Posted to commits@cxf.apache.org by se...@apache.org on 2014/06/06 14:31:27 UTC
git commit: [CXF-5311] Fixing compact serialization if OOB ceks are
used, refactoring abstract JWE helpers,
adding empty encryption and signature properties which can be used to enforce
that only specific encryption/sign algo props were used
Repository: cxf
Updated Branches:
refs/heads/master ac556b7cf -> 117061fed
[CXF-5311] Fixing compact serialization if OOB ceks are used, refactoring abstract JWE helpers, adding empty encryption and signature properties which can be used to enforce that only specific encryption/sign algo props were used
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/117061fe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/117061fe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/117061fe
Branch: refs/heads/master
Commit: 117061fed2242b6a927467e2b6488c9fb111565a
Parents: ac556b7
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Jun 6 13:30:21 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Jun 6 13:30:21 2014 +0100
----------------------------------------------------------------------
.../oauth2/jwe/AbstractJweDecryptor.java | 52 +++-----------------
.../oauth2/jwe/AbstractJweEncryptor.java | 52 ++++----------------
.../oauth2/jwe/DirectKeyJweDecryptor.java | 15 +++++-
.../oauth2/jwe/DirectKeyJweEncryptor.java | 3 ++
.../security/oauth2/jwe/JweCompactConsumer.java | 16 +++++-
.../security/oauth2/jwe/JweCompactProducer.java | 4 +-
.../rs/security/oauth2/jwe/RSAJweDecryptor.java | 12 +++--
.../oauth2/jwe/WrappedKeyJweDecryptor.java | 39 +++++++++++++--
.../oauth2/jwe/WrappedKeyJweEncryptor.java | 35 +++++++++++--
.../security/oauth2/jws/JwsCompactConsumer.java | 19 +++++--
.../rs/security/oauth2/jwt/JwtTokenReader.java | 1 -
.../oauth2/jwt/JwtTokenReaderWriter.java | 3 +-
.../security/oauth2/utils/Base64UrlUtility.java | 9 +++-
13 files changed, 151 insertions(+), 109 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
index cff7f28..4b9614f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -18,52 +18,20 @@
*/
package org.apache.cxf.rs.security.oauth2.jwe;
-import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
public abstract class AbstractJweDecryptor {
private JweCompactConsumer jweConsumer;
- private Key cekDecryptionKey;
- private byte[] contentDecryptionKey;
- private boolean unwrap;
private CeProvider ceProvider = new CeProvider();
- protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
- this.jweConsumer = new JweCompactConsumer(jweContent);
- this.cekDecryptionKey = cekDecryptionKey;
- this.unwrap = unwrap;
- }
- protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) {
- this(jweContent, null, false);
- this.contentDecryptionKey = contentDecryptionKey.getEncoded();
- }
- protected Key getCekDecryptionKey() {
- return cekDecryptionKey;
+ protected AbstractJweDecryptor(String jweContent, JweCryptoProperties props) {
+ this.jweConsumer = new JweCompactConsumer(jweContent, props);
}
- protected byte[] getContentEncryptionKey() {
- // This can be overridden if needed
- if (contentDecryptionKey != null) {
- return contentDecryptionKey;
- }
-
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
- if (!unwrap) {
- keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
- } else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
- getContentEncryptionAlgorithm(),
- getCekDecryptionKey(),
- keyProps).getEncoded();
- }
- }
- protected int getKeyCipherBlockSize() {
- return -1;
- }
+ protected abstract byte[] getContentEncryptionKey();
+
public byte[] getDecryptedContent() {
return jweConsumer.getDecryptedContent(ceProvider);
@@ -72,24 +40,20 @@ public abstract class AbstractJweDecryptor {
public String getDecryptedContentText() {
return jweConsumer.getDecryptedContentText(ceProvider);
}
- public JweHeaders getJweHeaders() {
+ public JweHeaders getHeaders() {
return getJweConsumer().getJweHeaders();
}
protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
- // this can be overridden if needed
return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),
getContentEncryptionCipherInitVector());
}
- protected String getKeyEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
- }
protected byte[] getEncryptedContentEncryptionKey() {
return getJweConsumer().getEncryptedContentEncryptionKey();
}
+ protected String getContentEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getHeaders().getContentEncryptionAlgorithm());
+ }
protected byte[] getContentEncryptionCipherAAD() {
return getJweConsumer().getContentEncryptionCipherAAD();
}
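Review bot: Renaming the public `getJweHeaders()` to `getHeaders()` is a source-incompatible change for every subclass and caller of AbstractJweDecryptor, and it leaves the two halves of the API inconsistent, because AbstractJweEncryptor gains a `getJweHeaders()` accessor in this same commit. Keeping the old name as a thin delegate avoids the break: `@Deprecated public JweHeaders getJweHeaders() { return getHeaders(); }`. If the rename is deliberate, the commit message should call out the API change so downstream users know to update.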
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
index 44987f9..2427cc1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
@@ -19,7 +19,6 @@
package org.apache.cxf.rs.security.oauth2.jwe;
import java.io.UnsupportedEncodingException;
-import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.SecretKey;
@@ -33,13 +32,11 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
public abstract class AbstractJweEncryptor {
protected static final int DEFAULT_IV_SIZE = 96;
protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private Key cekEncryptionKey;
private JweHeaders headers;
private JwtHeadersWriter writer = new JwtTokenReaderWriter();
private byte[] cek;
private byte[] iv;
private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
- private boolean wrap;
protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
@@ -53,24 +50,12 @@ public abstract class AbstractJweEncryptor {
this(headers, cek, iv);
this.authTagLen = authTagLen;
}
- protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+ protected AbstractJweEncryptor(JweHeaders headers) {
this.headers = headers;
- this.cekEncryptionKey = cekEncryptionKey;
}
- protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
- this.cekEncryptionKey = cekEncryptionKey;
- }
- protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap) {
+ protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,
+ JwtHeadersWriter writer) {
this(headers, cek, iv, authTagLen);
- this.cekEncryptionKey = cekEncryptionKey;
- this.wrap = wrap;
- }
-
- protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
- boolean wrap, JwtHeadersWriter writer) {
- this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
if (writer != null) {
this.writer = writer;
}
@@ -85,31 +70,11 @@ public abstract class AbstractJweEncryptor {
}
protected byte[] getContentEncryptionKey() {
- if (cek == null && cekEncryptionKey != null) {
- String algo = headers.getContentEncryptionAlgorithm();
- return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
- } else {
- return cek;
- }
+ return cek;
}
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- if (cekEncryptionKey == null) {
- return cek;
- } else {
- KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
- if (!wrap) {
- return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
- secretKeyProperties.getKeyAlgo());
- }
- }
- }
+ protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
- protected String getContentEncryptionKeyEncryptionAlgo() {
- return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
- }
protected String getContentEncryptionAlgo() {
return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
}
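Review bot: The new abstract `getEncryptedContentEncryptionKey(byte[] theCek)` carries no contract, so an implementer cannot tell from this class what to return when the CEK is not transported inside the token. A Javadoc on the declaration stating that implementations return the encrypted or wrapped content encryption key, and an empty array (as DirectKeyJweEncryptor does) or null when the key is established out of band, would make the relationship with JweCompactProducer's new null handling explicit. The same applies to `getContentEncryptionKey()`, which now returns the raw `cek` field and can therefore be null unless a subclass overrides it; that expectation should be documented on the method.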
@@ -117,11 +82,11 @@ public abstract class AbstractJweEncryptor {
protected int getAuthTagLen() {
return authTagLen;
}
-
+ protected JweHeaders getJweHeaders() {
+ return headers;
+ }
public String getJweContent(byte[] content) {
byte[] theCek = getContentEncryptionKey();
- byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-
String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
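Review bot: `theCek` obtained on the first line of `getJweContent` is never checked before it reaches `CryptoUtils.createSecretKeySpec` further down, and with this commit `getContentEncryptionKey()` returns the bare `cek` field, which the `AbstractJweEncryptor(JweHeaders)` constructor earlier in this file leaves null. Failing early, `if (theCek == null) { throw new SecurityException("Content encryption key is not available"); }`, gives a clear error instead of whatever the crypto helper does with a null key. The body of `getJweContent` continues past the end of this hunk.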
@@ -136,6 +101,7 @@ public abstract class AbstractJweEncryptor {
CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
keyProps);
+ byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
JweCompactProducer producer = new JweCompactProducer(headers,
jweContentEncryptionKey,
theIv,
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
index fd98333..be9378f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
@@ -21,7 +21,20 @@ package org.apache.cxf.rs.security.oauth2.jwe;
import java.security.Key;
public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
+ private byte[] contentDecryptionKey;
public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) {
- super(jweContent, contentDecryptionKey);
+ this(jweContent, contentDecryptionKey, null);
+ }
+ public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey, JweCryptoProperties props) {
+ super(jweContent, props);
+ this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+ }
+ @Override
+ protected byte[] getContentEncryptionKey() {
+ byte[] encryptedCEK = getEncryptedContentEncryptionKey();
+ if (encryptedCEK != null && encryptedCEK.length > 0) {
+ throw new SecurityException();
+ }
+ return contentDecryptionKey;
}
}
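Review bot: The `SecurityException` thrown from `getContentEncryptionKey` when a non-empty encrypted key part is present carries no message, so the failure is indistinguishable in logs from every other bare `SecurityException` in this package; `throw new SecurityException("Direct encryption does not allow an encrypted content encryption key");` would identify it. The check itself is valuable, since a token carrying an encrypted key while being decrypted with a direct key indicates a header/key mismatch, and it could be strengthened by also comparing `getHeaders().getKeyEncryptionAlgorithm()` against the direct-encryption algorithm name. Note that the three-argument constructor dereferences `contentDecryptionKey` with no null check, so a null key surfaces as a NullPointerException rather than an argument error.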
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
index e2b0e43..8872d81 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
@@ -32,4 +32,7 @@ public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
super(headers, cek, iv, authTagLen);
}
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ return new byte[0];
+ }
}
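Review bot: The new `getEncryptedContentEncryptionKey` override lacks the `@Override` annotation that DirectKeyJweDecryptor uses in this same commit; since the superclass method was just made abstract, the annotation is what would catch a future signature drift at compile time. Add `@Override` above the declaration. The same omission applies to the overrides added in WrappedKeyJweDecryptor and WrappedKeyJweEncryptor.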
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
index 9c11dcf..042ceda 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
@@ -26,6 +26,7 @@ import java.security.spec.AlgorithmParameterSpec;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersReader;
import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
@@ -40,6 +41,12 @@ public class JweCompactConsumer {
private byte[] authTag;
private JweHeaders jweHeaders;
public JweCompactConsumer(String jweContent) {
+ this(jweContent, null);
+ }
+ public JweCompactConsumer(String jweContent, JweCryptoProperties props) {
+ this(jweContent, props, new JwtTokenReaderWriter());
+ }
+ public JweCompactConsumer(String jweContent, JweCryptoProperties props, JwtHeadersReader reader) {
String[] parts = jweContent.split("\\.");
if (parts.length != 5) {
throw new SecurityException("5 JWE parts are expected");
@@ -54,12 +61,19 @@ public class JweCompactConsumer {
encryptedContentWithTag = new byte[cipherText.length + authTag.length];
System.arraycopy(cipherText, 0, encryptedContentWithTag, 0, cipherText.length);
System.arraycopy(authTag, 0, encryptedContentWithTag, cipherText.length, authTag.length);
- jweHeaders = new JweHeaders(new JwtTokenReaderWriter().fromJsonHeaders(headersJson).asMap());
+ jweHeaders = new JweHeaders(reader.fromJsonHeaders(headersJson).asMap());
+ enforceJweCryptoProperties(props);
} catch (Base64Exception ex) {
throw new SecurityException(ex);
}
}
+ private void enforceJweCryptoProperties(JweCryptoProperties props) {
+ if (props != null) {
+ //TODO: Validate
+ }
+ }
+
public String getDecodedJsonHeaders() {
return headersJson;
}
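Review bot: `enforceJweCryptoProperties` is a no-op when `props` is non-null, so a caller who passes properties to restrict the accepted algorithms gets no enforcement at all while the commit message advertises exactly that; the same stub appears as `enforceJweSignatureProperties` in JwsCompactConsumer. Until the comparison against `jweHeaders` is implemented, the method should fail closed rather than silently accept, e.g. `throw new UnsupportedOperationException("JWE crypto property enforcement is not implemented yet");`, or the constructors should reject a non-null `props`. Separately, the three-argument constructor dereferences `reader` with no null check, so only the two delegating constructors are safe entry points.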
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
index cb61690..82945b7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
@@ -89,9 +89,9 @@ public class JweCompactProducer {
StringBuilder sb = new StringBuilder();
return sb.append(encodedHeaders)
.append('.')
- .append(encodedContentEncryptionKey)
+ .append(encodedContentEncryptionKey == null ? "" : encodedContentEncryptionKey)
.append('.')
- .append(encodedInitVector)
+ .append(encodedInitVector == null ? "" : encodedInitVector)
.append('.')
.append(encodedEncryptedContent)
.append('.')
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
index cb4666f..17a53d1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -23,12 +23,18 @@ import java.security.interfaces.RSAPublicKey;
public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
- public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
- super(jweContent, privateKey, unwrap);
- }
+
public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey) {
this(jweContent, privateKey, true);
}
+ public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
+ this(jweContent, privateKey, unwrap, null);
+ }
+ public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap,
+ JweCryptoProperties props) {
+ super(jweContent, privateKey, unwrap, props);
+ }
+
protected int getKeyCipherBlockSize() {
return ((RSAPublicKey)getCekDecryptionKey()).getModulus().toByteArray().length;
}
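Review bot: The unchanged `getKeyCipherBlockSize` at the end of the hunk casts the CEK decryption key to `RSAPublicKey`, but every constructor in this class accepts an `RSAPrivateKey`, so the cast can only succeed for a key object implementing both interfaces; `java.security.interfaces.RSAKey`, which both extend and which declares `getModulus()`, is the right target. In addition, `getModulus().toByteArray().length` includes the sign byte that `BigInteger` prepends when the high bit of the modulus is set, so the block size comes out one byte too large for typical keys; `(getModulus().bitLength() + 7) / 8` gives the actual modulus length. Although these lines predate the commit, the new constructor chain routes every `unwrap == false` decryption through them via WrappedKeyJweDecryptor.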
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
index 0145909..1798c55 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
@@ -20,11 +20,44 @@ package org.apache.cxf.rs.security.oauth2.jwe;
import java.security.Key;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
- public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
- super(jweContent, cekDecryptionKey, unwrap);
- }
+ private Key cekDecryptionKey;
+ private boolean unwrap;
public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) {
this(jweContent, cekDecryptionKey, true);
}
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
+ this(jweContent, cekDecryptionKey, unwrap, null);
+ }
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap,
+ JweCryptoProperties props) {
+ super(jweContent, props);
+ this.cekDecryptionKey = cekDecryptionKey;
+ this.unwrap = unwrap;
+ }
+ protected byte[] getContentEncryptionKey() {
+ KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+ if (!unwrap) {
+ keyProps.setBlockSize(getKeyCipherBlockSize());
+ return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
+ } else {
+ return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
+ getContentEncryptionAlgorithm(),
+ getCekDecryptionKey(),
+ keyProps).getEncoded();
+ }
+ }
+ protected Key getCekDecryptionKey() {
+ return cekDecryptionKey;
+ }
+ protected int getKeyCipherBlockSize() {
+ return -1;
+ }
+ protected String getKeyEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getHeaders().getKeyEncryptionAlgorithm());
+ }
}
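Review bot: `getContentEncryptionKey` hands `getEncryptedContentEncryptionKey()` straight to the decrypt or unwrap helper without checking that an encrypted key part is present, which is the mirror image of the check DirectKeyJweDecryptor adds in this commit; a token whose second segment is empty, consumed with a wrapped-key decryptor, indicates a header/key mismatch and should be rejected up front rather than left to the cipher. Something like `byte[] encryptedCek = getEncryptedContentEncryptionKey(); if (encryptedCek == null || encryptedCek.length == 0) { throw new SecurityException("Encrypted content encryption key is missing"); }` at the top of the method would do. The override also lacks `@Override`.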
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
index 6486604..ad6b905 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
@@ -20,22 +20,49 @@ package org.apache.cxf.rs.security.oauth2.jwe;
import java.security.Key;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
+ private Key cekEncryptionKey;
+ private boolean wrap;
public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
- super(headers, cekEncryptionKey);
+ this(headers, cekEncryptionKey, null, null);
}
public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
- super(headers, cekEncryptionKey, cek, iv);
+ this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
}
public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
int authTagLen, boolean wrap) {
- super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+ this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
}
public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
boolean wrap, JwtHeadersWriter writer) {
- super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer);
+ super(headers, cek, iv, authTagLen, writer);
+ this.cekEncryptionKey = cekEncryptionKey;
+ this.wrap = wrap;
+ }
+ protected byte[] getContentEncryptionKey() {
+ byte[] theCek = super.getContentEncryptionKey();
+ if (theCek == null) {
+ String algo = getContentEncryptionAlgo();
+ theCek = CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
+ }
+ return theCek;
+ }
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+ if (!wrap) {
+ return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+ } else {
+ return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
+ secretKeyProperties.getKeyAlgo());
+ }
+ }
+ protected String getContentEncryptionKeyEncryptionAlgo() {
+ return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
}
}
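Review bot: In the new `getContentEncryptionKey`, `algo` is the Java algorithm name returned by `getContentEncryptionAlgo()` (which applies `Algorithm.toJavaName`), yet it is passed to `Algorithm.valueOf(algo)`; the code this replaces in AbstractJweEncryptor looked the enum up by the JWT name from `headers.getContentEncryptionAlgorithm()` and passed that same name to `getSecretKey`. Unless the enum constants happen to be named after the Java names, `valueOf` will throw `IllegalArgumentException` here, so the lookup should use `String jwtAlgo = getJweHeaders().getContentEncryptionAlgorithm();` and `Algorithm.valueOf(jwtAlgo).getKeySizeBits()`. This should be verified against the Algorithm enum, which is not part of this diff.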
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
index abec1a6..d149587 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
@@ -37,14 +37,21 @@ public class JwsCompactConsumer {
private String headersJson;
private String claimsJson;
private JwtToken token;
+ private JwsSignatureProperties props;
public JwsCompactConsumer(String encodedJws) {
- this(encodedJws, null);
+ this(encodedJws, null, null);
+ }
+ public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props) {
+ this(encodedJws, props, null);
}
public JwsCompactConsumer(String encodedJws, JwtTokenReader r) {
+ this(encodedJws, null, r);
+ }
+ public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props, JwtTokenReader r) {
if (r != null) {
this.reader = r;
}
-
+ this.props = props;
String[] parts = encodedJws.split("\\.");
if (parts.length != 3) {
if (parts.length == 2 && encodedJws.endsWith(".")) {
@@ -87,16 +94,22 @@ public class JwsCompactConsumer {
}
public JwtToken getJwtToken() {
if (token == null) {
- token = reader.fromJson(headersJson, claimsJson);
+ token = reader.fromJson(new JwtTokenJson(headersJson, claimsJson));
}
return token;
}
public boolean verifySignatureWith(JwsSignatureVerifier validator) {
+ enforceJweSignatureProperties();
if (!validator.verify(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature())) {
throw new SecurityException();
}
return true;
}
+ private void enforceJweSignatureProperties() {
+ if (props != null) {
+ //TODO:
+ }
+ }
private static String decodeToString(String encoded) {
try {
return new String(decode(encoded), "UTF-8");
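Review bot: `enforceJweSignatureProperties` is a private helper in JwsCompactConsumer that checks `JwsSignatureProperties`, so the "Jwe" in its name is misleading; `enforceJwsSignatureProperties` matches the class and the field it reads. The bare `throw new SecurityException()` in `verifySignatureWith` would also benefit from a message such as `"JWS signature verification failed"` so that a rejected token can be told apart from other failures in logs.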
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
index 9be3a0a..f916df7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
@@ -21,6 +21,5 @@ package org.apache.cxf.rs.security.oauth2.jwt;
public interface JwtTokenReader extends JwtHeadersReader {
JwtClaims fromJsonClaims(String jsonClaims);
- JwtToken fromJson(String jsonHeaders, String jsonClaims);
JwtToken fromJson(JwtTokenJson jsonPair);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
index 9d95771..d8d6dd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
@@ -68,8 +68,7 @@ public class JwtTokenReaderWriter implements JwtTokenReader, JwtTokenWriter {
}
- @Override
- public JwtToken fromJson(String headersJson, String claimsJson) {
+ private JwtToken fromJson(String headersJson, String claimsJson) {
JwtHeaders headers = fromJsonHeaders(headersJson);
JwtClaims claims = fromJsonClaims(claimsJson);
return new JwtToken(headers, claims);
http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
index 9b5db48..d8d795c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
@@ -73,8 +73,13 @@ public final class Base64UrlUtility {
}
public static String encodeChunk(byte[] id, int offset, int length) {
- String encoded = new String(Base64Utility.encodeChunk(id, offset, length));
- return encoded.replace("+", "-").replace('/', '_').replace("=", "");
+ char[] chunk = Base64Utility.encodeChunk(id, offset, length);
+ if (chunk != null) {
+ String encoded = new String(chunk);
+ return encoded.replace("+", "-").replace('/', '_').replace("=", "");
+ } else {
+ return null;
+ }
}