Posted to commits@cxf.apache.org by se...@apache.org on 2017/03/22 22:43:48 UTC
cxf git commit: Moving the cek auto-generation into where it should
be in ContentEncryptionProvider,
and optionally controlling if a cek should be generated once
Repository: cxf
Updated Branches:
refs/heads/master 162282359 -> 64070aa91
Moving the CEK auto-generation into ContentEncryptionProvider, where it belongs, and optionally controlling whether a CEK should be generated only once
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/64070aa9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/64070aa9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/64070aa9
Branch: refs/heads/master
Commit: 64070aa91b4b56155faf7703520a5142fa7a6e36
Parents: 1622823
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Mar 22 22:41:32 2017 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Mar 22 22:41:32 2017 +0000
----------------------------------------------------------------------
.../jwe/AbstractContentEncryptionAlgorithm.java | 25 +++++++++++++++++---
.../jose/jwe/AbstractJweEncryption.java | 16 -------------
.../jose/jwe/AesCbcHmacJweEncryption.java | 22 ++++++++++-------
.../jwe/AesGcmContentEncryptionAlgorithm.java | 6 ++++-
.../security/jose/jwe/JweJsonConsumerTest.java | 4 +---
.../jaxrs/security/jose/jwejws/server.xml | 2 +-
6 files changed, 43 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 1ea2e1a..6e27289 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.util.concurrent.atomic.AtomicInteger;
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -30,8 +31,12 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
private byte[] cek;
private byte[] iv;
private AtomicInteger providedIvUsageCount;
-
-
+ private boolean generateCekOnce;
+
+ protected AbstractContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce) {
+ super(algo);
+ this.generateCekOnce = generateCekOnce;
+ }
protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm algo) {
super(algo);
this.cek = cek;
@@ -42,7 +47,18 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
}
public byte[] getContentEncryptionKey(JweHeaders headers) {
- return cek;
+ byte[] theCek = null;
+ if (cek == null) {
+ String algoJava = getAlgorithm().getJavaName();
+ theCek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),
+ getContentEncryptionKeySize(headers)).getEncoded();
+ if (generateCekOnce) {
+ cek = theCek;
+ }
+ } else {
+ theCek = cek;
+ }
+ return theCek;
}
public byte[] getInitVector() {
if (iv == null) {
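Review bot: When `generateCekOnce` is set, the lazily generated key is written to the non-volatile `cek` field with no synchronization, so if one provider instance is shared between threads, concurrent first calls can each generate their own key and a later caller may still read `null` and generate another; "once" is then only best-effort. If the provider is meant to be usable as a shared bean, declaring the field `volatile` (it is declared in the previous hunk) and generating under a lock, or documenting that an instance must be confined to a single producer, would make that contract explicit. Separately, caching one CEK for the lifetime of the provider means every message is encrypted under the same key; with a random per-message IV (`getInitVector` continues outside the hunk) the AES-GCM IV-collision bound applies to that key, so neither path should be used for a long-lived, high-volume provider. The protected constructor in the previous hunk and the public `AesGcmContentEncryptionAlgorithm(ContentAlgorithm, boolean)` constructor in this commit carry no Javadoc for the flag; something like `@param generateCekOnce generate the content encryption key on the first request and return that same key on every later call (otherwise a fresh key is generated per call); presumably intended for multi-recipient JSON serialization — confirm` would state the intended use and its limit.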
@@ -54,6 +70,9 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
return iv;
}
}
+ protected int getContentEncryptionKeySize(JweHeaders headers) {
+ return getAlgorithm().getKeySizeBits();
+ }
protected int getIvSize() {
return DEFAULT_IV_SIZE;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index acdc067..39057ed 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -29,7 +29,6 @@ import javax.crypto.SecretKey;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -54,21 +53,6 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
}
protected byte[] getContentEncryptionKey(JweHeaders headers) {
- byte[] cek = getProvidedContentEncryptionKey(headers);
- if (cek == null) {
- String algoJava = getContentEncryptionAlgoJava();
- String algoJwt = getContentEncryptionAlgoJwt();
- cek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),
- getCekSize(algoJwt)).getEncoded();
- }
- return cek;
- }
-
- protected int getCekSize(String algoJwt) {
- return ContentAlgorithm.valueOf(algoJwt.replace('-', '_')).getKeySizeBits();
- }
-
- protected byte[] getProvidedContentEncryptionKey(JweHeaders headers) {
return getContentEncryptionAlgorithm().getContentEncryptionKey(headers);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 0713100..12170c1 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -44,13 +44,16 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
AES_CEK_SIZE_MAP.put(ContentAlgorithm.A192CBC_HS384.getJwaName(), 48);
AES_CEK_SIZE_MAP.put(ContentAlgorithm.A256CBC_HS512.getJwaName(), 64);
}
- public AesCbcHmacJweEncryption(String cekAlgo,
+ public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
KeyEncryptionProvider keyEncryptionAlgorithm) {
- this(ContentAlgorithm.getAlgorithm(cekAlgo), keyEncryptionAlgorithm);
+ this(cekAlgoJwt, keyEncryptionAlgorithm, false);
}
public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
- KeyEncryptionProvider keyEncryptionAlgorithm) {
- this(cekAlgoJwt, null, null, keyEncryptionAlgorithm);
+ KeyEncryptionProvider keyEncryptionAlgorithm,
+ boolean generateCekOnce) {
+ super(keyEncryptionAlgorithm,
+ new AesCbcContentEncryptionAlgorithm(validateCekAlgorithm(cekAlgoJwt),
+ generateCekOnce));
}
public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt, byte[] cek,
byte[] iv, KeyEncryptionProvider keyEncryptionAlgorithm) {
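Review bot: Replacing the public `AesCbcHmacJweEncryption(String, KeyEncryptionProvider)` constructor with one taking `ContentAlgorithm` is a source- and binary-incompatible change for callers and for Spring configuration: the server.xml hunk in this same commit has to switch the constructor-arg from the JWA name `A128CBC-HS256` to the enum constant name `A128CBC_HS256`, and any existing configuration still using the JWA name will now fail at bean creation. Keeping the String overload as a thin delegate, `public AesCbcHmacJweEncryption(String cekAlgo, KeyEncryptionProvider keyEncryptionAlgorithm) { this(ContentAlgorithm.getAlgorithm(cekAlgo), keyEncryptionAlgorithm, false); }`, preserves both forms (`ContentAlgorithm.getAlgorithm` is what the removed line used). The two-argument path also no longer goes through the `(ContentAlgorithm, byte[], byte[], KeyEncryptionProvider)` constructor it previously delegated to, so anything that constructor does beyond `validateCekAlgorithm` (its body is outside the hunk) is no longer applied on this path; worth confirming nothing else was relied on.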
@@ -63,10 +66,6 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
protected byte[] getActualCek(byte[] theCek, String algoJwt) {
return doGetActualCek(theCek, algoJwt);
}
- @Override
- protected int getCekSize(String algoJwt) {
- return getFullCekKeySize(algoJwt) * 8;
- }
protected static byte[] doGetActualCek(byte[] theCek, String algoJwt) {
int size = getFullCekKeySize(algoJwt) / 2;
byte[] actualCek = new byte[size];
@@ -147,6 +146,9 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
}
private static class AesCbcContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
+ AesCbcContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce) {
+ super(algo, generateCekOnce);
+ }
AesCbcContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm algo) {
super(cek, iv, algo);
}
@@ -158,6 +160,10 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
return null;
}
+ @Override
+ protected int getContentEncryptionKeySize(JweHeaders headers) {
+ return getFullCekKeySize(getAlgorithm().getJwaName()) * 8;
+ }
}
protected static class MacState {
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index 94eddff..20e35c9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -28,7 +28,10 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
private static final int DEFAULT_IV_SIZE = 96;
public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo) {
- this((byte[])null, null, algo);
+ this(algo, false);
+ }
+ public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce) {
+ super(checkAlgorithm(algo), generateCekOnce);
}
public AesGcmContentEncryptionAlgorithm(String encodedCek, String encodedIv, ContentAlgorithm algo) {
this((byte[])CryptoUtils.decodeSequence(encodedCek), CryptoUtils.decodeSequence(encodedIv), algo);
@@ -58,4 +61,5 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
LOG.warning("Invalid content encryption algorithm");
throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
+
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
index 9a3a915..4475375 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
@@ -37,7 +37,6 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
-import org.junit.Ignore;
import org.junit.Test;
public class JweJsonConsumerTest extends Assert {
@@ -138,7 +137,6 @@ public class JweJsonConsumerTest extends Assert {
doTestMultipleRecipients(JweJsonProducerTest.MULTIPLE_RECIPIENTS_OUTPUT);
}
@Test
- @Ignore
public void testMultipleRecipientsAutogeneratedCek() {
final String text = "The true sign of intelligence is not knowledge but imagination.";
SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1, "AES");
@@ -154,7 +152,7 @@ public class JweJsonConsumerTest extends Assert {
KeyEncryptionProvider keyEncryption1 =
JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW);
ContentEncryptionProvider contentEncryption =
- new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM);
+ new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM, true);
JweEncryptionProvider jwe1 = new JweEncryption(keyEncryption1, contentEncryption);
KeyEncryptionProvider keyEncryption2 =
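Review bot: The test now passes `true` for `generateCekOnce` without saying why, and the remainder of the test, including where the provider is handed to the JSON producer, is outside the hunk. If the multi-recipient producer asks the provider for the key once per recipient (not visible here), the default `false` would wrap a different random key for each recipient than the one the content was encrypted with, which makes the flag load-bearing rather than incidental; a comment such as `// every recipient must wrap the same CEK, so generate it exactly once` would stop the next reader from "simplifying" this back to the one-argument constructor. A companion test showing what happens with the default provider and several recipients (a failure, or an explicit rejection) would pin that behaviour as well.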
http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
index 5b4cd22..df959aa 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
@@ -46,7 +46,7 @@ under the License.
<constructor-arg value="A128KW"/>
</bean>
<bean id="aesCbcHmacEncryption" class="org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption">
- <constructor-arg value="A128CBC-HS256"/>
+ <constructor-arg value="A128CBC_HS256"/>
<constructor-arg ref="aesWrapEncryptionAlgo"/>
</bean>