You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2016/05/19 12:47:37 UTC
svn commit: r988612 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-jose.html
Author: buildbot
Date: Thu May 19 12:47:37 2016
New Revision: 988612
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-jose.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Thu May 19 12:47:37 2016
@@ -119,11 +119,11 @@ Apache CXF -- JAX-RS JOSE
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1463590020407 {padding: 0px;}
-div.rbtoc1463590020407 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463590020407 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463662021181 {padding: 0px;}
+div.rbtoc1463662021181 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463662021181 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1463590020407">
+/*]]>*/</style></p><div class="toc-macro rbtoc1463662021181">
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE Policy </a></li><li><a shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</a></li></ul>
@@ -162,7 +162,7 @@ div.rbtoc1463590020407 li {margin-left:
"k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
"kid":"Secret HMAC key"
}</pre>
-</div></div><p>or</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Public Jwk Key</b></div><div class="codeContent panelContent pdl">
+</div></div><p>or</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>Public RSA Key</b></div><div class="codeContent panelContent pdl">
<pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
"kty":"RSA",
"n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
@@ -174,7 +174,7 @@ div.rbtoc1463590020407 li {margin-left:
"e":"AQAB",
"alg":"RS256",
"kid":"Public RSA Key"}</pre>
-</div></div><p>A 'kid' property can be of special interest as it allows to identify a key but also help with the simple key rotation mechanism realized (ex, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys" rel="nofollow">OIDC Asymmetric Key Rotation</a>).</p><p>A collection of JWK keys is called a JWK Key Set which is represented as JSON array of JWKs.</p><p>CXF offers a utility support for reading and writing JWK keys and key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk" rel="nofollow">this package</a>.</p><p>For example, a key set containing public JWK keys can be seen <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/s
ecurity/certs/jwkPublicSet.txt" rel="nofollow">here</a> and referred to from the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19" rel="nofollow">configuration properties</a>. The private (test) key set can be represented in a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" rel="nofollow">clear form</a>, though most likely you'd want a private key set <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt" rel="nofollow">encrypted</a> and referred to <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test
/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19" rel="nofollow">like this</a>. </p><p>One can inline the encrypted key or the key set directly in the configuration properties. For example, here is how an encrypted <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18" rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an encrypted <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18" rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the JWK keys have been encrypted if a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java" rel="nofollow">password provider</a> is available in scope, it is typically registered with JAX-RS endpoints. The encryption is done with a password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>. </p><p>Support for the pluggable strategies for loading JWKs is on the map.</p><p>Here are some code examples:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWK examples</b></div><div class="codeContent panelContent pdl">
+</div></div><p>A 'kid' property can be of special interest as it allows to identify a key but also help with the simple key rotation mechanism realized (ex, <a shape="rect" class="external-link" href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys" rel="nofollow">OIDC Asymmetric Key Rotation</a>).</p><p>A collection of JWK keys is called a JWK Key Set which is represented as JSON array of JWKs.</p><p>CXF offers a utility support for reading and writing JWK keys and key sets and for working with the encrypted inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk" rel="nofollow">this package</a>.</p><p>For example, a key set containing public JWK keys can be seen <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/s
ecurity/certs/jwkPublicSet.txt" rel="nofollow">here</a> and referred to from the <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19" rel="nofollow">configuration properties</a>. The private (test) key set can be represented in a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt" rel="nofollow">clear form</a>, though most likely you'd want a private key set <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt" rel="nofollow">encrypted</a> and referred to <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test
/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19" rel="nofollow">like this</a>. </p><p>One can inline the encrypted key or the key set directly in the configuration properties. For example, here is how an encrypted <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18" rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an encrypted <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18" rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the JWK keys have been encrypted if a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java" rel="nofollow">password provider</a> is available in scope, it is typically registered with JAX-RS endpoints. The encryption is done with a password based <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>. </p><p>Support for the pluggable strategies for loading JWKs is on the map.</p><p>For example, here is how you can load a JWK key using its 'kid':</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWK examples</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">InputStream is = JsonWebKeyTest.class.getResourceAsStream(fileName);
JsonWebKeys keySet = JwkUtils.readJwkSet(is);
JsonWebKey key = keySet.getKey("Public RSA Key");
@@ -182,33 +182,55 @@ String thumbprint = JwkUtils.getThumbpri
assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
KeyType keyType = key.getKeyType();
assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a shape="rect" class="external-link" href="https
://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java" rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note the signature and verification capabilities are represented by 2 different interfaces - it was done to keep the interfaces minimalistic and have the concerns separated which can be appreciated most in the cases where the code only signs or only validates.</p><p>The following table shows the algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowsp
an="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2" rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3" rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">Priva
teKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5" rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="conf
luenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6" rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either of these providers (except for None) can be initialized with the keys loaded from JWK or JCA stores or from the in-memory representations.</p><p>RS256/384/512 algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/
html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the most often used JOSE sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers (algorithm and other properties),  Base64URL-encoded sequence of the actual data being protected and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java" rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming compact JWS sequences, protecting the data in JSON or non-JSON formats.</p><p><a shape="rect" class="external-link" href="https:
//github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java" rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with processing typed JWT Tokens.</p><p> For example, here is how an <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
+</div></div><pre>JsonWebKeys also supports the retrieval of keys by their type (RSA, EC, Octet) and operation (ENCRYPT, SIGN, etc). <br clear="none">Once you have JWK loaded it is typically submitted to JWS or JWE providers.</pre><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws" rel="nofollow">this package</a> and offers a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.o
rg/html/rfc7518#section-3" rel="nofollow">signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification Providers</h3><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java" rel="nofollow">JwsSignatureVerifier</a> - validating the signatures.</p><p>Note the signature and verification capabilities are represented by 2 different interfaces - it was done to keep the interfaces minimalistic and have the concerns separated which can be appreciated most in the cases where the code only signs or only validates.</p><p>The following table shows
the algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jws</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2" rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureProvider</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>HmacJwsSignatureVerifier</p></td></tr><tr><td colspan="1" rowspan="1
" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3" rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5" rel="nofollow">RSASSA-PSS</a></td><td
colspan="1" rowspan="1" class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6" rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">none</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either of these providers (except for None) can be initialized with the keys loaded from JWK or Java JKS stores or from the in-memory representations.</p><p>RS256/384/512 algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validati
on keys available. 'None' algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or when a 2-way TLS (with client and server certificates) is used.</p><p>Once you have decided which algorithm needs to be supported you can initialize an appropriate pair of JwsSignatureProvider and JwsSignatureVerifier if both signing the data and the verification are needed. If only the signing is needed - select JwsSignatureProvider, only the verification - select JwsSignatureVerifier. The selected providers are submitted directly or indirectly to JWS Compact or JWS JSON producers or consumers.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the most often used JOSE sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers (algorithm and other properties),  Base64URL-encoded sequence of the actual data being
protected and Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java" rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support for producing and consuming compact JWS sequences, protecting the data in JSON or non-JSON formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java" rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/m
aster/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java" rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with processing typed JWT Tokens.</p><p> For example, here is how an <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1" rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">// Sign
-// Algorithm properties are set in the headers
-JoseHeaders headers = new JoseHeaders();
-headers.setAlgorithm(SignatureAlgorithm.HS256);
+// Algorithm properties are set in the headers. In this case JwsHeaders do not have to be directly created
+// (see the next example), JwsCompactProducer will initialize them if needed and set an alorithm by checking
+// JwsSignatureProvider. JwsHeaders need to be initialized directly if not only algorithm but other properties
+// set too
+
+JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
// This is the actual data content, JWT in this case, but can be an arbitrary JSON or non-JSON data
JwtClaims claims = new JwtClaims();
claims.setIssuer("joe");
claims.setExpiryTime(1300819380L);
claims.setClaim("http://example.com/is_root", Boolean.TRUE);
-JwtToken token = new JwtToken(headers, claims);
-JwsCompactProducer jws = new JwsJwtCompactProducer(token);
+JwsCompactProducer jwsProducer = new JwsJwtCompactProducer(claims);
-jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
-assertEquals(ENCODED_TOKEN_SIGNED_BY_MAC, jws.getSignedEncodedJws());
+// Load HmacJwsSignatureProvider directly, see the next example for the alternative approach
+String jwsSequence = jwsProducer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
// validate
-JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC);
+JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(jwsSequence);
+
+// Load HmacJwsSignatureVerifier directly, see the next example for the alternative approach
assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
- SignatureAlgorithm.HS256)));
+ SignatureAlgorithm.HS256)));
+// Get the data
+JwtClaims protectedClaims = jws.getJwtClaims();
+</pre>
+</div></div><p>In the above example, the data (JwtToken) is submitted to an instance of JwsCompactProducer (JwsJwtCompactProducer) and signed with an HMac key.</p><p>Here is another example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">// Sign
+// Algorithm properties are set in the headers
+JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
+
+JwsCompactProducer jwsProducer = new JwsJwtCompactProducer(token);
+
+// Load HmacJwsSignatureProvider directly, see the next example for the alternative approach
+String jwsSequence = jwsProducer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
+
+// validate
+JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(jwsSequence);
+
+// Load HmacJwsSignatureVerifier directly, see the next example for the alternative approach
+assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ SignatureAlgorithm.HS256)));
+// Get the data
JwtToken token = jws.getJwtToken();
-JoseHeaders headers = token.getHeaders();
-assertEquals(SignatureAlgorithm.HS256, headers.getAlgorithm());
-validateClaims(token.getClaims());</pre>
-</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forward the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java" rel="nofollow"></a><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/
JwsJsonProducer.java" rel="nofollow">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
+</pre>
+</div></div><p>In the above example, the data (JwtToken) is submitted to an instance of JwsCompactProducer (JwsJwtCompactProducer) and signed with an HMac key.</p><p> </p><p> </p><p> </p><p> </p><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON is an open JSON container, see <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.6" rel="nofollow">Appendix 6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content be signed for multiple recipients. For example,  the immediate consumer will validate a signature with one key, forward the payload to the next consumer which will also validate the content with another key, etc.  </p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProd
ucer.java" rel="nofollow">JwsJsonProducer</a> and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java" rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON sequences.</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JwsJsonProducer producer = new JwsJsonProducer(UNSIGNED_PLAIN_JSON_DOCUMENT);
JwsHeaders headerEntries = new JwsHeaders(SignatureAlgorithm.HS256);
@@ -226,13 +248,13 @@ assertEquals(2, sigEntries.size());
// 1st signature
String firstKid = (String)sigEntries.get(0).getKeyId();
-JsonWebKey rsaKey = jwks.getKey(firstKid);
-assertTrue(sigEntries.get(0).verifySignatureWith(rsaKey));
+JsonWebKey firstKey = jwks.getKey(firstKid);
+assertTrue(sigEntries.get(0).verifySignatureWith(firstKey));
// 2nd signature
String secondKid = (String)sigEntries.get(1).getKeyId();
-JsonWebKey ecKey = jwks.getKey(secondKid);
-assertTrue(sigEntries.get(1).verifySignatureWith(ecKey));</pre>
-</div></div><p>   </p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content encryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers
a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProv
ider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding prov,iders:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html
/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">RSA1_5</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>RSAKeyEncryptionAlgorithm</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>RSAKeyDecryptionAlgorithm</pre></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">RSA-OAEP, RSA-OAEP-256</pre></td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow">AES Key Wrap</a></td><td colspan="1" rowspan="1" class="
confluenceTd"><pre class="newpage">A128KW, A192KW, A256KW</pre></td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</pre></td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyEn
cryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">ECDH-ES</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</pre></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td colspan="1" rowsp
an="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">PBES2-HS256+A128KW </pre><pre class="newpage">PBES2-HS384+A192KW</pre><pre class="newpage">PBES2-HS512+A256KW </pre></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class
="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">A128CBC-HS256(-HS384, -HS512)</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>AesCbcHmacJweEncryption,</pre></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>AesCbcHmacJweDecryption</pre></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre class="newpage">A128GCM, A92GCM, A256GCM</pre></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys loaded from
JWK or JCA stores or from the in-memory representations.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and Decryptors for all of JWE algorithms are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><
b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
+JsonWebKey secondKey = jwks.getKey(secondKid);
+assertTrue(sigEntries.get(1).verifySignatureWith(secondKey));</pre>
+</div></div><p>   </p><h3 id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document content, and, when applicable, a content encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516#appendix-A.1" rel="nofollow">Appendix A1</a> shows how the content can be encrypted with a secret key using AesGcm with the actual content encryption key being encrypted using RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe" rel="nofollow">this package</a> and offers
a support for all of JWA <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4" rel="nofollow">key encryption</a> and <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5" rel="nofollow">content encryption</a> algorithms.</p><h3 id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption Providers</h3><p>JWE Encryption process typically involves a content-encryption key being generated with this key being subsequently encrypted/wrapped with a key known to the consumer. Thus CXF offers the providers for supporting the key-encryption algorithms and providers for supporting the content-encryption algorithms. Direct key encryption (where the content-encryption key is established out of band) is also supported.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProv
ider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java" rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following table shows the key encryption algorithms and the corresponding providers (<span class="pl-smi">org.apache.cxf.rs.security.jose.jwe</span> package):</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd
"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA1_5</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyEncryptionAlgorithm</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>RSAKeyDecryptionAlgorithm</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3" rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">RSA-OAEP, RSA-OAEP-256</p></td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.4" rel="nofollow"
>AES Key Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128KW, A192KW, A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5" rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd">dir</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES+A128KW (+A192KW, +256KW)</p></td><td colspan="1"
rowspan="1" class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15" rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">ECDH-ES</p></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" class="confluenceTd"><span class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCMKW, A192GCMKW, A256GCMKW</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyEncr
yptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8" rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">PBES2-HS256+A128KW</p><p class="newpage">PBES2-HS384+A192KW</p><p class="newpage">PBES2-HS512+A256KW</p></td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p> </p><p>RSA-OAEP algorithms are likely to be used most often at the moment due to existing JKS stores being available everywhere and a relatively easy way of making the public validation keys available.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-pa
rent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated content-encryption key, <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java" rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The following table shows the content encryption algorithms and the corresponding providers:</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td colspan="1" rowspan="1" class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td co
lspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2" rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128CBC-HS256(-HS384, -HS512)</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweEncryption,</p></td><td colspan="1" rowspan="1" class="confluenceTd"><p>AesCbcHmacJweDecryption</p></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3" rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" class="confluenceTd"><p class="newpage">A128GCM, A92GCM, A256GCM</p></td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" rowspan="1" class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All of the above providers can be initialized with the keys
loaded from JWK or Java JKS stores or from the in-memory representations.</p><h3 id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD">JweEncryptionProvider</a> supports encrypting the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a> - decrypting the content. Encryptors and Decryptors for all of JWE algorithms are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-botto
m-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final String specPlainText = "Live long and prosper.";
byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);