Nimbus JOSE + JWT

Create, parse and process JOSE and JWT objects:

A framework is provided for secure application-specific processing of JWTs (package com.nimbusds.jwt.proc) as well as of generic (i.e. arbitrary payload) JOSE objects (package com.nimbusds.jose.proc).

The library implements all standard JWS and JWE algorithms (package com.nimbusds.jose.crypto):

JWS algorithms:

  1. HMAC integrity protection: HS256, HS384 and HS512
  2. RSA signatures: RS256, RS384, RS512, PS256, PS384 and PS512
  3. EC signatures: ES256, ES256K, ES384, ES512 and EdDSA

JWE key management algorithms:

  1. Key encryption with RSAES-PKCS1-V1_5: RSA1_5 (deprecated)
  2. Key encryption with RSAES OAEP: RSA-OAEP (deprecated) and RSA-OAEP-256
  3. Key encryption with AES key wrap: A128KW, A192KW and A256KW
  4. Key encryption with AES GCM key wrap: A128GCMKW, A192GCMKW and A256GCMKW
  5. Direct encryption with a symmetric key: dir
  6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
  7. Password-based encryption: PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW

JWE content encryption algorithms:

  1. AES_CBC_HMAC_SHA2: A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512; the deprecated A128CBC+HS256 and A256CBC+HS512 are also supported
  2. AES GCM: A128GCM, A192GCM and A256GCM

New JWA algorithms can be easily added. The library provides a set of simple interfaces to decouple the representation of JOSE / JWT objects from the JWA crypto code for signing / verification or encryption / decryption. Multiple JCA providers, including hardware-based ones, can be configured.

Implemented IETF standards:

  1. RFC 7515 (JWS)
  2. RFC 7516 (JWE)
  3. RFC 7517 (JWK)
  4. RFC 7518 (JWA)
  5. RFC 7519 (JWT)
  6. RFC 7638 (JWK Thumbprint)
  7. RFC 8037 - CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)

Dependencies (see the Maven pom.xml for details):

  1. JSON Smart for highly efficient parsing and serialisation of JSON.
  2. JCIP for concurrency annotations.
  3. Apache Commons IO for reading local and remote JWK sets.
  4. [optional] BouncyCastle as an alternative JCA provider

To post bug reports and suggestions:

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues

Follow updates and new releases on Twitter:

https://twitter.com/connect2id