Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2019/12/20 12:53:00 UTC
[jira] [Resolved] (CXF-8177) JWE API does not support ECDH Direct Encryption/Decryption
[ https://issues.apache.org/jira/browse/CXF-8177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved CXF-8177.
--------------------------------------
Resolution: Fixed
> JWE API does not support ECDH Direct Encryption/Decryption
> -----------------------------------------------------------
>
> Key: CXF-8177
> URL: https://issues.apache.org/jira/browse/CXF-8177
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.3.4
> Reporter: Frederik Libert
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 3.4.0, 3.3.5
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Although the Apache CXF implementation of JWE supports ECDH Direct encryption/decryption, the API is not sufficiently open for it.
> A few problems:
> * KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
> * EcdhDirectKeyDecryptionAlgorithm is a private inner class so cannot be used from the client view perspective (different approach for different algorithms, why?)
> * EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used without verifying (could be AES CBC as well)
> * JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes an assumption that AESWrap is used in case of an EC Key without verifying the KeyAlgorithm (could be Direct as well)
> The API should support proper handling of key algorithm between client and library and should verify what is given as input to decide which key and content decrypters to use.
>
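The header-driven selection the report asks for, as an added example in Python (not CXF code, and not written by the reporter or assignee). It follows RFC 7518 sections 4.6 and 5 and covers all ECDH-ES variants rather than only the two cases in the report; `plan_decryption`, `concat_kdf` and the sample secret `Z` are hypothetical names.

```python
import base64, hashlib, struct

# RFC 7518 section 4.6: ECDH-ES key algorithms -> AES key-wrap key size in bits
# (None means Direct Key Agreement: the derived key is the content key itself).
KEY_ALGS = {"ECDH-ES": None, "ECDH-ES+A128KW": 128,
            "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}
# RFC 7518 section 5: content algorithms -> (cipher family, content key bits).
CONTENT_ALGS = {"A128GCM": ("AES-GCM", 128), "A192GCM": ("AES-GCM", 192),
                "A256GCM": ("AES-GCM", 256), "A128CBC-HS256": ("AES-CBC-HMAC", 256),
                "A192CBC-HS384": ("AES-CBC-HMAC", 384),
                "A256CBC-HS512": ("AES-CBC-HMAC", 512)}

def _b64u(text):
    """Decode unpadded base64url, as used for the apu/apv header values."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _prefixed(data):
    return struct.pack(">I", len(data)) + data

def concat_kdf(z, alg_id, apu, apv, bits):
    """Concat KDF with SHA-256 as profiled by RFC 7518 section 4.6.2."""
    other_info = (_prefixed(alg_id.encode("ascii")) + _prefixed(apu)
                  + _prefixed(apv) + struct.pack(">I", bits))
    out, counter = b"", 1
    while len(out) * 8 < bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[:bits // 8]

def plan_decryption(header, z):
    """Pick key and content handling from the header instead of assuming them."""
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in KEY_ALGS:
        raise ValueError(f"unsupported key algorithm: {alg!r}")
    if enc not in CONTENT_ALGS:
        raise ValueError(f"unsupported content algorithm: {enc!r}")
    cipher, cek_bits = CONTENT_ALGS[enc]
    wrap_bits = KEY_ALGS[alg]
    direct = wrap_bits is None
    # Direct mode feeds "enc" and the content key size into the KDF;
    # key-wrap mode feeds "alg" and the wrapping key size.
    alg_id, bits = (enc, cek_bits) if direct else (alg, wrap_bits)
    key = concat_kdf(z, alg_id, _b64u(header.get("apu", "")),
                     _b64u(header.get("apv", "")), bits)
    return {"mode": "direct" if direct else "aes-key-wrap",
            "content_cipher": cipher, "cek_bits": cek_bits, "derived_key": key}

Z = bytes(range(32))  # constructed stand-in for the ECDH shared secret
```

With an EC key, assuming AES-GCM or AESWrap would derive a key of the wrong length or purpose for a Direct or CBC-HS token; here both choices come from `alg` and `enc`, and anything unrecognised is rejected.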