Package com.nimbusds.jose.jwk

Class RSAKey

java.lang.Object
com.nimbusds.jose.jwk.JWK
com.nimbusds.jose.jwk.RSAKey
All Implemented Interfaces:
AsymmetricJWK, Serializable
@Immutable public final class RSAKey extends JWK implements AsymmetricJWK
Public and private RSA JSON Web Key (JWK). This class is immutable.

Provides RSA JWK import from / export to the following standard Java interfaces and classes:

Example JSON object representation of a public RSA JWK: 

 { 
   "kty" : "RSA",
   "n"   : "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
            4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
            tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
            QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
            SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
            w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e"   : "AQAB",
   "alg" : "RS256",
   "kid" : "2011-04-29"
 }

Example JSON object representation of a public and private RSA JWK (with both the first and the second private key representations): 

 { 
   "kty" : "RSA",
   "n"   : "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
            4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
            tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
            QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
            SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
            w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
   "e"   : "AQAB",
   "d"   : "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9
            M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqij
            wp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d
            _cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBz
            nbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFz
            me1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
   "p"   : "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPV
            nwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqV
            WlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
   "q"   : "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyum
            qjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgx
            kIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
   "dp"  : "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oim
            YwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_Nmtu
            YZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
   "dq"  : "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUU
            vMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9
            GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
   "qi"  : "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzg
            UIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rx
            yR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
   "alg" : "RS256",
   "kid" : "2011-04-29"
 }

Use the builder to create a new RSA JWK: 

 RSAKey key = new RSAKey.Builder(n, e)
        .keyUse(KeyUse.SIGNATURE)
        .keyID("123")
        .build();

See RFC 3447.

See http://en.wikipedia.org/wiki/RSA_%28algorithm%29

Version:
2022-12-26
Author:
Vladimir Dzhuvinov, Justin Richer, Cedric Staub
See Also:

  • Constructor Details

    • RSAKey

      @Deprecated public RSAKey(Base64URL n, Base64URL e, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(Base64URL n, Base64URL e, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(Base64URL n, Base64URL e, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(Base64URL n, Base64URL e, Base64URL d, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(Base64URL n, Base64URL e, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      oth - The other primes information, should they exist, null or an empty list if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(Base64URL n, Base64URL e, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).
      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. Must not be null.
      oth - The other primes information, should they exist, null or an empty list if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(Base64URL n, Base64URL e, Base64URL d, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by both its first and second representations (see RFC 3447, section 3.2).

      A valid first private RSA key representation must specify the d parameter.

      A valid second private RSA key representation must specify all required Chinese Remainder Theorem (CRT) parameters - p, q, dp, dq and qi, else an IllegalArgumentException will be thrown.

      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      oth - The other primes information, should they exist, null or an empty list if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(Base64URL n, Base64URL e, Base64URL d, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, PrivateKey prv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key can be specified by its first representation, its second representation (see RFC 3447, section 3.2), or by a PKCS#11 handle as PrivateKey.

      A valid first private RSA key representation must specify the d parameter.

      A valid second private RSA key representation must specify all required Chinese Remainder Theorem (CRT) parameters - p, q, dp, dq and qi, else an IllegalArgumentException will be thrown.

      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      oth - The other primes information, should they exist, null or an empty list if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(Base64URL n, Base64URL e, Base64URL d, Base64URL p, Base64URL q, Base64URL dp, Base64URL dq, Base64URL qi, List<RSAKey.OtherPrimesInfo> oth, PrivateKey prv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key can be specified by its first representation, its second representation (see RFC 3447, section 3.2), or by a PKCS#11 handle as PrivateKey.

      A valid first private RSA key representation must specify the d parameter.

      A valid second private RSA key representation must specify all required Chinese Remainder Theorem (CRT) parameters - p, q, dp, dq and qi, else an IllegalArgumentException will be thrown.

      Parameters:
      n - The the modulus value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      e - The exponent value for the public RSA key. It is represented as the Base64URL encoding of value's big endian representation. Must not be null.
      d - The private exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      p - The first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      q - The second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dp - The first factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      dq - The second factor Chinese Remainder Theorem exponent. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      qi - The first Chinese Remainder Theorem coefficient. It is represented as the Base64URL encoding of the value's big endian representation. May be null.
      oth - The other primes information, should they exist, null or an empty list if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(RSAPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(RSAPublicKey pub, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public RSA JSON Web Key (JWK) with the specified parameters.
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(RSAPublicKey pub, RSAPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(RSAPublicKey pub, RSAPrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its first representation (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(RSAPublicKey pub, RSAPrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(RSAPublicKey pub, RSAPrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(RSAPublicKey pub, RSAMultiPrimePrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation, with optional other primes info (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(RSAPublicKey pub, RSAMultiPrimePrivateCrtKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by its second representation, with optional other primes info (see RFC 3447, section 3.2).
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key to represent. Must not be null.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      @Deprecated public RSAKey(RSAPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, KeyStore ks)
      Deprecated.
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by a PKCS#11 handle.
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key as PKCS#11 handle, null if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

    • RSAKey

      public RSAKey(RSAPublicKey pub, PrivateKey priv, KeyUse use, Set<KeyOperation> ops, Algorithm alg, String kid, URI x5u, Base64URL x5t, Base64URL x5t256, List<Base64> x5c, Date exp, Date nbf, Date iat, KeyStore ks)
      Creates a new public / private RSA JSON Web Key (JWK) with the specified parameters. The private RSA key is specified by a PKCS#11 handle.
      Parameters:
      pub - The public RSA key to represent. Must not be null.
      priv - The private RSA key as PKCS#11 handle, null if not specified.
      use - The key use, null if not specified or if the key is intended for signing as well as encryption.
      ops - The key operations, null if not specified.
      alg - The intended JOSE algorithm for the key, null if not specified.
      kid - The key ID. null if not specified.
      x5u - The X.509 certificate URL, null if not specified.
      x5t - The X.509 certificate SHA-1 thumbprint, null if not specified.
      x5t256 - The X.509 certificate SHA-256 thumbprint, null if not specified.
      x5c - The X.509 certificate chain, null if not specified.
      exp - The key expiration time, null if not specified.
      nbf - The key not-before time, null if not specified.
      iat - The key issued-at time, null if not specified.
      ks - Reference to the underlying key store, null if not specified.

  • Method Details

    • getModulus

      public Base64URL getModulus()
      Gets the modulus value (n) of the RSA key.
      Returns:
      The RSA key modulus. It is represented as the Base64URL encoding of the value's big endian representation.

    • getPublicExponent

      public Base64URL getPublicExponent()
      Gets the public exponent (e) of the RSA key.
      Returns:
      The public RSA key exponent. It is represented as the Base64URL encoding of the value's big endian representation.

    • getPrivateExponent

      public Base64URL getPrivateExponent()
      Gets the private exponent (d) of the RSA key.
      Returns:
      The private RSA key exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the second representation only).

    • getFirstPrimeFactor

      public Base64URL getFirstPrimeFactor()
      Gets the first prime factor (p) of the private RSA key.
      Returns:
      The RSA first prime factor. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

    • getSecondPrimeFactor

      public Base64URL getSecondPrimeFactor()
      Gets the second prime factor (q) of the private RSA key.
      Returns:
      The RSA second prime factor. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

    • getFirstFactorCRTExponent

      public Base64URL getFirstFactorCRTExponent()
      Gets the first factor Chinese Remainder Theorem (CRT) exponent (dp) of the private RSA key.
      Returns:
      The RSA first factor CRT exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

    • getSecondFactorCRTExponent

      public Base64URL getSecondFactorCRTExponent()
      Gets the second factor Chinese Remainder Theorem (CRT) exponent (dq) of the private RSA key.
      Returns:
      The RSA second factor CRT exponent. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

    • getFirstCRTCoefficient

      public Base64URL getFirstCRTCoefficient()
      Gets the first Chinese Remainder Theorem (CRT) coefficient (qi)} of the private RSA key.
      Returns:
      The RSA first CRT coefficient. It is represented as the Base64URL encoding of the value's big endian representation. null if not specified (for a public key or a private key using the first representation only).

    • getOtherPrimes

      public List<RSAKey.OtherPrimesInfo> getOtherPrimes()
      Gets the other primes information (oth) for the private RSA key, should they exist.
      Returns:
      The RSA other primes information, null or empty list if not specified.

    • toRSAPublicKey

      public RSAPublicKey toRSAPublicKey() throws JOSEException
      Returns a standard java.security.interfaces.RSAPublicKey representation of this RSA JWK.
      Returns:
      The public RSA key.
      Throws:
      JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public RSA key.

    • toRSAPrivateKey

      public RSAPrivateKey toRSAPrivateKey() throws JOSEException
      Returns a standard java.security.interfaces.RSAPrivateKey representation of this RSA JWK.
      Returns:
      The private RSA key, null if not specified by this JWK.
      Throws:
      JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a private RSA key.

    • toPublicKey

      public PublicKey toPublicKey() throws JOSEException
      Description copied from interface: AsymmetricJWK
      Returns a Java public key representation of the JWK.
      Specified by:
      toPublicKey in interface AsymmetricJWK
      Returns:
      The Java public key.
      Throws:
      JOSEException - If conversion failed or is not supported.

    • toPrivateKey

      public PrivateKey toPrivateKey() throws JOSEException
      Description copied from interface: AsymmetricJWK
      Returns a Java private key representation of this JWK.
      Specified by:
      toPrivateKey in interface AsymmetricJWK
      Returns:
      The Java private key, null if not specified.
      Throws:
      JOSEException - If conversion failed or is not supported.

    • toKeyPair

      public KeyPair toKeyPair() throws JOSEException
      Returns a standard java.security.KeyPair representation of this RSA JWK.
      Specified by:
      toKeyPair in interface AsymmetricJWK
      Returns:
      The RSA key pair. The private RSA key will be null if not specified.
      Throws:
      JOSEException - If RSA is not supported by the underlying Java Cryptography (JCA) provider or if the JWK parameters are invalid for a public and / or private RSA key.

    • matches

      public boolean matches(X509Certificate cert)
      Description copied from interface: AsymmetricJWK
      Returns true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate.
      Specified by:
      matches in interface AsymmetricJWK
      Parameters:
      cert - The X.509 certificate. Must not be null.
      Returns:
      true if the public key material of this JWK matches the public subject key info of the specified X.509 certificate, else false.

    • getRequiredParams

      public LinkedHashMap<String,?> getRequiredParams()
      Description copied from class: JWK
      Returns the required JWK parameters. Intended as input for JWK thumbprint computation. See RFC 7638 for more information.
      Specified by:
      getRequiredParams in class JWK
      Returns:
      The required JWK parameters, sorted alphanumerically by key name and ready for JSON serialisation.

    • isPrivate

      public boolean isPrivate()
      Description copied from class: JWK
      Returns true if this JWK contains private or sensitive (non-public) parameters.
      Specified by:
      isPrivate in class JWK
      Returns:
      true if this JWK contains private parameters, else false.

    • size

      public int size()
      Description copied from class: JWK
      Returns the size of this JWK.
      Specified by:
      size in class JWK
      Returns:
      The JWK size, in bits.

    • toPublicJWK

      public RSAKey toPublicJWK()
      Returns a copy of this RSA JWK with any private values removed.
      Specified by:
      toPublicJWK in class JWK
      Returns:
      The copied public RSA JWK.

    • toJSONObject

      public Map<String,Object> toJSONObject()
      Description copied from class: JWK
      Returns a JSON object representation of this JWK. This method is intended to be called from extending classes.

      Example: 

       {
   "kty" : "RSA",
   "use" : "sig",
   "kid" : "fd28e025-8d24-48bc-a51a-e2ffc8bc274b"
 }
      Overrides:
      toJSONObject in class JWK
      Returns:
      The JSON object representation.

    • parse

      public static RSAKey parse(String s) throws ParseException
      Parses a public / private RSA JWK from the specified JSON object string representation.
      Parameters:
      s - The JSON object string to parse. Must not be null.
      Returns:
      The public / private RSA JWK.
      Throws:
      ParseException - If the string couldn't be parsed to an RSA JWK.

    • parse

      public static RSAKey parse(Map<String,Object> jsonObject) throws ParseException
      Parses a public / private RSA JWK from the specified JSON object representation.
      Parameters:
      jsonObject - The JSON object to parse. Must not be null.
      Returns:
      The public / private RSA Key.
      Throws:
      ParseException - If the JSON object couldn't be parsed to an RSA JWK.

    • parse

      public static RSAKey parse(X509Certificate cert) throws JOSEException
      Parses a public RSA JWK from the specified X.509 certificate.

      Important: The X.509 certificate is not validated!

      Sets the following JWK parameters:

      Parameters:
      cert - The X.509 certificate. Must not be null.
      Returns:
      The public RSA key.
      Throws:
      JOSEException - If parsing failed.

    • load

      public static RSAKey load(KeyStore keyStore, String alias, char[] pin) throws KeyStoreException, JOSEException
      Loads a public / private RSA JWK from the specified JCA key store.

      Important: The X.509 certificate is not validated!

      Parameters:
      keyStore - The key store. Must not be null.
      alias - The alias. Must not be null.
      pin - The pin to unlock the private key if any, empty or null if not required.
      Returns:
      The public / private RSA key, null if no key with the specified alias was found.
      Throws:
      KeyStoreException - On a key store exception.
      JOSEException - If RSA key loading failed.

    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class JWK

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class JWK