...
final String text = "The true sign of intelligence is not knowledge but imagination."; SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(WRAPPER_BYTES1, "AES"); SecretKey wrapperKey2 = CryptoUtils.createSecretKeySpec(WRAPPER_BYTES2, "AES"); JweHeaders protectedHeaders = new JweHeaders(ContentAlgorithm.A128GCM); JweHeaders sharedUnprotectedHeaders = new JweHeaders(); sharedUnprotectedHeaders.setJsonWebKeysUrl("https://server.example.com/keys.jwks"); sharedUnprotectedHeaders.setKeyEncryptionAlgorithm(KeyAlgorithm.A128KW); ContentEncryptionProvider contentEncryption = JweUtils.getContentEncryptionProvider(ContentAlgorithm.A128GCM); KeyEncryptionProvider keyEncryption1 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW); JweEncryptionProvider jweEnc1 = new JweEncryption(keyEncryption1, contentEncryption); KeyEncryptionProvider keyEncryption2 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW); JweEncryptionProvider jweEnc2 = new JweEncryption(keyEncryption2, contentEncryption); List<JweEncryptionProvider> jweListjweProviders = new LinkedList<JweEncryptionProvider>(); jweListjweProviders.add(jweEnc1); jweListjweProviders.add(jweEnc2); List<JweHeaders> perRecipientHeades = new LinkedList<JweHeaders>(); perRecipientHeades.add(new JweHeaders("key1")); perRecipientHeades.add(new JweHeaders("key2")); JweJsonProducer p = new JweJsonProducer(protectedHeaders, sharedUnprotectedHeaders, StringUtils.toBytesUTF8(text), StringUtils.toBytesUTF8(EXTRA_AAD_SOURCE), false); String jweJsonOut = p.encryptWith(jweList); // first consumer: JweDecryptionProvider jweDecrypt = JweUtils.createJweDecryptionProvider(wrapperKey1, { protected JweEncryptionInput createEncryptionInput(JweHeaders jsonHeaders) { JweEncryptionInput input = super.createEncryptionInput(jsonHeaders); KeyAlgorithm.A128KW, input.setCek(CEK_BYTES); input.setIv(JweCompactReaderWriterTest.INIT_VECTOR_A1); return input; } } String jweJsonOut = p.encryptWith(jweProviders, 
perRecipientHeades); JweJsonConsumer consumer = new JweJsonConsumer(jweJsonOut); // first recipient: JweDecryptionProvider jwe1 = JweUtils.createJweDecryptionProvider(wrapperKey1, KeyAlgorithm.A128KW, ContentAlgorithm.A128GCM); // the consumer will iterate over JWE entries and will try to find the one which can be decrypted with this decryptor // or do consumer.getRecipientsMap() returning a list of entries and their metadata to do a more precise selection. String content = consumer.decryptWith(jwe1, Collections.singletonMap("kid", "key1")).getContent(); // second recipient: JweDecryptionProvider jwe2 = JweUtils.createJweDecryptionProvider(wrapperKey2, KeyAlgorithm.A128KW, ContentAlgorithm.A128GCM); JweJsonConsumer c = new JweJsonConsumer(jweJsonOut); // the consumer will iterate over JWE entries and will try to find the one which can be decrypted with this decryptor // which is always precise if only a single receipient entry is available // or do consumer.getRecipientsMap() returning a list of entries and their metadata to do a more precise selectionContentAlgorithm.A128GCM); String content = consumer.decryptWith(jweDecrypt(jwe2, Collections.singletonMap("kid", "key1")).getContent(); |
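Review bot: The `createEncryptionInput` override pins the content-encryption key and IV to constants (`input.setCek(CEK_BYTES)`, `input.setIv(JweCompactReaderWriterTest.INIT_VECTOR_A1)`), and with A128GCM a key/IV pair repeated across messages breaks both confidentiality and integrity, so a reader who copies the sample inherits that. Old and new text are merged in this rendering, so if the override is on the new side it should either carry a comment such as `// test-only: fixed CEK and IV for reproducible output; drop this override in real code` or be left out of the documentation sample. Separately, the second-recipient example decrypts with `wrapperKey2` but selects `Collections.singletonMap("kid", "key1")`, and it calls `consumer` although it has just created `c`. Going by the order of `perRecipientHeades`, `key2` appears to be the intended id, i.e. `c.decryptWith(jwe2, Collections.singletonMap("kid", "key2")).getContent()`. `String content` is also declared twice in the same scope, so the second result needs its own name.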
If the sequence contains only a single recipient entry, then the JWE JSON 'recipients' array will contain a single entry, or the whole sequence can be flattened instead, with the actual 'recipients' array dropped. By default, JweJsonProducer does not produce the flattened sequence when only a single encryption is done, because third-party JWE JSON consumers may only be able to process sequences that have the 'recipients' array; pass the 'canBeFlat' flag to JweJsonProducer if the flattened form is needed.
...