001/* 002 * nimbus-jose-jwt 003 * 004 * Copyright 2012-2016, Connect2id Ltd. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.jose.crypto; 019 020 021import javax.crypto.SecretKey; 022import javax.crypto.spec.SecretKeySpec; 023 024import net.jcip.annotations.ThreadSafe; 025 026import com.nimbusds.jose.*; 027import com.nimbusds.jose.jwk.OctetSequenceKey; 028import com.nimbusds.jose.util.Base64URL; 029import com.nimbusds.jose.util.ByteUtils; 030 031 032/** 033 * AES and AES GCM key wrap encrypter of {@link com.nimbusds.jose.JWEObject JWE 034 * objects}. Expects an AES key. 035 * 036 * <p>Encrypts the plain text with a generated AES key (the Content Encryption 037 * Key) according to the specified JOSE encryption method, then wraps the CEK 038 * with the specified AES key and returns it alongside the IV, cipher text and 039 * authentication tag. See RFC 7518, sections 040 * <a href="https://tools.ietf.org/html/rfc7518#section-4.4">4.4</a> and 041 * <a href="https://tools.ietf.org/html/rfc7518#section-4.7">4.7</a> for more 042 * information. 043 * 044 * <p>This class is thread-safe. 045 * 046 * <p>Supports the following key management algorithms: 047 * 048 * <ul> 049 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A128KW} 050 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A192KW} 051 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A256KW} 052 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A128GCMKW} 053 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A192GCMKW} 054 * <li>{@link com.nimbusds.jose.JWEAlgorithm#A256GCMKW} 055 * </ul> 056 * 057 * <p>Supports the following content encryption algorithms: 058 * 059 * <ul> 060 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256} 061 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192CBC_HS384} 062 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512} 063 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128GCM} 064 * <li>{@link com.nimbusds.jose.EncryptionMethod#A192GCM} 065 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256GCM} 066 * <li>{@link com.nimbusds.jose.EncryptionMethod#A128CBC_HS256_DEPRECATED} 067 * <li>{@link com.nimbusds.jose.EncryptionMethod#A256CBC_HS512_DEPRECATED} 068 * </ul> 069 * 070 * @author Melisa Halsband 071 * @author Vladimir Dzhuvinov 072 * @version 2015-06-29 073 */ 074@ThreadSafe 075public class AESEncrypter extends AESCryptoProvider implements JWEEncrypter { 076 077 078 /** 079 * Algorithm family constants. 080 */ 081 private enum AlgFamily { 082 083 AESKW, AESGCMKW 084 } 085 086 087 /** 088 * Creates a new AES encrypter. 089 * 090 * @param kek The Key Encryption Key. Must be 128 bits (16 bytes), 192 091 * bits (24 bytes) or 256 bits (32 bytes). Must not be 092 * {@code null}. 093 * 094 * @throws KeyLengthException If the KEK length is invalid. 095 */ 096 public AESEncrypter(final SecretKey kek) 097 throws KeyLengthException { 098 099 super(kek); 100 } 101 102 /** 103 * Creates a new AES encrypter. 104 * 105 * @param keyBytes The Key Encryption Key, as a byte array. Must be 128 106 * bits (16 bytes), 192 bits (24 bytes) or 256 bits (32 107 * bytes). Must not be {@code null}. 108 * 109 * @throws KeyLengthException If the KEK length is invalid. 110 */ 111 public AESEncrypter(final byte[] keyBytes) 112 throws KeyLengthException { 113 114 this(new SecretKeySpec(keyBytes, "AES")); 115 } 116 117 118 /** 119 * Creates a new AES encrypter. 120 * 121 * @param octJWK The Key Encryption Key, as a JWK. Must be 128 bits (16 122 * bytes), 192 bits (24 bytes), 256 bits (32 bytes), 384 123 * bits (48 bytes) or 512 bits (64 bytes) long. Must not 124 * be {@code null}. 125 * 126 * @throws KeyLengthException If the KEK length is invalid. 127 */ 128 public AESEncrypter(final OctetSequenceKey octJWK) 129 throws KeyLengthException { 130 131 this(octJWK.toSecretKey("AES")); 132 } 133 134 135 @Override 136 public JWECryptoParts encrypt(final JWEHeader header, final byte[] clearText) 137 throws JOSEException { 138 139 final JWEAlgorithm alg = header.getAlgorithm(); 140 141 // Check the AES key size and determine the algorithm family 142 final AlgFamily algFamily; 143 144 if (alg.equals(JWEAlgorithm.A128KW)) { 145 146 if(ByteUtils.bitLength(getKey().getEncoded()) != 128){ 147 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 128 bits for A128KW encryption"); 148 } 149 algFamily = AlgFamily.AESKW; 150 151 } else if (alg.equals(JWEAlgorithm.A192KW)) { 152 153 if(ByteUtils.bitLength(getKey().getEncoded()) != 192){ 154 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 192 bits for A192KW encryption"); 155 } 156 algFamily = AlgFamily.AESKW; 157 158 } else if (alg.equals(JWEAlgorithm.A256KW)) { 159 160 if (ByteUtils.bitLength(getKey().getEncoded()) != 256) { 161 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 256 bits for A256KW encryption"); 162 } 163 algFamily = AlgFamily.AESKW; 164 165 } else if (alg.equals(JWEAlgorithm.A128GCMKW)) { 166 167 if(ByteUtils.bitLength(getKey().getEncoded()) != 128){ 168 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 128 bits for A128GCMKW encryption"); 169 } 170 algFamily = AlgFamily.AESGCMKW; 171 172 } else if (alg.equals(JWEAlgorithm.A192GCMKW)) { 173 174 if(ByteUtils.bitLength(getKey().getEncoded()) != 192){ 175 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 192 bits for A192GCMKW encryption"); 176 } 177 algFamily = AlgFamily.AESGCMKW; 178 179 } else if (alg.equals(JWEAlgorithm.A256GCMKW)) { 180 181 if(ByteUtils.bitLength(getKey().getEncoded()) != 256){ 182 throw new KeyLengthException("The Key Encryption Key (KEK) length must be 256 bits for A256GCMKW encryption"); 183 } 184 algFamily = AlgFamily.AESGCMKW; 185 186 } else { 187 188 throw new JOSEException(AlgorithmSupportMessage.unsupportedJWEAlgorithm(alg, SUPPORTED_ALGORITHMS)); 189 } 190 191 192 final JWEHeader updatedHeader; // We need to work on the header 193 final Base64URL encryptedKey; // The second JWE part 194 195 // Generate and encrypt the CEK according to the enc method 196 final EncryptionMethod enc = header.getEncryptionMethod(); 197 final SecretKey cek = ContentCryptoProvider.generateCEK(enc, getJCAContext().getSecureRandom()); 198 199 if(AlgFamily.AESKW.equals(algFamily)) { 200 201 encryptedKey = Base64URL.encode(AESKW.wrapCEK(cek, getKey(), getJCAContext().getKeyEncryptionProvider())); 202 updatedHeader = header; // simply copy ref 203 204 } else if(AlgFamily.AESGCMKW.equals(algFamily)) { 205 206 final byte[] keyIV = AESGCM.generateIV(getJCAContext().getSecureRandom()); 207 final AuthenticatedCipherText authCiphCEK = AESGCMKW.encryptCEK(cek, keyIV, getKey(), getJCAContext().getKeyEncryptionProvider()); 208 encryptedKey = Base64URL.encode(authCiphCEK.getCipherText()); 209 210 // Add iv and tag to the header 211 updatedHeader = new JWEHeader.Builder(header). 212 iv(Base64URL.encode(keyIV)). 213 authTag(Base64URL.encode(authCiphCEK.getAuthenticationTag())). 214 build(); 215 } else { 216 // This should never happen 217 throw new JOSEException("Unexpected JWE algorithm: " + alg); 218 } 219 220 return ContentCryptoProvider.encrypt(updatedHeader, clearText, cek, encryptedKey, getJCAContext()); 221 } 222}