Package org.webpki.crypto
Class EncryptionCore
java.lang.Object
org.webpki.crypto.EncryptionCore
Core JOSE and COSE encryption support.
Implements a subset of the JWE (RFC 7516, with the algorithms of RFC 7518) and COSE (RFC 8152) encryption algorithms: authenticated symmetric content encryption, RSA and ECDH based key encryption, and the key-derivation difference between the two formats (Concat KDF for JOSE, HKDF for COSE).
Nested Class Summary

static class EncryptionCore.AsymmetricEncryptionResult
    Return object for ECDH and RSA encryptions.
static class EncryptionCore.SymmetricEncryptionResult
    Return object for symmetric key encryptions.
Method Summary

static byte[] contentDecryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] cipherText, byte[] iv, byte[] authData, byte[] tag)
    Decrypt using a symmetric key.
static EncryptionCore.SymmetricEncryptionResult contentEncryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] iv, byte[] plainText, byte[] authData)
    Perform a symmetric key encryption.
static byte[] createIv(ContentEncryptionAlgorithms contentEncryptionAlgorithm)
    Create an IV with an algorithm specific length.
static byte[] decryptKey(boolean coseMode, PrivateKey privateKey, byte[] optionalEncryptedKey, PublicKey optionalEphemeralKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
    Key decryption convenience method.
static EncryptionCore.AsymmetricEncryptionResult encryptKey(boolean coseMode, PublicKey publicKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
    Key encryption convenience method.
static byte[] receiverKeyAgreement(boolean coseMode, PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey, byte[] encryptedKey)
    Perform a receiver side ECDH operation.
static byte[] rsaDecryptKey(PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, byte[] encryptedKey)
    Decrypt a symmetric key using an RSA cipher.
static EncryptionCore.AsymmetricEncryptionResult rsaEncryptKey(byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, PublicKey publicKey)
    Perform an RSA encrypt key operation.
static EncryptionCore.AsymmetricEncryptionResult senderKeyAgreement(boolean coseMode, byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey)
    Perform a sender side ECDH operation.
static void setAesProvider(String providerName)
    Explicitly set provider for AES operations.
static void setEcProvider(String ecStaticProviderName, String ecEphemeralProviderName)
    Explicitly set provider for ECDH operations.
static void setRsaProvider(String rsaProviderName)
    Explicitly set provider for RSA operations.

Method Details
setAesProvider
public static void setAesProvider(String providerName)
Explicitly set provider for AES operations.
Parameters:
    providerName - Name of provider

setEcProvider
public static void setEcProvider(String ecStaticProviderName, String ecEphemeralProviderName)
Explicitly set providers for ECDH operations. The two providers serve different keys: the static provider handles the receiver's long-lived private key, the ephemeral provider handles the short-lived key pairs created for each ECDH operation.
Setting ecStaticProviderName to "AndroidKeystore" permits decryption using HSM protected keys, since the static private key is then used inside the keystore instead of being exported to the application.
Setting ecEphemeralProviderName to anything but null should be done with caution.
Parameters:
    ecStaticProviderName - Name of provider for static private keys
    ecEphemeralProviderName - Name of provider for ephemeral private keys

setRsaProvider
public static void setRsaProvider(String rsaProviderName)
Explicitly set provider for RSA operations.
Parameters:
    rsaProviderName - Name of provider

createIv
public static byte[] createIv(ContentEncryptionAlgorithms contentEncryptionAlgorithm)
Create an IV with an algorithm specific length. Call it once per contentEncryption; an IV must never be reused with the same key.
Parameters:
    contentEncryptionAlgorithm - Content encryption algorithm, which determines the IV length
Returns:
    The IV

contentEncryption
public static EncryptionCore.SymmetricEncryptionResult contentEncryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] iv, byte[] plainText, byte[] authData)
Perform a symmetric key (authenticated) encryption.
Parameters:
    contentEncryptionAlgorithm - Content encryption algorithm
    key - Content encryption key (CEK); its length is dictated by the algorithm
    iv - Initialization vector, normally obtained from createIv
    plainText - Data to be encrypted
    authData - Additional authenticated data (AAD): covered by the authentication tag but not encrypted
Returns:
    A composite object including the encrypted data and the authentication tag

contentDecryption
public static byte[] contentDecryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] cipherText, byte[] iv, byte[] authData, byte[] tag)
Decrypt using a symmetric key. This is authenticated decryption: the tag is verified against the ciphertext, IV and authData, and the call fails instead of returning plaintext when any of them has been modified or the key is wrong.
Parameters:
    contentEncryptionAlgorithm - Content encryption algorithm
    key - Content encryption key (CEK)
    cipherText - Encrypted data
    iv - Initialization vector used at encryption time
    authData - Additional authenticated data (AAD); must be byte-for-byte identical to the value used at encryption time
    tag - Authentication tag produced by contentEncryption
Returns:
    Decrypted data

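The following is an added example in Java (the library's own language); it is not code from the webpki project. It runs one contentEncryption/contentDecryption round trip and then shows that a single flipped bit in the ciphertext, tag, AAD or IV is rejected, which is the property the page's "Additional input used for authentication purposes" wording refers to. Names not on this page are assumptions: the enum constant ContentEncryptionAlgorithms.A256GCM, the accessors getCipherText() and getTag() on SymmetricEncryptionResult, and that a failed tag check surfaces as a thrown exception.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

import org.webpki.crypto.ContentEncryptionAlgorithms;
import org.webpki.crypto.EncryptionCore;

/**
 * Added example, not part of the webpki library: one AEAD round trip through
 * contentEncryption/contentDecryption, then four single-bit tamper cases that
 * must all be rejected.
 *
 * Assumed (not stated on the page): ContentEncryptionAlgorithms.A256GCM
 * (AES-256-GCM, 32-byte key), SymmetricEncryptionResult.getCipherText() and
 * getTag(), and that a failed tag check is reported by throwing an exception.
 */
public class ContentLayerExample {

    static final ContentEncryptionAlgorithms ALG = ContentEncryptionAlgorithms.A256GCM; // assumed constant

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a random CEK, a payload and the AAD. In JWE the
        // AAD is ASCII(BASE64URL(protected header)); in COSE it is the Enc_structure.
        byte[] cek = new byte[32];
        new SecureRandom().nextBytes(cek);
        byte[] plainText = "{\"amount\":100,\"to\":\"alice\"}".getBytes(StandardCharsets.UTF_8);
        byte[] authData = "{\"alg\":\"ECDH-ES\",\"enc\":\"A256GCM\"}".getBytes(StandardCharsets.UTF_8);

        // One fresh IV per encryption. A repeated (key, IV) pair under GCM leaks the
        // XOR of the two plaintexts and lets an attacker forge tags.
        byte[] iv = EncryptionCore.createIv(ALG);

        EncryptionCore.SymmetricEncryptionResult enc =
                EncryptionCore.contentEncryption(ALG, cek, iv, plainText, authData);
        byte[] cipherText = enc.getCipherText(); // assumed accessor
        byte[] tag = enc.getTag();               // assumed accessor

        // Happy path: key, IV, AAD and tag all match, so the plaintext comes back.
        byte[] decrypted = EncryptionCore.contentDecryption(ALG, cek, cipherText, iv, authData, tag);
        if (!Arrays.equals(plainText, decrypted)) {
            throw new AssertionError("round trip failed");
        }

        // Every one of these must fail: the tag binds ciphertext, IV and AAD together.
        expectRejection("ciphertext", cek, flipBit(cipherText), iv, authData, tag);
        expectRejection("tag", cek, cipherText, iv, authData, flipBit(tag));
        expectRejection("aad", cek, cipherText, iv, flipBit(authData), tag);
        expectRejection("iv", cek, cipherText, flipBit(iv), authData, tag);
        System.out.println("round trip ok, four tamper cases rejected");
    }

    /** Decryption with a modified input must throw; getting bytes back would be a bug. */
    static void expectRejection(String what, byte[] key, byte[] cipherText, byte[] iv,
                                byte[] authData, byte[] tag) {
        try {
            EncryptionCore.contentDecryption(ALG, key, cipherText, iv, authData, tag);
        } catch (Exception expected) { // exact exception type is library-defined
            return;
        }
        throw new AssertionError("modified " + what + " was accepted");
    }

    /** Copy the array and flip the lowest bit of its first byte. */
    static byte[] flipBit(byte[] in) {
        byte[] out = in.clone();
        out[0] ^= 0x01;
        return out;
    }
}
```

The AAD case is the one most often got wrong in practice: if the receiver reconstructs the protected header from parsed JSON instead of using the exact bytes that were transmitted, decryption fails even though nothing was tampered with.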
rsaEncryptKey
public static EncryptionCore.AsymmetricEncryptionResult rsaEncryptKey(byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, PublicKey publicKey)
Perform an RSA encrypt key operation: the supplied CEK is encrypted under the receiver's public key so that only the holder of the matching private key can recover it.
Parameters:
    contentEncryptionKey - Also known as CEK: the symmetric key that encrypts the content
    keyEncryptionAlgorithm - The RSA encryption algorithm
    publicKey - The receiver's (usually static) public key
Returns:
    A composite object including the (plain text) data encryption key

rsaDecryptKey
public static byte[] rsaDecryptKey(PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, byte[] encryptedKey)
Decrypt a symmetric key using an RSA cipher.
Parameters:
    privateKey - The RSA private key
    keyEncryptionAlgorithm - The algorithm to use
    encryptedKey - Contains the symmetric key used for encrypting the data
Returns:
    The key in plain text

receiverKeyAgreement
public static byte[] receiverKeyAgreement(boolean coseMode, PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey, byte[] encryptedKey)
Perform a receiver side ECDH operation.
Parameters:
    coseMode - If true => hmacKdf (HKDF, as COSE specifies), else concatKdf (Concat KDF, as JOSE specifies)
    privateKey - The receiver's private key
    keyEncryptionAlgorithm - The ECDH algorithm
    contentEncryptionAlgorithm - The designated content encryption algorithm; the KDF uses it to size and label the derived key, so both sides must pass the same value
    publicKey - The sender's (usually ephemeral) public key
    encryptedKey - For ECDH+KW based operations only
Returns:
    Shared secret

senderKeyAgreement
public static EncryptionCore.AsymmetricEncryptionResult senderKeyAgreement(boolean coseMode, byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey)
Perform a sender side ECDH operation.
Parameters:
    coseMode - If true => hmacKdf (HKDF, as COSE specifies), else concatKdf (Concat KDF, as JOSE specifies)
    contentEncryptionKey - Also known as CEK
    keyEncryptionAlgorithm - The ECDH algorithm
    contentEncryptionAlgorithm - The designated content encryption algorithm; the KDF uses it to size and label the derived key, so both sides must pass the same value
    publicKey - The receiver's (usually static) public key
Returns:
    A composite object including the (plain text) data encryption key

encryptKey
public static EncryptionCore.AsymmetricEncryptionResult encryptKey(boolean coseMode, PublicKey publicKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
Key encryption convenience method. Produces a content encryption key and performs the key encryption step for the chosen algorithm (RSA or ECDH), so the caller does not have to call rsaEncryptKey or senderKeyAgreement directly.
Parameters:
    coseMode - true for COSE, false for JOSE
    publicKey - The receiver's public key (the matching private key decrypts)
    keyEncryptionAlgorithm - Key encryption algorithm
    contentEncryptionAlgorithm - Content encryption algorithm
Returns:
    Encryption parameters including a content encryption key

decryptKey
public static byte[] decryptKey(boolean coseMode, PrivateKey privateKey, byte[] optionalEncryptedKey, PublicKey optionalEphemeralKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
Key decryption convenience method: the receiver side counterpart of encryptKey. Recovering the CEK does not by itself authenticate the message; the CEK must still be used in contentDecryption, whose tag check is what detects a tampered message or (for direct ECDH-ES, which has no key-wrap integrity check) a wrong key.
Parameters:
    coseMode - true for COSE, false for JOSE
    privateKey - Private decryption key
    optionalEncryptedKey - For key-wrapping algorithms (RSA and ECDH+KW)
    optionalEphemeralKey - For ECDH* algorithms: the sender's ephemeral public key
    keyEncryptionAlgorithm - Key encryption algorithm
    contentEncryptionAlgorithm - Content encryption algorithm
Returns:
    Decrypted content encryption key

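The following is an added example in Java; it is not code from the webpki project. It exercises the key-management layer, encryptKey on the sender and decryptKey on the receiver, for direct ECDH-ES, ECDH-ES with AES key wrap and RSA-OAEP in JOSE mode, plus direct ECDH-ES in COSE mode, and for each one checks what happens when the wrong receiver tries to recover the CEK. Names not on this page are assumptions: the enum constants KeyEncryptionAlgorithms.ECDH_ES, ECDH_ES_A256KW and RSA_OAEP_256, ContentEncryptionAlgorithms.A256GCM, and the accessors getContentEncryptionKey(), getEncryptedKey() and getEphemeralKey() on AsymmetricEncryptionResult.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;

import org.webpki.crypto.ContentEncryptionAlgorithms;
import org.webpki.crypto.EncryptionCore;
import org.webpki.crypto.KeyEncryptionAlgorithms;

/**
 * Added example, not part of the webpki library: encryptKey/decryptKey round
 * trips for three key encryption algorithms, plus a wrong-receiver check.
 *
 * Assumed (not stated on the page): KeyEncryptionAlgorithms.ECDH_ES,
 * ECDH_ES_A256KW, RSA_OAEP_256, ContentEncryptionAlgorithms.A256GCM, and the
 * AsymmetricEncryptionResult accessors getContentEncryptionKey(),
 * getEncryptedKey() and getEphemeralKey().
 */
public class KeyLayerExample {

    public static void main(String[] args) throws Exception {
        // Receiver key pairs, generated here for the example. In production the
        // static private key would live in a keystore or HSM (see setEcProvider).
        KeyPair ecReceiver = ecKeyPair();
        KeyPair rsaReceiver = rsaKeyPair();
        ContentEncryptionAlgorithms enc = ContentEncryptionAlgorithms.A256GCM; // assumed constant

        // coseMode=false selects the JOSE KDF (Concat KDF), true the COSE KDF (HKDF).
        roundTrip(false, ecReceiver,  ecKeyPair(),  KeyEncryptionAlgorithms.ECDH_ES,        enc);
        roundTrip(false, ecReceiver,  ecKeyPair(),  KeyEncryptionAlgorithms.ECDH_ES_A256KW, enc);
        roundTrip(false, rsaReceiver, rsaKeyPair(), KeyEncryptionAlgorithms.RSA_OAEP_256,   enc);
        roundTrip(true,  ecReceiver,  ecKeyPair(),  KeyEncryptionAlgorithms.ECDH_ES,        enc);
        System.out.println("all key-layer round trips ok");
    }

    static void roundTrip(boolean coseMode, KeyPair receiver, KeyPair wrongReceiver,
                          KeyEncryptionAlgorithms kea, ContentEncryptionAlgorithms cea)
            throws Exception {
        // Sender side: needs only the receiver's public key. The plain CEK stays local
        // (it feeds contentEncryption); encryptedKey and ephemeralKey go into the message.
        EncryptionCore.AsymmetricEncryptionResult sent =
                EncryptionCore.encryptKey(coseMode, receiver.getPublic(), kea, cea);
        byte[] cek = sent.getContentEncryptionKey();   // assumed accessor
        byte[] encryptedKey = sent.getEncryptedKey();  // assumed accessor
        PublicKey ephemeralKey = sent.getEphemeralKey(); // assumed accessor

        // What each family must transmit (these are decryptKey's two "optional" inputs):
        //   ECDH-ES (direct):  ephemeral public key only, nothing is wrapped
        //   ECDH-ES + A256KW:  ephemeral public key and the wrapped CEK
        //   RSA-OAEP-256:      the RSA-encrypted CEK only
        boolean isRsa = (kea == KeyEncryptionAlgorithms.RSA_OAEP_256);
        if (isRsa ? encryptedKey == null : ephemeralKey == null) {
            throw new AssertionError("missing transport value for " + kea);
        }

        // Receiver side: rebuild the CEK from the private key and the transmitted values.
        byte[] recovered = EncryptionCore.decryptKey(
                coseMode, receiver.getPrivate(), encryptedKey, ephemeralKey, kea, cea);
        if (!Arrays.equals(cek, recovered)) {
            throw new AssertionError("CEK mismatch for " + kea);
        }

        // Wrong receiver. Wrapping algorithms fail here (AES-KW / OAEP integrity check).
        // Direct ECDH-ES has no such check: it silently derives a *different* CEK, and
        // the mistake only surfaces when the content tag fails in contentDecryption.
        byte[] wrongCek = null;
        try {
            wrongCek = EncryptionCore.decryptKey(
                    coseMode, wrongReceiver.getPrivate(), encryptedKey, ephemeralKey, kea, cea);
        } catch (Exception expectedForWrappingAlgorithms) {
            // rejected at the key layer, which is the best outcome
        }
        if (wrongCek != null && Arrays.equals(cek, wrongCek)) {
            throw new AssertionError("wrong private key recovered the CEK for " + kea);
        }
    }

    static KeyPair ecKeyPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        return g.generateKeyPair();
    }

    static KeyPair rsaKeyPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }
}
```

The wrong-receiver branch is the practical reason the page's decryptKey and contentDecryption are separate steps: with direct ECDH-ES a wrong or substituted private key does not produce an error at the key layer, so code that treats a successful decryptKey as proof of a valid message is wrong; only the content-layer tag check provides that.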