Module io.helidon.security.jwt
Package io.helidon.security.jwt

Class EncryptedJwt

  • public final class EncryptedJwt
extends Object
    The JWT used to transfer content across network - e.g. the base64 parts concatenated with a dot. The content of the transferred JWT is encrypted by one of the supported ciphers mentioned here EncryptedJwt.SupportedEncryption. Key for the content encryption is randomly generated and encrypted by selected EncryptedJwt.SupportedAlgorithm algorithm. A new key and initialization vector is being generated automatically for each encrypted JWT.

    • Method Detail

      • builder

        public static EncryptedJwt.Builder builder​(SignedJwt jwt)
        Builder of the Encrypted JWT.
        Parameters:
        jwt - jwt to be encrypted
        Returns:
        encrypted jwt builder instance

      • parseToken

        public static EncryptedJwt parseToken​(String token)
        Parse a token received over network. The expected content is jwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64 where base64 is base64 URL encoding. Use this method if you have previous knowledge of this being an encrypted token. Use parseToken(JwtHeaders, String) if header had to be parsed separately to identify token type. This method does NO validation of content at all, only validates that the content is correctly formatted:
        • correct format of string (e.g. base64.base64.base64.base64.base64)
        • each base64 part is actually base64 URL encoded
        • header is JSON object
        Parameters:
        token - String with the token
        Returns:
        Encrypted jwt parts
        Throws:
        RuntimeException - in case of invalid content, see Errors.ErrorMessagesException

      • parseToken

        public static EncryptedJwt parseToken​(JwtHeaders header,
                                      String token)
        Parse a token received over network. The expected content is jwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64 where base64 is base64 URL encoding. Use this method if you have pre-parsed header, otherwise use parseToken(String). This method does NO validation of content at all, only validates that the content is correctly formatted:
        • correct format of string (e.g. base64.base64.base64.base64.base64)
        • each base64 part is actually base64 URL encoded
        • header is JSON object
        Parameters:
        header - parsed JWT header
        token - String with the token
        Returns:
        Encrypted jwt parts
        Throws:
        RuntimeException - in case of invalid content, see Errors.ErrorMessagesException

      • decrypt

        public SignedJwt decrypt​(JwkKeys jwkKeys)
        Decrypt SignedJwt from the content of the encrypted jwt. Encrypted JWT needs to have "kid" header specified to be able to determine Jwk from the JwkKeys instance. Selected Jwk needs to have private key set.
        Parameters:
        jwkKeys - jwk keys
        Returns:
        empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful

      • decrypt

        public SignedJwt decrypt​(Jwk jwk)
        Decrypt SignedJwt from the content of the encrypted jwt. Provided jwk will be used for content key decryption. Provided Jwk needs to have private key set.
        Parameters:
        jwk - jwk keys
        Returns:
        empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful

      • decrypt

        public SignedJwt decrypt​(JwkKeys jwkKeys,
                         Jwk defaultJwk)
        Decrypt SignedJwt from the content of the encrypted jwt. If the kid header is specified among encrypted JWT headers, it will be used to match corresponding key from the jwkKeys. If no kid is specified, provided default Jwk is used. Used Jwk needs to have private key set.
        Parameters:
        jwkKeys - jwk keys
        defaultJwk - default jwk
        Returns:
        empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful

      • headers

        public JwtHeaders headers()
        Encrypted JWT headers.
        Returns:
        headers of the encrypted JWT

      • token

        public String token()
        Encrypted JWT as token.
        Returns:
        encrypted jwt token

      • iv

        public byte[] iv()
        Initialization vector for the encrypted content.
        Returns:
        initialization vector

      • encryptedKey

        public byte[] encryptedKey()
        Encrypted content encryption key.
        Returns:
        content encryption key

      • authTag

        public byte[] authTag()
        Authentication tag of the encrypted content.
        Returns:
        authentication tag

      • encryptedPayload

        public byte[] encryptedPayload()
        Encrypted content.
        Returns:
        encrypted content