You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by re...@apache.org on 2023/02/05 17:41:37 UTC

[cxf] branch 3.6.x-fixes updated: Fix Jwe compression (#1106)

This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.6.x-fixes by this push:
     new fbcb6d348b Fix Jwe compression (#1106)
fbcb6d348b is described below

commit fbcb6d348be7c01dfe49607fc28fc6ad4e467c49
Author: Egor Puzanov <ep...@users.noreply.github.com>
AuthorDate: Sun Feb 5 17:42:13 2023 +0100

    Fix Jwe compression (#1106)
    
    CXF-8816: Deflater and Inflater initialized with different 'nowrap' value
---
 .../apache/cxf/common/util/CompressionUtils.java   |  2 +-
 .../apache/cxf/rt/security/crypto/CryptoUtils.java |  4 +-
 .../cxf/rt/security/crypto/CryptoUtilsTest.java    | 56 ++++++++++++++++++++++
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java b/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java
index ea4ce34e7b..85477f2a19 100644
--- a/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java
@@ -35,7 +35,7 @@ public final class CompressionUtils {
     }
     public static InputStream inflate(byte[] deflatedToken, boolean nowrap)
         throws DataFormatException {
-        Inflater inflater = new Inflater(true);
+        Inflater inflater = new Inflater(nowrap);
         inflater.setInput(deflatedToken);
 
         byte[] buffer = new byte[deflatedToken.length];
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
index 847200bcda..5735b8bae4 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
@@ -546,7 +546,7 @@ public final class CryptoUtils {
                                       int mode)  throws SecurityException {
         boolean compressionSupported = keyProps != null && keyProps.isCompressionSupported();
         if (compressionSupported && mode == Cipher.ENCRYPT_MODE) {
-            bytes = CompressionUtils.deflate(bytes, false);
+            bytes = CompressionUtils.deflate(bytes, true);
         }
         try {
             Cipher c = initCipher(secretKey, keyProps, mode);
@@ -580,7 +580,7 @@ public final class CryptoUtils {
                 }
             }
             if (compressionSupported && mode == Cipher.DECRYPT_MODE) {
-                result = IOUtils.readBytesFromStream(CompressionUtils.inflate(result, false));
+                result = IOUtils.readBytesFromStream(CompressionUtils.inflate(result, true));
             }
             return result;
         } catch (Exception ex) {
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/crypto/CryptoUtilsTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/crypto/CryptoUtilsTest.java
new file mode 100644
index 0000000000..646636684c
--- /dev/null
+++ b/rt/security/src/test/java/org/apache/cxf/rt/security/crypto/CryptoUtilsTest.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.crypto;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Collection;
+
+import javax.crypto.SecretKey;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import static org.junit.Assert.assertArrayEquals;
+
+@RunWith(Parameterized.class)
+public class CryptoUtilsTest {
+    private final boolean compression;
+
+    public CryptoUtilsTest(boolean compression) {
+        this.compression = compression;
+    }
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> compression() {
+        return Arrays.asList(new Object[][] {{true}, {false}});
+    }
+
+    @Test
+    public void testCompression() {
+        byte[] bytes = "testString".getBytes(StandardCharsets.UTF_8);
+        KeyProperties keyProps = new KeyProperties("AES");
+        keyProps.setCompressionSupported(compression);
+        SecretKey secretKey = CryptoUtils.getSecretKey(keyProps);
+        byte[] encryptedBytes = CryptoUtils.encryptBytes(bytes, secretKey, keyProps);
+        byte[] decryptedBytes = CryptoUtils.decryptBytes(encryptedBytes, secretKey, keyProps);
+        assertArrayEquals(bytes, decryptedBytes);
+    }
+}