You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2019/11/21 13:10:00 UTC

[jira] [Work logged] (CXF-8162) JWE with multiple recipients does not work for AES CBC Encryption

     [ https://issues.apache.org/jira/browse/CXF-8162?focusedWorklogId=347395&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-347395 ]

ASF GitHub Bot logged work on CXF-8162:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Nov/19 13:09
            Start Date: 21/Nov/19 13:09
    Worklog Time Spent: 10m 
      Work Description: frelibert commented on pull request #604: [CXF-8162] JWE with multiple recipients does not work for AES CBC Encryption
URL: https://github.com/apache/cxf/pull/604
 
 
   Fixed:
   - System.arraycopy src position
   - exposed AesCbcContentEncryptionAlgorithm to make cek and iv reusable for all recipients
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 347395)
    Remaining Estimate: 0h
            Time Spent: 10m

> JWE with multiple recipients does not work for AES CBC Encryption
> -----------------------------------------------------------------
>
>                 Key: CXF-8162
>                 URL: https://issues.apache.org/jira/browse/CXF-8162
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.3.4
>            Reporter: Frederik Libert
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When encrypting for multiple recipients, the plaintext, the CEK, JWE Initialization Vector, and JWE Protected Header are shared by all recipients (which must be the case, since
>  the ciphertext and Authentication Tag are also shared).
> The Apache CXF API for encrypting the content with AES GCM allows this by initializing a ContentEncryptionProvider of type AesGcmContentEncryptionAlgorithm which can be used as reference when initializing the list of JweEncryptionProviders (which take a KeyEncryptionProvider and an ContentEncryptionProvider).
> When using AES CBC, the API is different.
> The class AesCbcContentEncryptionAlgorithm is a private innerclass of  JweEncryptionProvider AesCbcHmacJweEncryption so you can't initialize it once and reuse it in all JweEncryptionProviders of the list.
> There is a workaround as the API allows to build the CEK and InitializationVector yourself (not very nice) but this method leads to an ArrayIndexOutOfBoundsException as there is a typo in the AesCbcHmacJweEncryption  when copying the CEK byte by byte internally.
> This typo should be fixed but more importantly, the API for AES CBC encryption should allow the initialization of the ContentEncryptionProvider from outside the JweEncryptionProvider so it can be referenced in all JweEncryptionProviders.
> Without that, you can only encrypt for 1 recipient or the validation will fail (invalid authentication tag) for all but 1 recipient.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)