JWE Class

Properties Methods Events Configuration Settings Errors

Create, Encrypt and Decrypt JSON Web Encryption (JWE) messages.

Syntax

class ipworksencrypt.JWE

Remarks

The JWE class supports encrypting and decrypting JSON Web Encryption (JWE) messages.

Specify any payload via input properties and use encrypt to create a JWE message using a variety of algorithms including ECDH, RSA, and AES. Use decrypt to decrypt the payload of any received JWE message. The following algorithms are supported:

RSA1_5
RSA-OAEP
RSA-OAEP-256
A128KW
A192KW
A256KW
dir
ECDH-ES
ECDH-ES+A128KW
ECDH-ES+A192KW
ECDH-ES+A256KW
A128GCMKW
A192GCMKW
A256GCMKW
PBES2-HS256+A128KW
PBES2-HS384+A192KW
PBES2-HS512+A256KW

See encryption_algorithm for more details about supported algorithms.

Encrypting

The encrypt method may be used to encrypt a payload with a variety of algorithms. JSON Web Encryption (JWE) is performed by first generating a random key used to encrypt the content. The content encryption key is used to encrypt the content using the algorithm specified by content_encryption_algorithm. The content encryption key is then encrypted itself using the algorithm specified by encryption_algorithm. The content encryption key is not directly exposed in the API as it is randomly generated.

After calling this method the compact serialized JWE string is written to the specified output location. For instance:

eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiaXYiOiJMa0tNeTZ5Qlpfbzh6QW92IiwidGFnIjoiSmpMTkRsV3l3bWt3V2pMa0NLU0xxQSJ9.wiwySYm6fXZre-3IdT1tb_02KMQDrMICwUawVf7Gjhc.k84s7ne8J41QnA5BQ31k_A.kjIveRjjNYV4x92CVE9Agw.uAygkyeO2KWeFQIy9JLU0A

The class is agnostic of the payload that is encrypted. Any value may be encrypted. key_id may be set to include an identifier to help the receiving party identify the key or certificate used to encrypt the data. The following properties are applicable when calling this method:

encryption_algorithm (required)
key (conditional - required for AES)
key_password (conditional - required for PBES)
certificate (conditional - required for ECDH and RSA)
content_encryption_algorithm
CompressionAlgorithm
Header*
overwrite

Input and Output Properties

The class will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found the search stops. The order in which the output properties are checked is as follows:

output_file
output_message: The output data is written to this property if no other destination is specified.

Notes for AES Algorithms (A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW)

When encryption_algorithm is set to a AES algorithm key must be set to a key of appropriate length for the algorithm. For instance a 256 bit key would be used for A256KW.

The example below uses the EzRand class to generate a key, but the key may be created using any method. The key must be known by both parties in order for encryption and decryption to take place.

//Generate a 256 bit (32 byte) key
Ezrand rand = new Ezrand();
rand.RandBytesLength = 32;
rand.GetNextBytes();
byte[] key = rand.RandBytesB;

//Encrypt the payload using A256KW
Jwe jwe = new Jwe();
jwe.KeyB = key;
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaA256KW;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

To use an existing AES key provide the bytes to the key property. For instance:

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

//Encrypt the payload using A256KW
Jwe jwe = new Jwe();
jwe.KeyB = key;
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaA256KW;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

Notes for RSA Algorithms (RSA1_5, RSA-OEAP, RSA-OAEP-256)

The RSA based algorithms use asymmetric encryption. Encrypting is done with a public key and decryption is done with a private key. The public certificate should be in PEM (base64) format. For instance:

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate("..\\recipient.cer");
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaRSA_OAEP;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

Notes for ECDH Algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW)

ECDH algorithms require a valid ECC public key to encrypt the message. If the key was originally created with the ECC class the PEM encoded PublicKey may be used directly with the certificate property. An example PEM encoded public certificate created by the ECC component:

-----BEGIN PUBLIC KEY----- MIIBMjCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAAAAAA AAD///////////////8wRAQg/////wAAAAEAAAAAAAAAAAAAAAD///////////////wEIFrG NdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt 6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA //////////+85vqtpxeehPO5ysL8YyVRAgEBA0EEIC5rbLp11Mnz6cBXLLriaDIov3rm8RAY x/OR0bOKiff0cQy+sLVaxjseqFk/+Xvl4ORSv5Z6HdHv5GyEpA0UoA== -----END PUBLIC KEY-----

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKeyFile, "", "*");
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaECDH_ES_A256KW;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

To use an ECC public key created by other means the ECC class may be used to import the key parameters. Populate the Rx and Ry properties of the ECC component first to obtain the PEM formatted public key. For instance:

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };

Ecc ecc = new Ecc();
ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;

string pubKey = ecc.Key.PublicKey;

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKey, "", "*");
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaECDH_ES_A256KW;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

Notes for PBES Algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW

PBES algorithms derive a content encryption key from the key_password property. Set key_password to a shared secret.

Jwe jwe = new Jwe();
jwe.KeyPassword = "secret";
jwe.InputMessage = "test data";
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaPBES2_HS512_A256KW;
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

Notes for Direct Shared Keys

When encryption_algorithm is set to Direct the key property must be set to a valid symmetric key that will be used directly by the content_encryption_algorithm. In this case a content encryption key is not generated randomly, the key is used instead. The length of the specified key must be valid for the selected content_encryption_algorithm. For instance:

//Generate a 256 bit (32 byte) key
Ezrand rand = new Ezrand();
rand.RandBytesLength = 32;
rand.GetNextBytes();

byte[] key = rand.RandBytesB;

Jwe jwe = new Jwe();
jwe.EncryptionAlgorithm = JweEncryptionAlgorithms.eaDir;
jwe.ContentEncryptionAlgorithm = JweContentEncryptionAlgorithms.ceaA256GCM;
jwe.KeyB = key;
jwe.InputMessage = "test data";
jwe.Encrypt();

string encryptedData = jwe.OutputMessage;

Decrypting

The decrypt method may be used to decrypt a received JWE message. Before calling the decrypt method set input_message or input_file to a valid compact serialized JWE string. For instance:

The type and format of the private key depends on the algorithm used to encrypt the data. The following table summarizes the relationship:


Algorithm	Private Key Location
AES	key
RSA and ECDH	certificate
PBES	key_password

If the correct key or certificate is not known ahead of time the KeyId parameter of the on_recipient_info event may be used to identify the correct key.

If this method returns without error decryption was successful. If decryption fails then this method fails with an error. After calling this method the payload will be present in the output_message or file specified by output_file and the Header* properties will contain the headers. Headers of the parsed message are also available through the on_header_param event.

The following properties are applicable when calling this method:

certificate (conditional - required for RSA and ECDH)
key (conditional - required for AES)
content_encryption_algorithm (only if StrictValidation is True)
encryption_algorithm (only if StrictValidation is True)
Header*
overwrite
StrictValidation

Input and Output Properties

The class will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found the search stops. The order in which the output properties are checked is as follows:

output_file
output_message: The output data is written to this property if no other destination is specified.

Notes for AES Algorithms (A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW)

To decrypt messages that use AES encryption key must be set to a key of appropriate length for the algorithm. For instance a 256 bit key would be used for A256KW.

The key must be known by both parties in order for encryption and decryption to take place.

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

Jwe jwe = new Jwe();
jwe.KeyB = key;
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

Notes for RSA Algorithms (RSA1_5, RSA-OEAP, RSA-OAEP-256)

The RSA based algorithms use asymmetric encryption. Encrypting is done with a public key and decryption is done with a private key. The certificate with private key must be specified. For instance:

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate(CertStoreTypes.cstPFXFile, "..\\jwt.pfx", "password", "*");
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

Notes for ECDH Algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW)

ECDH algorithms require a valid ECC private key to decrypt the message. If the key was originally created with the ECC class the PEM encoded PrivateKey may be used directly with the certificate property.

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate(CertStoreTypes.cstPEMKeyFile, privKeyFile, "", "*");
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

To use an ECC private key created by other means the ECC class may be used to import the key parameters. Populate the Rx, Ry, and KB properties of the ECC component first to obtain the PEM formatted public key. For instance:

Ecc ecc = new Ecc();

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };
byte[] k_bytes = new byte[] { 81, 65, 201, 24, 235, 249, 162, 148, 169, 150, 109, 181, 61, 238, 145, 122, 31, 30, 151, 94, 239, 90, 222, 217, 63, 103, 54, 2, 176, 232, 248, 168 };

ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;
ecc.Key.KB = k_bytes;

string privKey = ecc.Key.PrivateKey;

Jwe jwe = new Jwe();
jwe.Certificate = new Certificate(CertStoreTypes.cstPEMKeyBlob, privKey, "", "*");
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

Notes for PBES Algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW

PBES algorithms derive a content encryption key from the key_password property. Set key_password to the shared secret.

Jwe jwe = new Jwe();
jwe.KeyPassword = "secret";
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

Notes for Direct Shared Keys

When Direct encryption is used the key property must be set to a valid symmetric key that will be used directly by the content_encryption_algorithm. For instance:

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

Jwe jwe = new Jwe();
jwe.KeyB = key;
jwe.InputMessage = encryptedData;
jwe.Decrypt();

string decryptedData = jwe.OutputMessage;

Other Functionality

In addition to standard encrypting and decrypting the class also supports a variety of other features including:

Adding custom header parameters with add_header_param
Enforcing algorithm restrictions when decrypting by setting StrictValidation
Inspect the JWE headers without decrypting by calling parse

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.


cert_encoded	The certificate (PEM/base64 encoded).
cert_store	The name of the certificate store for the client certificate.
cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
cert_store_type	The type of certificate store for this certificate.
cert_subject	The subject of the certificate used for client authentication.
content_encryption_algorithm	The algorithm used to encrypt the content.
encryption_algorithm	The key encryption algorithm.
header_param_count	The number of records in the HeaderParam arrays.
header_param_data_type	The data type of the header parameter.
header_param_name	The header parameter name.
header_param_value	The header parameter value.
input_file	The file to process.
input_message	The message to process.
key	The secret key for the AES algorithm.
key_id	The Id of the key used to encrypt the message.
key_password	The key password used in the PBES algorithm.
output_file	The output file when encrypting or decrypting.
output_message	The output message after processing.
overwrite	Indicates whether or not the class should overwrite files.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.


add_header_param	Adds additional header parameters.
config	Sets or retrieves a configuration setting.
decrypt	Decrypts the payload.
encrypt	Encrypts the payload with the specified algorithms.
parse	Parses the compact serialized JWE string.
reset	Resets the class.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.


on_error	Information about errors during data delivery.
on_header_param	Fires once for each JOSE header parameter.
on_recipient_info	Fired with information about the recipient key of the encrypted message.

Configuration Settings

The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.


CompressionAlgorithm	The compression algorithm to use.
PartyUInfo	Information about the producer of the message.
PartyVInfo	Information about the recipient of the message.
PBES2Count	The PBKDF2 iteration count.
PBES2SaltLength	The salt input value length.
RawHeader	Holds the raw JOSE header.
StrictValidation	Requires specific algorithm when decrypting.
BuildInfo	Information about the product's build.
CodePage	The system code page used for Unicode to Multibyte translations.
LicenseInfo	Information about the current license.
ProcessIdleEvents	Whether the class uses its internal event loop to process events when the main thread is idle.
SelectWaitMillis	The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.
UseInternalSecurityAPI	Tells the class whether or not to use the system security libraries or an internal implementation.

IPWorks Encrypt 2020 Python Edition