Posted to commits@cxf.apache.org by se...@apache.org on 2014/07/24 15:26:56 UTC
git commit: [CXF-5902] Initial test code, to be optimized later
Repository: cxf
Updated Branches:
refs/heads/master fae074f22 -> 7134c4858
[CXF-5902] Initial test code, to be optimized later
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7134c485
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7134c485
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7134c485
Branch: refs/heads/master
Commit: 7134c48583ce728f103535529e4c5090294183d9
Parents: fae074f
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Thu Jul 24 16:26:35 2014 +0300
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Thu Jul 24 16:26:35 2014 +0300
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/jwt/Algorithm.java | 21 +++++-
.../rs/security/oauth2/jwt/JwtConstants.java | 9 +++
.../oauth2/jwe/JweCompactReaderWriterTest.java | 73 ++++++++++++++++++++
3 files changed, 102 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/7134c485/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
index 19382db..4f115a7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
@@ -41,10 +41,18 @@ public enum Algorithm {
// Key Encryption
RSA_OAEP(JwtConstants.RSA_OAEP_ALGO, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", -1),
+ RSA_OAEP_256(JwtConstants.RSA_OAEP_256_ALGO, "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", -1),
+ RSA_1_5(JwtConstants.RSA_1_5_ALGO, "RSA/ECB/PKCS1Padding", -1),
+ A128KW(JwtConstants.A128KW_ALGO, "AESWrap", 128),
+ A192KW(JwtConstants.A192KW_ALGO, "AESWrap", 192),
+ A256KW(JwtConstants.A256KW_ALGO, "AESWrap", 256),
// Content Encryption
A128GCM(JwtConstants.A128GCM_ALGO, "AES/GCM/NoPadding", 128),
A192GCM(JwtConstants.A192GCM_ALGO, "AES/GCM/NoPadding", 192),
- A256GCM(JwtConstants.A256GCM_ALGO, "AES/GCM/NoPadding", 256);
+ A256GCM(JwtConstants.A256GCM_ALGO, "AES/GCM/NoPadding", 256),
+ A128CBC_HS256(JwtConstants.A128CBC_HS256_ALGO, "AES/CBC/PKCS7Padding", 128),
+ A192CBC_HS354(JwtConstants.A192CBC_HS354_ALGO, "AES/CBC/PKCS7Padding", 192),
+ A256CBC_HS512(JwtConstants.A256CBC_HS512_ALGO, "AES/CBC/PKCS7Padding", 256);
public static final String HMAC_SHA_256_JAVA = "HmacSHA256";
public static final String HMAC_SHA_384_JAVA = "HmacSHA384";
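Review bot: The new enum constant `A192CBC_HS354` is misspelled: the JWA identifier for the 192-bit AES-CBC/HMAC composite is A192CBC-HS384 (the tag is truncated HMAC-SHA-384), so the line should read `A192CBC_HS384(JwtConstants.A192CBC_HS384_ALGO, "AES/CBC/PKCS7Padding", 192),`; the same misspelling recurs in the two map hunks below and as the wire string "A192CBC-HS354" in JwtConstants.java, where it would make a spec-compliant token's enc header fail to resolve. The transformation "AES/CBC/PKCS7Padding" is the BouncyCastle spelling; the JDK's SunJCE provider exposes the same padding only as PKCS5Padding, so the CBC constants resolve only when BC is registered, which deserves a comment such as `// PKCS7Padding is a BouncyCastle name; SunJCE calls the same scheme PKCS5Padding`. If the third constructor argument is the bit length used when generating a CEK, note that the composite CEK for A128CBC-HS256 is 256 bits (128-bit MAC key plus 128-bit ENC key), not 128 — confirm how that field is consumed. The enum body continues outside the hunk.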
@@ -59,7 +67,9 @@ public enum Algorithm {
public static final String RSA_OAEP_256_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
public static final String RSA_1_5_ALGO_JAVA = "RSA/ECB/PKCS1Padding";
public static final String AES_ALGO_JAVA = "AES";
+ public static final String AES_WRAP_ALGO_JAVA = "AESWrap";
public static final String AES_GCM_ALGO_JAVA = "AES/GCM/NoPadding";
+ public static final String AES_CBC_ALGO_JAVA = "AES/CBC/PKCS7Padding";
private static final Map<String, String> JAVA_TO_JWT_NAMES;
private static final Map<String, String> JWT_TO_JAVA_NAMES;
@@ -77,6 +87,12 @@ public enum Algorithm {
JAVA_TO_JWT_NAMES.put(RSA_OAEP_ALGO_JAVA, JwtConstants.RSA_OAEP_ALGO);
JAVA_TO_JWT_NAMES.put(RSA_OAEP_256_ALGO_JAVA, JwtConstants.RSA_OAEP_256_ALGO);
JAVA_TO_JWT_NAMES.put(RSA_1_5_ALGO_JAVA, JwtConstants.RSA_1_5_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A256GCM_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A192GCM_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A128GCM_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A128CBC_HS256_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A192CBC_HS354_ALGO);
+ JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A256CBC_HS512_ALGO);
JWT_TO_JAVA_NAMES = new HashMap<String, String>();
JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_256_ALGO, HMAC_SHA_256_JAVA);
JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_384_ALGO, HMAC_SHA_384_JAVA);
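Review bot: The six added `JAVA_TO_JWT_NAMES.put(...)` calls reuse the same key within each group, so each overwrites the previous one: "AES/GCM/NoPadding" ends up mapped to A128GCM and "AES/CBC/PKCS7Padding" to A256CBC-HS512, and the two groups are inserted in opposite key-size order, which looks accidental rather than a chosen default. A Java transformation name does not carry the key size, so this reverse lookup cannot be exact; either drop these entries so callers must supply the JWT name, or keep a single entry per transformation and document the choice, e.g. `// a Java transformation does not encode the key size; the reverse lookup defaults to the 128-bit variant`. The static initializer continues outside the hunk.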
@@ -93,6 +109,9 @@ public enum Algorithm {
JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCM_ALGO, AES_GCM_ALGO_JAVA);
JWT_TO_JAVA_NAMES.put(JwtConstants.A192GCM_ALGO, AES_GCM_ALGO_JAVA);
JWT_TO_JAVA_NAMES.put(JwtConstants.A128GCM_ALGO, AES_GCM_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A128CBC_HS256_ALGO, AES_CBC_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A192CBC_HS354_ALGO, AES_CBC_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A256CBC_HS512_ALGO, AES_CBC_ALGO_JAVA);
}
private final String jwtName;
private final String javaName;
http://git-wip-us.apache.org/repos/asf/cxf/blob/7134c485/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
index e6eee3d..0356fab 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
@@ -60,10 +60,19 @@ public final class JwtConstants {
public static final String ES_SHA_256_ALGO = "ES256";
public static final String ES_SHA_384_ALGO = "ES384";
public static final String ES_SHA_512_ALGO = "ES512";
+
+ // Key Encryption
public static final String RSA_OAEP_ALGO = "RSA-OAEP";
public static final String RSA_OAEP_256_ALGO = "RSA-OAEP-256";
public static final String RSA_1_5_ALGO = "RSA1_5";
+ public static final String A128KW_ALGO = "A128KW";
+ public static final String A192KW_ALGO = "A192KW";
+ public static final String A256KW_ALGO = "A256KW";
+ // Content Encryption
+ public static final String A128CBC_HS256_ALGO = "A128CBC-HS256";
+ public static final String A192CBC_HS354_ALGO = "A192CBC-HS354";
+ public static final String A256CBC_HS512_ALGO = "A256CBC-HS512";
public static final String A128GCM_ALGO = "A128GCM";
public static final String A192GCM_ALGO = "A192GCM";
public static final String A256GCM_ALGO = "A256GCM";
http://git-wip-us.apache.org/repos/asf/cxf/blob/7134c485/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index ec7506b..5ec0115 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -18,16 +18,24 @@
*/
package org.apache.cxf.rs.security.oauth2.jwe;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.Cipher;
+import javax.crypto.Mac;
import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
import org.apache.cxf.rs.security.oauth2.jws.JwsCompactReaderWriterTest;
import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.AfterClass;
@@ -41,6 +49,21 @@ public class JweCompactReaderWriterTest extends Assert {
115, 63, (byte)180, 3, (byte)255, 107, (byte)154, (byte)212, (byte)246,
(byte)138, 7, 110, 91, 112, 46, 34, 105, 47,
(byte)130, (byte)203, 46, 122, (byte)234, 64, (byte)252};
+
+ private static final byte[] CONTENT_ENCRYPTION_KEY_A3 = {
+ 4, (byte)211, 31, (byte)197, 84, (byte)157, (byte)252, (byte)254, 11, 100,
+ (byte)157, (byte)250, 63, (byte)170, 106, (byte)206, 107, 124, (byte)212,
+ 45, 111, 107, 9, (byte)219, (byte)200, (byte)177, 0, (byte)240, (byte)143,
+ (byte)156, 44, (byte)207};
+ private static final byte[] INIT_VECTOR_A3 = {
+ 3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101};
+ private static final String KEY_ENCRYPTION_KEY_A3 = "GawgguFyGrWKav7AX4VKUg";
+ private static final String JWE_OUTPUT_A3 =
+ "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"
+ + ".6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"
+ + ".AxY8DCtDaGlsbGljb3RoZQ"
+ + ".KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY"
+ + ".U0m_YmjN04DJvceFICbCVQ";
private static final String RSA_MODULUS_ENCODED = "oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW"
+ "cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S"
+ "psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a"
@@ -73,7 +96,56 @@ public class JweCompactReaderWriterTest extends Assert {
public static void unregisterBouncyCastleIfNeeded() throws Exception {
Security.removeProvider(BouncyCastleProvider.class.getName());
}
+
+ @Test
+ public void testEncryptDecryptA128CBCHS256() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ byte[] macKey = new byte[16];
+ System.arraycopy(CONTENT_ENCRYPTION_KEY_A3, 0, macKey, 0, 16);
+ byte[] encKey = new byte[16];
+ System.arraycopy(CONTENT_ENCRYPTION_KEY_A3, 16, encKey, 0, 16);
+ SecretKey secretEncKey =
+ CryptoUtils.createSecretKeySpec(encKey, Algorithm.A128CBC_HS256.getJavaAlgoName());
+ KeyProperties keyProps = new KeyProperties(Algorithm.AES_CBC_ALGO_JAVA);
+ keyProps.setAlgoSpec(new IvParameterSpec(INIT_VECTOR_A3));
+ byte[] cipher = CryptoUtils.encryptBytes(specPlainText.getBytes("UTF-8"), secretEncKey, keyProps);
+
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(Algorithm.A128KW.getJwtName());
+ headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
+
+ SecretKey secretCompleteCek = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY_A3,
+ Algorithm.A128CBC_HS256.getJavaAlgoName());
+ byte[] wrapperKeyBytes = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+ SecretKey secretWrapperKey =
+ CryptoUtils.createSecretKeySpec(wrapperKeyBytes, Algorithm.A128KW.getJavaAlgoName());
+ byte[] defaultAesWrapIv = new BigInteger("A6A6A6A6A6A6A6A6", 16).toByteArray();
+ KeyProperties wrapperkeyProps = new KeyProperties(Algorithm.A128KW.getJavaName());
+ keyProps.setAlgoSpec(new IvParameterSpec(defaultAesWrapIv));
+ byte[] encryptedCek = CryptoUtils.wrapSecretKey(secretCompleteCek, secretWrapperKey, wrapperkeyProps);
+ byte[] aad = headers.toCipherAdditionalAuthData(new JwtTokenReaderWriter());
+ ByteBuffer buf = ByteBuffer.allocate(8);
+ byte[] al = buf.putInt(0).putInt(aad.length * 8).array();
+
+ Mac mac = HmacUtils.getInitializedMac(macKey, Algorithm.HMAC_SHA_256_JAVA, null);
+ mac.update(aad);
+ mac.update(INIT_VECTOR_A3);
+ mac.update(cipher);
+ mac.update(al);
+ byte[] sig = mac.doFinal();
+ assertEquals(32, sig.length);
+ byte[] authTag = new byte[16];
+ System.arraycopy(sig, 0, authTag, 0, 16);
+
+ JweCompactProducer p = new JweCompactProducer(headers,
+ encryptedCek,
+ INIT_VECTOR_A3,
+ cipher,
+ authTag);
+ assertEquals(JWE_OUTPUT_A3, p.getJweContent());
+ }
+
@Test
public void testEncryptDecryptSpecExample() throws Exception {
final String specPlainText = "The true sign of intelligence is not knowledge but imagination.";
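Review bot: `keyProps.setAlgoSpec(new IvParameterSpec(defaultAesWrapIv));` targets the content-encryption properties object that `encryptBytes` has already consumed, while `wrapperkeyProps`, the object handed to `wrapSecretKey` two lines later, never receives the spec; the intended line is presumably `wrapperkeyProps.setAlgoSpec(new IvParameterSpec(defaultAesWrapIv));`. Because the value is the RFC 3394 default IV, the wrap result matches `JWE_OUTPUT_A3` either way, which is why the test passes; if the provider's AESWrap cipher rejects an explicit parameter spec, the corrected line may have to be removed rather than fixed — confirm against the provider before changing it. The method only builds the compact serialization and compares it to the expected string, so despite its name no decrypt path runs; consider renaming it `testEncryptA128CBCHS256` or adding a round trip through the reader. The test class continues outside the hunk.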
@@ -81,6 +153,7 @@ public class JweCompactReaderWriterTest extends Assert {
decrypt(jweContent, specPlainText, true);
}
+
@Test
public void testDirectKeyEncryptDecrypt() throws Exception {
final String specPlainText = "The true sign of intelligence is not knowledge but imagination.";