Class EncryptedJwt

java.lang.Object
io.helidon.security.jwt.EncryptedJwt

public final class EncryptedJwt extends Object
The JWT in the form used to transfer content across the network, i.e. the base64 parts concatenated with dots. The content of the transferred JWT is encrypted with one of the supported ciphers listed in EncryptedJwt.SupportedEncryption. The content encryption key is randomly generated and encrypted with the selected EncryptedJwt.SupportedAlgorithm algorithm. A new key and initialization vector are generated automatically for each encrypted JWT.
  • Method Details

    • builder

      public static EncryptedJwt.Builder builder(SignedJwt jwt)
      Builder of the Encrypted JWT.
      Parameters:
      jwt - jwt to be encrypted
      Returns:
      encrypted jwt builder instance
    • create

      public static EncryptedJwt create(SignedJwt jwt, Jwk jwk)
      Create a new EncryptedJwt. Content is encrypted with EncryptedJwt.SupportedEncryption.A256GCM and the content encryption key is encrypted with EncryptedJwt.SupportedAlgorithm.RSA_OAEP for transport.
      Parameters:
      jwt - jwt to be encrypted
      jwk - jwk used for content key encryption
      Returns:
      encrypted jwt instance
    • parseToken

      public static EncryptedJwt parseToken(String token)
      Parse a token received over the network. The expected content is jwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64 where base64 is base64 URL encoding. Use this method if you already know that this is an encrypted token; use parseToken(JwtHeaders, String) if the header had to be parsed separately to identify the token type. This method does NO validation of the content at all; it only checks that the content is correctly formatted:
      • correct format of the string (i.e. base64.base64.base64.base64.base64)
      • each base64 part is actually base64 URL encoded
      • the header is a JSON object
      Parameters:
      token - String with the token
      Returns:
      Encrypted jwt parts
      Throws:
      RuntimeException - in case of invalid content, see Errors.ErrorMessagesException
    • parseToken

      public static EncryptedJwt parseToken(JwtHeaders header, String token)
      Parse a token received over the network. The expected content is jwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64 where base64 is base64 URL encoding. Use this method if you have a pre-parsed header, otherwise use parseToken(String). This method does NO validation of the content at all; it only checks that the content is correctly formatted:
      • correct format of the string (i.e. base64.base64.base64.base64.base64)
      • each base64 part is actually base64 URL encoded
      • the header is a JSON object
      Parameters:
      header - parsed JWT header
      token - String with the token
      Returns:
      Encrypted jwt parts
      Throws:
      RuntimeException - in case of invalid content, see Errors.ErrorMessagesException
    • addKekValidator

      public static void addKekValidator(Collection<Validator<EncryptedJwt>> validators, String expectedKekAlg, boolean mandatory)
      Add a validator of the KEK (key encryption key) algorithm to the collection of validators.
      Parameters:
      validators - collection of validators
      expectedKekAlg - audience key encryption key algorithm
      mandatory - whether the alg field is mandatory in the token
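The five-part compact format that parseToken accepts, its three format-only checks, and the alg check that addKekValidator adds are small enough to show end to end. The block below is an added stand-alone illustration written for this page, not Helidon code; the sample token is constructed here, with a real JSON header and placeholder bytes in place of the wrapped key, IV, ciphertext and tag, and the function names are this example's own.

```python
import base64
import json

_B64URL = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")  # RFC 7515 base64url, no padding

def _b64url_decode(part):
    # urlsafe_b64decode silently drops foreign characters and accepts '+' and '/', so enforce
    # the alphabet (and reject the impossible 4n+1 length) ourselves before decoding.
    if not part or not set(part) <= _B64URL or len(part) % 4 == 1:
        raise ValueError("part is not base64 URL encoded: %r" % part)
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def parse_token(token):
    """Split header.encrypted_key.iv.ciphertext.tag and apply only the three format checks."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("expected 5 dot-separated parts, got %d" % len(parts))
    header_raw, enc_key, iv, payload, tag = (_b64url_decode(p) for p in parts)
    try:
        headers = json.loads(header_raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("header is not valid JSON")
    if not isinstance(headers, dict):
        raise ValueError("header is not a JSON object")
    # Nothing is decrypted and the GCM tag is not verified here; both need the private key.
    return {"headers": headers, "encrypted_key": enc_key, "iv": iv,
            "encrypted_payload": payload, "auth_tag": tag}

def is_well_formed(token):
    try:
        parse_token(token)
        return True
    except ValueError:
        return False

def check_kek_alg(parsed, expected_kek_alg, mandatory):
    """Mirror addKekValidator: 'alg' must be the expected KEK algorithm; absence is an error only if mandatory."""
    alg = parsed["headers"].get("alg")
    if alg is None:
        return ["kek alg header is missing"] if mandatory else []
    return [] if alg == expected_kek_alg else ["unexpected kek alg %r" % alg]

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

# Constructed sample: real JSON header, placeholder bytes (not real ciphertext) for the other four parts.
SAMPLE_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "example-key-1"}
SAMPLE_TOKEN = ".".join([_b64url_encode(json.dumps(SAMPLE_HEADER).encode("utf-8")),
                         _b64url_encode(b"\x01" * 256), _b64url_encode(b"\x02" * 12),   # wrapped CEK, 96-bit IV
                         _b64url_encode(b"\x03" * 20), _b64url_encode(b"\x04" * 16)])   # ciphertext, GCM tag
```

A token that passes parse_token is only well formed; whether it is genuine is decided later, when the tag is verified during decryption with the private key.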
    • decrypt

      public SignedJwt decrypt(JwkKeys jwkKeys)
      Decrypt the SignedJwt from the content of the encrypted JWT. The encrypted JWT needs to have the "kid" header specified so that the Jwk can be determined from the JwkKeys instance. The selected Jwk needs to have its private key set.
      Parameters:
      jwkKeys - jwk keys
      Returns:
      empty optional if any error has occurred, or a SignedJwt instance if the decryption and validation were successful
    • decrypt

      public SignedJwt decrypt(Jwk jwk)
      Decrypt the SignedJwt from the content of the encrypted JWT. The provided Jwk is used for content key decryption and needs to have its private key set.
      Parameters:
      jwk - jwk keys
      Returns:
      empty optional if any error has occurred, or a SignedJwt instance if the decryption and validation were successful
    • decrypt

      public SignedJwt decrypt(JwkKeys jwkKeys, Jwk defaultJwk)
      Decrypt the SignedJwt from the content of the encrypted JWT. If the kid header is present among the encrypted JWT headers, it is used to select the corresponding key from jwkKeys; if no kid is present, the provided default Jwk is used. The Jwk that is used needs to have its private key set.
      Parameters:
      jwkKeys - jwk keys
      defaultJwk - default jwk
      Returns:
      empty optional if any error has occurred, or a SignedJwt instance if the decryption and validation were successful
    • headers

      public JwtHeaders headers()
      Encrypted JWT headers.
      Returns:
      headers of the encrypted JWT
    • token

      public String token()
      Encrypted JWT as token.
      Returns:
      encrypted jwt token
    • iv

      public byte[] iv()
      Initialization vector for the encrypted content.
      Returns:
      initialization vector
    • encryptedKey

      public byte[] encryptedKey()
      Encrypted content encryption key.
      Returns:
      content encryption key
    • authTag

      public byte[] authTag()
      Authentication tag of the encrypted content.
      Returns:
      authentication tag
    • encryptedPayload

      public byte[] encryptedPayload()
      Encrypted content.
      Returns:
      encrypted content
    • validate

      public Errors validate(List<Validator<EncryptedJwt>> validators)
      Validate this Encrypted JWT against provided validators.
      Parameters:
      validators - Validators to validate with.
      Returns:
      errors instance to check if valid and access error messages