param x5u The X.509 certificate URL parameter, {@code null}
- * if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertURL(final URI x5u) {
-
- this.x5u = x5u;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-1 thumbprint ({@code x5t})
- * parameter.
- *
- * @param x5t The X.509 certificate SHA-1 thumbprint parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- @Deprecated
- public Builder x509CertThumbprint(final Base64URL x5t) {
-
- this.x5t = x5t;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-256 thumbprint
- * ({@code x5t#S256}) parameter.
- *
- * @param x5t256 The X.509 certificate SHA-256 thumbprint
- * parameter, {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertSHA256Thumbprint(final Base64URL x5t256) {
-
- this.x5t256 = x5t256;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate chain parameter ({@code x5c})
- * corresponding to the key used to sign the JWS object.
- *
- * @param x5c The X.509 certificate chain parameter,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertChain(final List x5c) {
-
- this.x5c = x5c;
- return this;
- }
-
-
- /**
- * Sets the key ID ({@code kid}) parameter.
- *
- * @param kid The key ID parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder keyID(final String kid) {
-
- this.kid = kid;
- return this;
- }
-
-
- /**
- * Sets a custom (non-registered) parameter.
- *
- * @param name The name of the custom parameter. Must not
- * match a registered parameter name and must not
- * be {@code null}.
- * @param value The value of the custom parameter, should map
- * to a valid JSON entity, {@code null} if not
- * specified.
- *
- * @return This builder.
- *
- * @throws IllegalArgumentException If the specified parameter
- * name matches a registered
- * parameter name.
- */
- public Builder customParam(final String name, final Object value) {
-
- if (getRegisteredParameterNames().contains(name)) {
- throw new IllegalArgumentException("The parameter name \"" + name + "\" matches a registered name");
- }
-
- if (customParams == null) {
- customParams = new HashMap<>();
- }
-
- customParams.put(name, value);
-
- return this;
- }
-
-
- /**
- * Sets the custom (non-registered) parameters. The values must
- * be serialisable to a JSON entity, otherwise will be ignored.
- *
- * @param customParameters The custom parameters, empty map or
- * {@code null} if none.
- *
- * @return This builder.
- */
- public Builder customParams(final Map customParameters) {
-
- this.customParams = customParameters;
- return this;
- }
-
-
- /**
- * Sets the parsed Base64URL.
- *
- * @param base64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- *
- * @return This builder.
- */
- public Builder parsedBase64URL(final Base64URL base64URL) {
-
- this.parsedBase64URL = base64URL;
- return this;
- }
-
-
- /**
- * Builds a new JWS header.
- *
- * @return The JWS header.
- */
- public JWSHeader build() {
-
- return new JWSHeader(
- alg, typ, cty, crit,
- jku, jwk, x5u, x5t, x5t256, x5c, kid,
- customParams, parsedBase64URL);
- }
- }
-
-
- /**
- * Creates a new minimal JSON Web Signature (JWS) header.
- *
- * Note: Use {@link PlainHeader} to create a header with algorithm
- * {@link Algorithm#NONE none}.
- *
- * @param alg The JWS algorithm ({@code alg}) parameter. Must not be
- * "none" or {@code null}.
- */
- public JWSHeader(final JWSAlgorithm alg) {
-
- this(alg, null, null, null, null, null, null, null, null, null, null, null, null);
- }
-
-
- /**
- * Creates a new JSON Web Signature (JWS) header.
- *
- *
Note: Use {@link PlainHeader} to create a header with algorithm
- * {@link Algorithm#NONE none}.
- *
- * @param alg The JWS algorithm ({@code alg}) parameter.
- * Must not be "none" or {@code null}.
- * @param typ The type ({@code typ}) parameter,
- * {@code null} if not specified.
- * @param cty The content type ({@code cty}) parameter,
- * {@code null} if not specified.
- * @param crit The names of the critical header
- * ({@code crit}) parameters, empty set or
- * {@code null} if none.
- * @param jku The JSON Web Key (JWK) Set URL ({@code jku})
- * parameter, {@code null} if not specified.
- * @param jwk The X.509 certificate URL ({@code jwk})
- * parameter, {@code null} if not specified.
- * @param x5u The X.509 certificate URL parameter
- * ({@code x5u}), {@code null} if not specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint
- * ({@code x5t}) parameter, {@code null} if not
- * specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint
- * ({@code x5t#S256}) parameter, {@code null} if
- * not specified.
- * @param x5c The X.509 certificate chain ({@code x5c})
- * parameter, {@code null} if not specified.
- * @param kid The key ID ({@code kid}) parameter,
- * {@code null} if not specified.
- * @param customParams The custom parameters, empty map or
- * {@code null} if none.
- * @param parsedBase64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- */
- public JWSHeader(final JWSAlgorithm alg,
- final JOSEObjectType typ,
- final String cty,
- final Set crit,
- final URI jku,
- final JWK jwk,
- final URI x5u,
- final Base64URL x5t,
- final Base64URL x5t256,
- final List x5c,
- final String kid,
- final Map customParams,
- final Base64URL parsedBase64URL) {
-
- super(alg, typ, cty, crit, jku, jwk, x5u, x5t, x5t256, x5c, kid, customParams, parsedBase64URL);
-
- if (alg.getName().equals(Algorithm.NONE.getName())) {
- throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
- }
- }
-
-
- /**
- * Deep copy constructor.
- *
- * @param jwsHeader The JWS header to copy. Must not be {@code null}.
- */
- public JWSHeader(final JWSHeader jwsHeader) {
-
- this(
- jwsHeader.getAlgorithm(),
- jwsHeader.getType(),
- jwsHeader.getContentType(),
- jwsHeader.getCriticalParams(),
- jwsHeader.getJWKURL(),
- jwsHeader.getJWK(),
- jwsHeader.getX509CertURL(),
- jwsHeader.getX509CertThumbprint(),
- jwsHeader.getX509CertSHA256Thumbprint(),
- jwsHeader.getX509CertChain(),
- jwsHeader.getKeyID(),
- jwsHeader.getCustomParams(),
- jwsHeader.getParsedBase64URL()
- );
- }
-
-
- /**
- * Gets the registered parameter names for JWS headers.
- *
- * @return The registered parameter names, as an unmodifiable set.
- */
- public static Set getRegisteredParameterNames() {
-
- return REGISTERED_PARAMETER_NAMES;
- }
-
-
- /**
- * Gets the algorithm ({@code alg}) parameter.
- *
- * @return The algorithm parameter.
- */
- @Override
- public JWSAlgorithm getAlgorithm() {
-
- return (JWSAlgorithm)super.getAlgorithm();
- }
-
-
- /**
- * Parses a JWS header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- *
- * @return The JWS header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid JWS header.
- */
- public static JWSHeader parse(final JSONObject jsonObject)
- throws ParseException {
-
- return parse(jsonObject, null);
- }
-
-
- /**
- * Parses a JWS header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The JWS header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid JWS header.
- */
- public static JWSHeader parse(final JSONObject jsonObject,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- // Get the "alg" parameter
- Algorithm alg = Header.parseAlgorithm(jsonObject);
-
- if (! (alg instanceof JWSAlgorithm)) {
- throw new ParseException("The algorithm \"alg\" header parameter must be for signatures", 0);
- }
-
- JWSHeader.Builder header = new Builder((JWSAlgorithm)alg).parsedBase64URL(parsedBase64URL);
-
- // Parse optional + custom parameters
- for (final String name: jsonObject.keySet()) {
-
- if("alg".equals(name)) {
- // skip
- } else if("typ".equals(name)) {
- header = header.type(new JOSEObjectType(JSONObjectUtils.getString(jsonObject, name)));
- } else if("cty".equals(name)) {
- header = header.contentType(JSONObjectUtils.getString(jsonObject, name));
- } else if("crit".equals(name)) {
- header = header.criticalParams(new HashSet<>(JSONObjectUtils.getStringList(jsonObject, name)));
- } else if("jku".equals(name)) {
- header = header.jwkURL(JSONObjectUtils.getURI(jsonObject, name));
- } else if("jwk".equals(name)) {
- header = header.jwk(JWK.parse(JSONObjectUtils.getJSONObject(jsonObject, name)));
- } else if("x5u".equals(name)) {
- header = header.x509CertURL(JSONObjectUtils.getURI(jsonObject, name));
- } else if("x5t".equals(name)) {
- header = header.x509CertThumbprint(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("x5t#S256".equals(name)) {
- header = header.x509CertSHA256Thumbprint(new Base64URL(JSONObjectUtils.getString(jsonObject, name)));
- } else if("x5c".equals(name)) {
- header = header.x509CertChain(X509CertChainUtils.toBase64List(JSONObjectUtils.getJSONArray(jsonObject, name)));
- } else if("kid".equals(name)) {
- header = header.keyID(JSONObjectUtils.getString(jsonObject, name));
- } else {
- header = header.customParam(name, jsonObject.get(name));
- }
- }
-
- return header.build();
- }
-
-
- /**
- * Parses a JWS header from the specified JSON object string.
- *
- * @param jsonString The JSON string to parse. Must not be
- * {@code null}.
- *
- * @return The JWS header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid JWS header.
- */
- public static JWSHeader parse(final String jsonString)
- throws ParseException {
-
- return parse(jsonString, null);
- }
-
-
- /**
- * Parses a JWS header from the specified JSON object string.
- *
- * @param jsonString The JSON string to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The JWS header.
- *
- * @throws ParseException If the specified JSON object string doesn't
- * represent a valid JWS header.
- */
- public static JWSHeader parse(final String jsonString,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(jsonString), parsedBase64URL);
- }
-
-
- /**
- * Parses a JWS header from the specified Base64URL.
- *
- * @param base64URL The Base64URL to parse. Must not be {@code null}.
- *
- * @return The JWS header.
- *
- * @throws ParseException If the specified Base64URL doesn't represent
- * a valid JWS header.
- */
- public static JWSHeader parse(final Base64URL base64URL)
- throws ParseException {
-
- return parse(base64URL.decodeToString(), base64URL);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSObject.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSObject.java
deleted file mode 100644
index 004837ff..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSObject.java
+++ /dev/null
@@ -1,423 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.text.ParseException;
-
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * JSON Web Signature (JWS) secured object. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-26
- */
-@ThreadSafe
-public class JWSObject extends JOSEObject {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * Enumeration of the states of a JSON Web Signature (JWS) object.
- */
- public enum State {
-
-
- /**
- * The JWS object is created but not signed yet.
- */
- UNSIGNED,
-
-
- /**
- * The JWS object is signed but its signature is not verified.
- */
- SIGNED,
-
-
- /**
- * The JWS object is signed and its signature was successfully verified.
- */
- VERIFIED
- }
-
-
- /**
- * The header.
- */
- private final JWSHeader header;
-
-
- /**
- * The signing input for this JWS object.
- *
- * Format:
- *
- *
- * [header-base64url].[payload-base64url]
- *
- */
- private final String signingInputString;
-
-
- /**
- * The signature, {@code null} if not signed.
- */
- private Base64URL signature;
-
-
- /**
- * The JWS object state.
- */
- private State state;
-
-
- /**
- * Creates a new to-be-signed JSON Web Signature (JWS) object with the
- * specified header and payload. The initial state will be
- * {@link State#UNSIGNED unsigned}.
- *
- * @param header The JWS header. Must not be {@code null}.
- * @param payload The payload. Must not be {@code null}.
- */
- public JWSObject(final JWSHeader header, final Payload payload) {
-
- if (header == null) {
-
- throw new IllegalArgumentException("The JWS header must not be null");
- }
-
- this.header = header;
-
- if (payload == null) {
-
- throw new IllegalArgumentException("The payload must not be null");
- }
-
- setPayload(payload);
-
- signingInputString = composeSigningInput(header.toBase64URL(), payload.toBase64URL());
-
- signature = null;
-
- state = State.UNSIGNED;
- }
-
-
- /**
- * Creates a new signed JSON Web Signature (JWS) object with the
- * specified serialised parts. The state will be
- * {@link State#SIGNED signed}.
- *
- * @param firstPart The first part, corresponding to the JWS header.
- * Must not be {@code null}.
- * @param secondPart The second part, corresponding to the payload. Must
- * not be {@code null}.
- * @param thirdPart The third part, corresponding to the signature.
- * Must not be {@code null}.
- *
- * @throws ParseException If parsing of the serialised parts failed.
- */
- public JWSObject(final Base64URL firstPart, final Base64URL secondPart, final Base64URL thirdPart)
- throws ParseException {
-
- if (firstPart == null) {
-
- throw new IllegalArgumentException("The first part must not be null");
- }
-
- try {
- this.header = JWSHeader.parse(firstPart);
-
- } catch (ParseException e) {
-
- throw new ParseException("Invalid JWS header: " + e.getMessage(), 0);
- }
-
- if (secondPart == null) {
-
- throw new IllegalArgumentException("The second part must not be null");
- }
-
- setPayload(new Payload(secondPart));
-
- signingInputString = composeSigningInput(firstPart, secondPart);
-
- if (thirdPart == null) {
- throw new IllegalArgumentException("The third part must not be null");
- }
-
- signature = thirdPart;
-
- state = State.SIGNED; // but signature not verified yet!
-
- setParsedParts(firstPart, secondPart, thirdPart);
- }
-
-
- @Override
- public JWSHeader getHeader() {
-
- return header;
- }
-
-
- /**
- * Composes the signing input for the specified JWS object parts.
- *
- * Format:
- *
- *
- * [header-base64url].[payload-base64url]
- *
- *
- * @param firstPart The first part, corresponding to the JWS header.
- * Must not be {@code null}.
- * @param secondPart The second part, corresponding to the payload.
- * Must not be {@code null}.
- *
- * @return The signing input string.
- */
- private static String composeSigningInput(final Base64URL firstPart, final Base64URL secondPart) {
-
- return firstPart.toString() + '.' + secondPart.toString();
- }
-
-
- /**
- * Returns the signing input for this JWS object.
- *
- * Format:
- *
- *
- * [header-base64url].[payload-base64url]
- *
- *
- * @return The signing input, to be passed to a JWS signer or verifier.
- */
- public byte[] getSigningInput() {
-
- return signingInputString.getBytes(StandardCharset.UTF_8);
- }
-
-
- /**
- * Returns the signature of this JWS object.
- *
- * @return The signature, {@code null} if the JWS object is not signed
- * yet.
- */
- public Base64URL getSignature() {
-
- return signature;
- }
-
-
- /**
- * Returns the state of this JWS object.
- *
- * @return The state.
- */
- public State getState() {
-
- return state;
- }
-
-
- /**
- * Ensures the current state is {@link State#UNSIGNED unsigned}.
- *
- * @throws IllegalStateException If the current state is not unsigned.
- */
- private void ensureUnsignedState() {
-
- if (state != State.UNSIGNED) {
-
- throw new IllegalStateException("The JWS object must be in an unsigned state");
- }
- }
-
-
- /**
- * Ensures the current state is {@link State#SIGNED signed} or
- * {@link State#VERIFIED verified}.
- *
- * @throws IllegalStateException If the current state is not signed or
- * verified.
- */
- private void ensureSignedOrVerifiedState() {
-
- if (state != State.SIGNED && state != State.VERIFIED) {
-
- throw new IllegalStateException("The JWS object must be in a signed or verified state");
- }
- }
-
-
- /**
- * Ensures the specified JWS signer supports the algorithm of this JWS
- * object.
- *
- * @throws JOSEException If the JWS algorithm is not supported.
- */
- private void ensureJWSSignerSupport(final JWSSigner signer)
- throws JOSEException {
-
- if (! signer.supportedJWSAlgorithms().contains(getHeader().getAlgorithm())) {
-
- throw new JOSEException("The \"" + getHeader().getAlgorithm() +
- "\" algorithm is not allowed or supported by the JWS signer: Supported algorithms: " + signer.supportedJWSAlgorithms());
- }
- }
-
-
- /**
- * Signs this JWS object with the specified signer. The JWS object must
- * be in a {@link State#UNSIGNED unsigned} state.
- *
- * @param signer The JWS signer. Must not be {@code null}.
- *
- * @throws IllegalStateException If the JWS object is not in an
- * {@link State#UNSIGNED unsigned state}.
- * @throws JOSEException If the JWS object couldn't be signed.
- */
- public synchronized void sign(final JWSSigner signer)
- throws JOSEException {
-
- ensureUnsignedState();
-
- ensureJWSSignerSupport(signer);
-
- try {
- signature = signer.sign(getHeader(), getSigningInput());
-
- } catch (JOSEException e) {
-
- throw e;
-
- } catch (Exception e) {
-
- // Prevent throwing unchecked exceptions at this point,
- // see issue #20
- throw new JOSEException(e.getMessage(), e);
- }
-
- state = State.SIGNED;
- }
-
-
- /**
- * Checks the signature of this JWS object with the specified verifier.
- * The JWS object must be in a {@link State#SIGNED signed} state.
- *
- * @param verifier The JWS verifier. Must not be {@code null}.
- *
- * @return {@code true} if the signature was successfully verified,
- * else {@code false}.
- *
- * @throws IllegalStateException If the JWS object is not in a
- * {@link State#SIGNED signed} or
- * {@link State#VERIFIED verified state}.
- * @throws JOSEException If the JWS object couldn't be
- * verified.
- */
- public synchronized boolean verify(final JWSVerifier verifier)
- throws JOSEException {
-
- ensureSignedOrVerifiedState();
-
- boolean verified;
-
- try {
- verified = verifier.verify(getHeader(), getSigningInput(), getSignature());
-
- } catch (JOSEException e) {
-
- throw e;
-
- } catch (Exception e) {
-
- // Prevent throwing unchecked exceptions at this point,
- // see issue #20
- throw new JOSEException(e.getMessage(), e);
- }
-
- if (verified) {
-
- state = State.VERIFIED;
- }
-
- return verified;
- }
-
-
- /**
- * Serialises this JWS object to its compact format consisting of
- * Base64URL-encoded parts delimited by period ('.') characters. It
- * must be in a {@link State#SIGNED signed} or
- * {@link State#VERIFIED verified} state.
- *
- *
- * [header-base64url].[payload-base64url].[signature-base64url]
- *
- *
- * @return The serialised JWS object.
- *
- * @throws IllegalStateException If the JWS object is not in a
- * {@link State#SIGNED signed} or
- * {@link State#VERIFIED verified} state.
- */
- @Override
- public String serialize() {
-
- ensureSignedOrVerifiedState();
-
- return signingInputString + '.' + signature.toString();
- }
-
-
- /**
- * Parses a JWS object from the specified string in compact format. The
- * parsed JWS object will be given a {@link State#SIGNED} state.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The JWS object.
- *
- * @throws ParseException If the string couldn't be parsed to a valid
- * JWS object.
- */
- public static JWSObject parse(final String s)
- throws ParseException {
-
- Base64URL[] parts = JOSEObject.split(s);
-
- if (parts.length != 3) {
-
- throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
- }
-
- return new JWSObject(parts[0], parts[1], parts[2]);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSProvider.java
deleted file mode 100644
index 268e9745..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSProvider.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.util.Set;
-
-import com.nimbusds.jose.jca.JCAAware;
-import com.nimbusds.jose.jca.JCAContext;
-
-
-/**
- * JSON Web Signature (JWS) provider
- *
- * The JWS provider can be queried to determine its algorithm capabilities.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-11-16
- */
-public interface JWSProvider extends JOSEProvider, JCAAware {
-
-
- /**
- * Returns the names of the supported algorithms by the JWS provider
- * instance. These correspond to the {@code alg} JWS header parameter.
- *
- * @return The supported JWS algorithms, empty set if none.
- */
- Set supportedJWSAlgorithms();
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSSigner.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSSigner.java
deleted file mode 100644
index fcf4cad3..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSSigner.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * JSON Web Signature (JWS) signer.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-04-21
- */
-public interface JWSSigner extends JWSProvider {
-
-
- /**
- * Signs the specified {@link JWSObject#getSigningInput input} of a
- * {@link JWSObject JWS object}.
- *
- * @param header The JSON Web Signature (JWS) header. Must
- * specify a supported JWS algorithm and must not
- * be {@code null}.
- * @param signingInput The input to sign. Must not be {@code null}.
- *
- * @return The resulting signature part (third part) of the JWS object.
- *
- * @throws JOSEException If the JWS algorithm is not supported, if a
- * critical header parameter is not supported or
- * marked for deferral to the application, or if
- * signing failed for some other internal reason.
- */
- Base64URL sign(final JWSHeader header, final byte[] signingInput)
- throws JOSEException;
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSVerifier.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSVerifier.java
deleted file mode 100644
index 34e02303..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/JWSVerifier.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * JSON Web Signature (JWS) verifier.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-04-21
- */
-public interface JWSVerifier extends JWSProvider {
-
-
- /**
- * Verifies the specified {@link JWSObject#getSignature signature} of a
- * {@link JWSObject JWS object}.
- *
- * @param header The JSON Web Signature (JWS) header. Must
- * specify a supported JWS algorithm and must not
- * be {@code null}.
- * @param signingInput The signing input. Must not be {@code null}.
- * @param signature The signature part of the JWS object. Must not
- * be {@code null}.
- *
- * @return {@code true} if the signature was successfully verified,
- * {@code false} if the signature is invalid or if a critical
- * header is neither supported nor marked for deferral to the
- * application.
- *
- * @throws JOSEException If the JWS algorithm is not supported, or if
- * signature verification failed for some other
- * internal reason.
- */
- boolean verify(final JWSHeader header, final byte[] signingInput, final Base64URL signature)
- throws JOSEException;
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyException.java
deleted file mode 100644
index 901fa023..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Key exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-public class KeyException extends JOSEException {
-
-
- /**
- * Creates a new key exception with the specified message.
- *
- * @param message The exception message.
- */
- public KeyException(final String message) {
-
- super(message);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyLengthException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyLengthException.java
deleted file mode 100644
index 20ea6077..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyLengthException.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Key length exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 205-06-29
- */
-public class KeyLengthException extends KeyException {
-
-
- /**
- * The expected key length.
- */
- private final int expectedLength;
-
-
- /**
- * The algorithm.
- */
- private final Algorithm alg;
-
-
- /**
- * Creates a new key length exception.
- *
- * @param message The exception message.
- */
- public KeyLengthException(final String message) {
-
- super(message);
- expectedLength = 0;
- alg = null;
- }
-
-
- /**
- * Creates a new key length exception.
- *
- * @param alg The JOSE algorithm, {@code null} if not specified.
- */
- public KeyLengthException(final Algorithm alg) {
-
- this(0, alg);
- }
-
-
- /**
- * Creates a new key length exception.
- *
- * @param expectedLength The expected key length in bits, zero if not
- * specified.
- * @param alg The JOSE algorithm, {@code null} if not
- * specified.
- */
- public KeyLengthException(final int expectedLength, final Algorithm alg) {
-
- super((
- (expectedLength > 0) ? "The expected key length is " + expectedLength + " bits" : "Unexpected key length") +
- ((alg != null) ? " (for " + alg + " algorithm)" : "")
- );
-
- this.expectedLength = expectedLength;
- this.alg = alg;
- }
-
-
- /**
- * Returns the expected key length.
- *
- * @return The expected key length in bits, zero if not specified.
- */
- public int getExpectedKeyLength() {
-
- return expectedLength;
- }
-
-
- /**
- * Returns the algorithm.
- *
- * @return The JOSE algorithm, {@code null} if not specified.
- */
- public Algorithm getAlgorithm() {
-
- return alg;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeySourceException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeySourceException.java
deleted file mode 100644
index 868e4269..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeySourceException.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Key source exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-06-21
- */
-public class KeySourceException extends JOSEException {
-
-
- /**
- * Creates a new key source exception.
- *
- * @param message The message.
- */
- public KeySourceException(final String message) {
- super(message);
- }
-
-
- /**
- * Creates a new key source exception.
- *
- * @param message The message.
- * @param cause The cause.
- */
- public KeySourceException(final String message, final Throwable cause) {
- super(message, cause);
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyTypeException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyTypeException.java
deleted file mode 100644
index bbb4b748..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/KeyTypeException.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.security.Key;
-
-
-/**
- * Key type exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-public class KeyTypeException extends KeyException {
-
-
- /**
- * Creates a new key type exception.
- *
- * @param expectedKeyClass The expected key class. Should not be
- * {@code null}.
- */
- public KeyTypeException(final Class expectedKeyClass) {
-
- super("Invalid key: Must be an instance of " + expectedKeyClass);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Payload.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Payload.java
deleted file mode 100644
index 482dd56c..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Payload.java
+++ /dev/null
@@ -1,497 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.io.Serializable;
-import java.text.ParseException;
-
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-import com.nimbusds.jose.util.StandardCharset;
-import com.nimbusds.jwt.SignedJWT;
-import net.jcip.annotations.Immutable;
-import net.minidev.json.JSONObject;
-
-
-/**
- * Payload of an unsecured (plain), JSON Web Signature (JWS) or JSON Web
- * Encryption (JWE) object. Supports JSON object, string, byte array,
- * Base64URL, JWS object and signed JWT payload representations. This class is
- * immutable.
- *
- * UTF-8 is the character set for all conversions between strings and byte
- * arrays.
- *
- *
Conversion relations:
- *
- *
- * JSONObject <=> String <=> Base64URL
- * <=> byte[]
- * <=> JWSObject
- * <=> SignedJWT
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-26
- */
-@Immutable
-public final class Payload implements Serializable {
-
-
- /**
- * Enumeration of the original data types used to create a
- * {@link Payload}.
- */
- public enum Origin {
-
-
- /**
- * The payload was created from a JSON object.
- */
- JSON,
-
-
- /**
- * The payload was created from a string.
- */
- STRING,
-
-
- /**
- * The payload was created from a byte array.
- */
- BYTE_ARRAY,
-
-
- /**
- * The payload was created from a Base64URL-encoded object.
- */
- BASE64URL,
-
-
- /**
- * The payload was created from a JWS object.
- */
- JWS_OBJECT,
-
-
- /**
- * The payload was created from a signed JSON Web Token (JWT).
- */
- SIGNED_JWT
- }
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The original payload data type.
- */
- private final Origin origin;
-
-
- /**
- * The JSON object representation.
- */
- private final JSONObject jsonObject;
-
-
- /**
- * The string representation.
- */
- private final String string;
-
-
- /**
- * The byte array representation.
- */
- private final byte[] bytes;
-
-
- /**
- * The Base64URL representation.
- */
- private final Base64URL base64URL;
-
-
- /**
- * The JWS object representation.
- */
- private final JWSObject jwsObject;
-
-
- /**
- * The signed JWT representation.
- */
- private final SignedJWT signedJWT;
-
-
- /**
- * Converts a byte array to a string using {@code UTF-8}.
- *
- * @param bytes The byte array to convert. May be {@code null}.
- *
- * @return The resulting string, {@code null} if conversion failed.
- */
- private static String byteArrayToString(final byte[] bytes) {
-
- return bytes != null ? new String(bytes, StandardCharset.UTF_8) : null;
- }
-
-
- /**
- * Converts a string to a byte array using {@code UTF-8}.
- *
- * @param string The string to convert. May be {@code null}.
- *
- * @return The resulting byte array, {@code null} if conversion failed.
- */
- private static byte[] stringToByteArray(final String string) {
-
- return string != null ? string.getBytes(StandardCharset.UTF_8) : null;
- }
-
-
- /**
- * Creates a new payload from the specified JSON object.
- *
- * @param jsonObject The JSON object representing the payload. Must not
- * be {@code null}.
- */
- public Payload(final JSONObject jsonObject) {
-
- if (jsonObject == null) {
- throw new IllegalArgumentException("The JSON object must not be null");
- }
-
- this.jsonObject = jsonObject;
- string = null;
- bytes = null;
- base64URL = null;
- jwsObject = null;
- signedJWT = null;
-
- origin = Origin.JSON;
- }
-
-
- /**
- * Creates a new payload from the specified string.
- *
- * @param string The string representing the payload. Must not be
- * {@code null}.
- */
- public Payload(final String string) {
-
- if (string == null) {
- throw new IllegalArgumentException("The string must not be null");
- }
-
- jsonObject = null;
- this.string = string;
- bytes = null;
- base64URL = null;
- jwsObject = null;
- signedJWT = null;
-
- origin = Origin.STRING;
- }
-
-
- /**
- * Creates a new payload from the specified byte array.
- *
- * @param bytes The byte array representing the payload. Must not be
- * {@code null}.
- */
- public Payload(final byte[] bytes) {
-
- if (bytes == null) {
- throw new IllegalArgumentException("The byte array must not be null");
- }
-
- jsonObject = null;
- string = null;
- this.bytes = bytes;
- base64URL = null;
- jwsObject = null;
- signedJWT = null;
-
- origin = Origin.BYTE_ARRAY;
- }
-
-
- /**
- * Creates a new payload from the specified Base64URL-encoded object.
- *
- * @param base64URL The Base64URL-encoded object representing the
- * payload. Must not be {@code null}.
- */
- public Payload(final Base64URL base64URL) {
-
- if (base64URL == null) {
- throw new IllegalArgumentException("The Base64URL-encoded object must not be null");
- }
-
- jsonObject = null;
- string = null;
- bytes = null;
- this.base64URL = base64URL;
- jwsObject = null;
- signedJWT = null;
-
- origin = Origin.BASE64URL;
- }
-
-
- /**
- * Creates a new payload from the specified JWS object. Intended for
- * signed then encrypted JOSE objects.
- *
- * @param jwsObject The JWS object representing the payload. Must be in
- * a signed state and not {@code null}.
- */
- public Payload(final JWSObject jwsObject) {
-
- if (jwsObject == null) {
- throw new IllegalArgumentException("The JWS object must not be null");
- }
-
- if (jwsObject.getState() == JWSObject.State.UNSIGNED) {
- throw new IllegalArgumentException("The JWS object must be signed");
- }
-
- jsonObject = null;
- string = null;
- bytes = null;
- base64URL = null;
- this.jwsObject = jwsObject;
- signedJWT = null;
-
- origin = Origin.JWS_OBJECT;
- }
-
-
- /**
- * Creates a new payload from the specified signed JSON Web Token
- * (JWT). Intended for signed then encrypted JWTs.
- *
- * @param signedJWT The signed JWT representing the payload. Must be in
- * a signed state and not {@code null}.
- */
- public Payload(final SignedJWT signedJWT) {
-
- if (signedJWT == null) {
- throw new IllegalArgumentException("The signed JWT must not be null");
- }
-
- if (signedJWT.getState() == JWSObject.State.UNSIGNED) {
- throw new IllegalArgumentException("The JWT must be signed");
- }
-
- jsonObject = null;
- string = null;
- bytes = null;
- base64URL = null;
- this.signedJWT = signedJWT;
- jwsObject = signedJWT; // The signed JWT is also a JWS
-
- origin = Origin.SIGNED_JWT;
- }
-
-
- /**
- * Gets the original data type used to create this payload.
- *
- * @return The payload origin.
- */
- public Origin getOrigin() {
-
- return origin;
- }
-
-
- /**
- * Returns a JSON object representation of this payload.
- *
- * @return The JSON object representation, {@code null} if the payload
- * couldn't be converted to a JSON object.
- */
- public JSONObject toJSONObject() {
-
- if (jsonObject != null) {
- return jsonObject;
- }
-
- // Convert
-
- String s = toString();
-
- if (s == null) {
- // to string conversion failed
- return null;
- }
-
- try {
- return JSONObjectUtils.parse(s);
-
- } catch (ParseException e) {
- // Payload not a JSON object
- return null;
- }
- }
-
-
- /**
- * Returns a string representation of this payload.
- *
- * @return The string representation.
- */
- @Override
- public String toString() {
-
- if (string != null) {
-
- return string;
- }
-
- // Convert
- if (jwsObject != null) {
-
- if (jwsObject.getParsedString() != null) {
- return jwsObject.getParsedString();
- } else {
- return jwsObject.serialize();
- }
-
- } else if (jsonObject != null) {
-
- return jsonObject.toString();
-
- } else if (bytes != null) {
-
- return byteArrayToString(bytes);
-
- } else if (base64URL != null) {
-
- return base64URL.decodeToString();
- } else {
- return null; // should never happen
- }
- }
-
-
- /**
- * Returns a byte array representation of this payload.
- *
- * @return The byte array representation.
- */
- public byte[] toBytes() {
-
- if (bytes != null) {
- return bytes;
- }
-
- // Convert
- if (base64URL != null) {
- return base64URL.decode();
-
- }
-
- return stringToByteArray(toString());
- }
-
-
- /**
- * Returns a Base64URL representation of this payload.
- *
- * @return The Base64URL representation.
- */
- public Base64URL toBase64URL() {
-
- if (base64URL != null) {
- return base64URL;
- }
-
- // Convert
- return Base64URL.encode(toBytes());
- }
-
-
- /**
- * Returns a JWS object representation of this payload. Intended for
- * signed then encrypted JOSE objects.
- *
- * @return The JWS object representation, {@code null} if the payload
- * couldn't be converted to a JWS object.
- */
- public JWSObject toJWSObject() {
-
- if (jwsObject != null) {
- return jwsObject;
- }
-
- try {
- return JWSObject.parse(toString());
-
- } catch (ParseException e) {
-
- return null;
- }
- }
-
-
- /**
- * Returns a signed JSON Web Token (JWT) representation of this
- * payload. Intended for signed then encrypted JWTs.
- *
- * @return The signed JWT representation, {@code null} if the payload
- * couldn't be converted to a signed JWT.
- */
- public SignedJWT toSignedJWT() {
-
- if (signedJWT != null) {
- return signedJWT;
- }
-
- try {
- return SignedJWT.parse(toString());
-
- } catch (ParseException e) {
-
- return null;
- }
- }
-
-
- /**
- * Returns a transformation of this payload.
- *
- * @param Type of the result.
- * @param transformer The payload transformer. Must not be
- * {@code null}.
- *
- * @return The transformed payload.
- */
- public T toType(final PayloadTransformer transformer) {
-
- return transformer.transform(this);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PayloadTransformer.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PayloadTransformer.java
deleted file mode 100644
index 864c811d..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PayloadTransformer.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Generic payload type transformer. Implementations should be tread-safe.
- */
-public interface PayloadTransformer {
-
-
- /**
- * Transforms the specified payload into the desired type.
- *
- * @param payload The payload. Not {@code null}.
- *
- * @return The desired type.
- */
- T transform(final Payload payload);
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainHeader.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainHeader.java
deleted file mode 100644
index 302537a4..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainHeader.java
+++ /dev/null
@@ -1,477 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.text.ParseException;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import net.jcip.annotations.Immutable;
-
-import net.minidev.json.JSONObject;
-
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.JSONObjectUtils;
-
-
-/**
- * Unsecured ({@code alg=none}) JOSE header. This class is immutable.
- *
- * Supports all {@link #getRegisteredParameterNames registered header
- * parameters} of the unsecured JOSE object specification:
- *
- *
- * - alg (set to {@link Algorithm#NONE "none"}).
- *
- typ
- *
- cty
- *
- crit
- *
- *
- * The header may also carry {@link #getCustomParams custom parameters};
- * these will be serialised and parsed along the registered ones.
- *
- *
Example:
- *
- *
- * {
- * "alg" : "none"
- * }
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-08-20
- */
-@Immutable
-public final class PlainHeader extends Header {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The registered parameter names.
- */
- private static final Set REGISTERED_PARAMETER_NAMES;
-
-
- /**
- * Initialises the registered parameter name set.
- */
- static {
- Set p = new HashSet<>();
-
- p.add("alg");
- p.add("typ");
- p.add("cty");
- p.add("crit");
-
- REGISTERED_PARAMETER_NAMES = Collections.unmodifiableSet(p);
- }
-
-
- /**
- * Builder for constructing unsecured (plain) headers.
- *
- * Example usage:
- *
- *
- * PlainHeader header = new PlainHeader.Builder().
- * contentType("text/plain").
- * customParam("exp", new Date().getTime()).
- * build();
- *
- */
- public static class Builder {
-
-
- /**
- * The JOSE object type.
- */
- private JOSEObjectType typ;
-
-
- /**
- * The content type.
- */
- private String cty;
-
-
- /**
- * The critical headers.
- */
- private Set crit;
-
-
- /**
- * Custom header parameters.
- */
- private Map customParams;
-
-
- /**
- * The parsed Base64URL.
- */
- private Base64URL parsedBase64URL;
-
-
- /**
- * Creates a new unsecured (plain) header builder.
- */
- public Builder() {
-
- }
-
-
- /**
- * Creates a new unsecured (plain) header builder with the
- * parameters from the specified header.
- *
- * @param plainHeader The unsecured header to use. Must not be
- * {@code null}.
- */
- public Builder(final PlainHeader plainHeader) {
-
- typ = plainHeader.getType();
- cty = plainHeader.getContentType();
- crit = plainHeader.getCriticalParams();
- customParams = plainHeader.getCustomParams();
- }
-
-
- /**
- * Sets the type ({@code typ}) parameter.
- *
- * @param typ The type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder type(final JOSEObjectType typ) {
-
- this.typ = typ;
- return this;
- }
-
-
- /**
- * Sets the content type ({@code cty}) parameter.
- *
- * @param cty The content type parameter, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder contentType(final String cty) {
-
- this.cty = cty;
- return this;
- }
-
-
- /**
- * Sets the critical header parameters ({@code crit})
- * parameter.
- *
- * @param crit The names of the critical header parameters,
- * empty set or {@code null} if none.
- *
- * @return This builder.
- */
- public Builder criticalParams(final Set crit) {
-
- this.crit = crit;
- return this;
- }
-
-
- /**
- * Sets a custom (non-registered) parameter.
- *
- * @param name The name of the custom parameter. Must not
- * match a registered parameter name and must not
- * be {@code null}.
- * @param value The value of the custom parameter, should map
- * to a valid JSON entity, {@code null} if not
- * specified.
- *
- * @return This builder.
- *
- * @throws IllegalArgumentException If the specified parameter
- * name matches a registered
- * parameter name.
- */
- public Builder customParam(final String name, final Object value) {
-
- if (getRegisteredParameterNames().contains(name)) {
- throw new IllegalArgumentException("The parameter name \"" + name + "\" matches a registered name");
- }
-
- if (customParams == null) {
- customParams = new HashMap<>();
- }
-
- customParams.put(name, value);
-
- return this;
- }
-
-
- /**
- * Sets the custom (non-registered) parameters. The values must
- * be serialisable to a JSON entity, otherwise will be ignored.
- *
- * @param customParameters The custom parameters, empty map or
- * {@code null} if none.
- *
- * @return This builder.
- */
- public Builder customParams(final Map customParameters) {
-
- this.customParams = customParameters;
- return this;
- }
-
-
- /**
- * Sets the parsed Base64URL.
- *
- * @param base64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- *
- * @return This builder.
- */
- public Builder parsedBase64URL(final Base64URL base64URL) {
-
- this.parsedBase64URL = base64URL;
- return this;
- }
-
-
- /**
- * Builds a new unsecured (plain) header.
- *
- * @return The unsecured header.
- */
- public PlainHeader build() {
-
- return new PlainHeader(typ, cty, crit, customParams, parsedBase64URL);
- }
- }
-
-
- /**
- * Creates a new minimal unsecured (plain) header with algorithm
- * {@link Algorithm#NONE none}.
- */
- public PlainHeader() {
-
- this(null, null, null, null, null);
- }
-
-
- /**
- * Creates a new unsecured (plain) header with algorithm
- * {@link Algorithm#NONE none}.
- *
- * @param typ The type ({@code typ}) parameter,
- * {@code null} if not specified.
- * @param cty The content type ({@code cty}) parameter,
- * {@code null} if not specified.
- * @param crit The names of the critical header
- * ({@code crit}) parameters, empty set or
- * {@code null} if none.
- * @param customParams The custom parameters, empty map or
- * {@code null} if none.
- * @param parsedBase64URL The parsed Base64URL, {@code null} if the
- * header is created from scratch.
- */
- public PlainHeader(final JOSEObjectType typ,
- final String cty,
- final Set crit,
- final Map customParams,
- final Base64URL parsedBase64URL) {
-
- super(Algorithm.NONE, typ, cty, crit, customParams, parsedBase64URL);
- }
-
-
- /**
- * Deep copy constructor.
- *
- * @param plainHeader The unsecured header to copy. Must not be
- * {@code null}.
- */
- public PlainHeader(final PlainHeader plainHeader) {
-
- this(
- plainHeader.getType(),
- plainHeader.getContentType(),
- plainHeader.getCriticalParams(),
- plainHeader.getCustomParams(),
- plainHeader.getParsedBase64URL()
- );
- }
-
-
- /**
- * Gets the registered parameter names for unsecured headers.
- *
- * @return The registered parameter names, as an unmodifiable set.
- */
- public static Set getRegisteredParameterNames() {
-
- return REGISTERED_PARAMETER_NAMES;
- }
-
-
- /**
- * Gets the algorithm ({@code alg}) parameter.
- *
- * @return {@link Algorithm#NONE}.
- */
- @Override
- public Algorithm getAlgorithm() {
-
- return Algorithm.NONE;
- }
-
-
- /**
- * Parses an unsecured header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be {@code null}.
- *
- * @return The unsecured header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid unsecured header.
- */
- public static PlainHeader parse(final JSONObject jsonObject)
- throws ParseException {
-
- return parse(jsonObject, null);
- }
-
-
- /**
- * Parses an unsecured header from the specified JSON object.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The unsecured header.
- *
- * @throws ParseException If the specified JSON object doesn't
- * represent a valid unsecured header.
- */
- public static PlainHeader parse(final JSONObject jsonObject,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- // Get the "alg" parameter
- Algorithm alg = Header.parseAlgorithm(jsonObject);
-
- if (alg != Algorithm.NONE) {
- throw new ParseException("The algorithm \"alg\" header parameter must be \"none\"", 0);
- }
-
- PlainHeader.Builder header = new Builder().parsedBase64URL(parsedBase64URL);
-
- // Parse optional + custom parameters
- for(final String name: jsonObject.keySet()) {
-
-
-
- if("alg".equals(name)) {
- // skip
- } else if("typ".equals(name)) {
- header = header.type(new JOSEObjectType(JSONObjectUtils.getString(jsonObject, name)));
- } else if("cty".equals(name)) {
- header = header.contentType(JSONObjectUtils.getString(jsonObject, name));
- } else if("crit".equals(name)) {
- header = header.criticalParams(new HashSet<>(JSONObjectUtils.getStringList(jsonObject, name)));
- } else {
- header = header.customParam(name, jsonObject.get(name));
- }
- }
-
- return header.build();
- }
-
-
- /**
- * Parses an unsecured header from the specified JSON string.
- *
- * @param jsonString The JSON string to parse. Must not be
- * {@code null}.
- *
- * @return The unsecured header.
- *
- * @throws ParseException If the specified JSON string doesn't
- * represent a valid unsecured header.
- */
- public static PlainHeader parse(final String jsonString)
- throws ParseException {
-
- return parse(jsonString, null);
- }
-
-
- /**
- * Parses an unsecured header from the specified JSON string.
- *
- * @param jsonString The JSON string to parse. Must not be
- * {@code null}.
- * @param parsedBase64URL The original parsed Base64URL, {@code null}
- * if not applicable.
- *
- * @return The unsecured header.
- *
- * @throws ParseException If the specified JSON string doesn't
- * represent a valid unsecured header.
- */
- public static PlainHeader parse(final String jsonString,
- final Base64URL parsedBase64URL)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(jsonString), parsedBase64URL);
- }
-
-
- /**
- * Parses an unsecured header from the specified Base64URL.
- *
- * @param base64URL The Base64URL to parse. Must not be {@code null}.
- *
- * @return The unsecured header.
- *
- * @throws ParseException If the specified Base64URL doesn't represent
- * a valid unsecured header.
- */
- public static PlainHeader parse(final Base64URL base64URL)
- throws ParseException {
-
- return parse(base64URL.decodeToString(), base64URL);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainObject.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainObject.java
deleted file mode 100644
index 2e595291..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/PlainObject.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-import java.text.ParseException;
-
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * Unsecured (plain / {@code alg=none}) JOSE object. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-04-08
- */
-@ThreadSafe
-public class PlainObject extends JOSEObject {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The header.
- */
- private final PlainHeader header;
-
-
- /**
- * Creates a new unsecured JOSE object with a default {@link
- * PlainHeader} and the specified payload.
- *
- * @param payload The payload. Must not be {@code null}.
- */
- public PlainObject(final Payload payload) {
-
- if (payload == null) {
- throw new IllegalArgumentException("The payload must not be null");
- }
-
- setPayload(payload);
-
- header = new PlainHeader();
- }
-
-
- /**
- * Creates a new unsecured JOSE object with the specified header and
- * payload.
- *
- * @param header The unsecured header. Must not be {@code null}.
- * @param payload The payload. Must not be {@code null}.
- */
- public PlainObject(final PlainHeader header, final Payload payload) {
-
- if (header == null) {
-
- throw new IllegalArgumentException("The unsecured header must not be null");
- }
-
- this.header = header;
-
- if (payload == null) {
-
- throw new IllegalArgumentException("The payload must not be null");
- }
-
- setPayload(payload);
- }
-
-
- /**
- * Creates a new unsecured JOSE object with the specified
- * Base64URL-encoded parts.
- *
- * @param firstPart The first part, corresponding to the unsecured
- * header. Must not be {@code null}.
- * @param secondPart The second part, corresponding to the payload.
- * Must not be {@code null}.
- *
- * @throws ParseException If parsing of the serialised parts failed.
- */
- public PlainObject(final Base64URL firstPart, final Base64URL secondPart)
- throws ParseException {
-
- if (firstPart == null) {
-
- throw new IllegalArgumentException("The first part must not be null");
- }
-
- try {
- header = PlainHeader.parse(firstPart);
-
- } catch (ParseException e) {
-
- throw new ParseException("Invalid unsecured header: " + e.getMessage(), 0);
- }
-
- if (secondPart == null) {
-
- throw new IllegalArgumentException("The second part must not be null");
- }
-
- setPayload(new Payload(secondPart));
-
- setParsedParts(firstPart, secondPart, null);
- }
-
-
- @Override
- public PlainHeader getHeader() {
-
- return header;
- }
-
-
- /**
- * Serialises this unsecured JOSE object to its compact format
- * consisting of Base64URL-encoded parts delimited by period ('.')
- * characters.
- *
- *
- * [header-base64url].[payload-base64url].[]
- *
- *
- * @return The serialised unsecured JOSE object.
- */
- @Override
- public String serialize() {
-
- return header.toBase64URL().toString() + '.' + getPayload().toBase64URL().toString() + '.';
- }
-
-
- /**
- * Parses an unsecured JOSE object from the specified string in compact
- * format.
- *
- * @param s The string to parse. Must not be {@code null}.
- *
- * @return The unsecured JOSE object.
- *
- * @throws ParseException If the string couldn't be parsed to a valid
- * unsecured JOSE object.
- */
- public static PlainObject parse(final String s)
- throws ParseException {
-
- Base64URL[] parts = JOSEObject.split(s);
-
- if (! parts[2].toString().isEmpty()) {
-
- throw new ParseException("Unexpected third Base64URL part", 0);
- }
-
- return new PlainObject(parts[0], parts[1]);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/RemoteKeySourceException.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/RemoteKeySourceException.java
deleted file mode 100644
index 5fac88fb..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/RemoteKeySourceException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Remote key source exception.
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-06-21
- */
-public class RemoteKeySourceException extends KeySourceException {
-
-
- /**
- * Creates a new remote key source exception.
- *
- * @param message The message.
- * @param cause The cause.
- */
- public RemoteKeySourceException(final String message, final Throwable cause) {
- super(message, cause);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Requirement.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Requirement.java
deleted file mode 100644
index 20ff384b..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/Requirement.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose;
-
-
-/**
- * Enumeration of JOSE algorithm implementation requirements. Refers to the
- * requirement levels defined in RFC 2119.
- *
- * @author Vladimir Dzhuvinov
- * @version 2012-09-17
- */
-public enum Requirement {
-
-
- /**
- * The implementation of the algorithm is required.
- */
- REQUIRED,
-
-
- /**
- * The implementation of the algorithm is recommended.
- */
- RECOMMENDED,
-
-
- /**
- * The implementation of the algorithm is optional.
- */
- OPTIONAL
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESDecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESDecrypter.java
deleted file mode 100644
index dc853d3c..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESDecrypter.java
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.crypto.impl.*;
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * AES and AES GCM key wrap decrypter of {@link com.nimbusds.jose.JWEObject JWE
- * objects}. Expects an AES key.
- *
- * Unwraps the encrypted Content Encryption Key (CEK) with the specified AES
- * key, and then uses the CEK along with the IV and authentication tag to
- * decrypt the cipher text. See RFC 7518, sections
- * 4.4 and
- * 4.7 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Melisa Halsband
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-@ThreadSafe
-public class AESDecrypter extends AESCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new AES decrypter.
- *
- * @param kek The Key Encrypting Key. Must be 128 bits (16 bytes), 192
- * bits (24 bytes) or 256 bits (32 bytes). Must not be
- * {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESDecrypter(final SecretKey kek)
- throws KeyLengthException {
-
- this(kek, null);
- }
-
-
- /**
- * Creates a new AES decrypter.
- *
- * @param keyBytes The Key Encrypting Key, as a byte array. Must be 128
- * bits (16 bytes), 192 bits (24 bytes) or 256 bits (32
- * bytes). Must not be {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESDecrypter(final byte[] keyBytes)
- throws KeyLengthException {
-
- this(new SecretKeySpec(keyBytes, "AES"));
- }
-
-
- /**
- * Creates a new AES decrypter.
- *
- * @param octJWK The Key Encryption Key, as a JWK. Must be 128 bits (16
- * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
- * bits (48 bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESDecrypter(final OctetSequenceKey octJWK)
- throws KeyLengthException {
-
- this(octJWK.toSecretKey("AES"));
- }
-
-
- /**
- * Creates a new AES decrypter.
- *
- * @param kek The Key Encrypting Key. Must be 128 bits (16
- * bytes), 192 bits (24 bytes) or 256 bits (32
- * bytes). Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESDecrypter(final SecretKey kek, final Set defCritHeaders)
- throws KeyLengthException {
-
- super(kek);
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- // Validate required JWE parts
- if (encryptedKey == null) {
- throw new JOSEException("Missing JWE encrypted key");
- }
-
- if (iv == null) {
- throw new JOSEException("Missing JWE initialization vector (IV)");
- }
-
- if (authTag == null) {
- throw new JOSEException("Missing JWE authentication tag");
- }
-
- critPolicy.ensureHeaderPasses(header);
-
- // Derive the content encryption key
- JWEAlgorithm alg = header.getAlgorithm();
- int keyLength = header.getEncryptionMethod().cekBitLength();
-
- final SecretKey cek;
-
- if (alg.equals(JWEAlgorithm.A128KW) ||
- alg.equals(JWEAlgorithm.A192KW) ||
- alg.equals(JWEAlgorithm.A256KW)) {
-
- cek = AESKW.unwrapCEK(getKey(), encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
-
- } else if (alg.equals(JWEAlgorithm.A128GCMKW) ||
- alg.equals(JWEAlgorithm.A192GCMKW) ||
- alg.equals(JWEAlgorithm.A256GCMKW)) {
-
- if (header.getIV() == null) {
- throw new JOSEException("Missing JWE \"iv\" header parameter");
- }
-
- byte[] keyIV = header.getIV().decode();
-
- if (header.getAuthTag() == null) {
- throw new JOSEException("Missing JWE \"tag\" header parameter");
- }
-
- byte[] keyTag = header.getAuthTag().decode();
-
- AuthenticatedCipherText authEncrCEK = new AuthenticatedCipherText(encryptedKey.decode(), keyTag);
- cek = AESGCMKW.decryptCEK(getKey(), keyIV, authEncrCEK, keyLength, getJCAContext().getKeyEncryptionProvider());
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
- return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, getJCAContext());
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESEncrypter.java
deleted file mode 100644
index ded923a8..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/AESEncrypter.java
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.*;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.Container;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * AES and AES GCM key wrap encrypter of {@link com.nimbusds.jose.JWEObject JWE
- * objects}. Expects an AES key.
- *
- * Encrypts the plain text with a generated AES key (the Content Encryption
- * Key) according to the specified JOSE encryption method, then wraps the CEK
- * with the specified AES key and returns it alongside the IV, cipher text and
- * authentication tag. See RFC 7518, sections
- * 4.4 and
- * 4.7 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Melisa Halsband
- * @author Vladimir Dzhuvinov
- * @author Dimitar A. Stoikov
- * @version 2017-06-01
- */
-@ThreadSafe
-public class AESEncrypter extends AESCryptoProvider implements JWEEncrypter {
-
-
- /**
- * Algorithm family constants.
- */
- private enum AlgFamily {
-
- AESKW, AESGCMKW
- }
-
-
- /**
- * Creates a new AES encrypter.
- *
- * @param kek The Key Encryption Key. Must be 128 bits (16 bytes), 192
- * bits (24 bytes) or 256 bits (32 bytes). Must not be
- * {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESEncrypter(final SecretKey kek)
- throws KeyLengthException {
-
- super(kek);
- }
-
- /**
- * Creates a new AES encrypter.
- *
- * @param keyBytes The Key Encryption Key, as a byte array. Must be 128
- * bits (16 bytes), 192 bits (24 bytes) or 256 bits (32
- * bytes). Must not be {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESEncrypter(final byte[] keyBytes)
- throws KeyLengthException {
-
- this(new SecretKeySpec(keyBytes, "AES"));
- }
-
-
- /**
- * Creates a new AES encrypter.
- *
- * @param octJWK The Key Encryption Key, as a JWK. Must be 128 bits (16
- * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
- * bits (48 bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- public AESEncrypter(final OctetSequenceKey octJWK)
- throws KeyLengthException {
-
- this(octJWK.toSecretKey("AES"));
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- final JWEAlgorithm alg = header.getAlgorithm();
-
- // Check the AES key size and determine the algorithm family
- final AlgFamily algFamily;
-
- if (alg.equals(JWEAlgorithm.A128KW)) {
-
- if(ByteUtils.safeBitLength(getKey().getEncoded()) != 128){
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 128 bits for A128KW encryption");
- }
- algFamily = AlgFamily.AESKW;
-
- } else if (alg.equals(JWEAlgorithm.A192KW)) {
-
- if(ByteUtils.safeBitLength(getKey().getEncoded()) != 192){
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 192 bits for A192KW encryption");
- }
- algFamily = AlgFamily.AESKW;
-
- } else if (alg.equals(JWEAlgorithm.A256KW)) {
-
- if (ByteUtils.safeBitLength(getKey().getEncoded()) != 256) {
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 256 bits for A256KW encryption");
- }
- algFamily = AlgFamily.AESKW;
-
- } else if (alg.equals(JWEAlgorithm.A128GCMKW)) {
-
- if(ByteUtils.safeBitLength(getKey().getEncoded()) != 128){
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 128 bits for A128GCMKW encryption");
- }
- algFamily = AlgFamily.AESGCMKW;
-
- } else if (alg.equals(JWEAlgorithm.A192GCMKW)) {
-
- if(ByteUtils.safeBitLength(getKey().getEncoded()) != 192){
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 192 bits for A192GCMKW encryption");
- }
- algFamily = AlgFamily.AESGCMKW;
-
- } else if (alg.equals(JWEAlgorithm.A256GCMKW)) {
-
- if(ByteUtils.safeBitLength(getKey().getEncoded()) != 256){
- throw new KeyLengthException("The Key Encryption Key (KEK) length must be 256 bits for A256GCMKW encryption");
- }
- algFamily = AlgFamily.AESGCMKW;
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
-
- final JWEHeader updatedHeader; // We need to work on the header
- final Base64URL encryptedKey; // The second JWE part
-
- // Generate and encrypt the CEK according to the enc method
- final EncryptionMethod enc = header.getEncryptionMethod();
- final SecretKey cek = ContentCryptoProvider.generateCEK(enc, getJCAContext().getSecureRandom());
-
- if(AlgFamily.AESKW.equals(algFamily)) {
-
- encryptedKey = Base64URL.encode(AESKW.wrapCEK(cek, getKey(), getJCAContext().getKeyEncryptionProvider()));
- updatedHeader = header; // simply copy ref
-
- } else if(AlgFamily.AESGCMKW.equals(algFamily)) {
-
- final Container keyIV = new Container<>(AESGCM.generateIV(getJCAContext().getSecureRandom()));
- final AuthenticatedCipherText authCiphCEK = AESGCMKW.encryptCEK(cek, keyIV, getKey(), getJCAContext().getKeyEncryptionProvider());
- encryptedKey = Base64URL.encode(authCiphCEK.getCipherText());
-
- // Add iv and tag to the header
- updatedHeader = new JWEHeader.Builder(header).
- iv(Base64URL.encode(keyIV.get())).
- authTag(Base64URL.encode(authCiphCEK.getAuthenticationTag())).
- build();
- } else {
- // This should never happen
- throw new JOSEException("Unexpected JWE algorithm: " + alg);
- }
-
- return ContentCryptoProvider.encrypt(updatedHeader, clearText, cek, encryptedKey, getJCAContext());
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectDecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectDecrypter.java
deleted file mode 100644
index d453f4a6..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectDecrypter.java
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Set;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
-import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.DirectCryptoProvider;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Direct decrypter of {@link com.nimbusds.jose.JWEObject JWE objects} with a
- * shared symmetric key.
- *
- * See RFC 7518
- * section 4.5
- * for more information.
- *
- * This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#DIR}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384} (requires 384 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512} (requires 512 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM} (requires 128 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM} (requires 192 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED} (requires 512 bit key)
- *
- *
- * Also supports a promiscuous mode to decrypt any JWE by passing the
- * content encryption key (CEK) directly. The that mode the JWE algorithm
- * checks for ("alg":"dir") and encrypted key not being present will be
- * skipped.
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-07-16
- */
-@ThreadSafe
-public class DirectDecrypter extends DirectCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * If set skips the checks for alg "dir" and encrypted key not present.
- */
- private final boolean promiscuousMode;
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new direct decrypter.
- *
- * @param key The symmetric key. Its algorithm should be "AES". Must be
- * 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32
- * bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long.
- * Must not be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final SecretKey key)
- throws KeyLengthException {
-
- this(key, false);
- }
-
-
- /**
- * Creates a new direct decrypter with the option to set it in
- * promiscuous mode.
- *
- * @param key The symmetric key. Its algorithm should be
- * "AES". Must be 128 bits (16 bytes), 192 bits
- * (24 bytes), 256 bits (32 bytes), 384 bits (48
- * bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- * @param promiscuousMode If {@code true} set the decrypter in
- * promiscuous mode to permit decryption of any
- * JWE with the supplied symmetric key. The that
- * mode the JWE algorithm checks for
- * ("alg":"dir") and encrypted key not being
- * present will be skipped.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final SecretKey key, final boolean promiscuousMode)
- throws KeyLengthException {
-
- super(key);
-
- this.promiscuousMode = promiscuousMode;
- }
-
-
- /**
- * Creates a new direct decrypter.
- *
- * @param keyBytes The symmetric key, as a byte array. Must be 128 bits
- * (16 bytes), 192 bits (24 bytes), 256 bits (32
- * bytes), 384 bits (48 bytes) or 512 bits (64 bytes)
- * long. Must not be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final byte[] keyBytes)
- throws KeyLengthException {
-
- this(new SecretKeySpec(keyBytes, "AES"), false);
- }
-
-
- /**
- * Creates a new direct decrypter.
- *
- * @param octJWK The symmetric key, as a JWK. Must be 128 bits (16
- * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
- * bits (48 bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final OctetSequenceKey octJWK)
- throws KeyLengthException {
-
- this(octJWK.toSecretKey("AES"));
- }
-
-
- /**
- * Creates a new direct decrypter with the option to set it in
- * promiscuous mode.
- *
- * @param key The symmetric key. Its algorithm should be
- * "AES". Must be 128 bits (16 bytes), 192 bits
- * (24 bytes), 256 bits (32 bytes), 384 bits (48
- * bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final SecretKey key, final Set defCritHeaders)
- throws KeyLengthException {
-
- this(key, defCritHeaders, false);
- }
-
-
- /**
- * Creates a new direct decrypter.
- *
- * @param key The symmetric key. Its algorithm should be
- * "AES". Must be 128 bits (16 bytes), 192 bits
- * (24 bytes), 256 bits (32 bytes), 384 bits (48
- * bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *@param promiscuousMode If {@code true} set the decrypter in
- * promiscuous mode to permit decryption of any
- * JWE with the supplied symmetric key. The that
- * mode the JWE algorithm checks for
- * ("alg":"dir") and encrypted key not being
- * present will be skipped.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectDecrypter(final SecretKey key,
- final Set defCritHeaders,
- final boolean promiscuousMode)
- throws KeyLengthException {
-
- super(key);
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- this.promiscuousMode = promiscuousMode;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- // Validate required JWE parts
- if (! promiscuousMode) {
-
- JWEAlgorithm alg = header.getAlgorithm();
-
- if (!alg.equals(JWEAlgorithm.DIR)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
- if (encryptedKey != null) {
- throw new JOSEException("Unexpected present JWE encrypted key");
- }
- }
-
- if (iv == null) {
- throw new JOSEException("Unexpected present JWE initialization vector (IV)");
- }
-
- if (authTag == null) {
- throw new JOSEException("Missing JWE authentication tag");
- }
-
- critPolicy.ensureHeaderPasses(header);
-
- return ContentCryptoProvider.decrypt(header, null, iv, cipherText, authTag, getKey(), getJCAContext());
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectEncrypter.java
deleted file mode 100644
index cbaf6327..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/DirectEncrypter.java
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
-import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
-import com.nimbusds.jose.crypto.impl.DirectCryptoProvider;
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-
-
-/**
- * Direct encrypter of {@link com.nimbusds.jose.JWEObject JWE objects} with a
- * shared symmetric key.
- *
- * See RFC 7518
- * section 4.5
- * for more information.
- *
- * This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#DIR}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384} (requires 384 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512} (requires 512 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM} (requires 128 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM} (requires 192 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED} (requires 256 bit key)
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED} (requires 512 bit key)
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-@ThreadSafe
-public class DirectEncrypter extends DirectCryptoProvider implements JWEEncrypter {
-
-
- /**
- * Creates a new direct encrypter.
- *
- * @param key The symmetric key. Its algorithm should be "AES". Must be
- * 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32
- * bytes), 384 bits (48 bytes) or 512 bits (64 bytes) long.
- * Must not be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectEncrypter(final SecretKey key)
- throws KeyLengthException {
-
- super(key);
- }
-
-
- /**
- * Creates a new direct encrypter.
- *
- * @param keyBytes The symmetric key, as a byte array. Must be 128 bits
- * (16 bytes), 192 bits (24 bytes), 256 bits (32
- * bytes), 384 bits (48 bytes) or 512 bits (64 bytes)
- * long. Must not be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectEncrypter(final byte[] keyBytes)
- throws KeyLengthException {
-
- this(new SecretKeySpec(keyBytes, "AES"));
- }
-
-
- /**
- * Creates a new direct encrypter.
- *
- * @param octJWK The symmetric key, as a JWK. Must be 128 bits (16
- * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
- * bits (48 bytes) or 512 bits (64 bytes) long. Must not
- * be {@code null}.
- *
- * @throws KeyLengthException If the symmetric key length is not
- * compatible.
- */
- public DirectEncrypter(final OctetSequenceKey octJWK)
- throws KeyLengthException {
-
- this(octJWK.toSecretKey("AES"));
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- JWEAlgorithm alg = header.getAlgorithm();
-
- if (! alg.equals(JWEAlgorithm.DIR)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
- // Check key length matches encryption method
- EncryptionMethod enc = header.getEncryptionMethod();
-
- if (enc.cekBitLength() != ByteUtils.safeBitLength(getKey().getEncoded())) {
- throw new KeyLengthException(enc.cekBitLength(), enc);
- }
-
- final Base64URL encryptedKey = null; // The second JWE part
-
- return ContentCryptoProvider.encrypt(header, clearText, getKey(), encryptedKey, getJCAContext());
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHDecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHDecrypter.java
deleted file mode 100644
index dcc493f9..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHDecrypter.java
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.PrivateKey;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.CriticalHeaderParamsAware;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEDecrypter;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.ECDH;
-import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
-import com.nimbusds.jose.crypto.utils.ECChecks;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.ECKey;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * Elliptic Curve Diffie-Hellman decrypter of
- * {@link com.nimbusds.jose.JWEObject JWE objects} for curves using EC JWK
- * keys. Expects a private EC key (with a P-256, P-384 or P-521 curve).
- *
- * See RFC 7518
- * section 4.6
- * for more information.
- *
- *
For Curve25519/X25519, see {@link X25519Decrypter} instead.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A256KW}
- *
- *
- * Supports the following elliptic curves:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#P_256}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_384}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_521}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-12-12
- */
-public class ECDHDecrypter extends ECDHCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * The supported EC JWK curves by the ECDH crypto provider class.
- */
- public static final Set SUPPORTED_ELLIPTIC_CURVES;
-
-
- static {
- Set curves = new LinkedHashSet<>();
- curves.add(Curve.P_256);
- curves.add(Curve.P_384);
- curves.add(Curve.P_521);
- SUPPORTED_ELLIPTIC_CURVES = Collections.unmodifiableSet(curves);
- }
-
-
- /**
- * The private EC key.
- */
- private final PrivateKey privateKey;
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman decrypter.
- *
- * @param privateKey The private EC key. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHDecrypter(final ECPrivateKey privateKey)
- throws JOSEException {
-
- this(privateKey, null);
- }
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman decrypter.
- *
- * @param ecJWK The EC JSON Web Key (JWK). Must contain a private
- * part. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHDecrypter(final ECKey ecJWK)
- throws JOSEException {
-
- super(ecJWK.getCurve());
-
- if (! ecJWK.isPrivate()) {
- throw new JOSEException("The EC JWK doesn't contain a private part");
- }
-
- this.privateKey = ecJWK.toECPrivateKey();
- }
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman decrypter.
- *
- * @param privateKey The private EC key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHDecrypter(final ECPrivateKey privateKey, final Set defCritHeaders)
- throws JOSEException {
-
- this(privateKey, defCritHeaders, Curve.forECParameterSpec(privateKey.getParams()));
- }
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman decrypter. This
- * constructor can also accept a private EC key located in a PKCS#11
- * store that doesn't expose the private key parameters (such as a
- * smart card or HSM).
- *
- * @param privateKey The private EC key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- * @param curve The key curve. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHDecrypter(final PrivateKey privateKey,
- final Set defCritHeaders,
- final Curve curve)
- throws JOSEException {
-
- super(curve);
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
-
- this.privateKey = privateKey;
- }
-
-
- /**
- * Returns the private EC key.
- *
- * @return The private EC key. Casting to
- * {@link java.security.interfaces.ECPrivateKey} may not be
- * possible if the key is located in a PKCS#11 store that
- * doesn't expose the private key parameters.
- */
- public PrivateKey getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Set supportedEllipticCurves() {
-
- return SUPPORTED_ELLIPTIC_CURVES;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- critPolicy.ensureHeaderPasses(header);
-
- // Get ephemeral EC key
- ECKey ephemeralKey = (ECKey) header.getEphemeralPublicKey();
-
- if (ephemeralKey == null) {
- throw new JOSEException("Missing ephemeral public EC key \"epk\" JWE header parameter");
- }
-
- ECPublicKey ephemeralPublicKey = ephemeralKey.toECPublicKey();
-
- // Curve check
- if (getPrivateKey() instanceof ECPrivateKey) {
- ECPrivateKey ecPrivateKey = (ECPrivateKey)getPrivateKey();
- if (!ECChecks.isPointOnCurve(ephemeralPublicKey, ecPrivateKey)) {
- throw new JOSEException("Invalid ephemeral public EC key: Point(s) not on the expected curve");
- }
- } else {
- if (!ECChecks.isPointOnCurve(ephemeralPublicKey, getCurve().toECParameterSpec())) {
- throw new JOSEException("Invalid ephemeral public EC key: Point(s) not on the expected curve");
- }
- }
-
- // Derive 'Z'
- SecretKey Z = ECDH.deriveSharedSecret(
- ephemeralPublicKey,
- privateKey,
- getJCAContext().getKeyEncryptionProvider());
-
- return decryptWithZ(header, Z, encryptedKey, iv, cipherText, authTag);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHEncrypter.java
deleted file mode 100644
index c3279e6f..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDHEncrypter.java
+++ /dev/null
@@ -1,259 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2019, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.ECParameterSpec;
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWECryptoParts;
-import com.nimbusds.jose.JWEEncrypter;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.crypto.impl.ECDH;
-import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.ECKey;
-
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Elliptic Curve Diffie-Hellman encrypter of
- * {@link com.nimbusds.jose.JWEObject JWE objects} for curves using EC JWK keys.
- * Expects a public EC key (with a P-256, P-384 or P-521 curve).
- *
- * See RFC 7518
- * section 4.6
- * for more information.
- *
- *
For Curve25519/X25519, see {@link X25519Encrypter} instead.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A256KW}
- *
- *
- * Supports the following elliptic curves:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#P_256}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_384}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_521}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Tim McLean
- * @author Vladimir Dzhuvinov
- * @author Fernando González Callejas
- * @version 2019-01-24
- */
-@ThreadSafe
-public class ECDHEncrypter extends ECDHCryptoProvider implements JWEEncrypter {
-
-
- /**
- * The supported EC JWK curves by the ECDH crypto provider class.
- */
- public static final Set SUPPORTED_ELLIPTIC_CURVES;
-
-
- static {
- Set curves = new LinkedHashSet<>();
- curves.add(Curve.P_256);
- curves.add(Curve.P_384);
- curves.add(Curve.P_521);
- SUPPORTED_ELLIPTIC_CURVES = Collections.unmodifiableSet(curves);
- }
-
-
- /**
- * The public EC key.
- */
- private final ECPublicKey publicKey;
-
- /**
- * The externally supplied AES content encryption key (CEK) to use,
- * {@code null} to generate a CEK for each JWE.
- */
- private final SecretKey contentEncryptionKey;
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman encrypter.
- *
- * @param publicKey The public EC key. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHEncrypter(final ECPublicKey publicKey)
- throws JOSEException {
-
- this(publicKey, null);
- }
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman encrypter.
- *
- * @param ecJWK The EC JSON Web Key (JWK). Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHEncrypter(final ECKey ecJWK) throws
- JOSEException {
-
- super(ecJWK.getCurve());
-
- publicKey = ecJWK.toECPublicKey();
- contentEncryptionKey = null;
- }
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman encrypter with an
- * optionally specified content encryption key (CEK).
- *
- * @param publicKey The public EC key. Must not be
- * {@code null}.
- * @param contentEncryptionKey The content encryption key (CEK) to use.
- * If specified its algorithm must be "AES"
- * and its length must match the expected
- * for the JWE encryption method ("enc").
- * If {@code null} a CEK will be generated
- * for each JWE.
- * @throws JOSEException If the elliptic curve is not supported.
- */
- public ECDHEncrypter(final ECPublicKey publicKey, final SecretKey contentEncryptionKey)
- throws JOSEException {
-
- super(Curve.forECParameterSpec(publicKey.getParams()));
-
- this.publicKey = publicKey;
-
- if (contentEncryptionKey != null) {
- if (contentEncryptionKey.getAlgorithm() == null || !contentEncryptionKey.getAlgorithm().equals("AES")) {
- throw new IllegalArgumentException("The algorithm of the content encryption key (CEK) must be AES");
- } else {
- this.contentEncryptionKey = contentEncryptionKey;
- }
- } else {
- this.contentEncryptionKey = null;
- }
- }
-
-
- /**
- * Returns the public EC key.
- *
- * @return The public EC key.
- */
- public ECPublicKey getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public Set supportedEllipticCurves() {
-
- return SUPPORTED_ELLIPTIC_CURVES;
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- // Generate ephemeral EC key pair on the same curve as the consumer's public key
- KeyPair ephemeralKeyPair = generateEphemeralKeyPair(publicKey.getParams());
- ECPublicKey ephemeralPublicKey = (ECPublicKey)ephemeralKeyPair.getPublic();
- ECPrivateKey ephemeralPrivateKey = (ECPrivateKey)ephemeralKeyPair.getPrivate();
-
- // Add the ephemeral public EC key to the header
- JWEHeader updatedHeader = new JWEHeader.Builder(header).
- ephemeralPublicKey(new ECKey.Builder(getCurve(), ephemeralPublicKey).build()).
- build();
-
- // Derive 'Z'
- SecretKey Z = ECDH.deriveSharedSecret(
- publicKey,
- ephemeralPrivateKey,
- getJCAContext().getKeyEncryptionProvider());
-
- return encryptWithZ(updatedHeader, Z, clearText, contentEncryptionKey);
- }
-
-
- /**
- * Generates a new ephemeral EC key pair with the specified curve.
- *
- * @param ecParameterSpec The EC key spec. Must not be {@code null}.
- *
- * @return The EC key pair.
- *
- * @throws JOSEException If the EC key pair couldn't be generated.
- */
- private KeyPair generateEphemeralKeyPair(final ECParameterSpec ecParameterSpec)
- throws JOSEException {
-
- Provider keProvider = getJCAContext().getKeyEncryptionProvider();
-
- try {
- KeyPairGenerator generator;
-
- if (keProvider != null) {
- generator = KeyPairGenerator.getInstance("EC", keProvider);
- } else {
- generator = KeyPairGenerator.getInstance("EC");
- }
-
- generator.initialize(ecParameterSpec);
- return generator.generateKeyPair();
- } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
- throw new JOSEException("Couldn't generate ephemeral EC key pair: " + e.getMessage(), e);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSASigner.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSASigner.java
deleted file mode 100644
index d42b2d57..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSASigner.java
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.InvalidKeyException;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.interfaces.ECPrivateKey;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
-import com.nimbusds.jose.crypto.impl.ECDSA;
-import com.nimbusds.jose.crypto.impl.ECDSAProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.ECKey;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Elliptic Curve Digital Signature Algorithm (ECDSA) signer of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a private EC key
- * (with a P-256, P-384 or P-521 curve).
- *
- * See RFC 7518
- * section 3.4
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#ES256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES512}
- *
- *
- * @author Axel Nennker
- * @author Vladimir Dzhuvinov
- * @version 2016-11-30
- */
-@ThreadSafe
-public class ECDSASigner extends ECDSAProvider implements JWSSigner {
-
-
- /**
- * The private EC key. Represented by generic private key interface to
- * support key stores that prevent exposure of the private key
- * parameters via the {@link java.security.interfaces.RSAPrivateKey}
- * API.
- *
- * See https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/169
- */
- private final PrivateKey privateKey;
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * signer.
- *
- * @param privateKey The private EC key. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public ECDSASigner(final ECPrivateKey privateKey)
- throws JOSEException {
-
- super(ECDSA.resolveAlgorithm(privateKey));
-
- this.privateKey = privateKey;
- }
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * signer. This constructor is intended for a private EC key located
- * in a PKCS#11 store that doesn't expose the private key parameters
- * (such as a smart card or HSM).
- *
- * @param privateKey The private EC key. Its algorithm must be "EC".
- * Must not be {@code null}.
- * @param curve The elliptic curve for the key. Must not be
- * {@code null}.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public ECDSASigner(final PrivateKey privateKey, final Curve curve)
- throws JOSEException {
-
- super(ECDSA.resolveAlgorithm(curve));
-
- if (! "EC".equalsIgnoreCase(privateKey.getAlgorithm())) {
- throw new IllegalArgumentException("The private key algorithm must be EC");
- }
-
- this.privateKey = privateKey;
- }
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * signer.
- *
- * @param ecJWK The EC JSON Web Key (JWK). Must contain a private part.
- * Must not be {@code null}.
- *
- * @throws JOSEException If the EC JWK doesn't contain a private part,
- * its extraction failed, or the elliptic curve
- * is not supported.
- */
- public ECDSASigner(final ECKey ecJWK)
- throws JOSEException {
-
- super(ECDSA.resolveAlgorithm(ecJWK.getCurve()));
-
- if (! ecJWK.isPrivate()) {
- throw new JOSEException("The EC JWK doesn't contain a private part");
- }
-
- privateKey = ecJWK.toPrivateKey();
- }
-
-
- /**
- * Gets the private EC key.
- *
- * @return The private EC key. Casting to
- * {@link java.security.interfaces.ECPrivateKey} may not be
- * possible if the key is located in a PKCS#11 store that
- * doesn't expose the private key parameters.
- */
- public PrivateKey getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Base64URL sign(final JWSHeader header, final byte[] signingInput)
- throws JOSEException {
-
- final JWSAlgorithm alg = header.getAlgorithm();
-
- if (! supportedJWSAlgorithms().contains(alg)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(alg, supportedJWSAlgorithms()));
- }
-
- // DER-encoded signature, according to JCA spec
- // (sequence of two integers - R + S)
- final byte[] jcaSignature;
-
- try {
- Signature dsa = ECDSA.getSignerAndVerifier(alg, getJCAContext().getProvider());
- dsa.initSign(privateKey, getJCAContext().getSecureRandom());
- dsa.update(signingInput);
- jcaSignature = dsa.sign();
-
- } catch (InvalidKeyException | SignatureException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- final int rsByteArrayLength = ECDSA.getSignatureByteArrayLength(header.getAlgorithm());
- final byte[] jwsSignature = ECDSA.transcodeSignatureToConcat(jcaSignature, rsByteArrayLength);
- return Base64URL.encode(jwsSignature);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSAVerifier.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSAVerifier.java
deleted file mode 100644
index 54978893..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/ECDSAVerifier.java
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.InvalidKeyException;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.interfaces.ECPublicKey;
-import java.util.Set;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.ECDSA;
-import com.nimbusds.jose.crypto.impl.ECDSAProvider;
-import com.nimbusds.jose.crypto.utils.ECChecks;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.ECKey;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Elliptic Curve Digital Signature Algorithm (ECDSA) verifier of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a public EC key
- * (with a P-256, P-384 or P-521 curve).
- *
- * See RFC 7518
- * section 3.4
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#ES256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES512}
- *
- *
- * @author Axel Nennker
- * @author Vladimir Dzhuvinov
- * @version 2017-04-13
- */
-@ThreadSafe
-public class ECDSAVerifier extends ECDSAProvider implements JWSVerifier, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * The public EC key.
- */
- private final ECPublicKey publicKey;
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * verifier.
- *
- * @param publicKey The public EC key. Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public ECDSAVerifier(final ECPublicKey publicKey)
- throws JOSEException {
-
- this(publicKey, null);
- }
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * verifier.
- *
- * @param ecJWK The EC JSON Web Key (JWK). Must not be {@code null}.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public ECDSAVerifier(final ECKey ecJWK)
- throws JOSEException {
-
- this(ecJWK.toECPublicKey());
- }
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * verifier.
- *
- * @param publicKey The public EC key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public ECDSAVerifier(final ECPublicKey publicKey, final Set defCritHeaders)
- throws JOSEException {
-
- super(ECDSA.resolveAlgorithm(publicKey));
-
- this.publicKey = publicKey;
-
- if (! ECChecks.isPointOnCurve(
- publicKey,
- Curve.forJWSAlgorithm(supportedECDSAAlgorithm()).iterator().next().toECParameterSpec())) {
- throw new JOSEException("Curve / public key parameters mismatch");
- }
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- /**
- * Returns the public EC key.
- *
- * @return The public EC key.
- */
- public ECPublicKey getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public boolean verify(final JWSHeader header,
- final byte[] signedContent,
- final Base64URL signature)
- throws JOSEException {
-
- final JWSAlgorithm alg = header.getAlgorithm();
-
- if (! supportedJWSAlgorithms().contains(alg)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(alg, supportedJWSAlgorithms()));
- }
-
- if (! critPolicy.headerPasses(header)) {
- return false;
- }
-
- final byte[] jwsSignature = signature.decode();
-
- final byte[] derSignature;
-
- try {
- derSignature = ECDSA.transcodeSignatureToDER(jwsSignature);
- } catch (JOSEException e) {
- // Invalid signature format
- return false;
- }
-
- Signature sig = ECDSA.getSignerAndVerifier(alg, getJCAContext().getProvider());
-
- try {
- sig.initVerify(publicKey);
- sig.update(signedContent);
- return sig.verify(derSignature);
-
- } catch (InvalidKeyException e) {
- throw new JOSEException("Invalid EC public key: " + e.getMessage(), e);
- } catch (SignatureException e) {
- return false;
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Signer.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Signer.java
deleted file mode 100644
index 165c70a1..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Signer.java
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2018, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.GeneralSecurityException;
-
-import com.google.crypto.tink.subtle.Ed25519Sign;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.crypto.impl.EdDSAProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Ed25519 signer of {@link com.nimbusds.jose.JWSObject JWS objects}.
- * Expects an {@link OctetKeyPair} with {@code "crv"} Ed25519.
- * Uses the Edwards-curve Digital Signature Algorithm (EdDSA).
- *
- * See RFC 8037
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithm:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#EdDSA}
- *
- *
- * with the following curve:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#Ed25519}
- *
- *
- * @author Tim McLean
- * @version 2018-07-11
- */
-@ThreadSafe
-public class Ed25519Signer extends EdDSAProvider implements JWSSigner {
-
-
- private final OctetKeyPair privateKey;
-
-
- private final Ed25519Sign tinkSigner;
-
-
- /**
- * Creates a new Ed25519 signer.
- *
- * @param privateKey The private key. Must be non-{@code null}, and must
- * be of type Ed25519 ({@code "crv": "Ed25519"}).
- *
- * @throws JOSEException If the key subtype is not supported or if the key is not a private key
- */
- public Ed25519Signer(final OctetKeyPair privateKey)
- throws JOSEException {
-
- super();
-
- if (! Curve.Ed25519.equals(privateKey.getCurve())) {
- throw new JOSEException("Ed25519Signer only supports OctetKeyPairs with crv=Ed25519");
- }
-
- if (! privateKey.isPrivate()) {
- throw new JOSEException("The OctetKeyPair doesn't contain a private part");
- }
-
- this.privateKey = privateKey;
-
- try {
- tinkSigner = new Ed25519Sign(privateKey.getDecodedD());
-
- } catch (GeneralSecurityException e) {
- // If Tink failed to initialize; generally should not happen
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Gets the Ed25519 private key as an {@code OctetKeyPair}.
- *
- * @return The private key.
- */
- public OctetKeyPair getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Base64URL sign(final JWSHeader header, final byte[] signingInput)
- throws JOSEException {
-
- // Check alg field in header
- final JWSAlgorithm alg = header.getAlgorithm();
- if (! JWSAlgorithm.EdDSA.equals(alg)) {
- throw new JOSEException("Ed25519Signer requires alg=EdDSA in JWSHeader");
- }
-
- final byte[] jwsSignature;
-
- try {
- jwsSignature = tinkSigner.sign(signingInput);
-
- } catch (GeneralSecurityException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- return Base64URL.encode(jwsSignature);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Verifier.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Verifier.java
deleted file mode 100644
index 8fabab9f..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/Ed25519Verifier.java
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2018, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.GeneralSecurityException;
-import java.util.Set;
-
-import com.google.crypto.tink.subtle.Ed25519Verify;
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.EdDSAProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Ed25519 verifier of {@link com.nimbusds.jose.JWSObject JWS objects}.
- * Expects a public {@link OctetKeyPair} with {@code "crv"} Ed25519.
- * Uses the Edwards-curve Digital Signature Algorithm (EdDSA).
- *
- * See RFC 8037
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithm:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#EdDSA}
- *
- *
- * with the following curve:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#Ed25519}
- *
- *
- * @author Tim McLean
- * @version 2018-07-11
- */
-@ThreadSafe
-public class Ed25519Verifier extends EdDSAProvider implements JWSVerifier, CriticalHeaderParamsAware {
-
-
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- private final OctetKeyPair publicKey;
-
-
- private final Ed25519Verify tinkVerifier;
-
-
- /**
- * Creates a new Ed25519 verifier.
- *
- * @param publicKey The public Ed25519 key. Must not be {@code null}.
- *
- * @throws JOSEException If the key subtype is not supported
- */
- public Ed25519Verifier(final OctetKeyPair publicKey)
- throws JOSEException {
-
- this(publicKey, null);
- }
-
-
- /**
- * Creates a Ed25519 verifier.
- *
- * @param publicKey The public Ed25519 key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws JOSEException If the key subtype is not supported.
- */
- public Ed25519Verifier(final OctetKeyPair publicKey, final Set defCritHeaders)
- throws JOSEException {
-
- super();
-
- if (! Curve.Ed25519.equals(publicKey.getCurve())) {
- throw new JOSEException("Ed25519Verifier only supports OctetKeyPairs with crv=Ed25519");
- }
-
- if (publicKey.isPrivate()) {
- throw new JOSEException("Ed25519Verifier requires a public key, use OctetKeyPair.toPublicJWK()");
- }
-
- this.publicKey = publicKey;
- tinkVerifier = new Ed25519Verify(publicKey.getDecodedX());
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- /**
- * Returns the public key.
- *
- * @return An OctetKeyPair without the private part
- */
- public OctetKeyPair getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public boolean verify(final JWSHeader header,
- final byte[] signedContent,
- final Base64URL signature)
- throws JOSEException {
-
- // Check alg field in header
- final JWSAlgorithm alg = header.getAlgorithm();
- if (! JWSAlgorithm.EdDSA.equals(alg)) {
- throw new JOSEException("Ed25519Verifier requires alg=EdDSA in JWSHeader");
- }
-
- // Check for unrecognized "crit" properties
- if (! critPolicy.headerPasses(header)) {
- return false;
- }
-
- final byte[] jwsSignature = signature.decode();
-
- try {
- tinkVerifier.verify(jwsSignature, signedContent);
- return true;
-
- } catch (GeneralSecurityException e) {
- return false;
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACSigner.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACSigner.java
deleted file mode 100644
index 13f92e90..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACSigner.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
-import com.nimbusds.jose.crypto.impl.HMAC;
-import com.nimbusds.jose.crypto.impl.MACProvider;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-
-/**
- * Message Authentication Code (MAC) signer of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a secret key.
- *
- * See RFC 7518
- * section 3.2
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#HS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-27
- */
-@ThreadSafe
-public class MACSigner extends MACProvider implements JWSSigner {
-
-
- /**
- * Returns the minimal required secret length for the specified HMAC
- * JWS algorithm.
- *
- * @param alg The HMAC JWS algorithm. Must be
- * {@link #SUPPORTED_ALGORITHMS supported} and not
- * {@code null}.
- *
- * @return The minimal required secret length, in bits.
- *
- * @throws JOSEException If the algorithm is not supported.
- */
- public static int getMinRequiredSecretLength(final JWSAlgorithm alg)
- throws JOSEException {
-
- if (JWSAlgorithm.HS256.equals(alg)) {
- return 256;
- } else if (JWSAlgorithm.HS384.equals(alg)) {
- return 384;
- } else if (JWSAlgorithm.HS512.equals(alg)) {
- return 512;
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(
- alg,
- SUPPORTED_ALGORITHMS));
- }
- }
-
-
- /**
- * Returns the compatible JWS HMAC algorithms for the specified secret
- * length.
- *
- * @param secretLength The secret length in bits. Must not be negative.
- *
- * @return The compatible HMAC algorithms, empty set if the secret
- * length is too short for any algorithm.
- */
- public static Set getCompatibleAlgorithms(final int secretLength) {
-
- Set hmacAlgs = new LinkedHashSet<>();
-
- if (secretLength >= 256)
- hmacAlgs.add(JWSAlgorithm.HS256);
-
- if (secretLength >= 384)
- hmacAlgs.add(JWSAlgorithm.HS384);
-
- if (secretLength >= 512)
- hmacAlgs.add(JWSAlgorithm.HS512);
-
- return Collections.unmodifiableSet(hmacAlgs);
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) signer.
- *
- * @param secret The secret. Must be at least 256 bits long and not
- * {@code null}.
- *
- * @throws KeyLengthException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACSigner(final byte[] secret)
- throws KeyLengthException {
-
- super(secret, getCompatibleAlgorithms(ByteUtils.bitLength(secret.length)));
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) signer.
- *
- * @param secretString The secret as a UTF-8 encoded string. Must be at
- * least 256 bits long and not {@code null}.
- *
- * @throws KeyLengthException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACSigner(final String secretString)
- throws KeyLengthException {
-
- this(secretString.getBytes(StandardCharset.UTF_8));
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) signer.
- *
- * @param secretKey The secret key. Must be at least 256 bits long and
- * not {@code null}.
- *
- * @throws KeyLengthException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACSigner(final SecretKey secretKey)
- throws KeyLengthException {
-
- this(secretKey.getEncoded());
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) signer.
- *
- * @param jwk The secret as a JWK. Must be at least 256 bits long and
- * not {@code null}.
- *
- * @throws KeyLengthException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACSigner(final OctetSequenceKey jwk)
- throws KeyLengthException {
-
- this(jwk.toByteArray());
- }
-
-
- @Override
- public Base64URL sign(final JWSHeader header, final byte[] signingInput)
- throws JOSEException {
-
- final int minRequiredLength = getMinRequiredSecretLength(header.getAlgorithm());
-
- if (getSecret().length < ByteUtils.byteLength(minRequiredLength)) {
- throw new KeyLengthException("The secret length for " + header.getAlgorithm() + " must be at least " + minRequiredLength + " bits");
- }
-
- String jcaAlg = getJCAAlgorithmName(header.getAlgorithm());
- byte[] hmac = HMAC.compute(jcaAlg, getSecret(), signingInput, getJCAContext().getProvider());
- return Base64URL.encode(hmac);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACVerifier.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACVerifier.java
deleted file mode 100644
index efac68c1..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/MACVerifier.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.CriticalHeaderParamsAware;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.HMAC;
-import com.nimbusds.jose.crypto.impl.MACProvider;
-import com.nimbusds.jose.crypto.utils.ConstantTimeUtils;
-import com.nimbusds.jose.jwk.OctetSequenceKey;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Message Authentication Code (MAC) verifier of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a secret key.
- *
- * See RFC 7518
- * section 3.2
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#HS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-06-26
- */
-@ThreadSafe
-public class MACVerifier extends MACProvider implements JWSVerifier, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new Message Authentication (MAC) verifier.
- *
- * @param secret The secret. Must be at least 256 bits long and not
- * {@code null}.
- *
- * @throws JOSEException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACVerifier(final byte[] secret)
- throws JOSEException {
-
- this(secret, null);
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) verifier.
- *
- * @param secretString The secret as a UTF-8 encoded string. Must be at
- * least 256 bits long and not {@code null}.
- *
- * @throws JOSEException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACVerifier(final String secretString)
- throws JOSEException {
-
- this(secretString.getBytes(StandardCharset.UTF_8));
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) verifier.
- *
- * @param secretKey The secret key. Must be at least 256 bits long and
- * not {@code null}.
- *
- * @throws JOSEException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACVerifier(final SecretKey secretKey)
- throws JOSEException {
-
- this(secretKey.getEncoded());
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) verifier.
- *
- * @param jwk The secret as a JWK. Must be at least 256 bits long and
- * not {@code null}.
- *
- * @throws JOSEException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACVerifier(final OctetSequenceKey jwk)
- throws JOSEException {
-
- this(jwk.toByteArray());
- }
-
-
- /**
- * Creates a new Message Authentication (MAC) verifier.
- *
- * @param secret The secret. Must be at least 256 bits long
- * and not {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws JOSEException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- public MACVerifier(final byte[] secret,
- final Set defCritHeaders)
- throws JOSEException {
-
- super(secret, SUPPORTED_ALGORITHMS);
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public boolean verify(final JWSHeader header,
- final byte[] signedContent,
- final Base64URL signature)
- throws JOSEException {
-
- if (! critPolicy.headerPasses(header)) {
- return false;
- }
-
- String jcaAlg = getJCAAlgorithmName(header.getAlgorithm());
- byte[] expectedHMAC = HMAC.compute(jcaAlg, getSecret(), signedContent, getJCAContext().getProvider());
- return ConstantTimeUtils.areEqual(expectedHMAC, signature.decode());
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedDecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedDecrypter.java
deleted file mode 100644
index 406a2fe8..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedDecrypter.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.*;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Password-based decrypter of {@link com.nimbusds.jose.JWEObject JWE objects}.
- * Expects a password.
- *
- * See RFC 7518
- * section 4.8
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS256_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS384_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS512_A256KW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-26
- */
-@ThreadSafe
-public class PasswordBasedDecrypter extends PasswordBasedCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new password-based decrypter.
- *
- * @param password The password bytes. Must not be empty or
- * {@code null}.
- */
- public PasswordBasedDecrypter(final byte[] password) {
-
- super(password);
- }
-
-
- /**
- * Creates a new password-based decrypter.
- *
- * @param password The password, as a UTF-8 encoded string. Must not be
- * empty or {@code null}.
- */
- public PasswordBasedDecrypter(final String password) {
-
- super(password.getBytes(StandardCharset.UTF_8));
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- // Validate required JWE parts
- if (encryptedKey == null) {
- throw new JOSEException("Missing JWE encrypted key");
- }
-
- if (iv == null) {
- throw new JOSEException("Missing JWE initialization vector (IV)");
- }
-
- if (authTag == null) {
- throw new JOSEException("Missing JWE authentication tag");
- }
-
- if (header.getPBES2Salt() == null) {
- throw new JOSEException("Missing JWE \"p2s\" header parameter");
- }
-
- final byte[] salt = header.getPBES2Salt().decode();
-
- if (header.getPBES2Count() < 1) {
- throw new JOSEException("Missing JWE \"p2c\" header parameter");
- }
-
- final int iterationCount = header.getPBES2Count();
-
- critPolicy.ensureHeaderPasses(header);
-
- final JWEAlgorithm alg = header.getAlgorithm();
- final byte[] formattedSalt = PBKDF2.formatSalt(alg, salt);
- final PRFParams prfParams = PRFParams.resolve(alg, getJCAContext().getMACProvider());
- final SecretKey psKey = PBKDF2.deriveKey(getPassword(), formattedSalt, iterationCount, prfParams);
-
- final SecretKey cek = AESKW.unwrapCEK(psKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
-
- return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, getJCAContext());
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedEncrypter.java
deleted file mode 100644
index 9da35ee3..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/PasswordBasedEncrypter.java
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.*;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Password-based encrypter of {@link com.nimbusds.jose.JWEObject JWE objects}.
- * Expects a password.
- *
- * See RFC 7518
- * section 4.8
- * for more information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS256_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS384_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS512_A256KW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-26
- */
-@ThreadSafe
-public class PasswordBasedEncrypter extends PasswordBasedCryptoProvider implements JWEEncrypter {
-
-
- /**
- * The minimum salt length (8 bytes).
- */
- public static final int MIN_SALT_LENGTH = 8;
-
-
- /**
- * The cryptographic salt length, in bytes.
- */
- private final int saltLength;
-
-
- /**
- * The minimum recommended iteration count (1000).
- */
- public static final int MIN_RECOMMENDED_ITERATION_COUNT = 1000;
-
-
- /**
- * The iteration count.
- */
- private final int iterationCount;
-
-
- /**
- * Creates a new password-based encrypter.
- *
- * @param password The password bytes. Must not be empty or
- * {@code null}.
- * @param saltLength The length of the generated cryptographic
- * salts, in bytes. Must be at least 8 bytes.
- * @param iterationCount The pseudo-random function (PRF) iteration
- * count. Must be at least 1000.
- */
- public PasswordBasedEncrypter(final byte[] password,
- final int saltLength,
- final int iterationCount) {
-
- super(password);
-
- if (saltLength < MIN_SALT_LENGTH) {
- throw new IllegalArgumentException("The minimum salt length (p2s) is " + MIN_SALT_LENGTH + " bytes");
- }
-
- this.saltLength = saltLength;
-
- if (iterationCount < MIN_RECOMMENDED_ITERATION_COUNT) {
- throw new IllegalArgumentException("The minimum recommended iteration count (p2c) is " + MIN_RECOMMENDED_ITERATION_COUNT);
- }
-
- this.iterationCount = iterationCount;
- }
-
-
- /**
- * Creates a new password-based encrypter.
- *
- * @param password The password, as a UTF-8 encoded string. Must
- * not be empty or {@code null}.
- * @param saltLength The length of the generated cryptographic
- * salts, in bytes. Must be at least 8 bytes.
- * @param iterationCount The pseudo-random function (PRF) iteration
- * count. Must be at least 1000.
- */
- public PasswordBasedEncrypter(final String password,
- final int saltLength,
- final int iterationCount) {
-
- this(password.getBytes(StandardCharset.UTF_8), saltLength, iterationCount);
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- final JWEAlgorithm alg = header.getAlgorithm();
- final EncryptionMethod enc = header.getEncryptionMethod();
-
- final byte[] salt = new byte[saltLength];
- getJCAContext().getSecureRandom().nextBytes(salt);
- final byte[] formattedSalt = PBKDF2.formatSalt(alg, salt);
- final PRFParams prfParams = PRFParams.resolve(alg, getJCAContext().getMACProvider());
- final SecretKey psKey = PBKDF2.deriveKey(getPassword(), formattedSalt, iterationCount, prfParams);
-
- // We need to work on the header
- final JWEHeader updatedHeader = new JWEHeader.Builder(header).
- pbes2Salt(Base64URL.encode(salt)).
- pbes2Count(iterationCount).
- build();
-
- final SecretKey cek = ContentCryptoProvider.generateCEK(enc, getJCAContext().getSecureRandom());
-
- // The second JWE part
- final Base64URL encryptedKey = Base64URL.encode(AESKW.wrapCEK(cek, psKey, getJCAContext().getKeyEncryptionProvider()));
-
- return ContentCryptoProvider.encrypt(updatedHeader, clearText, cek, encryptedKey, getJCAContext());
- }
-
-
- /**
- * Returns the length of the generated cryptographic salts.
- *
- * @return The length of the generated cryptographic salts, in bytes.
- */
- public int getSaltLength() {
-
- return saltLength;
- }
-
-
- /**
- * Returns the pseudo-random function (PRF) iteration count.
- *
- * @return The iteration count.
- */
- public int getIterationCount() {
-
- return iterationCount;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSADecrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSADecrypter.java
deleted file mode 100644
index a98e400e..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSADecrypter.java
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.PrivateKey;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import static com.nimbusds.jose.jwk.gen.RSAKeyGenerator.MIN_KEY_SIZE_BITS;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.*;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * RSA decrypter of {@link com.nimbusds.jose.JWEObject JWE objects}. Expects a
- * private RSA key.
- *
- * Decrypts the encrypted Content Encryption Key (CEK) with the private RSA
- * key, and then uses the CEK along with the IV and authentication tag to
- * decrypt the cipher text. See RFC 7518, sections
- * 4.2 and
- * 4.3 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP_256}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP} (deprecated)
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA1_5} (deprecated)
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author David Ortiz
- * @author Vladimir Dzhuvinov
- * @author Dimitar A. Stoikov
- * @version 2018-10-11
- */
-@ThreadSafe
-public class RSADecrypter extends RSACryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * The private RSA key.
- */
- private final PrivateKey privateKey;
-
-
- /**
- * Stores a CEK decryption exception is one was encountered during the
- * last {@link #decrypt} run.
- */
- private Exception cekDecryptionException;
-
-
- /**
- * Creates a new RSA decrypter. This constructor can also accept a
- * private RSA key located in a PKCS#11 store that doesn't expose the
- * private key parameters (such as a smart card or HSM).
- *
- * @param privateKey The private RSA key. Its algorithm must be "RSA"
- * and its length at least 2048 bits. Note that the
- * length of an RSA key in a PKCS#11 store cannot be
- * checked. Must not be {@code null}.
- */
- public RSADecrypter(final PrivateKey privateKey) {
-
- this(privateKey, null, false);
- }
-
-
- /**
- * Creates a new RSA decrypter.
- *
- * @param rsaJWK The RSA JSON Web Key (JWK). Must contain or reference
- * a private part. Its length must be at least 2048 bits.
- * Note that the length of an RSA key in a PKCS#11 store
- * cannot be checked. Must not be {@code null}.
- *
- * @throws JOSEException If the RSA JWK doesn't contain a private part
- * or its extraction failed.
- */
- public RSADecrypter(final RSAKey rsaJWK)
- throws JOSEException {
-
- this(RSAKeyUtils.toRSAPrivateKey(rsaJWK));
- }
-
-
- /**
- * Creates a new RSA decrypter. This constructor can also accept a
- * private RSA key located in a PKCS#11 store that doesn't expose the
- * private key parameters (such as a smart card or HSM).
- *
- * @param privateKey The private RSA key. Its algorithm must be
- * "RSA" and its length at least 2048 bits. Note
- * that the length of an RSA key in a PKCS#11
- * store cannot be checked. Must not be
- * {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- */
- public RSADecrypter(final PrivateKey privateKey,
- final Set defCritHeaders) {
-
- this(privateKey, defCritHeaders, false);
- }
-
-
- /**
- * Creates a new RSA decrypter. This constructor can also accept a
- * private RSA key located in a PKCS#11 store that doesn't expose the
- * private key parameters (such as a smart card or HSM).
- *
- * @param privateKey The private RSA key. Its algorithm must be
- * "RSA" and its length at least 2048 bits. Note
- * that the length of an RSA key in a PKCS#11
- * store cannot be checked. Must not be
- * {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- * @param allowWeakKey {@code true} to allow an RSA key shorter than
- * 2048 bits.
- */
- public RSADecrypter(final PrivateKey privateKey,
- final Set defCritHeaders,
- final boolean allowWeakKey) {
-
- if (! privateKey.getAlgorithm().equalsIgnoreCase("RSA")) {
- throw new IllegalArgumentException("The private key algorithm must be RSA");
- }
-
- if (! allowWeakKey) {
-
- int keyBitLength = RSAKeyUtils.keyBitLength(privateKey);
-
- if (keyBitLength > 0 && keyBitLength < MIN_KEY_SIZE_BITS) {
- throw new IllegalArgumentException("The RSA key size must be at least " + MIN_KEY_SIZE_BITS + " bits");
- }
- }
-
- this.privateKey = privateKey;
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- /**
- * Gets the private RSA key.
- *
- * @return The private RSA key. Casting to
- * {@link java.security.interfaces.RSAPrivateKey} may not be
- * possible if the key is located in a PKCS#11 store that
- * doesn't expose the private key parameters.
- */
- public PrivateKey getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- // Validate required JWE parts
- if (encryptedKey == null) {
- throw new JOSEException("Missing JWE encrypted key");
- }
-
- if (iv == null) {
- throw new JOSEException("Missing JWE initialization vector (IV)");
- }
-
- if (authTag == null) {
- throw new JOSEException("Missing JWE authentication tag");
- }
-
- critPolicy.ensureHeaderPasses(header);
-
-
- // Derive the content encryption key
- JWEAlgorithm alg = header.getAlgorithm();
-
- SecretKey cek;
-
- if (alg.equals(JWEAlgorithm.RSA1_5)) {
-
- int keyLength = header.getEncryptionMethod().cekBitLength();
-
- // Protect against MMA attack by generating random CEK to be used on decryption failure,
- // see http://www.ietf.org/mail-archive/web/jose/current/msg01832.html
- final SecretKey randomCEK = ContentCryptoProvider.generateCEK(header.getEncryptionMethod(), getJCAContext().getSecureRandom());
-
- try {
- cek = RSA1_5.decryptCEK(privateKey, encryptedKey.decode(), keyLength, getJCAContext().getKeyEncryptionProvider());
-
- if (cek == null) {
- // CEK length mismatch, signalled by null instead of
- // exception to prevent MMA attack
- cek = randomCEK;
- }
-
- } catch (Exception e) {
- // continue
- cekDecryptionException = e;
- cek = randomCEK;
- }
-
- cekDecryptionException = null;
-
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP)) {
-
- cek = RSA_OAEP.decryptCEK(privateKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
-
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP_256)) {
-
- cek = RSA_OAEP_256.decryptCEK(privateKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
- return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, getJCAContext());
- }
-
-
- /**
- * Returns the Content Encryption Key (CEK) decryption exception if one
- * was encountered during the last {@link #decrypt} run. Intended for
- * logging and debugging purposes.
- *
- * @return The recorded exception, {@code null} if none.
- */
- public Exception getCEKDecryptionException() {
-
- return cekDecryptionException;
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSAEncrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSAEncrypter.java
deleted file mode 100644
index e0fc9e67..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSAEncrypter.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.interfaces.RSAPublicKey;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.crypto.impl.*;
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWECryptoParts;
-import com.nimbusds.jose.JWEEncrypter;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * RSA encrypter of {@link com.nimbusds.jose.JWEObject JWE objects}. Expects a
- * public RSA key.
- *
- * Encrypts the plain text with a generated AES key (the Content Encryption
- * Key) according to the specified JOSE encryption method, then encrypts the
- * CEK with the public RSA key and returns it alongside the IV, cipher text and
- * authentication tag. See RFC 7518, sections
- * 4.2 and
- * 4.3 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP_256}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP} (deprecated)
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA1_5} (deprecated)
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author David Ortiz
- * @author Vladimir Dzhuvinov
- * @author Jun Yu
- * @version 2018-07-17
- */
-@ThreadSafe
-public class RSAEncrypter extends RSACryptoProvider implements JWEEncrypter {
-
-
- /**
- * The public RSA key.
- */
- private final RSAPublicKey publicKey;
-
-
- /**
- * The externally supplied AES content encryption key (CEK) to use,
- * {@code null} to generate a CEK for each JWE.
- */
- private final SecretKey contentEncryptionKey;
-
-
- /**
- * Creates a new RSA encrypter.
- *
- * @param publicKey The public RSA key. Must not be {@code null}.
- */
- public RSAEncrypter(final RSAPublicKey publicKey) {
-
- this(publicKey, null);
- }
-
-
- /**
- * Creates a new RSA encrypter.
- *
- * @param rsaJWK The RSA JSON Web Key (JWK). Must not be {@code null}.
- *
- * @throws JOSEException If the RSA JWK extraction failed.
- */
- public RSAEncrypter(final RSAKey rsaJWK)
- throws JOSEException {
-
- this(rsaJWK.toRSAPublicKey());
- }
-
-
- /**
- * Creates a new RSA encrypter with an optionally specified content
- * encryption key (CEK).
- *
- * @param publicKey The public RSA key. Must not be
- * {@code null}.
- * @param contentEncryptionKey The content encryption key (CEK) to use.
- * If specified its algorithm must be "AES"
- * and its length must match the expected
- * for the JWE encryption method ("enc").
- * If {@code null} a CEK will be generated
- * for each JWE.
- */
- public RSAEncrypter(final RSAPublicKey publicKey, final SecretKey contentEncryptionKey) {
-
- if (publicKey == null) {
- throw new IllegalArgumentException("The public RSA key must not be null");
- }
- this.publicKey = publicKey;
-
- if (contentEncryptionKey != null) {
- if (contentEncryptionKey.getAlgorithm() == null || !contentEncryptionKey.getAlgorithm().equals("AES")) {
- throw new IllegalArgumentException("The algorithm of the content encryption key (CEK) must be AES");
- } else {
- this.contentEncryptionKey = contentEncryptionKey;
- }
- } else {
- this.contentEncryptionKey = null;
- }
- }
-
-
- /**
- * Gets the public RSA key.
- *
- * @return The public RSA key.
- */
- public RSAPublicKey getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- final JWEAlgorithm alg = header.getAlgorithm();
- final EncryptionMethod enc = header.getEncryptionMethod();
-
- // Generate and encrypt the CEK according to the enc method
- final SecretKey cek;
- if (contentEncryptionKey != null) {
- // Use externally supplied CEK
- cek = contentEncryptionKey;
- } else {
- // Generate and encrypt the CEK according to the enc method
- cek = ContentCryptoProvider.generateCEK(enc, getJCAContext().getSecureRandom());
- }
-
- final Base64URL encryptedKey; // The second JWE part
-
- if (alg.equals(JWEAlgorithm.RSA1_5)) {
-
- encryptedKey = Base64URL.encode(RSA1_5.encryptCEK(publicKey, cek, getJCAContext().getKeyEncryptionProvider()));
-
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP)) {
-
- encryptedKey = Base64URL.encode(RSA_OAEP.encryptCEK(publicKey, cek, getJCAContext().getKeyEncryptionProvider()));
-
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP_256)) {
-
- encryptedKey = Base64URL.encode(RSA_OAEP_256.encryptCEK(publicKey, cek, getJCAContext().getKeyEncryptionProvider()));
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS));
- }
-
- return ContentCryptoProvider.encrypt(header, clearText, cek, encryptedKey, getJCAContext());
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSASigner.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSASigner.java
deleted file mode 100644
index bdae07fa..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSASigner.java
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.InvalidKeyException;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.SignatureException;
-
-import static com.nimbusds.jose.jwk.gen.RSAKeyGenerator.MIN_KEY_SIZE_BITS;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.crypto.impl.RSAKeyUtils;
-import com.nimbusds.jose.crypto.impl.RSASSA;
-import com.nimbusds.jose.crypto.impl.RSASSAProvider;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-
-/**
- * RSA Signature-Scheme-with-Appendix (RSASSA) signer of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a private RSA key.
- *
- * See RFC 7518, sections
- * 3.3 and
- * 3.5 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#RS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS512}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @author Omer Levi Hevroni
- * @version 2018-10-11
- */
-@ThreadSafe
-public class RSASSASigner extends RSASSAProvider implements JWSSigner {
-
-
- /**
- * The private RSA key. Represented by generic private key interface to
- * support key stores that prevent exposure of the private key
- * parameters via the {@link java.security.interfaces.RSAPrivateKey}
- * API.
- *
- * See https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/169
- */
- private final PrivateKey privateKey;
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
- * This constructor can also accept a private RSA key located in a
- * PKCS#11 store that doesn't expose the private key parameters (such
- * as a smart card or HSM).
- *
- * @param privateKey The private RSA key. Its algorithm must be "RSA"
- * and its length at least 2048 bits. Note that the
- * length of an RSA key in a PKCS#11 store cannot be
- * checked. Must not be {@code null}.
- */
- public RSASSASigner(final PrivateKey privateKey) {
-
- this(privateKey, false);
- }
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
- * This constructor can also accept a private RSA key located in a
- * PKCS#11 store that doesn't expose the private key parameters (such
- * as a smart card or HSM).
- *
- * @param privateKey The private RSA key. Its algorithm must be
- * "RSA" and its length at least 2048 bits. Note
- * that the length of an RSA key in a PKCS#11 store
- * cannot be checked. Must not be {@code null}.
- * @param allowWeakKey {@code true} to allow an RSA key shorter than
- * 2048 bits.
- */
- public RSASSASigner(final PrivateKey privateKey, final boolean allowWeakKey) {
-
- if (! "RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
- throw new IllegalArgumentException("The private key algorithm must be RSA");
- }
-
- if (! allowWeakKey) {
-
- int keyBitLength = RSAKeyUtils.keyBitLength(privateKey);
-
- if (keyBitLength > 0 && keyBitLength < MIN_KEY_SIZE_BITS) {
- throw new IllegalArgumentException("The RSA key size must be at least " + MIN_KEY_SIZE_BITS + " bits");
- }
- }
-
- this.privateKey = privateKey;
- }
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
- *
- * @param rsaJWK The RSA JSON Web Key (JWK). Must contain or reference
- * a private part. Its length must be at least 2048 bits.
- * Note that the length of an RSA key in a PKCS#11 store
- * cannot be checked. Must not be {@code null}.
- *
- * @throws JOSEException If the RSA JWK doesn't contain a private part
- * or its extraction failed.
- */
- public RSASSASigner(final RSAKey rsaJWK)
- throws JOSEException {
-
- this(rsaJWK, false);
- }
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) signer.
- *
- * @param rsaJWK The RSA JSON Web Key (JWK). Must contain or
- * reference a private part. Its length must be at
- * least 2048 bits. Note that the length of an RSA
- * key in a PKCS#11 store cannot be checked. Must
- * not be {@code null}.
- * @param allowWeakKey {@code true} to allow an RSA key shorter than
- * 2048 bits.
- *
- * @throws JOSEException If the RSA JWK doesn't contain a private part
- * or its extraction failed.
- */
- public RSASSASigner(final RSAKey rsaJWK, final boolean allowWeakKey)
- throws JOSEException {
-
- this(RSAKeyUtils.toRSAPrivateKey(rsaJWK), allowWeakKey);
- }
-
-
- /**
- * Gets the private RSA key.
- *
- * @return The private RSA key. Casting to
- * {@link java.security.interfaces.RSAPrivateKey} may not be
- * possible if the key is located in a PKCS#11 store that
- * doesn't expose the private key parameters.
- */
- public PrivateKey getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Base64URL sign(final JWSHeader header, final byte[] signingInput)
- throws JOSEException {
-
- Signature signer = RSASSA.getSignerAndVerifier(header.getAlgorithm(), getJCAContext().getProvider());
-
- try {
- signer.initSign(privateKey);
- signer.update(signingInput);
- return Base64URL.encode(signer.sign());
-
- } catch (InvalidKeyException e) {
- throw new JOSEException("Invalid private RSA key: " + e.getMessage(), e);
-
- } catch (SignatureException e) {
- throw new JOSEException("RSA signature exception: " + e.getMessage(), e);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSAVerifier.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSAVerifier.java
deleted file mode 100644
index 88e9ffa5..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/RSASSAVerifier.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.InvalidKeyException;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Set;
-
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.RSASSA;
-import com.nimbusds.jose.crypto.impl.RSASSAProvider;
-import net.jcip.annotations.ThreadSafe;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * RSA Signature-Scheme-with-Appendix (RSASSA) verifier of
- * {@link com.nimbusds.jose.JWSObject JWS objects}. Expects a public RSA key.
- *
- * See RFC 7518, sections
- * 3.3 and
- * 3.5 for more
- * information.
- *
- *
This class is thread-safe.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#RS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS512}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-02
- */
-@ThreadSafe
-public class RSASSAVerifier extends RSASSAProvider implements JWSVerifier, CriticalHeaderParamsAware {
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * The public RSA key.
- */
- private final RSAPublicKey publicKey;
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) verifier.
- *
- * @param publicKey The public RSA key. Must not be {@code null}.
- */
- public RSASSAVerifier(final RSAPublicKey publicKey) {
-
- this(publicKey, null);
- }
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) verifier.
- *
- * @param rsaJWK The RSA JSON Web Key (JWK). Must not be {@code null}.
- *
- * @throws JOSEException If the RSA JWK extraction failed.
- */
- public RSASSAVerifier(final RSAKey rsaJWK)
- throws JOSEException {
-
- this(rsaJWK.toRSAPublicKey(), null);
- }
-
-
- /**
- * Creates a new RSA Signature-Scheme-with-Appendix (RSASSA) verifier.
- *
- * @param publicKey The public RSA key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- */
- public RSASSAVerifier(final RSAPublicKey publicKey,
- final Set defCritHeaders) {
-
- if (publicKey == null) {
- throw new IllegalArgumentException("The public RSA key must not be null");
- }
-
- this.publicKey = publicKey;
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- /**
- * Gets the public RSA key.
- *
- * @return The public RSA key.
- */
- public RSAPublicKey getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public boolean verify(final JWSHeader header,
- final byte[] signedContent,
- final Base64URL signature)
- throws JOSEException {
-
- if (! critPolicy.headerPasses(header)) {
- return false;
- }
-
- final Signature verifier = RSASSA.getSignerAndVerifier(header.getAlgorithm(), getJCAContext().getProvider());
-
- try {
- verifier.initVerify(publicKey);
-
- } catch (InvalidKeyException e) {
- throw new JOSEException("Invalid public RSA key: " + e.getMessage(), e);
- }
-
- try {
- verifier.update(signedContent);
- return verifier.verify(signature.decode());
-
- } catch (SignatureException e) {
- return false;
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Decrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Decrypter.java
deleted file mode 100644
index 253388a7..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Decrypter.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2018, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.util.Collections;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
-import com.nimbusds.jose.crypto.impl.ECDH;
-import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * Curve25519 Elliptic Curve Diffie-Hellman decrypter of
- * {@link com.nimbusds.jose.JWEObject JWE objects}.
- * Expects a private {@link OctetKeyPair} key with {@code "crv"} X25519.
- *
- * See RFC 8037
- * for more information.
- *
- *
See also {@link ECDHDecrypter} for ECDH on other curves.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A256KW}
- *
- *
- * Supports the following elliptic curve:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#X25519} (Curve25519)
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Tim McLean
- * @version 2018-07-12
- */
-public class X25519Decrypter extends ECDHCryptoProvider implements JWEDecrypter, CriticalHeaderParamsAware {
-
-
- /**
- * The private key.
- */
- private final OctetKeyPair privateKey;
-
-
- /**
- * The critical header policy.
- */
- private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();
-
-
- /**
- * Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.
- *
- * @param privateKey The private key. Must not be {@code null}.
- *
- * @throws JOSEException If the key subtype is not supported.
- */
- public X25519Decrypter(final OctetKeyPair privateKey)
- throws JOSEException {
-
- this(privateKey, null);
- }
-
-
- /**
- * Creates a new Curve25519 Elliptic Curve Diffie-Hellman decrypter.
- *
- * @param privateKey The private key. Must not be {@code null}.
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- *
- * @throws JOSEException If the key subtype is not supported.
- */
- public X25519Decrypter(final OctetKeyPair privateKey, final Set defCritHeaders)
- throws JOSEException {
-
- super(privateKey.getCurve());
-
- if (! Curve.X25519.equals(privateKey.getCurve())) {
- throw new JOSEException("X25519Decrypter only supports OctetKeyPairs with crv=X25519");
- }
-
- if (! privateKey.isPrivate()) {
- throw new JOSEException("The OctetKeyPair doesn't contain a private part");
- }
-
- this.privateKey = privateKey;
-
- critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
- }
-
-
- @Override
- public Set supportedEllipticCurves() {
-
- return Collections.singleton(Curve.X25519);
- }
-
-
- /**
- * Returns the private key.
- *
- * @return The private key.
- */
- public OctetKeyPair getPrivateKey() {
-
- return privateKey;
- }
-
-
- @Override
- public Set getProcessedCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public Set getDeferredCriticalHeaderParams() {
-
- return critPolicy.getProcessedCriticalHeaderParams();
- }
-
-
- @Override
- public byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- // Check for unrecognizable "crit" properties
- critPolicy.ensureHeaderPasses(header);
-
- // Get ephemeral key from header
- OctetKeyPair ephemeralPublicKey = (OctetKeyPair) header.getEphemeralPublicKey();
-
- if (ephemeralPublicKey == null) {
- throw new JOSEException("Missing ephemeral public key \"epk\" JWE header parameter");
- }
-
- if (! privateKey.getCurve().equals(ephemeralPublicKey.getCurve())) {
- throw new JOSEException("Curve of ephemeral public key does not match curve of private key");
- }
-
- // Derive 'Z'
- // Note: X25519 does not require public key validation
- // See https://cr.yp.to/ecdh.html#validate
- SecretKey Z = ECDH.deriveSharedSecret(ephemeralPublicKey, privateKey);
-
- return decryptWithZ(header, Z, encryptedKey, iv, cipherText, authTag);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Encrypter.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Encrypter.java
deleted file mode 100644
index ddb69154..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/X25519Encrypter.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto;
-
-
-import java.security.*;
-import java.util.Collections;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.google.crypto.tink.subtle.X25519;
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.impl.ECDH;
-import com.nimbusds.jose.crypto.impl.ECDHCryptoProvider;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Curve25519 Elliptic Curve Diffie-Hellman encrypter of
- * {@link com.nimbusds.jose.JWEObject JWE objects}.
- * Expects a public {@link OctetKeyPair} key with {@code "crv"} X25519.
- *
- * See RFC 8037
- * for more information.
- *
- *
See also {@link ECDHEncrypter} for ECDH on other curves.
- *
- *
This class is thread-safe.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A256KW}
- *
- *
- * Supports the following elliptic curve:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#X25519} (Curve25519)
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Tim McLean
- * @version 2018-07-12
- */
-@ThreadSafe
-public class X25519Encrypter extends ECDHCryptoProvider implements JWEEncrypter {
-
-
- /**
- * The public key.
- */
- private final OctetKeyPair publicKey;
-
-
- /**
- * Creates a new Curve25519 Elliptic Curve Diffie-Hellman encrypter.
- *
- * @param publicKey The public key. Must not be {@code null}.
- *
- * @throws JOSEException If the key subtype is not supported.
- */
- public X25519Encrypter(final OctetKeyPair publicKey)
- throws JOSEException {
-
- super(publicKey.getCurve());
-
- if (! Curve.X25519.equals(publicKey.getCurve())) {
- throw new JOSEException("X25519Encrypter only supports OctetKeyPairs with crv=X25519");
- }
-
- if (publicKey.isPrivate()) {
- throw new JOSEException("X25519Encrypter requires a public key, use OctetKeyPair.toPublicJWK()");
- }
-
- this.publicKey = publicKey;
- }
-
-
- @Override
- public Set supportedEllipticCurves() {
-
- return Collections.singleton(Curve.X25519);
- }
-
-
- /**
- * Returns the public key.
- *
- * @return The public key.
- */
- public OctetKeyPair getPublicKey() {
-
- return publicKey;
- }
-
-
- @Override
- public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText)
- throws JOSEException {
-
- // Generate ephemeral X25519 key pair
- final byte[] ephemeralPrivateKeyBytes = X25519.generatePrivateKey();
- final byte[] ephemeralPublicKeyBytes;
- try {
- ephemeralPublicKeyBytes = X25519.publicFromPrivate(ephemeralPrivateKeyBytes);
-
- } catch (InvalidKeyException e) {
- // Should never happen since we just generated this private key
- throw new JOSEException(e.getMessage(), e);
- }
-
- final OctetKeyPair ephemeralPrivateKey =
- new OctetKeyPair.Builder(getCurve(), Base64URL.encode(ephemeralPublicKeyBytes)).
- d(Base64URL.encode(ephemeralPrivateKeyBytes)).
- build();
- final OctetKeyPair ephemeralPublicKey = ephemeralPrivateKey.toPublicJWK();
-
- // Add the ephemeral public EC key to the header
- JWEHeader updatedHeader = new JWEHeader.Builder(header).
- ephemeralPublicKey(ephemeralPublicKey).
- build();
-
- // Derive 'Z'
- SecretKey Z = ECDH.deriveSharedSecret(publicKey, ephemeralPrivateKey);
-
- return encryptWithZ(updatedHeader, Z, clearText);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/BouncyCastleProviderSingleton.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/BouncyCastleProviderSingleton.java
deleted file mode 100644
index ee592fee..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/BouncyCastleProviderSingleton.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.bc;
-
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
-
-/**
- * BouncyCastle JCA provider singleton, intended to prevent memory leaks by
- * ensuring a single instance is loaded at all times. Application code that
- * needs a BouncyCastle JCA provider should use the {@link #getInstance()}
- * method to obtain an instance.
- *
- * @author Vladimir Dzhuvinov
- */
-public final class BouncyCastleProviderSingleton {
-
-
- /**
- * The BouncyCastle provider, lazily instantiated.
- */
- private static BouncyCastleProvider bouncyCastleProvider;
-
-
- /**
- * Prevents external instantiation.
- */
- private BouncyCastleProviderSingleton() { }
-
-
- /**
- * Returns a BouncyCastle JCA provider instance.
- *
- * @return The BouncyCastle JCA provider instance.
- */
- public static BouncyCastleProvider getInstance() {
-
- if (bouncyCastleProvider != null) {
-
- return bouncyCastleProvider;
-
- } else {
- bouncyCastleProvider = new BouncyCastleProvider();
- return bouncyCastleProvider;
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/package-info.java
deleted file mode 100644
index 8f71dd69..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/bc/package-info.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-/**
- * BouncyCastle JCA provider singleton.
- */
-package com.nimbusds.jose.crypto.bc;
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWEDecrypterFactory.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWEDecrypterFactory.java
deleted file mode 100644
index d0358bf6..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWEDecrypterFactory.java
+++ /dev/null
@@ -1,190 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.factories;
-
-
-import java.security.Key;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.*;
-import com.nimbusds.jose.jca.JWEJCAContext;
-import com.nimbusds.jose.proc.JWEDecrypterFactory;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Default JSON Web Encryption (JWE) decrypter factory.
- *
- * Supports all standard JWE algorithms implemented in the
- * {@link com.nimbusds.jose.crypto} package.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-11-16
- */
-@ThreadSafe
-public class DefaultJWEDecrypterFactory implements JWEDecrypterFactory {
-
-
- /**
- * The supported JWE algorithms.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.addAll(RSADecrypter.SUPPORTED_ALGORITHMS);
- algs.addAll(ECDHDecrypter.SUPPORTED_ALGORITHMS);
- algs.addAll(DirectDecrypter.SUPPORTED_ALGORITHMS);
- algs.addAll(AESDecrypter.SUPPORTED_ALGORITHMS);
- algs.addAll(PasswordBasedDecrypter.SUPPORTED_ALGORITHMS);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
-
- Set encs = new LinkedHashSet<>();
- encs.addAll(RSADecrypter.SUPPORTED_ENCRYPTION_METHODS);
- encs.addAll(ECDHDecrypter.SUPPORTED_ENCRYPTION_METHODS);
- encs.addAll(DirectDecrypter.SUPPORTED_ENCRYPTION_METHODS);
- encs.addAll(AESDecrypter.SUPPORTED_ENCRYPTION_METHODS);
- encs.addAll(PasswordBasedDecrypter.SUPPORTED_ENCRYPTION_METHODS);
- SUPPORTED_ENCRYPTION_METHODS = Collections.unmodifiableSet(encs);
- }
-
-
- /**
- * The JWE JCA context.
- */
- private final JWEJCAContext jcaContext = new JWEJCAContext();
-
-
- @Override
- public Set supportedJWEAlgorithms() {
-
- return SUPPORTED_ALGORITHMS;
- }
-
-
- @Override
- public Set supportedEncryptionMethods() {
-
- return SUPPORTED_ENCRYPTION_METHODS;
- }
-
-
- @Override
- public JWEJCAContext getJCAContext() {
-
- return jcaContext;
- }
-
-
- @Override
- public JWEDecrypter createJWEDecrypter(final JWEHeader header, final Key key)
- throws JOSEException {
-
- final JWEDecrypter decrypter;
-
- if (RSADecrypter.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm()) &&
- RSADecrypter.SUPPORTED_ENCRYPTION_METHODS.contains(header.getEncryptionMethod())) {
-
- if (!(key instanceof RSAPrivateKey)) {
- throw new KeyTypeException(RSAPrivateKey.class);
- }
-
- RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)key;
-
- decrypter = new RSADecrypter(rsaPrivateKey);
-
- } else if (ECDHDecrypter.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm()) &&
- ECDHDecrypter.SUPPORTED_ENCRYPTION_METHODS.contains(header.getEncryptionMethod())) {
-
- if (!(key instanceof ECPrivateKey)) {
- throw new KeyTypeException(ECPrivateKey.class);
- }
-
- ECPrivateKey ecPrivateKey = (ECPrivateKey)key;
- decrypter = new ECDHDecrypter(ecPrivateKey);
-
- } else if (DirectDecrypter.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm()) &&
- DirectDecrypter.SUPPORTED_ENCRYPTION_METHODS.contains(header.getEncryptionMethod())) {
-
- if (!(key instanceof SecretKey)) {
- throw new KeyTypeException(SecretKey.class);
- }
-
- SecretKey aesKey = (SecretKey)key;
- DirectDecrypter directDecrypter = new DirectDecrypter(aesKey);
-
- if (! directDecrypter.supportedEncryptionMethods().contains(header.getEncryptionMethod())) {
- throw new KeyLengthException(header.getEncryptionMethod().cekBitLength(), header.getEncryptionMethod());
- }
-
- decrypter = directDecrypter;
-
- } else if (AESDecrypter.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm()) &&
- AESDecrypter.SUPPORTED_ENCRYPTION_METHODS.contains(header.getEncryptionMethod())) {
-
- if (!(key instanceof SecretKey)) {
- throw new KeyTypeException(SecretKey.class);
- }
-
- SecretKey aesKey = (SecretKey)key;
- AESDecrypter aesDecrypter = new AESDecrypter(aesKey);
-
- if (! aesDecrypter.supportedJWEAlgorithms().contains(header.getAlgorithm())) {
- throw new KeyLengthException(header.getAlgorithm());
- }
-
- decrypter = aesDecrypter;
-
- } else if (PasswordBasedDecrypter.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm()) &&
- PasswordBasedDecrypter.SUPPORTED_ENCRYPTION_METHODS.contains(header.getEncryptionMethod())) {
-
- if (!(key instanceof SecretKey)) {
- throw new KeyTypeException(SecretKey.class);
- }
-
- byte[] password = key.getEncoded();
- decrypter = new PasswordBasedDecrypter(password);
-
- } else {
-
- throw new JOSEException("Unsupported JWE algorithm or encryption method");
- }
-
- // Apply JCA context
- decrypter.getJCAContext().setSecureRandom(jcaContext.getSecureRandom());
- decrypter.getJCAContext().setProvider(jcaContext.getProvider());
- decrypter.getJCAContext().setKeyEncryptionProvider(jcaContext.getKeyEncryptionProvider());
- decrypter.getJCAContext().setMACProvider(jcaContext.getMACProvider());
- decrypter.getJCAContext().setContentEncryptionProvider(jcaContext.getContentEncryptionProvider());
-
- return decrypter;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWSVerifierFactory.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWSVerifierFactory.java
deleted file mode 100644
index 7129abd5..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/DefaultJWSVerifierFactory.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.factories;
-
-
-import java.security.Key;
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.crypto.ECDSAVerifier;
-import com.nimbusds.jose.crypto.MACVerifier;
-import com.nimbusds.jose.crypto.RSASSAVerifier;
-import com.nimbusds.jose.jca.JCAContext;
-import com.nimbusds.jose.proc.JWSVerifierFactory;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Default JSON Web Signature (JWS) verifier factory.
- *
- * Supports all standard JWS algorithms implemented in the
- * {@link com.nimbusds.jose.crypto} package.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-11-16
- */
-@ThreadSafe
-public class DefaultJWSVerifierFactory implements JWSVerifierFactory {
-
-
- /**
- * The supported JWS algorithms.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.addAll(MACVerifier.SUPPORTED_ALGORITHMS);
- algs.addAll(RSASSAVerifier.SUPPORTED_ALGORITHMS);
- algs.addAll(ECDSAVerifier.SUPPORTED_ALGORITHMS);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * The JCA context.
- */
- private final JCAContext jcaContext = new JCAContext();
-
-
- @Override
- public Set supportedJWSAlgorithms() {
-
- return SUPPORTED_ALGORITHMS;
- }
-
-
- @Override
- public JCAContext getJCAContext() {
-
- return jcaContext;
- }
-
-
- @Override
- public JWSVerifier createJWSVerifier(final JWSHeader header, final Key key)
- throws JOSEException {
-
- JWSVerifier verifier;
-
- if (MACVerifier.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm())) {
-
- if (!(key instanceof SecretKey)) {
- throw new KeyTypeException(SecretKey.class);
- }
-
- SecretKey macKey = (SecretKey)key;
-
- verifier = new MACVerifier(macKey);
-
- } else if (RSASSAVerifier.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm())) {
-
- if (!(key instanceof RSAPublicKey)) {
- throw new KeyTypeException(RSAPublicKey.class);
- }
-
- RSAPublicKey rsaPublicKey = (RSAPublicKey)key;
-
- verifier = new RSASSAVerifier(rsaPublicKey);
-
- } else if (ECDSAVerifier.SUPPORTED_ALGORITHMS.contains(header.getAlgorithm())) {
-
- if (!(key instanceof ECPublicKey)) {
- throw new KeyTypeException(ECPublicKey.class);
- }
-
- ECPublicKey ecPublicKey = (ECPublicKey)key;
-
- verifier = new ECDSAVerifier(ecPublicKey);
-
- } else {
-
- throw new JOSEException("Unsupported JWS algorithm: " + header.getAlgorithm());
- }
-
- // Apply JCA context
- verifier.getJCAContext().setSecureRandom(jcaContext.getSecureRandom());
- verifier.getJCAContext().setProvider(jcaContext.getProvider());
-
- return verifier;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/package-info.java
deleted file mode 100644
index 4be4110a..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/factories/package-info.java
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-/**
- * JWS verifier and JWE decrypter factories for use by the JOSE / JWT processor
- * framework.
- */
-package com.nimbusds.jose.crypto.factories;
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AAD.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AAD.java
deleted file mode 100644
index 30bac8a2..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AAD.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.nio.ByteBuffer;
-import java.nio.charset.Charset;
-
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.IntegerOverflowException;
-
-
-/**
- * Additional authenticated data (AAD).
- *
- * See RFC 7518 (JWA), section 5.1, point 14.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-public class AAD {
-
-
- /**
- * Computes the Additional Authenticated Data (AAD) for the specified
- * JWE header.
- *
- * @param jweHeader The JWE header. Must not be {@code null}.
- *
- * @return The AAD.
- */
- public static byte[] compute(final JWEHeader jweHeader) {
-
- return compute(jweHeader.toBase64URL());
- }
-
-
- /**
- * Computes the Additional Authenticated Data (AAD) for the specified
- * BASE64URL-encoded JWE header.
- *
- * @param encodedJWEHeader The BASE64URL-encoded JWE header. Must not
- * be {@code null}.
- *
- * @return The AAD.
- */
- public static byte[] compute(final Base64URL encodedJWEHeader) {
-
- return encodedJWEHeader.toString().getBytes(Charset.forName("ASCII"));
- }
-
-
- /**
- * Computes the bit length of the specified Additional Authenticated
- * Data (AAD). Used in AES/CBC/PKCS5Padding/HMAC-SHA2 encryption.
- *
- * @param aad The Additional Authenticated Data (AAD). Must not be
- * {@code null}.
- *
- * @return The computed AAD bit length, as a 64 bit big-endian
- * representation (8 byte array).
- *
- * @throws IntegerOverflowException On a integer overflow.
- */
- public static byte[] computeLength(final byte[] aad)
- throws IntegerOverflowException {
-
- final int bitLength = ByteUtils.safeBitLength(aad);
- return ByteBuffer.allocate(8).putLong(bitLength).array();
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCBC.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCBC.java
deleted file mode 100644
index 4e876625..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCBC.java
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.nio.ByteBuffer;
-import java.security.Provider;
-import java.security.SecureRandom;
-import java.util.Arrays;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.crypto.*;
-import com.nimbusds.jose.crypto.utils.ConstantTimeUtils;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * AES/CBC/PKCS5Padding and AES/CBC/PKCS5Padding/HMAC-SHA2 encryption and
- * decryption methods. This class is thread-safe.
- *
- *
Also supports the deprecated AES/CBC/HMAC encryption using a custom
- * concat KDF (JOSE draft suite 08).
- *
- *
See RFC 7518 (JWA), section 5.2.
- *
- * @author Vladimir Dzhuvinov
- * @author Axel Nennker
- * @version 2018-01-04
- */
-@ThreadSafe
-public class AESCBC {
-
-
- /**
- * The standard Initialisation Vector (IV) length (128 bits).
- */
- public static final int IV_BIT_LENGTH = 128;
-
-
- /**
- * Generates a random 128 bit (16 byte) Initialisation Vector(IV) for
- * use in AES-CBC encryption.
- *
- * @param randomGen The secure random generator to use. Must be
- * correctly initialised and not {@code null}.
- *
- * @return The random 128 bit IV, as 16 byte array.
- */
- public static byte[] generateIV(final SecureRandom randomGen) {
-
- byte[] bytes = new byte[ByteUtils.byteLength(IV_BIT_LENGTH)];
- randomGen.nextBytes(bytes);
- return bytes;
- }
-
-
- /**
- * Creates a new AES/CBC/PKCS5Padding cipher.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param forEncryption If {@code true} creates an encryption cipher,
- * else creates a decryption cipher.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The AES/CBC/PKCS5Padding cipher.
- */
- private static Cipher createAESCBCCipher(final SecretKey secretKey,
- final boolean forEncryption,
- final byte[] iv,
- final Provider provider)
- throws JOSEException {
-
- Cipher cipher;
-
- try {
- cipher = CipherHelper.getInstance("AES/CBC/PKCS5Padding", provider);
-
- SecretKeySpec keyspec = new SecretKeySpec(secretKey.getEncoded(), "AES");
-
- IvParameterSpec ivSpec = new IvParameterSpec(iv);
-
- if (forEncryption) {
-
- cipher.init(Cipher.ENCRYPT_MODE, keyspec, ivSpec);
-
- } else {
-
- cipher.init(Cipher.DECRYPT_MODE, keyspec, ivSpec);
- }
-
- } catch (Exception e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- return cipher;
- }
-
-
- /**
- * Encrypts the specified plain text using AES/CBC/PKCS5Padding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param plainText The plain text. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The cipher text.
- *
- * @throws JOSEException If encryption failed.
- */
- public static byte[] encrypt(final SecretKey secretKey,
- final byte[] iv,
- final byte[] plainText,
- final Provider provider)
- throws JOSEException {
-
- Cipher cipher = createAESCBCCipher(secretKey, true, iv, provider);
-
- try {
- return cipher.doFinal(plainText);
-
- } catch (Exception e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Encrypts the specified plain text using AES/CBC/PKCS5Padding/
- * HMAC-SHA2.
- *
- *
See RFC 7518 (JWA), section 5.2.2.1
- *
- *
See draft-mcgrew-aead-aes-cbc-hmac-sha2-01
- *
- * @param secretKey The secret key. Must be 256 or 512 bits long.
- * Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param plainText The plain text. Must not be {@code null}.
- * @param aad The additional authenticated data. Must not be
- * {@code null}.
- * @param ceProvider The JCA provider for the content encryption, or
- * {@code null} to use the default one.
- * @param macProvider The JCA provider for the MAC computation, or
- * {@code null} to use the default one.
- *
- * @return The authenticated cipher text.
- *
- * @throws JOSEException If encryption failed.
- */
- public static AuthenticatedCipherText encryptAuthenticated(final SecretKey secretKey,
- final byte[] iv,
- final byte[] plainText,
- final byte[] aad,
- final Provider ceProvider,
- final Provider macProvider)
- throws JOSEException {
-
- // Extract MAC + AES/CBC keys from input secret key
- CompositeKey compositeKey = new CompositeKey(secretKey);
-
- // Encrypt plain text
- byte[] cipherText = encrypt(compositeKey.getAESKey(), iv, plainText, ceProvider);
-
- // AAD length to 8 byte array
- byte[] al = AAD.computeLength(aad);
-
- // Do MAC
- int hmacInputLength = aad.length + iv.length + cipherText.length + al.length;
- byte[] hmacInput = ByteBuffer.allocate(hmacInputLength).put(aad).put(iv).put(cipherText).put(al).array();
- byte[] hmac = HMAC.compute(compositeKey.getMACKey(), hmacInput, macProvider);
- byte[] authTag = Arrays.copyOf(hmac, compositeKey.getTruncatedMACByteLength());
-
- return new AuthenticatedCipherText(cipherText, authTag);
- }
-
-
- /**
- * Encrypts the specified plain text using the deprecated concat KDF
- * from JOSE draft suite 09.
- *
- * @param header The JWE header. Must not be {@code null}.
- * @param secretKey The secret key. Must be 256 or 512 bits long.
- * Must not be {@code null}.
- * @param encryptedKey The encrypted key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param plainText The plain text. Must not be {@code null}.
- * @param ceProvider The JCA provider for the content encryption, or
- * {@code null} to use the default one.
- * @param macProvider The JCA provider for the MAC computation, or
- * {@code null} to use the default one.
- *
- * @return The authenticated cipher text.
- *
- * @throws JOSEException If encryption failed.
- */
- public static AuthenticatedCipherText encryptWithConcatKDF(final JWEHeader header,
- final SecretKey secretKey,
- final Base64URL encryptedKey,
- final byte[] iv,
- final byte[] plainText,
- final Provider ceProvider,
- final Provider macProvider)
- throws JOSEException {
-
- byte[] epu = null;
-
- if (header.getCustomParam("epu") instanceof String) {
-
- epu = new Base64URL((String)header.getCustomParam("epu")).decode();
- }
-
- byte[] epv = null;
-
- if (header.getCustomParam("epv") instanceof String) {
-
- epv = new Base64URL((String)header.getCustomParam("epv")).decode();
- }
-
- // Generate alternative CEK using concat-KDF
- SecretKey altCEK = LegacyConcatKDF.generateCEK(secretKey, header.getEncryptionMethod(), epu, epv);
-
- byte[] cipherText = AESCBC.encrypt(altCEK, iv, plainText, ceProvider);
-
- // Generate content integrity key for HMAC
- SecretKey cik = LegacyConcatKDF.generateCIK(secretKey, header.getEncryptionMethod(), epu, epv);
-
- String macInput = header.toBase64URL().toString() + "." +
- encryptedKey.toString() + "." +
- Base64URL.encode(iv).toString() + "." +
- Base64URL.encode(cipherText);
-
- byte[] mac = HMAC.compute(cik, macInput.getBytes(StandardCharset.UTF_8), macProvider);
-
- return new AuthenticatedCipherText(cipherText, mac);
- }
-
-
- /**
- * Decrypts the specified cipher text using AES/CBC/PKCS5Padding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The decrypted plain text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decrypt(final SecretKey secretKey,
- final byte[] iv,
- final byte[] cipherText,
- final Provider provider)
- throws JOSEException {
-
- Cipher cipher = createAESCBCCipher(secretKey, false, iv, provider);
-
- try {
- return cipher.doFinal(cipherText);
-
- } catch (Exception e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Decrypts the specified cipher text using AES/CBC/PKCS5Padding/
- * HMAC-SHA2.
- *
- *
See RFC 7518 (JWA), section 5.2.2.2
- *
- *
See draft-mcgrew-aead-aes-cbc-hmac-sha2-01
- *
- * @param secretKey The secret key. Must be 256 or 512 bits long.
- * Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param aad The additional authenticated data. Must not be
- * {@code null}.
- * @param authTag The authentication tag. Must not be {@code null}.
- * @param ceProvider The JCA provider for the content encryption, or
- * {@code null} to use the default one.
- * @param macProvider The JCA provider for the MAC computation, or
- * {@code null} to use the default one.
- *
- * @return The decrypted plain text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decryptAuthenticated(final SecretKey secretKey,
- final byte[] iv,
- final byte[] cipherText,
- final byte[] aad,
- final byte[] authTag,
- final Provider ceProvider,
- final Provider macProvider)
- throws JOSEException {
-
-
- // Extract MAC + AES/CBC keys from input secret key
- CompositeKey compositeKey = new CompositeKey(secretKey);
-
- // AAD length to 8 byte array
- byte[] al = AAD.computeLength(aad);
-
- // Check MAC
- int hmacInputLength = aad.length + iv.length + cipherText.length + al.length;
- byte[] hmacInput = ByteBuffer.allocate(hmacInputLength).
- put(aad).
- put(iv).
- put(cipherText).
- put(al).
- array();
- byte[] hmac = HMAC.compute(compositeKey.getMACKey(), hmacInput, macProvider);
-
- byte[] expectedAuthTag = Arrays.copyOf(hmac, compositeKey.getTruncatedMACByteLength());
-
- if (! ConstantTimeUtils.areEqual(expectedAuthTag, authTag)) {
- throw new JOSEException("MAC check failed");
- }
-
- return decrypt(compositeKey.getAESKey(), iv, cipherText, ceProvider);
- }
-
-
- /**
- * Decrypts the specified cipher text using the deprecated concat KDF
- * from JOSE draft suite 09.
- *
- * @param header The JWE header. Must not be {@code null}.
- * @param secretKey The secret key. Must be 256 or 512 bits long.
- * Must not be {@code null}.
- * @param encryptedKey The encrypted key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authTag The authentication tag. Must not be {@code null}.
- * @param ceProvider The JCA provider for the content encryption, or
- * {@code null} to use the default one.
- * @param macProvider The JCA provider for the MAC computation, or
- * {@code null} to use the default one.
- *
- * @return The decrypted plain text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decryptWithConcatKDF(final JWEHeader header,
- final SecretKey secretKey,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag,
- final Provider ceProvider,
- final Provider macProvider)
- throws JOSEException {
-
- byte[] epu = null;
-
- if (header.getCustomParam("epu") instanceof String) {
-
- epu = new Base64URL((String)header.getCustomParam("epu")).decode();
- }
-
- byte[] epv = null;
-
- if (header.getCustomParam("epv") instanceof String) {
-
- epv = new Base64URL((String)header.getCustomParam("epv")).decode();
- }
-
- SecretKey cik = LegacyConcatKDF.generateCIK(secretKey, header.getEncryptionMethod(), epu, epv);
-
- String macInput = header.toBase64URL().toString() + "." +
- encryptedKey.toString() + "." +
- iv.toString() + "." +
- cipherText.toString();
-
- byte[] mac = HMAC.compute(cik, macInput.getBytes(StandardCharset.UTF_8), macProvider);
-
- if (! ConstantTimeUtils.areEqual(authTag.decode(), mac)) {
- throw new JOSEException("MAC check failed");
- }
-
- SecretKey cekAlt = LegacyConcatKDF.generateCEK(secretKey, header.getEncryptionMethod(), epu, epv);
-
- return AESCBC.decrypt(cekAlt, iv.decode(), cipherText.decode(), ceProvider);
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private AESCBC() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCryptoProvider.java
deleted file mode 100644
index 898e4390..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESCryptoProvider.java
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.*;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.KeyLengthException;
-import com.nimbusds.jose.util.ByteUtils;
-
-
-/**
- * The base abstract class for AES and AES GCM key wrap encrypters and
- * decrypters of {@link com.nimbusds.jose.JWEObject JWE objects}.
- *
- *
Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Melisa Halsband
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-public abstract class AESCryptoProvider extends BaseJWEProvider {
-
-
- /**
- * The supported JWE algorithms by the AES crypto provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods by the AES crypto provider class.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;
-
-
- /**
- * The JWE algorithms compatible with each key size in bits.
- */
- public static final Map> COMPATIBLE_ALGORITHMS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWEAlgorithm.A128KW);
- algs.add(JWEAlgorithm.A192KW);
- algs.add(JWEAlgorithm.A256KW);
- algs.add(JWEAlgorithm.A128GCMKW);
- algs.add(JWEAlgorithm.A192GCMKW);
- algs.add(JWEAlgorithm.A256GCMKW);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
-
- Map> algsMap = new HashMap<>();
- Set bit128Algs = new HashSet<>();
- Set bit192Algs = new HashSet<>();
- Set bit256Algs = new HashSet<>();
- bit128Algs.add(JWEAlgorithm.A128GCMKW);
- bit128Algs.add(JWEAlgorithm.A128KW);
- bit192Algs.add(JWEAlgorithm.A192GCMKW);
- bit192Algs.add(JWEAlgorithm.A192KW);
- bit256Algs.add(JWEAlgorithm.A256GCMKW);
- bit256Algs.add(JWEAlgorithm.A256KW);
- algsMap.put(128,Collections.unmodifiableSet(bit128Algs));
- algsMap.put(192,Collections.unmodifiableSet(bit192Algs));
- algsMap.put(256,Collections.unmodifiableSet(bit256Algs));
- COMPATIBLE_ALGORITHMS = Collections.unmodifiableMap(algsMap);
- }
-
-
- /**
- * The Key Encryption Key (KEK).
- */
- private final SecretKey kek;
-
-
- /**
- * Returns the compatible JWE algorithms for the specified Key
- * Encryption Key (CEK) length.
- *
- * @param kekLength The KEK length in bits.
- *
- * @return The compatible JWE algorithms.
- *
- * @throws KeyLengthException If the KEK length is not compatible.
- */
- private static Set getCompatibleJWEAlgorithms(final int kekLength)
- throws KeyLengthException {
-
- Set algs = COMPATIBLE_ALGORITHMS.get(kekLength);
-
- if (algs == null) {
- throw new KeyLengthException("The Key Encryption Key length must be 128 bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 bytes)");
- }
-
- return algs;
- }
-
-
- /**
- * Creates a new AES encryption / decryption provider.
- *
- * @param kek The Key Encryption Key. Must be 128 bits (16 bytes), 192
- * bits (24 bytes) or 256 bits (32 bytes). Must not be
- * {@code null}.
- *
- * @throws KeyLengthException If the KEK length is invalid.
- */
- protected AESCryptoProvider(final SecretKey kek)
- throws KeyLengthException {
-
- super(getCompatibleJWEAlgorithms(ByteUtils.bitLength(kek.getEncoded())), ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
-
- this.kek = kek;
- }
-
-
- /**
- * Gets the Key Encryption Key (KEK).
- *
- * @return The Key Encryption Key.
- */
- public SecretKey getKey() {
-
- return kek;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCM.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCM.java
deleted file mode 100644
index e2ae4554..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCM.java
+++ /dev/null
@@ -1,310 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.*;
-import java.security.spec.InvalidParameterSpecException;
-import javax.crypto.*;
-import javax.crypto.spec.GCMParameterSpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.Container;
-import com.nimbusds.jose.util.KeyUtils;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * AES/GSM/NoPadding encryption and decryption methods. Falls back to the
- * BouncyCastle.org provider on Java 6. This class is thread-safe.
- *
- * See RFC 7518 (JWA), section 5.1 and appendix 3.
- *
- * @author Vladimir Dzhuvinov
- * @author Axel Nennker
- * @author Dimitar A. Stoikov
- * @version 2018-01-11
- */
-@ThreadSafe
-public class AESGCM {
-
-
- /**
- * The standard Initialisation Vector (IV) length (96 bits).
- */
- public static final int IV_BIT_LENGTH = 96;
-
-
- /**
- * The standard authentication tag length (128 bits).
- */
- public static final int AUTH_TAG_BIT_LENGTH = 128;
-
-
- /**
- * Generates a random 96 bit (12 byte) Initialisation Vector(IV) for
- * use in AES-GCM encryption.
- *
- *
See RFC 7518 (JWA), section 5.3.
- *
- * @param randomGen The secure random generator to use. Must be
- * correctly initialised and not {@code null}.
- *
- * @return The random 96 bit IV, as 12 byte array.
- */
- public static byte[] generateIV(final SecureRandom randomGen) {
-
- byte[] bytes = new byte[IV_BIT_LENGTH / 8];
- randomGen.nextBytes(bytes);
- return bytes;
- }
-
-
- /**
- * Encrypts the specified plain text using AES/GCM/NoPadding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param plainText The plain text. Must not be {@code null}.
- * @param ivContainer The initialisation vector (IV). Must not be
- * {@code null}. This is both input and output
- * parameter. On input, it carries externally
- * generated IV; on output, it carries the IV the
- * cipher actually used. JCA/JCE providers may
- * prefer to use an internally generated IV, e.g. as
- * described in
- * NIST
- * Special Publication 800-38D .
- * @param authData The authenticated data. Must not be {@code null}.
- *
- * @return The authenticated cipher text.
- *
- * @throws JOSEException If encryption failed.
- */
- public static AuthenticatedCipherText encrypt(final SecretKey secretKey,
- final Container ivContainer,
- final byte[] plainText,
- final byte[] authData,
- final Provider provider)
- throws JOSEException {
-
- // Key alg must be "AES"
- final SecretKey aesKey = KeyUtils.toAESKey(secretKey);
-
- Cipher cipher;
-
- byte[] iv = ivContainer.get();
-
- try {
- if (provider != null) {
- cipher = Cipher.getInstance("AES/GCM/NoPadding", provider);
- } else {
- cipher = Cipher.getInstance("AES/GCM/NoPadding");
- }
-
- GCMParameterSpec gcmSpec = new GCMParameterSpec(AUTH_TAG_BIT_LENGTH, iv);
- cipher.init(Cipher.ENCRYPT_MODE, aesKey, gcmSpec);
-
- } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
-
- throw new JOSEException("Couldn't create AES/GCM/NoPadding cipher: " + e.getMessage(), e);
-
- } catch (NoClassDefFoundError e) {
- // We have Java 6, GCMParameterSpec not available,
- // switch to BouncyCastle API
- return LegacyAESGCM.encrypt(aesKey, iv, plainText, authData);
- }
-
- cipher.updateAAD(authData);
-
- byte[] cipherOutput;
-
- try {
- cipherOutput = cipher.doFinal(plainText);
-
- } catch (IllegalBlockSizeException | BadPaddingException e) {
-
- throw new JOSEException("Couldn't encrypt with AES/GCM/NoPadding: " + e.getMessage(), e);
- }
-
- final int tagPos = cipherOutput.length - ByteUtils.byteLength(AUTH_TAG_BIT_LENGTH);
-
- byte[] cipherText = ByteUtils.subArray(cipherOutput, 0, tagPos);
- byte[] authTag = ByteUtils.subArray(cipherOutput, tagPos, ByteUtils.byteLength(AUTH_TAG_BIT_LENGTH));
-
- // retrieve the actual IV used by the cipher -- it may be internally-generated.
- ivContainer.set(actualIVOf(cipher));
-
- return new AuthenticatedCipherText(cipherText, authTag);
- }
-
-
- /**
- * Retrieves the actual algorithm parameters and validates them.
- *
- * @param cipher The cipher to interrogate for the parameters it
- * actually used.
- *
- * @return The IV used by the specified cipher.
- *
- * @throws JOSEException If retrieval of the algorithm parameters from
- * the cipher failed, or the parameters are
- * deemed unusable.
- *
- * @see {@link #actualParamsOf(Cipher)}
- * @see #validate(byte[], int)
- */
- private static byte[] actualIVOf(final Cipher cipher)
- throws JOSEException {
-
- GCMParameterSpec actualParams = actualParamsOf(cipher);
-
- byte[] iv = actualParams.getIV();
- int tLen = actualParams.getTLen();
-
- validate(iv, tLen);
-
- return iv;
- }
-
-
- /**
- * Validates the specified IV and authentication tag according to the
- * AES GCM requirements in
- * JWA RFC.
- *
- * @param iv The IV to check for compliance.
- * @param authTagLength The authentication tag length to check for
- * compliance.
- *
- * @throws JOSEException If the parameters don't match the JWA
- * requirements.
- *
- * @see #IV_BIT_LENGTH
- * @see #AUTH_TAG_BIT_LENGTH
- */
- private static void validate(final byte[] iv, final int authTagLength)
- throws JOSEException {
-
- if (ByteUtils.safeBitLength(iv) != IV_BIT_LENGTH) {
- throw new JOSEException(String.format("IV length of %d bits is required, got %d", IV_BIT_LENGTH, ByteUtils.safeBitLength(iv)));
- }
-
- if (authTagLength != AUTH_TAG_BIT_LENGTH) {
- throw new JOSEException(String.format("Authentication tag length of %d bits is required, got %d", AUTH_TAG_BIT_LENGTH, authTagLength));
- }
- }
-
-
- /**
- * Retrieves the actual AES GCM parameters used by the specified
- * cipher.
- *
- * @param cipher The cipher to interrogate. Non-{@code null}.
- *
- * @return The AES GCM parameters. Non-{@code null}.
- *
- * @throws JOSEException If the parameters cannot be retrieved, are
- * uninitialized, or are not in the correct form. We want to have the
- * actual parameters used by the cipher and not rely on the assumption
- * that they were the same as those we supplied it with. If at runtime
- * the assumption is incorrect, the ciphertext would not be
- * decryptable.
- */
- private static GCMParameterSpec actualParamsOf(final Cipher cipher)
- throws JOSEException {
-
- AlgorithmParameters algorithmParameters = cipher.getParameters();
-
- if (algorithmParameters == null) {
- throw new JOSEException("AES GCM ciphers are expected to make use of algorithm parameters");
- }
-
- try {
- // Note: GCMParameterSpec appears in Java 7
- return algorithmParameters.getParameterSpec(GCMParameterSpec.class);
- } catch (InvalidParameterSpecException shouldNotHappen) {
- throw new JOSEException(shouldNotHappen.getMessage(), shouldNotHappen);
- }
- }
-
-
- /**
- * Decrypts the specified cipher text using AES/GCM/NoPadding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authData The authenticated data. Must not be {@code null}.
- * @param authTag The authentication tag. Must not be {@code null}.
- *
- * @return The decrypted plain text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decrypt(final SecretKey secretKey,
- final byte[] iv,
- final byte[] cipherText,
- final byte[] authData,
- final byte[] authTag,
- final Provider provider)
- throws JOSEException {
-
- // Key alg must be "AES"
- final SecretKey aesKey = KeyUtils.toAESKey(secretKey);
-
- Cipher cipher;
-
- try {
- if (provider != null) {
- cipher = Cipher.getInstance("AES/GCM/NoPadding", provider);
- } else {
- cipher = Cipher.getInstance("AES/GCM/NoPadding");
- }
-
- GCMParameterSpec gcmSpec = new GCMParameterSpec(AUTH_TAG_BIT_LENGTH, iv);
- cipher.init(Cipher.DECRYPT_MODE, aesKey, gcmSpec);
-
- } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) {
-
- throw new JOSEException("Couldn't create AES/GCM/NoPadding cipher: " + e.getMessage(), e);
-
- } catch (NoClassDefFoundError e) {
- // We have Java 6, GCMParameterSpec not available,
- // switch to BouncyCastle API
- return LegacyAESGCM.decrypt(aesKey, iv, cipherText, authData, authTag);
- }
-
- cipher.updateAAD(authData);
-
- try {
- return cipher.doFinal(ByteUtils.concat(cipherText, authTag));
-
- } catch (IllegalBlockSizeException | BadPaddingException e) {
-
- throw new JOSEException("AES/GCM/NoPadding decryption failed: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private AESGCM() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCMKW.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCMKW.java
deleted file mode 100644
index 72a870bb..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESGCMKW.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.Provider;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.KeyLengthException;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.Container;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * AES GCM methods for Content Encryption Key (CEK) encryption and
- * decryption. This class is thread-safe.
- *
- * See RFC 7518 (JWA), section 4.7.
- *
- * @author Melisa Halsband
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-@ThreadSafe
-public class AESGCMKW {
-
-
- /**
- * Encrypts the specified Content Encryption Key (CEK).
- *
- * @param cek The Content Encryption Key (CEK) to encrypt. Must
- * not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}. The contained IV must not be
- * {@code null} either.
- * @param kek The AES Key Encryption Key (KEK). Must not be
- * {@code null}.
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default system one.
- *
- * @return The encrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If encryption failed.
- */
- public static AuthenticatedCipherText encryptCEK(final SecretKey cek,
- final Container iv,
- final SecretKey kek,
- Provider provider)
- throws JOSEException {
-
- return AESGCM.encrypt(kek, iv, cek.getEncoded(), new byte[0], provider);
- }
-
-
- /**
- * Decrypts the specified encrypted Content Encryption Key (CEK).
- *
- * @param kek The AES Key Encription Key. Must not be
- * {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param authEncrCEK The encrypted Content Encryption Key (CEK) to
- * decrypt and authentication tag. Must not be
- * {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The decrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If decryption failed.
- */
- public static SecretKey decryptCEK(final SecretKey kek,
- final byte[] iv,
- final AuthenticatedCipherText authEncrCEK,
- final int keyLength,
- final Provider provider)
- throws JOSEException {
-
- byte[] keyBytes = AESGCM.decrypt(kek, iv, authEncrCEK.getCipherText(), new byte[0], authEncrCEK.getAuthenticationTag(), provider);
-
- if (ByteUtils.safeBitLength(keyBytes) != keyLength) {
-
- throw new KeyLengthException("CEK key length mismatch: " + ByteUtils.safeBitLength(keyBytes) + " != " + keyLength);
- }
-
- return new SecretKeySpec(keyBytes, "AES");
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private AESGCMKW() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESKW.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESKW.java
deleted file mode 100644
index cd119d3b..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AESKW.java
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.KeyUtils;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * AES key Wrapping methods for Content Encryption Key (CEK) encryption and
- * decryption. This class is thread-safe.
- *
- * See RFC 7518 (JWA), section 4.4.
- *
- * @author Melisa Halsband
- * @author Vladimir Dzhuvinov
- * @version 2018-03-09
- */
-@ThreadSafe
-public class AESKW {
-
-
- /**
- * Wraps the specified Content Encryption Key (CEK).
- *
- * @param cek The Content Encryption Key (CEK) to wrap. Must not
- * be {@code null}.
- * @param kek The AES Key Encryption Key (KEK) (wrapping key).
- * Must not be {@code null}.
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default system one.
- *
- * @return The wrapped Content Encryption Key (CEK).
- *
- * @throws JOSEException If wrapping failed.
- */
- public static byte[] wrapCEK(final SecretKey cek,
- final SecretKey kek,
- final Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher;
-
- if (provider != null) {
- cipher = Cipher.getInstance("AESWrap", provider);
- } else {
- cipher = Cipher.getInstance("AESWrap");
- }
-
- cipher.init(Cipher.WRAP_MODE, kek);
- return cipher.wrap(cek);
-
- } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | IllegalBlockSizeException e) {
- throw new JOSEException("Couldn't wrap AES key: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Unwraps the specified encrypted Content Encryption Key (CEK).
- *
- * @param kek The AES Key Encryption Key (KEK) (wrapping key).
- * Must not be {@code null}.
- * @param encryptedCEK The wrapped Content Encryption Key (CEK) with
- * authentication tag. Must not be {@code null}.
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default system one.
- *
- * @return The unwrapped Content Encryption Key (CEK).
- *
- * @throws JOSEException If unwrapping failed.
- */
- public static SecretKey unwrapCEK(final SecretKey kek,
- final byte[] encryptedCEK,
- final Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher;
-
- if (provider != null) {
- cipher = Cipher.getInstance("AESWrap", provider);
- } else {
- cipher = Cipher.getInstance("AESWrap");
- }
-
- cipher.init(Cipher.UNWRAP_MODE, KeyUtils.toAESKey(kek)); // Make sure key alg is "AES"
- return (SecretKey)cipher.unwrap(encryptedCEK, "AES", Cipher.SECRET_KEY);
-
- } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException e) {
-
- throw new JOSEException("Couldn't unwrap AES key: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private AESKW() {
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmParametersHelper.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmParametersHelper.java
deleted file mode 100644
index 1c12d675..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmParametersHelper.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.AlgorithmParameters;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-
-
-/**
- * Utility for creating {@link java.security.AlgorithmParameters} objects with
- * an optional JCA provider.
- *
- * @author Justin Richer
- */
-public class AlgorithmParametersHelper {
-
-
- /**
- * Creates a new {@link java.security.AlgorithmParameters} instance.
- *
- * @param name The name of the requested algorithm. Must not be
- * {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- *
- * @return The AlgorithmParameters instance.
- *
- * @throws NoSuchAlgorithmException If an AlgorithmParameterGeneratorSpi
- * implementation for the specified
- * algorithm is not available from the
- * specified Provider object.
- */
- public static AlgorithmParameters getInstance(final String name, final Provider provider)
- throws NoSuchAlgorithmException {
-
- if (provider == null) {
- return AlgorithmParameters.getInstance(name);
- } else {
- return AlgorithmParameters.getInstance(name, provider);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmSupportMessage.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmSupportMessage.java
deleted file mode 100644
index 856d6147..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AlgorithmSupportMessage.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collection;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.jwk.Curve;
-
-
-/**
- * Algorithm support messages, intended for JOSE exceptions.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-20
- */
-public class AlgorithmSupportMessage {
-
-
- /**
- * Itemises the specified collection to human readable string.
- *
- * @param collection The collection, with valid {@code toString}
- * methods. Must not be {@code null}.
- *
- * @return The string.
- */
- private static String itemize(final Collection collection) {
-
- StringBuilder sb = new StringBuilder();
-
- Object[] items = collection.toArray();
-
- for (int i=0; i < items.length; i++) {
-
- if (i == 0) {
- // no delimiter
- } else if (i < items.length - 1) {
- sb.append(", ");
- } else if (i == items.length - 1) {
- sb.append(" or ");
- }
-
- sb.append(items[i].toString());
- }
-
- return sb.toString();
- }
-
-
- /**
- * Returns a message that the specified JWS algorithm is not supported.
- *
- * @param unsupported The unsupported JWS algorithm. Must not be
- * {@code null}.
- * @param supported The supported JWS algorithms. Must not be
- * {@code null}.
- *
- * @return The message.
- */
- public static String unsupportedJWSAlgorithm(final JWSAlgorithm unsupported,
- final Collection supported) {
-
- return "Unsupported JWS algorithm " + unsupported + ", must be " + itemize(supported);
- }
-
-
- /**
- * Returns a message that the specified JWE algorithm is not supported.
- *
- * @param unsupported The unsupported JWE algorithm. Must not be
- * {@code null}.
- * @param supported The supported JWE algorithms. Must not be
- * {@code null}.
- *
- * @return The message.
- */
- public static String unsupportedJWEAlgorithm(final JWEAlgorithm unsupported,
- final Collection supported) {
-
- return "Unsupported JWE algorithm " + unsupported + ", must be " + itemize(supported);
- }
-
-
- /**
- * Returns a message that the specified JWE encryption method is not
- * supported.
- *
- * @param unsupported The unsupported JWE encryption method. Must not
- * be {@code null}.
- * @param supported The supported JWE encryption methods. Must not be
- * {@code null}.
- *
- * @return The message.
- */
- public static String unsupportedEncryptionMethod(final EncryptionMethod unsupported,
- final Collection supported) {
-
- return "Unsupported JWE encryption method " + unsupported + ", must be " + itemize(supported);
- }
-
-
- /**
- * Returns a message that the specified elliptic curve is not
- * supported.
- *
- * @param unsupported The unsupported elliptic curve. Must not be
- * {@code null}.
- * @param supported The supported elliptic curves. Must not be
- * {@code null}.
- *
- * @return The message.
- */
- public static String unsupportedEllipticCurve(final Curve unsupported,
- final Collection supported) {
-
- return "Unsupported elliptic curve " + unsupported + ", must be " + itemize(supported);
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private AlgorithmSupportMessage() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AuthenticatedCipherText.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AuthenticatedCipherText.java
deleted file mode 100644
index 1951b458..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/AuthenticatedCipherText.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import net.jcip.annotations.Immutable;
-
-
-/**
- * Authenticated cipher text. This class is immutable.
- *
- * @author Vladimir Dzhuvinov
- * @version 2013-05-06
- */
-@Immutable
-public final class AuthenticatedCipherText {
-
-
- /**
- * The cipher text.
- */
- private final byte[] cipherText;
-
-
- /**
- * The authentication tag.
- */
- private final byte[] authenticationTag;
-
-
- /**
- * Creates a new authenticated cipher text.
- *
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authenticationTag The authentication tag. Must not be
- * {@code null}.
- */
- public AuthenticatedCipherText(final byte[] cipherText, final byte[] authenticationTag) {
-
- if (cipherText == null)
- throw new IllegalArgumentException("The cipher text must not be null");
-
- this.cipherText = cipherText;
-
-
- if (authenticationTag == null)
- throw new IllegalArgumentException("The authentication tag must not be null");
-
- this.authenticationTag = authenticationTag;
- }
-
-
- /**
- * Gets the cipher text.
- *
- * @return The cipher text.
- */
- public byte[] getCipherText() {
-
- return cipherText;
- }
-
-
- /**
- * Gets the authentication tag.
- *
- * @return The authentication tag.
- */
- public byte[] getAuthenticationTag() {
-
- return authenticationTag;
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWEProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWEProvider.java
deleted file mode 100644
index 87c8e056..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWEProvider.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.Set;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWEProvider;
-import com.nimbusds.jose.jca.JWEJCAContext;
-
-
-/**
- * The base abstract class for JSON Web Encryption (JWE) encrypters and
- * decrypters.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-11-16
- */
-abstract class BaseJWEProvider implements JWEProvider {
-
-
- /**
- * The supported algorithms by the JWE provider instance.
- */
- private final Set algs;
-
-
- /**
- * The supported encryption methods by the JWE provider instance.
- */
- private final Set encs;
-
-
- /**
- * The JWE JCA context.
- */
- private final JWEJCAContext jcaContext = new JWEJCAContext();
-
-
- /**
- * Creates a new base JWE provider.
- *
- * @param algs The supported algorithms by the JWE provider instance.
- * Must not be {@code null}.
- * @param encs The supported encryption methods by the JWE provider
- * instance. Must not be {@code null}.
- */
- public BaseJWEProvider(final Set algs,
- final Set encs) {
-
- if (algs == null) {
- throw new IllegalArgumentException("The supported JWE algorithm set must not be null");
- }
-
- this.algs = Collections.unmodifiableSet(algs);
-
-
- if (encs == null) {
- throw new IllegalArgumentException("The supported encryption methods must not be null");
- }
-
- this.encs = encs;
- }
-
-
- @Override
- public Set supportedJWEAlgorithms() {
-
- return algs;
- }
-
-
- @Override
- public Set supportedEncryptionMethods() {
-
- return encs;
- }
-
-
- @Override
- public JWEJCAContext getJCAContext() {
-
- return jcaContext;
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWSProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWSProvider.java
deleted file mode 100644
index 9ac5e8a6..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/BaseJWSProvider.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.Set;
-
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSProvider;
-import com.nimbusds.jose.jca.JCAContext;
-
-
-/**
- * The base abstract class for JSON Web Signature (JWS) signers and verifiers.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-11-16
- */
-public abstract class BaseJWSProvider implements JWSProvider {
-
-
- /**
- * The supported algorithms by the JWS provider instance.
- */
- private final Set algs;
-
-
- /**
- * The JCA context.
- */
- private final JCAContext jcaContext = new JCAContext();
-
-
- /**
- * Creates a new base JWS provider.
- *
- * @param algs The supported algorithms by the JWS provider instance.
- * Must not be {@code null}.
- */
- public BaseJWSProvider(final Set algs) {
-
- if (algs == null) {
- throw new IllegalArgumentException("The supported JWS algorithm set must not be null");
- }
-
- this.algs = Collections.unmodifiableSet(algs);
- }
-
-
- @Override
- public Set supportedJWSAlgorithms() {
-
- return algs;
- }
-
-
- @Override
- public JCAContext getJCAContext() {
-
- return jcaContext;
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CipherHelper.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CipherHelper.java
deleted file mode 100644
index dae14701..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CipherHelper.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import javax.crypto.Cipher;
-import javax.crypto.NoSuchPaddingException;
-
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Helper utilities for instantiating ciphers.
- *
- * @author Cedric Staub
- * @version 2014-01-22
- */
-@ThreadSafe
-public class CipherHelper {
-
-
- /**
- * Instantiates a cipher with an (optional) JCA provider.
- *
- * @param name The name of the cipher. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- */
- public static Cipher getInstance(String name, Provider provider)
- throws NoSuchAlgorithmException, NoSuchPaddingException {
-
- if (provider == null) {
- return Cipher.getInstance(name);
- } else {
- return Cipher.getInstance(name, provider);
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CompositeKey.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CompositeKey.java
deleted file mode 100644
index 0f599b2b..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CompositeKey.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.KeyLengthException;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * Composite key used in AES/CBC/PKCS5Padding/HMAC-SHA2 encryption. This class
- * is immutable.
- *
- * See RFC 7518 (JWA), section 5.2.
- *
- *
See draft-mcgrew-aead-aes-cbc-hmac-sha2-01
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-@Immutable
-public final class CompositeKey {
-
-
- /**
- * The input key.
- */
- private final SecretKey inputKey;
-
-
- /**
- * The extracted MAC key.
- */
- private final SecretKey macKey;
-
-
- /**
- * The extracted AES key.
- */
- private final SecretKey encKey;
-
-
- /**
- * The expected truncated MAC output length.
- */
- private final int truncatedMacLength;
-
-
- /**
- * Creates a new composite key from the specified secret key.
- *
- * @param inputKey The input key. Must be 256, 384 or 512 bits long.
- * Must not be {@code null}.
- *
- * @throws KeyLengthException If the input key length is not supported.
- */
- public CompositeKey(final SecretKey inputKey)
- throws KeyLengthException {
-
- this.inputKey = inputKey;
-
- byte[] secretKeyBytes = inputKey.getEncoded();
-
- if (secretKeyBytes.length == 32) {
-
- // AES_128_CBC_HMAC_SHA_256
- // 256 bit key -> 128 bit MAC key + 128 bit AES key
- macKey = new SecretKeySpec(secretKeyBytes, 0, 16, "HMACSHA256");
- encKey = new SecretKeySpec(secretKeyBytes, 16, 16, "AES");
- truncatedMacLength = 16;
-
- } else if (secretKeyBytes.length == 48) {
-
- // AES_192_CBC_HMAC_SHA_384
- // 384 bit key -> 129 bit MAC key + 192 bit AES key
- macKey = new SecretKeySpec(secretKeyBytes, 0, 24, "HMACSHA384");
- encKey = new SecretKeySpec(secretKeyBytes, 24, 24, "AES");
- truncatedMacLength = 24;
-
-
- } else if (secretKeyBytes.length == 64) {
-
- // AES_256_CBC_HMAC_SHA_512
- // 512 bit key -> 256 bit MAC key + 256 bit AES key
- macKey = new SecretKeySpec(secretKeyBytes, 0, 32, "HMACSHA512");
- encKey = new SecretKeySpec(secretKeyBytes, 32, 32, "AES");
- truncatedMacLength = 32;
-
- } else {
-
- throw new KeyLengthException("Unsupported AES/CBC/PKCS5Padding/HMAC-SHA2 key length, must be 256, 384 or 512 bits");
- }
- }
-
-
- /**
- * Gets the input key.
- *
- * @return The input key.
- */
- public SecretKey getInputKey() {
-
- return inputKey;
- }
-
-
- /**
- * Gets the extracted MAC key.
- *
- * @return The extracted MAC key.
- */
- public SecretKey getMACKey() {
-
- return macKey;
- }
-
-
- /**
- * Gets the expected truncated MAC length.
- *
- * @return The expected truncated MAC length, in bytes.
- */
- public int getTruncatedMACByteLength() {
-
- return truncatedMacLength;
- }
-
-
- /**
- * Gets the extracted encryption key.
- *
- * @return The extracted encryption key.
- */
- public SecretKey getAESKey() {
-
- return encKey;
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ConcatKDF.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ConcatKDF.java
deleted file mode 100644
index 94cdebb9..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ConcatKDF.java
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jca.JCAAware;
-import com.nimbusds.jose.jca.JCAContext;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.IntegerUtils;
-import com.nimbusds.jose.util.StandardCharset;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Concatenation Key Derivation Function (KDF). This class is thread-safe.
- *
- *
See NIST.800-56A.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-@ThreadSafe
-public class ConcatKDF implements JCAAware {
-
-
- /**
- * The JCA name of the hash algorithm.
- */
- private final String jcaHashAlg;
-
-
- /**
- * The JCA context..
- */
- private final JCAContext jcaContext = new JCAContext();
-
-
- /**
- * Creates a new concatenation Key Derivation Function (KDF) with the
- * specified hash algorithm.
- *
- * @param jcaHashAlg The JCA name of the hash algorithm. Must be
- * supported and not {@code null}.
- */
- public ConcatKDF(final String jcaHashAlg) {
-
- if (jcaHashAlg == null) {
- throw new IllegalArgumentException("The JCA hash algorithm must not be null");
- }
-
- this.jcaHashAlg = jcaHashAlg;
- }
-
-
- /**
- * Returns the JCA name of the hash algorithm.
- *
- * @return The JCA name of the hash algorithm.
- */
- public String getHashAlgorithm() {
-
- return jcaHashAlg;
- }
-
-
- @Override
- public JCAContext getJCAContext() {
-
- return jcaContext;
- }
-
-
- /**
- * Derives a key from the specified inputs.
- *
- * @param sharedSecret The shared secret. Must not be {@code null}.
- * @param keyLengthBits The length of the key to derive, in bits.
- * @param otherInfo Other info, {@code null} if not specified.
- *
- * @return The derived key, with algorithm set to "AES".
- *
- * @throws JOSEException If the key derivation failed.
- */
- public SecretKey deriveKey(final SecretKey sharedSecret,
- final int keyLengthBits,
- final byte[] otherInfo)
- throws JOSEException {
-
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
- final MessageDigest md = getMessageDigest();
-
- for (int i=1; i <= computeDigestCycles(ByteUtils.safeBitLength(md.getDigestLength()), keyLengthBits); i++) {
-
- byte[] counterBytes = IntegerUtils.toBytes(i);
-
- md.update(counterBytes);
- md.update(sharedSecret.getEncoded());
-
- if (otherInfo != null) {
- md.update(otherInfo);
- }
-
- try {
- baos.write(md.digest());
- } catch (IOException e) {
- throw new JOSEException("Couldn't write derived key: " + e.getMessage(), e);
- }
- }
-
- byte[] derivedKeyMaterial = baos.toByteArray();
-
- final int keyLengthBytes = ByteUtils.byteLength(keyLengthBits);
-
- if (derivedKeyMaterial.length == keyLengthBytes) {
- // Return immediately
- return new SecretKeySpec(derivedKeyMaterial, "AES");
- }
-
- return new SecretKeySpec(ByteUtils.subArray(derivedKeyMaterial, 0, keyLengthBytes), "AES");
- }
-
-
- /**
- * Derives a key from the specified inputs.
- *
- * @param sharedSecret The shared secret. Must not be {@code null}.
- * @param keyLength The length of the key to derive, in bits.
- * @param algID The algorithm identifier, {@code null} if not
- * specified.
- * @param partyUInfo The partyUInfo, {@code null} if not specified.
- * @param partyVInfo The partyVInfo {@code null} if not specified.
- * @param suppPubInfo The suppPubInfo, {@code null} if not specified.
- * @param suppPrivInfo The suppPrivInfo, {@code null} if not specified.
- *
- * @return The derived key, with algorithm set to "AES".
- *
- * @throws JOSEException If the key derivation failed.
- */
- public SecretKey deriveKey(final SecretKey sharedSecret,
- final int keyLength,
- final byte[] algID,
- final byte[] partyUInfo,
- final byte[] partyVInfo,
- final byte[] suppPubInfo,
- final byte[] suppPrivInfo)
- throws JOSEException {
-
- final byte[] otherInfo = composeOtherInfo(algID, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
-
- return deriveKey(sharedSecret, keyLength, otherInfo);
- }
-
-
- /**
- * Composes the other info as {@code algID || partyUInfo || partyVInfo
- * || suppPubInfo || suppPrivInfo}.
- *
- * @param algID The algorithm identifier, {@code null} if not
- * specified.
- * @param partyUInfo The partyUInfo, {@code null} if not specified.
- * @param partyVInfo The partyVInfo {@code null} if not specified.
- * @param suppPubInfo The suppPubInfo, {@code null} if not specified.
- * @param suppPrivInfo The suppPrivInfo, {@code null} if not specified.
- *
- * @return The resulting other info.
- */
- public static byte[] composeOtherInfo(final byte[] algID,
- final byte[] partyUInfo,
- final byte[] partyVInfo,
- final byte[] suppPubInfo,
- final byte[] suppPrivInfo) {
-
- return ByteUtils.concat(algID, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
- }
-
-
- /**
- * Returns a message digest instance for the configured
- * {@link #jcaHashAlg hash algorithm}.
- *
- * @return The message digest instance.
- *
- * @throws JOSEException If the message digest algorithm is not
- * supported by the underlying JCA provider.
- */
- private MessageDigest getMessageDigest()
- throws JOSEException {
-
- final Provider provider = getJCAContext().getProvider();
-
- try {
- if (provider == null)
- return MessageDigest.getInstance(jcaHashAlg);
- else
- return MessageDigest.getInstance(jcaHashAlg, provider);
- } catch (NoSuchAlgorithmException e) {
- throw new JOSEException("Couldn't get message digest for KDF: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Computes the required digest (hashing) cycles for the specified
- * message digest length and derived key length.
- *
- * @param digestLengthBits The length of the message digest, in bits.
- * @param keyLengthBits The length of the derived key, in bits.
- *
- * @return The digest cycles.
- */
- public static int computeDigestCycles(final int digestLengthBits, final int keyLengthBits) {
-
- // return the ceiling of keyLength / digestLength
-
- return (keyLengthBits + digestLengthBits - 1) / digestLengthBits;
- }
-
-
- /**
- * Encodes no / empty data as an empty byte array.
- *
- * @return The encoded data.
- */
- public static byte[] encodeNoData() {
-
- return new byte[0];
- }
-
-
- /**
- * Encodes the specified integer data as a four byte array.
- *
- * @param data The integer data to encode.
- *
- * @return The encoded data.
- */
- public static byte[] encodeIntData(final int data) {
-
- return IntegerUtils.toBytes(data);
- }
-
-
- /**
- * Encodes the specified string data as {@code data.length || data}.
- *
- * @param data The string data, UTF-8 encoded. May be {@code null}.
- *
- * @return The encoded data.
- */
- public static byte[] encodeStringData(final String data) {
-
- byte[] bytes = data != null ? data.getBytes(StandardCharset.UTF_8) : null;
- return encodeDataWithLength(bytes);
- }
-
-
- /**
- * Encodes the specified data as {@code data.length || data}.
- *
- * @param data The data to encode, may be {@code null}.
- *
- * @return The encoded data.
- */
- public static byte[] encodeDataWithLength(final byte[] data) {
-
- byte[] bytes = data != null ? data : new byte[0];
- byte[] length = IntegerUtils.toBytes(bytes.length);
- return ByteUtils.concat(length, bytes);
- }
-
-
- /**
- * Encodes the specified BASE64URL encoded data
- * {@code data.length || data}.
- *
- * @param data The data to encode, may be {@code null}.
- *
- * @return The encoded data.
- */
- public static byte[] encodeDataWithLength(final Base64URL data) {
-
- byte[] bytes = data != null ? data.decode() : null;
- return encodeDataWithLength(bytes);
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ContentCryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ContentCryptoProvider.java
deleted file mode 100644
index 75dd5c9c..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ContentCryptoProvider.java
+++ /dev/null
@@ -1,310 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.SecureRandom;
-import java.util.*;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.*;
-import com.nimbusds.jose.jca.JWEJCAContext;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.Container;
-import com.nimbusds.jose.util.IntegerOverflowException;
-
-
-/**
- * JWE content encryption / decryption provider.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-public class ContentCryptoProvider {
-
-
- /**
- * The supported encryption methods.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS;
-
-
- /**
- * The encryption methods compatible with each key size in bits.
- */
- public static final Map> COMPATIBLE_ENCRYPTION_METHODS;
-
-
- static {
- Set methods = new LinkedHashSet<>();
- methods.add(EncryptionMethod.A128CBC_HS256);
- methods.add(EncryptionMethod.A192CBC_HS384);
- methods.add(EncryptionMethod.A256CBC_HS512);
- methods.add(EncryptionMethod.A128GCM);
- methods.add(EncryptionMethod.A192GCM);
- methods.add(EncryptionMethod.A256GCM);
- methods.add(EncryptionMethod.A128CBC_HS256_DEPRECATED);
- methods.add(EncryptionMethod.A256CBC_HS512_DEPRECATED);
- SUPPORTED_ENCRYPTION_METHODS = Collections.unmodifiableSet(methods);
-
- Map> encsMap = new HashMap<>();
- Set bit128Encs = new HashSet<>();
- Set bit192Encs = new HashSet<>();
- Set bit256Encs = new HashSet<>();
- Set bit384Encs = new HashSet<>();
- Set bit512Encs = new HashSet<>();
- bit128Encs.add(EncryptionMethod.A128GCM);
- bit192Encs.add(EncryptionMethod.A192GCM);
- bit256Encs.add(EncryptionMethod.A256GCM);
- bit256Encs.add(EncryptionMethod.A128CBC_HS256);
- bit256Encs.add(EncryptionMethod.A128CBC_HS256_DEPRECATED);
- bit384Encs.add(EncryptionMethod.A192CBC_HS384);
- bit512Encs.add(EncryptionMethod.A256CBC_HS512);
- bit512Encs.add(EncryptionMethod.A256CBC_HS512_DEPRECATED);
- encsMap.put(128,Collections.unmodifiableSet(bit128Encs));
- encsMap.put(192,Collections.unmodifiableSet(bit192Encs));
- encsMap.put(256,Collections.unmodifiableSet(bit256Encs));
- encsMap.put(384,Collections.unmodifiableSet(bit384Encs));
- encsMap.put(512, Collections.unmodifiableSet(bit512Encs));
- COMPATIBLE_ENCRYPTION_METHODS = Collections.unmodifiableMap(encsMap);
- }
-
-
- /**
- * Generates a Content Encryption Key (CEK) for the specified JOSE
- * encryption method.
- *
- * @param enc The encryption method. Must not be {@code null}.
- * @param randomGen The secure random generator to use. Must not be
- * {@code null}.
- *
- * @return The generated CEK (with algorithm "AES").
- *
- * @throws JOSEException If the encryption method is not supported.
- */
- public static SecretKey generateCEK(final EncryptionMethod enc, final SecureRandom randomGen)
- throws JOSEException {
-
- if (! SUPPORTED_ENCRYPTION_METHODS.contains(enc)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedEncryptionMethod(enc, SUPPORTED_ENCRYPTION_METHODS));
- }
-
- final byte[] cekMaterial = new byte[ByteUtils.byteLength(enc.cekBitLength())];
-
- randomGen.nextBytes(cekMaterial);
-
- return new SecretKeySpec(cekMaterial, "AES");
- }
-
-
- /**
- * Checks the length of the Content Encryption Key (CEK) according to
- * the encryption method.
- *
- * @param cek The CEK. Must not be {@code null}.
- * @param enc The encryption method. Must not be {@code null}.
- *
- * @throws KeyLengthException If the CEK length doesn't match the
- * encryption method.
- */
- private static void checkCEKLength(final SecretKey cek, final EncryptionMethod enc)
- throws KeyLengthException {
-
- try {
- if (enc.cekBitLength() != ByteUtils.safeBitLength(cek.getEncoded())) {
- throw new KeyLengthException("The Content Encryption Key (CEK) length for " + enc + " must be " + enc.cekBitLength() + " bits");
- }
- } catch (IntegerOverflowException e) {
- throw new KeyLengthException("The Content Encryption Key (CEK) is too long: " + e.getMessage());
- }
- }
-
-
- /**
- * Encrypts the specified clear text (content).
- *
- * @param header The final JWE header. Must not be {@code null}.
- * @param clearText The clear text to encrypt and optionally
- * compress. Must not be {@code null}.
- * @param cek The Content Encryption Key (CEK). Must not be
- * {@code null}.
- * @param encryptedKey The encrypted CEK, {@code null} if not required.
- * @param jcaProvider The JWE JCA provider specification. Must not be
- * {@code null}.
- *
- * @return The JWE crypto parts.
- *
- * @throws JOSEException If encryption failed.
- */
- public static JWECryptoParts encrypt(final JWEHeader header,
- final byte[] clearText,
- final SecretKey cek,
- final Base64URL encryptedKey,
- final JWEJCAContext jcaProvider)
- throws JOSEException {
-
- checkCEKLength(cek, header.getEncryptionMethod());
-
- // Apply compression if instructed
- final byte[] plainText = DeflateHelper.applyCompression(header, clearText);
-
- // Compose the AAD
- final byte[] aad = AAD.compute(header);
-
- // Encrypt the plain text according to the JWE enc
- final byte[] iv;
- final AuthenticatedCipherText authCipherText;
-
- if ( header.getEncryptionMethod().equals(EncryptionMethod.A128CBC_HS256) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A192CBC_HS384) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256CBC_HS512) ) {
-
- iv = AESCBC.generateIV(jcaProvider.getSecureRandom());
-
- authCipherText = AESCBC.encryptAuthenticated(
- cek, iv, plainText, aad,
- jcaProvider.getContentEncryptionProvider(),
- jcaProvider.getMACProvider());
-
- } else if (header.getEncryptionMethod().equals(EncryptionMethod.A128GCM) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A192GCM) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256GCM) ) {
-
- Container ivContainer = new Container<>(AESGCM.generateIV(jcaProvider.getSecureRandom()));
-
- authCipherText = AESGCM.encrypt(
- cek, ivContainer, plainText, aad,
- jcaProvider.getContentEncryptionProvider());
-
- iv = ivContainer.get();
-
- } else if (header.getEncryptionMethod().equals(EncryptionMethod.A128CBC_HS256_DEPRECATED) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256CBC_HS512_DEPRECATED) ) {
-
- iv = AESCBC.generateIV(jcaProvider.getSecureRandom());
-
- authCipherText = AESCBC.encryptWithConcatKDF(
- header, cek, encryptedKey, iv, plainText,
- jcaProvider.getContentEncryptionProvider(),
- jcaProvider.getMACProvider());
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedEncryptionMethod(
- header.getEncryptionMethod(),
- SUPPORTED_ENCRYPTION_METHODS));
- }
-
- return new JWECryptoParts(
- header,
- encryptedKey,
- Base64URL.encode(iv),
- Base64URL.encode(authCipherText.getCipherText()),
- Base64URL.encode(authCipherText.getAuthenticationTag()));
- }
-
-
- /**
- * Decrypts the specified cipher text.
- *
- * @param header The JWE header. Must not be {@code null}.
- * @param encryptedKey The encrypted key, {@code null} if not
- * specified.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authTag The authentication tag. Must not be
- * {@code null}.
- * @param cek The Content Encryption Key (CEK). Must not be
- * {@code null}.
- * @param jcaProvider The JWE JCA provider specification. Must not be
- * {@code null}.
- *
- * @return The clear text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decrypt(final JWEHeader header,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag,
- final SecretKey cek,
- final JWEJCAContext jcaProvider)
- throws JOSEException {
-
- checkCEKLength(cek, header.getEncryptionMethod());
-
- // Compose the AAD
- byte[] aad = AAD.compute(header);
-
- // Decrypt the cipher text according to the JWE enc
-
- byte[] plainText;
-
- if (header.getEncryptionMethod().equals(EncryptionMethod.A128CBC_HS256) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A192CBC_HS384) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256CBC_HS512)) {
-
- plainText = AESCBC.decryptAuthenticated(
- cek,
- iv.decode(),
- cipherText.decode(),
- aad,
- authTag.decode(),
- jcaProvider.getContentEncryptionProvider(),
- jcaProvider.getMACProvider());
-
- } else if (header.getEncryptionMethod().equals(EncryptionMethod.A128GCM) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A192GCM) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256GCM)) {
-
- plainText = AESGCM.decrypt(
- cek,
- iv.decode(),
- cipherText.decode(),
- aad,
- authTag.decode(),
- jcaProvider.getContentEncryptionProvider());
-
- } else if (header.getEncryptionMethod().equals(EncryptionMethod.A128CBC_HS256_DEPRECATED) ||
- header.getEncryptionMethod().equals(EncryptionMethod.A256CBC_HS512_DEPRECATED)) {
-
- plainText = AESCBC.decryptWithConcatKDF(
- header,
- cek,
- encryptedKey,
- iv,
- cipherText,
- authTag,
- jcaProvider.getContentEncryptionProvider(),
- jcaProvider.getMACProvider());
-
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedEncryptionMethod(
- header.getEncryptionMethod(),
- SUPPORTED_ENCRYPTION_METHODS));
- }
-
-
- // Apply decompression if requested
- return DeflateHelper.applyDecompression(header, plainText);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CriticalHeaderParamsDeferral.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CriticalHeaderParamsDeferral.java
deleted file mode 100644
index 3f493708..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/CriticalHeaderParamsDeferral.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.Set;
-
-import com.nimbusds.jose.CriticalHeaderParamsAware;
-import com.nimbusds.jose.Header;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEHeader;
-
-
-/**
- * Critical ({@code crit}) header parameters deferral policy.
- *
- * @see CriticalHeaderParamsAware
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-20
- */
-public class CriticalHeaderParamsDeferral {
-
-
- /**
- * The names of the deferred critical headers.
- */
- private Set deferredParams = Collections.emptySet();
-
-
- /**
- * Returns the names of the critical ({@code crit}) header parameters
- * that are understood and processed.
- *
- * @return Empty immutable set.
- */
- public Set getProcessedCriticalHeaderParams() {
-
- return Collections.emptySet();
- }
-
-
- /**
- * Returns the names of the critical ({@code crit}) header parameters
- * that are deferred to the application for processing.
- *
- * @return The names of the critical header parameters that are
- * deferred to the application for processing, as an
- * unmodifiable set, empty set if none.
- */
- public Set getDeferredCriticalHeaderParams() {
-
- return Collections.unmodifiableSet(deferredParams);
- }
-
-
- /**
- * Sets the names of the critical ({@code crit}) header parameters
- * that are deferred to the application for processing.
- *
- * @param defCritHeaders The names of the critical header parameters
- * that are deferred to the application for
- * processing, empty set or {@code null} if none.
- */
- public void setDeferredCriticalHeaderParams(final Set defCritHeaders) {
-
- if (defCritHeaders == null) {
- this.deferredParams = Collections.emptySet();
- } else {
- this.deferredParams = defCritHeaders;
- }
- }
-
-
- /**
- * Returns {@code true} if the specified header passes the critical
- * parameters check.
- *
- * @param header The JWS or JWE header to check. Must not be
- * {@code null}.
- *
- * @return {@code true} if the header passes, {@code false} if the
- * header contains one or more critical header parameters which
- * are not marked for deferral to the application.
- */
- public boolean headerPasses(final Header header) {
-
- Set crit = header.getCriticalParams();
-
- if (crit == null || crit.isEmpty()) {
- return true; // OK
- }
-
- // Ensure all marked as deferred
- return deferredParams != null && deferredParams.containsAll(crit);
- }
-
-
- /**
- * Throws a JOSE exception if the specified JWE header doesn't pass the
- * critical header parameters check.
- *
- * @param header The JWE header to check. Must not be {@code null}.
- *
- * @throws JOSEException If the JWE header doesn't pass the check.
- */
- public void ensureHeaderPasses(final JWEHeader header)
- throws JOSEException {
-
- if (! headerPasses(header)) {
- throw new JOSEException("Unsupported critical header parameter(s)");
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DeflateHelper.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DeflateHelper.java
deleted file mode 100644
index 78fa9b1b..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DeflateHelper.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import com.nimbusds.jose.CompressionAlgorithm;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.util.DeflateUtils;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Deflate (RFC 1951) helper methods, intended for use by JWE encrypters and
- * decrypters. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @version 2014-07-08
- */
-@ThreadSafe
-public class DeflateHelper {
-
-
- /**
- * Applies compression to the specified plain text if requested.
- *
- * @param jweHeader The JWE header. Must not be {@code null}.
- * @param bytes The plain text bytes. Must not be {@code null}.
- *
- * @return The bytes to encrypt.
- *
- * @throws JOSEException If compression failed or the requested
- * compression algorithm is not supported.
- */
- public static byte[] applyCompression(final JWEHeader jweHeader, final byte[] bytes)
- throws JOSEException {
-
- CompressionAlgorithm compressionAlg = jweHeader.getCompressionAlgorithm();
-
- if (compressionAlg == null) {
-
- return bytes;
-
- } else if (compressionAlg.equals(CompressionAlgorithm.DEF)) {
-
- try {
- return DeflateUtils.compress(bytes);
-
- } catch (Exception e) {
-
- throw new JOSEException("Couldn't compress plain text: " + e.getMessage(), e);
- }
-
- } else {
-
- throw new JOSEException("Unsupported compression algorithm: " + compressionAlg);
- }
- }
-
-
- /**
- * Applies decompression to the specified plain text if requested.
- *
- * @param jweHeader The JWE header. Must not be {@code null}.
- * @param bytes The plain text bytes. Must not be {@code null}.
- *
- * @return The output bytes, decompressed if requested.
- *
- * @throws JOSEException If decompression failed or the requested
- * compression algorithm is not supported.
- */
- public static byte[] applyDecompression(final JWEHeader jweHeader, final byte[] bytes)
- throws JOSEException {
-
- CompressionAlgorithm compressionAlg = jweHeader.getCompressionAlgorithm();
-
- if (compressionAlg == null) {
-
- return bytes;
-
- } else if (compressionAlg.equals(CompressionAlgorithm.DEF)) {
-
- try {
- return DeflateUtils.decompress(bytes);
-
- } catch (Exception e) {
-
- throw new JOSEException("Couldn't decompress plain text: " + e.getMessage(), e);
- }
-
- } else {
-
- throw new JOSEException("Unsupported compression algorithm: " + compressionAlg);
- }
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DirectCryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DirectCryptoProvider.java
deleted file mode 100644
index 7b626166..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/DirectCryptoProvider.java
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.KeyLengthException;
-import com.nimbusds.jose.util.ByteUtils;
-
-
-/**
- * The base abstract class for direct encrypters and decrypters of
- * {@link com.nimbusds.jose.JWEObject JWE objects} with a shared symmetric key.
- *
- * Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#DIR}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-29
- */
-public abstract class DirectCryptoProvider extends BaseJWEProvider {
-
-
- /**
- * The supported JWE algorithms by the direct crypto provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods by the direct crypto provider
- * class.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWEAlgorithm.DIR);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * Returns the compatible encryption methods for the specified Content
- * Encryption Key (CEK) length.
- *
- * @param cekLength The CEK length in bits.
- *
- * @return The compatible encryption methods.
- *
- * @throws KeyLengthException If the CEK length is not compatible.
- */
- private static Set getCompatibleEncryptionMethods(final int cekLength)
- throws KeyLengthException {
-
- Set encs = ContentCryptoProvider.COMPATIBLE_ENCRYPTION_METHODS.get(cekLength);
-
- if (encs == null) {
- throw new KeyLengthException("The Content Encryption Key length must be 128 bits (16 bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 bits (48 bytes) or 512 bites (64 bytes)");
- }
-
- return encs;
- }
-
-
- /**
- * The Content Encryption Key (CEK).
- */
- private final SecretKey cek;
-
-
- /**
- * Creates a new direct encryption / decryption provider.
- *
- * @param cek The Content Encryption Key (CEK). Must be 128 bits (16
- * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384
- * bits (48 bytes) or 512 bits (64 bytes) long. Must not be
- * {@code null}.
- *
- * @throws KeyLengthException If the CEK length is not compatible.
- */
- protected DirectCryptoProvider(final SecretKey cek)
- throws KeyLengthException {
-
- super(SUPPORTED_ALGORITHMS, getCompatibleEncryptionMethods(ByteUtils.bitLength(cek.getEncoded())));
-
- this.cek = cek;
- }
-
-
- /**
- * Gets the Content Encryption Key (CEK).
- *
- * @return The key.
- */
- public SecretKey getKey() {
-
- return cek;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDH.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDH.java
deleted file mode 100644
index 81e5abbf..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDH.java
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.nio.charset.Charset;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.interfaces.ECPublicKey;
-import javax.crypto.KeyAgreement;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.google.crypto.tink.subtle.X25519;
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.jwk.OctetKeyPair;
-
-
-/**
- * Elliptic Curve Diffie-Hellman key agreement functions and utilities.
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-12-12
- */
-public class ECDH {
-
-
- /**
- * Enumeration of the Elliptic Curve Diffie-Hellman Ephemeral Static
- * algorithm modes.
- */
- public enum AlgorithmMode {
-
- /**
- * Direct key agreement mode.
- */
- DIRECT,
-
-
- /**
- * Key wrapping mode.
- */
- KW
- }
-
-
- /**
- * Resolves the ECDH algorithm mode.
- *
- * @param alg The JWE algorithm. Must be supported and not
- * {@code null}.
- *
- * @return The algorithm mode.
- *
- * @throws JOSEException If the JWE algorithm is not supported.
- */
- public static AlgorithmMode resolveAlgorithmMode(final JWEAlgorithm alg)
- throws JOSEException {
-
- if (alg.equals(JWEAlgorithm.ECDH_ES)) {
-
- return AlgorithmMode.DIRECT;
-
- } else if (alg.equals(JWEAlgorithm.ECDH_ES_A128KW) ||
- alg.equals(JWEAlgorithm.ECDH_ES_A192KW) ||
- alg.equals(JWEAlgorithm.ECDH_ES_A256KW)) {
-
- return AlgorithmMode.KW;
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(
- alg,
- ECDHCryptoProvider.SUPPORTED_ALGORITHMS));
- }
- }
-
-
- /**
- * Returns the bit length of the shared key (derived via concat KDF)
- * for the specified JWE ECDH algorithm.
- *
- * @param alg The JWE ECDH algorithm. Must be supported and not
- * {@code null}.
- * @param enc The encryption method. Must be supported} and not
- * {@code null}.
- *
- * @return The bit length of the shared key.
- *
- * @throws JOSEException If the JWE algorithm or encryption method is
- * not supported.
- */
- public static int sharedKeyLength(final JWEAlgorithm alg, final EncryptionMethod enc)
- throws JOSEException {
-
- if (alg.equals(JWEAlgorithm.ECDH_ES)) {
-
- int length = enc.cekBitLength();
-
- if (length == 0) {
- throw new JOSEException("Unsupported JWE encryption method " + enc);
- }
-
- return length;
-
- } else if (alg.equals(JWEAlgorithm.ECDH_ES_A128KW)) {
- return 128;
- } else if (alg.equals(JWEAlgorithm.ECDH_ES_A192KW)) {
- return 192;
- } else if (alg.equals(JWEAlgorithm.ECDH_ES_A256KW)) {
- return 256;
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(
- alg, ECDHCryptoProvider.SUPPORTED_ALGORITHMS));
- }
- }
-
-
- /**
- * Derives a shared secret (also called 'Z') from the specified ECDH
- * key agreement.
- *
- * @param publicKey The public EC key, i.e. the consumer's public EC
- * key on encryption, or the ephemeral public EC key
- * on decryption. Must not be {@code null}.
- * @param privateKey The private EC Key, i.e. the ephemeral private EC
- * key on encryption, or the consumer's private EC
- * key on decryption. Must not be {@code null}.
- * @param provider The specific JCA provider for the ECDH key
- * agreement, {@code null} to use the default one.
- *
- * @return The derived shared secret ('Z'), with algorithm "AES".
- *
- * @throws JOSEException If derivation of the shared secret failed.
- */
- public static SecretKey deriveSharedSecret(final ECPublicKey publicKey,
- final PrivateKey privateKey,
- final Provider provider)
- throws JOSEException {
-
- // Get an ECDH key agreement instance from the JCA provider
- KeyAgreement keyAgreement;
-
- try {
- if (provider != null) {
- keyAgreement = KeyAgreement.getInstance("ECDH", provider);
- } else {
- keyAgreement = KeyAgreement.getInstance("ECDH");
- }
-
- } catch (NoSuchAlgorithmException e) {
- throw new JOSEException("Couldn't get an ECDH key agreement instance: " + e.getMessage(), e);
- }
-
- try {
- keyAgreement.init(privateKey);
- keyAgreement.doPhase(publicKey, true);
-
- } catch (InvalidKeyException e) {
- throw new JOSEException("Invalid key for ECDH key agreement: " + e.getMessage(), e);
- }
-
- return new SecretKeySpec(keyAgreement.generateSecret(), "AES");
- }
-
-
- /**
- * Derives a shared secret (also called 'Z') from the specified ECDH
- * key agreement.
- *
- * @param publicKey The public OKP key, i.e. the consumer's public EC
- * key on encryption, or the ephemeral public EC key
- * on decryption. Must not be {@code null}.
- * @param privateKey The private OKP key, i.e. the ephemeral private EC
- * key on encryption, or the consumer's private EC
- * key on decryption. Must not be {@code null}.
- *
- * @return The derived shared secret ('Z'), with algorithm "AES".
- *
- * @throws JOSEException If derivation of the shared secret failed.
- */
- public static SecretKey deriveSharedSecret(final OctetKeyPair publicKey, final OctetKeyPair privateKey)
- throws JOSEException {
-
- if (publicKey.isPrivate()) {
- throw new JOSEException("Expected public key but received OKP with 'd' value");
- }
-
- if (! Curve.X25519.equals(publicKey.getCurve())) {
- throw new JOSEException("Expected public key OKP with crv=X25519");
- }
-
- if (! privateKey.isPrivate()) {
- throw new JOSEException("Expected private key but received OKP without 'd' value");
- }
-
- if (! Curve.X25519.equals(privateKey.getCurve())) {
- throw new JOSEException("Expected private key OKP with crv=X25519");
- }
-
- final byte[] privateKeyBytes = privateKey.getDecodedD();
- final byte[] publicKeyBytes = publicKey.getDecodedX();
-
- final byte[] sharedSecretBytes;
- try {
- sharedSecretBytes = X25519.computeSharedSecret(privateKeyBytes, publicKeyBytes);
- } catch (InvalidKeyException e) {
- throw new JOSEException(e.getMessage(), e);
- }
-
- return new SecretKeySpec(sharedSecretBytes, "AES");
- }
-
-
- /**
- * Derives a shared key (via concat KDF).
- *
- * @param header The JWE header. Its algorithm and encryption method
- * must be supported. Must not be {@code null}.
- * @param Z The derived shared secret ('Z'). Must not be
- * {@code null}.
- * @param concatKDF The concat KDF. Must be initialised and not
- * {@code null}.
- *
- * @return The derived shared key.
- *
- * @throws JOSEException If derivation of the shared key failed.
- */
- public static SecretKey deriveSharedKey(final JWEHeader header,
- final SecretKey Z,
- final ConcatKDF concatKDF)
- throws JOSEException {
-
- final int sharedKeyLength = sharedKeyLength(header.getAlgorithm(), header.getEncryptionMethod());
-
- // Set the alg ID for the concat KDF
- AlgorithmMode algMode = resolveAlgorithmMode(header.getAlgorithm());
-
- final String algID;
-
- if (algMode == AlgorithmMode.DIRECT) {
- // algID = enc
- algID = header.getEncryptionMethod().getName();
- } else if (algMode == AlgorithmMode.KW) {
- // algID = alg
- algID = header.getAlgorithm().getName();
- } else {
- throw new JOSEException("Unsupported JWE ECDH algorithm mode: " + algMode);
- }
-
- return concatKDF.deriveKey(
- Z,
- sharedKeyLength,
- ConcatKDF.encodeDataWithLength(algID.getBytes(Charset.forName("ASCII"))),
- ConcatKDF.encodeDataWithLength(header.getAgreementPartyUInfo()),
- ConcatKDF.encodeDataWithLength(header.getAgreementPartyVInfo()),
- ConcatKDF.encodeIntData(sharedKeyLength),
- ConcatKDF.encodeNoData());
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private ECDH() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDHCryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDHCryptoProvider.java
deleted file mode 100644
index 3dfb9127..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDHCryptoProvider.java
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2019, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWECryptoParts;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.jwk.Curve;
-import com.nimbusds.jose.util.Base64URL;
-
-
-/**
- * The base abstract class for Elliptic Curve Diffie-Hellman encrypters and
- * decrypters of {@link com.nimbusds.jose.JWEObject JWE objects}.
- *
- * Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#ECDH_ES_A256KW}
- *
- *
- * Supports the following elliptic curves:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#P_256}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_384}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_521}
- *
- {@link com.nimbusds.jose.jwk.Curve#X25519}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Tim McLean
- * @author Vladimir Dzhuvinov
- * @author Fernando González Callejas
- * @version 2019-01-24
- */
-public abstract class ECDHCryptoProvider extends BaseJWEProvider {
-
-
- /**
- * The supported JWE algorithms by the ECDH crypto provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods by the ECDH crypto provider class.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWEAlgorithm.ECDH_ES);
- algs.add(JWEAlgorithm.ECDH_ES_A128KW);
- algs.add(JWEAlgorithm.ECDH_ES_A192KW);
- algs.add(JWEAlgorithm.ECDH_ES_A256KW);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * The elliptic curve.
- */
- private final Curve curve;
-
-
- /**
- * The Concatenation Key Derivation Function (KDF).
- */
- private final ConcatKDF concatKDF;
-
-
- /**
- * Creates a new Elliptic Curve Diffie-Hellman encryption /decryption
- * provider.
- *
- * @param curve The elliptic curve. Must be supported and not
- * {@code null}.
- *
- * @throws JOSEException If the elliptic curve is not supported.
- */
- protected ECDHCryptoProvider(final Curve curve)
- throws JOSEException {
-
- super(SUPPORTED_ALGORITHMS, ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
-
- Curve definedCurve = curve != null ? curve : new Curve("unknown");
-
- if (! supportedEllipticCurves().contains(curve)) {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedEllipticCurve(
- definedCurve, supportedEllipticCurves()));
- }
-
- this.curve = curve;
-
- concatKDF = new ConcatKDF("SHA-256");
- }
-
-
- /**
- * Returns the Concatenation Key Derivation Function (KDF).
- *
- * @return The concat KDF.
- */
- protected ConcatKDF getConcatKDF() {
-
- return concatKDF;
- }
-
-
- /**
- * Returns the names of the supported elliptic curves. These correspond
- * to the {@code crv} EC JWK parameter.
- *
- * @return The supported elliptic curves.
- */
- public abstract Set supportedEllipticCurves();
-
-
- /**
- * Returns the elliptic curve of the key (JWK designation).
- *
- * @return The elliptic curve.
- */
- public Curve getCurve() {
-
- return curve;
- }
-
- /**
- * Encrypts the specified plaintext using the specified shared secret
- * ("Z").
- */
- protected JWECryptoParts encryptWithZ(final JWEHeader header, final SecretKey Z, final byte[] clearText)
- throws JOSEException {
-
- return this.encryptWithZ(header, Z, clearText, null);
- }
-
- /**
- * Encrypts the specified plaintext using the specified shared secret
- * ("Z") and, if provided, the content encryption key (CEK).
- */
- protected JWECryptoParts encryptWithZ(final JWEHeader header,
- final SecretKey Z,
- final byte[] clearText,
- final SecretKey contentEncryptionKey)
- throws JOSEException {
-
- final JWEAlgorithm alg = header.getAlgorithm();
- final ECDH.AlgorithmMode algMode = ECDH.resolveAlgorithmMode(alg);
- final EncryptionMethod enc = header.getEncryptionMethod();
-
- // Derive shared key via concat KDF
- getConcatKDF().getJCAContext().setProvider(getJCAContext().getMACProvider()); // update before concat
- SecretKey sharedKey = ECDH.deriveSharedKey(header, Z, getConcatKDF());
-
- final SecretKey cek;
- final Base64URL encryptedKey; // The CEK encrypted (second JWE part)
-
- if (algMode.equals(ECDH.AlgorithmMode.DIRECT)) {
- cek = sharedKey;
- encryptedKey = null;
- } else if (algMode.equals(ECDH.AlgorithmMode.KW)) {
- if(contentEncryptionKey != null) { // Use externally supplied CEK
- cek = contentEncryptionKey;
- } else { // Generate the CEK according to the enc method
- cek = ContentCryptoProvider.generateCEK(enc, getJCAContext().getSecureRandom());
- }
- encryptedKey = Base64URL.encode(AESKW.wrapCEK(cek, sharedKey, getJCAContext().getKeyEncryptionProvider()));
- } else {
- throw new JOSEException("Unexpected JWE ECDH algorithm mode: " + algMode);
- }
-
- return ContentCryptoProvider.encrypt(header, clearText, cek, encryptedKey, getJCAContext());
- }
-
-
- /**
- * Decrypts the encrypted JWE parts using the specified shared secret ("Z").
- */
- protected byte[] decryptWithZ(final JWEHeader header,
- final SecretKey Z,
- final Base64URL encryptedKey,
- final Base64URL iv,
- final Base64URL cipherText,
- final Base64URL authTag)
- throws JOSEException {
-
- final JWEAlgorithm alg = header.getAlgorithm();
- final ECDH.AlgorithmMode algMode = ECDH.resolveAlgorithmMode(alg);
-
- // Derive shared key via concat KDF
- getConcatKDF().getJCAContext().setProvider(getJCAContext().getMACProvider()); // update before concat
- SecretKey sharedKey = ECDH.deriveSharedKey(header, Z, getConcatKDF());
-
- final SecretKey cek;
-
- if (algMode.equals(ECDH.AlgorithmMode.DIRECT)) {
- cek = sharedKey;
- } else if (algMode.equals(ECDH.AlgorithmMode.KW)) {
- if (encryptedKey == null) {
- throw new JOSEException("Missing JWE encrypted key");
- }
- cek = AESKW.unwrapCEK(sharedKey, encryptedKey.decode(), getJCAContext().getKeyEncryptionProvider());
- } else {
- throw new JOSEException("Unexpected JWE ECDH algorithm mode: " + algMode);
- }
-
- return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, getJCAContext());
- }
-
-
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSA.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSA.java
deleted file mode 100644
index ed6565c5..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSA.java
+++ /dev/null
@@ -1,318 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Signature;
-import java.security.interfaces.ECKey;
-import java.security.spec.ECParameterSpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.jwk.Curve;
-
-
-/**
- * Elliptic Curve Digital Signature Algorithm (ECDSA) functions and utilities.
- *
- * @author Vladimir Dzhuvinov
- * @author Aleksei Doroganov
- * @version 2018-03-28
- */
-public class ECDSA {
-
-
- /**
- * Resolves the matching EC DSA algorithm for the specified EC key
- * (public or private).
- *
- * @param ecKey The EC key. Must not be {@code null}.
- *
- * @return The matching EC DSA algorithm.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public static JWSAlgorithm resolveAlgorithm(final ECKey ecKey)
- throws JOSEException {
-
- ECParameterSpec ecParameterSpec = ecKey.getParams();
- return resolveAlgorithm(Curve.forECParameterSpec(ecParameterSpec));
- }
-
-
- /**
- * Resolves the matching EC DSA algorithm for the specified elliptic
- * curve.
- *
- * @param curve The elliptic curve. May be {@code null}.
- *
- * @return The matching EC DSA algorithm.
- *
- * @throws JOSEException If the elliptic curve of key is not supported.
- */
- public static JWSAlgorithm resolveAlgorithm(final Curve curve)
- throws JOSEException {
-
- if (curve == null) {
- throw new JOSEException("The EC key curve is not supported, must be P-256, P-384 or P-521");
- } else if (Curve.P_256.equals(curve)) {
- return JWSAlgorithm.ES256;
- } else if (Curve.P_256K.equals(curve)) {
- return JWSAlgorithm.ES256K;
- } else if (Curve.P_384.equals(curve)) {
- return JWSAlgorithm.ES384;
- } else if (Curve.P_521.equals(curve)) {
- return JWSAlgorithm.ES512;
- } else {
- throw new JOSEException("Unexpected curve: " + curve);
- }
- }
-
-
- /**
- * Creates a new JCA signer / verifier for ECDSA.
- *
- * @param alg The ECDSA JWS algorithm. Must not be
- * {@code null}.
- * @param jcaProvider The JCA provider, {@code null} if not specified.
- *
- * @return The JCA signer / verifier instance.
- *
- * @throws JOSEException If a JCA signer / verifier couldn't be
- * created.
- */
- public static Signature getSignerAndVerifier(final JWSAlgorithm alg,
- final Provider jcaProvider)
- throws JOSEException {
-
- String jcaAlg;
-
- if (alg.equals(JWSAlgorithm.ES256)) {
- jcaAlg = "SHA256withECDSA";
- } else if (alg.equals(JWSAlgorithm.ES256K)) {
- jcaAlg = "SHA256withECDSA";
- } else if (alg.equals(JWSAlgorithm.ES384)) {
- jcaAlg = "SHA384withECDSA";
- } else if (alg.equals(JWSAlgorithm.ES512)) {
- jcaAlg = "SHA512withECDSA";
- } else {
- throw new JOSEException(
- AlgorithmSupportMessage.unsupportedJWSAlgorithm(
- alg,
- ECDSAProvider.SUPPORTED_ALGORITHMS));
- }
-
- try {
- if (jcaProvider != null) {
- return Signature.getInstance(jcaAlg, jcaProvider);
- } else {
- return Signature.getInstance(jcaAlg);
- }
- } catch (NoSuchAlgorithmException e) {
- throw new JOSEException("Unsupported ECDSA algorithm: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Returns the expected signature byte array length (R + S parts) for
- * the specified ECDSA algorithm.
- *
- * @param alg The ECDSA algorithm. Must be supported and not
- * {@code null}.
- *
- * @return The expected byte array length for the signature.
- *
- * @throws JOSEException If the algorithm is not supported.
- */
- public static int getSignatureByteArrayLength(final JWSAlgorithm alg)
- throws JOSEException {
-
- if (alg.equals(JWSAlgorithm.ES256)) {
-
- return 64;
-
- } else if (alg.equals(JWSAlgorithm.ES256K)) {
-
- return 64;
-
- } else if (alg.equals(JWSAlgorithm.ES384)) {
-
- return 96;
-
- } else if (alg.equals(JWSAlgorithm.ES512)) {
-
- return 132;
-
- } else {
-
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(
- alg,
- ECDSAProvider.SUPPORTED_ALGORITHMS));
- }
- }
-
-
- /**
- * Transcodes the JCA ASN.1/DER-encoded signature into the concatenated
- * R + S format expected by ECDSA JWS.
- *
- * @param derSignature The ASN1./DER-encoded. Must not be {@code null}.
- * @param outputLength The expected length of the ECDSA JWS signature.
- *
- * @return The ECDSA JWS encoded signature.
- *
- * @throws JOSEException If the ASN.1/DER signature format is invalid.
- */
- public static byte[] transcodeSignatureToConcat(final byte[] derSignature, int outputLength)
- throws JOSEException {
-
- if (derSignature.length < 8 || derSignature[0] != 48) {
- throw new JOSEException("Invalid ECDSA signature format");
- }
-
- int offset;
- if (derSignature[1] > 0) {
- offset = 2;
- } else if (derSignature[1] == (byte) 0x81) {
- offset = 3;
- } else {
- throw new JOSEException("Invalid ECDSA signature format");
- }
-
- byte rLength = derSignature[offset + 1];
-
- int i;
- for (i = rLength; (i > 0) && (derSignature[(offset + 2 + rLength) - i] == 0); i--) {
- // do nothing
- }
-
- byte sLength = derSignature[offset + 2 + rLength + 1];
-
- int j;
- for (j = sLength; (j > 0) && (derSignature[(offset + 2 + rLength + 2 + sLength) - j] == 0); j--) {
- // do nothing
- }
-
- int rawLen = Math.max(i, j);
- rawLen = Math.max(rawLen, outputLength / 2);
-
- if ((derSignature[offset - 1] & 0xff) != derSignature.length - offset
- || (derSignature[offset - 1] & 0xff) != 2 + rLength + 2 + sLength
- || derSignature[offset] != 2
- || derSignature[offset + 2 + rLength] != 2) {
- throw new JOSEException("Invalid ECDSA signature format");
- }
-
- final byte[] concatSignature = new byte[2 * rawLen];
-
- System.arraycopy(derSignature, (offset + 2 + rLength) - i, concatSignature, rawLen - i, i);
- System.arraycopy(derSignature, (offset + 2 + rLength + 2 + sLength) - j, concatSignature, 2 * rawLen - j, j);
-
- return concatSignature;
- }
-
-
-
- /**
- * Transcodes the ECDSA JWS signature into ASN.1/DER format for use by
- * the JCA verifier.
- *
- * @param jwsSignature The JWS signature, consisting of the
- * concatenated R and S values. Must not be
- * {@code null}.
- *
- * @return The ASN.1/DER encoded signature.
- *
- * @throws JOSEException If the ECDSA JWS signature format is invalid.
- */
- public static byte[] transcodeSignatureToDER(byte[] jwsSignature)
- throws JOSEException {
-
- // Adapted from org.apache.xml.security.algorithms.implementations.SignatureECDSA
-
- int rawLen = jwsSignature.length / 2;
-
- int i;
-
- for (i = rawLen; (i > 0) && (jwsSignature[rawLen - i] == 0); i--) {
- // do nothing
- }
-
- int j = i;
-
- if (jwsSignature[rawLen - i] < 0) {
- j += 1;
- }
-
- int k;
-
- for (k = rawLen; (k > 0) && (jwsSignature[2 * rawLen - k] == 0); k--) {
- // do nothing
- }
-
- int l = k;
-
- if (jwsSignature[2 * rawLen - k] < 0) {
- l += 1;
- }
-
- int len = 2 + j + 2 + l;
-
- if (len > 255) {
- throw new JOSEException("Invalid ECDSA signature format");
- }
-
- int offset;
-
- final byte derSignature[];
-
- if (len < 128) {
- derSignature = new byte[2 + 2 + j + 2 + l];
- offset = 1;
- } else {
- derSignature = new byte[3 + 2 + j + 2 + l];
- derSignature[1] = (byte) 0x81;
- offset = 2;
- }
-
- derSignature[0] = 48;
- derSignature[offset++] = (byte) len;
- derSignature[offset++] = 2;
- derSignature[offset++] = (byte) j;
-
- System.arraycopy(jwsSignature, rawLen - i, derSignature, (offset + j) - i, i);
-
- offset += j;
-
- derSignature[offset++] = 2;
- derSignature[offset++] = (byte) l;
-
- System.arraycopy(jwsSignature, 2 * rawLen - k, derSignature, (offset + l) - k, k);
-
- return derSignature;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private ECDSA() {}
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSAProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSAProvider.java
deleted file mode 100644
index bac22616..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/ECDSAProvider.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-
-
-/**
- * The base abstract class for Elliptic Curve Digital Signature Algorithm
- * (ECDSA) signers and validators of {@link com.nimbusds.jose.JWSObject JWS
- * objects}.
- *
- * Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#ES256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES256K}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#ES512}
- *
- *
- * @author Axel Nennker
- * @author Vladimir Dzhuvinov
- * @version 2017-05-13
- */
-public abstract class ECDSAProvider extends BaseJWSProvider {
-
-
- /**
- * The supported JWS algorithms by the EC-DSA provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWSAlgorithm.ES256);
- algs.add(JWSAlgorithm.ES256K);
- algs.add(JWSAlgorithm.ES384);
- algs.add(JWSAlgorithm.ES512);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * Creates a new Elliptic Curve Digital Signature Algorithm (ECDSA)
- * provider.
- *
- * @param alg The EC-DSA algorithm. Must be supported and not
- * {@code null}.
- *
- * @throws JOSEException If JWS algorithm is not supported.
- */
- protected ECDSAProvider(final JWSAlgorithm alg)
- throws JOSEException {
-
- super(new HashSet<>(Collections.singletonList(alg)));
-
- if (! SUPPORTED_ALGORITHMS.contains(alg)) {
- throw new JOSEException("Unsupported EC DSA algorithm: " + alg);
- }
- }
-
-
- /**
- * Returns the supported ECDSA algorithm.
- *
- * @see #supportedJWSAlgorithms()
- *
- * @return The supported ECDSA algorithm.
- */
- public JWSAlgorithm supportedECDSAAlgorithm() {
-
- return supportedJWSAlgorithms().iterator().next();
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/EdDSAProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/EdDSAProvider.java
deleted file mode 100644
index 321be1f5..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/EdDSAProvider.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.Set;
-
-import com.nimbusds.jose.JWSAlgorithm;
-
-
-/**
- * The base abstract class for Edwards-curve Digital Signature Algorithm
- * (EdDSA) signers and validators of {@link com.nimbusds.jose.JWSObject JWS
- * objects}.
- *
- * Supports the following algorithm:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#EdDSA}
- *
- *
- * @author Tim McLean
- * @version 2018-07-11
- */
-public abstract class EdDSAProvider extends BaseJWSProvider {
-
-
- /**
- * The supported JWS algorithms by the EdDSA provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- static {
- SUPPORTED_ALGORITHMS = Collections.singleton(JWSAlgorithm.EdDSA);
- }
-
-
- /**
- * Creates a new Edwards-curve Digital Signature Algorithm (EdDSA)
- * provider.
- */
- protected EdDSAProvider() {
-
- super(SUPPORTED_ALGORITHMS);
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/HMAC.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/HMAC.java
deleted file mode 100644
index d79eaa79..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/HMAC.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * Static methods for Hash-based Message Authentication Codes (HMAC). This
- * class is thread-safe.
- *
- * @author Axel Nennker
- * @author Vladimir Dzhuvinov
- * @version 2015-04-23
- */
-@ThreadSafe
-public class HMAC {
-
-
- public static Mac getInitMac(final SecretKey secretKey,
- final Provider provider)
- throws JOSEException {
-
- Mac mac;
-
- try {
- if (provider != null) {
- mac = Mac.getInstance(secretKey.getAlgorithm(), provider);
- } else {
- mac = Mac.getInstance(secretKey.getAlgorithm());
- }
-
- mac.init(secretKey);
-
- } catch (NoSuchAlgorithmException e) {
-
- throw new JOSEException("Unsupported HMAC algorithm: " + e.getMessage(), e);
-
- } catch (InvalidKeyException e) {
-
- throw new JOSEException("Invalid HMAC key: " + e.getMessage(), e);
- }
-
- return mac;
- }
-
-
- /**
- * Computes a Hash-based Message Authentication Code (HMAC) for the
- * specified secret and message.
- *
- * @param alg The Java Cryptography Architecture (JCA) HMAC
- * algorithm name. Must not be {@code null}.
- * @param secret The secret. Must not be {@code null}.
- * @param message The message. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- *
- * @return A MAC service instance.
- *
- * @throws JOSEException If the algorithm is not supported or the
- * MAC secret key is invalid.
- */
- public static byte[] compute(final String alg,
- final byte[] secret,
- final byte[] message,
- final Provider provider)
- throws JOSEException {
-
- return compute(new SecretKeySpec(secret, alg), message, provider);
- }
-
-
- /**
- * Computes a Hash-based Message Authentication Code (HMAC) for the
- * specified secret key and message.
- *
- * @param secretKey The secret key, with the appropriate HMAC
- * algorithm. Must not be {@code null}.
- * @param message The message. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return A MAC service instance.
- *
- * @throws JOSEException If the algorithm is not supported or the MAC
- * secret key is invalid.
- */
- public static byte[] compute(final SecretKey secretKey,
- final byte[] message,
- final Provider provider)
- throws JOSEException {
-
- Mac mac = getInitMac(secretKey, provider);
- mac.update(message);
- return mac.doFinal();
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyAESGCM.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyAESGCM.java
deleted file mode 100644
index 3322914f..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyAESGCM.java
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import javax.crypto.SecretKey;
-
-import com.nimbusds.jose.JOSEException;
-import net.jcip.annotations.ThreadSafe;
-import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.CipherParameters;
-import org.bouncycastle.crypto.InvalidCipherTextException;
-import org.bouncycastle.crypto.engines.AESEngine;
-import org.bouncycastle.crypto.modes.GCMBlockCipher;
-import org.bouncycastle.crypto.params.AEADParameters;
-import org.bouncycastle.crypto.params.KeyParameter;
-
-
-/**
- * Legacy AES/GSM/NoPadding encryption and decryption methods. Uses the
- * BouncyCastle.org API. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @author Axel Nennker
- * @version 2015-11-15
- */
-@ThreadSafe
-public class LegacyAESGCM {
-
-
- /**
- * The standard authentication tag length (128 bits).
- */
- public static final int AUTH_TAG_BIT_LENGTH = 128;
-
-
- /**
- * Creates a new AES cipher.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param forEncryption If {@code true} creates an AES encryption
- * cipher, else creates an AES decryption
- * cipher.
- *
- * @return The AES cipher.
- */
- public static AESEngine createAESCipher(final SecretKey secretKey,
- final boolean forEncryption) {
-
- AESEngine cipher = new AESEngine();
-
- CipherParameters cipherParams = new KeyParameter(secretKey.getEncoded());
-
- cipher.init(forEncryption, cipherParams);
-
- return cipher;
- }
-
-
- /**
- * Creates a new AES/GCM/NoPadding cipher.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param forEncryption If {@code true} creates an encryption cipher,
- * else creates a decryption cipher.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param authData The authenticated data. Must not be
- * {@code null}.
- *
- * @return The AES/GCM/NoPadding cipher.
- */
- private static GCMBlockCipher createAESGCMCipher(final SecretKey secretKey,
- final boolean forEncryption,
- final byte[] iv,
- final byte[] authData) {
-
- // Initialise AES cipher
- BlockCipher cipher = createAESCipher(secretKey, forEncryption);
-
- // Create GCM cipher with AES
- GCMBlockCipher gcm = new GCMBlockCipher(cipher);
-
- AEADParameters aeadParams = new AEADParameters(new KeyParameter(secretKey.getEncoded()),
- AUTH_TAG_BIT_LENGTH,
- iv,
- authData);
- gcm.init(forEncryption, aeadParams);
-
- return gcm;
- }
-
-
- /**
- * Encrypts the specified plain text using AES/GCM/NoPadding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param plainText The plain text. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param authData The authenticated data. Must not be {@code null}.
- *
- * @return The authenticated cipher text.
- *
- * @throws JOSEException If encryption failed.
- */
- public static AuthenticatedCipherText encrypt(final SecretKey secretKey,
- final byte[] iv,
- final byte[] plainText,
- final byte[] authData)
- throws JOSEException {
-
- // Initialise AES/GCM cipher for encryption
- GCMBlockCipher cipher = createAESGCMCipher(secretKey, true, iv, authData);
-
-
- // Prepare output buffer
- int outputLength = cipher.getOutputSize(plainText.length);
- byte[] output = new byte[outputLength];
-
-
- // Produce cipher text
- int outputOffset = cipher.processBytes(plainText, 0, plainText.length, output, 0);
-
-
- // Produce authentication tag
- try {
- outputOffset += cipher.doFinal(output, outputOffset);
-
- } catch (InvalidCipherTextException e) {
-
- throw new JOSEException("Couldn't generate GCM authentication tag: " + e.getMessage(), e);
- }
-
- // Split output into cipher text and authentication tag
- int authTagLength = AUTH_TAG_BIT_LENGTH / 8;
-
- byte[] cipherText = new byte[outputOffset - authTagLength];
- byte[] authTag = new byte[authTagLength];
-
- System.arraycopy(output, 0, cipherText, 0, cipherText.length);
- System.arraycopy(output, outputOffset - authTagLength, authTag, 0, authTag.length);
-
- return new AuthenticatedCipherText(cipherText, authTag);
- }
-
-
- /**
- * Decrypts the specified cipher text using AES/GCM/NoPadding.
- *
- * @param secretKey The AES key. Must not be {@code null}.
- * @param iv The initialisation vector (IV). Must not be
- * {@code null}.
- * @param cipherText The cipher text. Must not be {@code null}.
- * @param authData The authenticated data. Must not be {@code null}.
- * @param authTag The authentication tag. Must not be {@code null}.
- *
- * @return The decrypted plain text.
- *
- * @throws JOSEException If decryption failed.
- */
- public static byte[] decrypt(final SecretKey secretKey,
- final byte[] iv,
- final byte[] cipherText,
- final byte[] authData,
- final byte[] authTag)
- throws JOSEException {
-
- // Initialise AES/GCM cipher for decryption
- GCMBlockCipher cipher = createAESGCMCipher(secretKey, false, iv, authData);
-
-
- // Join cipher text and authentication tag to produce cipher input
- byte[] input = new byte[cipherText.length + authTag.length];
-
- System.arraycopy(cipherText, 0, input, 0, cipherText.length);
- System.arraycopy(authTag, 0, input, cipherText.length, authTag.length);
-
- int outputLength = cipher.getOutputSize(input.length);
-
- byte[] output = new byte[outputLength];
-
-
- // Decrypt
- int outputOffset = cipher.processBytes(input, 0, input.length, output, 0);
-
- // Validate authentication tag
- try {
- outputOffset += cipher.doFinal(output, outputOffset);
-
- } catch (InvalidCipherTextException e) {
-
- throw new JOSEException("Couldn't validate GCM authentication tag: " + e.getMessage(), e);
- }
-
- return output;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private LegacyAESGCM() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyConcatKDF.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyConcatKDF.java
deleted file mode 100644
index 792c7c1d..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/LegacyConcatKDF.java
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.IntegerUtils;
-import com.nimbusds.jose.util.StandardCharset;
-
-
-/**
- * Legacy implementation of a Concatenation Key Derivation Function (KDF) for
- * use by the deprecated {@code A128CBC+HS256} and {@code A256CBC+HS512}
- * encryption methods. Provides static methods for deriving the Content
- * Encryption Key (CEK) and the Content Integrity Key (CIK) from a Content
- * Master Key (CMKs).
- *
- * See draft-ietf-jose-json-web-encryption-08, appendices A.4 and A.5.
- *
- *
See NIST.800-56A.
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-01-04
- */
-public class LegacyConcatKDF {
-
-
- /**
- * The four byte array (32-byte) representation of 1.
- */
- private static final byte[] ONE_BYTES = { (byte)0, (byte)0, (byte)0, (byte)1 };
-
-
- /**
- * The four byte array (32-bit) representation of 0.
- */
- private static final byte[] ZERO_BYTES = { (byte)0, (byte)0, (byte)0, (byte)0 };
-
-
- /**
- * The byte array representation of the string "Encryption".
- */
- private static final byte[] ENCRYPTION_BYTES = {
-
- (byte)69, (byte)110, (byte)99, (byte)114, (byte)121, (byte)112, (byte)116, (byte)105, (byte)111, (byte)110
- };
-
-
- /**
- * The byte array representation of the string "Integrity".
- */
- private static final byte[] INTEGRITY_BYTES = {
-
- (byte)73, (byte)110, (byte)116, (byte)101, (byte)103, (byte)114, (byte)105, (byte)116, (byte)121
- };
-
-
- /**
- * Generates a Content Encryption Key (CEK) from the specified
- * Content Master Key (CMK) and JOSE encryption method.
- *
- * @param key The Content Master Key (CMK). Must not be {@code null}.
- * @param enc The JOSE encryption method. Must not be {@code null}.
- * @param epu The value of the encryption PartyUInfo header parameter,
- * {@code null} if not specified.
- * @param epv The value of the encryption PartyVInfo header parameter,
- * {@code null} if not specified.
- *
- * @return The generated AES CEK.
- *
- * @throws JOSEException If CEK generation failed.
- */
- public static SecretKey generateCEK(final SecretKey key,
- final EncryptionMethod enc,
- final byte[] epu,
- final byte[] epv)
- throws JOSEException {
-
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
- int hashBitLength;
-
- try {
- // Write [0, 0, 0, 1]
- baos.write(ONE_BYTES);
-
- // Append CMK
- byte[] cmkBytes = key.getEncoded();
- baos.write(cmkBytes);
-
- // Append [CEK-bit-length...]
- final int cmkBitLength = cmkBytes.length * 8;
- hashBitLength = cmkBitLength;
- final int cekBitLength = cmkBitLength / 2;
- byte[] cekBitLengthBytes = IntegerUtils.toBytes(cekBitLength);
- baos.write(cekBitLengthBytes);
-
- // Append the encryption method value, e.g. "A128CBC+HS256"
- byte[] encBytes = enc.toString().getBytes(StandardCharset.UTF_8);
- baos.write(encBytes);
-
- // Append encryption PartyUInfo=Datalen || Data
- if (epu != null) {
-
- baos.write(IntegerUtils.toBytes(epu.length));
- baos.write(epu);
-
- } else {
- baos.write(ZERO_BYTES);
- }
-
- // Append encryption PartyVInfo=Datalen || Data
- if (epv != null) {
-
- baos.write(IntegerUtils.toBytes(epv.length));
- baos.write(epv);
-
- } else {
- baos.write(ZERO_BYTES);
- }
-
- // Append "Encryption" label
- baos.write(ENCRYPTION_BYTES);
-
- } catch (IOException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- // Write out
- byte[] hashInput = baos.toByteArray();
-
- MessageDigest md;
-
- try {
- // SHA-256 or SHA-512
- md = MessageDigest.getInstance("SHA-" + hashBitLength);
-
- } catch (NoSuchAlgorithmException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- byte[] hashOutput = md.digest(hashInput);
-
- byte[] cekBytes = new byte[hashOutput.length / 2];
- System.arraycopy(hashOutput, 0, cekBytes, 0, cekBytes.length);
-
- return new SecretKeySpec(cekBytes, "AES");
- }
-
-
- /**
- * Generates a Content Integrity Key (CIK) from the specified
- * Content Master Key (CMK) and JOSE encryption method.
- *
- * @param key The Content Master Key (CMK). Must not be {@code null}.
- * @param enc The JOSE encryption method. Must not be {@code null}.
- * @param epu The value of the encryption PartyUInfo header parameter,
- * {@code null} if not specified.
- * @param epv The value of the encryption PartyVInfo header parameter,
- * {@code null} if not specified.
- *
- * @return The generated HMAC SHA CIK.
- *
- * @throws JOSEException If CIK generation failed.
- */
- public static SecretKey generateCIK(final SecretKey key,
- final EncryptionMethod enc,
- final byte[] epu,
- final byte[] epv)
- throws JOSEException {
-
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
- int hashBitLength;
- int cikBitLength;
-
- try {
- // Write [0, 0, 0, 1]
- baos.write(ONE_BYTES);
-
- // Append CMK
- byte[] cmkBytes = key.getEncoded();
- baos.write(cmkBytes);
-
- // Append [CIK-bit-length...]
- final int cmkBitLength = cmkBytes.length * 8;
- hashBitLength = cmkBitLength;
- cikBitLength = cmkBitLength;
- byte[] cikBitLengthBytes = IntegerUtils.toBytes(cikBitLength);
- baos.write(cikBitLengthBytes);
-
- // Append the encryption method value, e.g. "A128CBC+HS256"
- byte[] encBytes = enc.toString().getBytes(StandardCharset.UTF_8);
- baos.write(encBytes);
-
- // Append encryption PartyUInfo=Datalen || Data
- if (epu != null) {
-
- baos.write(IntegerUtils.toBytes(epu.length));
- baos.write(epu);
-
- } else {
- baos.write(ZERO_BYTES);
- }
-
- // Append encryption PartyVInfo=Datalen || Data
- if (epv != null) {
-
- baos.write(IntegerUtils.toBytes(epv.length));
- baos.write(epv);
-
- } else {
- baos.write(ZERO_BYTES);
- }
-
- // Append "Encryption" label
- baos.write(INTEGRITY_BYTES);
-
- } catch (IOException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- // Write out
- byte[] hashInput = baos.toByteArray();
-
- MessageDigest md;
-
- try {
- // SHA-256 or SHA-512
- md = MessageDigest.getInstance("SHA-" + hashBitLength);
-
- } catch (NoSuchAlgorithmException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- // HMACSHA256 or HMACSHA512
- return new SecretKeySpec(md.digest(hashInput), "HMACSHA" + cikBitLength);
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private LegacyConcatKDF() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/MACProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/MACProvider.java
deleted file mode 100644
index c61c38a7..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/MACProvider.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.KeyLengthException;
-import com.nimbusds.jose.util.StandardCharset;
-
-
-/**
- * The base abstract class for Message Authentication Code (MAC) signers and
- * verifiers of {@link com.nimbusds.jose.JWSObject JWS objects}.
- *
- *
Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#HS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#HS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-27
- */
-public abstract class MACProvider extends BaseJWSProvider {
-
-
- /**
- * The supported JWS algorithms by the MAC provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWSAlgorithm.HS256);
- algs.add(JWSAlgorithm.HS384);
- algs.add(JWSAlgorithm.HS512);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * Gets the matching Java Cryptography Architecture (JCA) algorithm
- * name for the specified HMAC-based JSON Web Algorithm (JWA).
- *
- * @param alg The JSON Web Algorithm (JWA). Must be supported and not
- * {@code null}.
- *
- * @return The matching JCA algorithm name.
- *
- * @throws JOSEException If the algorithm is not supported.
- */
- protected static String getJCAAlgorithmName(final JWSAlgorithm alg)
- throws JOSEException {
-
- if (alg.equals(JWSAlgorithm.HS256)) {
- return "HMACSHA256";
- } else if (alg.equals(JWSAlgorithm.HS384)) {
- return "HMACSHA384";
- } else if (alg.equals(JWSAlgorithm.HS512)) {
- return "HMACSHA512";
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(
- alg,
- SUPPORTED_ALGORITHMS));
- }
- }
-
-
- /**
- * The secret.
- */
- private final byte[] secret;
-
-
- /**
- * Creates a new Message Authentication (MAC) provider.
- *
- * @param secret The secret. Must be at least 256 bits long and
- * not {@code null}.
- * @param supportedAlgs The supported HMAC algorithms. Must not be
- * {@code null}.
- *
- * @throws KeyLengthException If the secret length is shorter than the
- * minimum 256-bit requirement.
- */
- protected MACProvider(final byte[] secret,
- final Set supportedAlgs)
- throws KeyLengthException {
-
- super(supportedAlgs);
-
- if (secret.length < 256 / 8) {
- throw new KeyLengthException("The secret length must be at least 256 bits");
- }
-
- this.secret = secret;
- }
-
-
- /**
- * Gets the secret key.
- *
- * @return The secret key.
- */
- public SecretKey getSecretKey() {
-
- return new SecretKeySpec(secret, "MAC");
- }
-
-
- /**
- * Gets the secret bytes.
- *
- * @return The secret bytes.
- */
- public byte[] getSecret() {
-
- return secret;
- }
-
-
- /**
- * Gets the secret as a UTF-8 encoded string.
- *
- * @return The secret as a UTF-8 encoded string.
- */
- public String getSecretString() {
-
- return new String(secret, StandardCharset.UTF_8);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PBKDF2.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PBKDF2.java
deleted file mode 100644
index b5076e00..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PBKDF2.java
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.util.ByteUtils;
-import com.nimbusds.jose.util.IntegerUtils;
-import com.nimbusds.jose.util.StandardCharset;
-
-
-/**
- * Password-Based Key Derivation Function 2 (PBKDF2) utilities. Provides static
- * methods to generate Key Encryption Keys (KEK) from passwords. Adopted from
- * jose4j by Brian Campbell.
- *
- * @author Brian Campbell
- * @author Yavor Vassilev
- * @version 2016-07-26
- */
-public class PBKDF2 {
-
-
- /**
- * Zero byte array of length one.
- */
- public static byte[] ZERO_BYTE = { 0 };
-
-
- /**
- * Formats the specified cryptographic salt for use in PBKDF2.
- *
- *
- * UTF8(JWE-alg) || 0x00 || Salt Input
- *
- *
- * @param alg The JWE algorithm. Must not be {@code null}.
- * @param salt The cryptographic salt. Must not be empty or null.
- *
- * @return The formatted salt for use in PBKDF2.
- */
- public static byte[] formatSalt(final JWEAlgorithm alg, final byte[] salt)
- throws JOSEException {
-
- byte[] algBytes = alg.toString().getBytes(StandardCharset.UTF_8);
-
- ByteArrayOutputStream out = new ByteArrayOutputStream();
-
- try {
- out.write(algBytes);
- out.write(ZERO_BYTE);
- out.write(salt);
-
- } catch (IOException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
-
- return out.toByteArray();
- }
-
-
- /**
- * Derives a PBKDF2 key from the specified password and parameters.
- *
- * @param password The password. Must not be {@code null}.
- * @param formattedSalt The formatted cryptographic salt. Must not be
- * {@code null}.
- * @param iterationCount The iteration count. Must be positive.
- * @param prfParams The Pseudo-Random Function (PRF) parameters.
- * Must not be {@code null}.
- *
- * @return The derived secret key (with "AES" algorithm).
- *
- * @throws JOSEException If the key derivation failed.
- */
- public static SecretKey deriveKey(final byte[] password,
- final byte[] formattedSalt,
- final int iterationCount,
- final PRFParams prfParams)
- throws JOSEException {
-
- SecretKey macKey = new SecretKeySpec(password, prfParams.getMACAlgorithm());
-
- Mac prf = HMAC.getInitMac(macKey, prfParams.getMacProvider());
-
- int hLen = prf.getMacLength();
-
- // 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
- // stop.
- long maxDerivedKeyLength = 4294967295L; // value of (long) Math.pow(2, 32) - 1;
- if (prfParams.getDerivedKeyByteLength() > maxDerivedKeyLength) {
- throw new JOSEException("derived key too long " + prfParams.getDerivedKeyByteLength());
- }
-
- // 2. Let l be the number of hLen-octet blocks in the derived key,
- // rounding up, and let r be the number of octets in the last
- // block:
- //
- // l = CEIL (dkLen / hLen) ,
- // r = dkLen - (l - 1) * hLen .
- //
- // Here, CEIL (x) is the "ceiling" function, i.e. the smallest
- // integer greater than, or equal to, x.
- int l = (int) Math.ceil((double) prfParams.getDerivedKeyByteLength() / (double) hLen);
- int r = prfParams.getDerivedKeyByteLength() - (l - 1) * hLen;
-
- // 3. For each block of the derived key apply the function F defined
- // below to the password P, the salt S, the iteration count c, and
- // the block index to compute the block:
- //
- // T_1 = F (P, S, c, 1) ,
- // T_2 = F (P, S, c, 2) ,
- // ...
- // T_l = F (P, S, c, l) ,
- //
- // where the function F is defined as the exclusive-or sum of the
- // first c iterates of the underlying pseudorandom function PRF
- // applied to the password P and the concatenation of the salt S
- // and the block index i:
- //
- // F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
- //
- // where
- //
- // U_1 = PRF (P, S || INT (i)) ,
- // U_2 = PRF (P, U_1) ,
- // ...
- // U_c = PRF (P, U_{c-1}) .
- //
- // Here, INT (i) is a four-octet encoding of the integer i, most
- // significant octet first.
-
- // 4. Concatenate the blocks and extract the first dkLen octets to
- // produce a derived key DK:
- //
- // DK = T_1 || T_2 || ... || T_l<0..r-1>
- //
- ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
- for (int i = 0; i < l; i++) {
- byte[] block = extractBlock(formattedSalt, iterationCount, i + 1, prf);
- if (i == (l - 1)) {
- block = ByteUtils.subArray(block, 0, r);
- }
- byteArrayOutputStream.write(block, 0, block.length);
- }
-
- // 5. Output the derived key DK.
- return new SecretKeySpec(byteArrayOutputStream.toByteArray(), "AES");
- }
-
-
- /**
- * Block extraction iteration.
- *
- * @param salt The cryptographic salt. Must not be
- * {@code null}.
- * @param iterationCount The iteration count.
- * @param blockIndex The block index.
- * @param prf The pseudo-random function (HMAC). Must not be
- * {@code null.
- *
- * @return The block.
- */
- private static byte[] extractBlock(byte[] salt, int iterationCount, int blockIndex, Mac prf) {
-
- byte[] currentU;
- byte[] lastU = null;
- byte[] xorU = null;
-
- for (int i = 1; i <= iterationCount; i++)
- {
- byte[] inputBytes;
- if (i == 1)
- {
- inputBytes = ByteUtils.concat(salt, IntegerUtils.toBytes(blockIndex));
- currentU = prf.doFinal(inputBytes);
- xorU = currentU;
- }
- else
- {
- currentU = prf.doFinal(lastU);
- for (int j = 0; j < currentU.length; j++)
- {
- xorU[j] = (byte) (currentU[j] ^ xorU[j]);
- }
- }
-
- lastU = currentU;
- }
- return xorU;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private PBKDF2() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PRFParams.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PRFParams.java
deleted file mode 100644
index b7954266..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PRFParams.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.Provider;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWEAlgorithm;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * Pseudo-Random Function (PRF) parameters, intended for use in the Password-
- * Based Key Derivation Function 2 (PBKDF2).
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-26
- */
-@Immutable
-public final class PRFParams {
-
-
- /**
- * The JCA MAC algorithm name.
- */
- private final String jcaMacAlg;
-
-
- /**
- * The JCA MAC provider, {@code null} to use the default one.
- */
- private final Provider macProvider;
-
-
- /**
- * The byte length of the key to derive.
- */
- private final int dkLen;
-
-
- /**
- * Creates a new pseudo-random function parameters instance.
- *
- * @param jcaMacAlg The JCA MAC algorithm name. Must not be
- * {@code null}.
- * @param macProvider The JCA MAC provider, {@code null} to use the
- * default one.
- * @param dkLen The byte length of the key to derive.
-
- */
- public PRFParams(String jcaMacAlg, Provider macProvider, int dkLen) {
- this.jcaMacAlg = jcaMacAlg;
- this.macProvider = macProvider;
- this.dkLen = dkLen;
- }
-
-
- /**
- * Returns the JCA MAC algorithm name.
- *
- * @return The JCA MAC algorithm name.
- */
- public String getMACAlgorithm() {
-
- return jcaMacAlg;
- }
-
-
- /**
- * Returns the JCA MAC provider.
- *
- * @return The JCA MAC provider, {@code null} to use the default one.
- */
- public Provider getMacProvider() {
-
- return macProvider;
- }
-
-
- /**
- * Returns the byte length of the key to derive.
- *
- * @return The byte length of the key to derive.
- */
- public int getDerivedKeyByteLength() {
-
- return dkLen;
- }
-
-
- /**
- * Resolves the Pseudo-Random Function (PRF) parameters for the
- * specified PBES2 JWE algorithm.
- *
- * @param alg The JWE algorithm. Must be supported and not
- * {@code null}.
- * @param macProvider The specific MAC JCA provider, {@code null} to
- * use the default one.
- *
- * @return The PRF parameters.
- *
- * @throws JOSEException If the JWE algorithm is not supported.
- */
- public static PRFParams resolve(final JWEAlgorithm alg,
- final Provider macProvider)
- throws JOSEException {
-
- final String jcaMagAlg;
- final int dkLen;
-
- if (JWEAlgorithm.PBES2_HS256_A128KW.equals(alg)) {
- jcaMagAlg = "HmacSHA256";
- dkLen = 16;
- } else if (JWEAlgorithm.PBES2_HS384_A192KW.equals(alg)) {
- jcaMagAlg = "HmacSHA384";
- dkLen = 24;
- } else if (JWEAlgorithm.PBES2_HS512_A256KW.equals(alg)) {
- jcaMagAlg = "HmacSHA512";
- dkLen = 32;
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(
- alg,
- PasswordBasedCryptoProvider.SUPPORTED_ALGORITHMS));
- }
-
- return new PRFParams(jcaMagAlg, macProvider, dkLen);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PasswordBasedCryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PasswordBasedCryptoProvider.java
deleted file mode 100644
index 42977de4..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/PasswordBasedCryptoProvider.java
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.util.StandardCharset;
-
-
-/**
- * The base abstract class for password-based encrypters and decrypters of
- * {@link com.nimbusds.jose.JWEObject JWE objects}.
- *
- * Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS256_A128KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS384_A192KW}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#PBES2_HS512_A256KW}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2016-07-26
- */
-public abstract class PasswordBasedCryptoProvider extends BaseJWEProvider {
-
-
- /**
- * The supported JWE algorithms by the password-based crypto provider
- * class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods by the password-base crypto
- * provider class.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWEAlgorithm.PBES2_HS256_A128KW);
- algs.add(JWEAlgorithm.PBES2_HS384_A192KW);
- algs.add(JWEAlgorithm.PBES2_HS512_A256KW);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * The password.
- */
- private final byte[] password;
-
-
- /**
- * Creates a new password-based encryption / decryption provider.
- *
- * @param password The password bytes. Must not be empty or
- * {@code null}.
- */
- protected PasswordBasedCryptoProvider(final byte[] password) {
-
- super(SUPPORTED_ALGORITHMS, ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
-
- if (password == null || password.length == 0) {
- throw new IllegalArgumentException("The password must not be null or empty");
- }
-
- this.password = password;
- }
-
-
- /**
- * Returns the password.
- *
- * @return The password bytes.
- */
- public byte[] getPassword() {
-
- return password;
- }
-
-
- /**
- * Returns the password.
- *
- * @return The password as a UTF-8 encoded string.
- */
- public String getPasswordString() {
-
- return new String(password, StandardCharset.UTF_8);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA1_5.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA1_5.java
deleted file mode 100644
index 4d842162..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA1_5.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.interfaces.RSAPublicKey;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.ByteUtils;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * RSAES-PKCS1-V1_5 methods for Content Encryption Key (CEK) encryption and
- * decryption. This class is thread-safe.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-06-01
- */
-@ThreadSafe
-public class RSA1_5 {
-
-
- /**
- * Encrypts the specified Content Encryption Key (CEK).
- *
- * @param pub The public RSA key. Must not be {@code null}.
- * @param cek The Content Encryption Key (CEK) to encrypt. Must
- * not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- *
- * @return The encrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If encryption failed.
- */
- public static byte[] encryptCEK(final RSAPublicKey pub, final SecretKey cek, Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher = CipherHelper.getInstance("RSA/ECB/PKCS1Padding", provider);
- cipher.init(Cipher.ENCRYPT_MODE, pub);
- return cipher.doFinal(cek.getEncoded());
-
- } catch (IllegalBlockSizeException e) {
- throw new JOSEException("RSA block size exception: The RSA key is too short, try a longer one", e);
- } catch (Exception e) {
- // java.security.NoSuchAlgorithmException
- // java.security.InvalidKeyException
- throw new JOSEException("Couldn't encrypt Content Encryption Key (CEK): " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Decrypts the specified encrypted Content Encryption Key (CEK).
- *
- * @param priv The private RSA key. Must not be {@code null}.
- * @param encryptedCEK The encrypted Content Encryption Key (CEK) to
- * decrypt. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The decrypted Content Encryption Key (CEK), {@code null} if
- * there was a CEK key length mismatch.
- *
- * @throws JOSEException If decryption failed.
- */
- public static SecretKey decryptCEK(final PrivateKey priv,
- final byte[] encryptedCEK,
- final int keyLength,
- final Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher = CipherHelper.getInstance("RSA/ECB/PKCS1Padding", provider);
- cipher.init(Cipher.DECRYPT_MODE, priv);
- byte[] secretKeyBytes = cipher.doFinal(encryptedCEK);
-
- if (ByteUtils.safeBitLength(secretKeyBytes) != keyLength) {
- // CEK key length mismatch
- return null;
- }
-
- return new SecretKeySpec(secretKeyBytes, "AES");
-
- } catch (Exception e) {
-
- // java.security.NoSuchAlgorithmException
- // java.security.InvalidKeyException
- // javax.crypto.IllegalBlockSizeException
- // javax.crypto.BadPaddingException
- throw new JOSEException("Couldn't decrypt Content Encryption Key (CEK): " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private RSA1_5() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSACryptoProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSACryptoProvider.java
deleted file mode 100644
index a1c86f82..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSACryptoProvider.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-
-
-/**
- * The base abstract class for RSA encrypters and decrypters of
- * {@link com.nimbusds.jose.JWEObject JWE objects}.
- *
- * Supports the following key management algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWEAlgorithm#RSA1_5}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP}
- *
- {@link com.nimbusds.jose.JWEAlgorithm#RSA_OAEP_256}
- *
- *
- * Supports the following content encryption algorithms:
- *
- *
- * - {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A192GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256GCM}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED}
- *
- {@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED}
- *
- *
- * @author David Ortiz
- * @author Vladimir Dzhuvinov
- * @version 2015-05-26
- */
-public abstract class RSACryptoProvider extends BaseJWEProvider {
-
-
- /**
- * The supported JWE algorithms by the RSA crypto provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- /**
- * The supported encryption methods by the RSA crypto provider class.
- */
- public static final Set SUPPORTED_ENCRYPTION_METHODS = ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWEAlgorithm.RSA1_5);
- algs.add(JWEAlgorithm.RSA_OAEP);
- algs.add(JWEAlgorithm.RSA_OAEP_256);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * Creates a new RSA encryption / decryption provider.
- */
- protected RSACryptoProvider() {
-
- super(SUPPORTED_ALGORITHMS, ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSAKeyUtils.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSAKeyUtils.java
deleted file mode 100644
index 08c314ec..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSAKeyUtils.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.RSAKey;
-
-
-/**
- * RSA JWK conversion utility.
- */
-public class RSAKeyUtils {
-
-
- /**
- * Returns the private RSA key of the specified RSA JWK. Supports
- * PKCS#11 keys stores.
- *
- * @param rsaJWK The RSA JWK. Must not be {@code null}.
- *
- * @return The private RSA key.
- *
- * @throws JOSEException If the RSA JWK doesn't contain a private part.
- */
- public static PrivateKey toRSAPrivateKey(final RSAKey rsaJWK)
- throws JOSEException {
-
- if (! rsaJWK.isPrivate()) {
- throw new JOSEException("The RSA JWK doesn't contain a private part");
- }
-
- return rsaJWK.toPrivateKey();
- }
-
-
- /**
- * Returns the length in bits of the specified RSA private key.
- *
- * @param privateKey The RSA private key. Must not be {@code null}.
- *
- * @return The key length in bits, -1 if the length couldn't be
- * determined, e.g. for a PKCS#11 backed key which doesn't
- * expose an RSAPrivateKey interface or support the
- * {@code getModulus()} method.
- */
- public static int keyBitLength(final PrivateKey privateKey) {
-
- if (! (privateKey instanceof RSAPrivateKey)) {
- return -1; // May be an PKCS#11 backed key
- }
-
- RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
-
- try {
- return rsaPrivateKey.getModulus().bitLength();
- } catch (Exception e) {
- // Some PKCS#11 backed keys still have the
- // RSAPrivateKey interface, but will throw an exception
- // here
- return -1;
- }
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSA.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSA.java
deleted file mode 100644
index 4741d6c4..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSA.java
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.InvalidAlgorithmParameterException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Signature;
-import java.security.spec.MGF1ParameterSpec;
-import java.security.spec.PSSParameterSpec;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-
-
-/**
- * RSA-SSA functions and utilities.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-31
- */
-public class RSASSA {
-
-
- /**
- * Returns a signer and verifier for the specified RSASSA-based JSON
- * Web Algorithm (JWA).
- *
- * @param alg The JSON Web Algorithm (JWA). Must be supported and not
- * {@code null}.
- *
- * @return A signer and verifier instance.
- *
- * @throws JOSEException If the algorithm is not supported.
- */
- public static Signature getSignerAndVerifier(final JWSAlgorithm alg,
- final Provider provider)
- throws JOSEException {
-
- // The JCE crypto provider uses different alg names
-
- final String jcaAlg;
-
- PSSParameterSpec pssSpec = null;
-
- if (alg.equals(JWSAlgorithm.RS256)) {
- jcaAlg = "SHA256withRSA";
- } else if (alg.equals(JWSAlgorithm.RS384)) {
- jcaAlg = "SHA384withRSA";
- } else if (alg.equals(JWSAlgorithm.RS512)) {
- jcaAlg = "SHA512withRSA";
- } else if (alg.equals(JWSAlgorithm.PS256)) {
- jcaAlg = "SHA256withRSAandMGF1";
- // JWA mandates salt length must equal hash
- pssSpec = new PSSParameterSpec("SHA256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
- } else if (alg.equals(JWSAlgorithm.PS384)) {
- jcaAlg = "SHA384withRSAandMGF1";
- // JWA mandates salt length must equal hash
- pssSpec = new PSSParameterSpec("SHA384", "MGF1", MGF1ParameterSpec.SHA384, 48, 1);
- } else if (alg.equals(JWSAlgorithm.PS512)) {
- jcaAlg = "SHA512withRSAandMGF1";
- // JWA mandates salt length must equal hash
- pssSpec = new PSSParameterSpec("SHA512", "MGF1", MGF1ParameterSpec.SHA512, 64, 1);
- } else {
- throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(alg, RSASSAProvider.SUPPORTED_ALGORITHMS));
- }
-
- final Signature signature;
- try {
- if (provider != null) {
- signature = Signature.getInstance(jcaAlg, provider);
- } else {
- signature = Signature.getInstance(jcaAlg);
- }
- } catch (NoSuchAlgorithmException e) {
- throw new JOSEException("Unsupported RSASSA algorithm: " + e.getMessage(), e);
- }
-
-
- if (pssSpec != null) {
- try {
- signature.setParameter(pssSpec);
- } catch (InvalidAlgorithmParameterException e) {
- throw new JOSEException("Invalid RSASSA-PSS salt length parameter: " + e.getMessage(), e);
- }
- }
-
- return signature;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private RSASSA() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSAProvider.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSAProvider.java
deleted file mode 100644
index 5d777099..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSASSAProvider.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.util.Collections;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import com.nimbusds.jose.JWSAlgorithm;
-
-
-/**
- * The base abstract class for RSA signers and verifiers of {@link
- * com.nimbusds.jose.JWSObject JWS objects}.
- *
- * Supports the following algorithms:
- *
- *
- * - {@link com.nimbusds.jose.JWSAlgorithm#RS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#RS512}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS256}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS384}
- *
- {@link com.nimbusds.jose.JWSAlgorithm#PS512}
- *
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-05-31
- */
-public abstract class RSASSAProvider extends BaseJWSProvider {
-
-
- /**
- * The supported JWS algorithms by the RSA-SSA provider class.
- */
- public static final Set SUPPORTED_ALGORITHMS;
-
-
- static {
- Set algs = new LinkedHashSet<>();
- algs.add(JWSAlgorithm.RS256);
- algs.add(JWSAlgorithm.RS384);
- algs.add(JWSAlgorithm.RS512);
- algs.add(JWSAlgorithm.PS256);
- algs.add(JWSAlgorithm.PS384);
- algs.add(JWSAlgorithm.PS512);
- SUPPORTED_ALGORITHMS = Collections.unmodifiableSet(algs);
- }
-
-
- /**
- * Creates a new RSASSA provider.
- */
- protected RSASSAProvider() {
-
- super(SUPPORTED_ALGORITHMS);
- }
-}
-
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP.java
deleted file mode 100644
index a1bb54a0..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.SecureRandom;
-import java.security.interfaces.RSAPublicKey;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * RSAES OAEP methods for Content Encryption Key (CEK) encryption and
- * decryption. Uses the BouncyCastle.org provider. This class is thread-safe
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-11-27
- */
-@ThreadSafe
-public class RSA_OAEP {
-
-
- /**
- * The JCA algorithm name for RSA-OAEP.
- */
- private static final String RSA_OEAP_JCA_ALG = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
-
-
- /**
- * Encrypts the specified Content Encryption Key (CEK).
- *
- * @param pub The public RSA key. Must not be {@code null}.
- * @param cek The Content Encryption Key (CEK) to encrypt. Must
- * not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- *
- * @return The encrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If encryption failed.
- */
- public static byte[] encryptCEK(final RSAPublicKey pub, final SecretKey cek, final Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher = CipherHelper.getInstance(RSA_OEAP_JCA_ALG, provider);
- cipher.init(Cipher.ENCRYPT_MODE, pub, new SecureRandom());
- return cipher.doFinal(cek.getEncoded());
-
- } catch (IllegalBlockSizeException e) {
- throw new JOSEException("RSA block size exception: The RSA key is too short, try a longer one", e);
- } catch (Exception e) {
- // java.security.NoSuchAlgorithmException
- // java.security.NoSuchPaddingException
- // java.security.InvalidKeyException
- // javax.crypto.BadPaddingException
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Decrypts the specified encrypted Content Encryption Key (CEK).
- *
- * @param priv The private RSA key. Must not be {@code null}.
- * @param encryptedCEK The encrypted Content Encryption Key (CEK) to
- * decrypt. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The decrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If decryption failed.
- */
- public static SecretKey decryptCEK(final PrivateKey priv,
- final byte[] encryptedCEK, final Provider provider)
- throws JOSEException {
-
- try {
- Cipher cipher = CipherHelper.getInstance(RSA_OEAP_JCA_ALG, provider);
- cipher.init(Cipher.DECRYPT_MODE, priv);
- return new SecretKeySpec(cipher.doFinal(encryptedCEK), "AES");
-
- } catch (Exception e) {
- // java.security.NoSuchAlgorithmException
- // java.security.NoSuchPaddingException
- // java.security.InvalidKeyException
- // javax.crypto.IllegalBlockSizeException
- // javax.crypto.BadPaddingException
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private RSA_OAEP() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP_256.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP_256.java
deleted file mode 100644
index 41934c7f..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/RSA_OAEP_256.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.impl;
-
-
-import java.security.AlgorithmParameters;
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.interfaces.RSAPublicKey;
-import java.security.spec.AlgorithmParameterSpec;
-import java.security.spec.MGF1ParameterSpec;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.nimbusds.jose.JOSEException;
-import net.jcip.annotations.ThreadSafe;
-
-
-/**
- * RSAES OAEP (SHA-256) methods for Content Encryption Key (CEK) encryption and
- * decryption. Uses the BouncyCastle.org provider. This class is thread-safe
- *
- * @author Vladimir Dzhuvinov
- * @author Justin Richer
- * @version 2017-11-27
- */
-@ThreadSafe
-public class RSA_OAEP_256 {
-
-
- /**
- * The JCA algorithm name for RSA-OAEP-256.
- */
- private static final String RSA_OEAP_256_JCA_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
-
-
- /**
- * Encrypts the specified Content Encryption Key (CEK).
- *
- * @param pub The public RSA key. Must not be {@code null}.
- * @param cek The Content Encryption Key (CEK) to encrypt. Must
- * not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the default
- * one.
- *
- * @return The encrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If encryption failed.
- */
- public static byte[] encryptCEK(final RSAPublicKey pub, final SecretKey cek, final Provider provider)
- throws JOSEException {
-
- try {
- AlgorithmParameters algp = AlgorithmParametersHelper.getInstance("OAEP", provider);
- AlgorithmParameterSpec paramSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
- algp.init(paramSpec);
- Cipher cipher = CipherHelper.getInstance(RSA_OEAP_256_JCA_ALG, provider);
- cipher.init(Cipher.ENCRYPT_MODE, pub, algp);
- return cipher.doFinal(cek.getEncoded());
-
- } catch (IllegalBlockSizeException e) {
- throw new JOSEException("RSA block size exception: The RSA key is too short, try a longer one", e);
- } catch (Exception e) {
- // java.security.NoSuchAlgorithmException
- // java.security.NoSuchPaddingException
- // java.security.InvalidKeyException
- // javax.crypto.BadPaddingException
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Decrypts the specified encrypted Content Encryption Key (CEK).
- *
- * @param priv The private RSA key. Must not be {@code null}.
- * @param encryptedCEK The encrypted Content Encryption Key (CEK) to
- * decrypt. Must not be {@code null}.
- * @param provider The JCA provider, or {@code null} to use the
- * default one.
- *
- * @return The decrypted Content Encryption Key (CEK).
- *
- * @throws JOSEException If decryption failed.
- */
- public static SecretKey decryptCEK(final PrivateKey priv,
- final byte[] encryptedCEK, final Provider provider)
- throws JOSEException {
-
- try {
- AlgorithmParameters algp = AlgorithmParametersHelper.getInstance("OAEP", provider);
- AlgorithmParameterSpec paramSpec = new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
- algp.init(paramSpec);
- Cipher cipher = CipherHelper.getInstance(RSA_OEAP_256_JCA_ALG, provider);
- cipher.init(Cipher.DECRYPT_MODE, priv, algp);
- return new SecretKeySpec(cipher.doFinal(encryptedCEK), "AES");
-
- } catch (Exception e) {
- // java.security.NoSuchAlgorithmException
- // java.security.NoSuchPaddingException
- // java.security.InvalidKeyException
- // javax.crypto.IllegalBlockSizeException
- // javax.crypto.BadPaddingException
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private RSA_OAEP_256() { }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/package-info.java
deleted file mode 100644
index d7fbad55..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/impl/package-info.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-/**
- * Cryptographic primitives and framework for the JWS signers / verifiers and
- * JWE encrypters / decrypters in the {@link com.nimbusds.jose.crypto} package.
- */
-package com.nimbusds.jose.crypto.impl;
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/package-info.java
deleted file mode 100644
index c6c14e58..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/package-info.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-/**
- * Implementations of all standard Javascript Object Signing and Encryption
- * (JOSE) algorithms.
- *
- * Provides {@link com.nimbusds.jose.JWSSigner signers} and
- * {@link com.nimbusds.jose.JWSVerifier verifiers} for the following JSON Web
- * Signature (JWS) algorithms:
- *
- *
- * - For HMAC algorithms HS256, HS384 and HS512:
- *
- * - {@link com.nimbusds.jose.crypto.MACSigner}
- *
- {@link com.nimbusds.jose.crypto.MACVerifier}
- *
- * - For RSA-SSA signatures RS256, RS384, RS512, PS256, PS384 and PS512:
- *
- * - {@link com.nimbusds.jose.crypto.RSASSASigner}
- *
- {@link com.nimbusds.jose.crypto.RSASSAVerifier}
- *
- * - For ECDSA signatures ES256, ES384 and ES512:
- *
- * - {@link com.nimbusds.jose.crypto.ECDSASigner}
- *
- {@link com.nimbusds.jose.crypto.ECDSAVerifier}
- *
- * - For EdDSA signatures Ed25519:
- *
- * - {@link com.nimbusds.jose.crypto.Ed25519Signer}
- *
- {@link com.nimbusds.jose.crypto.Ed25519Verifier}
- *
- *
- *
- * Provides {@link com.nimbusds.jose.JWEEncrypter encrypters} and
- * {@link com.nimbusds.jose.JWEDecrypter decrypters} for the following JSON
- * Web Encryption (JWE) algorithms:
- *
- *
- * - For RSA PKCS#1 v1.5 and RSA OAEP:
- *
- * - {@link com.nimbusds.jose.crypto.RSAEncrypter}
- *
- {@link com.nimbusds.jose.crypto.RSADecrypter}
- *
- * - For AES key wrap and AES GCM key encryption:
- *
- * - {@link com.nimbusds.jose.crypto.AESEncrypter}
- *
- {@link com.nimbusds.jose.crypto.AESDecrypter}
- *
- * - For direct encryption (using a shared symmetric key):
- *
- * - {@link com.nimbusds.jose.crypto.DirectEncrypter}
- *
- {@link com.nimbusds.jose.crypto.DirectDecrypter}
- *
- * - For Elliptic Curve Diffie-Hellman (ECDH) encryption:
- *
- * - {@link com.nimbusds.jose.crypto.ECDHEncrypter}
- *
- {@link com.nimbusds.jose.crypto.ECDHDecrypter}
- *
- {@link com.nimbusds.jose.crypto.X25519Encrypter} (for Curve25519 only)
- *
- {@link com.nimbusds.jose.crypto.X25519Decrypter} (for Curve25519 only)
- *
- * - For password-based (PBKDF2) encryption:
- *
- * - {@link com.nimbusds.jose.crypto.PasswordBasedEncrypter}
- *
- {@link com.nimbusds.jose.crypto.PasswordBasedDecrypter}
- *
- *
- *
- * References:
- *
- *
- */
-package com.nimbusds.jose.crypto;
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ConstantTimeUtils.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ConstantTimeUtils.java
deleted file mode 100644
index 51866765..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ConstantTimeUtils.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.utils;
-
-
-/**
- * Array utilities.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-04-26
- */
-public class ConstantTimeUtils {
-
-
- /**
- * Checks the specified arrays for equality in constant time. Intended
- * to mitigate timing attacks.
- *
- * @param a The first array. Must not be {@code null}.
- * @param b The second array. Must not be {@code null}.
- *
- * @return {@code true} if the two arrays are equal, else
- * {@code false}.
- */
- public static boolean areEqual(final byte[] a, final byte[] b) {
-
- // From http://codahale.com/a-lesson-in-timing-attacks/
-
- if (a.length != b.length) {
- return false;
- }
-
- int result = 0;
- for (int i = 0; i < a.length; i++) {
- result |= a[i] ^ b[i];
- }
-
- return result == 0;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private ConstantTimeUtils() { }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ECChecks.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ECChecks.java
deleted file mode 100644
index e2bc2264..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/ECChecks.java
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.crypto.utils;
-
-
-import java.math.BigInteger;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.ECFieldFp;
-import java.security.spec.ECParameterSpec;
-import java.security.spec.ECPoint;
-import java.security.spec.EllipticCurve;
-
-
-/**
- * Elliptic curve checks.
- *
- * @author Vladimir Dzhuvinov
- * @version 2017-04-13
- */
-public class ECChecks {
-
-
- /**
- * Checks if the specified (ephemeral) public key is on the curve of
- * the private key. Intended to prevent an "Invalid Curve Attack",
- * independent from any JCA provider checks (the SUN provider in Java
- * 1.8.0_51+ and BouncyCastle have them, other / older provider do
- * not).
- *
- * See https://www.cs.bris.ac.uk/Research/CryptographySecurity/RWC/2017/nguyen.quan.pdf
- *
- * @param publicKey The public EC key. Must not be {@code null}.
- * @param privateKey The private EC key. Must not be {@code null}.
- *
- * @return {@code true} if public key passed the curve check.
- */
- public static boolean isPointOnCurve(final ECPublicKey publicKey, final ECPrivateKey privateKey) {
-
- return isPointOnCurve(publicKey, privateKey.getParams());
- }
-
-
- /**
- * Checks if the specified (ephemeral) public key is on the given
- * curve. Intended to prevent an "Invalid Curve Attack", independent
- * from any JCA provider checks (the SUN provider in Java 1.8.0_51+ and
- * BouncyCastle have them, other / older provider do not).
- *
- *
See https://www.cs.bris.ac.uk/Research/CryptographySecurity/RWC/2017/nguyen.quan.pdf
- *
- * @param publicKey The public EC key. Must not be {@code null}.
- * @param ecParameterSpec The EC spec. Must not be {@code null}.
- *
- * @return {@code true} if public key passed the curve check.
- */
- public static boolean isPointOnCurve(final ECPublicKey publicKey, final ECParameterSpec ecParameterSpec) {
-
- ECPoint point = publicKey.getW();
- return isPointOnCurve(point.getAffineX(), point.getAffineY(), ecParameterSpec);
- }
-
-
- /**
- * Checks if the specified (ephemeral) public key is on the given
- * curve. Intended to prevent an "Invalid Curve Attack", independent
- * from any JCA provider checks (the SUN provider in Java 1.8.0_51+ and
- * BouncyCastle have them, other / older provider do not).
- *
- *
See https://www.cs.bris.ac.uk/Research/CryptographySecurity/RWC/2017/nguyen.quan.pdf
- *
- * @param x The public EC x coordinate. Must not be
- * {@code null}.
- * @param y The public EC y coordinate. Must not be
- * {@code null}.
- * @param ecParameterSpec The EC spec. Must not be {@code null}.
- *
- * @return {@code true} if public key passed the curve check.
- */
- public static boolean isPointOnCurve(final BigInteger x, final BigInteger y, final ECParameterSpec ecParameterSpec) {
-
- // Ensure the following condition is met:
- // (y^2) mod p = (x^3 + ax + b) mod p
- EllipticCurve curve = ecParameterSpec.getCurve();
- BigInteger a = curve.getA();
- BigInteger b = curve.getB();
- BigInteger p = ((ECFieldFp) curve.getField()).getP();
- BigInteger leftSide = (y.pow(2)).mod(p);
- BigInteger rightSide = (x.pow(3).add(a.multiply(x)).add(b)).mod(p);
-
- return leftSide.equals(rightSide);
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private ECChecks() {}
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/package-info.java
deleted file mode 100644
index d5b3ec66..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/crypto/utils/package-info.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-/**
- * Cryptographic utilities.
- */
-package com.nimbusds.jose.crypto.utils;
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAAware.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAAware.java
deleted file mode 100644
index f2970f51..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAAware.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jca;
-
-
-/**
- * Interface for a Java Cryptography Architecture (JCA) aware object, intended
- * for setting a JCA {@link java.security.Provider provider} and
- * {@link java.security.SecureRandom secure random generator}.
- *
- * @version 2015-06-30
- */
-public interface JCAAware {
-
-
- /**
- * Returns the Java Cryptography Architecture (JCA) context. May be
- * used to set a specific JCA security provider or secure random
- * generator.
- *
- * @return The JCA context. Not {@code null}.
- */
- T getJCAContext();
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAContext.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAContext.java
deleted file mode 100644
index e0722460..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCAContext.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jca;
-
-
-import java.security.Provider;
-import java.security.SecureRandom;
-
-
-/**
- * Java Cryptography Architecture (JCA) context, consisting of a JCA
- * {@link java.security.Provider provider} and
- * {@link java.security.SecureRandom secure random generator}.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-08
- */
-public class JCAContext {
-
-
- /**
- * The JCA provider.
- */
- private Provider provider;
-
-
- /**
- * The secure random generator.
- */
- private SecureRandom randomGen;
-
-
- /**
- * Creates a new default JCA context.
- */
- public JCAContext() {
-
- this(null, null);
- }
-
-
- /**
- * Creates a new JCA context.
- *
- * @param provider The JCA provider, {@code null} to use the default
- * system one.
- * @param randomGen The specific secure random generator, {@code null}
- * to use the default system one.
- */
- public JCAContext(final Provider provider, final SecureRandom randomGen) {
-
- this.provider = provider;
- this.randomGen = randomGen;
- }
-
-
- /**
- * Gets the JCA provider to be used for all operations.
- *
- * @return The JCA provider to be used for all operations where a more
- * specific one is absent, {@code null} implies the default
- * system provider.
- */
- public Provider getProvider() {
-
- return provider;
- }
-
-
- /**
- * Sets the JCA provider to be used for all operations.
- *
- * @param provider The JCA provider to be used for all operations where
- * a more specific one is absent, {@code null} to use
- * the default system provider.
- */
- public void setProvider(final Provider provider) {
-
- this.provider = provider;
- }
-
-
- /**
- * Gets the secure random generator. Intended for generation of
- * initialisation vectors and other purposes that require a secure
- * random generator.
- *
- * @return The specific secure random generator (if available), else
- * the default system one.
- */
- public SecureRandom getSecureRandom() {
-
- return randomGen != null ? randomGen : new SecureRandom();
- }
-
-
- /**
- * Sets a specific secure random generator for the initialisation
- * vector and other purposes requiring a random number.
- *
- * @param randomGen The secure random generator, {@code null} to use
- * the default system one.
- */
- public void setSecureRandom(final SecureRandom randomGen) {
-
- this.randomGen = randomGen;
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCASupport.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCASupport.java
deleted file mode 100644
index 8c91b003..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JCASupport.java
+++ /dev/null
@@ -1,375 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jca;
-
-
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
-import javax.crypto.Cipher;
-import javax.crypto.NoSuchPaddingException;
-
-import com.nimbusds.jose.Algorithm;
-import com.nimbusds.jose.EncryptionMethod;
-import com.nimbusds.jose.JWEAlgorithm;
-import com.nimbusds.jose.JWSAlgorithm;
-
-
-/**
- * Java Cryptography Architecture (JCA) support helper.
- */
-public final class JCASupport {
-
-
- /**
- * Checks if unlimited cryptographic strength is supported. If not
- * download the appropriate jurisdiction policy files for your Java
- * edition:
- *
- * JCE Unlimited Strength Jurisdiction Policy Files for Java 7
- *
- *
JCE Unlimited Strength Jurisdiction Policy Files for Java 8
- *
- * @return {@code true} if unlimited cryptographic strength is
- * supported, {@code false} if not.
- */
- public static boolean isUnlimitedStrength() {
-
- try {
- return Cipher.getMaxAllowedKeyLength("AES") >= 256;
- } catch (NoSuchAlgorithmException e) {
- return false;
- }
- }
-
-
- /**
- * Checks if the specified JOSE algorithm is supported by the default
- * system JCA provider(s).
- *
- * @param alg The JOSE algorithm. Must not be {@code null}.
- *
- * @return {@code true} if the JOSE algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final Algorithm alg) {
-
- if (alg instanceof JWSAlgorithm) {
- return isSupported((JWSAlgorithm)alg);
- }
- if (alg instanceof JWEAlgorithm) {
- return isSupported((JWEAlgorithm)alg);
- }
- if (alg instanceof EncryptionMethod) {
- return isSupported((EncryptionMethod)alg);
- }
- throw new IllegalArgumentException("Unexpected algorithm class: " + alg.getClass().getCanonicalName());
- }
-
-
- /**
- * Checks if a JOSE algorithm is supported by the the specified JCA
- * provider.
- *
- * @param alg The JOSE algorithm. Must not be {@code null}.
- * @param provider The JCA provider. Must not be {@code null}.
- *
- * @return {@code true} if the JOSE algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final Algorithm alg, final Provider provider) {
-
- if (alg instanceof JWSAlgorithm) {
- return isSupported((JWSAlgorithm)alg, provider);
- }
- if (alg instanceof JWEAlgorithm) {
- return isSupported((JWEAlgorithm)alg, provider);
- }
- if (alg instanceof EncryptionMethod) {
- return isSupported((EncryptionMethod)alg, provider);
- }
- throw new IllegalArgumentException("Unexpected algorithm class: " + alg.getClass().getCanonicalName());
- }
-
-
- /**
- * Checks if the specified JWS algorithm is supported by the default
- * system JCA provider(s).
- *
- * @param alg The JWS algorithm. Must not be {@code null}.
- *
- * @return {@code true} if the JWS algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final JWSAlgorithm alg) {
-
- if (alg.getName().equals(Algorithm.NONE.getName())) {
- return true;
- }
-
- for (Provider p: Security.getProviders()) {
-
- if (isSupported(alg, p)) {
- return true;
- }
- }
-
- return false;
- }
-
-
- /**
- * Checks if a JWS algorithm is supported by the the specified JCA
- * provider.
- *
- * @param alg The JWS algorithm. Must not be {@code null}.
- * @param provider The JCA provider. Must not be {@code null}.
- *
- * @return {@code true} if the JWS algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final JWSAlgorithm alg, final Provider provider) {
-
- if (JWSAlgorithm.Family.HMAC_SHA.contains(alg)) {
- String jcaName;
- if (alg.equals(JWSAlgorithm.HS256)) {
- jcaName = "HMACSHA256";
- } else if (alg.equals(JWSAlgorithm.HS384)) {
- jcaName = "HMACSHA384";
- } else if (alg.equals(JWSAlgorithm.HS512)) {
- jcaName = "HMACSHA512";
- } else {
- return false;
- }
- return provider.getService("KeyGenerator", jcaName) != null;
- }
-
- if (JWSAlgorithm.Family.RSA.contains(alg)) {
- String jcaName;
- if (alg.equals(JWSAlgorithm.RS256)) {
- jcaName = "SHA256withRSA";
- } else if (alg.equals(JWSAlgorithm.RS384)) {
- jcaName = "SHA384withRSA";
- } else if (alg.equals(JWSAlgorithm.RS512)) {
- jcaName = "SHA512withRSA";
- } else if (alg.equals(JWSAlgorithm.PS256)) {
- jcaName = "SHA256withRSAandMGF1";
- } else if (alg.equals(JWSAlgorithm.PS384)) {
- jcaName = "SHA384withRSAandMGF1";
- } else if (alg.equals(JWSAlgorithm.PS512)) {
- jcaName = "SHA512withRSAandMGF1";
- } else {
- return false;
- }
- return provider.getService("Signature", jcaName) != null;
- }
-
- if (JWSAlgorithm.Family.EC.contains(alg)) {
- String jcaName;
- if (alg.equals(JWSAlgorithm.ES256)) {
- jcaName = "SHA256withECDSA";
- } else if (alg.equals(JWSAlgorithm.ES384)) {
- jcaName = "SHA384withECDSA";
- } else if (alg.equals(JWSAlgorithm.ES512)) {
- jcaName = "SHA512withECDSA";
- } else {
- return false;
- }
- return provider.getService("Signature", jcaName) != null;
- }
-
- return false;
- }
-
-
- /**
- * Checks if the specified JWE algorithm is supported by the default
- * system JCA provider(s).
- *
- * @param alg The JWE algorithm. Must not be {@code null}.
- *
- * @return {@code true} if the JWE algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final JWEAlgorithm alg) {
-
- for (Provider p: Security.getProviders()) {
-
- if (isSupported(alg, p)) {
- return true;
- }
- }
-
- return false;
- }
-
-
- /**
- * Checks if a JWE algorithm is supported by the the specified JCA
- * provider.
- *
- * @param alg The JWE algorithm. Must not be {@code null}.
- * @param provider The JCA provider. Must not be {@code null}.
- *
- * @return {@code true} if the JWE algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final JWEAlgorithm alg, final Provider provider) {
-
- String jcaName;
-
- if (JWEAlgorithm.Family.RSA.contains(alg)) {
- if (alg.equals(JWEAlgorithm.RSA1_5)) {
- jcaName = "RSA/ECB/PKCS1Padding";
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP)) {
- jcaName = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
- } else if (alg.equals(JWEAlgorithm.RSA_OAEP_256)) {
- jcaName = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
- } else {
- return false;
- }
-
- // Do direct test
- try {
- Cipher.getInstance(jcaName, provider);
- } catch (NoSuchAlgorithmException e) {
- return false;
- } catch (NoSuchPaddingException e) {
- return false;
- }
- return true;
- }
-
- if (JWEAlgorithm.Family.AES_KW.contains(alg)) {
- return provider.getService("Cipher", "AESWrap") != null;
- }
-
- if (JWEAlgorithm.Family.ECDH_ES.contains(alg)) {
- return provider.getService("KeyAgreement", "ECDH") != null;
- }
-
- if (JWEAlgorithm.Family.AES_GCM_KW.contains(alg)) {
- // Do direct test
- try {
- Cipher.getInstance("AES/GCM/NoPadding", provider);
- } catch (NoSuchAlgorithmException e) {
- return false;
- } catch (NoSuchPaddingException e) {
- return false;
- }
- return true;
- }
-
- if (JWEAlgorithm.Family.PBES2.contains(alg)) {
- String hmac;
- if (alg.equals(JWEAlgorithm.PBES2_HS256_A128KW)) {
- hmac = "HmacSHA256";
- } else if (alg.equals(JWEAlgorithm.PBES2_HS384_A192KW)) {
- hmac = "HmacSHA384";
- } else {
- hmac = "HmacSHA512";
- }
- return provider.getService("KeyGenerator", hmac) != null;
- }
-
- if (JWEAlgorithm.DIR.equals(alg)) {
- return true; // Always supported
- }
-
- return false;
- }
-
-
- /**
- * Checks if the specified JWE encryption method is supported by the
- * default system JCA provider(s).
- *
- * @param enc The JWE encryption method. Must not be {@code null}.
- *
- * @return {@code true} if the JWE algorithm is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final EncryptionMethod enc) {
-
- for (Provider p: Security.getProviders()) {
-
- if (isSupported(enc, p)) {
- return true;
- }
- }
-
- return false;
- }
-
-
- /**
- * Checks if a JWE encryption method is supported by the specified
- * JCA provider.
- *
- * @param enc The JWE encryption method. Must not be {@code null}.
- * @param provider The JCA provider. Must not be {@code null}.
- *
- * @return {@code true} if the JWE encryption method is supported, else
- * {@code false}.
- */
- public static boolean isSupported(final EncryptionMethod enc, final Provider provider) {
-
- if (EncryptionMethod.Family.AES_CBC_HMAC_SHA.contains(enc)) {
- // Do direct test
- try {
- Cipher.getInstance("AES/CBC/PKCS5Padding", provider);
- } catch (NoSuchAlgorithmException e) {
- return false;
- } catch (NoSuchPaddingException e) {
- return false;
- }
- // Check hmac
- String hmac;
- if (enc.equals(EncryptionMethod.A128CBC_HS256)) {
- hmac = "HmacSHA256";
- } else if (enc.equals(EncryptionMethod.A192CBC_HS384)) {
- hmac = "HmacSHA384";
- } else {
- hmac = "HmacSHA512";
- }
- return provider.getService("KeyGenerator", hmac) != null;
- }
-
- if (EncryptionMethod.Family.AES_GCM.contains(enc)) {
- // Do direct test
- try {
- Cipher.getInstance("AES/GCM/NoPadding", provider);
- } catch (NoSuchAlgorithmException e) {
- return false;
- } catch (NoSuchPaddingException e) {
- return false;
- }
- return true;
- }
-
- return false;
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private JCASupport() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JWEJCAContext.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JWEJCAContext.java
deleted file mode 100644
index 737c6775..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/JWEJCAContext.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jca;
-
-
-import java.security.Provider;
-import java.security.SecureRandom;
-
-
-/**
- * Java Cryptography Architecture (JCA) context intended specifically for
- * JSON Web Encryption (JWE) providers. Allows setting of more specific JCA
- * providers for key encryption, content encryption and MAC computation.
- *
- * @author Vladimir Dzhuvinov
- * @version 2015-06-08
- */
-public final class JWEJCAContext extends JCAContext {
-
-
- /**
- * The key encryption provider.
- */
- private Provider keProvider;
-
-
- /**
- * The content encryption provider.
- */
- private Provider ceProvider;
-
-
- /**
- * The MAC provider.
- */
- private Provider macProvider;
-
-
- /**
- * Creates a new default JCA context for JWE.
- */
- public JWEJCAContext() {
-
- this(null, null, null, null, null);
- }
-
-
- /**
- * Creates a new JCA context for JWE with the specified JCA providers
- * and secure random generator.
- *
- * @param generalProvider The general JCA provider to be used for all
- * operations where a more specific one is
- * absent, {@code null} to use the default
- * system provider.
- * @param keProvider The specific JCA provider to be used for the
- * key encryption, {@code null} to fall back to
- * the general one, and if that is not specified
- * to the default system provider.
- * @param ceProvider The specific JCA provider to be used for the
- * content encryption, {@code null} to fall back
- * to the general one, and if that is not
- * specified to the default system provider.
- * @param macProvider The specific JCA provider to be used for the
- * MAC computation (where required by the JWE
- * encryption method), {@code null} to fall back
- * to the general one, and if that is not
- * specified to the default system provider.
- * @param randomGen The specific secure random generator for the
- * initialisation vector and other purposes
- * requiring a random number, {@code null} to
- * use the default system one.
- */
- public JWEJCAContext(final Provider generalProvider,
- final Provider keProvider,
- final Provider ceProvider,
- final Provider macProvider,
- final SecureRandom randomGen) {
-
- super(generalProvider, randomGen);
- this.keProvider = keProvider;
- this.ceProvider = ceProvider;
- this.macProvider = macProvider;
- }
-
-
-
- /**
- * Sets a specific JCA provider for the key encryption.
- *
- * @param keProvider The specific JCA provider to be used for the key
- * encryption, {@code null} to fall back to the
- * general one, and if that is not specified to the
- * default system provider.
- */
- public void setKeyEncryptionProvider(final Provider keProvider) {
-
- this.keProvider = keProvider;
- }
-
-
- /**
- * Gets the specific JCA provider for the key encryption.
- *
- * @return The applicable JCA provider, {@code null} implies the
- * default system provider.
- */
- public Provider getKeyEncryptionProvider() {
-
- return keProvider != null ? keProvider : getProvider();
- }
-
-
- /**
- * Sets a specific JCA provider for the content encryption.
- *
- * @param ceProvider The specific JCA provider to be used for the
- * content encryption, {@code null} to fall back to
- * the general one, and if that is not specified to
- * the default system provider.
- */
- public void setContentEncryptionProvider(final Provider ceProvider) {
-
- this.ceProvider = ceProvider;
- }
-
-
- /**
- * Gets the specific JCA provider for the content encryption.
- *
- * @return The applicable JCA provider, {@code null} implies the
- * default system provider.
- */
- public Provider getContentEncryptionProvider() {
-
- return ceProvider != null ? ceProvider : getProvider();
- }
-
-
- /**
- * Sets a specific JCA provider for the MAC computation (where required
- * by the JWE encryption method).
- *
- * @param macProvider The specific JCA provider to be used for the MAC
- * computation (where required by the JWE encryption
- * method), {@code null} to fall back to the general
- * one, and if that is not specified to the default
- * system provider.
- */
- public void setMACProvider(final Provider macProvider) {
-
- this.macProvider = macProvider;
- }
-
-
- /**
- * Gets the specific JCA provider for the MAC computation (where
- * required by the JWE encryption method).
- *
- * @return The applicable JCA provider, {@code null} implies the
- * default system provider.
- */
- public Provider getMACProvider() {
-
- return macProvider != null ? macProvider : getProvider();
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/package-info.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/package-info.java
deleted file mode 100644
index 57ff3a93..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jca/package-info.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-/**
- * Java Cryptography Architecture (JCA) context interfaces and classes.
- *
- *
References:
- *
- *
- */
-package com.nimbusds.jose.jca;
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/AsymmetricJWK.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/AsymmetricJWK.java
deleted file mode 100644
index 04cc1519..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/AsymmetricJWK.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-
-import com.nimbusds.jose.JOSEException;
-
-
-/**
- * Asymmetric (pair) JSON Web Key (JWK).
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-02-27
- */
-public interface AsymmetricJWK {
-
-
- /**
- * Returns a Java public key representation of the JWK.
- *
- * @return The Java public key.
- *
- * @throws JOSEException If conversion failed or is not supported.
- */
- PublicKey toPublicKey()
- throws JOSEException;
-
-
- /**
- * Returns a Java private key representation of this JWK.
- *
- * @return The Java private key, {@code null} if not specified.
- *
- * @throws JOSEException If conversion failed or is not supported.
- */
- PrivateKey toPrivateKey()
- throws JOSEException;
-
-
- /**
- * Returns a Java key pair representation of this JWK.
- *
- * @return The Java key pair. The private key will be {@code null} if
- * not specified.
- *
- * @throws JOSEException If conversion failed or is not supported.
- */
- KeyPair toKeyPair()
- throws JOSEException;
-
-
- /**
- * Returns {@code true} if the public key material of this JWK matches
- * the public subject key info of the specified X.509 certificate.
- *
- * @param cert The X.509 certificate. Must not be {@code null}.
- *
- * @return {@code true} if the public key material of this JWK matches
- * the public subject key info of the specified X.509
- * certificate, else {@code false}.
- */
- boolean matches(X509Certificate cert);
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/Curve.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/Curve.java
deleted file mode 100644
index 211521ce..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/Curve.java
+++ /dev/null
@@ -1,371 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.io.Serializable;
-import java.security.spec.ECParameterSpec;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
-import com.nimbusds.jose.JWSAlgorithm;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * Cryptographic curve. This class is immutable.
- *
- * Includes constants for the following standard cryptographic curves:
- *
- *
- * - {@link #P_256}
- *
- {@link #P_256K}
- *
- {@link #P_384}
- *
- {@link #P_521}
- *
- {@link #Ed25519}
- *
- {@link #Ed448}
- *
- {@link #X25519}
- *
- {@link #X448}
- *
- *
- * See
- *
- *
- * - "Digital Signature Standard (DSS)", FIPS PUB 186-3, June 2009,
- * National Institute of Standards and Technology (NIST).
- *
- CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON
- * Object Signing and Encryption (JOSE) (RFC 8037).
- *
- *
- * @author Vladimir Dzhuvinov
- * @author Aleksei Doroganov
- * @version 2013-03-28
- */
-@Immutable
-public final class Curve implements Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * P-256 curve (secp256r1, also called prime256v1, OID =
- * 1.2.840.10045.3.1.7).
- */
- public static final Curve P_256 = new Curve("P-256", "secp256r1", "1.2.840.10045.3.1.7");
-
-
- /**
- * P-256K curve (secp256k1, OID = 1.3.132.0.10).
- */
- public static final Curve P_256K = new Curve("P-256K", "secp256k1", "1.3.132.0.10");
-
-
- /**
- * P-384 curve (secp384r1, OID = 1.3.132.0.34).
- */
- public static final Curve P_384 = new Curve("P-384", "secp384r1", "1.3.132.0.34");
-
-
- /**
- * P-521 curve (secp521r1).
- */
- public static final Curve P_521 = new Curve("P-521", "secp521r1", "1.3.132.0.35");
-
-
- /**
- * Ed25519 signature algorithm key pairs.
- */
- public static final Curve Ed25519 = new Curve("Ed25519", "Ed25519", null);
-
-
- /**
- * Ed448 signature algorithm key pairs.
- */
- public static final Curve Ed448 = new Curve("Ed448", "Ed448", null);
-
-
- /**
- * X25519 function key pairs.
- */
- public static final Curve X25519 = new Curve("X25519", "X25519", null);
-
-
- /**
- * X448 function key pairs.
- */
- public static final Curve X448 = new Curve("X448", "X448", null);
-
-
- /**
- * The JOSE curve name.
- */
- private final String name;
-
-
- /**
- * The standard curve name, {@code null} if not specified.
- */
- private final String stdName;
-
-
- /**
- * The standard object identifier for the curve, {@code null}
- * if not specified.
- */
- private final String oid;
-
-
- /**
- * Creates a new cryptographic curve with the specified JOSE name. A
- * standard curve name and object identifier (OID) are not unspecified.
- *
- * @param name The JOSE name of the cryptographic curve. Must not be
- * {@code null}.
- */
- public Curve(final String name) {
-
- this(name, null, null);
- }
-
-
- /**
- * Creates a new cryptographic curve with the specified JOSE name,
- * standard name and object identifier (OID).
- *
- * @param name The JOSE name of the cryptographic curve. Must not
- * be {@code null}.
- * @param stdName The standard name of the cryptographic curve,
- * {@code null} if not specified.
- * @param oid The object identifier (OID) of the cryptographic
- * curve, {@code null} if not specified.
- */
- public Curve(final String name, final String stdName, final String oid) {
-
- if (name == null) {
- throw new IllegalArgumentException("The JOSE cryptographic curve name must not be null");
- }
-
- this.name = name;
-
- this.stdName = stdName;
-
- this.oid = oid;
- }
-
-
- /**
- * Returns the JOSE name of this cryptographic curve.
- *
- * @return The JOSE name.
- */
- public String getName() {
-
- return name;
- }
-
-
- /**
- * Returns the standard name of this cryptographic curve.
- *
- * @return The standard name, {@code null} if not specified.
- */
- public String getStdName() {
-
- return stdName;
- }
-
-
- /**
- * Returns the standard object identifier (OID) of this cryptographic
- * curve.
- *
- * @return The OID, {@code null} if not specified.
- */
- public String getOID() {
-
- return oid;
- }
-
-
- /**
- * Returns the parameter specification for this cryptographic curve.
- *
- * @return The EC parameter specification, {@code null} if it cannot be
- * determined.
- */
- public ECParameterSpec toECParameterSpec() {
-
- return ECParameterTable.get(this);
- }
-
-
- /**
- * @see #getName
- */
- @Override
- public String toString() {
-
- return getName();
- }
-
-
- @Override
- public boolean equals(final Object object) {
-
- return object instanceof Curve &&
- this.toString().equals(object.toString());
- }
-
-
- /**
- * Parses a cryptographic curve from the specified string.
- *
- * @param s The string to parse. Must not be {@code null} or empty.
- *
- * @return The cryptographic curve.
- */
- public static Curve parse(final String s) {
-
- if (s == null || s.trim().isEmpty()) {
- throw new IllegalArgumentException("The cryptographic curve string must not be null or empty");
- }
-
- if (s.equals(P_256.getName())) {
- return P_256;
- } else if (s.equals(P_256K.getName())) {
- return P_256K;
- } else if (s.equals(P_384.getName())) {
- return P_384;
- } else if (s.equals(P_521.getName())) {
- return P_521;
- } else if (s.equals(Ed25519.getName())) {
- return Ed25519;
- } else if (s.equals(Ed448.getName())) {
- return Ed448;
- } else if (s.equals(X25519.getName())) {
- return X25519;
- } else if (s.equals(X448.getName())) {
- return X448;
- } else {
- return new Curve(s);
- }
- }
-
-
- /**
- * Gets the cryptographic curve for the specified standard
- * name.
- *
- * @param stdName The standard curve name. May be {@code null}.
- *
- * @return The curve, {@code null} if it cannot be determined.
- */
- public static Curve forStdName(final String stdName) {
- if( "secp256r1".equals(stdName) || "prime256v1".equals(stdName)) {
- return P_256;
- } else if("secp256k1".equals(stdName)) {
- return P_256K;
- } else if("secp384r1".equals(stdName)) {
- return P_384;
- } else if("secp521r1".equals(stdName)) {
- return P_521;
- } else if (Ed25519.getStdName().equals(stdName)) {
- return Ed25519;
- } else if (Ed448.getStdName().equals(stdName)) {
- return Ed448;
- } else if (X25519.getStdName().equals(stdName)) {
- return X25519;
- } else if (X448.getStdName().equals(stdName)) {
- return X448;
- } else {
- return null;
- }
- }
-
-
- /**
- * Gets the cryptographic curve for the specified object identifier
- * (OID).
- *
- * @param oid The object OID. May be {@code null}.
- *
- * @return The curve, {@code null} if it cannot be determined.
- */
- public static Curve forOID(final String oid) {
-
- if (P_256.getOID().equals(oid)) {
- return P_256;
- } else if (P_256K.getOID().equals(oid)) {
- return P_256K;
- } else if (P_384.getOID().equals(oid)) {
- return P_384;
- } else if (P_521.getOID().equals(oid)) {
- return P_521;
- } else {
- return null;
- }
- }
-
-
- /**
- * Gets the cryptographic curve(s) for the specified JWS algorithm.
- *
- * @param alg The JWS algorithm. May be {@code null}.
- *
- * @return The curve(s), {@code null} if the JWS algorithm is not curve
- * based, or the JWS algorithm is not supported.
- */
- public static Set forJWSAlgorithm(final JWSAlgorithm alg) {
-
- if (JWSAlgorithm.ES256.equals(alg)) {
- return Collections.singleton(P_256);
- } else if (JWSAlgorithm.ES256K.equals(alg)) {
- return Collections.singleton(P_256K);
- } else if (JWSAlgorithm.ES384.equals(alg)) {
- return Collections.singleton(P_384);
- } else if (JWSAlgorithm.ES512.equals(alg)) {
- return Collections.singleton(P_521);
- } else if (JWSAlgorithm.EdDSA.equals(alg)) {
- return Collections.unmodifiableSet(
- new HashSet<>(Arrays.asList(
- Ed25519,
- Ed448
- ))
- );
- } else {
- return null;
- }
- }
-
-
- /**
- * Gets the cryptographic curve for the specified parameter
- * specification.
- *
- * @param spec The EC parameter spec. May be {@code null}.
- *
- * @return The curve, {@code null} if it cannot be determined.
- */
- public static Curve forECParameterSpec(final ECParameterSpec spec) {
-
- return ECParameterTable.get(spec);
- }
-}
\ No newline at end of file
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/CurveBasedJWK.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/CurveBasedJWK.java
deleted file mode 100644
index 22c73956..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/CurveBasedJWK.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd and contributors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-/**
- * Curve based JSON Web Key (JWK).
- *
- * @author Vladimir Dzhuvinov
- * @version 2018-08-23
- */
-public interface CurveBasedJWK {
-
-
- /**
- * Returns the cryptographic curve.
- *
- * @return The cryptographic curve.
- */
- Curve getCurve();
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECKey.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECKey.java
deleted file mode 100644
index 84f626f4..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECKey.java
+++ /dev/null
@@ -1,1582 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.math.BigInteger;
-import java.net.URI;
-import java.security.*;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.*;
-import java.text.ParseException;
-import java.util.*;
-
-import net.jcip.annotations.Immutable;
-import net.minidev.json.JSONObject;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
-
-import com.nimbusds.jose.Algorithm;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.crypto.utils.ECChecks;
-import com.nimbusds.jose.util.Base64;
-import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jose.util.BigIntegerUtils;
-import com.nimbusds.jose.util.JSONObjectUtils;
-
-
-/**
- * Public and private {@link KeyType#EC Elliptic Curve} JSON Web Key (JWK).
- * This class is immutable.
- *
- * Supported curves:
- *
- *
- * - {@link Curve#P_256 P-256}
- *
- {@link Curve#P_256K P-256K}
- *
- {@link Curve#P_384 P-384}
- *
- {@link Curve#P_521 P-512}
- *
- *
- * Provides EC JWK import from / export to the following standard Java
- * interfaces and classes:
- *
- *
- * - {@link java.security.interfaces.ECPublicKey}
- *
- {@link java.security.interfaces.ECPrivateKey}
- *
- {@link java.security.PrivateKey} for an EC key in a PKCS#11 store
- *
- {@link java.security.KeyPair}
- *
- *
- * Example JSON object representation of a public EC JWK:
- *
- *
- * {
- * "kty" : "EC",
- * "crv" : "P-256",
- * "x" : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
- * "y" : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
- * "use" : "enc",
- * "kid" : "1"
- * }
- *
- *
- * Example JSON object representation of a private EC JWK:
- *
- *
- * {
- * "kty" : "EC",
- * "crv" : "P-256",
- * "x" : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
- * "y" : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
- * "d" : "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE",
- * "use" : "enc",
- * "kid" : "1"
- * }
- *
- *
- * Use the builder to create a new EC JWK:
- *
- *
- * ECKey key = new ECKey.Builder(Curve.P_256, x, y)
- * .keyUse(KeyUse.SIGNATURE)
- * .keyID("1")
- * .build();
- *
- *
- * See http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
- *
- * @author Vladimir Dzhuvinov
- * @author Justin Richer
- * @version 2019-04-15
- */
-@Immutable
-public final class ECKey extends JWK implements AsymmetricJWK, CurveBasedJWK {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * Supported EC curves.
- */
- public static final Set SUPPORTED_CURVES = Collections.unmodifiableSet(
- new HashSet<>(Arrays.asList(Curve.P_256, Curve.P_256K, Curve.P_384, Curve.P_521))
- );
-
-
- /**
- * Builder for constructing Elliptic Curve JWKs.
- *
- * Example usage:
- *
- *
- * ECKey key = new ECKey.Builder(Curve.P521, x, y)
- * .d(d)
- * .algorithm(JWSAlgorithm.ES512)
- * .keyID("1")
- * .build();
- *
- */
- public static class Builder {
-
-
- /**
- * The curve name.
- */
- private final Curve crv;
-
-
- /**
- * The public 'x' EC coordinate.
- */
- private final Base64URL x;
-
-
- /**
- * The public 'y' EC coordinate.
- */
- private final Base64URL y;
-
-
- /**
- * The private 'd' EC coordinate, optional.
- */
- private Base64URL d;
-
-
- /**
- * The private EC key, as PKCS#11 handle, optional.
- */
- private PrivateKey priv;
-
-
- /**
- * The key use, optional.
- */
- private KeyUse use;
-
-
- /**
- * The key operations, optional.
- */
- private Set ops;
-
-
- /**
- * The intended JOSE algorithm for the key, optional.
- */
- private Algorithm alg;
-
-
- /**
- * The key ID, optional.
- */
- private String kid;
-
-
- /**
- * X.509 certificate URL, optional.
- */
- private URI x5u;
-
-
- /**
- * X.509 certificate SHA-1 thumbprint, optional.
- */
- @Deprecated
- private Base64URL x5t;
-
-
- /**
- * X.509 certificate SHA-256 thumbprint, optional.
- */
- private Base64URL x5t256;
-
-
- /**
- * The X.509 certificate chain, optional.
- */
- private List x5c;
-
-
- /**
- * Reference to the underlying key store, {@code null} if none.
- */
- private KeyStore ks;
-
-
- /**
- * Creates a new Elliptic Curve JWK builder.
- *
- * @param crv The cryptographic curve. Must not be
- * {@code null}.
- * @param x The public 'x' coordinate for the elliptic curve
- * point. It is represented as the Base64URL
- * encoding of the coordinate's big endian
- * representation. Must not be {@code null}.
- * @param y The public 'y' coordinate for the elliptic curve
- * point. It is represented as the Base64URL
- * encoding of the coordinate's big endian
- * representation. Must not be {@code null}.
- */
- public Builder(final Curve crv, final Base64URL x, final Base64URL y) {
-
- if (crv == null) {
- throw new IllegalArgumentException("The curve must not be null");
- }
-
- this.crv = crv;
-
- if (x == null) {
- throw new IllegalArgumentException("The 'x' coordinate must not be null");
- }
-
- this.x = x;
-
- if (y == null) {
- throw new IllegalArgumentException("The 'y' coordinate must not be null");
- }
-
- this.y = y;
- }
-
-
- /**
- * Creates a new Elliptic Curve JWK builder.
- *
- * @param crv The cryptographic curve. Must not be
- * {@code null}.
- * @param pub The public EC key to represent. Must not be
- * {@code null}.
- */
- public Builder(final Curve crv, final ECPublicKey pub) {
-
- this(crv,
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineX()),
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineY()));
- }
-
-
- /**
- * Creates a new Elliptic Curve JWK builder.
- *
- * @param ecJWK The EC JWK to start with. Must not be
- * {@code null}.
- */
- public Builder(final ECKey ecJWK) {
-
- crv = ecJWK.crv;
- x = ecJWK.x;
- y = ecJWK.y;
- d = ecJWK.d;
- priv = ecJWK.privateKey;
- use = ecJWK.getKeyUse();
- ops = ecJWK.getKeyOperations();
- alg = ecJWK.getAlgorithm();
- kid = ecJWK.getKeyID();
- x5u = ecJWK.getX509CertURL();
- x5t = ecJWK.getX509CertThumbprint();
- x5t256 = ecJWK.getX509CertSHA256Thumbprint();
- x5c = ecJWK.getX509CertChain();
- ks = ecJWK.getKeyStore();
- }
-
-
- /**
- * Sets the private 'd' coordinate for the elliptic curve
- * point. The alternative method is {@link #privateKey}.
- *
- * @param d The private 'd' coordinate. It is represented as
- * the Base64URL encoding of the coordinate's big
- * endian representation. {@code null} if not
- * specified (for a public key).
- *
- * @return This builder.
- */
- public Builder d(final Base64URL d) {
-
- this.d = d;
- return this;
- }
-
-
- /**
- * Sets the private Elliptic Curve key. The alternative method
- * is {@link #d}.
- *
- * @param priv The private EC key, used to obtain the private
- * 'd' coordinate for the elliptic curve point.
- * {@code null} if not specified (for a public
- * key).
- *
- * @return This builder.
- */
- public Builder privateKey(final ECPrivateKey priv) {
-
- if (priv != null) {
- this.d = encodeCoordinate(priv.getParams().getCurve().getField().getFieldSize(), priv.getS());
- }
-
- return this;
- }
-
-
- /**
- * Sets the private EC key, typically for a key located in a
- * PKCS#11 store that doesn't expose the private key parameters
- * (such as a smart card or HSM).
- *
- * @param priv The private EC key reference. Its algorithm must
- * be "EC". Must not be {@code null}.
- *
- * @return This builder.
- */
- public Builder privateKey(final PrivateKey priv) {
-
- if (priv instanceof ECPrivateKey) {
- return privateKey((ECPrivateKey) priv);
- }
-
- if (! "EC".equalsIgnoreCase(priv.getAlgorithm())) {
- throw new IllegalArgumentException("The private key algorithm must be EC");
- }
-
- this.priv = priv;
- return this;
- }
-
-
- /**
- * Sets the use ({@code use}) of the JWK.
- *
- * @param use The key use, {@code null} if not specified or if
- * the key is intended for signing as well as
- * encryption.
- *
- * @return This builder.
- */
- public Builder keyUse(final KeyUse use) {
-
- this.use = use;
- return this;
- }
-
-
- /**
- * Sets the operations ({@code key_ops}) of the JWK.
- *
- * @param ops The key operations, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder keyOperations(final Set ops) {
-
- this.ops = ops;
- return this;
- }
-
-
- /**
- * Sets the intended JOSE algorithm ({@code alg}) for the JWK.
- *
- * @param alg The intended JOSE algorithm, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder algorithm(final Algorithm alg) {
-
- this.alg = alg;
- return this;
- }
-
- /**
- * Sets the ID ({@code kid}) of the JWK. The key ID can be used
- * to match a specific key. This can be used, for instance, to
- * choose a key within a {@link JWKSet} during key rollover.
- * The key ID may also correspond to a JWS/JWE {@code kid}
- * header parameter value.
- *
- * @param kid The key ID, {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder keyID(final String kid) {
-
- this.kid = kid;
- return this;
- }
-
-
- /**
- * Sets the ID ({@code kid}) of the JWK to its SHA-256 JWK
- * thumbprint (RFC 7638). The key ID can be used to match a
- * specific key. This can be used, for instance, to choose a
- * key within a {@link JWKSet} during key rollover. The key ID
- * may also correspond to a JWS/JWE {@code kid} header
- * parameter value.
- *
- * @return This builder.
- *
- * @throws JOSEException If the SHA-256 hash algorithm is not
- * supported.
- */
- public Builder keyIDFromThumbprint()
- throws JOSEException {
-
- return keyIDFromThumbprint("SHA-256");
- }
-
-
- /**
- * Sets the ID ({@code kid}) of the JWK to its JWK thumbprint
- * (RFC 7638). The key ID can be used to match a specific key.
- * This can be used, for instance, to choose a key within a
- * {@link JWKSet} during key rollover. The key ID may also
- * correspond to a JWS/JWE {@code kid} header parameter value.
- *
- * @param hashAlg The hash algorithm for the JWK thumbprint
- * computation. Must not be {@code null}.
- *
- * @return This builder.
- *
- * @throws JOSEException If the hash algorithm is not
- * supported.
- */
- public Builder keyIDFromThumbprint(final String hashAlg)
- throws JOSEException {
-
- // Put mandatory params in sorted order
- LinkedHashMap requiredParams = new LinkedHashMap<>();
- requiredParams.put("crv", crv.toString());
- requiredParams.put("kty", KeyType.EC.getValue());
- requiredParams.put("x", x.toString());
- requiredParams.put("y", y.toString());
- this.kid = ThumbprintUtils.compute(hashAlg, requiredParams).toString();
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate URL ({@code x5u}) of the JWK.
- *
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- *
- * @return This builder.
- */
- public Builder x509CertURL(final URI x5u) {
-
- this.x5u = x5u;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-1 thumbprint ({@code x5t}) of
- * the JWK.
- *
- * @param x5t The X.509 certificate SHA-1 thumbprint,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- @Deprecated
- public Builder x509CertThumbprint(final Base64URL x5t) {
-
- this.x5t = x5t;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate SHA-256 thumbprint
- * ({@code x5t#S256}) of the JWK.
- *
- * @param x5t256 The X.509 certificate SHA-256 thumbprint,
- * {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertSHA256Thumbprint(final Base64URL x5t256) {
-
- this.x5t256 = x5t256;
- return this;
- }
-
-
- /**
- * Sets the X.509 certificate chain ({@code x5c}) of the JWK.
- *
- * @param x5c The X.509 certificate chain as a unmodifiable
- * list, {@code null} if not specified.
- *
- * @return This builder.
- */
- public Builder x509CertChain(final List x5c) {
-
- this.x5c = x5c;
- return this;
- }
-
-
- /**
- * Sets the underlying key store.
- *
- * @param keyStore Reference to the underlying key store,
- * {@code null} if none.
- *
- * @return This builder.
- */
- public Builder keyStore(final KeyStore keyStore) {
-
- this.ks = keyStore;
- return this;
- }
-
-
- /**
- * Builds a new Elliptic Curve JWK.
- *
- * @return The Elliptic Curve JWK.
- *
- * @throws IllegalStateException If the JWK parameters were
- * inconsistently specified.
- */
- public ECKey build() {
-
- try {
- if (d == null && priv == null) {
- // Public key
- return new ECKey(crv, x, y, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
- }
-
- if (priv != null) {
- // PKCS#11 reference to private key
- return new ECKey(crv, x, y, priv, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
- }
-
- // Public / private key pair with 'd'
- return new ECKey(crv, x, y, d, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
-
- } catch (IllegalArgumentException e) {
- throw new IllegalStateException(e.getMessage(), e);
- }
- }
- }
-
-
- /**
- * Returns the Base64URL encoding of the specified elliptic curve 'x',
- * 'y' or 'd' coordinate, with leading zero padding up to the specified
- * field size in bits.
- *
- * @param fieldSize The field size in bits.
- * @param coordinate The elliptic curve coordinate. Must not be
- * {@code null}.
- *
- * @return The Base64URL-encoded coordinate, with leading zero padding
- * up to the curve's field size.
- */
- public static Base64URL encodeCoordinate(final int fieldSize, final BigInteger coordinate) {
-
- final byte[] notPadded = BigIntegerUtils.toBytesUnsigned(coordinate);
-
- int bytesToOutput = (fieldSize + 7)/8;
-
- if (notPadded.length >= bytesToOutput) {
- // Greater-than check to prevent exception on malformed
- // key below
- return Base64URL.encode(notPadded);
- }
-
- final byte[] padded = new byte[bytesToOutput];
-
- System.arraycopy(notPadded, 0, padded, bytesToOutput - notPadded.length, notPadded.length);
-
- return Base64URL.encode(padded);
- }
-
-
- /**
- * The curve name.
- */
- private final Curve crv;
-
-
- /**
- * The public 'x' EC coordinate.
- */
- private final Base64URL x;
-
-
- /**
- * The public 'y' EC coordinate.
- */
- private final Base64URL y;
-
-
- /**
- * The private 'd' EC coordinate.
- */
- private final Base64URL d;
-
-
- /**
- * Private PKCS#11 key handle.
- */
- private final PrivateKey privateKey;
-
-
- /**
- * Ensures the specified 'x' and 'y' public coordinates are on the
- * given curve.
- *
- * @param crv The curve. Must not be {@code null}.
- * @param x The public 'x' coordinate. Must not be {@code null}.
- * @param y The public 'y' coordinate. Must not be {@code null}.
- */
- private static void ensurePublicCoordinatesOnCurve(final Curve crv, final Base64URL x, final Base64URL y) {
-
- if (! SUPPORTED_CURVES.contains(crv)) {
- throw new IllegalArgumentException("Unknown / unsupported curve: " + crv);
- }
-
- if (! ECChecks.isPointOnCurve(x.decodeToBigInteger(), y.decodeToBigInteger(), crv.toECParameterSpec())) {
- throw new IllegalArgumentException("Invalid EC JWK: The 'x' and 'y' public coordinates are not on the " + crv + " curve");
- }
- }
-
-
- /**
- * Creates a new public Elliptic Curve JSON Web Key (JWK) with the
- * specified parameters.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param x The public 'x' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param y The public 'y' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * not specified.
- */
- public ECKey(final Curve crv, final Base64URL x, final Base64URL y,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- super(KeyType.EC, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
-
- if (crv == null) {
- throw new IllegalArgumentException("The curve must not be null");
- }
-
- this.crv = crv;
-
- if (x == null) {
- throw new IllegalArgumentException("The 'x' coordinate must not be null");
- }
-
- this.x = x;
-
- if (y == null) {
- throw new IllegalArgumentException("The 'y' coordinate must not be null");
- }
-
- this.y = y;
-
- ensurePublicCoordinatesOnCurve(crv, x, y);
-
- ensureMatches(getParsedX509CertChain());
-
- this.d = null;
-
- this.privateKey = null;
- }
-
-
- /**
- * Creates a new public / private Elliptic Curve JSON Web Key (JWK)
- * with the specified parameters.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param x The public 'x' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param y The public 'y' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param d The private 'd' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * not specified.
- */
- public ECKey(final Curve crv, final Base64URL x, final Base64URL y, final Base64URL d,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- super(KeyType.EC, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
-
- if (crv == null) {
- throw new IllegalArgumentException("The curve must not be null");
- }
-
- this.crv = crv;
-
- if (x == null) {
- throw new IllegalArgumentException("The 'x' coordinate must not be null");
- }
-
- this.x = x;
-
- if (y == null) {
- throw new IllegalArgumentException("The 'y' coordinate must not be null");
- }
-
- this.y = y;
-
- ensurePublicCoordinatesOnCurve(crv, x, y);
-
- ensureMatches(getParsedX509CertChain());
-
- if (d == null) {
- throw new IllegalArgumentException("The 'd' coordinate must not be null");
- }
-
- this.d = d;
-
- this.privateKey = null;
- }
-
-
- /**
- * Creates a new public / private Elliptic Curve JSON Web Key (JWK)
- * with the specified parameters. The private key is specified by its
- * PKCS#11 handle.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param x The public 'x' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param y The public 'y' coordinate for the elliptic curve
- * point. It is represented as the Base64URL encoding of
- * the coordinate's big endian representation. Must not
- * be {@code null}.
- * @param priv The private key as a PKCS#11 handle, {@code null} if
- * not specified.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- */
- public ECKey(final Curve crv, final Base64URL x, final Base64URL y, final PrivateKey priv,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- super(KeyType.EC, use, ops, alg, kid, x5u, x5t, x5t256, x5c, ks);
-
- if (crv == null) {
- throw new IllegalArgumentException("The curve must not be null");
- }
-
- this.crv = crv;
-
- if (x == null) {
- throw new IllegalArgumentException("The 'x' coordinate must not be null");
- }
-
- this.x = x;
-
- if (y == null) {
- throw new IllegalArgumentException("The 'y' coordinate must not be null");
- }
-
- this.y = y;
-
- ensurePublicCoordinatesOnCurve(crv, x, y);
-
- ensureMatches(getParsedX509CertChain());
-
- d = null;
-
- this.privateKey = priv;
- }
-
-
- /**
- * Creates a new public Elliptic Curve JSON Web Key (JWK) with the
- * specified parameters.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param pub The public EC key to represent. Must not be
- * {@code null}.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * not specified.
- */
- public ECKey(final Curve crv, final ECPublicKey pub,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- this(crv,
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineX()),
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineY()),
- use, ops, alg, kid,
- x5u, x5t, x5t256, x5c,
- ks);
- }
-
-
- /**
- * Creates a new public / private Elliptic Curve JSON Web Key (JWK)
- * with the specified parameters.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param pub The public EC key to represent. Must not be
- * {@code null}.
- * @param priv The private EC key to represent. Must not be
- * {@code null}.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * not specified.
- */
- public ECKey(final Curve crv, final ECPublicKey pub, final ECPrivateKey priv,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- this(crv,
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineX()),
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineY()),
- encodeCoordinate(priv.getParams().getCurve().getField().getFieldSize(), priv.getS()),
- use, ops, alg, kid,
- x5u, x5t, x5t256, x5c,
- ks);
- }
-
-
- /**
- * Creates a new public / private Elliptic Curve JSON Web Key (JWK)
- * with the specified parameters. The private key is specified by its
- * PKCS#11 handle.
- *
- * @param crv The cryptographic curve. Must not be {@code null}.
- * @param pub The public EC key to represent. Must not be
- * {@code null}.
- * @param priv The private key as a PKCS#11 handle, {@code null} if
- * not specified.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate SHA-1 thumbprint, {@code null}
- * if not specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * not specified.
- */
- public ECKey(final Curve crv, final ECPublicKey pub, final PrivateKey priv,
- final KeyUse use, final Set ops, final Algorithm alg, final String kid,
- final URI x5u, final Base64URL x5t, final Base64URL x5t256, final List x5c,
- final KeyStore ks) {
-
- this(
- crv,
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineX()),
- encodeCoordinate(pub.getParams().getCurve().getField().getFieldSize(), pub.getW().getAffineY()),
- priv,
- use, ops, alg, kid, x5u, x5t, x5t256, x5c,
- ks);
- }
-
-
- @Override
- public Curve getCurve() {
-
- return crv;
- }
-
-
- /**
- * Gets the public 'x' coordinate for the elliptic curve point.
- *
- * @return The 'x' coordinate. It is represented as the Base64URL
- * encoding of the coordinate's big endian representation.
- */
- public Base64URL getX() {
-
- return x;
- }
-
-
- /**
- * Gets the public 'y' coordinate for the elliptic curve point.
- *
- * @return The 'y' coordinate. It is represented as the Base64URL
- * encoding of the coordinate's big endian representation.
- */
- public Base64URL getY() {
-
- return y;
- }
-
-
- /**
- * Gets the private 'd' coordinate for the elliptic curve point. It is
- * represented as the Base64URL encoding of the coordinate's big endian
- * representation.
- *
- * @return The 'd' coordinate. It is represented as the Base64URL
- * encoding of the coordinate's big endian representation.
- * {@code null} if not specified (for a public key).
- */
- public Base64URL getD() {
-
- return d;
- }
-
-
- /**
- * Returns a standard {@code java.security.interfaces.ECPublicKey}
- * representation of this Elliptic Curve JWK. Uses the default JCA
- * provider.
- *
- * @return The public Elliptic Curve key.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a public EC key.
- */
- public ECPublicKey toECPublicKey()
- throws JOSEException {
-
- return toECPublicKey(null);
- }
-
-
- /**
- * Returns a standard {@code java.security.interfaces.ECPublicKey}
- * representation of this Elliptic Curve JWK.
- *
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default one.
- *
- * @return The public Elliptic Curve key.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a public EC key.
- */
- public ECPublicKey toECPublicKey(final Provider provider)
- throws JOSEException {
-
- ECParameterSpec spec = crv.toECParameterSpec();
-
- if (spec == null) {
- throw new JOSEException("Couldn't get EC parameter spec for curve " + crv);
- }
-
- ECPoint w = new ECPoint(x.decodeToBigInteger(), y.decodeToBigInteger());
-
- ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(w, spec);
-
- try {
- KeyFactory keyFactory;
-
- if (provider == null) {
- keyFactory = KeyFactory.getInstance("EC");
- } else {
- keyFactory = KeyFactory.getInstance("EC", provider);
- }
-
- return (ECPublicKey) keyFactory.generatePublic(publicKeySpec);
-
- } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- /**
- * Returns a standard {@code java.security.interfaces.ECPrivateKey}
- * representation of this Elliptic Curve JWK. Uses the default JCA
- * provider.
- *
- * @return The private Elliptic Curve key, {@code null} if not
- * specified by this JWK.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a private EC key.
- */
- public ECPrivateKey toECPrivateKey()
- throws JOSEException {
-
- return toECPrivateKey(null);
- }
-
-
- /**
- * Returns a standard {@code java.security.interfaces.ECPrivateKey}
- * representation of this Elliptic Curve JWK.
- *
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default one.
- *
- * @return The private Elliptic Curve key, {@code null} if not
- * specified by this JWK.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a private EC key.
- */
- public ECPrivateKey toECPrivateKey(final Provider provider)
- throws JOSEException {
-
- if (d == null) {
- // No private 'd' param
- return null;
- }
-
- ECParameterSpec spec = crv.toECParameterSpec();
-
- if (spec == null) {
- throw new JOSEException("Couldn't get EC parameter spec for curve " + crv);
- }
-
- ECPrivateKeySpec privateKeySpec = new ECPrivateKeySpec(d.decodeToBigInteger(), spec);
-
- try {
- KeyFactory keyFactory;
-
- if (provider == null) {
- keyFactory = KeyFactory.getInstance("EC");
- } else {
- keyFactory = KeyFactory.getInstance("EC", provider);
- }
-
- return (ECPrivateKey) keyFactory.generatePrivate(privateKeySpec);
-
- } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
-
- throw new JOSEException(e.getMessage(), e);
- }
- }
-
-
- @Override
- public PublicKey toPublicKey()
- throws JOSEException {
-
- return toECPublicKey();
- }
-
-
- @Override
- public PrivateKey toPrivateKey()
- throws JOSEException {
-
- PrivateKey prv = toECPrivateKey();
-
- if (prv != null) {
- // Return private EC key with key material
- return prv;
- }
-
- // Return private EC key as PKCS#11 handle, or null
- return privateKey;
- }
-
-
- /**
- * Returns a standard {@code java.security.KeyPair} representation of
- * this Elliptic Curve JWK. Uses the default JCA provider.
- *
- * @return The Elliptic Curve key pair. The private Elliptic Curve key
- * will be {@code null} if not specified.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a public and / or
- * private EC key.
- */
- @Override
- public KeyPair toKeyPair()
- throws JOSEException {
-
- return toKeyPair(null);
- }
-
-
- /**
- * Returns a standard {@code java.security.KeyPair} representation of
- * this Elliptic Curve JWK.
- *
- * @param provider The specific JCA provider to use, {@code null}
- * implies the default one.
- *
- * @return The Elliptic Curve key pair. The private Elliptic Curve key
- * will be {@code null} if not specified.
- *
- * @throws JOSEException If EC is not supported by the underlying Java
- * Cryptography (JCA) provider or if the JWK
- * parameters are invalid for a public and / or
- * private EC key.
- */
- public KeyPair toKeyPair(final Provider provider)
- throws JOSEException {
-
- if (privateKey != null) {
- // Private key as PKCS#11 handle
- return new KeyPair(toECPublicKey(provider), privateKey);
- } else {
- return new KeyPair(toECPublicKey(provider), toECPrivateKey(provider));
- }
- }
-
-
- @Override
- public boolean matches(final X509Certificate cert) {
-
- ECPublicKey certECKey;
- try {
- certECKey = (ECPublicKey) getParsedX509CertChain().get(0).getPublicKey();
- } catch (ClassCastException ex) {
- return false;
- }
- // Compare Big Ints, base64url encoding may have padding!
- // https://tools.ietf.org/html/rfc7518#section-6.2.1.2
- if (! getX().decodeToBigInteger().equals(certECKey.getW().getAffineX())) {
- return false;
- }
- if (! getY().decodeToBigInteger().equals(certECKey.getW().getAffineY())) {
- return false;
- }
- return true;
- }
-
-
- /**
- * Calls {@link #matches(X509Certificate)} for the first X.509
- * certificate in the specified chain.
- *
- * @param chain The X.509 certificate chain, {@code null} if not
- * specified.
- *
- * @throws IllegalArgumentException If a certificate chain is specified
- * and the first certificate in it
- * doesn't match.
- */
- private void ensureMatches(final List chain) {
-
- if (chain == null)
- return;
-
- if (! matches(chain.get(0)))
- throw new IllegalArgumentException("The public subject key info of the first X.509 certificate in the chain must match the JWK type and public parameters");
- }
-
-
- @Override
- public LinkedHashMap getRequiredParams() {
-
- // Put mandatory params in sorted order
- LinkedHashMap requiredParams = new LinkedHashMap<>();
- requiredParams.put("crv", crv.toString());
- requiredParams.put("kty", getKeyType().getValue());
- requiredParams.put("x", x.toString());
- requiredParams.put("y", y.toString());
- return requiredParams;
- }
-
-
- @Override
- public boolean isPrivate() {
-
- return d != null || privateKey != null;
- }
-
-
- @Override
- public int size() {
-
- ECParameterSpec ecParameterSpec = crv.toECParameterSpec();
-
- if (ecParameterSpec == null) {
- throw new UnsupportedOperationException("Couldn't determine field size for curve " + crv.getName());
- }
-
- return ecParameterSpec.getCurve().getField().getFieldSize();
- }
-
-
- /**
- * Returns a copy of this Elliptic Curve JWK with any private values
- * removed.
- *
- * @return The copied public Elliptic Curve JWK.
- */
- @Override
- public ECKey toPublicJWK() {
-
- return new ECKey(
- getCurve(), getX(), getY(),
- getKeyUse(), getKeyOperations(), getAlgorithm(), getKeyID(),
- getX509CertURL(), getX509CertThumbprint(), getX509CertSHA256Thumbprint(), getX509CertChain(),
- getKeyStore());
- }
-
-
- @Override
- public JSONObject toJSONObject() {
-
- JSONObject o = super.toJSONObject();
-
- // Append EC specific attributes
- o.put("crv", crv.toString());
- o.put("x", x.toString());
- o.put("y", y.toString());
-
- if (d != null) {
- o.put("d", d.toString());
- }
-
- return o;
- }
-
-
- /**
- * Parses a public / private Elliptic Curve JWK from the specified JSON
- * object string representation.
- *
- * @param s The JSON object string to parse. Must not be {@code null}.
- *
- * @return The public / private Elliptic Curve JWK.
- *
- * @throws ParseException If the string couldn't be parsed to an
- * Elliptic Curve JWK.
- */
- public static ECKey parse(final String s)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(s));
- }
-
-
- /**
- * Parses a public / private Elliptic Curve JWK from the specified JSON
- * object representation.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- *
- * @return The public / private Elliptic Curve JWK.
- *
- * @throws ParseException If the JSON object couldn't be parsed to an
- * Elliptic Curve JWK.
- */
- public static ECKey parse(final JSONObject jsonObject)
- throws ParseException {
-
- // Parse the mandatory parameters first
- Curve crv = Curve.parse(JSONObjectUtils.getString(jsonObject, "crv"));
- Base64URL x = new Base64URL(JSONObjectUtils.getString(jsonObject, "x"));
- Base64URL y = new Base64URL(JSONObjectUtils.getString(jsonObject, "y"));
-
- // Check key type
- KeyType kty = JWKMetadata.parseKeyType(jsonObject);
-
- if (kty != KeyType.EC) {
- throw new ParseException("The key type \"kty\" must be EC", 0);
- }
-
- // Get optional private key
- Base64URL d = null;
- if (jsonObject.get("d") != null) {
- d = new Base64URL(JSONObjectUtils.getString(jsonObject, "d"));
- }
-
-
- try {
- if (d == null) {
- // Public key
- return new ECKey(crv, x, y,
- JWKMetadata.parseKeyUse(jsonObject),
- JWKMetadata.parseKeyOperations(jsonObject),
- JWKMetadata.parseAlgorithm(jsonObject),
- JWKMetadata.parseKeyID(jsonObject),
- JWKMetadata.parseX509CertURL(jsonObject),
- JWKMetadata.parseX509CertThumbprint(jsonObject),
- JWKMetadata.parseX509CertSHA256Thumbprint(jsonObject),
- JWKMetadata.parseX509CertChain(jsonObject),
- null);
-
- } else {
- // Key pair
- return new ECKey(crv, x, y, d,
- JWKMetadata.parseKeyUse(jsonObject),
- JWKMetadata.parseKeyOperations(jsonObject),
- JWKMetadata.parseAlgorithm(jsonObject),
- JWKMetadata.parseKeyID(jsonObject),
- JWKMetadata.parseX509CertURL(jsonObject),
- JWKMetadata.parseX509CertThumbprint(jsonObject),
- JWKMetadata.parseX509CertSHA256Thumbprint(jsonObject),
- JWKMetadata.parseX509CertChain(jsonObject),
- null);
- }
-
- } catch (IllegalArgumentException ex) {
-
- // Conflicting 'use' and 'key_ops'
- throw new ParseException(ex.getMessage(), 0);
- }
- }
-
-
- /**
- * Parses a public Elliptic Curve JWK from the specified X.509
- * certificate. Requires BouncyCastle.
- *
- * Important: The X.509 certificate is not
- * validated!
- *
- *
Sets the following JWK parameters:
- *
- *
- * - The curve is obtained from the subject public key info
- * algorithm parameters.
- *
- The JWK use inferred by {@link KeyUse#from}.
- *
- The JWK ID from the X.509 serial number (in base 10).
- *
- The JWK X.509 certificate chain (this certificate only).
- *
- The JWK X.509 certificate SHA-256 thumbprint.
- *
- *
- * @param cert The X.509 certificate. Must not be {@code null}.
- *
- * @return The public Elliptic Curve JWK.
- *
- * @throws JOSEException If parsing failed.
- */
- public static ECKey parse(final X509Certificate cert)
- throws JOSEException {
-
- if (! (cert.getPublicKey() instanceof ECPublicKey)) {
- throw new JOSEException("The public key of the X.509 certificate is not EC");
- }
-
- ECPublicKey publicKey = (ECPublicKey) cert.getPublicKey();
-
- try {
- JcaX509CertificateHolder certHolder = new JcaX509CertificateHolder(cert);
-
- String oid = certHolder.getSubjectPublicKeyInfo().getAlgorithm().getParameters().toString();
-
- Curve crv = Curve.forOID(oid);
-
- if (crv == null) {
- throw new JOSEException("Couldn't determine EC JWK curve for OID " + oid);
- }
-
- MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
-
- return new ECKey.Builder(crv, publicKey)
- .keyUse(KeyUse.from(cert))
- .keyID(cert.getSerialNumber().toString(10))
- .x509CertChain(Collections.singletonList(Base64.encode(cert.getEncoded())))
- .x509CertSHA256Thumbprint(Base64URL.encode(sha256.digest(cert.getEncoded())))
- .build();
- } catch (NoSuchAlgorithmException e) {
- throw new JOSEException("Couldn't encode x5t parameter: " + e.getMessage(), e);
- } catch (CertificateEncodingException e) {
- throw new JOSEException("Couldn't encode x5c parameter: " + e.getMessage(), e);
- }
- }
-
-
- /**
- * Loads a public / private Elliptic Curve JWK from the specified JCA
- * key store. Requires BouncyCastle.
- *
- * Important: The X.509 certificate is not
- * validated!
- *
- * @param keyStore The key store. Must not be {@code null}.
- * @param alias The alias. Must not be {@code null}.
- * @param pin The pin to unlock the private key if any, empty or
- * {@code null} if not required.
- *
- * @return The public / private Elliptic Curve JWK., {@code null} if no
- * key with the specified alias was found.
- *
- * @throws KeyStoreException On a key store exception.
- * @throws JOSEException If EC key loading failed.
- */
- public static ECKey load(final KeyStore keyStore,
- final String alias,
- final char[] pin)
- throws KeyStoreException, JOSEException {
-
- Certificate cert = keyStore.getCertificate(alias);
-
- if (cert == null || ! (cert instanceof X509Certificate)) {
- return null;
- }
-
- X509Certificate x509Cert = (X509Certificate)cert;
-
- if (! (x509Cert.getPublicKey() instanceof ECPublicKey)) {
- throw new JOSEException("Couldn't load EC JWK: The key algorithm is not EC");
- }
-
- ECKey ecJWK = ECKey.parse(x509Cert);
-
- // Let kid=alias
- ecJWK = new ECKey.Builder(ecJWK).keyID(alias).keyStore(keyStore).build();
-
- // Check for private counterpart
- Key key;
- try {
- key = keyStore.getKey(alias, pin);
- } catch (UnrecoverableKeyException | NoSuchAlgorithmException e) {
- throw new JOSEException("Couldn't retrieve private EC key (bad pin?): " + e.getMessage(), e);
- }
-
- if (key instanceof ECPrivateKey) {
- // Simple file based key store
- return new ECKey.Builder(ecJWK)
- .privateKey((ECPrivateKey)key)
- .build();
- } else if (key instanceof PrivateKey && "EC".equalsIgnoreCase(key.getAlgorithm())) {
- // PKCS#11 store
- return new ECKey.Builder(ecJWK)
- .privateKey((PrivateKey)key)
- .build();
- } else {
- return ecJWK;
- }
- }
-
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (!(o instanceof ECKey)) return false;
- if (!super.equals(o)) return false;
- ECKey ecKey = (ECKey) o;
- return Objects.equals(crv, ecKey.crv) &&
- Objects.equals(x, ecKey.x) &&
- Objects.equals(y, ecKey.y) &&
- Objects.equals(d, ecKey.d) &&
- Objects.equals(privateKey, ecKey.privateKey);
- }
-
-
- @Override
- public int hashCode() {
- return Objects.hash(super.hashCode(), crv, x, y, d, privateKey);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECParameterTable.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECParameterTable.java
deleted file mode 100644
index 33a77845..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/ECParameterTable.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.math.BigInteger;
-import java.security.spec.*;
-
-
-/**
- * Elliptic curve parameter table.
- *
- *
Supports the following standard EC JWK curves:
- *
- *
- * - {@link com.nimbusds.jose.jwk.Curve#P_256}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_256K}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_384}
- *
- {@link com.nimbusds.jose.jwk.Curve#P_521}
- *
- *
- * @author Vladimir Dzhuvinov
- * @author Aleksei Doroganov
- * @version 2018-03-28
- */
-class ECParameterTable {
-
-
- /**
- * The parameter spec for a
- * {@link com.nimbusds.jose.jwk.Curve#P_256} curve.
- */
- private static final ECParameterSpec P_256_SPEC;
-
-
- /**
- * The parameter spec for a
- * {@link com.nimbusds.jose.jwk.Curve#P_256K} curve.
- */
- private static final ECParameterSpec P_256K_SPEC;
-
-
- /**
- * The parameter spec for a
- * {@link com.nimbusds.jose.jwk.Curve#P_384} curve.
- */
- private static final ECParameterSpec P_384_SPEC;
-
-
- /**
- * The parameter spec for a
- * {@link com.nimbusds.jose.jwk.Curve#P_521} curve.
- */
- private static final ECParameterSpec P_521_SPEC;
-
-
- /**
- * Simple EC field implementation.
- */
- private static class ECFieldImpl implements ECField {
-
-
- /**
- * The field size.
- */
- private int size;
-
-
- /**
- * Creates a new EC field with the specified size.
- *
- * @param size The EC field size.
- */
- public ECFieldImpl(final int size) {
-
- this.size = size;
- }
-
-
- @Override
- public int getFieldSize() {
- return size;
- }
- }
-
-
- static {
- // Values obtained from org.bouncycastle.jce.ECNamedCurveTable
-
- P_256_SPEC = new ECParameterSpec(
- new EllipticCurve(
- new ECFieldFp(new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853951")),
- new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853948"),
- new BigInteger("41058363725152142129326129780047268409114441015993725554835256314039467401291")),
- new ECPoint(
- new BigInteger("48439561293906451759052585252797914202762949526041747995844080717082404635286"),
- new BigInteger("36134250956749795798585127919587881956611106672985015071877198253568414405109")),
- new BigInteger("115792089210356248762697446949407573529996955224135760342422259061068512044369"),
- 1);
-
- P_256K_SPEC = new ECParameterSpec(
- new EllipticCurve(
- new ECFieldFp(new BigInteger("115792089237316195423570985008687907853269984665640564039457584007908834671663")),
- new BigInteger("0"),
- new BigInteger("7")),
- new ECPoint(
- new BigInteger("55066263022277343669578718895168534326250603453777594175500187360389116729240"),
- new BigInteger("32670510020758816978083085130507043184471273380659243275938904335757337482424")),
- new BigInteger("115792089237316195423570985008687907852837564279074904382605163141518161494337"),
- 1);
-
- P_384_SPEC = new ECParameterSpec(
- new EllipticCurve(
- new ECFieldFp(new BigInteger("39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319")),
- new BigInteger("39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112316"),
- new BigInteger("27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575")),
- new ECPoint(
- new BigInteger("26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087"),
- new BigInteger("8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871")),
- new BigInteger("39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643"),
- 1);
-
- P_521_SPEC = new ECParameterSpec(
- new EllipticCurve(
- new ECFieldFp(new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151")),
- new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057148"),
- new BigInteger("1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984")),
- new ECPoint(
- new BigInteger("2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846"),
- new BigInteger("3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784")),
- new BigInteger("6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449"),
- 1);
- }
-
-
- /**
- * Gets the parameter specification for the specified elliptic curve.
- *
- * @param curve The JWK elliptic curve. May be {@code null}.
- *
- * @return The EC parameter spec, {@code null} if it cannot be
- * determined.
- */
- public static ECParameterSpec get(final Curve curve) {
-
- if (Curve.P_256.equals(curve)) {
- return P_256_SPEC;
- } else if (Curve.P_256K.equals(curve)) {
- return P_256K_SPEC;
- } else if (Curve.P_384.equals(curve)) {
- return P_384_SPEC;
- } else if (Curve.P_521.equals(curve)) {
- return P_521_SPEC;
- } else {
- return null;
- }
- }
-
-
- /**
- * Gets the JWK elliptic curve for the specified parameter
- * specification.
- *
- * @param spec The EC parameter spec. May be {@code null}.
- *
- * @return The JWK elliptic curve, {@code null} if it cannot be
- * determined.
- */
- public static Curve get(final ECParameterSpec spec) {
-
- if (spec == null) {
- return null;
- }
-
- if (spec.getCurve().getField().getFieldSize() == P_256_SPEC.getCurve().getField().getFieldSize() &&
- spec.getCurve().getA().equals(P_256_SPEC.getCurve().getA()) &&
- spec.getCurve().getB().equals(P_256_SPEC.getCurve().getB()) &&
- spec.getGenerator().getAffineX().equals(P_256_SPEC.getGenerator().getAffineX()) &&
- spec.getGenerator().getAffineY().equals(P_256_SPEC.getGenerator().getAffineY()) &&
- spec.getOrder().equals(P_256_SPEC.getOrder()) &&
- spec.getCofactor() == P_256_SPEC.getCofactor()) {
-
- return Curve.P_256;
-
- } else if (spec.getCurve().getField().getFieldSize() == P_256K_SPEC.getCurve().getField().getFieldSize() &&
- spec.getCurve().getA().equals(P_256K_SPEC.getCurve().getA()) &&
- spec.getCurve().getB().equals(P_256K_SPEC.getCurve().getB()) &&
- spec.getGenerator().getAffineX().equals(P_256K_SPEC.getGenerator().getAffineX()) &&
- spec.getGenerator().getAffineY().equals(P_256K_SPEC.getGenerator().getAffineY()) &&
- spec.getOrder().equals(P_256K_SPEC.getOrder()) &&
- spec.getCofactor() == P_256K_SPEC.getCofactor()) {
-
- return Curve.P_256K;
-
- } else if (spec.getCurve().getField().getFieldSize() == P_384_SPEC.getCurve().getField().getFieldSize() &&
- spec.getCurve().getA().equals(P_384_SPEC.getCurve().getA()) &&
- spec.getCurve().getB().equals(P_384_SPEC.getCurve().getB()) &&
- spec.getGenerator().getAffineX().equals(P_384_SPEC.getGenerator().getAffineX()) &&
- spec.getGenerator().getAffineY().equals(P_384_SPEC.getGenerator().getAffineY()) &&
- spec.getOrder().equals(P_384_SPEC.getOrder()) &&
- spec.getCofactor() == P_384_SPEC.getCofactor()) {
-
- return Curve.P_384;
-
- } else if (spec.getCurve().getField().getFieldSize() == P_521_SPEC.getCurve().getField().getFieldSize() &&
- spec.getCurve().getA().equals(P_521_SPEC.getCurve().getA()) &&
- spec.getCurve().getB().equals(P_521_SPEC.getCurve().getB()) &&
- spec.getGenerator().getAffineX().equals(P_521_SPEC.getGenerator().getAffineX()) &&
- spec.getGenerator().getAffineY().equals(P_521_SPEC.getGenerator().getAffineY()) &&
- spec.getOrder().equals(P_521_SPEC.getOrder()) &&
- spec.getCofactor() == P_521_SPEC.getCofactor()) {
-
- return Curve.P_521;
-
- } else {
- return null;
- }
- }
-
-
- /**
- * Prevents public instantiation.
- */
- private ECParameterTable() {
-
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWK.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWK.java
deleted file mode 100644
index a64b579b..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWK.java
+++ /dev/null
@@ -1,845 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2016, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.io.Serializable;
-import java.net.URI;
-import java.security.*;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.security.spec.ECParameterSpec;
-import java.text.ParseException;
-import java.util.*;
-
-import net.minidev.json.JSONAware;
-import net.minidev.json.JSONObject;
-
-import com.nimbusds.jose.Algorithm;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.util.Base64;
-import com.nimbusds.jose.util.*;
-
-
-/**
- * The base abstract class for JSON Web Keys (JWKs). It serialises to a JSON
- * object.
- *
- * The following JSON object members are common to all JWK types:
- *
- *
- * - {@link #getKeyType kty} (required)
- *
- {@link #getKeyUse use} (optional)
- *
- {@link #getKeyOperations key_ops} (optional)
- *
- {@link #getKeyID kid} (optional)
- *
- {@link #getX509CertURL() x5u} (optional)
- *
- {@link #getX509CertThumbprint() x5t} (optional)
- *
- {@link #getX509CertSHA256Thumbprint() x5t#S256} (optional)
- *
- {@link #getX509CertChain() x5c} (optional)
- *
- {@link #getKeyStore()}
- *
- *
- * Example JWK (of the Elliptic Curve type):
- *
- *
- * {
- * "kty" : "EC",
- * "crv" : "P-256",
- * "x" : "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
- * "y" : "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
- * "use" : "enc",
- * "kid" : "1"
- * }
- *
- *
- * @author Vladimir Dzhuvinov
- * @author Justin Richer
- * @author Stefan Larsson
- * @version 2019-04-15
- */
-public abstract class JWK implements JSONAware, Serializable {
-
-
- private static final long serialVersionUID = 1L;
-
-
- /**
- * The MIME type of JWK objects:
- * {@code application/jwk+json; charset=UTF-8}
- */
- public static final String MIME_TYPE = "application/jwk+json; charset=UTF-8";
-
-
- /**
- * The key type, required.
- */
- private final KeyType kty;
-
-
- /**
- * The key use, optional.
- */
- private final KeyUse use;
-
-
- /**
- * The key operations, optional.
- */
- private final Set ops;
-
-
- /**
- * The intended JOSE algorithm for the key, optional.
- */
- private final Algorithm alg;
-
-
- /**
- * The key ID, optional.
- */
- private final String kid;
-
-
- /**
- * X.509 certificate URL, optional.
- */
- private final URI x5u;
-
-
- /**
- * X.509 certificate SHA-1 thumbprint, optional.
- */
- @Deprecated
- private final Base64URL x5t;
-
-
- /**
- * X.509 certificate SHA-256 thumbprint, optional.
- */
- private Base64URL x5t256;
-
-
- /**
- * The X.509 certificate chain, optional.
- */
- private final List x5c;
-
-
- /**
- * The parsed X.509 certificate chain, optional.
- */
- private final List parsedX5c;
-
-
- /**
- * Reference to the underlying key store, {@code null} if none.
- */
- private final KeyStore keyStore;
-
-
- /**
- * Creates a new JSON Web Key (JWK).
- *
- * @param kty The key type. Must not be {@code null}.
- * @param use The key use, {@code null} if not specified or if the
- * key is intended for signing as well as encryption.
- * @param ops The key operations, {@code null} if not specified.
- * @param alg The intended JOSE algorithm for the key, {@code null}
- * if not specified.
- * @param kid The key ID, {@code null} if not specified.
- * @param x5u The X.509 certificate URL, {@code null} if not
- * specified.
- * @param x5t The X.509 certificate thumbprint, {@code null} if not
- * specified.
- * @param x5t256 The X.509 certificate SHA-256 thumbprint, {@code null}
- * if not specified.
- * @param x5c The X.509 certificate chain, {@code null} if not
- * specified.
- * @param ks Reference to the underlying key store, {@code null} if
- * none.
- */
- protected JWK(final KeyType kty,
- final KeyUse use,
- final Set ops,
- final Algorithm alg,
- final String kid,
- final URI x5u,
- final Base64URL x5t,
- final Base64URL x5t256,
- final List x5c,
- final KeyStore ks) {
-
- if (kty == null) {
- throw new IllegalArgumentException("The key type \"kty\" parameter must not be null");
- }
-
- this.kty = kty;
-
- if (! KeyUseAndOpsConsistency.areConsistent(use, ops)) {
- throw new IllegalArgumentException("The key use \"use\" and key options \"key_opts\" parameters are not consistent, " +
- "see RFC 7517, section 4.3");
- }
-
- this.use = use;
- this.ops = ops;
-
- this.alg = alg;
- this.kid = kid;
-
- this.x5u = x5u;
- this.x5t = x5t;
- this.x5t256 = x5t256;
-
- if (x5c != null && x5c.isEmpty()) {
- throw new IllegalArgumentException("The X.509 certificate chain \"x5c\" must not be empty");
- }
- this.x5c = x5c;
-
- try {
- parsedX5c = X509CertChainUtils.parse(x5c);
- } catch (ParseException e) {
- throw new IllegalArgumentException("Invalid X.509 certificate chain \"x5c\": " + e.getMessage(), e);
- }
-
- this.keyStore = ks;
- }
-
-
- /**
- * Gets the type ({@code kty}) of this JWK.
- *
- * @return The key type.
- */
- public KeyType getKeyType() {
-
- return kty;
- }
-
-
- /**
- * Gets the use ({@code use}) of this JWK.
- *
- * @return The key use, {@code null} if not specified or if the key is
- * intended for signing as well as encryption.
- */
- public KeyUse getKeyUse() {
-
- return use;
- }
-
-
- /**
- * Gets the operations ({@code key_ops}) for this JWK.
- *
- * @return The key operations, {@code null} if not specified.
- */
- public Set getKeyOperations() {
-
- return ops;
- }
-
-
- /**
- * Gets the intended JOSE algorithm ({@code alg}) for this JWK.
- *
- * @return The intended JOSE algorithm, {@code null} if not specified.
- */
- public Algorithm getAlgorithm() {
-
- return alg;
- }
-
-
- /**
- * Gets the ID ({@code kid}) of this JWK. The key ID can be used to
- * match a specific key. This can be used, for instance, to choose a
- * key within a {@link JWKSet} during key rollover. The key ID may also
- * correspond to a JWS/JWE {@code kid} header parameter value.
- *
- * @return The key ID, {@code null} if not specified.
- */
- public String getKeyID() {
-
- return kid;
- }
-
-
- /**
- * Gets the X.509 certificate URL ({@code x5u}) of this JWK.
- *
- * @return The X.509 certificate URL, {@code null} if not specified.
- */
- public URI getX509CertURL() {
-
- return x5u;
- }
-
-
- /**
- * Gets the X.509 certificate SHA-1 thumbprint ({@code x5t}) of this
- * JWK.
- *
- * @return The X.509 certificate SHA-1 thumbprint, {@code null} if not
- * specified.
- */
- @Deprecated
- public Base64URL getX509CertThumbprint() {
-
- return x5t;
- }
-
-
- /**
- * Gets the X.509 certificate SHA-256 thumbprint ({@code x5t#S256}) of
- * this JWK.
- *
- * @return The X.509 certificate SHA-256 thumbprint, {@code null} if
- * not specified.
- */
- public Base64URL getX509CertSHA256Thumbprint() {
-
- return x5t256;
- }
-
-
- /**
- * Gets the X.509 certificate chain ({@code x5c}) of this JWK.
- *
- * @return The X.509 certificate chain as a unmodifiable list,
- * {@code null} if not specified.
- */
- public List getX509CertChain() {
-
- if (x5c == null) {
- return null;
- }
-
- return Collections.unmodifiableList(x5c);
- }
-
-
- /**
- * Gets the parsed X.509 certificate chain ({@code x5c}) of this JWK.
- *
- * @return The X.509 certificate chain as a unmodifiable list,
- * {@code null} if not specified.
- */
- public List getParsedX509CertChain() {
-
- if (parsedX5c == null) {
- return null;
- }
-
- return Collections.unmodifiableList(parsedX5c);
- }
-
-
- /**
- * Returns a reference to the underlying key store.
- *
- * @return The underlying key store, {@code null} if none.
- */
- public KeyStore getKeyStore() {
-
- return keyStore;
- }
-
-
- /**
- * Returns the required JWK parameters. Intended as input for JWK
- * thumbprint computation. See RFC 7638 for more information.
- *
- * @return The required JWK parameters, sorted alphanumerically by key
- * name and ready for JSON serialisation.
- */
- public abstract LinkedHashMap getRequiredParams();
-
-
- /**
- * Computes the SHA-256 thumbprint of this JWK. See RFC 7638 for more
- * information.
- *
- * @return The SHA-256 thumbprint.
- *
- * @throws JOSEException If the SHA-256 hash algorithm is not
- * supported.
- */
- public Base64URL computeThumbprint()
- throws JOSEException {
-
- return computeThumbprint("SHA-256");
- }
-
-
- /**
- * Computes the thumbprint of this JWK using the specified hash
- * algorithm. See RFC 7638 for more information.
- *
- * @param hashAlg The hash algorithm. Must not be {@code null}.
- *
- * @return The SHA-256 thumbprint.
- *
- * @throws JOSEException If the hash algorithm is not supported.
- */
- public Base64URL computeThumbprint(final String hashAlg)
- throws JOSEException {
-
- return ThumbprintUtils.compute(hashAlg, this);
- }
-
-
- /**
- * Returns {@code true} if this JWK contains private or sensitive
- * (non-public) parameters.
- *
- * @return {@code true} if this JWK contains private parameters, else
- * {@code false}.
- */
- public abstract boolean isPrivate();
-
-
- /**
- * Creates a copy of this JWK with all private or sensitive parameters
- * removed.
- *
- * @return The newly created public JWK, or {@code null} if none can be
- * created.
- */
- public abstract JWK toPublicJWK();
-
-
- /**
- * Returns the size of this JWK.
- *
- * @return The JWK size, in bits.
- */
- public abstract int size();
-
-
- /**
- * Returns a JSON object representation of this JWK. This method is
- * intended to be called from extending classes.
- *
- * Example:
- *
- *
- * {
- * "kty" : "RSA",
- * "use" : "sig",
- * "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b"
- * }
- *
- *
- * @return The JSON object representation.
- */
- public JSONObject toJSONObject() {
-
- JSONObject o = new JSONObject();
-
- o.put("kty", kty.getValue());
-
- if (use != null) {
- o.put("use", use.identifier());
- }
-
- if (ops != null) {
-
- List sl = new ArrayList<>(ops.size());
-
- for (KeyOperation op: ops) {
- sl.add(op.identifier());
- }
-
- o.put("key_ops", sl);
- }
-
- if (alg != null) {
- o.put("alg", alg.getName());
- }
-
- if (kid != null) {
- o.put("kid", kid);
- }
-
- if (x5u != null) {
- o.put("x5u", x5u.toString());
- }
-
- if (x5t != null) {
- o.put("x5t", x5t.toString());
- }
-
- if (x5t256 != null) {
- o.put("x5t#S256", x5t256.toString());
- }
-
- if (x5c != null) {
- o.put("x5c", x5c);
- }
-
- return o;
- }
-
-
- /**
- * Returns the JSON object string representation of this JWK.
- *
- * @return The JSON object string representation.
- */
- @Override
- public String toJSONString() {
-
- return toJSONObject().toString();
- }
-
-
- /**
- * @see #toJSONString
- */
- @Override
- public String toString() {
-
- return toJSONObject().toString();
- }
-
-
- /**
- * Parses a JWK from the specified JSON object string representation.
- * The JWK must be an {@link ECKey}, an {@link RSAKey}, or a
- * {@link OctetSequenceKey}.
- *
- * @param s The JSON object string to parse. Must not be {@code null}.
- *
- * @return The JWK.
- *
- * @throws ParseException If the string couldn't be parsed to a
- * supported JWK.
- */
- public static JWK parse(final String s)
- throws ParseException {
-
- return parse(JSONObjectUtils.parse(s));
- }
-
-
- /**
- * Parses a JWK from the specified JSON object representation. The JWK
- * must be an {@link ECKey}, an {@link RSAKey}, or a
- * {@link OctetSequenceKey}.
- *
- * @param jsonObject The JSON object to parse. Must not be
- * {@code null}.
- *
- * @return The JWK.
- *
- * @throws ParseException If the JSON object couldn't be parsed to a
- * supported JWK.
- */
- public static JWK parse(final JSONObject jsonObject)
- throws ParseException {
-
- KeyType kty = KeyType.parse(JSONObjectUtils.getString(jsonObject, "kty"));
-
- if (kty == KeyType.EC) {
-
- return ECKey.parse(jsonObject);
-
- } else if (kty == KeyType.RSA) {
-
- return RSAKey.parse(jsonObject);
-
- } else if (kty == KeyType.OCT) {
-
- return OctetSequenceKey.parse(jsonObject);
-
- } else if (kty == KeyType.OKP) {
-
- return OctetKeyPair.parse(jsonObject);
-
- } else {
-
- throw new ParseException("Unsupported key type \"kty\" parameter: " + kty, 0);
- }
- }
-
-
- /**
- * Parses a public {@link RSAKey RSA} or {@link ECKey EC JWK} from the
- * specified X.509 certificate. Requires BouncyCastle.
- *
- * Important: The X.509 certificate is not
- * validated!
- *
- *
Sets the following JWK parameters:
- *
- *
- * - For an EC key the curve is obtained from the subject public
- * key info algorithm parameters.
- *
- The JWK use inferred by {@link KeyUse#from}.
- *
- The JWK ID from the X.509 serial number (in base 10).
- *
- The JWK X.509 certificate chain (this certificate only).
- *
- The JWK X.509 certificate SHA-256 thumbprint.
- *
- *
- * @param cert The X.509 certificate. Must not be {@code null}.
- *
- * @return The public RSA or EC JWK.
- *
- * @throws JOSEException If parsing failed.
- */
- public static JWK parse(final X509Certificate cert)
- throws JOSEException {
-
- if (cert.getPublicKey() instanceof RSAPublicKey) {
- return RSAKey.parse(cert);
- } else if (cert.getPublicKey() instanceof ECPublicKey) {
- return ECKey.parse(cert);
- } else {
- throw new JOSEException("Unsupported public key algorithm: " + cert.getPublicKey().getAlgorithm());
- }
- }
-
-
- /**
- * Parses a public {@link RSAKey RSA} or {@link ECKey EC JWK} from the
- * specified PEM-encoded X.509 certificate. Requires BouncyCastle.
- *
- * Important: The X.509 certificate is not
- * validated!
- *
- *
Sets the following JWK parameters:
- *
- *
- * - For an EC key the curve is obtained from the subject public
- * key info algorithm parameters.
- *
- The JWK use inferred by {@link KeyUse#from}.
- *
- The JWK ID from the X.509 serial number (in base 10).
- *
- The JWK X.509 certificate chain (this certificate only).
- *
- The JWK X.509 certificate SHA-256 thumbprint.
- *
- *
- * @param pemEncodedCert The PEM-encoded X.509 certificate. Must not be
- * {@code null}.
- *
- * @return The public RSA or EC JWK.
- *
- * @throws JOSEException If parsing failed.
- */
- public static JWK parseFromPEMEncodedX509Cert(final String pemEncodedCert)
- throws JOSEException {
-
- X509Certificate cert = X509CertUtils.parse(pemEncodedCert);
-
- if (cert == null) {
- throw new JOSEException("Couldn't parse PEM-encoded X.509 certificate");
- }
-
- return parse(cert);
- }
-
-
- /**
- * Loads a JWK from the specified JCE key store. The JWK can be a
- * public / private {@link RSAKey RSA key}, a public / private
- * {@link ECKey EC key}, or a {@link OctetSequenceKey secret key}.
- * Requires BouncyCastle.
- *
- * Important: The X.509 certificate is not
- * validated!
- *
- * @param keyStore The key store. Must not be {@code null}.
- * @param alias The alias. Must not be {@code null}.
- * @param pin The pin to unlock the private key if any, empty or
- * {@code null} if not required.
- *
- * @return The public / private RSA or EC JWK, or secret JWK, or
- * {@code null} if no key with the specified alias was found.
- *
- * @throws KeyStoreException On a key store exception.
- * @throws JOSEException If RSA or EC key loading failed.
- */
- public static JWK load(final KeyStore keyStore, final String alias, final char[] pin)
- throws KeyStoreException, JOSEException {
-
- java.security.cert.Certificate cert = keyStore.getCertificate(alias);
-
- if (cert == null) {
- // Try secret key
- return OctetSequenceKey.load(keyStore, alias, pin);
- }
-
- if (cert.getPublicKey() instanceof RSAPublicKey) {
- return RSAKey.load(keyStore, alias, pin);
- } else if (cert.getPublicKey() instanceof ECPublicKey) {
- return ECKey.load(keyStore, alias, pin);
- } else {
- throw new JOSEException("Unsupported public key algorithm: " + cert.getPublicKey().getAlgorithm());
- }
- }
-
- /**
- * Parses an RSA or EC JWK from the specified string of one or more
- * PEM-encoded object(s):
- *
- *
- * - X.509 certificate (PEM header: BEGIN CERTIFICATE)
- *
- PKCS#1 RSAPublicKey (PEM header: BEGIN RSA PUBLIC KEY)
- *
- X.509 SubjectPublicKeyInfo (PEM header: BEGIN PUBLIC KEY)
- *
- PKCS#1 RSAPrivateKey (PEM header: BEGIN RSA PRIVATE KEY)
- *
- PKCS#8 PrivateKeyInfo (PEM header: BEGIN PRIVATE KEY)
- *
- matching pair of the above
- *
- *
- * Requires BouncyCastle.
- *
- * @param pemEncodedObjects The string of PEM-encoded object(s).
- *
- * @return The public / (private) RSA or EC JWK.
- *
- * @throws JOSEException If RSA or EC key parsing failed.
- */
- public static JWK parseFromPEMEncodedObjects(final String pemEncodedObjects)
- throws JOSEException {
-
- final List keys = PEMEncodedKeyParser.parseKeys(pemEncodedObjects);
- if (keys.isEmpty()) {
- throw new JOSEException("No PEM-encoded keys found");
- }
-
- final KeyPair pair = mergeKeyPairs(toKeyPairList(pemEncodedObjects));
-
- final PublicKey publicKey = pair.getPublic();
- final PrivateKey privateKey = pair.getPrivate();
-
- if (publicKey instanceof ECPublicKey) {
- final ECPublicKey ecPubKey = (ECPublicKey) publicKey;
- final ECParameterSpec pubParams = ecPubKey.getParams();
-
- if (privateKey instanceof ECPrivateKey) {
- validateEcCurves(ecPubKey, (ECPrivateKey) privateKey);
- }
- if (privateKey != null && !(privateKey instanceof ECPrivateKey)) {
- throw new JOSEException("Unsupported EC private key type: " + privateKey);
- }
-
- final Curve curve = Curve.forECParameterSpec(pubParams);
- final ECKey.Builder builder = new ECKey.Builder(curve, (ECPublicKey) publicKey);
-
- if (privateKey != null) {
- builder.privateKey((ECPrivateKey) privateKey);
- }
- return builder.build();
- }
-
- if (publicKey instanceof RSAPublicKey) {
- final RSAKey.Builder builder = new RSAKey.Builder((RSAPublicKey) publicKey);
- if (privateKey instanceof RSAPrivateKey) {
- builder.privateKey((RSAPrivateKey) privateKey);
- } else if (privateKey != null) {
- throw new JOSEException("Unsupported RSA private key type: " + privateKey);
- }
- return builder.build();
- }
-
- throw new JOSEException("Unsupported algorithm of PEM-encoded key: " + publicKey.getAlgorithm());
- }
-
-
- private static void validateEcCurves(ECPublicKey publicKey, ECPrivateKey privateKey) throws JOSEException {
- final ECParameterSpec pubParams = publicKey.getParams();
- final ECParameterSpec privParams = privateKey.getParams();
- if (!pubParams.getCurve().equals(privParams.getCurve())) {
- throw new JOSEException("Public/private EC key curve mismatch: " + publicKey);
- }
- if (pubParams.getCofactor() != privParams.getCofactor()) {
- throw new JOSEException("Public/private EC key cofactor mismatch: " + publicKey);
- }
- if (!pubParams.getGenerator().equals(privParams.getGenerator())) {
- throw new JOSEException("Public/private EC key generator mismatch: " + publicKey);
- }
- if (!pubParams.getOrder().equals(privParams.getOrder())) {
- throw new JOSEException("Public/private EC key order mismatch: " + publicKey);
- }
- }
-
-
- private static KeyPair mergeKeyPairs(final List keys) throws JOSEException {
- final KeyPair pair;
- if (keys.size() == 1) {
- // Assume public key, or private key easy to convert to public,
- // otherwise not representable as a JWK
- pair = keys.get(0);
- } else if (keys.size() == 2) {
- // If two keys, assume public + private keys separated
- pair = twoKeysToKeyPair(keys);
- } else {
- throw new JOSEException("Expected key or pair of PEM-encoded keys");
- }
- return pair;
- }
-
-
- private static List toKeyPairList(final String pem) throws JOSEException {
- final List keys = PEMEncodedKeyParser.parseKeys(pem);
- if (keys.isEmpty()) {
- throw new JOSEException("No PEM-encoded keys found");
- }
- return keys;
- }
-
-
- private static KeyPair twoKeysToKeyPair(final List keys) throws JOSEException {
- final KeyPair key1 = keys.get(0);
- final KeyPair key2 = keys.get(1);
- if (key1.getPublic() != null && key2.getPrivate() != null) {
- return new KeyPair(key1.getPublic(), key2.getPrivate());
- } else if (key1.getPrivate() != null && key2.getPublic() != null) {
- return new KeyPair(key2.getPublic(), key1.getPrivate());
- } else {
- throw new JOSEException("Not a public/private key pair");
- }
- }
-
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (!(o instanceof JWK)) return false;
- JWK jwk = (JWK) o;
- return Objects.equals(kty, jwk.kty) &&
- Objects.equals(use, jwk.use) &&
- Objects.equals(ops, jwk.ops) &&
- Objects.equals(alg, jwk.alg) &&
- Objects.equals(kid, jwk.kid) &&
- Objects.equals(x5u, jwk.x5u) &&
- Objects.equals(x5t, jwk.x5t) &&
- Objects.equals(x5t256, jwk.x5t256) &&
- Objects.equals(x5c, jwk.x5c) &&
- Objects.equals(parsedX5c, jwk.parsedX5c) &&
- Objects.equals(keyStore, jwk.keyStore);
- }
-
-
- @Override
- public int hashCode() {
- return Objects.hash(kty, use, ops, alg, kid, x5u, x5t, x5t256, x5c, parsedX5c, keyStore);
- }
-}
diff --git a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java b/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java
deleted file mode 100644
index de8b79c0..00000000
--- a/maxkey-jose-jwt/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java
+++ /dev/null
@@ -1,1377 +0,0 @@
-/*
- * nimbus-jose-jwt
- *
- * Copyright 2012-2019, Connect2id Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
- * this file except in compliance with the License. You may obtain a copy of the
- * License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed
- * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
- * CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-
-package com.nimbusds.jose.jwk;
-
-
-import java.util.*;
-
-import com.nimbusds.jose.Algorithm;
-import com.nimbusds.jose.JWEHeader;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.util.Base64URL;
-import net.jcip.annotations.Immutable;
-
-
-/**
- * JSON Web Key (JWK) matcher. May be used to ensure a JWK matches a set of
- * application-specific criteria.
- *
- * Supported key matching criteria:
- *
- *
- * - Any, unspecified, one or more key types (typ).
- *
- Any, unspecified, one or more key uses (use).
- *
- Any, unspecified, one or more key operations (key_ops).
- *
- Any, unspecified, one or more key algorithms (alg).
- *
- Any, unspecified, one or more key identifiers (kid).
- *
- Private only key.
- *
- Public only key.
- *
- Minimum, maximum or exact key sizes.
- *
- Any, unspecified, one or more curves for EC and OKP keys (crv).
- *
- X.509 certificate SHA-256 thumbprint.
- *
- *
- * Matching by JWK thumbprint (RFC 7638), X.509 certificate URL and X.509
- * certificate chain is not supported.
- *
- * @author Vladimir Dzhuvinov
- * @author Josh Cummings
- * @version 2018-06-13
- */
-@Immutable
-public class JWKMatcher {
-
-
- /**
- * The key types to match.
- */
- private final Set types;
-
-
- /**
- * The public key uses to match.
- */
- private final Set uses;
-
-
- /**
- * The key operations to match.
- */
- private final Set ops;
-
-
- /**
- * The algorithms to match.
- */
- private final Set algs;
-
-
- /**
- * The key IDs to match.
- */
- private final Set ids;
-
-
- /**
- * {@code true} to match a key with a set use.
- */
- private final boolean hasUse;
-
-
- /**
- * {@code true} to match a key with a set ID.
- */
- private final boolean hasID;
-
-
- /**
- * {@code true} to match a private key.
- */
- private final boolean privateOnly;
-
-
- /**
- * {@code true} to match a public only key.
- */
- private final boolean publicOnly;
-
-
- /**
- * The minimum key size in bits, zero implies no minimum size limit.
- */
- private final int minSizeBits;
-
-
- /**
- * The maximum key size in bits, zero implies no maximum size limit.
- */
- private final int maxSizeBits;
-
-
- /**
- * The key sizes in bits.
- */
- private final Set sizesBits;
-
-
- /**
- * The curves to match (for EC and OKP keys).
- */
- private final Set curves;
-
-
- /**
- * The X.509 certificate SHA-256 thumbprints to match.
- */
- private final Set x5tS256s;
-
-
- /**
- * Builder for constructing JWK matchers.
- *
- * Example usage:
- *
- *
- * JWKMatcher matcher = new JWKMatcher().keyID("123").build();
- *
- */
- public static class Builder {
-
-
- /**
- * The key types to match.
- */
- private Set types;
-
-
- /**
- * The public key uses to match.
- */
- private Set uses;
-
-
- /**
- * The key operations to match.
- */
- private Set ops;
-
-
- /**
- * The algorithms to match.
- */
- private Set algs;
-
-
- /**
- * The key IDs to match.
- */
- private Set