Nimbus JOSE + JWT

Create, parse and process JOSE and JWT objects:

• {@link com.nimbusds.jose.PlainObject Unsecured (alg=none) JOSE objects}.
• {@link com.nimbusds.jose.JWSObject JSON Web Signature (JWS) objects}.
• {@link com.nimbusds.jose.JWEObject JSON Web Encryption (JWE) objects}.
• {@link com.nimbusds.jose.jwk.JWK JSON Web Key (JWK) objects} and {@link com.nimbusds.jose.jwk.JWKSet JWK Sets}.
• {@link com.nimbusds.jwt.PlainJWT Unsecured}, {@link com.nimbusds.jwt.SignedJWT signed} and {@link com.nimbusds.jwt.EncryptedJWT encrypted} {@link com.nimbusds.jwt.JWT JSON Web Tokens (JWTs)}.

A framework for secure application-specific {@link com.nimbusds.jwt.proc processing of JWTs} as well as generic (i.e. arbitrary payload) {@link com.nimbusds.jose.proc JOSE objects} is provided.

The library {@link com.nimbusds.jose.crypto implements} all standard JWS and JWE algorithms:

JWS algorithms:

1. HMAC integrity protection: HS256, HS384 and HS512
2. RSA signatures: RS256, RS384, RS512, PS256, PS384 and PS512.
3. EC signatures: ES256, ES384 and ES512

JWE key management algorithms:

1. Key encryption with RSAES-PKCS1-V1_5: RSA1_5
2. Key encryption with RSAES OAEP: RSA-OAEP and RSA-OAEP-256
3. Key encryption with AES key wrap: A128KW, A192KW and A256KW
4. Key encryption with AES GCM key wrap: A128CGMKW, A192CGMKW and A256CGMKW
5. Direct encryption with a symmetric key: dir
6. Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static: ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
7. Password-based encryption: PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW

JWE content encryption algorithms:

1. AES_CBC_HMAC_SHA2: A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, the deprecated A128CBC+HS256 and A256CBC+HS512 are also supported
2. AES GCM: A128GCM, A192GCM and A256GCM

New JWA algorithms can be easily added. The library provides a set of simple interfaces to decouple the representation of JOSE / JWT objects from JWA crypto code for signing / verification or encryption / decryption. Multiple JCA providers, including hardware-based can be configured.

Implemented IETF standards:

1. RFC 7515 (JWS)
2. RFC 7516 (JWE)
3. RFC 7517 (JWK)
4. RFC 7518 (JWA)
5. RFC 7519 (JWT)
6. RFC 7638 (JWK Thumbprint)

Dependencies (see the Maven pom.xml for details):

1. JSON Smart for highly efficient parsing and serialisation of JSON.
2. JCIP for concurrency annotations.
3. Apache Commons IO for reading local and remote JWK sets.
4. [optional] BouncyCastle as an alternative JCA provider

To post bug reports and suggestions:

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues

Follow updates and new releases on Twitter:

https://twitter.com/connect2id