Class EncryptionCore

java.lang.Object
org.webpki.crypto.EncryptionCore

public class EncryptionCore extends Object
Core JOSE and COSE encryption support.

Implements a subset of the JWE (RFC 7516, algorithm identifiers per RFC 7518) and COSE (RFC 8152) encryption algorithms: authenticated symmetric content encryption, plus RSA and ECDH based key management for the content encryption key.

  • Method Details

    • setAesProvider

      public static void setAesProvider(String providerName)
      Explicitly set the JCA provider for AES operations. Provider names are case-sensitive and must match a provider registered with java.security.Security.
      Parameters:
      providerName - Name of the provider
    • setEcProvider

      public static void setEcProvider(String ecStaticProviderName, String ecEphemeralProviderName)
      Explicitly set the JCA providers for ECDH operations. Static and ephemeral keys are configured separately because they have different protection needs.

      Setting ecStaticProviderName to "AndroidKeyStore" permits decryption using hardware-backed receiver keys, whose private half never leaves the keystore.

      Setting ecEphemeralProviderName to anything but null should be done with caution: a new ephemeral key pair is generated for every encryption, so a hardware-backed provider adds no protection for it, may be slow, and may not support the curves or key agreement modes in use.

      Parameters:
      ecStaticProviderName - Name of provider for static private keys
      ecEphemeralProviderName - Name of provider for ephemeral private keys
    • setRsaProvider

      public static void setRsaProvider(String rsaProviderName)
      Explicitly set the JCA provider for RSA operations (key encryption and decryption).
      Parameters:
      rsaProviderName - Name of the provider
    • createIv

      public static byte[] createIv(ContentEncryptionAlgorithms contentEncryptionAlgorithm)
      Create a fresh random IV with the algorithm specific length defined by JWE and COSE: 96 bits (12 bytes) for the AES-GCM algorithms and 128 bits (one AES block) for the AES-CBC-HMAC algorithms. An IV must never be reused under the same key; for AES-GCM a repeated (key, IV) pair destroys both confidentiality and integrity.
      Parameters:
      contentEncryptionAlgorithm - Content encryption algorithm whose IV length is used
      Returns:
      The IV, to be passed unchanged to contentEncryption and transmitted to the receiver
    • contentEncryption

      public static EncryptionCore.SymmetricEncryptionResult contentEncryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] iv, byte[] plainText, byte[] authData)
      Perform an authenticated symmetric encryption of the content.
      Parameters:
      contentEncryptionAlgorithm - Content encryption algorithm
      key - Content encryption key (CEK); its length must match the algorithm
      iv - Initialization vector, see createIv
      plainText - Data to be encrypted
      authData - Additional authenticated data (AAD): covered by the authentication tag but not encrypted (in JWE, the encoded protected header)
      Returns:
      A composite object holding the cipher text and the authentication tag
    • contentDecryption

      public static byte[] contentDecryption(ContentEncryptionAlgorithms contentEncryptionAlgorithm, byte[] key, byte[] cipherText, byte[] iv, byte[] authData, byte[] tag)
      Decrypt and verify content produced by contentEncryption. Note that the argument order differs from contentEncryption: cipherText precedes iv here.
      Parameters:
      contentEncryptionAlgorithm - Content encryption algorithm
      key - Content encryption key (CEK)
      cipherText - Encrypted data
      iv - Initialization vector used at encryption
      authData - Additional authenticated data; must be byte-for-byte identical to the value used at encryption
      tag - Authentication tag
      Returns:
      Decrypted data. If the tag does not verify the method fails (throws) rather than returning unauthenticated plain text.
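As an added example (not code from the webpki library), the following Python shows what the authData and tag parameters of contentEncryption and contentDecryption bind together in the JWE AES_CBC_HMAC_SHA2 algorithms: the CEK split into MAC and encryption halves, the 64-bit AL length field, tag truncation, and a constant-time verification that fails on a modified cipher text, modified AAD or truncated tag. Only the MAC half of the construction is shown; the AES-CBC step is omitted and a constructed byte string stands in for the cipher text. The algorithm names are JWE "enc" identifiers, not the library's enum constants, and the IV and AAD values are the published ones from RFC 7518 Appendix B.1.

```python
import hashlib
import hmac
import secrets

# JWE content encryption algorithms (RFC 7518 section 5) with the
# parameters this example needs: CEK and IV lengths in bytes and, for the
# AES_CBC_HMAC_SHA2 family, the HMAC hash and the truncated tag length.
ALGORITHMS = {
    "A128GCM": {"key_len": 16, "iv_len": 12},
    "A192GCM": {"key_len": 24, "iv_len": 12},
    "A256GCM": {"key_len": 32, "iv_len": 12},
    "A128CBC-HS256": {"key_len": 32, "iv_len": 16, "hash": hashlib.sha256, "tag_len": 16},
    "A192CBC-HS384": {"key_len": 48, "iv_len": 16, "hash": hashlib.sha384, "tag_len": 24},
    "A256CBC-HS512": {"key_len": 64, "iv_len": 16, "hash": hashlib.sha512, "tag_len": 32},
}


def create_iv(alg: str) -> bytes:
    """Counterpart of createIv: a fresh random IV of the algorithm specific
    length (96 bits for GCM, one AES block for CBC)."""
    return secrets.token_bytes(ALGORITHMS[alg]["iv_len"])


def aad_length_field(aad: bytes) -> bytes:
    """AL: the bit length of the AAD as a 64-bit big-endian integer."""
    return (len(aad) * 8).to_bytes(8, "big")


def split_cek(alg: str, key: bytes) -> tuple:
    """AES_CBC_HMAC_SHA2 uses one CEK for two purposes: the first half is
    MAC_KEY, the second half ENC_KEY (the AES-CBC key, not used here)."""
    if len(key) != ALGORITHMS[alg]["key_len"]:
        raise ValueError("CEK must be %d bytes for %s" % (ALGORITHMS[alg]["key_len"], alg))
    half = len(key) // 2
    return key[:half], key[half:]


def cbc_hmac_tag(alg: str, key: bytes, iv: bytes, cipher_text: bytes, aad: bytes) -> bytes:
    """Authentication tag of AES_CBC_HMAC_SHA2 (RFC 7518 section 5.2.2.1):
    HMAC over AAD || IV || ciphertext || AL, truncated to half the hash length."""
    mac_key, _enc_key = split_cek(alg, key)
    params = ALGORITHMS[alg]
    if len(iv) != params["iv_len"]:
        raise ValueError("IV must be %d bytes for %s" % (params["iv_len"], alg))
    mac_input = aad + iv + cipher_text + aad_length_field(aad)
    return hmac.new(mac_key, mac_input, params["hash"]).digest()[: params["tag_len"]]


def cbc_hmac_verify(alg, key, iv, cipher_text, aad, tag) -> bool:
    """Receiver side: recompute and compare in constant time. contentDecryption
    performs this check before releasing any plain text; so must any caller
    that assembles the primitive itself."""
    expected = cbc_hmac_tag(alg, key, iv, cipher_text, aad)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed inputs: CEK, IV and AAD are the published RFC 7518 Appendix B.1
    values (test data, not secrets); the cipher text is a constructed stand-in
    because AES-CBC itself is outside this example."""
    alg = "A128CBC-HS256"
    key = bytes(range(32))
    iv = bytes.fromhex("1af38c2dc2b96ffdd86694092341bc04")
    aad = b"The second principle of Auguste Kerckhoffs"
    cipher_text = bytes(range(80))
    tag = cbc_hmac_tag(alg, key, iv, cipher_text, aad)
    tampered = bytearray(cipher_text)
    tampered[0] ^= 0x01
    return {
        "tag_len": len(tag),
        "al": aad_length_field(aad),
        "ok": cbc_hmac_verify(alg, key, iv, cipher_text, aad, tag),
        "tampered_ct": cbc_hmac_verify(alg, key, iv, bytes(tampered), aad, tag),
        "tampered_aad": cbc_hmac_verify(alg, key, iv, cipher_text, aad + b"x", tag),
        "truncated_tag": cbc_hmac_verify(alg, key, iv, cipher_text, aad, tag[:8]),
    }
```

The AL field is why the receiver must supply exactly the same AAD: a one-byte difference changes both the MAC input and its trailing length field, and hmac.compare_digest also rejects a tag of the wrong length without leaking where the mismatch occurs.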
    • rsaEncryptKey

      public static EncryptionCore.AsymmetricEncryptionResult rsaEncryptKey(byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, PublicKey publicKey)
      Encrypt a content encryption key with the receiver's RSA public key (JWE/COSE key encryption mode).
      Parameters:
      contentEncryptionKey - The content encryption key (CEK) to be protected
      keyEncryptionAlgorithm - The RSA key encryption algorithm
      publicKey - The receiver's (usually static) RSA public key
      Returns:
      A composite object holding the encrypted key together with the (plain text) content encryption key
    • rsaDecryptKey

      public static byte[] rsaDecryptKey(PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, byte[] encryptedKey)
      Decrypt a content encryption key using the receiver's RSA private key. Prefer an RSA-OAEP algorithm for new deployments: PKCS#1 v1.5 key transport (JWE RSA1_5) is prone to padding oracle attacks when decryption failures are observable. The algorithm should be fixed by receiver policy, not taken from an unauthenticated header of the incoming message.
      Parameters:
      privateKey - The RSA private key
      keyEncryptionAlgorithm - The RSA key encryption algorithm
      encryptedKey - The encrypted content encryption key
      Returns:
      The content encryption key in plain text
    • receiverKeyAgreement

      public static byte[] receiverKeyAgreement(boolean coseMode, PrivateKey privateKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey, byte[] encryptedKey)
      Perform a receiver side ECDH operation: compute the shared secret from the receiver's static private key and the sender's ephemeral public key, run it through the key derivation function and, for the key-wrapping variants, unwrap the content encryption key.
      Parameters:
      coseMode - If true the COSE KDF (HKDF, RFC 8152 section 11.1) is used, else the JOSE Concat KDF (RFC 7518 section 4.6.2)
      privateKey - The receiver's (static) EC private key
      keyEncryptionAlgorithm - The ECDH algorithm
      contentEncryptionAlgorithm - The designated content encryption algorithm; it determines the derived key length and, in direct ECDH-ES mode, the algorithm identifier fed to the KDF
      publicKey - The sender's (usually ephemeral) public key; it must be on the same curve as privateKey
      encryptedKey - The wrapped content encryption key, for ECDH-ES+KW based operations only (unused for direct ECDH-ES)
      Returns:
      The content encryption key: the KDF output for direct ECDH-ES, the unwrapped key for the key-wrapping variants
    • senderKeyAgreement

      public static EncryptionCore.AsymmetricEncryptionResult senderKeyAgreement(boolean coseMode, byte[] contentEncryptionKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm, PublicKey publicKey)
      Perform a sender side ECDH operation: generate an ephemeral key pair on the receiver key's curve, compute the shared secret with the receiver's static public key and derive a key from it with the selected KDF.
      Parameters:
      coseMode - If true the COSE KDF (HKDF) is used, else the JOSE Concat KDF
      contentEncryptionKey - The content encryption key (CEK) to be wrapped by the ECDH-ES+KW variants; direct ECDH-ES instead derives the CEK from the shared secret
      keyEncryptionAlgorithm - The ECDH algorithm
      contentEncryptionAlgorithm - The designated content encryption algorithm
      publicKey - The receiver's (usually static) public key
      Returns:
      A composite object including the ephemeral public key to be sent to the receiver, the wrapped key where applicable, and the (plain text) content encryption key
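The coseMode flag of senderKeyAgreement and receiverKeyAgreement selects the key derivation function applied to the ECDH shared secret. The Python below is an added illustration, not the library's code: it implements the JOSE Concat KDF of RFC 7518 section 4.6.2 (checked against the RFC 7518 Appendix C vector), RFC 5869 HKDF with SHA-256, and the CBOR COSE_KDF_Context of RFC 8152 section 11.2 for the common case with no PartyU/PartyV identity, nonce or other data, plus a derive_cek switch mirroring the flag. The exact COSE context webpki builds is not documented on this page and is not assumed here; the derive_cek parameter names are this example's own.

```python
import hashlib
import hmac
import struct


def _len_prefixed(data: bytes) -> bytes:
    """Datalen || Data, the field encoding used by the Concat KDF OtherInfo."""
    return struct.pack(">I", len(data)) + data


def concat_kdf_sha256(z: bytes, alg_id: bytes, apu: bytes, apv: bytes,
                      keydatalen_bits: int) -> bytes:
    """JOSE ECDH-ES key derivation (RFC 7518 section 4.6.2): NIST SP 800-56A
    Concat KDF with SHA-256 over counter || Z || OtherInfo, where
    OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo.
    alg_id is the "enc" value for direct ECDH-ES and the "alg" value for
    the ECDH-ES+A*KW variants."""
    other_info = (_len_prefixed(alg_id) + _len_prefixed(apu) + _len_prefixed(apv)
                  + struct.pack(">I", keydatalen_bits))
    out = b""
    counter = 1
    while len(out) < keydatalen_bits // 8:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: keydatalen_bits // 8]


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with HMAC-SHA256.
    An empty salt is replaced by HashLen zero bytes as the RFC specifies."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _cbor_head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for major type `major` and argument n (n < 65536)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")


def cose_kdf_context(alg_id: int, keydatalen_bits: int, protected: bytes = b"") -> bytes:
    """COSE_KDF_Context (RFC 8152 section 11.2), CBOR encoded, for the case
    without PartyU/PartyV identity, nonce or other data:
      [ AlgorithmID, [null, null, null], [null, null, null],
        [ keyDataLength, protected ] ]
    AlgorithmID is the COSE integer of the content encryption algorithm
    (direct mode) or of the key wrap algorithm (ECDH-ES+A*KW, negative ids)."""
    alg = _cbor_head(0, alg_id) if alg_id >= 0 else _cbor_head(1, -1 - alg_id)
    nulls = _cbor_head(4, 3) + b"\xf6\xf6\xf6"
    supp_pub = (_cbor_head(4, 2) + _cbor_head(0, keydatalen_bits)
                + _cbor_head(2, len(protected)) + protected)
    return _cbor_head(4, 4) + alg + nulls + nulls + supp_pub


def derive_cek(cose_mode: bool, z: bytes, keydatalen_bits: int, *,
               jose_alg_id: bytes = b"", apu: bytes = b"", apv: bytes = b"",
               cose_alg_id: int = 0, cose_protected: bytes = b"") -> bytes:
    """The coseMode switch: the same shared secret z goes either through
    HKDF with COSE_KDF_Context as info and no salt (COSE), or through the
    Concat KDF with OtherInfo (JOSE). The two never agree, so sender and
    receiver must use the same mode."""
    if cose_mode:
        info = cose_kdf_context(cose_alg_id, keydatalen_bits, cose_protected)
        return hkdf_sha256(b"", z, info, keydatalen_bits // 8)
    return concat_kdf_sha256(z, jose_alg_id, apu, apv, keydatalen_bits)
```

Both KDFs bind the algorithm identifier and the key length into the derived key, which is what prevents a CEK derived for one content encryption algorithm from being reused under another; the apu/apv (PartyUInfo/PartyVInfo) fields in JOSE are optional header values and must match on both sides exactly as transmitted.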
    • encryptKey

      public static EncryptionCore.AsymmetricEncryptionResult encryptKey(boolean coseMode, PublicKey publicKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
      Key encryption convenience method: obtains a content encryption key of the length required by contentEncryptionAlgorithm (freshly generated, or derived for direct ECDH-ES) and protects it via rsaEncryptKey or senderKeyAgreement according to keyEncryptionAlgorithm.
      Parameters:
      coseMode - true for COSE, false for JOSE
      publicKey - The receiver's public key (its private counterpart decrypts)
      keyEncryptionAlgorithm - Key encryption algorithm; must match the key type (RSA or EC) of publicKey
      contentEncryptionAlgorithm - Content encryption algorithm
      Returns:
      Encryption parameters (encrypted key and/or ephemeral public key, as applicable) including the content encryption key to use with contentEncryption
    • decryptKey

      public static byte[] decryptKey(boolean coseMode, PrivateKey privateKey, byte[] optionalEncryptedKey, PublicKey optionalEphemeralKey, KeyEncryptionAlgorithms keyEncryptionAlgorithm, ContentEncryptionAlgorithms contentEncryptionAlgorithm)
      Key decryption convenience method: the receiver side counterpart of encryptKey, dispatching to rsaDecryptKey or receiverKeyAgreement. Restrict keyEncryptionAlgorithm and contentEncryptionAlgorithm to what the receiver is willing to accept rather than taking them unchecked from the (unauthenticated) header of the incoming message.
      Parameters:
      coseMode - true for COSE, false for JOSE
      privateKey - The receiver's private decryption key
      optionalEncryptedKey - The encrypted or wrapped content encryption key; required for RSA and ECDH-ES+KW algorithms, unused for direct ECDH-ES
      optionalEphemeralKey - The sender's ephemeral public key; required for the ECDH-ES algorithms, unused for RSA
      keyEncryptionAlgorithm - Key encryption algorithm
      contentEncryptionAlgorithm - Content encryption algorithm
      Returns:
      Decrypted content encryption key, to be used with contentDecryption