
added JWE decryption helper

Sebastian Stenzel 3 năm trước cách đây
mục cha
commit
0110e5bedd

+ 6 - 1
pom.xml

@@ -27,7 +27,7 @@
 		<nonModularGroupIds>com.github.serceman,com.github.jnr,org.ow2.asm,net.java.dev.jna,org.apache.jackrabbit,org.apache.httpcomponents,de.swiesend,org.purejava,com.github.hypfvieh</nonModularGroupIds>
 
 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptolib.version>2.1.0-beta2</cryptomator.cryptolib.version>
+		<cryptomator.cryptolib.version>2.1.0-beta3</cryptomator.cryptolib.version>
 		<cryptomator.cryptofs.version>2.2.0</cryptomator.cryptofs.version>
 		<cryptomator.integrations.version>1.0.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.0.0</cryptomator.integrations.win.version>
@@ -157,6 +157,11 @@
 			<artifactId>java-jwt</artifactId>
 			<version>${jwt.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>nimbus-jose-jwt</artifactId>
+			<version>9.15.2</version>
+		</dependency>
 
 		<!-- EasyBind -->
 		<dependency>
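Review bot: The new nimbus-jose-jwt entry in the second hunk pins its version inline as `<version>9.15.2</version>`, while the java-jwt entry right above it resolves `${jwt.version}` and the first hunk shows the cryptomator versions all kept as properties. Moving the version into a property in that properties block (e.g. a `nimbus.jose.version` entry, name to be chosen by the maintainers) and referencing it here would keep the dependency versions in one place and make the next bump a one-line change. The same version string is repeated in THIRD-PARTY.txt in this commit, which is a second place that drifts if only one is updated.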

+ 1 - 0
src/main/java/module-info.java

@@ -35,6 +35,7 @@ module org.cryptomator.desktop {
 	requires static javax.inject; /* ugly dagger/guava crap */
 	requires logback.classic;
 	requires logback.core;
+	requires com.nimbusds.jose.jwt;
 
 	uses AutoStartProvider;
 	uses KeychainAccessProvider;

+ 55 - 0
src/main/java/org/cryptomator/ui/keyloading/hub/JWEHelper.java

@@ -0,0 +1,55 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import com.google.common.base.Preconditions;
+import com.google.common.io.BaseEncoding;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEObject;
+import com.nimbusds.jose.crypto.ECDHDecrypter;
+import org.cryptomator.cryptolib.api.Masterkey;
+import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.interfaces.ECPrivateKey;
+import java.util.Arrays;
+
+class JWEHelper {
+
+	private static final Logger LOG = LoggerFactory.getLogger(JWEHelper.class);
+	private static final String JWE_PAYLOAD_MASTERKEY_FIELD = "key";
+
+	private JWEHelper(){}
+
+	public static Masterkey decrypt(JWEObject jwe, ECPrivateKey privateKey) throws MasterkeyLoadingFailedException {
+		try {
+			jwe.decrypt(new ECDHDecrypter(privateKey));
+			return readKey(jwe);
+		} catch (JOSEException e) {
+			LOG.warn("Failed to decrypt JWE: {}", jwe);
+			throw new MasterkeyLoadingFailedException("Failed to decrypt JWE", e);
+		}
+	}
+
+	private static Masterkey readKey(JWEObject jwe) throws MasterkeyLoadingFailedException {
+		Preconditions.checkArgument(jwe.getState() == JWEObject.State.DECRYPTED);
+		var fields = jwe.getPayload().toJSONObject();
+		if (fields == null) {
+			LOG.error("Expected JWE payload to be JSON: {}", jwe.getPayload());
+			throw new MasterkeyLoadingFailedException("Expected JWE payload to be JSON");
+		}
+		var keyBytes = new byte[0];
+		try {
+			if (fields.get(JWE_PAYLOAD_MASTERKEY_FIELD) instanceof String key) {
+				keyBytes = BaseEncoding.base64().decode(key);
+				return new Masterkey(keyBytes);
+			} else {
+				throw new IllegalArgumentException("JWE payload doesn't contain field " + JWE_PAYLOAD_MASTERKEY_FIELD);
+			}
+		} catch (IllegalArgumentException e) {
+			LOG.error("Unexpected JWE payload: {}", jwe.getPayload());
+			throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
+		} finally {
+			Arrays.fill(keyBytes, (byte) 0x00);
+		}
+	}
+}
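Review bot: Both error branches of readKey log `jwe.getPayload()` at ERROR level after the JWE has been decrypted, so a payload that is not JSON, or one whose `key` field is a malformed base64 string, is written to the log together with whatever key material it contains; the payload should be dropped from both messages, e.g. `LOG.error("Expected JWE payload to be JSON");` and `LOG.error("Unexpected JWE payload");`. The warn in decrypt prints the whole `JWEObject` as well, which is the full token rather than a useful diagnostic, and `LOG.warn("Failed to decrypt JWE")` with the exception cause already attached to the thrown MasterkeyLoadingFailedException would be enough. The `Arrays.fill` in the finally block zeroes only the local `keyBytes` copy; the decrypted payload stays referenced by the caller's `JWEObject` after the method returns, and the zeroing is only effective if the `Masterkey` constructor copies the array rather than retaining it — worth confirming against cryptolib and noting in a comment on the return line.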

+ 3 - 1
src/main/resources/license/THIRD-PARTY.txt

@@ -11,16 +11,18 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Cryptomator uses 43 third-party dependencies under the following licenses:
+Cryptomator uses 45 third-party dependencies under the following licenses:
         Apache License v2.0:
 			- jffi (com.github.jnr:jffi:1.3.5 - http://github.com/jnr/jffi)
 			- jnr-a64asm (com.github.jnr:jnr-a64asm:1.0.0 - http://nexus.sonatype.org/oss-repository-hosting.html/jnr-a64asm)
 			- jnr-constants (com.github.jnr:jnr-constants:0.10.2 - http://github.com/jnr/jnr-constants)
 			- jnr-ffi (com.github.jnr:jnr-ffi:2.2.7 - http://github.com/jnr/jnr-ffi)
+			- JCIP Annotations under Apache License (com.github.stephenc.jcip:jcip-annotations:1.0-1 - http://stephenc.github.com/jcip-annotations)
 			- Gson (com.google.code.gson:gson:2.8.8 - https://github.com/google/gson/gson)
 			- Dagger (com.google.dagger:dagger:2.39 - https://github.com/google/dagger)
 			- Guava InternalFutureFailureAccess and InternalFutures (com.google.guava:failureaccess:1.0.1 - https://github.com/google/guava/failureaccess)
 			- Guava: Google Core Libraries for Java (com.google.guava:guava:31.0-jre - https://github.com/google/guava)
+			- Nimbus JOSE+JWT (com.nimbusds:nimbus-jose-jwt:9.15.2 - https://bitbucket.org/connect2id/nimbus-jose-jwt)
 			- Apache Commons CLI (commons-cli:commons-cli:1.4 - http://commons.apache.org/proper/commons-cli/)
 			- javax.inject (javax.inject:javax.inject:1 - http://code.google.com/p/atinject/)
 			- Apache Commons Lang (org.apache.commons:commons-lang3:3.12.0 - https://commons.apache.org/proper/commons-lang/)

+ 56 - 0
src/test/java/org/cryptomator/ui/keyloading/hub/JWEHelperTest.java