IKeyEncryptor<TJsonWebKey> Interface
Abblix.Jwt
Abblix.Jwt.Encryption
IKeyEncryptor<TJsonWebKey> Interface
Interface for JWE (JSON Web Encryption) key encryption and decryption operations. Encrypts and decrypts the Content Encryption Key (CEK) using a specific key management algorithm. Implements RFC 7516 Section 5 (Key Encryption) and RFC 7518 Section 4 (Key Management Algorithms).
public interface IKeyEncryptor<in TJsonWebKey>
where TJsonWebKey : Abblix.Jwt.JsonWebKey
Type parameters
TJsonWebKey
The specific type of JSON Web Key required by this encryptor implementation.
Remarks
The key encryptor handles the "alg" (algorithm) parameter in the JWE header, which specifies how the CEK is encrypted using the recipient's key. This is separate from the "enc" parameter, which specifies how the actual content is encrypted using the CEK. Common key encryption algorithms include RSA-OAEP, RSA-OAEP-256, RSA1_5, ECDH-ES, and AES key wrap.
Methods
IKeyEncryptor<TJsonWebKey>.EncryptKey(JsonWebTokenHeader, TJsonWebKey, byte[]) Method
Encrypts a Content Encryption Key (CEK) using the configured key management algorithm. Used when creating JWE tokens to protect the CEK with the recipient's public key.
byte[] EncryptKey(Abblix.Jwt.JsonWebTokenHeader header, TJsonWebKey encryptionKey, byte[] keyToEncrypt);
Parameters
header JsonWebTokenHeader
The JWE header that can be modified to add algorithm-specific parameters (e.g., "epk" for ECDH-ES).
encryptionKey TJsonWebKey
The JSON Web Key containing the public key material for encryption.
keyToEncrypt System.Byte[]
The randomly generated Content Encryption Key bytes to protect.
Returns
System.Byte[]
The encrypted CEK bytes that will be placed in the JWE "encrypted_key" field.
For RSA algorithms, output size equals the RSA key size in bytes.
For direct key agreement (ECDH-ES), returns empty array per RFC 7518.
Exceptions
System.InvalidOperationException
Thrown when the key type is not supported for the configured algorithm.
System.Security.Cryptography.CryptographicException
Thrown when encryption fails (e.g., CEK too large for RSA key size).
IKeyEncryptor<TJsonWebKey>.TryDecryptKey(JsonWebTokenHeader, TJsonWebKey, byte[], byte[]) Method
Attempts to decrypt an encrypted Content Encryption Key (CEK) using the configured key management algorithm. Used when validating JWE tokens where multiple decryption keys may be tried sequentially.
bool TryDecryptKey(Abblix.Jwt.JsonWebTokenHeader header, TJsonWebKey decryptingKey, byte[] encryptedKey, out byte[]? decryptedKey);
Parameters
header JsonWebTokenHeader
The JWE header containing algorithm-specific parameters (e.g., "epk" for ECDH-ES).
decryptingKey TJsonWebKey
The JSON Web Key containing the private key material for decryption.
encryptedKey System.Byte[]
The encrypted CEK bytes from the JWE "encrypted_key" field.
decryptedKey System.Byte[]
When this method returns true, contains the decrypted Content Encryption Key. When this method returns false, this parameter is null.
Returns
System.Boolean
True if decryption succeeded with the provided key; otherwise, false.
False typically indicates the wrong private key was used or the data is corrupted.
Remarks
This method does not throw exceptions for decryption failures to support trying multiple keys. Only cryptographic operation errors (not authentication failures) should throw exceptions.