Table of Contents¶
Created by gh-md-toc
Authcrypt JWE Concrete examples¶
The following examples are for JWE authcrypt packer for encrypting the payload secret message
and aad value set as the concatenation of recipients' KIDs (ASCII sorted) joined by .
for non-compact serializations (JWE Compact serializations don't have AAD).
Notes¶
- Since autchrypt requires the sender public key, it must be previously sent, out of band, to the recipient(s). For security reasons, the JWE envelope only includes the sender kid as
skid
in the protected headers. The recipient must be able to resolve the corresponding sender public key during unpack(JWE). - all
x
andy
key coordinates values below are raw (no padding) base64URL encoded. - JWE envelopes with multi recipients use the General JWE JSON Serialization format.
- JWE envelopes with a single recipient will be shown either as JWE Compact or Flattened JWE JSON serialization format.
- General JWE JSON Serialization format uses the above mentioned AAD value in their envelope.
- JWE Compact Serialization format does not support AAD values and therefore were built without it.
- all
apu
recipient header values are set with the raw (no padding) base64URL encoding of the corresponding sender'skid
(skid
) value since authcrypt reveals the sender. - all
apv
recipient header values are set with the raw (no padding) base64URL encoding of the corresponding recipient'skid
value. - The final aad used to encrypt the payload is the concatenation of the raw (no padding) base64URL encoded protected headers and
aad
JWE header joined by a.
. - Even though flattened serialization do support
aad
, the field is omitted in the below examples to be consistent with compact JWE serialization format. Implementations should supportaad
for flattened serialization regardless.
1 A256GCM Content Encryption¶
1.1 Multi recipients JWEs¶
1.1.1 NIST P-256 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"A256GCM","skid":"6PBTUbcLB7-Z4fuAFn42oC1PaMsNmjheq1FeZEUgV_8","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6IjZQQlRVYmNMQjctWjRmdUFGbjQyb0MxUGFNc05tamhlcTFGZVpFVWdWXzgiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0
- Sender key JWK format:
- Sender kid (aka
skid
, jwk thumbprint raw base64 URL encoded):6PBTUbcLB7-Z4fuAFn42oC1PaMsNmjheq1FeZEUgV_8
- Recipient 1 key JWK format:
- Recipient 1 kid (jwk thumbprint raw base64 URL encoded):
D_kHovGtLUZ_ssw_vhZcqsx3LvQ6qC5JK74iPf9vqwk
- Recipient 2 key JWK format:
- Recipient 2 kid (jwk thumbprint raw base64 URL encoded):
pXCqiUJ-A6Zlp6LAvkBWLOXPMuww5Hy_PljoODMsGTw
- Recipient 3 key JWK format:
- Recipient 3 kid (jwk thumbprint raw, no padding, base64 URL encoded):
4CB-2PhtYR9WfjsFNb4rmvSmJozJAL4gRCg_am3oDhw
- List of kids used for AAD for the above recipients (sorted
kid
values joined with.
):4CB-2PhtYR9WfjsFNb4rmvSmJozJAL4gRCg_am3oDhw.D_kHovGtLUZ_ssw_vhZcqsx3LvQ6qC5JK74iPf9vqwk.pXCqiUJ-A6Zlp6LAvkBWLOXPMuww5Hy_PljoODMsGTw
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded):
vo7O9me-lVJv6Y_vjz-rL8eWaa0Xy1WHm2IOsR_UEpk
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{ "protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6IjZQQlRVYmNMQjctWjRmdUFGbjQyb0MxUGFNc05tamhlcTFGZVpFVWdWXzgiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0", "recipients": [ { "header": { "alg": "ECDH-1PU+A256KW", "apu": "NlBCVFViY0xCNy1aNGZ1QUZuNDJvQzFQYU1zTm1qaGVxMUZlWkVVZ1ZfOA", "apv": "RF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3aw", "kid": "D_kHovGtLUZ_ssw_vhZcqsx3LvQ6qC5JK74iPf9vqwk", "epk": { "kty": "EC", "crv": "P-256", "x": "Vpj5VtHxMt5Xz3vnKA727nTMmJd4zbVcPmKjSyHvLvc", "y": "C7ZLlNCTduhf2qMXjrY907-OdMw_6ixC3UttKCVqgjk" } }, "encrypted_key": "lIm78Z0OmYR5Jc5D416xjb9K3rkmcOgaEFVut4WyNDueoTnM9B86Ug" }, { "header": { "alg": "ECDH-1PU+A256KW", "apu": "NlBCVFViY0xCNy1aNGZ1QUZuNDJvQzFQYU1zTm1qaGVxMUZlWkVVZ1ZfOA", "apv": "RF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3aw", "kid": "pXCqiUJ-A6Zlp6LAvkBWLOXPMuww5Hy_PljoODMsGTw", "epk": { "kty": "EC", "crv": "P-256", "x": "wDD9G8UK-I246qp6-A1qBPr6N2yX6nTfYb9Zotf898o", "y": "KIW0m4mOlWzwnW9y1R9314keHj5W8b7eqUs_dT3LBEw" } }, "encrypted_key": "BjZsq3DwuggMu1YhSZIX7NydPNSIBOfHWVBEZ9t5yDzlt1am_LI8cg" }, { "header": { "alg": "ECDH-1PU+A256KW", "apu": "NlBCVFViY0xCNy1aNGZ1QUZuNDJvQzFQYU1zTm1qaGVxMUZlWkVVZ1ZfOA", "apv": "RF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3aw", "kid": "4CB-2PhtYR9WfjsFNb4rmvSmJozJAL4gRCg_am3oDhw", "epk": { "kty": "EC", "crv": "P-256", "x": "CHaH39lqKhUQLcrmbL_sVBmVZQaLlDxNGI1WkcCB7ss", "y": "R36X6eJ2dwPz8T7eto0Uije3KLOGAwzLUVUKWj0SxHk" } }, "encrypted_key": "YnLT86bjwgz4SsKUUiG6bf0AybQywN8k2wHa_E3hGLP3Nwo23CyekQ" } ], "aad": "vo7O9me-lVJv6Y_vjz-rL8eWaa0Xy1WHm2IOsR_UEpk", "iv": "mwMiQc4m9LaoqnIC", "ciphertext": "wQGUFlLz9fHpDoACWEQ", "tag": "Ma9X6kppUNUp5SYH74zXDw" }
1.1.2 NIST P-384 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"A256GCM","skid":"0Bz8yRwu9eC8Gi7cYOwAKMJ8jysInhAtwH8k8m9MX04","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6IjBCejh5Und1OWVDOEdpN2NZT3dBS01KOGp5c0luaEF0d0g4azhtOU1YMDQiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0
- Sender key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "UW1LtMXuZdFS0gyp0_F19uxHqECvCcJA7SmeeuRSSc_PQfsbZWXt5L0KyLYpNIQb",
"y": "FBdPcUvanB7igwkX0NN5rOvH3OKZ1gQHhcad7cCy6QNYKKz7lBWUUOmzypee31pS",
"d": "wrXW0wsFKjvpTWqOAd1mohRublQs4P014-U4_K-eTRFmzhkyLJqNn91dH_AHUc4-"
}
0Bz8yRwu9eC8Gi7cYOwAKMJ8jysInhAtwH8k8m9MX04
- Recipient 1 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "k3W_RR59uUG3HFlhhqNNmBDyFdMtWHxKAsJaxLBqQgQer3d3aAN-lfdxzGnHtwj1",
"y": "VMSy5zxFEGaGRINailLTUH6NlP0JO2qu0j0_UbS7Ng1b8JkzHDnDbjGgsLqVJaMM",
"d": "iM5K8uqNvFYJnuToMDBguGwUIlu1erT-K0g7NYtJrQnHZOumS8yIC4MCNC60Ch91"
}
obCHRLVDx634Cax_Kr3B8fd_-xj5kAj0r0Kvvvmq1z8
- Recipient 2 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "W3iUHCzh_PWzUKONKeHwIKcjWNN--c7OlL2H23lV13C9tlkqOleFUmioW-AeitEk",
"y": "CIzVD6KsuDLyKQPm0r62LPZikkT2kiXJpLjcVO3op2kgePQkZ31xniKE0VbUBnTH",
"d": "V_vQwOqHVCGxSjX_dN8H5VXvOGYDRTGI00mNXwB0I0mKDd8kqCJmNtGlf-eUrbub"
}
PfuTIXG60dvOwnFOfMxJ0i59_L7vqNytROX_bLRR-3M
- Recipient 3 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "bsX8qtEtj5IDLp9iDUKlgdu_3nluupFtFBrfIK1nza1bGZQRlZ3JG3PdBzVAoePz",
"y": "QX_2v0BHloNS7iWoB4CcO9UWHdtirMVmbNcB8ZGczCJOfUyjYcQxGr0RU_tGkFC4",
"d": "rQ-4ZmWn09CsCqRQJhpQhDeUZXeZ3cy_Pei-fchVPFTa2FnAzvjwEF2Nsm2f3MmR"
}
VTVlkyBsoW4ey0sh7TMJBErLGeBeKQsOttFRrXD6eqI
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): PfuTIXG60dvOwnFOfMxJ0i59_L7vqNytROX_bLRR-3M.VTVlkyBsoW4ey0sh7TMJBErLGeBeKQsOttFRrXD6eqI.obCHRLVDx634Cax_Kr3B8fd_-xj5kAj0r0Kvvvmq1z8
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): m72Q9j28hFk0imbFVzqY4KfTE77L8itJoX75N3hwiwA
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6IjBCejh5Und1OWVDOEdpN2NZT3dBS01KOGp5c0luaEF0d0g4azhtOU1YMDQiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "MEJ6OHlSd3U5ZUM4R2k3Y1lPd0FLTUo4anlzSW5oQXR3SDhrOG05TVgwNA",
"apv": "b2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OA",
"kid": "obCHRLVDx634Cax_Kr3B8fd_-xj5kAj0r0Kvvvmq1z8",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "cjJHtV4VkMCww9ig94-_4e4yMfo2WI4Rh4dZh6NkYFvz-EGylA7RLSO5TRC-JJ_G",
"y": "RJe2QisAYpfuTWTV6KVeoLGshsJqYokbcSUqdMxrFGXSp4ZMNrW4yj410Xsn6hy6"
}
},
"encrypted_key": "o0ZZ_xNtmUPcpQAK3kzjOLp8xWBJ31tr-ORQjXtwpqgTuvM_nvhk_w"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "MEJ6OHlSd3U5ZUM4R2k3Y1lPd0FLTUo4anlzSW5oQXR3SDhrOG05TVgwNA",
"apv": "b2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OA",
"kid": "PfuTIXG60dvOwnFOfMxJ0i59_L7vqNytROX_bLRR-3M",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "u1HYhdUJGx49J6wSLYM_JLHTkJrkR7wMSm5uYZMH7ZpcC3qF8MUyKTuKN0FGCBcN",
"y": "K-XI-KAGd2jHebNq44yQrDA6Ubs5M99mIlre0chzI13bSLDOuUG4RJ8yjYjXysWF"
}
},
"encrypted_key": "iCV1_peiRwnsrrBQWmp7GOd-taee-Yk8t6XqJCZPGziglDpGBu_ZhA"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "MEJ6OHlSd3U5ZUM4R2k3Y1lPd0FLTUo4anlzSW5oQXR3SDhrOG05TVgwNA",
"apv": "b2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OA",
"kid": "VTVlkyBsoW4ey0sh7TMJBErLGeBeKQsOttFRrXD6eqI",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "Twps_QU6ShP18uQFNCcdOx9sU9YrHBznNnSbhQD474tLUcnslq5Trubq3ogp-LTX",
"y": "oSES1a5xve9e-lKQ3NMN5_CW9Sii9rTorqUMggDzodLsRGm0Jud3HAy2-uE956Xq"
}
},
"encrypted_key": "dLDKyXeZJDcB_i1Tnn_EUxqCc2ukneaummXF_FwcbpnMH8B0eVizvA"
}
],
"aad": "m72Q9j28hFk0imbFVzqY4KfTE77L8itJoX75N3hwiwA",
"iv": "nuuuri2fyNl3jBo6",
"ciphertext": "DCWevJuEo5dx-MmqPvw",
"tag": "Pyt1S_Smg9Pnd1u_5Z7nbA"
}
1.1.3 NIST P-521 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"A256GCM","skid":"oq-WBIGQm-iHiNRj6nId4-E1QtY8exzp8C56SziUfeU","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6Im9xLVdCSUdRbS1pSGlOUmo2bklkNC1FMVF0WThleHpwOEM1NlN6aVVmZVUiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0
- Sender key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "AXKDGPnD6hlQIre8aEeu33bQffkfl-eQfQXgzNXQX7XFYt5GKA1N6w4-f0_Ci7fQNKGkQuCoAu5-6CNk9M_cHiDi",
"y": "Ae4-APhoZAmM99MdY9io9IZA43dN7dA006wlFb6LJ9bcusJOi5R-o3o3FhCjt5KTv_JxYbo6KU4PsBwQ1eeKyJ0U",
"d": "AP9l2wmQ85P5XD84CkEQVWHaX_46EDvHxLWHEKsHFSQYjEh6BDSuyy1TUNv68v8kpbLCDjvsBc3cIBqC4_T1r4pU"
}
oq-WBIGQm-iHiNRj6nId4-E1QtY8exzp8C56SziUfeU
- Recipient 1 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "ALmUHkd9Gi2NApJojNzzA34Qdd1-KLnq6jd2UJ9wl-xJzTQ2leg8qi3-hrFs7NqNfxqO6vE5bBoWYFeAcf3LqJOU",
"y": "AN-MutmkAXGzlgzSQJRnctHDcjQQNpRek-8BeqyUDXdZKNGKSMEAzw6Hnl3VdvsvihQfrxcajpx5PSnwxbbdakHq",
"d": "AKv-YbKdI6y8NRMP-e17-RjZyRTfGf0Xh9Og5g7q7aq0xS2mO59ttIJ67XHW5SPTBQDbltdUcydKroWNUIGvhKNv"
}
wax1T_hGUvM0NmlbFJi2RizQ_gWajumI5j0Hx7CbgAw
- Recipient 2 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "ALmUHkd9Gi2NApJojNzzA34Qdd1-KLnq6jd2UJ9wl-xJzTQ2leg8qi3-hrFs7NqNfxqO6vE5bBoWYFeAcf3LqJOU",
"y": "AN-MutmkAXGzlgzSQJRnctHDcjQQNpRek-8BeqyUDXdZKNGKSMEAzw6Hnl3VdvsvihQfrxcajpx5PSnwxbbdakHq",
"d": "AKv-YbKdI6y8NRMP-e17-RjZyRTfGf0Xh9Og5g7q7aq0xS2mO59ttIJ67XHW5SPTBQDbltdUcydKroWNUIGvhKNv"
}
XmLVV-CqMkTGQIe6-KecWZWtZVwORTMP2y5aqMPV7P4
- Recipient 3 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "AHCbpo-299Q0Fk71CtBoPu-40-Z0UOu4cGZfgtHHwcu3ciMWVR8IWF4bgvFpAPfKG8Dqx7JJWO8uEgLE67A7aQOL",
"y": "AQ_JBjS3lt8zz3njFhUoJwEdSJMyrSfGPCLpaWkKuRo25k3im-7IjY8T43gvzZXYwV3PKKR3iJ1jnQCrYmfRrmva",
"d": "ACgCw3U3eWTYD5vcygoOpoGPost9TojYJH9FllyRuqwlS3L8dkZu7vKhFyoEg6Bo8AqcOUj5Mtgxhd6Wu02YvqK3"
}
pRJtTY7V1pClPu8WEgEZonzaHq3K0El9Vcb8qmjucSg
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): S8s7FFL7f0fUMXt93WOWC-3PJrV1iuAmB_ZlCDyjXqs.XmLVV-CqMkTGQIe6-KecWZWtZVwORTMP2y5aqMPV7P4.pRJtTY7V1pClPu8WEgEZonzaHq3K0El9Vcb8qmjucSg
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): tOS8nLSCERw2V9WOZVo6cenGuM4DJvHse1dsvTk8_As
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6Im9xLVdCSUdRbS1pSGlOUmo2bklkNC1FMVF0WThleHpwOEM1NlN6aVVmZVUiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "b3EtV0JJR1FtLWlIaU5SajZuSWQ0LUUxUXRZOGV4enA4QzU2U3ppVWZlVQ",
"apv": "WG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNA",
"kid": "XmLVV-CqMkTGQIe6-KecWZWtZVwORTMP2y5aqMPV7P4",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "AP630J9yi2UFBfRWKucXB8eu9-SSKbbbD1fzFhLgbI3xTRTRNMGm-U5EGHbplMLsOfP2pNxtAgo2-d6abiZiD6gg",
"y": "AE1Grtp1iFvySLN4yHVvE0kYWChqVfkO_kHEMujjL6vVu_AAOvl3aogquLv1zgduitCPbKRTno89r3rv0L0Kuj0M"
}
},
"encrypted_key": "FSYpXFfgPlSfj91VFQ4zAs0Wb3CEpWcBcGeW4nld9szVfb_WRbqTtA"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "b3EtV0JJR1FtLWlIaU5SajZuSWQ0LUUxUXRZOGV4enA4QzU2U3ppVWZlVQ",
"apv": "WG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNA",
"kid": "S8s7FFL7f0fUMXt93WOWC-3PJrV1iuAmB_ZlCDyjXqs",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "Acw0XM1IZl63ltysb-ivw8zBhZ-Wz54SaXM_vGGea8Sa5w6VWdZflp1tibzHkfu4novFFpNbKtnCKi-28AqQnOYZ",
"y": "AajoBj0KMrlaIA17RKnShFNzIb1S81oLYZu5MXzAg-XvT8_q83dXajOCiYJLo3taUvHTlcPjkHMG3_8442DgWpU_"
}
},
"encrypted_key": "3ct4awH6xyp9BjA74Q_j6ot6F32okEYXbS2e6NIkiAgs-JGyEPWoxw"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "b3EtV0JJR1FtLWlIaU5SajZuSWQ0LUUxUXRZOGV4enA4QzU2U3ppVWZlVQ",
"apv": "WG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNA",
"kid": "pRJtTY7V1pClPu8WEgEZonzaHq3K0El9Vcb8qmjucSg",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "APu-ArpY-GUntHG7BzTvUauKVP_YpCcVnZFX6r_VvYY2iPbFSZYxvUdUbX3TGK-Q92rTHNaNnutjbPcrCaBpJecM",
"y": "AONhGq1vGU20Wdrx1FT5SBdLOIvqOK_pxhTJZhS0Vwi_JYQdKN6PHrX9GyJ23ZhaY3bBKX6V2uzRJzV8Qam1FUbz"
}
},
"encrypted_key": "U51txv9yfZASl8tlT7GbNtLjeAqTHUVT4O9MEqBKaYIdAcA7Qd7dnw"
}
],
"aad": "tOS8nLSCERw2V9WOZVo6cenGuM4DJvHse1dsvTk8_As",
"iv": "LJl-9ygxPGMAmVHP",
"ciphertext": "HOfi-W7mcQv93scr1z8",
"tag": "zaM6OfzhVhYCsqD2VW5ztw"
}
1.1.4 X25519 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"A256GCM","skid":"X5INSMIv_w4Q7pljH7xjeUrRAKiBGHavSmOYyyiRugc","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6Ilg1SU5TTUl2X3c0UTdwbGpIN3hqZVVyUkFLaUJHSGF2U21PWXl5aVJ1Z2MiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0
- Sender key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "WKkktGWkUB9hDITcqa1Z6MC8rcWy8fWtxuT7xwQF1lw",
"d": "-LEcVt6bW_ah9gY7H_WknTsg1MXq8yc42SrSJhqP0Vo"
}
X5INSMIv_w4Q7pljH7xjeUrRAKiBGHavSmOYyyiRugc
- Recipient 1 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "NJzDtIa7vjz-isjaI-6GKGDe2EUx26-D44d6jLILeBI",
"d": "MEBNdr6Tpb0XfD60NeHby-Tkmlpgr7pvVe7Q__sBbGw"
}
2UR-nzYjVhsq0cZakWjE38-wUdG0S2EIrLZ8Eh0KVO0
- Recipient 2 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "_aiA8rwrayc2k9EL-mkqtSh8onyl_-EzVif3L-q-R20",
"d": "ALBfdypF_lAbBtWXhwvq9Rs7TGjcLd-iuDh0s3yWr2Y"
}
dvDd4h1rHj-onj-Xz9O1KRIgkMhh3u23d-94brHbBKo
- Recipient 3 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "zuHJfrIarLGFga0OwZqDlvlI5P1bb9DFhAtdnI54pwQ",
"d": "8BVFAqxPHXB5W-EBxr-EjdUmA4HqY1gwDjiYvt0UxUk"
}
hj57wbrmOygTc_ktMPqKMHdiL85FdiGJa5DKzoLIzeU
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): 2UR-nzYjVhsq0cZakWjE38-wUdG0S2EIrLZ8Eh0KVO0.dvDd4h1rHj-onj-Xz9O1KRIgkMhh3u23d-94brHbBKo.hj57wbrmOygTc_ktMPqKMHdiL85FdiGJa5DKzoLIzeU
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): L-QV1cHI5u8U9BQa8_S4CFW-LhKNXHCjmqydtQYuSLw
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJBMjU2R0NNIiwic2tpZCI6Ilg1SU5TTUl2X3c0UTdwbGpIN3hqZVVyUkFLaUJHSGF2U21PWXl5aVJ1Z2MiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "WDVJTlNNSXZfdzRRN3Bsakg3eGplVXJSQUtpQkdIYXZTbU9ZeXlpUnVnYw",
"apv": "MlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMA",
"kid": "2UR-nzYjVhsq0cZakWjE38-wUdG0S2EIrLZ8Eh0KVO0",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "IcuAA7zPN0mLt4GSZLQJ6f8p3yPALQaSyupbSRpDnwA"
}
},
"encrypted_key": "_GoKcbrlbPR8hdgpDdpotO4WvAKOzyOEXo5A2RlxVaEb0enFej2DFQ"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "WDVJTlNNSXZfdzRRN3Bsakg3eGplVXJSQUtpQkdIYXZTbU9ZeXlpUnVnYw",
"apv": "MlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMA",
"kid": "dvDd4h1rHj-onj-Xz9O1KRIgkMhh3u23d-94brHbBKo",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "_BVh0oInkDiqnTkHKLvNMa8cldr79TZS00MJCYwZo3Y"
}
},
"encrypted_key": "gacTLNP-U5mYAHJLG9F97R52aG244NfLeWg_Dj4Fy0C96oIIN-3psw"
},
{
"header": {
"alg": "ECDH-1PU+A256KW",
"apu": "WDVJTlNNSXZfdzRRN3Bsakg3eGplVXJSQUtpQkdIYXZTbU9ZeXlpUnVnYw",
"apv": "MlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMA",
"kid": "hj57wbrmOygTc_ktMPqKMHdiL85FdiGJa5DKzoLIzeU",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "alPo4cjEjondCmz8mw8tntYxlpGPSLaqe3SSI_wu11s"
}
},
"encrypted_key": "q2RpqrdZA9mvVBGTvMNHg3P6SysnuCpfraLWhRseiQ1ImJWdLq53TA"
}
],
"aad": "L-QV1cHI5u8U9BQa8_S4CFW-LhKNXHCjmqydtQYuSLw",
"iv": "J-OEJGFWvJ6rw9dX",
"ciphertext": "BvFi1vAzq0Uostj0_ms",
"tag": "C6itmqZ7ehMx9FF70fdGGQ"
}
1.2 Single Recipient JWEs¶
Packing a message with 1 recipient using the Flattened JWE JSON serialization and Compact JWE serialization formats as mentioned in the notes above.
1.2.1 NIST P-256 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
6PBTUbcLB7-Z4fuAFn42oC1PaMsNmjheq1FeZEUgV_8
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
D_kHovGtLUZ_ssw_vhZcqsx3LvQ6qC5JK74iPf9vqwk
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJObEJDVkZWaVkweENOeTFhTkdaMVFVWnVOREp2UXpGUVlVMXpUbTFxYUdWeE1VWmxXa1ZWWjFaZk9BIiwiYXB2IjoiUkY5clNHOTJSM1JNVlZwZmMzTjNYM1pvV21OeGMzZ3pUSFpSTm5GRE5VcExOelJwVUdZNWRuRjNhdyIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiUC0yNTYiLCJrdHkiOiJFQyIsIngiOiJzODRGczRGeWRfSEVFQUN2R3dHak0wWDdGYUNwTlZ5cS1tM19MYXVwT2gwIiwieSI6IndsZzZoQnVnZElWMFlaekh1NHNQRnM0OXRtMGtXQlZjenQ0N25IenZ5UU0ifSwia2lkIjoiRF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3ayIsInNraWQiOiI2UEJUVWJjTEI3LVo0ZnVBRm40Mm9DMVBhTXNObWpoZXExRmVaRVVnVl84IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9", "encrypted_key": "0L4GrPjXIy31JcEjV3sQj1Fbtb-dAtFPLng6mB0jyEyzDxzWcZZWag", "iv": "V26sXdaKTIo6SDMn", "ciphertext": "TJcEzgDbw5xDOMOwuuE", "tag": "vgtkaTIM407IG8ZqLLRk6Q" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJObEJDVkZWaVkweENOeTFhTkdaMVFVWnVOREp2UXpGUVlVMXpUbTFxYUdWeE1VWmxXa1ZWWjFaZk9BIiwiYXB2IjoiUkY5clNHOTJSM1JNVlZwZmMzTjNYM1pvV21OeGMzZ3pUSFpSTm5GRE5VcExOelJwVUdZNWRuRjNhdyIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTI1NiIsIngiOiJzODRGczRGeWRfSEVFQUN2R3dHak0wWDdGYUNwTlZ5cS1tM19MYXVwT2gwIiwieSI6IndsZzZoQnVnZElWMFlaekh1NHNQRnM0OXRtMGtXQlZjenQ0N25IenZ5UU0ifSwia2lkIjoiRF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3ayIsInNraWQiOiI2UEJUVWJjTEI3LVo0ZnVBRm40Mm9DMVBhTXNObWpoZXExRmVaRVVnVl84IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9.0L4GrPjXIy31JcEjV3sQj1Fbtb-dAtFPLng6mB0jyEyzDxzWcZZWag.V26sXdaKTIo6SDMn.TJcEzgDbw5xDOMOwuuE.vgtkaTIM407IG8ZqLLRk6Q
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+A256KW", "apu": "NlBCVFViY0xCNy1aNGZ1QUZuNDJvQzFQYU1zTm1qaGVxMUZlWkVVZ1ZfOA", "apv": "RF9rSG92R3RMVVpfc3N3X3ZoWmNxc3gzTHZRNnFDNUpLNzRpUGY5dnF3aw", "cty": "application/didcomm-plain+json", "enc": "A256GCM", "epk": { "kty": "EC", "crv": "P-256", "x": "s84Fs4Fyd_HEEACvGwGjM0X7FaCpNVyq-m3_LaupOh0", "y": "wlg6hBugdIV0YZzHu4sPFs49tm0kWBVczt47nHzvyQM" }, "kid": "D_kHovGtLUZ_ssw_vhZcqsx3LvQ6qC5JK74iPf9vqwk", "skid": "6PBTUbcLB7-Z4fuAFn42oC1PaMsNmjheq1FeZEUgV_8", "typ": "application/didcomm-encrypted+json" }
1.2.2 NIST P-384 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
0Bz8yRwu9eC8Gi7cYOwAKMJ8jysInhAtwH8k8m9MX04
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
obCHRLVDx634Cax_Kr3B8fd_-xj5kAj0r0Kvvvmq1z8
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJNRUo2T0hsU2QzVTVaVU00UjJrM1kxbFBkMEZMVFVvNGFubHpTVzVvUVhSM1NEaHJPRzA1VFZnd05BIiwiYXB2IjoiYjJKRFNGSk1Wa1I0TmpNMFEyRjRYMHR5TTBJNFptUmZMWGhxTld0QmFqQnlNRXQyZG5adGNURjZPQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiUC0zODQiLCJrdHkiOiJFQyIsIngiOiJvZ1dJTHo4aXpDODNWNnFPNFVidHlSMTFadGdtRUMxQV9VM1JtVVV4dk9INE9lVW9xbUxXX295YjJXek5NTTZtIiwieSI6ImNobkphdHpRREJodzhqem5McUFmYWx3eFB3RmFKZjhVY2FzbjlmUWZyeUVWQ2FnRnRBYTNIb1FaSUxoeGxYSWUifSwia2lkIjoib2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OCIsInNraWQiOiIwQno4eVJ3dTllQzhHaTdjWU93QUtNSjhqeXNJbmhBdHdIOGs4bTlNWDA0IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9", "encrypted_key": "ojdzwycN1XFKuiwOmlgS4MHApmDAVKVZt1Zl7sgtJkafQRz81FUnZQ", "iv": "VqEJ6p5J0ZTIw2ts", "ciphertext": "jGznTL6ruVMXzV8xCA8", "tag": "YA_A4pjqqaAeUNvEFnCx8Q" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJNRUo2T0hsU2QzVTVaVU00UjJrM1kxbFBkMEZMVFVvNGFubHpTVzVvUVhSM1NEaHJPRzA1VFZnd05BIiwiYXB2IjoiYjJKRFNGSk1Wa1I0TmpNMFEyRjRYMHR5TTBJNFptUmZMWGhxTld0QmFqQnlNRXQyZG5adGNURjZPQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTM4NCIsIngiOiJvZ1dJTHo4aXpDODNWNnFPNFVidHlSMTFadGdtRUMxQV9VM1JtVVV4dk9INE9lVW9xbUxXX295YjJXek5NTTZtIiwieSI6ImNobkphdHpRREJodzhqem5McUFmYWx3eFB3RmFKZjhVY2FzbjlmUWZyeUVWQ2FnRnRBYTNIb1FaSUxoeGxYSWUifSwia2lkIjoib2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OCIsInNraWQiOiIwQno4eVJ3dTllQzhHaTdjWU93QUtNSjhqeXNJbmhBdHdIOGs4bTlNWDA0IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9.ojdzwycN1XFKuiwOmlgS4MHApmDAVKVZt1Zl7sgtJkafQRz81FUnZQ.VqEJ6p5J0ZTIw2ts.jGznTL6ruVMXzV8xCA8.YA_A4pjqqaAeUNvEFnCx8Q
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+A256KW", "apu": "MEJ6OHlSd3U5ZUM4R2k3Y1lPd0FLTUo4anlzSW5oQXR3SDhrOG05TVgwNA", "apv": "b2JDSFJMVkR4NjM0Q2F4X0tyM0I4ZmRfLXhqNWtBajByMEt2dnZtcTF6OA", "cty": "application/didcomm-plain+json", "enc": "A256GCM", "epk": { "kty": "EC", "crv": "P-384", "x": "ogWILz8izC83V6qO4UbtyR11ZtgmEC1A_U3RmUUxvOH4OeUoqmLW_oyb2WzNMM6m", "y": "chnJatzQDBhw8jznLqAfalwxPwFaJf8Ucasn9fQfryEVCagFtAa3HoQZILhxlXIe" }, "kid": "obCHRLVDx634Cax_Kr3B8fd_-xj5kAj0r0Kvvvmq1z8", "skid": "0Bz8yRwu9eC8Gi7cYOwAKMJ8jysInhAtwH8k8m9MX04", "typ": "application/didcomm-encrypted+json" }
1.2.3 NIST P-521 key¶
- Sender key JWK format:
{ "kty": "EC", "crv": "P-521", "x": "AXKDGPnD6hlQIre8aEeu33bQffkfl-eQfQXgzNXQX7XFYt5GKA1N6w4-f0_Ci7fQNKGkQuCoAu5-6CNk9M_cHiDi", "y": "Ae4-APhoZAmM99MdY9io9IZA43dN7dA006wlFb6LJ9bcusJOi5R-o3o3FhCjt5KTv_JxYbo6KU4PsBwQ1eeKyJ0U", "d": "AP9l2wmQ85P5XD84CkEQVWHaX_46EDvHxLWHEKsHFSQYjEh6BDSuyy1TUNv68v8kpbLCDjvsBc3cIBqC4_T1r4pU" }
- Sender kid (jwk thumbprint raw base64 URL encoded):
oq-WBIGQm-iHiNRj6nId4-E1QtY8exzp8C56SziUfeU
- Single Recipient key JWK format:
{ "kty": "EC", "crv": "P-521", "x": "ALmUHkd9Gi2NApJojNzzA34Qdd1-KLnq6jd2UJ9wl-xJzTQ2leg8qi3-hrFs7NqNfxqO6vE5bBoWYFeAcf3LqJOU", "y": "AN-MutmkAXGzlgzSQJRnctHDcjQQNpRek-8BeqyUDXdZKNGKSMEAzw6Hnl3VdvsvihQfrxcajpx5PSnwxbbdakHq", "d": "AKv-YbKdI6y8NRMP-e17-RjZyRTfGf0Xh9Og5g7q7aq0xS2mO59ttIJ67XHW5SPTBQDbltdUcydKroWNUIGvhKNv" }
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
XmLVV-CqMkTGQIe6-KecWZWtZVwORTMP2y5aqMPV7P4
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJiM0V0VjBKSlIxRnRMV2xJYVU1U2FqWnVTV1EwTFVVeFVYUlpPR1Y0ZW5BNFF6VTJVM3BwVldabFZRIiwiYXB2IjoiV0cxTVZsWXRRM0ZOYTFSSFVVbGxOaTFMWldOWFdsZDBXbFozVDFKVVRWQXllVFZoY1UxUVZqZFFOQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiUC01MjEiLCJrdHkiOiJFQyIsIngiOiJBRHdFcDBlZWJseGZhZHdkVFBlTV81b29MZGdHaWhLM3Bqd3AxakxXWmdxLUJrRV9IZDhnZFQ4RThOSFVvWjRFeWVvbWVKX3J0WGFlVnlHdjdoVzBPb1MtIiwieSI6IkFaY0Zzemg3RUstZ2lGQXRIZ2hPQ21uR3NNN1QzSzFjeUhBV0NwYXBqd2ZEclJjYnE5THdhQjFyRVVOdDMyYndLdWNNNG9idldkSndxVGE3SGVZYlNVOHUifSwia2lkIjoiWG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNCIsInNraWQiOiJvcS1XQklHUW0taUhpTlJqNm5JZDQtRTFRdFk4ZXh6cDhDNTZTemlVZmVVIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9", "encrypted_key": "9OyKH83g7RoS-ykrAoQpqn6FUUuYxeKukJbk6y2x9wfoe__rM8sP4w", "iv": "JO2ENu2k2O1OFgjl", "ciphertext": "wpomqxgGqQIWQ_lWCm4", "tag": "XgUX1EOGAePvjlcO7Dzb3A" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJiM0V0VjBKSlIxRnRMV2xJYVU1U2FqWnVTV1EwTFVVeFVYUlpPR1Y0ZW5BNFF6VTJVM3BwVldabFZRIiwiYXB2IjoiV0cxTVZsWXRRM0ZOYTFSSFVVbGxOaTFMWldOWFdsZDBXbFozVDFKVVRWQXllVFZoY1UxUVZqZFFOQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBRHdFcDBlZWJseGZhZHdkVFBlTV81b29MZGdHaWhLM3Bqd3AxakxXWmdxLUJrRV9IZDhnZFQ4RThOSFVvWjRFeWVvbWVKX3J0WGFlVnlHdjdoVzBPb1MtIiwieSI6IkFaY0Zzemg3RUstZ2lGQXRIZ2hPQ21uR3NNN1QzSzFjeUhBV0NwYXBqd2ZEclJjYnE5THdhQjFyRVVOdDMyYndLdWNNNG9idldkSndxVGE3SGVZYlNVOHUifSwia2lkIjoiWG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNCIsInNraWQiOiJvcS1XQklHUW0taUhpTlJqNm5JZDQtRTFRdFk4ZXh6cDhDNTZTemlVZmVVIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9.9OyKH83g7RoS-ykrAoQpqn6FUUuYxeKukJbk6y2x9wfoe__rM8sP4w.JO2ENu2k2O1OFgjl.wpomqxgGqQIWQ_lWCm4.XgUX1EOGAePvjlcO7Dzb3A
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+A256KW", "apu": "b3EtV0JJR1FtLWlIaU5SajZuSWQ0LUUxUXRZOGV4enA4QzU2U3ppVWZlVQ", "apv": "WG1MVlYtQ3FNa1RHUUllNi1LZWNXWld0WlZ3T1JUTVAyeTVhcU1QVjdQNA", "cty": "application/didcomm-plain+json", "enc": "A256GCM", "epk": { "kty": "EC", "crv": "P-521", "x": "ADwEp0eeblxfadwdTPeM_5ooLdgGihK3pjwp1jLWZgq-BkE_Hd8gdT8E8NHUoZ4EyeomeJ_rtXaeVyGv7hW0OoS-", "y": "AZcFszh7EK-giFAtHghOCmnGsM7T3K1cyHAWCpapjwfDrRcbq9LwaB1rEUNt32bwKucM4obvWdJwqTa7HeYbSU8u" }, "kid": "XmLVV-CqMkTGQIe6-KecWZWtZVwORTMP2y5aqMPV7P4", "skid": "oq-WBIGQm-iHiNRj6nId4-E1QtY8exzp8C56SziUfeU", "typ": "application/didcomm-encrypted+json" }
1.2.4 X25519 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
X5INSMIv_w4Q7pljH7xjeUrRAKiBGHavSmOYyyiRugc
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
2UR-nzYjVhsq0cZakWjE38-wUdG0S2EIrLZ8Eh0KVO0
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJXRFZKVGxOTlNYWmZkelJSTjNCc2FrZzNlR3BsVlhKU1FVdHBRa2RJWVhaVGJVOVplWGxwVW5Wbll3IiwiYXB2IjoiTWxWU0xXNTZXV3BXYUhOeE1HTmFZV3RYYWtVek9DMTNWV1JITUZNeVJVbHlURm80Uldnd1MxWlBNQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiWDI1NTE5Iiwia3R5IjoiT0tQIiwieCI6InpxUDB0WHdqVVFxdnBvSVdqNS16U2Q0WVVZZjdmU2hta2dhR0dXRFFrbGsifSwia2lkIjoiMlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMCIsInNraWQiOiJYNUlOU01Jdl93NFE3cGxqSDd4amVVclJBS2lCR0hhdlNtT1l5eWlSdWdjIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9", "encrypted_key": "o_tprm3F-VJE2kHFrCBtgbCVDag0Y6AwLm1jD6S3MUS_rHphYy033w", "iv": "6GKRpv-Bs_2v_7a3", "ciphertext": "qlfWYkCE7zu-aRVP3R8", "tag": "oBDt6-tRYcLTMA7QhX0O2Q" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStBMjU2S1ciLCJhcHUiOiJXRFZKVGxOTlNYWmZkelJSTjNCc2FrZzNlR3BsVlhKU1FVdHBRa2RJWVhaVGJVOVplWGxwVW5Wbll3IiwiYXB2IjoiTWxWU0xXNTZXV3BXYUhOeE1HTmFZV3RYYWtVek9DMTNWV1JITUZNeVJVbHlURm80Uldnd1MxWlBNQSIsImN0eSI6ImFwcGxpY2F0aW9uL2RpZGNvbW0tcGxhaW4ranNvbiIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiT0tQIiwiY3J2IjoiWDI1NTE5IiwieCI6InpxUDB0WHdqVVFxdnBvSVdqNS16U2Q0WVVZZjdmU2hta2dhR0dXRFFrbGsifSwia2lkIjoiMlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMCIsInNraWQiOiJYNUlOU01Jdl93NFE3cGxqSDd4amVVclJBS2lCR0hhdlNtT1l5eWlSdWdjIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9.o_tprm3F-VJE2kHFrCBtgbCVDag0Y6AwLm1jD6S3MUS_rHphYy033w.6GKRpv-Bs_2v_7a3.qlfWYkCE7zu-aRVP3R8.oBDt6-tRYcLTMA7QhX0O2Q
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to:{ "alg": "ECDH-1PU+A256KW", "apu": "WDVJTlNNSXZfdzRRN3Bsakg3eGplVXJSQUtpQkdIYXZTbU9ZeXlpUnVnYw", "apv": "MlVSLW56WWpWaHNxMGNaYWtXakUzOC13VWRHMFMyRUlyTFo4RWgwS1ZPMA", "cty": "application/didcomm-plain+json", "enc": "A256GCM", "epk": { "kty": "OKP", "crv": "X25519", "x": "zqP0tXwjUQqvpoIWj5-zSd4YUYf7fShmkgaGGWDQklk" }, "kid": "2UR-nzYjVhsq0cZakWjE38-wUdG0S2EIrLZ8Eh0KVO0", "skid": "X5INSMIv_w4Q7pljH7xjeUrRAKiBGHavSmOYyyiRugc", "typ": "application/didcomm-encrypted+json" }
2 XC20P content encryption¶
2.1 Multi recipients JWEs¶
2.1.1 NIST P-256 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"XC20P","skid":"T1jGtZoU-Xa_5a1QKexUU0Jq9WKDtS7TCowVvjoFH04","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJUMWpHdFpvVS1YYV81YTFRS2V4VVUwSnE5V0tEdFM3VENvd1Z2am9GSDA0IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9
- Sender key JWK format:
{
"kty": "EC",
"crv": "P-256",
"x": "46OXm1dUTO3MB-8zoxbn-9dk0khgeIqsKFO-nTJ9keM",
"y": "8IlrwB-dl5bFd5RT4YAbgAdj5Y-a9zhc9wCMnXDZDvA",
"d": "58GZDz9_opy-nEeaJ_cyEL63TO-l063aV5nLADCgsGY"
}
T1jGtZoU-Xa_5a1QKexUU0Jq9WKDtS7TCowVvjoFH04
- Recipient 1 key JWK format:
{
"kty": "EC",
"crv": "P-256",
"x": "r9MRjEQ7CBxAgMyEG3ZjIlkGCuRX0rTaBdbkAcY17hA",
"y": "MRSgHQycDFPdSABGv5V0Qd-2q7ebs_x0_fNFyabGgXU",
"d": "LK9yfSxuET5n5uZDNO-64sJKWxJs7LTkqhA4mAuKQnE"
}
dmfXisqWjRT-tFpODOD-G0CBF6zjHywNUjrrD3IFmcs
- Recipient 2 key JWK format:
{
"kty": "EC",
"crv": "P-256",
"x": "PMhlaU_KNEWou004AEyAFoJi8vNOnY75ROiRzzjhDR0",
"y": "tEcJNRv2rqYlYWeRloRabcp2lRorRaZTLM0ZNBoEyN0",
"d": "t1-QysBdkbkpqEBDo_JPsi-6YqD24UoAGBrruI2XNhA"
}
2_Sf_YshIFhQ11NH9muAxLWwyFUvJnfXbYFOAC-8HTw
- Recipient 3 key JWK format:
{
"kty": "EC",
"crv": "P-256",
"x": "V9dWH69KZ_bvrxdWgt5-o-KnZLcGuWjAKVWMueiQioM",
"y": "lvsUBieuXV6qL4R3L94fCJGu8SDifqh3fAtN2plPWX4",
"d": "llg97kts4YxIF-r3jn7wcZ-zV0hLcn_AydIKHDF-HJc"
}
mKtrI7SV3z2U9XyhaaTYlQFX1ANi6Wkli8b3NWVq4C4
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): 2_Sf_YshIFhQ11NH9muAxLWwyFUvJnfXbYFOAC-8HTw.dmfXisqWjRT-tFpODOD-G0CBF6zjHywNUjrrD3IFmcs.mKtrI7SV3z2U9XyhaaTYlQFX1ANi6Wkli8b3NWVq4C4
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): PNKzNc6e0MtDtIGamjsx2fytSu6t8GygofQbzTrtMNA
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJUMWpHdFpvVS1YYV81YTFRS2V4VVUwSnE5V0tEdFM3VENvd1Z2am9GSDA0IiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "VDFqR3Rab1UtWGFfNWExUUtleFVVMEpxOVdLRHRTN1RDb3dWdmpvRkgwNA",
"apv": "ZG1mWGlzcVdqUlQtdEZwT0RPRC1HMENCRjZ6akh5d05VanJyRDNJRm1jcw",
"kid": "dmfXisqWjRT-tFpODOD-G0CBF6zjHywNUjrrD3IFmcs",
"epk": {
"kty": "EC",
"crv": "P-256",
"x": "80NGcUh0mIy_XrcaAqD7GCHF0FU2W5j4Jt-wfwxvJVs",
"y": "KpsNL9A-FGgL7S97ce8wcWYc9J1Q6_luxKAFIu7BNIw"
}
},
"encrypted_key": "wGQO8LX7o9JmYI0PIGUruU7i6ybZYefsTanZuo7hIDyn21ix6fSFPOmvgjPxZ8q_-hZF2yGYtudfLiuPzXlybWJkmTlP9PcY"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "VDFqR3Rab1UtWGFfNWExUUtleFVVMEpxOVdLRHRTN1RDb3dWdmpvRkgwNA",
"apv": "ZG1mWGlzcVdqUlQtdEZwT0RPRC1HMENCRjZ6akh5d05VanJyRDNJRm1jcw",
"kid": "2_Sf_YshIFhQ11NH9muAxLWwyFUvJnfXbYFOAC-8HTw",
"epk": {
"kty": "EC",
"crv": "P-256",
"x": "4YrbAQCLLya1XqRvjfcYdonllWQulrLP7zE0ooclKXA",
"y": "B3tI8lsWHRwBQ19pAFzXiBkLgpE6leTeQT6b709gllE"
}
},
"encrypted_key": "5tY3t1JI8L6s974kmXbzKMaePHygNan2Qqpd1B0BiqBsjaHNUH2Unv1IMGiT3oQD0xXeVPAxQq7vNZgANitxBbgG_uxGiRld"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "VDFqR3Rab1UtWGFfNWExUUtleFVVMEpxOVdLRHRTN1RDb3dWdmpvRkgwNA",
"apv": "ZG1mWGlzcVdqUlQtdEZwT0RPRC1HMENCRjZ6akh5d05VanJyRDNJRm1jcw",
"kid": "mKtrI7SV3z2U9XyhaaTYlQFX1ANi6Wkli8b3NWVq4C4",
"epk": {
"kty": "EC",
"crv": "P-256",
"x": "-e9kPGp2rmtpFs2zzTaY6xfeXjr1Xua1vHCQZRKJ54s",
"y": "Mc7b8U06KHV__1-XMaReilLxa63LcICqsPtkZGXEkEs"
}
},
"encrypted_key": "zVQUQytYv4EmQS0zye3IsXiN_2ol-Qn2nvyaJgEPvNdwFuzTFPOupTl-PeOhkRvxPfuLlw5TKnSRyPUejP8zyHbBgUZ6gDmz"
}
],
"aad": "PNKzNc6e0MtDtIGamjsx2fytSu6t8GygofQbzTrtMNA",
"iv": "UKgm1XTPf1QFDXoRWlf-KrsBRQKSwpBA",
"ciphertext": "pbwy8HEnr1hPA0Jt5ho",
"tag": "nUazXvxpMXGoL1__92CAyA"
}
2.1.2 NIST P-384 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"XC20P","skid":"xXdnS3M4Bb497A0ko9c6H0D4NNbj1XpwGr4Tk9Fcw7k","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJ4WGRuUzNNNEJiNDk3QTBrbzljNkgwRDROTmJqMVhwd0dyNFRrOUZjdzdrIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9
- Sender key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "bfuATmVQ_jxLIgfuhKNYrNRNu-VnK4FzTCCVRvycgekS8fIuC4rZS9uQi6Q2Ujwd",
"y": "XkVJ93cLKpeZeCMEOsHRKk4rse1zXpzY6yUibEtwZG9nFWF05Ro8OQs5fZVK2TWC",
"d": "OVzGxGyyaHGJpx1MoSwPjmWPas28sfq1tj7UkYFoK3ENsujmzUduAW6HwyaBlXRW"
}
xXdnS3M4Bb497A0ko9c6H0D4NNbj1XpwGr4Tk9Fcw7k
- Recipient 1 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "xhk5K7x4xw9OJpkFhmsY39jceQqx57psvcZstiNZmKbXD7kT9ajfGKFA6YA-ali5",
"y": "7Hj32-JDMNDYWRGy3f-0E9lbUGp6yURMaZ9M36Q_FPgljKgHa9i0Fn1ogr_zEmO3",
"d": "Pc3r6eg15XZeKgTDMPcGjf_SvImZxG4bDzgCh3QShClAwMdmoNbzPZGhBByNrlvO"
}
aIlhDTWJmT-_Atad5EBbvbZPkPnz2IYT85I6T44kcE4
- Recipient 2 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "wqW3DUkUAT0Cyk3hq0KVJbqtPSJOoqulp_Tqa29jBEPliIJ9rnq7cRkJyxArCYAj",
"y": "ZfBtdTTVRh9SeQDCwsgAo15cCX2I-7J6xdyxDPyH8LBhbUA_8npHvNquKGta9p8x",
"d": "krddjYsOD4YIIkNjWXTrYV9rOVlmLNaeoLHChJ5oUr4c21LHxGL4xTI1bEoXKgJ2"
}
02WdA5ip_Amam611KA6fdoTs533yZH-ovfpt8t9zVjg
- Recipient 3 key JWK format:
{
"kty": "EC",
"crv": "P-384",
"x": "If6iEafrkcL53mVYCbm5rmnwAw3kjb13gUjBoDePggO7xMiSFyej4wbTabdCyfbg",
"y": "nLX6lEce-9r19NA_nI5mGK3YFLiX9IYRgXZZCUd_Br91PaE8Mr1JR01utAPoGx36",
"d": "jriJKFpQfzJtOrp7PhGvH0osHJQJbZrAKjD95itivioVawzMz9wcI_h9VsFV3ff0"
}
zeqnfYLFWtnJ_e5npBs7CtM5KkToyyM9kCKIFlcyId0
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): 02WdA5ip_Amam611KA6fdoTs533yZH-ovfpt8t9zVjg.aIlhDTWJmT-_Atad5EBbvbZPkPnz2IYT85I6T44kcE4.zeqnfYLFWtnJ_e5npBs7CtM5KkToyyM9kCKIFlcyId0
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): CftHmHttuxR6mRrHe-zBXV2UEvL2wvZEt5yeFDhYSF8
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJ4WGRuUzNNNEJiNDk3QTBrbzljNkgwRDROTmJqMVhwd0dyNFRrOUZjdzdrIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "eFhkblMzTTRCYjQ5N0Ewa285YzZIMEQ0Tk5iajFYcHdHcjRUazlGY3c3aw",
"apv": "YUlsaERUV0ptVC1fQXRhZDVFQmJ2YlpQa1BuejJJWVQ4NUk2VDQ0a2NFNA",
"kid": "aIlhDTWJmT-_Atad5EBbvbZPkPnz2IYT85I6T44kcE4",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "k7SRlQ7EwCR8VZ-LF92zOgvpFDAed0mN3mmZeCHHDznZp5TLQShFT9TdnwgsvJFP",
"y": "ZHzkS9BD-I2DtNPhbXuTzf6vUnykdZPus9xZnRu1rWgxVtLQ8j-Jp4YoJgdQmcOu"
}
},
"encrypted_key": "BO597Rs1RU3ZU-WdzWPgRnPmRULcFBihZxE7Jvl3qw3VUmR5RUXY0Xy9k_dWRnuRCh9Yzxef7tXlqVMaL4KBCfaAbAEOReQw"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "eFhkblMzTTRCYjQ5N0Ewa285YzZIMEQ0Tk5iajFYcHdHcjRUazlGY3c3aw",
"apv": "YUlsaERUV0ptVC1fQXRhZDVFQmJ2YlpQa1BuejJJWVQ4NUk2VDQ0a2NFNA",
"kid": "02WdA5ip_Amam611KA6fdoTs533yZH-ovfpt8t9zVjg",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "QT9Q_zU9VE3K9r_50mKh7iG8SxYeXVvwnhykphMAk8akfnTeB7FIRC2MzFat9JMT",
"y": "3HeQPqQ_BS5vy2e2L7kgMhHNwNQ2K1pmL9LImrBg8XROuc9EaAGnFSQ439bZXg9y"
}
},
"encrypted_key": "oKVlxrYhp8Bvr6s6CW7DxTSCMIFMkqLjDP9sCIkLoetHlXM5Mngq46CUqHusKTceHdSOL8sGUbeSBo6lXRKArywtjiVVyStW"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "eFhkblMzTTRCYjQ5N0Ewa285YzZIMEQ0Tk5iajFYcHdHcjRUazlGY3c3aw",
"apv": "YUlsaERUV0ptVC1fQXRhZDVFQmJ2YlpQa1BuejJJWVQ4NUk2VDQ0a2NFNA",
"kid": "zeqnfYLFWtnJ_e5npBs7CtM5KkToyyM9kCKIFlcyId0",
"epk": {
"kty": "EC",
"crv": "P-384",
"x": "GGFw14WnABx5S__MLwjy7WPgmPzCNbygbJikSqwx1nQ7APAiIyLeiAeZnAFQSr8C",
"y": "Bjev4lkaRbd4Ery0vnO8Ox4QgIDGbuflmFq0HhL-QHIe3KhqxrqZqbQYGlDNudEv"
}
},
"encrypted_key": "S8vnyPjW_19Hws3-igk-cVTSqVTY0_D9SWahnYnWBFBqTdx0b0e8hf06Oiou31Ww-Y3p8Z3O_okqQGzZMWUMLSxUPeCR2ZWx"
}
],
"aad": "CftHmHttuxR6mRrHe-zBXV2UEvL2wvZEt5yeFDhYSF8",
"iv": "jTaCuNXs4QdX6HuWvl5AsqIEv4nh2JMP",
"ciphertext": "7y463zoRKgVfpKh3EBw",
"tag": "8YKdJpF2DnQQwEkBcbuEnw"
}
2.1.3 NIST P-521 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"XC20P","skid":"bq3OI5517dSIMeD9K3lTqvkvvkmsRtifD6tvjlrKYsU","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJicTNPSTU1MTdkU0lNZUQ5SzNsVHF2a3Z2a21zUnRpZkQ2dHZqbHJLWXNVIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9
- Sender key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "ACN9T83BbPNn1eRyo-TrL0GyC7kBNQvgUxk55fCeQKDSTVhbzCKia7WecCUshyEF-BOQbfEsOIUCq3g7xY3VEeth",
"y": "APDIfDv6abLQ-Zb_p8PxwJe1x3U0-PdgXLNbtS7evGuUROHt79SVkpfXcZ3UaEc6cMoFfd2oMvbmUjCMM4-Sgipn",
"d": "AXCGyR9uXY8vDr7D4HvMxep-d5biQzgHR6WsdOF4R5M9qYb8FhRIQCMbmDSZzCuqgGgXrPRMPm5-omvWVeYqwwa3"
}
bq3OI5517dSIMeD9K3lTqvkvvkmsRtifD6tvjlrKYsU
- Recipient 1 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "AZi-AxJkB09qw8dBnNrz53xM-wER0Y5IYXSEWSTtzI5Sdv_5XijQn9z-vGz1pMdww-C75GdpAzp2ghejZJSxbAd6",
"y": "AZzRvW8NBytGNbF3dyNOMHB0DHCOzGp8oYBv_ZCyJbQUUnq-TYX7j8-PlKe9Ce5acxZzrcUKVtJ4I8JgI5x9oXIW",
"d": "AHGOZNkAcQCdDZOpQRdbH-f89mpjY_kGmtEpTExd51CcRlHhXuuAr6jcgb8YStwy9FN7vCU1y5LnJfKhGUGrP2a4"
}
7icoqReWFlpF16dzZD3rBgK1cJ265WzfF9sJJXqOe0M
- Recipient 2 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "ASRvWU-d_XI2S1UQb7PoXIXTLXd8vgLmFb-9mmmIrzTMmIXFXpsDN9_1-Xg_r3qkEg-zBjTi327GIseWFGMa0Mrp",
"y": "AJ0VyjDn4Rn6SKamFms4593mW5K936d4Jr7-J5OjJqTZtS6APgNkrwFjhKPHQfg7o8T4pmX7vlfFY5Flx7IOYJuw",
"d": "ALzWMohuwSqkiqqEhijiBoH6kJ580Dtxe7CfgqEboc5DG0pMtAUf-a91VbmR1U8bQox-B4_YRXoFLRns2tI_wPYz"
}
BUEVQ3FlDsml4JYrLCwwsL5BUZt-hYwb2B0SoJ6dzHc
- Recipient 3 key JWK format:
{
"kty": "EC",
"crv": "P-521",
"x": "AB2ke_2nVg95OP3Xb4Fg0Gg4KgfZZf3wBEYoOlGhXmHNCj56G10vnOe1hGRKIoD-JkPWuulcUtsIUO7r3Rz2mLP0",
"y": "AJTaqfF8d4cFv_fP4Uoqq-uCCObmyPsD1CphbCuCZumarfzjA5SpAQCdfz3No4Nhn53OqdcTkm654Yvfj1vOp5t6",
"d": "Af6Ba1x6i6glhRcR2RmZMZJ5BJXibpMB0TqjY_2Fe2LekS9QQK21JtrF20dj_gahxcrnfcn8oJ2xCrEMKaexgcsb"
}
C9iN-jkTFBbTz3Yv3FquR3dAsHYnAIg1_hT0jsefLDE
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): 7icoqReWFlpF16dzZD3rBgK1cJ265WzfF9sJJXqOe0M.BUEVQ3FlDsml4JYrLCwwsL5BUZt-hYwb2B0SoJ6dzHc.C9iN-jkTFBbTz3Yv3FquR3dAsHYnAIg1_hT0jsefLDE
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): VBNrffp39h1F6sg0dzkArcd2WjpKeqEvqt6HNXaVfKU
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJicTNPSTU1MTdkU0lNZUQ5SzNsVHF2a3Z2a21zUnRpZkQ2dHZqbHJLWXNVIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "YnEzT0k1NTE3ZFNJTWVEOUszbFRxdmt2dmttc1J0aWZENnR2amxyS1lzVQ",
"apv": "N2ljb3FSZVdGbHBGMTZkelpEM3JCZ0sxY0oyNjVXemZGOXNKSlhxT2UwTQ",
"kid": "7icoqReWFlpF16dzZD3rBgK1cJ265WzfF9sJJXqOe0M",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "ABd71Xomy3mv-mkAipKb18UQ-1xXt7tGDDwf0k5fpLADg1qK--Jhn8TdzyjTuve7rJQrlCJH4GjuQjCWVs4T7J_T",
"y": "ANrWrk69QRi4cr8ZbU2vF_0jSjTIUn-fQCHJtxLg3uuvLtzGW7oIEkUFJq_sTZXL_gaPdFIWlI4aIjKRgzOUP_ze"
}
},
"encrypted_key": "lZa-4LTyaDP01wmN8bvoD69MLl3VY2H_wNaNJ7kYzTFExlgYTPNrFJ5XL6T_h1DUULX0TYJVxbIWQeJ_x_7i-xSv7-BHbFcm"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "YnEzT0k1NTE3ZFNJTWVEOUszbFRxdmt2dmttc1J0aWZENnR2amxyS1lzVQ",
"apv": "N2ljb3FSZVdGbHBGMTZkelpEM3JCZ0sxY0oyNjVXemZGOXNKSlhxT2UwTQ",
"kid": "BUEVQ3FlDsml4JYrLCwwsL5BUZt-hYwb2B0SoJ6dzHc",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "ALGN2OH1_DKtEZ-990uL1kzHYhYmZD-stOdL6_NMReCKEPZil7Z1tsq0g9l0HNi6DWuMjNyiJCfDd1erWpByFAOX",
"y": "AQgB2aE_3GltqbWzKbWbLa6Fdq6jO4A3LrYUnNDNIuHY6eRH9sRU0yWjmcmWCoukT98wksXJ3isHr9-NqFuZLehi"
}
},
"encrypted_key": "bybMPkSjuSz8lLAPFJHrxjl1buE8cfONEzvQ2U64h8L0QEZPLK_VewbXVflEPNrOo3oTWlI_878GIKvkxJ8cJOD6a0kZmr87"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "YnEzT0k1NTE3ZFNJTWVEOUszbFRxdmt2dmttc1J0aWZENnR2amxyS1lzVQ",
"apv": "N2ljb3FSZVdGbHBGMTZkelpEM3JCZ0sxY0oyNjVXemZGOXNKSlhxT2UwTQ",
"kid": "C9iN-jkTFBbTz3Yv3FquR3dAsHYnAIg1_hT0jsefLDE",
"epk": {
"kty": "EC",
"crv": "P-521",
"x": "AZKyI6Mg8OdKUYqo3xuKjHiVrlV56_qGBzdwr86QSnebq3Y69Z0qETiTumQv5J3ECmZzs4DiETryRuzdHc2RkKBZ",
"y": "ARJJT7MWjTWWB7leblQgg7PYn_0deScO7AATlcnukFsLbzly0LHs1msVXaerQUCHPg2t-sYGxDP7w0iaDHB8k3Tj"
}
},
"encrypted_key": "nMGoNk1brn9uO9hlSa7NwVgFUMXnxpKKPkuFHSE2aM_N8q8wJbVBLC9rJ9sPIiSU20tq2sJXaAcoMteajOX6wj_Hzl1uRT1e"
}
],
"aad": "VBNrffp39h1F6sg0dzkArcd2WjpKeqEvqt6HNXaVfKU",
"iv": "h0bbZygiAx9MMO2Huxym_QnwrXZHhdyQ",
"ciphertext": "LABYmf_sfPNGgls0wvk",
"tag": "z1rZOEgyryiW_3d5gxnMUQ"
}
2.1.4 X25519 keys¶
The packer generates the following protected headers that includes the skid:
- Generated protected headers: {"cty":"application/didcomm-plain+json","enc":"XC20P","skid":"j8E-tcw1Z_eOCoKEH-7a9T532r8zXfcavbPZlofN0Ek","typ":"application/didcomm-encrypted+json"}
- raw (no padding) base64URL encoded: eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJqOEUtdGN3MVpfZU9Db0tFSC03YTlUNTMycjh6WGZjYXZiUFpsb2ZOMEVrIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9
- Sender key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "g3Lpdd_DRgjK28qi0sR0-hI-zv7a1X52vpzKc6ZM1Qs",
"d": "cPU_Io7RRHNb_xkQ_D6u3ER4vSjvsILDCKwOj8kVHXQ"
}
j8E-tcw1Z_eOCoKEH-7a9T532r8zXfcavbPZlofN0Ek
- Recipient 1 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "VlhpUXj-oGs9ge-VLrmYF7Xuzy73YchIfckaYcQefBw",
"d": "QFHCCy0wzgJ_AlGMnjetTd0tnDaZ_7yqJODSV0d-kkg"
}
_DHSbVaMeZxriDJn5VoHXYXo6BJacwZx_fGIBfCiJ5c
- Recipient 2 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "y52sexwATOR5J5znNp94MFx19J0rkgzNyLESMVhkE2M",
"d": "6NwEk3_8lKOwLaZM2YkLdW9MF2zDqMjAx_G-uDoAAkw"
}
n2MxD23PaCkz7vptma_1j9X2JdUoCFLzrtYuDvOA0Kc
- Recipient 3 key JWK format:
{
"kty": "OKP",
"crv": "X25519",
"x": "BYL51mNvx1LKD2wDfga_7GZc0YYI82HhRmHtXfiz_ko",
"d": "MLd_nsRRb_CSzc6Ou8TZFm-A17ZpT1Aen6fIvC6ZuV8"
}
HHN2ZcES5ps7gCjK-06bCE4EjX_hh7nq2cWd-GfnI5s
- List of kids used for AAD for the above recipients (sorted kid
values joined with .
): HHN2ZcES5ps7gCjK-06bCE4EjX_hh7nq2cWd-GfnI5s._DHSbVaMeZxriDJn5VoHXYXo6BJacwZx_fGIBfCiJ5c.n2MxD23PaCkz7vptma_1j9X2JdUoCFLzrtYuDvOA0Kc
- Resulting AAD value (sha256 of above list raw, no padding, base64 URL encoded): K1oFStibrX4x6LplTB0-tO3cwGiZzMvG_6w0LfguVuI
- Finally, packing the payload outputs the following JWE (pretty printed for readability):
{
"protected": "eyJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsInNraWQiOiJqOEUtdGN3MVpfZU9Db0tFSC03YTlUNTMycjh6WGZjYXZiUFpsb2ZOMEVrIiwidHlwIjoiYXBwbGljYXRpb24vZGlkY29tbS1lbmNyeXB0ZWQranNvbiJ9",
"recipients": [
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "ajhFLXRjdzFaX2VPQ29LRUgtN2E5VDUzMnI4elhmY2F2YlBabG9mTjBFaw",
"apv": "X0RIU2JWYU1lWnhyaURKbjVWb0hYWVhvNkJKYWN3WnhfZkdJQmZDaUo1Yw",
"kid": "_DHSbVaMeZxriDJn5VoHXYXo6BJacwZx_fGIBfCiJ5c",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "77VAbpx5xn2iavmhzZATXwGnxjRyxjBbtNzojdWP7wo"
}
},
"encrypted_key": "dvBscDJj2H6kZJgfdqazZ9pXZxUzai-mcExsdr11-RNvxxPd4_Cy6rolLSsY6ugm1sCo9BgRhAW1e6vxgTnY3Ctv0_xZIhvr"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "ajhFLXRjdzFaX2VPQ29LRUgtN2E5VDUzMnI4elhmY2F2YlBabG9mTjBFaw",
"apv": "X0RIU2JWYU1lWnhyaURKbjVWb0hYWVhvNkJKYWN3WnhfZkdJQmZDaUo1Yw",
"kid": "n2MxD23PaCkz7vptma_1j9X2JdUoCFLzrtYuDvOA0Kc",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "sZtHwxjaS51BR2SBGC32jFvUgVlABZ7rkBFqJk8ktXM"
}
},
"encrypted_key": "2gIQKw_QpnfGbIOso_XesSGWC9ZKu4-ox1eqRu71aS-nBWAbFrdJPqSY7gzAOGUNqg_o6mC1q7coG69G9yen37DIjcoR6mD1"
},
{
"header": {
"alg": "ECDH-1PU+XC20PKW",
"apu": "ajhFLXRjdzFaX2VPQ29LRUgtN2E5VDUzMnI4elhmY2F2YlBabG9mTjBFaw",
"apv": "X0RIU2JWYU1lWnhyaURKbjVWb0hYWVhvNkJKYWN3WnhfZkdJQmZDaUo1Yw",
"kid": "HHN2ZcES5ps7gCjK-06bCE4EjX_hh7nq2cWd-GfnI5s",
"epk": {
"kty": "OKP",
"crv": "X25519",
"x": "48AJF8kNoxfHXpUtBApRMUcTf8B0Ho4i_6CvGT4arGY"
}
},
"encrypted_key": "o_toInYq_NP45UqqFg461O6ruUNSQNKrBXRDA06JQ-faMUUfMGRtzNHK-FzrhtodZLW5bRFFFry9aFjwg5aYloe2JG9-fEcw"
}
],
"aad": "K1oFStibrX4x6LplTB0-tO3cwGiZzMvG_6w0LfguVuI",
"iv": "tcThx2bVV8jhteYknijC-vxSED_BKPF8",
"ciphertext": "DUZLQAnWzApBFdwlZDg",
"tag": "YLuHzCD4xSTDxe_0AWukyw"
}
2.2 Single Recipient JWEs¶
Packing a message with 1 recipient using the Flattened JWE JSON serialization and the Compact JWE serialization formats as mentioned in the notes above.
2.2.1 NIST P-256 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
T1jGtZoU-Xa_5a1QKexUU0Jq9WKDtS7TCowVvjoFH04
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
dmfXisqWjRT-tFpODOD-G0CBF6zjHywNUjrrD3IFmcs
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiVkRGcVIzUmFiMVV0V0dGZk5XRXhVVXRsZUZWVk1FcHhPVmRMUkhSVE4xUkRiM2RXZG1wdlJrZ3dOQSIsImFwdiI6IlpHMW1XR2x6Y1ZkcVVsUXRkRVp3VDBSUFJDMUhNRU5DUmpaNmFraDVkMDVWYW5KeVJETkpSbTFqY3ciLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6Ik5ZM3Zra04wYTFPRTBuZk1UaDR4U25IU1A2c0VianYycWp5T3J6Rm9TNnMiLCJ5IjoibUhOdnZYUmVmV0lHcU4zTC1ZWnctdElMTXZlUURWcEEzSk55V20tR21HUSJ9LCJraWQiOiJkbWZYaXNxV2pSVC10RnBPRE9ELUcwQ0JGNnpqSHl3TlVqcnJEM0lGbWNzIiwic2tpZCI6IlQxakd0Wm9VLVhhXzVhMVFLZXhVVTBKcTlXS0R0UzdUQ293VnZqb0ZIMDQiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0", "encrypted_key": "dXV4byLXvAHCGKSNqOT87cOwTmdlhn9665LvwXre0BJqSectrLZVQZ4udqKCccgdZAGwmIct5T-uwGYz_tLkOUQBbTXBxHDt", "iv": "ULEzDlTLgPXfS3a-SfspZmD02o53DfTB", "ciphertext": "8Z4TLHADLiuHmQEFMrU", "tag": "oJgQoovq__wSPgzco1udpA" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiVkRGcVIzUmFiMVV0V0dGZk5XRXhVVXRsZUZWVk1FcHhPVmRMUkhSVE4xUkRiM2RXZG1wdlJrZ3dOQSIsImFwdiI6IlpHMW1XR2x6Y1ZkcVVsUXRkRVp3VDBSUFJDMUhNRU5DUmpaNmFraDVkMDVWYW5KeVJETkpSbTFqY3ciLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik5ZM3Zra04wYTFPRTBuZk1UaDR4U25IU1A2c0VianYycWp5T3J6Rm9TNnMiLCJ5IjoibUhOdnZYUmVmV0lHcU4zTC1ZWnctdElMTXZlUURWcEEzSk55V20tR21HUSJ9LCJraWQiOiJkbWZYaXNxV2pSVC10RnBPRE9ELUcwQ0JGNnpqSHl3TlVqcnJEM0lGbWNzIiwic2tpZCI6IlQxakd0Wm9VLVhhXzVhMVFLZXhVVTBKcTlXS0R0UzdUQ293VnZqb0ZIMDQiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0.dXV4byLXvAHCGKSNqOT87cOwTmdlhn9665LvwXre0BJqSectrLZVQZ4udqKCccgdZAGwmIct5T-uwGYz_tLkOUQBbTXBxHDt.ULEzDlTLgPXfS3a-SfspZmD02o53DfTB.8Z4TLHADLiuHmQEFMrU.oJgQoovq__wSPgzco1udpA
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+XC20PKW", "apu": "VDFqR3Rab1UtWGFfNWExUUtleFVVMEpxOVdLRHRTN1RDb3dWdmpvRkgwNA", "apv": "ZG1mWGlzcVdqUlQtdEZwT0RPRC1HMENCRjZ6akh5d05VanJyRDNJRm1jcw", "cty": "application/didcomm-plain+json", "enc": "XC20P", "epk": { "kty": "EC", "crv": "P-256", "x": "NY3vkkN0a1OE0nfMTh4xSnHSP6sEbjv2qjyOrzFoS6s", "y": "mHNvvXRefWIGqN3L-YZw-tILMveQDVpA3JNyWm-GmGQ" }, "kid": "dmfXisqWjRT-tFpODOD-G0CBF6zjHywNUjrrD3IFmcs", "skid": "T1jGtZoU-Xa_5a1QKexUU0Jq9WKDtS7TCowVvjoFH04", "typ": "application/didcomm-encrypted+json" }
2.2.2 NIST P-384 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
xXdnS3M4Bb497A0ko9c6H0D4NNbj1XpwGr4Tk9Fcw7k
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
aIlhDTWJmT-_Atad5EBbvbZPkPnz2IYT85I6T44kcE4
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiZUZoa2JsTXpUVFJDWWpRNU4wRXdhMjg1WXpaSU1FUTBUazVpYWpGWWNIZEhjalJVYXpsR1kzYzNhdyIsImFwdiI6IllVbHNhRVJVVjBwdFZDMWZRWFJoWkRWRlFtSjJZbHBRYTFCdWVqSkpXVlE0TlVrMlZEUTBhMk5GTkEiLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJjcnYiOiJQLTM4NCIsImt0eSI6IkVDIiwieCI6Inp1TjJhYTZBdmRHVVdjaHNyMTdBMENvOWFmcnlnRll6TjRxZlM0dnlNS05BTF83dVVhR1d2ZVBMNkpoc25MMnYiLCJ5IjoiZTJva1U5VWUzbE9CUWxEZnFVczE5NjFQU2tMTkg1d3U1V2NRd2ZuYzdEdmhsU2tXSU9iQWpoekhoVUVZUjRBZSJ9LCJraWQiOiJhSWxoRFRXSm1ULV9BdGFkNUVCYnZiWlBrUG56MklZVDg1STZUNDRrY0U0Iiwic2tpZCI6InhYZG5TM000QmI0OTdBMGtvOWM2SDBENE5OYmoxWHB3R3I0VGs5RmN3N2siLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0", "encrypted_key": "9bCR6CdqKSRLCFf_vShRhub1pNwoPRypHEqEMfamxy4ZcSp7y8SULzTs2rMmnBt8iJn1PiaBEYbsjsOgzgYamXQ-3OQeIg5z", "iv": "ryiQAsZiEVcDqJb1jQpG9nQ0p50cXJSM", "ciphertext": "xQiyTPTrLUFvTeVn9CI", "tag": "b65D-L5AybH327bWsEIRUg" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiZUZoa2JsTXpUVFJDWWpRNU4wRXdhMjg1WXpaSU1FUTBUazVpYWpGWWNIZEhjalJVYXpsR1kzYzNhdyIsImFwdiI6IllVbHNhRVJVVjBwdFZDMWZRWFJoWkRWRlFtSjJZbHBRYTFCdWVqSkpXVlE0TlVrMlZEUTBhMk5GTkEiLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMzg0IiwieCI6Inp1TjJhYTZBdmRHVVdjaHNyMTdBMENvOWFmcnlnRll6TjRxZlM0dnlNS05BTF83dVVhR1d2ZVBMNkpoc25MMnYiLCJ5IjoiZTJva1U5VWUzbE9CUWxEZnFVczE5NjFQU2tMTkg1d3U1V2NRd2ZuYzdEdmhsU2tXSU9iQWpoekhoVUVZUjRBZSJ9LCJraWQiOiJhSWxoRFRXSm1ULV9BdGFkNUVCYnZiWlBrUG56MklZVDg1STZUNDRrY0U0Iiwic2tpZCI6InhYZG5TM000QmI0OTdBMGtvOWM2SDBENE5OYmoxWHB3R3I0VGs5RmN3N2siLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0.9bCR6CdqKSRLCFf_vShRhub1pNwoPRypHEqEMfamxy4ZcSp7y8SULzTs2rMmnBt8iJn1PiaBEYbsjsOgzgYamXQ-3OQeIg5z.ryiQAsZiEVcDqJb1jQpG9nQ0p50cXJSM.xQiyTPTrLUFvTeVn9CI.b65D-L5AybH327bWsEIRUg
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+XC20PKW", "apu": "eFhkblMzTTRCYjQ5N0Ewa285YzZIMEQ0Tk5iajFYcHdHcjRUazlGY3c3aw", "apv": "YUlsaERUV0ptVC1fQXRhZDVFQmJ2YlpQa1BuejJJWVQ4NUk2VDQ0a2NFNA", "cty": "application/didcomm-plain+json", "enc": "XC20P", "epk": { "kty": "EC", "crv": "P-384", "x": "zuN2aa6AvdGUWchsr17A0Co9afrygFYzN4qfS4vyMKNAL_7uUaGWvePL6JhsnL2v", "y": "e2okU9Ue3lOBQlDfqUs1961PSkLNH5wu5WcQwfnc7DvhlSkWIObAjhzHhUEYR4Ae" }, "kid": "aIlhDTWJmT-_Atad5EBbvbZPkPnz2IYT85I6T44kcE4", "skid": "xXdnS3M4Bb497A0ko9c6H0D4NNbj1XpwGr4Tk9Fcw7k", "typ": "application/didcomm-encrypted+json" }
2.2.3 NIST P-521 key¶
- Sender key JWK format:
{ "kty": "EC", "crv": "P-521", "x": "ACN9T83BbPNn1eRyo-TrL0GyC7kBNQvgUxk55fCeQKDSTVhbzCKia7WecCUshyEF-BOQbfEsOIUCq3g7xY3VEeth", "y": "APDIfDv6abLQ-Zb_p8PxwJe1x3U0-PdgXLNbtS7evGuUROHt79SVkpfXcZ3UaEc6cMoFfd2oMvbmUjCMM4-Sgipn", "d": "AXCGyR9uXY8vDr7D4HvMxep-d5biQzgHR6WsdOF4R5M9qYb8FhRIQCMbmDSZzCuqgGgXrPRMPm5-omvWVeYqwwa3" }
- Sender kid (jwk thumbprint raw base64 URL encoded):
bq3OI5517dSIMeD9K3lTqvkvvkmsRtifD6tvjlrKYsU
- Single Recipient key JWK format:
{ "kty": "EC", "crv": "P-521", "x": "AZi-AxJkB09qw8dBnNrz53xM-wER0Y5IYXSEWSTtzI5Sdv_5XijQn9z-vGz1pMdww-C75GdpAzp2ghejZJSxbAd6", "y": "AZzRvW8NBytGNbF3dyNOMHB0DHCOzGp8oYBv_ZCyJbQUUnq-TYX7j8-PlKe9Ce5acxZzrcUKVtJ4I8JgI5x9oXIW", "d": "AHGOZNkAcQCdDZOpQRdbH-f89mpjY_kGmtEpTExd51CcRlHhXuuAr6jcgb8YStwy9FN7vCU1y5LnJfKhGUGrP2a4" }
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
7icoqReWFlpF16dzZD3rBgK1cJ265WzfF9sJJXqOe0M
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiWW5FelQwazFOVEUzWkZOSlRXVkVPVXN6YkZSeGRtdDJkbXR0YzFKMGFXWkVOblIyYW14eVMxbHpWUSIsImFwdiI6Ik4ybGpiM0ZTWlZkR2JIQkdNVFprZWxwRU0zSkNaMHN4WTBveU5qVlhlbVpHT1hOS1NsaHhUMlV3VFEiLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJjcnYiOiJQLTUyMSIsImt0eSI6IkVDIiwieCI6IkFJemJtMzBZRGVIV21sXy1zeHE2c2NHbEdDS3ZuRmttR2pkc1hKOXN6bm5JQzFMSndvc1hqYmRRd29EX2NjbmtkcUtpaU4tNVVFZGtPTEZldDdXbG83bC0iLCJ5IjoiQVdDendGVjJtUFdYMnpaZzN0SHRpVE11SlhGaEtucWhUT0hPWXBzRF9uRlhGRFhrTlRyd0QyblpVNi1hU2g5Q0NLajF2N0x5VlJ0UE0ybzM5bkt3WEhXWiJ9LCJraWQiOiI3aWNvcVJlV0ZscEYxNmR6WkQzckJnSzFjSjI2NVd6ZkY5c0pKWHFPZTBNIiwic2tpZCI6ImJxM09JNTUxN2RTSU1lRDlLM2xUcXZrdnZrbXNSdGlmRDZ0dmpscktZc1UiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0", "encrypted_key": "-cL11h9eF6CRycMYxvJ6Ksmlf-97Vg2s_ziVnFF5RueiGrvKFmgQp09GIyxrMdTG2so6IRmifOlpwF0YPuzyThhmxToTyfpr", "iv": "Q0sk9bMraCAJhZyFi3sOAYMoTac4ZuGj", "ciphertext": "O6OlFqFMz587083_OMU", "tag": "TyXZ30wpVZ6nmj16evdBnA" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiWW5FelQwazFOVEUzWkZOSlRXVkVPVXN6YkZSeGRtdDJkbXR0YzFKMGFXWkVOblIyYW14eVMxbHpWUSIsImFwdiI6Ik4ybGpiM0ZTWlZkR2JIQkdNVFprZWxwRU0zSkNaMHN4WTBveU5qVlhlbVpHT1hOS1NsaHhUMlV3VFEiLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtNTIxIiwieCI6IkFJemJtMzBZRGVIV21sXy1zeHE2c2NHbEdDS3ZuRmttR2pkc1hKOXN6bm5JQzFMSndvc1hqYmRRd29EX2NjbmtkcUtpaU4tNVVFZGtPTEZldDdXbG83bC0iLCJ5IjoiQVdDendGVjJtUFdYMnpaZzN0SHRpVE11SlhGaEtucWhUT0hPWXBzRF9uRlhGRFhrTlRyd0QyblpVNi1hU2g5Q0NLajF2N0x5VlJ0UE0ybzM5bkt3WEhXWiJ9LCJraWQiOiI3aWNvcVJlV0ZscEYxNmR6WkQzckJnSzFjSjI2NVd6ZkY5c0pKWHFPZTBNIiwic2tpZCI6ImJxM09JNTUxN2RTSU1lRDlLM2xUcXZrdnZrbXNSdGlmRDZ0dmpscktZc1UiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0.-cL11h9eF6CRycMYxvJ6Ksmlf-97Vg2s_ziVnFF5RueiGrvKFmgQp09GIyxrMdTG2so6IRmifOlpwF0YPuzyThhmxToTyfpr.Q0sk9bMraCAJhZyFi3sOAYMoTac4ZuGj.O6OlFqFMz587083_OMU.TyXZ30wpVZ6nmj16evdBnA
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+XC20PKW", "apu": "YnEzT0k1NTE3ZFNJTWVEOUszbFRxdmt2dmttc1J0aWZENnR2amxyS1lzVQ", "apv": "N2ljb3FSZVdGbHBGMTZkelpEM3JCZ0sxY0oyNjVXemZGOXNKSlhxT2UwTQ", "cty": "application/didcomm-plain+json", "enc": "XC20P", "epk": { "kty": "EC", "crv": "P-521", "x": "AIzbm30YDeHWml_-sxq6scGlGCKvnFkmGjdsXJ9sznnIC1LJwosXjbdQwoD_ccnkdqKiiN-5UEdkOLFet7Wlo7l-", "y": "AWCzwFV2mPWX2zZg3tHtiTMuJXFhKnqhTOHOYpsD_nFXFDXkNTrwD2nZU6-aSh9CCKj1v7LyVRtPM2o39nKwXHWZ" }, "kid": "7icoqReWFlpF16dzZD3rBgK1cJ265WzfF9sJJXqOe0M", "skid": "bq3OI5517dSIMeD9K3lTqvkvvkmsRtifD6tvjlrKYsU", "typ": "application/didcomm-encrypted+json" }
2.2.4 X25519 key¶
- Sender key JWK format:
- Sender kid (jwk thumbprint raw base64 URL encoded):
j8E-tcw1Z_eOCoKEH-7a9T532r8zXfcavbPZlofN0Ek
- Single Recipient key JWK format:
- Single Recipient kid (jwk thumbprint raw base64 URL encoded):
_DHSbVaMeZxriDJn5VoHXYXo6BJacwZx_fGIBfCiJ5c
- Finally, packing the payload outputs the following flattened serialized JWE JSON:
{ "protected": "eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiYWpoRkxYUmpkekZhWDJWUFEyOUxSVWd0TjJFNVZEVXpNbkk0ZWxobVkyRjJZbEJhYkc5bVRqQkZhdyIsImFwdiI6IlgwUklVMkpXWVUxbFduaHlhVVJLYmpWV2IwaFlXVmh2TmtKS1lXTjNXbmhmWmtkSlFtWkRhVW8xWXciLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJjcnYiOiJYMjU1MTkiLCJrdHkiOiJPS1AiLCJ4IjoiWmdZTkJwcDlRZkZMZFpBT05LaUYxWGdRTkZCdW4tdkx4V25TeTF3ZDRRdyJ9LCJraWQiOiJfREhTYlZhTWVaeHJpREpuNVZvSFhZWG82QkphY3daeF9mR0lCZkNpSjVjIiwic2tpZCI6Imo4RS10Y3cxWl9lT0NvS0VILTdhOVQ1MzJyOHpYZmNhdmJQWmxvZk4wRWsiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0", "encrypted_key": "6AxohV0ygxzRGGxqKIMovkJf7rCyE1ymbVzxqVEVpioySTzd4Ociy8yTa4uo-wlVCFaKVxitFgD3bgtuidOw5J8r-CXjR42D", "iv": "AEv2DrMR4rMV8preS0zndED_u11QNnQx", "ciphertext": "c_RTSoNM5hFpOr3lEFU", "tag": "m9GKNsP05SKYS9qdTvnsfA" }
- The compact serialization of this envelope is:
eyJhbGciOiJFQ0RILTFQVStYQzIwUEtXIiwiYXB1IjoiYWpoRkxYUmpkekZhWDJWUFEyOUxSVWd0TjJFNVZEVXpNbkk0ZWxobVkyRjJZbEJhYkc5bVRqQkZhdyIsImFwdiI6IlgwUklVMkpXWVUxbFduaHlhVVJLYmpWV2IwaFlXVmh2TmtKS1lXTjNXbmhmWmtkSlFtWkRhVW8xWXciLCJjdHkiOiJhcHBsaWNhdGlvbi9kaWRjb21tLXBsYWluK2pzb24iLCJlbmMiOiJYQzIwUCIsImVwayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJYMjU1MTkiLCJ4IjoiWmdZTkJwcDlRZkZMZFpBT05LaUYxWGdRTkZCdW4tdkx4V25TeTF3ZDRRdyJ9LCJraWQiOiJfREhTYlZhTWVaeHJpREpuNVZvSFhZWG82QkphY3daeF9mR0lCZkNpSjVjIiwic2tpZCI6Imo4RS10Y3cxWl9lT0NvS0VILTdhOVQ1MzJyOHpYZmNhdmJQWmxvZk4wRWsiLCJ0eXAiOiJhcHBsaWNhdGlvbi9kaWRjb21tLWVuY3J5cHRlZCtqc29uIn0.6AxohV0ygxzRGGxqKIMovkJf7rCyE1ymbVzxqVEVpioySTzd4Ociy8yTa4uo-wlVCFaKVxitFgD3bgtuidOw5J8r-CXjR42D.AEv2DrMR4rMV8preS0zndED_u11QNnQx.c_RTSoNM5hFpOr3lEFU.m9GKNsP05SKYS9qdTvnsfA
- The single recipient's headers are merged into the
protected
header, which base64 URL decoded equals to (pretty printed for readability):{ "alg": "ECDH-1PU+XC20PKW", "apu": "ajhFLXRjdzFaX2VPQ29LRUgtN2E5VDUzMnI4elhmY2F2YlBabG9mTjBFaw", "apv": "X0RIU2JWYU1lWnhyaURKbjVWb0hYWVhvNkJKYWN3WnhfZkdJQmZDaUo1Yw", "cty": "application/didcomm-plain+json", "enc": "XC20P", "epk": { "kty": "OKP", "crv": "X25519", "x": "ZgYNBpp9QfFLdZAONKiF1XgQNFBun-vLxWnSy1wd4Qw" }, "kid": "_DHSbVaMeZxriDJn5VoHXYXo6BJacwZx_fGIBfCiJ5c", "skid": "j8E-tcw1Z_eOCoKEH-7a9T532r8zXfcavbPZlofN0Ek", "typ": "application/didcomm-encrypted+json" }