java.lang.Object
io.helidon.security.jwt.EncryptedJwt
The JWT used to transfer content across network - e.g. the base64 parts concatenated with a dot.
The content of the transferred JWT is encrypted by one of the supported ciphers mentioned here
EncryptedJwt.SupportedEncryption
.
Key for the content encryption is randomly generated and encrypted by selected EncryptedJwt.SupportedAlgorithm
algorithm.
A new key and initialization vector is being generated automatically for each encrypted JWT.-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
Encrypted JWT builder.static enum
Supported RSA cipher for content key encryption.static enum
Supported AES cipher for content encryption. -
Method Summary
Modifier and TypeMethodDescriptionbyte[]
authTag()
Authentication tag of the encrypted content.static EncryptedJwt.Builder
Builder of the Encrypted JWT.static EncryptedJwt
Create new EncryptedJwt.DecryptSignedJwt
from the content of the encrypted jwt.DecryptSignedJwt
from the content of the encrypted jwt.DecryptSignedJwt
from the content of the encrypted jwt.byte[]
Encrypted content encryption key.byte[]
Encrypted content.headers()
Encrypted JWT headers.byte[]
iv()
Initialization vector for the encrypted content.static EncryptedJwt
parseToken
(JwtHeaders header, String token) Parse a token received over network.static EncryptedJwt
parseToken
(String token) Parse a token received over network.token()
Encrypted JWT as token.
-
Method Details
-
builder
Builder of the Encrypted JWT.- Parameters:
jwt
- jwt to be encrypted- Returns:
- encrypted jwt builder instance
-
create
Create new EncryptedJwt. Content is encrypted byEncryptedJwt.SupportedEncryption.A256GCM
and content encryption key is encrypted byEncryptedJwt.SupportedAlgorithm.RSA_OAEP
for transportation.- Parameters:
jwt
- jwt to be encryptedjwk
- jwk used for content key encryption- Returns:
- encrypted jwt instance
-
parseToken
Parse a token received over network. The expected content isjwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64
where base64 is base64 URL encoding. Use this method if you have previous knowledge of this being an encrypted token. UseparseToken(JwtHeaders, String)
if header had to be parsed separately to identify token type. This method does NO validation of content at all, only validates that the content is correctly formatted:- correct format of string (e.g. base64.base64.base64.base64.base64)
- each base64 part is actually base64 URL encoded
- header is JSON object
- Parameters:
token
- String with the token- Returns:
- Encrypted jwt parts
- Throws:
RuntimeException
- in case of invalid content, seeErrors.ErrorMessagesException
-
parseToken
Parse a token received over network. The expected content isjwe_header_base64.encrypted_content_key_base64.iv_base64.content_base64.authentication_tag_base64
where base64 is base64 URL encoding. Use this method if you have pre-parsed header, otherwise useparseToken(String)
. This method does NO validation of content at all, only validates that the content is correctly formatted:- correct format of string (e.g. base64.base64.base64.base64.base64)
- each base64 part is actually base64 URL encoded
- header is JSON object
- Parameters:
header
- parsed JWT headertoken
- String with the token- Returns:
- Encrypted jwt parts
- Throws:
RuntimeException
- in case of invalid content, seeErrors.ErrorMessagesException
-
decrypt
DecryptSignedJwt
from the content of the encrypted jwt. Encrypted JWT needs to have "kid" header specified to be able to determineJwk
from theJwkKeys
instance. SelectedJwk
needs to have private key set.- Parameters:
jwkKeys
- jwk keys- Returns:
- empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful
-
decrypt
DecryptSignedJwt
from the content of the encrypted jwt. Provided jwk will be used for content key decryption. ProvidedJwk
needs to have private key set.- Parameters:
jwk
- jwk keys- Returns:
- empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful
-
decrypt
DecryptSignedJwt
from the content of the encrypted jwt. If the kid header is specified among encrypted JWT headers, it will be used to match corresponding key from the jwkKeys. If no kid is specified, provided default Jwk is used. UsedJwk
needs to have private key set.- Parameters:
jwkKeys
- jwk keysdefaultJwk
- default jwk- Returns:
- empty optional if any error has occurred or SignedJwt instance if the decryption and validation was successful
-
headers
Encrypted JWT headers.- Returns:
- headers of the encrypted JWT
-
token
Encrypted JWT as token.- Returns:
- encrypted jwt token
-
iv
public byte[] iv()Initialization vector for the encrypted content.- Returns:
- initialization vector
-
encryptedKey
public byte[] encryptedKey()Encrypted content encryption key.- Returns:
- content encryption key
-
authTag
public byte[] authTag()Authentication tag of the encrypted content.- Returns:
- authentication tag
-
encryptedPayload
public byte[] encryptedPayload()Encrypted content.- Returns:
- encrypted content
-