Package: com.helger.phase4.crypto
Maven artifact: com.helger.phase4:phase4-lib
AS4CryptParams holds all parameters required to encrypt an outgoing AS4 message or to decrypt an incoming message.

Default values

| Constant | Value | Description |
| --- | --- | --- |
| DEFAULT_KEY_IDENTIFIER_TYPE | BST_DIRECT_REFERENCE | Key identifier type |
| DEFAULT_KEY_ENCRYPTION_ALGORITHM | RSA_OAEP_XENC11 | Key transport algorithm |
| DEFAULT_MGF_ALGORITHM | SHA-256 | MGF algorithm for RSA-OAEP |
| DEFAULT_DIGEST_ALGORITHM | SHA-256 | Digest algorithm for RSA-OAEP |
| DEFAULT_SESSION_KEY_PROVIDER | Random AES-128 | Session key provider |
| DEFAULT_ENCRYPT_SYMMETRIC_SESSION_KEY | true | Include encrypted session key |

Setter methods

setKeyIdentifierType (ECryptoKeyIdentifierType, required)
How the recipient certificate is identified in the encrypted message. Default: BST_DIRECT_REFERENCE. Since 0.11.0.

setAlgorithmCrypt (ECryptoAlgorithmCrypt)
The symmetric encryption algorithm. Mandatory to enable encryption. Set to null to disable.

setKeyEncAlgorithm (ECryptoKeyEncryptionAlgorithm)
The key transport/wrapping algorithm. Default: RSA_OAEP_XENC11.

setMGFAlgorithm (String)
The Mask Generation Function (MGF) algorithm used with RSA-OAEP. Default: SHA-256.

setDigestAlgorithm (String)
The digest algorithm used with RSA-OAEP. Default: SHA-256.

setKeyAgreementMethod (ECryptoKeyAgreementMethod)
Key agreement method (e.g. X25519, ECDH_ES). When set, key agreement is used instead of key transport. null means key transport. Since 4.4.0.

setKeyDerivationMethod (ECryptoKeyDerivationMethod)
Key derivation function for use with key agreement (e.g. HKDF, ConcatKDF). Since 4.4.0.

setKeyWrapAlgorithm (ECryptoKeyWrapAlgorithm)
Key wrap algorithm for use with key agreement (e.g. AES_128). Since 4.4.0.

setCertificate (X509Certificate)
The recipient X.509 certificate for encryption. Overrides setAlias. If expired, a warning is logged but the certificate is still used.

setAlias (String)
Keystore alias for the recipient certificate. Overrides setCertificate.

setSessionKeyProvider (ICryptoSessionKeyProvider)
Provider for the symmetric session key. Defaults to random AES-128. Since 2.1.2.

setSecurityProvider (Provider)
Sets the same java.security.Provider for both encryption and decryption. Since 2.1.4.

setSecurityProviderEncrypt (Provider)
JCA/JCE provider for encryption only. Since 2.4.0.

setSecurityProviderDecrypt (Provider)
JCA/JCE provider for decryption only. Since 2.4.0.

setEncryptSymmetricSessionKey (boolean, default: true)
Whether to include the encrypted session key in the transmission. Since 2.1.4.

setWSSecEncryptCustomizer (IWSSecEncryptCustomizer)
Low-level customizer for WSS4J WSSecEncrypt objects.

Convenience methods

// Sets X25519 + HKDF + AES-128 (eDelivery AS4 2.0 EdDSA/X25519)
params.setEDelivery2KeyAgreementX25519();

// Sets ECDH-ES + HKDF + AES-128 (eDelivery AS4 2.0 ECDSA/ECDH-ES)
params.setEDelivery2KeyAgreementECDHES();

// Set algorithm from a PMode security configuration
params.setFromPMode(pmodeLeg.getSecurity());

isCryptEnabled

boolean enabled = params.isCryptEnabled(warningMsg -> LOGGER.warn(warningMsg));

Returns true only when an algorithm is set and at least one of certificate or alias is configured.

Static factory

// Creates a default instance with AES-128-GCM
AS4CryptParams defaults = AS4CryptParams.createDefault();

ECryptoAlgorithmCrypt

Symmetric encryption algorithms supported by phase4.

| Enum value | ID | Algorithm URI | Notes |
| --- | --- | --- | --- |
| CRYPT_3DES | 3des | Triple-DES CBC | Legacy |
| AES_128_CBC | aes128-cbc | AES-128 CBC | |
| AES_128_GCM | aes128-gcm | AES-128 GCM | Default |
| AES_192_CBC | aes192-cbc | AES-192 CBC | |
| AES_192_GCM | aes192-gcm | AES-192 GCM | |
| AES_256_CBC | aes256-cbc | AES-256 CBC | |
| AES_256_GCM | aes256-gcm | AES-256 GCM | |

ECryptoAlgorithmCrypt.ENCRYPTION_ALGORITHM_DEFAULT // AES_128_GCM

Example

import com.helger.phase4.crypto.AS4CryptParams;
import com.helger.phase4.crypto.ECryptoAlgorithmCrypt;

// Basic encryption
// receiverCert is the recipient's java.security.cert.X509Certificate, loaded elsewhere
AS4CryptParams params = new AS4CryptParams()
    .setAlgorithmCrypt(ECryptoAlgorithmCrypt.AES_128_GCM)
    .setCertificate(receiverCert);

// Using AS4CryptParams in a sender builder
// builder is an existing sender builder instance, created elsewhere
builder.cryptParams().setAlgorithmCrypt(ECryptoAlgorithmCrypt.AES_256_GCM);
builder.cryptParams().setCertificate(receiverCert);
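
The setCertificate entry above notes that an expired certificate is only logged as a warning and still used, and the algorithm table marks CRYPT_3DES as legacy. The following is an added example, not part of phase4 or its documentation: a hypothetical StrictCryptParams helper that rejects certificates outside their validity period and, as an assumed local policy, accepts only the GCM values before building the parameters.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Set;

import com.helger.phase4.crypto.AS4CryptParams;
import com.helger.phase4.crypto.ECryptoAlgorithmCrypt;

// Added example: StrictCryptParams is a hypothetical helper, not part of phase4.
public final class StrictCryptParams {
  // Assumed local policy: only the authenticated (GCM) values from the table above.
  // CRYPT_3DES and the CBC values are rejected.
  private static final Set<ECryptoAlgorithmCrypt> ALLOWED = EnumSet.of(
      ECryptoAlgorithmCrypt.AES_128_GCM,
      ECryptoAlgorithmCrypt.AES_192_GCM,
      ECryptoAlgorithmCrypt.AES_256_GCM);

  private StrictCryptParams() {}

  public static AS4CryptParams create(ECryptoAlgorithmCrypt algo, X509Certificate receiverCert) {
    if (algo == null || !ALLOWED.contains(algo))
      throw new IllegalArgumentException("Encryption algorithm not allowed by policy: " + algo);
    if (receiverCert == null)
      throw new IllegalArgumentException("No recipient certificate provided");
    try {
      // setCertificate only logs a warning for an expired certificate,
      // so fail closed here on expired or not-yet-valid certificates.
      receiverCert.checkValidity();
    } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
      throw new IllegalArgumentException("Recipient certificate is outside its validity period: "
          + receiverCert.getSubjectX500Principal().getName(), ex);
    }
    AS4CryptParams params = new AS4CryptParams()
        .setAlgorithmCrypt(algo)
        .setCertificate(receiverCert);
    // isCryptEnabled is true only when an algorithm and a certificate or alias are set.
    if (!params.isCryptEnabled(msg -> System.err.println("AS4 crypt warning: " + msg)))
      throw new IllegalStateException("Encryption is not enabled for this message");
    return params;
  }
}
```

checkValidity() only tests the notBefore/notAfter dates; chain building and revocation checking of the recipient certificate are separate steps that this helper does not perform.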
