You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by se...@apache.org on 2015/02/06 15:32:13 UTC
[1/3] cxf git commit: [CXF-6238] Updating ResponseStatus annotation
to have a typed status array field
Repository: cxf
Updated Branches:
refs/heads/3.0.x-fixes 4370435f6 -> f019b583f
[CXF-6238] Updating ResponseStatus annotation to have a typed status array field
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/14c7b199
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/14c7b199
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/14c7b199
Branch: refs/heads/3.0.x-fixes
Commit: 14c7b1996bf6c77b0ca34be4211ee6af300a627e
Parents: fdad713
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Thu Feb 5 10:25:11 2015 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Thu Feb 5 10:27:31 2015 +0000
----------------------------------------------------------------------
.../src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java | 4 +++-
.../java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java | 6 +++---
.../test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java | 3 ++-
3 files changed, 8 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/14c7b199/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java
index 19dd4cc..dc1f8ed 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/ResponseStatus.java
@@ -23,9 +23,11 @@ import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
+import javax.ws.rs.core.Response;
+
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD })
public @interface ResponseStatus {
- int[] value();
+ Response.Status[] value();
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/14c7b199/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
----------------------------------------------------------------------
diff --git a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
index fd0946d..2d02e42 100644
--- a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
+++ b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
@@ -584,7 +584,7 @@ public class WadlGenerator implements ContainerRequestFilter {
setResponseStatus(sb, responseStatus.value());
} else if (isVoid) {
boolean oneway = getMethod(ori).getAnnotation(Oneway.class) != null;
- setResponseStatus(sb, oneway ? 202 : 204);
+ setResponseStatus(sb, oneway ? Response.Status.ACCEPTED : Response.Status.NO_CONTENT);
}
sb.append(">");
handleDocs(anns, sb, DocTarget.RESPONSE, false, isJson);
@@ -602,13 +602,13 @@ public class WadlGenerator implements ContainerRequestFilter {
return resourceTagOpened;
}
- private void setResponseStatus(StringBuilder sb, int... statuses) {
+ private void setResponseStatus(StringBuilder sb, Response.Status... statuses) {
sb.append(" status=\"");
for (int i = 0; i < statuses.length; i++) {
if (i > 0) {
sb.append(" ");
}
- sb.append(statuses[i]);
+ sb.append(statuses[i].getStatusCode());
}
sb.append("\"");
http://git-wip-us.apache.org/repos/asf/cxf/blob/14c7b199/rt/rs/description/src/test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java
----------------------------------------------------------------------
diff --git a/rt/rs/description/src/test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java b/rt/rs/description/src/test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java
index ceb5969..8ff129e 100644
--- a/rt/rs/description/src/test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java
+++ b/rt/rs/description/src/test/java/org/apache/cxf/jaxrs/model/wadl/BookStore.java
@@ -37,6 +37,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
import javax.xml.bind.annotation.XmlTransient;
import org.apache.cxf.aegis.type.java5.IgnoreProperty;
@@ -109,7 +110,7 @@ public class BookStore implements BookDescription {
@Description(value = "Response", target = DocTarget.RESPONSE),
@Description(value = "Resource books/{bookid}", target = DocTarget.RESOURCE)
})
- @ResponseStatus({201, 200 })
+ @ResponseStatus({Status.CREATED, Status.OK })
//CHECKSTYLE:OFF
@POST
@Path("books/{bookid}")
[2/3] cxf git commit: Merge branch '3.0.x-fixes' of
https://git-wip-us.apache.org/repos/asf/cxf into 3.0.x-fixes
Posted by se...@apache.org.
Merge branch '3.0.x-fixes' of https://git-wip-us.apache.org/repos/asf/cxf into 3.0.x-fixes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0c43f884
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0c43f884
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0c43f884
Branch: refs/heads/3.0.x-fixes
Commit: 0c43f88477c1b5098c949840575f7414c16db578
Parents: 14c7b19 4370435
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Feb 6 14:31:16 2015 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Feb 6 14:31:16 2015 +0000
----------------------------------------------------------------------
rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
[3/3] cxf git commit: [CXF-6085] Refactoring someof existing JWE code
to get it ready to deal with JWE JSON
Posted by se...@apache.org.
[CXF-6085] Refactoring someof existing JWE code to get it ready to deal with JWE JSON
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f019b583
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f019b583
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f019b583
Branch: refs/heads/3.0.x-fixes
Commit: f019b583f4a7b3e8e2de074cb454e5629a85b530
Parents: 0c43f88
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Feb 6 14:30:26 2015 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Feb 6 14:31:55 2015 +0000
----------------------------------------------------------------------
.../jose/jaxrs/JweWriterInterceptor.java | 2 +-
...stractContentEncryptionCipherProperties.java | 4 +-
.../jose/jwe/AbstractJweDecryption.java | 67 ++++++++++---------
.../jose/jwe/AbstractJweEncryption.java | 23 ++++---
.../jose/jwe/AesCbcHmacJweDecryption.java | 21 +++---
.../jose/jwe/AesCbcHmacJweEncryption.java | 16 ++---
.../jwe/AesGcmWrapKeyDecryptionAlgorithm.java | 14 ++--
.../jwe/ContentEncryptionCipherProperties.java | 2 +-
.../jose/jwe/DirectKeyJweDecryption.java | 8 +--
.../jwe/EcdhAesWrapKeyDecryptionAlgorithm.java | 7 +-
.../jose/jwe/EcdhDirectKeyJweDecryption.java | 6 +-
.../security/jose/jwe/JweCompactConsumer.java | 50 +++++++-------
.../security/jose/jwe/JweDecryptionInput.java | 68 ++++++++++++++++++++
.../jose/jwe/JweDecryptionProvider.java | 2 +-
.../jose/jwe/JweEncryptionProvider.java | 2 +-
.../cxf/rs/security/jose/jwe/JweHeaders.java | 1 -
.../jose/jwe/JweJwtCompactConsumer.java | 2 +-
.../cxf/rs/security/jose/jwe/JweUtils.java | 13 +++-
.../jose/jwe/KeyDecryptionAlgorithm.java | 2 +-
.../PbesHmacAesWrapKeyDecryptionAlgorithm.java | 16 ++---
.../jose/jwe/WrappedKeyDecryptionAlgorithm.java | 26 ++++----
21 files changed, 221 insertions(+), 131 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 36a2c51..ca4f5c9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -70,7 +70,7 @@ public class JweWriterInterceptor implements WriterInterceptor {
}
if (useJweOutputStream) {
- JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(jweHeaders);
+ JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(jweHeaders, null);
try {
JweCompactProducer.startJweContent(actualOs,
encryption.getHeaders(),
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index ca2d6b9..e9fc794 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -33,8 +33,8 @@ public abstract class AbstractContentEncryptionCipherProperties implements Conte
public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
}
- public byte[] getAdditionalAuthenticationData(String headersJson) {
- return JweHeaders.toCipherAdditionalAuthData(headersJson);
+ public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
+ return JweUtils.getAdditionalAuthenticationData(headersJson, aad);
}
protected int getAuthTagLen() {
return authTagLen;
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index a00feaa..ad4fd8e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -35,61 +35,60 @@ public abstract class AbstractJweDecryption implements JweDecryptionProvider {
this.contentDecryptionAlgo = contentDecryptionAlgo;
}
- protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
- return this.keyDecryptionAlgo.getDecryptedContentEncryptionKey(consumer);
+ protected byte[] getContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ return keyDecryptionAlgo.getDecryptedContentEncryptionKey(jweDecryptionInput);
}
public JweDecryptionOutput decrypt(String content) {
JweCompactConsumer consumer = new JweCompactConsumer(content);
- return doDecrypt(consumer);
+ byte[] cek = getContentEncryptionKey(consumer.getJweDecryptionInput());
+ return doDecrypt(consumer.getJweDecryptionInput(), cek);
}
- public byte[] decrypt(JweCompactConsumer consumer) {
- return doDecrypt(consumer).getContent();
+ public byte[] decrypt(JweDecryptionInput jweDecryptionInput) {
+ byte[] cek = getContentEncryptionKey(jweDecryptionInput);
+ return doDecrypt(jweDecryptionInput, cek).getContent();
}
-
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
- byte[] cek = getContentEncryptionKey(consumer);
- return doDecrypt(consumer, cek);
- }
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
- KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(consumer));
- keyProperties.setAdditionalData(getContentEncryptionCipherAAD(consumer));
- AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(consumer);
+ protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
+ KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(jweDecryptionInput));
+ keyProperties.setAdditionalData(getContentEncryptionCipherAAD(jweDecryptionInput));
+ AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(jweDecryptionInput);
keyProperties.setAlgoSpec(spec);
boolean compressionSupported =
- JoseConstants.DEFLATE_ZIP_ALGORITHM.equals(consumer.getJweHeaders().getZipAlgorithm());
+ JoseConstants.DEFLATE_ZIP_ALGORITHM.equals(jweDecryptionInput.getJweHeaders().getZipAlgorithm());
keyProperties.setCompressionSupported(compressionSupported);
- byte[] actualCek = getActualCek(cek, consumer.getJweHeaders().getContentEncryptionAlgorithm());
+ byte[] actualCek = getActualCek(cek, jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
Key secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo());
byte[] bytes =
- CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(consumer), secretKey, keyProperties);
- return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
+ CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(jweDecryptionInput), secretKey, keyProperties);
+ return new JweDecryptionOutput(jweDecryptionInput.getJweHeaders(), bytes);
}
protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
return consumer.getEncryptedContentEncryptionKey();
}
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getAlgorithmParameterSpec(getContentEncryptionCipherInitVector(consumer));
+ protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweDecryptionInput jweDecryptionInput) {
+ return contentDecryptionAlgo.getAlgorithmParameterSpec(
+ getContentEncryptionCipherInitVector(jweDecryptionInput));
}
- protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+ protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+ return Algorithm.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
}
- protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders());
+ protected byte[] getContentEncryptionCipherAAD(JweDecryptionInput jweDecryptionInput) {
+ return contentDecryptionAlgo.getAdditionalAuthenticationData(
+ jweDecryptionInput.getDecodedJsonHeaders(), jweDecryptionInput.getAad());
}
- protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getEncryptedSequence(consumer.getJweHeaders(),
- consumer.getEncryptedContent(),
- getEncryptionAuthenticationTag(consumer));
+ protected byte[] getEncryptedContentWithAuthTag(JweDecryptionInput jweDecryptionInput) {
+ return contentDecryptionAlgo.getEncryptedSequence(jweDecryptionInput.getJweHeaders(),
+ jweDecryptionInput.getEncryptedContent(),
+ getEncryptionAuthenticationTag(jweDecryptionInput));
}
- protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) {
- return consumer.getContentDecryptionCipherInitVector();
+ protected byte[] getContentEncryptionCipherInitVector(JweDecryptionInput jweDecryptionInput) {
+ return jweDecryptionInput.getInitVector();
}
- protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
- return consumer.getEncryptionAuthenticationTag();
+ protected byte[] getEncryptionAuthenticationTag(JweDecryptionInput jweDecryptionInput) {
+ return jweDecryptionInput.getAuthTag();
}
- protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
- return getEncryptionAuthenticationTag(consumer).length * 8;
+ protected int getEncryptionAuthenticationTagLenBits(JweDecryptionInput jweDecryptionInput) {
+ return getEncryptionAuthenticationTag(jweDecryptionInput).length * 8;
}
protected byte[] getActualCek(byte[] theCek, String algoJwt) {
return theCek;
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index 03ef462..37991d9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -78,11 +78,11 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
protected String getContentEncryptionAlgoJava() {
return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
}
- protected byte[] getAAD(JweHeaders theHeaders) {
- return getContentEncryptionAlgorithm().getAdditionalAuthenticationData(writer.headersToJson(theHeaders));
+ protected byte[] getAAD(String protectedHeaders, byte[] aad) {
+ return getContentEncryptionAlgorithm().getAdditionalAuthenticationData(protectedHeaders, aad);
}
public String encrypt(byte[] content, JweHeaders jweHeaders) {
- JweEncryptionInternal state = getInternalState(jweHeaders);
+ JweEncryptionInternal state = getInternalState(jweHeaders, null);
byte[] cipher = CryptoUtils.encryptBytes(content, createCekSecretKey(state), state.keyProps);
@@ -113,8 +113,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
return writer;
}
@Override
- public JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders) {
- JweEncryptionInternal state = getInternalState(jweHeaders);
+ public JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders, byte[] aad) {
+ JweEncryptionInternal state = getInternalState(jweHeaders, aad);
Cipher c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps,
Cipher.ENCRYPT_MODE);
return new JweEncryptionState(c,
@@ -136,7 +136,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
return theCek;
}
- private JweEncryptionInternal getInternalState(JweHeaders jweHeaders) {
+ private JweEncryptionInternal getInternalState(JweHeaders jweHeaders, byte[] aad) {
byte[] theCek = getContentEncryptionKey();
String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
@@ -158,9 +158,12 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
theHeaders = new JweHeaders(theHeaders.asMap());
theHeaders.asMap().putAll(jweHeaders.asMap());
}
- byte[] additionalEncryptionParam = getAAD(theHeaders);
- keyProps.setAdditionalData(additionalEncryptionParam);
+ JweHeaders protectedHeaders = theHeaders;
+
+ String protectedHeadersJson = writer.headersToJson(protectedHeaders);
+ byte[] additionalEncryptionParam = getAAD(protectedHeadersJson, aad);
+ keyProps.setAdditionalData(additionalEncryptionParam);
JweEncryptionInternal state = new JweEncryptionInternal();
state.theHeaders = theHeaders;
@@ -168,6 +171,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
state.keyProps = keyProps;
state.secretKey = theCek;
state.theIv = theIv;
+ state.protectedHeadersJson = protectedHeadersJson;
+ state.aad = aad;
return state;
}
private boolean compressionRequired(JweHeaders theHeaders) {
@@ -182,5 +187,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
byte[] theIv;
KeyProperties keyProps;
byte[] secretKey;
+ String protectedHeadersJson;
+ byte[] aad;
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index 84a9fdd..6b902da 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -35,24 +35,25 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
super(keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm(supportedAlgo));
this.supportedAlgo = supportedAlgo;
}
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
- validateAuthenticationTag(consumer, cek);
- return super.doDecrypt(consumer, cek);
+ protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
+ validateAuthenticationTag(jweDecryptionInput, cek);
+ return super.doDecrypt(jweDecryptionInput, cek);
}
@Override
protected byte[] getActualCek(byte[] theCek, String algoJwt) {
validateCekAlgorithm(algoJwt);
return AesCbcHmacJweEncryption.doGetActualCek(theCek, algoJwt);
}
- protected void validateAuthenticationTag(JweCompactConsumer consumer, byte[] theCek) {
- byte[] actualAuthTag = consumer.getEncryptionAuthenticationTag();
+ protected void validateAuthenticationTag(JweDecryptionInput jweDecryptionInput, byte[] theCek) {
+ byte[] actualAuthTag = jweDecryptionInput.getAuthTag();
final AesCbcHmacJweEncryption.MacState macState =
AesCbcHmacJweEncryption.getInitializedMacState(theCek,
- consumer.getContentDecryptionCipherInitVector(),
- consumer.getJweHeaders(),
- consumer.getDecodedJsonHeaders());
- macState.mac.update(consumer.getEncryptedContent());
+ jweDecryptionInput.getInitVector(),
+ jweDecryptionInput.getAad(),
+ jweDecryptionInput.getJweHeaders(),
+ jweDecryptionInput.getDecodedJsonHeaders());
+ macState.mac.update(jweDecryptionInput.getEncryptedContent());
byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
throw new SecurityException();
@@ -69,7 +70,7 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
return new IvParameterSpec(theIv);
}
@Override
- public byte[] getAdditionalAuthenticationData(String headersJson) {
+ public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
return null;
}
@Override
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 6613625..488466c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -100,13 +100,14 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
return authTag;
}
private MacState getInitializedMacState(final JweEncryptionInternal state) {
- String headersJson = getJwtHeadersWriter().headersToJson(state.theHeaders);
- return getInitializedMacState(state.secretKey, state.theIv, state.theHeaders, headersJson);
+ return getInitializedMacState(state.secretKey, state.theIv, state.aad,
+ state.theHeaders, state.protectedHeadersJson);
}
protected static MacState getInitializedMacState(byte[] secretKey,
byte[] theIv,
- JweHeaders theHeaders,
- String headersJson) {
+ byte[] extraAad,
+ JweHeaders theHeaders,
+ String protectedHeadersJson) {
String algoJwt = theHeaders.getContentEncryptionAlgorithm();
int size = getFullCekKeySize(algoJwt) / 2;
byte[] macKey = new byte[size];
@@ -115,8 +116,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
String hmacAlgoJava = AES_HMAC_MAP.get(algoJwt);
Mac mac = HmacUtils.getInitializedMac(macKey, hmacAlgoJava, null);
-
- byte[] aad = JweHeaders.toCipherAdditionalAuthData(headersJson);
+ byte[] aad = JweUtils.getAdditionalAuthenticationData(protectedHeadersJson, extraAad);
ByteBuffer buf = ByteBuffer.allocate(8);
final byte[] al = buf.putInt(0).putInt(aad.length * 8).array();
@@ -125,7 +125,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
MacState macState = new MacState();
macState.mac = mac;
macState.al = al;
- macState.headersJson = headersJson;
+ macState.headersJson = protectedHeadersJson;
return macState;
}
@@ -160,7 +160,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
return new IvParameterSpec(theIv);
}
@Override
- public byte[] getAdditionalAuthenticationData(String headersJson) {
+ public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
return null;
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index 0043ec2..6180014 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -46,18 +46,18 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
super(secretKey, supportedAlgo);
}
@Override
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(consumer);
- byte[] tag = getDecodedBytes(consumer, "tag");
+ protected byte[] getEncryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(jweDecryptionInput);
+ byte[] tag = getDecodedBytes(jweDecryptionInput, "tag");
return JweCompactConsumer.getCipherWithAuthTag(encryptedCekKey, tag);
}
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
- byte[] iv = getDecodedBytes(consumer, "iv");
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweDecryptionInput jweDecryptionInput) {
+ byte[] iv = getDecodedBytes(jweDecryptionInput, "iv");
return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
}
- private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+ private byte[] getDecodedBytes(JweDecryptionInput jweDecryptionInput, String headerName) {
try {
- Object ivHeader = consumer.getJweHeaders().getHeader(headerName);
+ Object ivHeader = jweDecryptionInput.getJweHeaders().getHeader(headerName);
return Base64UrlUtility.decode(ivHeader.toString());
} catch (Exception ex) {
throw new SecurityException(ex);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
index 89d70f4..e75eecc 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
@@ -23,6 +23,6 @@ import java.security.spec.AlgorithmParameterSpec;
public interface ContentEncryptionCipherProperties {
String getAlgorithm();
- byte[] getAdditionalAuthenticationData(String headersJson);
+ byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad);
AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
index e57ee32..576cdaa 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
@@ -39,16 +39,16 @@ public class DirectKeyJweDecryption extends AbstractJweDecryption {
this.contentDecryptionKey = contentDecryptionKey;
}
@Override
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- validateKeyEncryptionKey(consumer);
+ public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ validateKeyEncryptionKey(jweDecryptionInput);
return contentDecryptionKey;
}
@Override
public String getAlgorithm() {
return null;
}
- protected void validateKeyEncryptionKey(JweCompactConsumer consumer) {
- byte[] encryptedCEK = consumer.getEncryptedContentEncryptionKey();
+ protected void validateKeyEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ byte[] encryptedCEK = jweDecryptionInput.getEncryptedCEK();
if (encryptedCEK != null && encryptedCEK.length > 0) {
throw new SecurityException();
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
index 025d2db..fd72fa9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
@@ -33,15 +33,16 @@ public class EcdhAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm
this.algo = algo;
}
@Override
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
+ public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
byte[] derivedKey =
- EcdhDirectKeyJweDecryption.getDecryptedContentEncryptionKeyFromHeaders(consumer.getJweHeaders(), key);
+ EcdhDirectKeyJweDecryption.getDecryptedContentEncryptionKeyFromHeaders(
+ jweDecryptionInput.getJweHeaders(), key);
KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey) {
protected boolean isValidAlgorithmFamily(String wrapAlgo) {
return Algorithm.isEcdhEsWrap(wrapAlgo);
}
};
- return aesWrap.getDecryptedContentEncryptionKey(consumer);
+ return aesWrap.getDecryptedContentEncryptionKey(jweDecryptionInput);
}
@Override
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
index 37049ea..584c54f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
@@ -49,10 +49,10 @@ public class EcdhDirectKeyJweDecryption extends DirectKeyJweDecryption {
this.privateKey = privateKey;
}
@Override
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- super.validateKeyEncryptionKey(consumer);
+ public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ super.validateKeyEncryptionKey(jweDecryptionInput);
- return getDecryptedContentEncryptionKeyFromHeaders(consumer.getJweHeaders(), privateKey);
+ return getDecryptedContentEncryptionKeyFromHeaders(jweDecryptionInput.getJweHeaders(), privateKey);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index fb7be1a..229ab78 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
@@ -28,12 +28,7 @@ import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
public class JweCompactConsumer {
- private String headersJson;
- private byte[] encryptedCEK;
- private byte[] initVector;
- private byte[] encryptedContent;
- private byte[] authTag;
- private JweHeaders jweHeaders;
+ private JweDecryptionInput jweDecryptionInput;
public JweCompactConsumer(String jweContent) {
if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
jweContent = jweContent.substring(1, jweContent.length() - 1);
@@ -43,18 +38,24 @@ public class JweCompactConsumer {
throw new SecurityException("5 JWE parts are expected");
}
try {
- headersJson = new String(Base64UrlUtility.decode(parts[0]));
- encryptedCEK = Base64UrlUtility.decode(parts[1]);
- initVector = Base64UrlUtility.decode(parts[2]);
-
- encryptedContent = Base64UrlUtility.decode(parts[3]);
- authTag = Base64UrlUtility.decode(parts[4]);
+ String headersJson = new String(Base64UrlUtility.decode(parts[0]));
+ byte[] encryptedCEK = Base64UrlUtility.decode(parts[1]);
+ byte[] initVector = Base64UrlUtility.decode(parts[2]);
+ byte[] encryptedContent = Base64UrlUtility.decode(parts[3]);
+ byte[] authTag = Base64UrlUtility.decode(parts[4]);
JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
if (joseHeaders.getUpdateCount() != null) {
throw new SecurityException("Duplicate headers have been detected");
}
- jweHeaders = new JweHeaders(joseHeaders);
+ JweHeaders jweHeaders = new JweHeaders(joseHeaders);
+ jweDecryptionInput = new JweDecryptionInput(encryptedCEK,
+ initVector,
+ encryptedContent,
+ authTag,
+ null,
+ headersJson,
+ jweHeaders);
} catch (Base64Exception ex) {
throw new SecurityException(ex);
@@ -62,37 +63,39 @@ public class JweCompactConsumer {
}
public String getDecodedJsonHeaders() {
- return headersJson;
+ return jweDecryptionInput.getDecodedJsonHeaders();
}
public JweHeaders getJweHeaders() {
- return jweHeaders;
+ return jweDecryptionInput.getJweHeaders();
}
public byte[] getEncryptedContentEncryptionKey() {
- return encryptedCEK;
+ return jweDecryptionInput.getEncryptedCEK();
}
public byte[] getContentDecryptionCipherInitVector() {
- return initVector;
+ return jweDecryptionInput.getInitVector();
}
public byte[] getContentEncryptionCipherAAD() {
- return JweHeaders.toCipherAdditionalAuthData(headersJson);
+ return JweHeaders.toCipherAdditionalAuthData(jweDecryptionInput.getDecodedJsonHeaders());
}
public byte[] getEncryptionAuthenticationTag() {
- return authTag;
+ return jweDecryptionInput.getAuthTag();
}
public byte[] getEncryptedContent() {
- return encryptedContent;
+ return jweDecryptionInput.getEncryptedContent();
}
public byte[] getEncryptedContentWithAuthTag() {
- return getCipherWithAuthTag(encryptedContent, authTag);
+ return getCipherWithAuthTag(getEncryptedContent(), getEncryptionAuthenticationTag());
+ }
+ public JweDecryptionInput getJweDecryptionInput() {
+ return jweDecryptionInput;
}
-
public static byte[] getCipherWithAuthTag(byte[] cipher, byte[] authTag) {
byte[] encryptedContentWithTag = new byte[cipher.length + authTag.length];
System.arraycopy(cipher, 0, encryptedContentWithTag, 0, cipher.length);
@@ -101,7 +104,8 @@ public class JweCompactConsumer {
}
public byte[] getDecryptedContent(JweDecryptionProvider decryption) {
- return decryption.decrypt(this);
+ // temp workaround
+ return decryption.decrypt(jweDecryptionInput);
}
public String getDecryptedContentText(JweDecryptionProvider decryption) {
try {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
new file mode 100644
index 0000000..8d7f00f
--- /dev/null
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+
+public class JweDecryptionInput {
+ private String headersJson;
+ private byte[] encryptedCEK;
+ private byte[] initVector;
+ private byte[] encryptedContent;
+ private byte[] authTag;
+ private byte[] aad;
+ private JweHeaders jweHeaders;
+
+ public JweDecryptionInput(byte[] encryptedCEK,
+ byte[] initVector,
+ byte[] encryptedContent,
+ byte[] authTag,
+ byte[] aad,
+ String headersJson,
+ JweHeaders jweHeaders) {
+ this.encryptedCEK = encryptedCEK;
+ this.initVector = initVector;
+ this.encryptedContent = encryptedContent;
+ this.aad = aad;
+ this.authTag = authTag;
+ this.headersJson = headersJson;
+ this.jweHeaders = jweHeaders;
+ }
+
+ public byte[] getEncryptedCEK() {
+ return encryptedCEK;
+ }
+ public byte[] getInitVector() {
+ return initVector;
+ }
+ public byte[] getEncryptedContent() {
+ return encryptedContent;
+ }
+ public byte[] getAuthTag() {
+ return authTag;
+ }
+ public byte[] getAad() {
+ return aad;
+ }
+ public String getDecodedJsonHeaders() {
+ return headersJson;
+ }
+ public JweHeaders getJweHeaders() {
+ return jweHeaders;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
index 006bc03..1f4861a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
@@ -22,5 +22,5 @@ package org.apache.cxf.rs.security.jose.jwe;
public interface JweDecryptionProvider extends JweKeyProperties {
JweDecryptionOutput decrypt(String jweContent);
- byte[] decrypt(JweCompactConsumer consumer);
+ byte[] decrypt(JweDecryptionInput jweInput);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
index addc7b6..df4a0d9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
@@ -25,5 +25,5 @@ public interface JweEncryptionProvider extends JweKeyProperties {
/**
* Prepare JWE state (optional operation)
*/
- JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders);
+ JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders, byte[] aad);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
index 7b0ce21..f049ffb 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
@@ -31,7 +31,6 @@ import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
public class JweHeaders extends JoseHeaders {
-
public JweHeaders() {
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
index 8f4599a..77dcf27 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
@@ -48,7 +48,7 @@ public class JweJwtCompactConsumer {
headers.getContentEncryptionAlgorithm()));
}
public JwtToken decryptWith(JweDecryptionProvider jwe) {
- byte[] bytes = jwe.decrypt(jweConsumer);
+ byte[] bytes = jwe.decrypt(jweConsumer.getJweDecryptionInput());
JwtClaims claims = new JwtTokenReaderWriter().fromJsonClaims(toString(bytes));
return new JwtToken(headers, claims);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index ae820f6..accd8a3 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -413,7 +413,18 @@ public final class JweUtils {
byte[] keyZ = generateKeyZ(privateKey, peerPublicKey);
return calculateDerivedKey(keyZ, algoName, partyUInfo, partyVInfo, algoKeyBitLen);
}
-
+ public static byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
+ byte[] headersAAD = JweHeaders.toCipherAdditionalAuthData(headersJson);
+ if (aad != null) {
+ // JWE JSON can provide the extra aad
+ byte[] newAAD = Arrays.copyOf(headersAAD, headersAAD.length + 1 + aad.length);
+ newAAD[headersAAD.length] = '.';
+ System.arraycopy(aad, 0, newAAD, headersAAD.length + 1, aad.length);
+ return newAAD;
+ } else {
+ return headersAAD;
+ }
+ }
private static byte[] calculateDerivedKey(byte[] keyZ,
String algoName,
byte[] apuBytes,
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
index 83339ad..f8df934 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
@@ -21,5 +21,5 @@ package org.apache.cxf.rs.security.jose.jwe;
public interface KeyDecryptionAlgorithm {
String getAlgorithm();
- byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
+ byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
index 3fb8cb9..3fd9992 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -44,10 +44,11 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
this.algo = algo;
}
@Override
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- byte[] saltInput = getDecodedBytes(consumer, "p2s");
- int pbesCount = consumer.getJweHeaders().getIntegerHeader("p2c");
- String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm();
+ public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ JweHeaders jweHeaders = jweDecryptionInput.getJweHeaders();
+ byte[] saltInput = getDecodedBytes(jweHeaders.getHeader("p2s"));
+ int pbesCount = jweHeaders.getIntegerHeader("p2c");
+ String keyAlgoJwt = jweHeaders.getAlgorithm();
int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
.createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
@@ -56,12 +57,11 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
return Algorithm.isPbesHsWrap(wrapAlgo);
}
};
- return aesWrap.getDecryptedContentEncryptionKey(consumer);
+ return aesWrap.getDecryptedContentEncryptionKey(jweDecryptionInput);
}
- private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+ private byte[] getDecodedBytes(Object p2sHeader) {
try {
- Object headerValue = consumer.getJweHeaders().getHeader(headerName);
- return Base64UrlUtility.decode(headerValue.toString());
+ return Base64UrlUtility.decode(p2sHeader.toString());
} catch (Exception ex) {
throw new SecurityException(ex);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 3775ef7..2980dcc 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -37,19 +37,19 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
this.supportedAlgo = supportedAlgo;
this.unwrap = unwrap;
}
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
- AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer);
+ public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(jweDecryptionInput));
+ AlgorithmParameterSpec spec = getAlgorithmParameterSpec(jweDecryptionInput);
if (spec != null) {
keyProps.setAlgoSpec(spec);
}
if (!unwrap) {
keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer),
+ return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(jweDecryptionInput),
getCekDecryptionKey(), keyProps);
} else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer),
- getContentEncryptionAlgorithm(consumer),
+ return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(jweDecryptionInput),
+ getContentEncryptionAlgorithm(jweDecryptionInput),
getCekDecryptionKey(),
keyProps).getEncoded();
}
@@ -61,8 +61,8 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
protected int getKeyCipherBlockSize() {
return -1;
}
- protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
- String keyAlgo = consumer.getJweHeaders().getKeyEncryptionAlgorithm();
+ protected String getKeyEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+ String keyAlgo = jweDecryptionInput.getJweHeaders().getKeyEncryptionAlgorithm();
validateKeyEncryptionAlgorithm(keyAlgo);
return Algorithm.toJavaName(keyAlgo);
}
@@ -71,14 +71,14 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
throw new SecurityException();
}
}
- protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+ protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+ return Algorithm.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
}
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweDecryptionInput jweDecryptionInput) {
return null;
}
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- return consumer.getEncryptedContentEncryptionKey();
+ protected byte[] getEncryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+ return jweDecryptionInput.getEncryptedCEK();
}
@Override
public String getAlgorithm() {