Posted to commits@cxf.apache.org by se...@apache.org on 2017/03/01 14:36:38 UTC
cxf git commit: [CXF-6728] Updating JweUtils to use EC Key algo if
needed and not accepting in headers algo for the decryption
Repository: cxf
Updated Branches:
refs/heads/master d187ef6f3 -> 6d7985f39
[CXF-6728] Updating JweUtils to use the EC key algorithm where needed and to stop taking the key algorithm for decryption from the incoming headers
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6d7985f3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6d7985f3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6d7985f3
Branch: refs/heads/master
Commit: 6d7985f39b83d28b0ca3e485be8de8f986d6f6c1
Parents: d187ef6
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Mar 1 14:36:24 2017 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Mar 1 14:36:24 2017 +0000
----------------------------------------------------------------------
.../cxf/rs/security/jose/jwe/JweUtils.java | 50 +++++++++++++++-----
.../jaxrs/security/oidc/UserInfoTest.java | 2 +-
2 files changed, 39 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6d7985f3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 715d05b..e5828be 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -158,6 +158,9 @@ public final class JweUtils {
public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key,
Properties props,
KeyAlgorithm algo) {
+ if (algo == null) {
+ algo = getDefaultPublicKeyAlgorithm(key);
+ }
if (key instanceof RSAPublicKey) {
return new RSAKeyEncryptionAlgorithm((RSAPublicKey)key, algo);
} else if (key instanceof ECPublicKey) {
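Review bot: The new null check at the top of `getPublicKeyEncryptionProvider` changes the method's contract (null `algo` now means "pick a default from the key type") but the Javadoc is not updated, so callers cannot tell that null is accepted or which algorithm they get. A parameter note such as `@param algo the key-management algorithm, or null to select a key-type default (RSA-OAEP for RSA keys, ECDH-ES+A128KW for EC keys)` would record that. Note also that `getDefaultPublicKeyAlgorithm` returns null for a key that is neither RSA nor EC, and the method then continues into the `instanceof` chain with a null algorithm; the rest of that chain is outside this hunk, so whether it rejects that case cleanly cannot be seen here.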
@@ -176,6 +179,24 @@ public final class JweUtils {
return null;
}
+ private static KeyAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
+ if (key instanceof RSAPublicKey) {
+ return KeyAlgorithm.RSA_OAEP;
+ } else if (key instanceof ECPublicKey) {
+ return KeyAlgorithm.ECDH_ES_A128KW;
+ } else {
+ return null;
+ }
+ }
+ private static KeyAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
+ if (key instanceof RSAPrivateKey) {
+ return KeyAlgorithm.RSA_OAEP;
+ } else if (key instanceof ECPrivateKey) {
+ return KeyAlgorithm.ECDH_ES_A128KW;
+ } else {
+ return null;
+ }
+ }
public static KeyEncryptionProvider getSecretKeyEncryptionAlgorithm(SecretKey key, KeyAlgorithm algo) {
if (AlgorithmUtils.isAesKeyWrap(algo.getJwaName())) {
return new AesWrapKeyEncryptionAlgorithm(key, algo);
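Review bot: Both new helpers return null for a key that is neither RSA nor EC, and every caller added in this commit passes that result straight into a provider factory without checking it, so an unsupported key type surfaces as a NullPointerException or an obscure failure inside the provider rather than a clear error. Throwing for the unsupported case, e.g. `throw new IllegalArgumentException("No default JWE key algorithm for key type " + key.getAlgorithm());` (or the JWE exception type this file uses elsewhere, if it has a fitting error code), would make the failure deliberate; at minimum the null return should be documented. A short Javadoc on each, such as `/** Default key-management algorithm for the given key: RSA-OAEP for RSA, ECDH-ES+A128KW for EC, null for any other key type. */`, would also record that RSA-OAEP rather than RSA1_5 is the intended RSA default. The two methods are identical apart from the key interfaces they test; that duplication is acceptable but worth a comment saying they must be kept in sync.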
@@ -415,9 +436,12 @@ public final class JweUtils {
X509Certificate cert = chain == null ? null : chain.get(0);
PrivateKey privateKey =
KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
+ if (keyAlgo == null) {
+ keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
+ }
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
- keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey,
- inHeaders.getKeyEncryptionAlgorithm());
+
+ keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
X509Certificate foundCert =
KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(),
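Review bot: The new code stops trusting `inHeaders.getKeyEncryptionAlgorithm()` for selecting the decryption algorithm, which is the right direction, but nothing in this hunk compares the header's `alg` with the `keyAlgo` actually used, so a JWE whose header names a different algorithm is either rejected somewhere inside `getPrivateKeyDecryptionProvider` (not visible here) or processed regardless of what the header claims. If that comparison does not already live in the provider, an explicit check right after the default is chosen makes the rejection deliberate and the error message clear: `KeyAlgorithm headerAlgo = inHeaders.getKeyEncryptionAlgorithm(); if (headerAlgo != null && headerAlgo != keyAlgo) { /* reject: header alg does not match the configured key algorithm */ }` (enum comparison assumed; use `equals` if the getter returns something else). The enclosing method starts before this hunk and continues past it, so the surrounding control flow is taken on trust.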
@@ -426,9 +450,11 @@ public final class JweUtils {
if (foundCert != null) {
PrivateKey privateKey =
KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
+ if (keyAlgo == null) {
+ keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
+ }
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
- keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey,
- inHeaders.getKeyEncryptionAlgorithm());
+ keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else {
if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
@@ -450,9 +476,11 @@ public final class JweUtils {
keyDecryptionProvider = getKeyDecryptionProvider(jwk, keyAlgo);
}
} else {
- keyDecryptionProvider = getPrivateKeyDecryptionProvider(
- KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT),
- keyAlgo);
+ PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
+ if (keyAlgo == null) {
+ keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
+ }
+ keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
}
return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey,
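Review bot: The three-line `if (keyAlgo == null) { keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey); }` block is now copied into three separate branches of this method, while the public-key side puts the same defaulting inside `getPublicKeyEncryptionProvider` itself. Moving the null check into `getPrivateKeyDecryptionProvider(PrivateKey, KeyAlgorithm)` would remove the three copies, keep the two sides symmetric, and cover any other caller that passes a null algorithm. The JWK branch just above (`getKeyDecryptionProvider(jwk, keyAlgo)`) is not defaulted here at all; presumably the JWK path resolves its default elsewhere, but that is not visible in this hunk and is worth confirming. The enclosing method begins before this hunk.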
@@ -733,10 +761,6 @@ public final class JweUtils {
public static KeyAlgorithm getKeyEncryptionAlgorithm(Message m, Properties props,
KeyAlgorithm algo, KeyAlgorithm defaultAlgo) {
if (algo == null) {
- if (defaultAlgo == null) {
- defaultAlgo = KeyAlgorithm.RSA_OAEP;
- }
-
algo = getKeyEncryptionAlgorithm(m, props, defaultAlgo);
}
return algo;
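Review bot: With the `RSA_OAEP` fallback removed, a null `defaultAlgo` now flows into the three-argument `getKeyEncryptionAlgorithm(m, props, defaultAlgo)` overload, which is outside this hunk, so whether it tolerates a null default and returns null when no property is configured cannot be confirmed from here; the caller is then expected to rely on the key-type defaulting added to `getPublicKeyEncryptionProvider`. That is a real contract change for a public method and should be stated in its Javadoc, e.g. `@return the configured key-management algorithm, or null when neither the argument, the properties nor defaultAlgo name one; callers then fall back to a key-type default`.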
@@ -755,8 +779,10 @@ public final class JweUtils {
KeyType keyType = jwk.getKeyType();
if (KeyType.OCTET == keyType) {
return KeyAlgorithm.A128GCMKW;
- } else {
+ } else if (KeyType.RSA == keyType) {
return KeyAlgorithm.RSA_OAEP;
+ } else {
+ return KeyAlgorithm.ECDH_ES_A128KW;
}
}
public static ContentAlgorithm getContentEncryptionAlgorithm(Message m,
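Review bot: The final `else` in this hunk returns `ECDH_ES_A128KW` for every key type that is not OCTET or RSA, not only for EC, so an unexpected key type silently gets an EC algorithm instead of an error. Matching EC explicitly and rejecting anything else keeps the default honest, assuming the `KeyType` enum has an `EC` constant as the RSA and OCTET comparisons suggest: `} else if (KeyType.EC == keyType) { return KeyAlgorithm.ECDH_ES_A128KW; } else { return null; }` — or throw, if the callers cannot handle a null algorithm. The method's signature is above this hunk, so its name and Javadoc could not be checked.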
http://git-wip-us.apache.org/repos/asf/cxf/blob/6d7985f3/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/UserInfoTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/UserInfoTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/UserInfoTest.java
index f8011ef..c7052fe 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/UserInfoTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/UserInfoTest.java
@@ -214,7 +214,7 @@ public class UserInfoTest extends AbstractBusClientServerTestBase {
userInfoClient.header("Authorization", "Bearer " + accessToken.getTokenKey());
Response serviceResponse = userInfoClient.get();
- assertEquals(serviceResponse.getStatus(), 200);
+ assertEquals(200, serviceResponse.getStatus());
String token = serviceResponse.readEntity(String.class);
assertNotNull(token);