Posted to commits@cxf.apache.org by se...@apache.org on 2014/06/05 18:32:09 UTC
git commit: [CXF-5311] Initial attempt to introduce some 'safety'
into the encryption/decryption process,
with more refactoring due for abstract classes
Repository: cxf
Updated Branches:
refs/heads/master 567f9862f -> fc8331eae
[CXF-5311] Initial attempt to introduce some 'safety' into the encryption/decryption process, with more refactoring due for abstract classes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fc8331ea
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fc8331ea
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fc8331ea
Branch: refs/heads/master
Commit: fc8331eaefef02740849f4cac51bc45c58f22ac4
Parents: 567f986
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Thu Jun 5 17:31:50 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Thu Jun 5 17:31:50 2014 +0100
----------------------------------------------------------------------
.../oauth2/jwe/AbstractJweDecryptor.java | 127 +++++++++++++++
.../oauth2/jwe/AbstractJweEncryptor.java | 156 +++++++++++++++++++
.../oauth2/jwe/DirectKeyJweDecryptor.java | 27 ++++
.../oauth2/jwe/DirectKeyJweEncryptor.java | 35 +++++
.../rs/security/oauth2/jwe/JweDecryptor.java | 127 ---------------
.../rs/security/oauth2/jwe/JweEncryptor.java | 156 -------------------
.../rs/security/oauth2/jwe/RSAJweDecryptor.java | 2 +-
.../rs/security/oauth2/jwe/RSAJweEncryptor.java | 2 +-
.../oauth2/jwe/WrappedKeyJweDecryptor.java | 30 ++++
.../oauth2/jwe/WrappedKeyJweEncryptor.java | 41 +++++
.../oauth2/jwe/JweCompactReaderWriterTest.java | 4 +-
11 files changed, 420 insertions(+), 287 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
new file mode 100644
index 0000000..cff7f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweDecryptor {
+ private JweCompactConsumer jweConsumer;
+ private Key cekDecryptionKey;
+ private byte[] contentDecryptionKey;
+ private boolean unwrap;
+ private CeProvider ceProvider = new CeProvider();
+ protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
+ this.jweConsumer = new JweCompactConsumer(jweContent);
+ this.cekDecryptionKey = cekDecryptionKey;
+ this.unwrap = unwrap;
+ }
+ protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) {
+ this(jweContent, null, false);
+ this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+ }
+ protected Key getCekDecryptionKey() {
+ return cekDecryptionKey;
+ }
+
+ protected byte[] getContentEncryptionKey() {
+ // This can be overridden if needed
+ if (contentDecryptionKey != null) {
+ return contentDecryptionKey;
+ }
+
+ KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+ if (!unwrap) {
+ keyProps.setBlockSize(getKeyCipherBlockSize());
+ return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
+ } else {
+ return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
+ getContentEncryptionAlgorithm(),
+ getCekDecryptionKey(),
+ keyProps).getEncoded();
+ }
+ }
+ protected int getKeyCipherBlockSize() {
+ return -1;
+ }
+ public byte[] getDecryptedContent() {
+
+ return jweConsumer.getDecryptedContent(ceProvider);
+
+ }
+ public String getDecryptedContentText() {
+ return jweConsumer.getDecryptedContentText(ceProvider);
+ }
+ public JweHeaders getJweHeaders() {
+ return getJweConsumer().getJweHeaders();
+ }
+
+ protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
+ // this can be overridden if needed
+ return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),
+ getContentEncryptionCipherInitVector());
+ }
+ protected String getKeyEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+ }
+ protected String getContentEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
+ }
+ protected byte[] getEncryptedContentEncryptionKey() {
+ return getJweConsumer().getEncryptedContentEncryptionKey();
+ }
+ protected byte[] getContentEncryptionCipherAAD() {
+ return getJweConsumer().getContentEncryptionCipherAAD();
+ }
+ protected byte[] getEncryptedContentWithAuthTag() {
+ return getJweConsumer().getEncryptedContentWithAuthTag();
+ }
+ protected byte[] getContentEncryptionCipherInitVector() {
+ return getJweConsumer().getContentDecryptionCipherInitVector();
+ }
+ protected byte[] getEncryptionAuthenticationTag() {
+ return getJweConsumer().getEncryptionAuthenticationTag();
+ }
+ protected int getEncryptionAuthenticationTagLenBits() {
+ return getEncryptionAuthenticationTag().length * 8;
+ }
+ protected JweCompactConsumer getJweConsumer() {
+ return jweConsumer;
+ }
+
+ private class CeProvider implements ContentEncryptionProvider {
+
+ @Override
+ public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+ return AbstractJweDecryptor.this.getContentEncryptionKey();
+ }
+
+ @Override
+ public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+ int authTagLength,
+ byte[] initVector) {
+ return getContentDecryptionCipherSpec();
+ }
+
+ }
+}
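Review bot: getContentEncryptionKey() builds its KeyProperties from getKeyEncryptionAlgorithm(), which reads `alg` from the received JWE header, so the sender of the token chooses which cipher the recipient's private key is driven through (the same applies to getContentEncryptionAlgorithm() feeding unwrapSecretKey). A decryptor should be told the expected `alg`/`enc` up front and refuse a message whose headers differ before any key material is touched, e.g. `if (!expectedKeyAlgo.equals(getJweHeaders().getKeyEncryptionAlgorithm())) { throw new SecurityException("Unexpected key encryption algorithm"); }`; which downgrades are actually reachable depends on the Algorithm.toJavaName() table, which is not visible here. Relatedly, getEncryptionAuthenticationTagLenBits() takes the tag length from however many tag bytes arrived, so a sender can shorten the tag to whatever minimum the provider accepts — the decryptor should require the full 128-bit tag (the encryptor's DEFAULT_AUTH_TAG_LENGTH) rather than trusting the message. The `contentDecryptionKey.getEncoded()` call in the second constructor also needs a null guard, since Key.getEncoded() may return null for non-extractable keys and the NPE would surface only at construction.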
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
new file mode 100644
index 0000000..44987f9
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweEncryptor {
+ protected static final int DEFAULT_IV_SIZE = 96;
+ protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private Key cekEncryptionKey;
+ private JweHeaders headers;
+ private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+ private byte[] cek;
+ private byte[] iv;
+ private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+ private boolean wrap;
+
+ protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+ this.headers = headers;
+ this.cek = cek;
+ this.iv = iv;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ this(headers, cek, iv);
+ this.authTagLen = authTagLen;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+ this.headers = headers;
+ this.cekEncryptionKey = cekEncryptionKey;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+ this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
+ this.cekEncryptionKey = cekEncryptionKey;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ this(headers, cek, iv, authTagLen);
+ this.cekEncryptionKey = cekEncryptionKey;
+ this.wrap = wrap;
+ }
+
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
+ boolean wrap, JwtHeadersWriter writer) {
+ this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+ if (writer != null) {
+ this.writer = writer;
+ }
+ }
+
+ protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+ }
+
+ protected byte[] getContentEncryptionCipherInitVector() {
+ return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
+ }
+
+ protected byte[] getContentEncryptionKey() {
+ if (cek == null && cekEncryptionKey != null) {
+ String algo = headers.getContentEncryptionAlgorithm();
+ return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
+ } else {
+ return cek;
+ }
+ }
+
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ if (cekEncryptionKey == null) {
+ return cek;
+ } else {
+ KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+ if (!wrap) {
+ return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+ } else {
+ return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
+ secretKeyProperties.getKeyAlgo());
+ }
+ }
+ }
+
+ protected String getContentEncryptionKeyEncryptionAlgo() {
+ return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
+ }
+ protected String getContentEncryptionAlgo() {
+ return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+ }
+
+ protected int getAuthTagLen() {
+ return authTagLen;
+ }
+
+ public String getJweContent(byte[] content) {
+ byte[] theCek = getContentEncryptionKey();
+ byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+
+ String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+ KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+ byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
+ keyProps.setAdditionalData(additionalEncryptionParam);
+
+ byte[] theIv = getContentEncryptionCipherInitVector();
+ AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+ keyProps.setAlgoSpec(specParams);
+
+ byte[] cipherText = CryptoUtils.encryptBytes(
+ content,
+ CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
+ keyProps);
+
+ JweCompactProducer producer = new JweCompactProducer(headers,
+ jweContentEncryptionKey,
+ theIv,
+ cipherText,
+ getAuthTagLen());
+ return producer.getJweContent();
+ }
+
+ public String getJweContent(String text) {
+ try {
+ return getJweContent(text.getBytes("UTF-8"));
+ } catch (UnsupportedEncodingException ex) {
+ throw new SecurityException(ex);
+ }
+ }
+
+
+}
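Review bot: getEncryptedContentEncryptionKey() returns the raw `cek` when there is no cekEncryptionKey (the `+ return cek;` line), and getJweContent() then passes those bytes to JweCompactProducer as the encrypted-key segment; unless the producer drops that segment for direct encryption (not visible here), the plaintext content-encryption key ends up base64url-encoded inside the token. For the direct-key case the encrypted-key segment must be empty, so this branch should return whatever the producer treats as absent, e.g. `return new byte[0];`, with a comment saying why. Separately, `CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE)` is called with 96 while the method name suggests a byte count; if that is so the generated IV is 96 bytes rather than the 96-bit IV the AES-GCM JWE algorithms specify, and `generateSecureRandomBytes(DEFAULT_IV_SIZE / 8)` plus a comment that the constant is in bits would settle it. Note also that a caller-supplied non-null `iv` is returned unchanged on every call, so an instance reused for several messages repeats the nonce under the same key.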
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
new file mode 100644
index 0000000..fd98333
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
+ public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) {
+ super(jweContent, contentDecryptionKey);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
new file mode 100644
index 0000000..e2b0e43
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+
+public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
+ public DirectKeyJweEncryptor(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+ }
+ public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+ super(headers, cek, iv);
+ }
+ public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ super(headers, cek, iv, authTagLen);
+ }
+}
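Review bot: Every public constructor here takes a caller-supplied `iv` next to a fixed `cek`, and AbstractJweEncryptor reuses that exact IV on each getJweContent() call (it only generates a random one when `iv` is null), so an instance built with a non-null iv and used for more than one message repeats a nonce under the same key — fatal for the GCM-style AEAD modes this class appears to target. Either document that such an instance is single-use or stop exposing `iv` on the public constructors and always draw a fresh IV per message; at minimum a class comment such as `// A non-null iv is reused for every message produced by this instance; pass null (fresh random IV per call) unless exactly one message is encrypted.` should go on the class. The single-SecretKey constructor also derives the headers from `cek.getAlgorithm()`, which for a SecretKeySpec is the bare JCA name such as "AES" and carries no key size or mode; whether Algorithm.toJwtName() can turn that into a valid `enc` value is not visible here.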
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
deleted file mode 100644
index 31c432c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweDecryptor {
- private JweCompactConsumer jweConsumer;
- private Key cekDecryptionKey;
- private byte[] contentDecryptionKey;
- private boolean unwrap;
- private CeProvider ceProvider = new CeProvider();
- public JweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
- this.jweConsumer = new JweCompactConsumer(jweContent);
- this.cekDecryptionKey = cekDecryptionKey;
- this.unwrap = unwrap;
- }
- public JweDecryptor(String jweContent, Key contentDecryptionKey) {
- this(jweContent, null, false);
- this.contentDecryptionKey = contentDecryptionKey.getEncoded();
- }
- protected Key getCekDecryptionKey() {
- return cekDecryptionKey;
- }
-
- protected byte[] getContentEncryptionKey() {
- // This can be overridden if needed
- if (contentDecryptionKey != null) {
- return contentDecryptionKey;
- }
-
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
- if (!unwrap) {
- keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
- } else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
- getContentEncryptionAlgorithm(),
- getCekDecryptionKey(),
- keyProps).getEncoded();
- }
- }
- protected int getKeyCipherBlockSize() {
- return -1;
- }
- public byte[] getDecryptedContent() {
-
- return jweConsumer.getDecryptedContent(ceProvider);
-
- }
- public String getDecryptedContentText() {
- return jweConsumer.getDecryptedContentText(ceProvider);
- }
- public JweHeaders getJweHeaders() {
- return getJweConsumer().getJweHeaders();
- }
-
- protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
- // this can be overridden if needed
- return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),
- getContentEncryptionCipherInitVector());
- }
- protected String getKeyEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
- }
- protected byte[] getEncryptedContentEncryptionKey() {
- return getJweConsumer().getEncryptedContentEncryptionKey();
- }
- protected byte[] getContentEncryptionCipherAAD() {
- return getJweConsumer().getContentEncryptionCipherAAD();
- }
- protected byte[] getEncryptedContentWithAuthTag() {
- return getJweConsumer().getEncryptedContentWithAuthTag();
- }
- protected byte[] getContentEncryptionCipherInitVector() {
- return getJweConsumer().getContentDecryptionCipherInitVector();
- }
- protected byte[] getEncryptionAuthenticationTag() {
- return getJweConsumer().getEncryptionAuthenticationTag();
- }
- protected int getEncryptionAuthenticationTagLenBits() {
- return getEncryptionAuthenticationTag().length * 8;
- }
- protected JweCompactConsumer getJweConsumer() {
- return jweConsumer;
- }
-
- private class CeProvider implements ContentEncryptionProvider {
-
- @Override
- public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
- return JweDecryptor.this.getContentEncryptionKey();
- }
-
- @Override
- public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
- int authTagLength,
- byte[] initVector) {
- return getContentDecryptionCipherSpec();
- }
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
deleted file mode 100644
index 600eed3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweEncryptor {
- protected static final int DEFAULT_IV_SIZE = 96;
- protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private Key cekEncryptionKey;
- private JweHeaders headers;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- private byte[] cek;
- private byte[] iv;
- private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
- private boolean wrap;
-
- public JweEncryptor(SecretKey cek, byte[] iv) {
- this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
- }
- public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
- this.headers = headers;
- this.cek = cek;
- this.iv = iv;
- }
- public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
- this(headers, cek, iv);
- this.authTagLen = authTagLen;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
- this.headers = headers;
- this.cekEncryptionKey = cekEncryptionKey;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
- this.cekEncryptionKey = cekEncryptionKey;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap) {
- this(headers, cek, iv, authTagLen);
- this.cekEncryptionKey = cekEncryptionKey;
- this.wrap = wrap;
- }
-
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
- boolean wrap, JwtHeadersWriter writer) {
- this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
- if (writer != null) {
- this.writer = writer;
- }
- }
-
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
- return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
- }
-
- protected byte[] getContentEncryptionCipherInitVector() {
- return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
- }
-
- protected byte[] getContentEncryptionKey() {
- if (cek == null && cekEncryptionKey != null) {
- String algo = headers.getContentEncryptionAlgorithm();
- return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
- } else {
- return cek;
- }
- }
-
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- if (cekEncryptionKey == null) {
- return cek;
- } else {
- KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
- if (!wrap) {
- return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
- secretKeyProperties.getKeyAlgo());
- }
- }
- }
-
- protected String getContentEncryptionKeyEncryptionAlgo() {
- return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgo() {
- return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- }
-
- protected int getAuthTagLen() {
- return authTagLen;
- }
-
- public String getJweContent(byte[] content) {
- byte[] theCek = getContentEncryptionKey();
- byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-
- String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
- byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
- keyProps.setAdditionalData(additionalEncryptionParam);
-
- byte[] theIv = getContentEncryptionCipherInitVector();
- AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
- keyProps.setAlgoSpec(specParams);
-
- byte[] cipherText = CryptoUtils.encryptBytes(
- content,
- CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
- keyProps);
-
- JweCompactProducer producer = new JweCompactProducer(headers,
- jweContentEncryptionKey,
- theIv,
- cipherText,
- getAuthTagLen());
- return producer.getJweContent();
- }
-
- public String getJweContent(String text) {
- try {
- return getJweContent(text.getBytes("UTF-8"));
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
index cce3cb5..cb4666f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -22,7 +22,7 @@ import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
-public class RSAJweDecryptor extends JweDecryptor {
+public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
super(jweContent, privateKey, unwrap);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
index 22c2f7e..7739379 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
@@ -25,7 +25,7 @@ import javax.crypto.SecretKey;
import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-public class RSAJweEncryptor extends JweEncryptor {
+public class RSAJweEncryptor extends WrappedKeyJweEncryptor {
public RSAJweEncryptor(RSAPublicKey publicKey, String contentEncryptionAlgo) {
super(new JweHeaders(Algorithm.RSA_OAEP_ALGO.getJwtName(),
contentEncryptionAlgo), publicKey);
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
new file mode 100644
index 0000000..0145909
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
+ super(jweContent, cekDecryptionKey, unwrap);
+ }
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) {
+ this(jweContent, cekDecryptionKey, true);
+ }
+}
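Review bot: The new class carries no Javadoc, and `cekDecryptionKey` and `unwrap` are the two values a caller is most likely to get wrong: `Key` is broad enough to accept the content-encryption key itself, which is exactly the mix-up the DirectKey/WrappedKey split in this commit is meant to guard against. Add a class comment such as `/** JWE decryptor for key-management modes where the content encryption key (CEK) is itself encrypted; cekDecryptionKey is the key that decrypts or unwraps the CEK, never the CEK. */`. The `unwrap = true` default chosen by the two-argument constructor should also be stated on that constructor, since whether it selects a Cipher unwrap mode rather than plain decryption is not visible here and appears to be decided in AbstractJweDecryptor.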
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
new file mode 100644
index 0000000..6486604
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+ super(headers, cekEncryptionKey);
+ }
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+ super(headers, cekEncryptionKey, cek, iv);
+ }
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+ }
+
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
+ boolean wrap, JwtHeadersWriter writer) {
+ super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer);
+ }
+}
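Review bot: The four telescoping constructors leave the most safety-relevant parameters — `cek`, `iv` and `wrap` — undocumented, so a reader cannot tell from this hunk what a caller-supplied `iv` or a `wrap = false` means. A class-level Javadoc should state that `cekEncryptionKey` encrypts or wraps the per-message content encryption key rather than the payload, and that supplying `cek` and `iv` explicitly makes the caller responsible for their uniqueness; the `authTagLen` parameter suggests an AEAD content cipher, where an IV reused under the same CEK undermines both confidentiality and the authentication tag, so the explicit-IV forms are best reserved for tests and interop fixtures. Whether the base class copies or validates the `cek`/`iv` arrays cannot be seen from this hunk; if it does not, `cek.clone()` / `iv.clone()` in these constructors would stop a caller from mutating key material after construction. A `wrap` boolean also reads oddly on a class named WrappedKey…; if `wrap = false` selects plain encryption of the CEK instead of a wrap operation, say so on the parameter.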
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index 9d1b06f..eed51d8 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -104,7 +104,7 @@ public class JweCompactReaderWriterTest extends Assert {
}
private String encryptContentDirect(String content) throws Exception {
SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
- JweEncryptor encryptor = new JweEncryptor(key, INIT_VECTOR);
+ DirectKeyJweEncryptor encryptor = new DirectKeyJweEncryptor(key, INIT_VECTOR);
return encryptor.getJweContent(content);
}
private void decrypt(String jweContent, String plainContent) throws Exception {
@@ -115,7 +115,7 @@ public class JweCompactReaderWriterTest extends Assert {
}
private void decryptDirect(String jweContent, String plainContent) throws Exception {
SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
- JweDecryptor decryptor = new JweDecryptor(jweContent, key);
+ DirectKeyJweDecryptor decryptor = new DirectKeyJweDecryptor(jweContent, key);
String decryptedText = decryptor.getDecryptedContentText();
assertEquals(decryptedText, plainContent);
}