Posted to commits@cxf.apache.org by se...@apache.org on 2014/10/22 18:11:27 UTC
[1/2] git commit: Updating JWE ContentDecryptionAlgorithm to return
the algo it actually supports
Repository: cxf
Updated Branches:
refs/heads/master 1ebe682c6 -> e125ae55f
Updating JWE ContentDecryptionAlgorithm to return the algo it actually supports
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/29394922
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/29394922
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/29394922
Branch: refs/heads/master
Commit: 29394922c5d7f51de88dfa125dfa541a3d342e72
Parents: 1ebe682
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Wed Oct 22 17:09:47 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Wed Oct 22 17:09:47 2014 +0100
----------------------------------------------------------------------
.../cxf/rs/security/jose/jwa/Algorithm.java | 34 ++++++++++++--------
.../jwe/AbstractContentEncryptionAlgorithm.java | 1 +
...stractContentEncryptionCipherProperties.java | 9 +++++-
.../jose/jwe/AesCbcHmacJweDecryption.java | 7 ++--
.../jwe/AesGcmContentDecryptionAlgorithm.java | 9 ++----
.../jwe/ContentEncryptionCipherProperties.java | 1 +
.../jose/jwe/JweCompactReaderWriterTest.java | 7 ++--
.../jose/jwe/JwePbeHmacAesWrapTest.java | 2 +-
8 files changed, 43 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
index 6c66825..5b15866 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
@@ -91,6 +91,21 @@ public enum Algorithm {
public static final Set<String> EC_SHA_SIGN_SET = new HashSet<String>(Arrays.asList(JoseConstants.ES_SHA_256_ALGO,
JoseConstants.ES_SHA_384_ALGO,
JoseConstants.ES_SHA_512_ALGO));
+ public static final Set<String> RSA_OAEP_CEK_SET = new HashSet<String>(Arrays.asList(JoseConstants.RSA_OAEP_ALGO,
+ JoseConstants.RSA_OAEP_256_ALGO));
+ public static final Set<String> AES_GCM_CEK_SET = new HashSet<String>(Arrays.asList(JoseConstants.A128GCM_ALGO,
+ JoseConstants.A192GCM_ALGO,
+ JoseConstants.A256GCM_ALGO));
+ public static final Set<String> AES_GCM_KW_SET = new HashSet<String>(Arrays.asList(JoseConstants.A192GCMKW_ALGO,
+ JoseConstants.A192GCMKW_ALGO,
+ JoseConstants.A256GCMKW_ALGO));
+ public static final Set<String> AES_KW_SET = new HashSet<String>(Arrays.asList(JoseConstants.A128KW_ALGO,
+ JoseConstants.A192KW_ALGO,
+ JoseConstants.A256KW_ALGO));
+ public static final Set<String> ACBC_HS_SET =
+ new HashSet<String>(Arrays.asList(JoseConstants.A128CBC_HS256_ALGO,
+ JoseConstants.A192CBC_HS384_ALGO,
+ JoseConstants.A256CBC_HS512_ALGO));
private static final Map<String, String> JAVA_TO_JWT_NAMES;
private static final Map<String, String> JWT_TO_JAVA_NAMES;
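Review bot: `AES_GCM_KW_SET` lists `JoseConstants.A192GCMKW_ALGO` twice and never `A128GCMKW_ALGO`, so `isAesGcmKeyWrap` in the next hunk, which now delegates to this set, returns false for A128GCMKW where the removed comparison chain accepted it. The first element should be `JoseConstants.A128GCMKW_ALGO`. The new sets are also public, mutable `HashSet`s that now back the `is*` algorithm checks, so any code with access to the class can add or remove entries. Wrapping each one in `Collections.unmodifiableSet(...)` would keep the allow-lists fixed (the import block is not visible here, so `java.util.Collections` may need adding).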
@@ -199,28 +214,19 @@ public enum Algorithm {
return javaName;
}
public static boolean isRsaOaep(String algo) {
- return JoseConstants.RSA_OAEP_ALGO.equals(algo)
- || JoseConstants.RSA_OAEP_256_ALGO.equals(algo);
+ return RSA_OAEP_CEK_SET.contains(algo);
}
public static boolean isAesKeyWrap(String algo) {
- return JoseConstants.A128KW_ALGO.equals(algo)
- || JoseConstants.A192KW_ALGO.equals(algo)
- || JoseConstants.A256KW_ALGO.equals(algo);
+ return AES_KW_SET.contains(algo);
}
public static boolean isAesGcmKeyWrap(String algo) {
- return JoseConstants.A128GCMKW_ALGO.equals(algo)
- || JoseConstants.A192GCMKW_ALGO.equals(algo)
- || JoseConstants.A256GCMKW_ALGO.equals(algo);
+ return AES_GCM_KW_SET.contains(algo);
}
public static boolean isAesGcm(String algo) {
- return JoseConstants.A128GCM_ALGO.equals(algo)
- || JoseConstants.A192GCM_ALGO.equals(algo)
- || JoseConstants.A256GCM_ALGO.equals(algo);
+ return AES_GCM_CEK_SET.contains(algo);
}
public static boolean isAesCbcHmac(String algo) {
- return JoseConstants.A128CBC_HS256_ALGO.equals(algo)
- || JoseConstants.A192CBC_HS384_ALGO.equals(algo)
- || JoseConstants.A256CBC_HS512_ALGO.equals(algo);
+ return ACBC_HS_SET.contains(algo);
}
public static boolean isHmacSign(String algo) {
return HMAC_SIGN_SET.contains(algo);
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 770ee56..5edf9fa 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -32,6 +32,7 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
private String algorithm;
protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) {
+ super(algo);
this.cek = cek;
this.iv = iv;
if (iv != null && iv.length > 0) {
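Review bot: The context line above the constructor shows this class still declaring its own `private String algorithm;`, while `super(algo)` now stores the same value in the parent class. If the class also keeps its own `getAlgorithm()` (not visible in this hunk), there are two copies of the algorithm name that could drift apart. Dropping the local field and relying on the inherited accessor would leave a single source of truth. The constructor body continues outside the hunk.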
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index bc30979..ca2d6b9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -26,7 +26,10 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {
private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-
+ private String algo;
+ public AbstractContentEncryptionCipherProperties(String algo) {
+ this.algo = algo;
+ }
public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
}
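Review bot: The new `algo` field is assigned only in the constructor in the visible code, so it can be declared `private final String algo;`. That stops a later change from silently altering the algorithm a decryptor was configured with. Because the class is abstract, the constructor can also be `protected` rather than `public`.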
@@ -36,4 +39,8 @@ public abstract class AbstractContentEncryptionCipherProperties implements Conte
protected int getAuthTagLen() {
return authTagLen;
}
+ @Override
+ public String getAlgorithm() {
+ return algo;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index bf110f3..0ef6580 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -37,8 +37,8 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
String supportedAlgo,
JoseHeadersReader reader) {
- super(reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm());
- this.supportedAlgo = null;
+ super(reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm(supportedAlgo));
+ this.supportedAlgo = supportedAlgo;
}
protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
validateAuthenticationTag(consumer, cek);
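Review bot: The constructor now stores and forwards `supportedAlgo` without validating it; nothing visible in this hunk rejects null or a name outside the AES-CBC-HMAC family. A check after the `super(...)` call, such as `if (!Algorithm.isAesCbcHmac(supportedAlgo)) { throw new IllegalArgumentException("Unsupported algorithm: " + supportedAlgo); }`, would surface a misconfiguration at construction rather than during decryption. This assumes `Algorithm` is imported in this file, which the hunk does not show. `doDecrypt` continues outside the hunk.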
@@ -66,6 +66,9 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
}
private static class AesCbcContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties
implements ContentDecryptionAlgorithm {
+ public AesCbcContentDecryptionAlgorithm(String supportedAlgo) {
+ super(supportedAlgo);
+ }
@Override
public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
return new IvParameterSpec(theIv);
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
index 70b3a00..f1f3388 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
@@ -24,19 +24,14 @@ import org.apache.cxf.rs.security.jose.jwa.Algorithm;
public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties
implements ContentDecryptionAlgorithm {
- private String supportedAlgo;
- public AesGcmContentDecryptionAlgorithm() {
- this(null);
- }
public AesGcmContentDecryptionAlgorithm(String supportedAlgo) {
- this.supportedAlgo = supportedAlgo;
+ super(supportedAlgo);
}
@Override
public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) {
String algo = headers.getContentEncryptionAlgorithm();
- if (!Algorithm.isAesGcm(algo)
- || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+ if (!Algorithm.isAesGcm(algo) || !getAlgorithm().equals(algo)) {
throw new SecurityException();
}
return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
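Review bot: `!getAlgorithm().equals(algo)` throws a NullPointerException when the instance was built with a null `supportedAlgo`, which the remaining constructor still accepts. The removed code treated null as "any AES-GCM algorithm", so existing callers passing null now fail with an NPE instead of the `SecurityException` on the next line. Since `Algorithm.isAesGcm(algo)` has already ruled out a null header value by the time the second operand runs, reversing the comparison to `!algo.equals(getAlgorithm())` keeps the rejection on the `SecurityException` path. Alternatively, reject null up front with `super(Objects.requireNonNull(supportedAlgo, "supportedAlgo"));`. The method's closing brace is outside the hunk.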
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
index 54da6fd..14ea8f3 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
@@ -24,4 +24,5 @@ import java.security.spec.AlgorithmParameterSpec;
public interface ContentEncryptionCipherProperties {
byte[] getAdditionalAuthenticationData(String headersJson);
AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
+ String getAlgorithm();
}
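Review bot: The new `getAlgorithm()` has no Javadoc saying which naming scheme it returns, and the `Algorithm` enum in this commit maps between JWT and Java names, so either is plausible. On the decryption side the value is compared directly with `headers.getContentEncryptionAlgorithm()`, which suggests it is the JWE `enc` name. A comment such as `/** Returns the JWE content encryption ("enc") algorithm name this instance supports, e.g. A128GCM; not the JCA transformation name. */` would make the contract explicit for implementers, once confirmed for the encryption-side implementations too.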
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
index b62dc87..c88c5e4 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
@@ -188,13 +188,16 @@ public class JweCompactReaderWriterTest extends Assert {
private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception {
RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ String algo = Cipher.getMaxAllowedKeyLength("AES") > 128
+ ? JoseConstants.A256GCM_ALGO : JoseConstants.A128GCM_ALGO;
JweDecryptionProvider decryptor = new WrappedKeyJweDecryption(new RSAOaepKeyDecryptionAlgorithm(privateKey),
- new AesGcmContentDecryptionAlgorithm());
+ new AesGcmContentDecryptionAlgorithm(algo));
String decryptedText = decryptor.decrypt(jweContent).getContentText();
assertEquals(decryptedText, plainContent);
}
private void decryptDirect(SecretKey key, String jweContent, String plainContent) throws Exception {
- DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key, new AesGcmContentDecryptionAlgorithm());
+ DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key,
+ new AesGcmContentDecryptionAlgorithm(JoseConstants.A128GCM_ALGO));
String decryptedText = decryptor.decrypt(jweContent).getContentText();
assertEquals(decryptedText, plainContent);
}
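Review bot: The updated `decrypt` and `decryptDirect` helpers only exercise the matching-algorithm path, so the visible hunks contain no test for the behaviour this commit tightens. A negative test would pin it down: configure the decryptor with `new AesGcmContentDecryptionAlgorithm(JoseConstants.A256GCM_ALGO)`, feed it a token whose header says A128GCM, and assert that `decrypt` throws `SecurityException`. That would also catch a regression to the old accept-any-GCM behaviour.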
http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
index 05d53c2..e21cde0 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
@@ -71,7 +71,7 @@ public class JwePbeHmacAesWrapTest extends Assert {
String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption,
- new AesGcmContentDecryptionAlgorithm());
+ new AesGcmContentDecryptionAlgorithm(JoseConstants.A128GCM_ALGO));
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);
[2/2] git commit: Updating JWE ContentDecryptionAlgorithm to return
the algo it actually supports
Posted by se...@apache.org.
Updating JWE ContentDecryptionAlgorithm to return the algo it actually supports
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e125ae55
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e125ae55
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e125ae55
Branch: refs/heads/master
Commit: e125ae55fb591173bdce691ceda7a8954e2877b9
Parents: 2939492
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Wed Oct 22 17:10:27 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Wed Oct 22 17:10:27 2014 +0100
----------------------------------------------------------------------
.../cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java | 1 -
.../rs/security/jose/jwe/ContentEncryptionCipherProperties.java | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e125ae55/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java
index 07b370e..6f53f53 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.jose.jwe;
public interface ContentEncryptionAlgorithm extends ContentEncryptionCipherProperties {
- String getAlgorithm();
byte[] getInitVector();
byte[] getContentEncryptionKey(JweHeaders headers);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e125ae55/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
index 14ea8f3..89d70f4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
@@ -22,7 +22,7 @@ import java.security.spec.AlgorithmParameterSpec;
public interface ContentEncryptionCipherProperties {
+ String getAlgorithm();
byte[] getAdditionalAuthenticationData(String headersJson);
AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
- String getAlgorithm();
}