Posted to commits@cxf.apache.org by se...@apache.org on 2015/02/20 23:24:33 UTC
cxf git commit: Updating JOSE password handling
Repository: cxf
Updated Branches:
refs/heads/master 6e3224606 -> 6641d5892
Updating JOSE password handling
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6641d589
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6641d589
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6641d589
Branch: refs/heads/master
Commit: 6641d5892b25949723fd7a5f1b59a2f457f9ecc6
Parents: 6e32246
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Feb 20 22:24:16 2015 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Feb 20 22:24:16 2015 +0000
----------------------------------------------------------------------
.../PbesHmacAesWrapKeyDecryptionAlgorithm.java | 18 +++++-----
.../PbesHmacAesWrapKeyEncryptionAlgorithm.java | 36 +++++++++++++++-----
.../rs/security/jose/jwk/JsonWebKeyTest.java | 10 +++---
.../jaxrs/security/jwt/JAXRSJweJwsTest.java | 13 +++++--
.../jwt/PrivateKeyPasswordProviderImpl.java | 9 ++++-
.../cxf/systest/jaxrs/security/jwt/server.xml | 5 ++-
.../security/certs/encryptedJwkPrivateSet.txt | 2 +-
.../secret.aescbchmac.inlinejwk.properties | 5 +--
.../secret.aescbchmac.inlineset.properties | 15 +-------
9 files changed, 67 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
index 3fd9992..3ab9623 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -25,22 +25,22 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
private byte[] password;
private String algo;
public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) {
- this(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
+ this(password, Algorithm.PBES2_HS256_A128KW.getJwtName(), false);
}
- public PbesHmacAesWrapKeyDecryptionAlgorithm(String password, String algo) {
- this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password), algo);
+ public PbesHmacAesWrapKeyDecryptionAlgorithm(String password, String algo, boolean hashLargePasswords) {
+ this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password), algo, hashLargePasswords);
}
public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) {
- this(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
+ this(password, Algorithm.PBES2_HS256_A128KW.getJwtName(), false);
}
- public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password, String algo) {
- this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password), algo);
+ public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password, String algo, boolean hashLargePasswords) {
+ this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password), algo, hashLargePasswords);
}
public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) {
- this(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
+ this(password, Algorithm.PBES2_HS256_A128KW.getJwtName(), false);
}
- public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password, String algo) {
- this.password = password;
+ public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password, String algo, boolean hashLargePasswords) {
+ this.password = PbesHmacAesWrapKeyEncryptionAlgorithm.validatePassword(password, algo, hashLargePasswords);
this.algo = algo;
}
@Override
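Review bot: The new `hashLargePasswords` parameter on the three-argument constructors has no Javadoc, yet the decryptor must be built with the same value the encryptor used. When the flag is set, `validatePassword` swaps the password for its SHA-256 digest, so a mismatch derives a different key and the unwrap fails. Nothing visible in this diff records the choice in the JWE headers, so it appears to be an out-of-band agreement. I would document it, e.g. `@param hashLargePasswords must match the value used at encryption; when true, a password longer than the derived key size is replaced by its SHA-256 digest`. The commit also removes the public `(String, String)`, `(char[], String)` and `(byte[], String)` constructors; keeping them as delegating overloads, e.g. `public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password, String algo) { this(password, algo, false); }`, would keep existing callers compiling.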
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index 2089859..ecb9aa0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -27,6 +27,7 @@ import java.util.Map;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.MessageDigestUtils;
import org.apache.cxf.rs.security.jose.jwa.Algorithm;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA256Digest;
@@ -36,7 +37,6 @@ import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.params.KeyParameter;
public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm {
-
private static final Map<String, Integer> PBES_HMAC_MAP;
private static final Map<String, String> PBES_AES_MAP;
private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
@@ -64,24 +64,42 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor
public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, String keyAlgoJwt) {
this(stringToBytes(password), keyAlgoJwt);
}
- public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt) {
- this(stringToBytes(password), pbesCount, keyAlgoJwt);
+ public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt,
+ boolean hashLargePasswords) {
+ this(stringToBytes(password), pbesCount, keyAlgoJwt, hashLargePasswords);
}
public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, String keyAlgoJwt) {
- this(password, 4096, keyAlgoJwt);
+ this(password, 4096, keyAlgoJwt, false);
}
- public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt) {
- this(charsToBytes(password), pbesCount, keyAlgoJwt);
+ public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt,
+ boolean hashLargePasswords) {
+ this(charsToBytes(password), pbesCount, keyAlgoJwt, hashLargePasswords);
}
public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, String keyAlgoJwt) {
- this(password, 4096, keyAlgoJwt);
+ this(password, 4096, keyAlgoJwt, false);
}
- public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, String keyAlgoJwt) {
- this.password = password;
+ public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, String keyAlgoJwt,
+ boolean hashLargePasswords) {
this.keyAlgoJwt = validateKeyAlgorithm(keyAlgoJwt);
+ this.password = validatePassword(password, keyAlgoJwt, hashLargePasswords);
this.pbesCount = validatePbesCount(pbesCount);
}
+ static byte[] validatePassword(byte[] p, String keyAlgoJwt, boolean hashLargePasswords) {
+ int minLen = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
+ if (p.length < minLen || p.length > 128) {
+ throw new SecurityException();
+ }
+ if (p.length > minLen && hashLargePasswords) {
+ try {
+ return MessageDigestUtils.createDigest(p, MessageDigestUtils.ALGO_SHA_256);
+ } catch (Exception ex) {
+ throw new SecurityException(ex);
+ }
+ } else {
+ return p;
+ }
+ }
@Override
public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
int keySize = getKeySize(keyAlgoJwt);
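Review bot: `validatePassword` unboxes `DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt)` straight into an `int` and reads `p.length` without a null check, so an algorithm name missing from the map or a null password surfaces as a `NullPointerException` instead of the `SecurityException` the method otherwise uses. The decryption constructor in PbesHmacAesWrapKeyDecryptionAlgorithm.java passes its `algo` here with no prior check visible in the diff, so it relies on this lookup too. The length failure is thrown as a bare `new SecurityException()`, which gives an operator nothing to act on; a message stating the allowed range (lengths only, never the password bytes) would make misconfiguration diagnosable. The literal 128 would also read better as a named constant.

```java
static byte[] validatePassword(byte[] p, String keyAlgoJwt, boolean hashLargePasswords) {
    Integer minLen = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
    if (minLen == null) {
        throw new SecurityException("Unsupported PBES2 key algorithm: " + keyAlgoJwt);
    }
    if (p == null || p.length < minLen || p.length > 128) {
        // Report the permitted range only; never include the password itself.
        throw new SecurityException("Password length must be between " + minLen + " and 128 bytes");
    }
    // … unchanged: optional SHA-256 pre-hash when hashLargePasswords is set, else return p …
}
```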
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
index 15ade7d..ba92742 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
@@ -121,18 +121,19 @@ public class JsonWebKeyTest extends Assert {
}
@Test
public void testEncryptDecryptPrivateSet() throws Exception {
+ final String password = "Thus from my lips, by yours, my sin is purged.";
Security.addProvider(new BouncyCastleProvider());
try {
JsonWebKeys jwks = readKeySet("jwkPrivateSet.txt");
validatePrivateSet(jwks);
- String encryptedKeySet = JwkUtils.encryptJwkSet(jwks, "password".toCharArray());
+ String encryptedKeySet = JwkUtils.encryptJwkSet(jwks, password.toCharArray());
JweCompactConsumer c = new JweCompactConsumer(encryptedKeySet);
assertEquals("jwk-set+json", c.getJweHeaders().getContentType());
assertEquals(Algorithm.PBES2_HS256_A128KW.getJwtName(), c.getJweHeaders().getKeyEncryptionAlgorithm());
assertEquals(Algorithm.A128CBC_HS256.getJwtName(), c.getJweHeaders().getContentEncryptionAlgorithm());
assertNotNull(c.getJweHeaders().getHeader("p2s"));
assertNotNull(c.getJweHeaders().getHeader("p2c"));
- jwks = JwkUtils.decryptJwkSet(encryptedKeySet, "password".toCharArray());
+ jwks = JwkUtils.decryptJwkSet(encryptedKeySet, password.toCharArray());
validatePrivateSet(jwks);
} finally {
Security.removeProvider(BouncyCastleProvider.class.getName());
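Review bot: The tests touched in this file only swap in a longer password, so nothing visible here exercises the new rejection paths or the `hashLargePasswords` branch. I would add cases asserting that a password shorter than the derived key size and one longer than 128 bytes raise `SecurityException`, plus a round trip with `hashLargePasswords` set to `true` on both the encryption and decryption side. The same literal is repeated in `testEncryptDecryptPrivateKey` in the following hunks; a shared `private static final String PASSWORD` would keep the two in sync. The body of `testEncryptDecryptPrivateSet` closes outside this hunk.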
@@ -140,6 +141,7 @@ public class JsonWebKeyTest extends Assert {
}
@Test
public void testEncryptDecryptPrivateKey() throws Exception {
+ final String password = "Thus from my lips, by yours, my sin is purged.";
final String key = "{\"kty\":\"oct\","
+ "\"alg\":\"A128KW\","
+ "\"k\":\"GawgguFyGrWKav7AX4VKUg\","
@@ -148,14 +150,14 @@ public class JsonWebKeyTest extends Assert {
try {
JsonWebKey jwk = readKey(key);
validateSecretAesKey(jwk);
- String encryptedKey = JwkUtils.encryptJwkKey(jwk, "password".toCharArray());
+ String encryptedKey = JwkUtils.encryptJwkKey(jwk, password.toCharArray());
JweCompactConsumer c = new JweCompactConsumer(encryptedKey);
assertEquals("jwk+json", c.getJweHeaders().getContentType());
assertEquals(Algorithm.PBES2_HS256_A128KW.getJwtName(), c.getJweHeaders().getKeyEncryptionAlgorithm());
assertEquals(Algorithm.A128CBC_HS256.getJwtName(), c.getJweHeaders().getContentEncryptionAlgorithm());
assertNotNull(c.getJweHeaders().getHeader("p2s"));
assertNotNull(c.getJweHeaders().getHeader("p2c"));
- jwk = JwkUtils.decryptJwkKey(encryptedKey, "password".toCharArray());
+ jwk = JwkUtils.decryptJwkKey(encryptedKey, password.toCharArray());
validateSecretAesKey(jwk);
} finally {
Security.removeProvider(BouncyCastleProvider.class.getName());
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index ba1c033..976fde0 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -169,7 +169,8 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
providers.add(new JweClientResponseFilter());
bean.setProviders(providers);
bean.getProperties(true).put("rs.security.encryption.properties", propFile);
- PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl();
+ PrivateKeyPasswordProvider provider =
+ new PrivateKeyPasswordProviderImpl("Thus from my lips, by yours, my sin is purged.");
bean.getProperties(true).put("rs.security.key.password.provider", provider);
BookStore bs = bean.create(BookStore.class);
String text = bs.echoText("book");
@@ -406,10 +407,16 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
}
private static class PrivateKeyPasswordProviderImpl implements PrivateKeyPasswordProvider {
-
+ private String password = "password";
+ public PrivateKeyPasswordProviderImpl() {
+
+ }
+ public PrivateKeyPasswordProviderImpl(String password) {
+ this.password = password;
+ }
@Override
public char[] getPassword(Properties storeProperties) {
- return "password".toCharArray();
+ return password.toCharArray();
}
}
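Review bot: The nested `PrivateKeyPasswordProviderImpl` is now a line-for-line copy of the top-level class of the same name in the same package (PrivateKeyPasswordProviderImpl.java, changed in the next file section), so the two can drift apart; unless something requires the private copy, the test could use the shared class. In both copies the field can be made immutable: `private final String password;` with the no-arg constructor written as `this("password");`. The default `"password"` is presumably shorter than the minimum that `validatePassword` now enforces for the PBES2 algorithms, so a short comment saying the no-arg form is only meant for non-PBES2 keystores would save the next reader a failed test run.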
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/PrivateKeyPasswordProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/PrivateKeyPasswordProviderImpl.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/PrivateKeyPasswordProviderImpl.java
index 9fbdc81..f86417f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/PrivateKeyPasswordProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/PrivateKeyPasswordProviderImpl.java
@@ -24,9 +24,16 @@ import org.apache.cxf.rs.security.jose.jaxrs.PrivateKeyPasswordProvider;
public class PrivateKeyPasswordProviderImpl implements PrivateKeyPasswordProvider {
+ private String password = "password";
+ public PrivateKeyPasswordProviderImpl() {
+
+ }
+ public PrivateKeyPasswordProviderImpl(String password) {
+ this.password = password;
+ }
@Override
public char[] getPassword(Properties storeProperties) {
- return "password".toCharArray();
+ return password.toCharArray();
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index 155cf69..bd81abb 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -74,6 +74,9 @@ under the License.
<bean id="jwsInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter"/>
<bean id="jwsOutFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsWriterInterceptor"/>
<bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jwt.PrivateKeyPasswordProviderImpl"/>
+ <bean id="keyPasswordProvider2" class="org.apache.cxf.systest.jaxrs.security.jwt.PrivateKeyPasswordProviderImpl">
+ <constructor-arg value="Thus from my lips, by yours, my sin is purged."/>
+ </bean>
<jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwejwsrsa">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
@@ -170,7 +173,7 @@ under the License.
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties"/>
- <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
+ <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider2"/>
</jaxrs:properties>
</jaxrs:server>
<jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwejwshmac">
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
index 0865b39..1848c11 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
@@ -1 +1 @@
-eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiSmZmRmp6YzhGUHhRVlFPSlVYbXZuZyIsInAyYyI6NDA5NiwiY3R5IjoiandrLXNldCtqc29uIn0.osOgt-dpiYVRkJO_jYkrC7wIzAUi_HMRzW-XjvwHJbXECJGlmzFeMw.lYcyfoR4xxkHscyZ8--p9g.x0QTLYtwBtMmfRjH_wxUTsUiR2DIHFbY4SwZGKXW9E5hIfz0YJn2syO5c7ozIJrL3Al4OeCVRTg--aif0WXtLW728KdU1qDrQ3Pj8GW0J8eCUonLDJZEMssWFdroyhBvHIu-Jlpx0lnsjTStdMwwx9pL8OM4jtsOziDMjpuUqKCqfii8UfG1dKaH6FPRKsRe4K08D02XXKDopyZ1XUXNCj3ov4kgo2o_sUWcVcy8Oo56_77IvIL5CY-Itclv0EUWfI_Sd0Q9_n6m14ZyVbcU1r9NMwcruGTj-6ef5-dST58rPg_D-0ngp9zJg5cfzsI9_UWAw1xQtTKQQ07vQhvIHjRDc-M58_dZ3xp__hTjrZtqAufnGrYLK-ZaQO5-5VYZglbtDtPbNA6WAUxxBBsI6FMo0y5nM0ZFo2JV1vnwoQKLERn91IwVUJbtOr1_y2osWWvwxF7iRuClKaV1XJ3Zg_F8bawstSe-gzdKMmv9AYMMrAh2TSbTvOxi5s4bvWX_vjbFN5vINzVLj-o40BT36o-V6LXylxXFOToBBuRNUrHg8bhLGxZR3zVE_0panv1ruebnpWNGCwgpBK0NYornbV-i1RfreFhzWcOyHbE8hmFqMQhsuGvyrbszuxJ9rpryJsKjAxrsPb_SuhzVb-2WFsNynpTciAcGp6xjb_pm2-25u4iBjOfL9PlQcaEcrIxzihb9PGzJFOfBIvteAqCOJx4iiNfutcGxBEcnV1VOLGSp8uJPoWE3n6dROYu5pqO
-ztLH-mfU9IjC6K7J5ulRtbZU2_qxVpcNTClRjT5BPWMgVElfvUIkHry-X6CjUUm3dh6B-zH5hTT3NTPOL7EwtebAtkiK509GOvO6pDOuqtn8-Dn92RDlh2fecDJOycjRInyt71SkrI6WhiVylhRNiZvt720Nesg41OqMweWxpgu4TGZflX9fB8sG-RBO0I1hP00Zk_c4t7t4k0-qKtV56zt3LJVE6K-hGBCB_0HtPDRbWUdkKbqkJ51JUda6RnXYBe7tLlVIzcLubd1YrikKeg0JnrFNafXqMoOWmUm2Q11EHuAZUiIJkBejgSEnbgfCjUc9gckQ0vOBP7ERhQJ4scpDCrG4fE5SPKo484qLxZuLhZBAntPdLCfKIav6WUg_Vbd0M7pP1vb53LdsZAsPidk_AB7_3TQdCct4xvK5C6MdHNQArlKzE9oMahQdyDWcYe7YbAu2ROwoz6xU3jKsrzJv-XI-Svw10eaE-KTlQwi8GaWw168-0Jnv23nSk5jGHh681iK8R0zbCIO2TNGZLe_jnJjiOlM-F3N-li73YEl8p30y2i0BUYTrPZYkwLUhFedlSX0hwR1jQpIoV0njzGeyf-pfySAUHXOhHRA00O3BzPZAXNBDTYCi54d6ng8QtlvG_IrhLbGkVTKJt8S6bfbsdvZvK8VW8_D0zf8uMoWBTAAoOkEz2a3x-UJ120LYq8LwzksuEFPRJ56m-YRLMO39vfMnQZbOxHsjzGsIZPgcaMhsYQugCMfU_TIJLc4zQx0DCC5VVnOwumXBz8lV0LHUOx79TXFzYMF0-VhzO0I.P-GdQKruCwb8-iDagtZIqQ
\ No newline at end of file
+eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiTWJlR0VTekk2MURJaHFncnc4ZG9TZyIsInAyYyI6NDA5Nn0.MVJlK1vV0lWLt2ySU2WB_nphsWZqf6jhVfb2mGuf05mXnxqistGBng.x6itAzrmrAn9KetfUl1ZPg.2if8qkLqADwsF0li0BzhPX8Q9LLYrUE_uHfv-qo23BwOryGm_cOSj01_TVZnO58N30wYBMJZ_mgYIQTYGL_6VUJJv8_qzP_wmBUkV99VPWOrEYLf75VWvJSMwyFjGljzpYoWONvrp6QwfrKjdum8_xEOs1dgurq8Spct-y1Ueqk9YCO_6fvklAzLPxgyyPXw5HwSIw1f4wtDN9XVHfmphvuNLNXrzxI-b1Xi4t1FIZBgX6LephgwL3LpJeP0MrKQlPpe4RI3fXfoe6yo432gH72kGCui6WgoIAZUrX2ShaS_ephxIrB3s24-QcG4pcfRcaHuIc1VhnsFSgC1IvNh1QnDnlxQ7PCVhBifXaf_7Vy9LZQYhRJ8Wj_NClPJT8NNYQOZTcXEjzLYRMxCUI8C-KZBUaZd14oZhWgTVi9xre6EyUq5lQbMl55x_f_5FXzO-dJB9EG3MtRLm1CSmPaH4slUKhk45fKTzowqYgD0ueVcqvT8JtnlxRSj2NPC0vPy4r_3H3HzKvvtICQeaR6ZP5g_UMyvLju08tZMYSqeFzYxDKuExzC8l00tc8GlFM_K15A-J7TGQXGGDZtcn8raNOMgCzq4ijr5z6hyniNzu1j8sjKZH9FX3okfINRy6kW6W168r4GSvRAFf01sCNBvcSi3gsC0djTZdeyzbcEq_oqYHdBS3Ur4bXFw_5fLVKi4oaYG4AdWgAYiPp7uATO1k3VPoxIjJyRaUt4ZG-RX3eMULUF31OAV2owfthhyFzdOhg2RBPHhpiH5lbldTHRuP3PtQKt
M6J0wbOoKwHdNSQUuRFJ3Ypqol2kxFl7e6NCTlvJrPX93b4JLYMpGeK43IXqnGzdUKCUEwsqz5m_x-eawlp34VHugxrAyW23hWXivbM_2p0nBYURd-DhdEErpzv6abGo89HQ_cOocI9JNIrfJejdMvVF1SxWPfwV9xvGqYcOvECUAJ_DRs3BxHEE83gLVEvs16JvLb-UVbNul7M-2R6McfH1tLc3GXOxtIIimpz0pu0PIEf_ptwSpsXPuhUo-GzJSqN_XOqS1FAn7ELOAuxTzw4P8fQpMB3IChwEJQDo4fApstbg9hsQrW8oOO1puFFYscuNYKgFGu_fVroZtgxPveoEYsB8JvPXgAGeiblaCYcUZiuOfj14B6GAsoqzCETxmNDe5ouHWjJ10QxdPWRjQUmlS0Pe_sjXWfYuian-WodiNDpVtDhBdWI7klifiJpRUL2xyOvMODJRSLVQck5ifHXAjb05Us6JTdDJU4MjNhPsNnnuy92I0JWW6MIV-DFfkSgt8J1kxaltyhyPdNBDSgTTSEZQjRmvbt93opbejkRT8yTL96Q59Cw32SK3cKwiaDJsVctcgpsHcHK7ImcoqvzcPFwwb3v32o14oqC4KS0WZw7wW-FlYhUjkh-orlka90_rw1687nKx0D5EV8wtMpQ69n8vTSme3hjoDIBxIxUrI0k3sv6UvjfH7qQLey0eIckPtRGDzR0ydFBVfKcj2BJQPCeTj08aOzU1f26dovhO9XKbOAYvtkOYO5Q2Sp4TvcC8fezQGYqRNX-k.BIKOj0XbCIfOv_qePGSEcg
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
index 1c172a1..2455204 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
@@ -15,9 +15,6 @@
# specific language governing permissions and limitations
# under the License.
rs.security.keystore.type=jwk
-rs.security.keystore.jwkkey=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoi\
-dk5QZzk4emFVT2RxZEJRbzhfZU5OUSIsInAyYyI6NDA5NiwiY3R5IjoiandrK2pzb24ifQ.8RodwuWBWWZp9fj5FB93D5Qf9y27eyQiqR\
-Hq0sbezF8m8ZIWjFqdgA.E5r-EbVtVttblREyU2mMVg.xI7gboooFhAcbnhBfsJD8-lbmf0sp0ZABNGLOf7ETs1TbHtRJ1qZlxczfwP2WG0\
-YggD9PsYMTllG7JeVU6xG2mF4t8kpquMiC3e4JlGJlvM.-XoyywZ0D2D9hk5w4RjnmA
+rs.security.keystore.jwkkey=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiaXVHOExqSkNrN3FtcnVGRUdyMHVuUSIsInAyYyI6NDA5Nn0.TuUE2NnCsl3ZWJY7sl0uqEWxFV2ZHw5tw-0ri8Qyst5Gn6YzuPGKJw.aaesJ4e-rLFYIdxA6gMdMw.lnncuqaZ2o3lPRX9bfFh4huW5llDWXC0Gg5987pNSte0SyY7gJcg4EFPHrPdO1YSAZJmPC3hEEmcwqh42w8g2rWiyUqcJ8Z4PqEj7HkNUdE.NccysFtj5AoMMSEk2Sa6oQ
rs.security.keystore.alias.jwe=AesWrapKey
rs.security.jwe.content.encryption.algorithm=A128CBC-HS256
http://git-wip-us.apache.org/repos/asf/cxf/blob/6641d589/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
index 3968284..e00378f 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
@@ -15,19 +15,6 @@
# specific language governing permissions and limitations
# under the License.
rs.security.keystore.type=jwk
-rs.security.keystore.jwkset=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiSmZmRmp6YzhGUHhRVlFPSlVYbXZuZ\
-yIsInAyYyI6NDA5NiwiY3R5IjoiandrLXNldCtqc29uIn0.osOgt-dpiYVRkJO_jYkrC7wIzAUi_HMRzW-XjvwHJbXECJGlmzFeMw.lYcyfoR4xxkHscyZ8--p9g.x0QTLYtwB\
-tMmfRjH_wxUTsUiR2DIHFbY4SwZGKXW9E5hIfz0YJn2syO5c7ozIJrL3Al4OeCVRTg--aif0WXtLW728KdU1qDrQ3Pj8GW0J8eCUonLDJZEMssWFdroyhBvHIu-Jlpx0lnsjTSt\
-dMwwx9pL8OM4jtsOziDMjpuUqKCqfii8UfG1dKaH6FPRKsRe4K08D02XXKDopyZ1XUXNCj3ov4kgo2o_sUWcVcy8Oo56_77IvIL5CY-Itclv0EUWfI_Sd0Q9_n6m14ZyVbcU1r9\
-NMwcruGTj-6ef5-dST58rPg_D-0ngp9zJg5cfzsI9_UWAw1xQtTKQQ07vQhvIHjRDc-M58_dZ3xp__hTjrZtqAufnGrYLK-ZaQO5-5VYZglbtDtPbNA6WAUxxBBsI6FMo0y5nM0Z\
-Fo2JV1vnwoQKLERn91IwVUJbtOr1_y2osWWvwxF7iRuClKaV1XJ3Zg_F8bawstSe-gzdKMmv9AYMMrAh2TSbTvOxi5s4bvWX_vjbFN5vINzVLj-o40BT36o-V6LXylxXFOToBBuRN\
-UrHg8bhLGxZR3zVE_0panv1ruebnpWNGCwgpBK0NYornbV-i1RfreFhzWcOyHbE8hmFqMQhsuGvyrbszuxJ9rpryJsKjAxrsPb_SuhzVb-2WFsNynpTciAcGp6xjb_pm2-25u4iB\
-jOfL9PlQcaEcrIxzihb9PGzJFOfBIvteAqCOJx4iiNfutcGxBEcnV1VOLGSp8uJPoWE3n6dROYu5pqO-ztLH-mfU9IjC6K7J5ulRtbZU2_qxVpcNTClRjT5BPWMgVElfvUIkHry-X\
-6CjUUm3dh6B-zH5hTT3NTPOL7EwtebAtkiK509GOvO6pDOuqtn8-Dn92RDlh2fecDJOycjRInyt71SkrI6WhiVylhRNiZvt720Nesg41OqMweWxpgu4TGZflX9fB8sG-RBO0I1hP00\
-Zk_c4t7t4k0-qKtV56zt3LJVE6K-hGBCB_0HtPDRbWUdkKbqkJ51JUda6RnXYBe7tLlVIzcLubd1YrikKeg0JnrFNafXqMoOWmUm2Q11EHuAZUiIJkBejgSEnbgfCjUc9gckQ0vOBP\
-7ERhQJ4scpDCrG4fE5SPKo484qLxZuLhZBAntPdLCfKIav6WUg_Vbd0M7pP1vb53LdsZAsPidk_AB7_3TQdCct4xvK5C6MdHNQArlKzE9oMahQdyDWcYe7YbAu2ROwoz6xU3jKsrzJ\
-v-XI-Svw10eaE-KTlQwi8GaWw168-0Jnv23nSk5jGHh681iK8R0zbCIO2TNGZLe_jnJjiOlM-F3N-li73YEl8p30y2i0BUYTrPZYkwLUhFedlSX0hwR1jQpIoV0njzGeyf-pfySAUH\
-XOhHRA00O3BzPZAXNBDTYCi54d6ng8QtlvG_IrhLbGkVTKJt8S6bfbsdvZvK8VW8_D0zf8uMoWBTAAoOkEz2a3x-UJ120LYq8LwzksuEFPRJ56m-YRLMO39vfMnQZbOxHsjzGsIZPg\
-caMhsYQugCMfU_TIJLc4zQx0DCC5VVnOwumXBz8lV0LHUOx79TXFzYMF0-VhzO0I.P-GdQKruCwb8-iDagtZIqQ
+rs.security.keystore.jwkset=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiTWJlR0VTekk2MURJaHFncnc4ZG9TZyIsInAyYyI6NDA5Nn0.MVJlK1vV0lWLt2ySU2WB_nphsWZqf6jhVfb2mGuf05mXnxqistGBng.x6itAzrmrAn9KetfUl1ZPg.2if8qkLqADwsF0li0BzhPX8Q9LLYrUE_uHfv-qo23BwOryGm_cOSj01_TVZnO58N30wYBMJZ_mgYIQTYGL_6VUJJv8_qzP_wmBUkV99VPWOrEYLf75VWvJSMwyFjGljzpYoWONvrp6QwfrKjdum8_xEOs1dgurq8Spct-y1Ueqk9YCO_6fvklAzLPxgyyPXw5HwSIw1f4wtDN9XVHfmphvuNLNXrzxI-b1Xi4t1FIZBgX6LephgwL3LpJeP0MrKQlPpe4RI3fXfoe6yo432gH72kGCui6WgoIAZUrX2ShaS_ephxIrB3s24-QcG4pcfRcaHuIc1VhnsFSgC1IvNh1QnDnlxQ7PCVhBifXaf_7Vy9LZQYhRJ8Wj_NClPJT8NNYQOZTcXEjzLYRMxCUI8C-KZBUaZd14oZhWgTVi9xre6EyUq5lQbMl55x_f_5FXzO-dJB9EG3MtRLm1CSmPaH4slUKhk45fKTzowqYgD0ueVcqvT8JtnlxRSj2NPC0vPy4r_3H3HzKvvtICQeaR6ZP5g_UMyvLju08tZMYSqeFzYxDKuExzC8l00tc8GlFM_K15A-J7TGQXGGDZtcn8raNOMgCzq4ijr5z6hyniNzu1j8sjKZH9FX3okfINRy6kW6W168r4GSvRAFf01sCNBvcSi3gsC0djTZdeyzbcEq_oqYHdBS3Ur4bXFw_5fLVKi4oaYG4AdWgAYiPp7uATO1k3VPoxIjJyRaUt4ZG-RX3eMULUF31OAV2owfthhyFzd
Ohg2RBPHhpiH5lbldTHRuP3PtQKtM6J0wbOoKwHdNSQUuRFJ3Ypqol2kxFl7e6NCTlvJrPX93b4JLYMpGeK43IXqnGzdUKCUEwsqz5m_x-eawlp34VHugxrAyW23hWXivbM_2p0nBYURd-DhdEErpzv6abGo89HQ_cOocI9JNIrfJejdMvVF1SxWPfwV9xvGqYcOvECUAJ_DRs3BxHEE83gLVEvs16JvLb-UVbNul7M-2R6McfH1tLc3GXOxtIIimpz0pu0PIEf_ptwSpsXPuhUo-GzJSqN_XOqS1FAn7ELOAuxTzw4P8fQpMB3IChwEJQDo4fApstbg9hsQrW8oOO1puFFYscuNYKgFGu_fVroZtgxPveoEYsB8JvPXgAGeiblaCYcUZiuOfj14B6GAsoqzCETxmNDe5ouHWjJ10QxdPWRjQUmlS0Pe_sjXWfYuian-WodiNDpVtDhBdWI7klifiJpRUL2xyOvMODJRSLVQck5ifHXAjb05Us6JTdDJU4MjNhPsNnnuy92I0JWW6MIV-DFfkSgt8J1kxaltyhyPdNBDSgTTSEZQjRmvbt93opbejkRT8yTL96Q59Cw32SK3cKwiaDJsVctcgpsHcHK7ImcoqvzcPFwwb3v32o14oqC4KS0WZw7wW-FlYhUjkh-orlka90_rw1687nKx0D5EV8wtMpQ69n8vTSme3hjoDIBxIxUrI0k3sv6UvjfH7qQLey0eIckPtRGDzR0ydFBVfKcj2BJQPCeTj08aOzU1f26dovhO9XKbOAYvtkOYO5Q2Sp4TvcC8fezQGYqRNX-k.BIKOj0XbCIfOv_qePGSEcg
rs.security.keystore.alias.jwe=AesWrapKey
rs.security.jwe.content.encryption.algorithm=A128CBC-HS256