You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by se...@apache.org on 2014/07/15 15:02:31 UTC
[2/2] git commit: [CXF-5311] Working toward finalizing the interfaces
[CXF-5311] Working toward finalizing the interfaces
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/50c57d9b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/50c57d9b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/50c57d9b
Branch: refs/heads/master
Commit: 50c57d9bec5f088086548d00afb70796cd0a7e91
Parents: 217d41a
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Tue Jul 15 14:02:15 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Tue Jul 15 14:02:15 2014 +0100
----------------------------------------------------------------------
.../oauth2/jwe/AbstractJweDecryption.java | 89 +++++++++
.../oauth2/jwe/AbstractJweDecryptor.java | 89 ---------
.../oauth2/jwe/AbstractJweEncryption.java | 169 +++++++++++++++++
.../oauth2/jwe/AbstractJweEncryptor.java | 184 -------------------
.../oauth2/jwe/DirectKeyJweDecryption.java | 40 ++++
.../oauth2/jwe/DirectKeyJweDecryptor.java | 40 ----
.../oauth2/jwe/DirectKeyJweEncryption.java | 39 ++++
.../oauth2/jwe/DirectKeyJweEncryptor.java | 39 ----
.../rs/security/oauth2/jwe/JweDecryption.java | 24 +++
.../rs/security/oauth2/jwe/JweDecryptor.java | 24 ---
.../rs/security/oauth2/jwe/JweEncryption.java | 60 ++++++
.../oauth2/jwe/JweEncryptionProvider.java | 26 +++
.../rs/security/oauth2/jwe/JweEncryptor.java | 27 ---
.../security/oauth2/jwe/RSAJweDecryption.java | 40 ++++
.../rs/security/oauth2/jwe/RSAJweDecryptor.java | 40 ----
.../security/oauth2/jwe/RSAJweEncryption.java | 62 +++++++
.../rs/security/oauth2/jwe/RSAJweEncryptor.java | 62 -------
.../oauth2/jwe/WrappedKeyJweDecryption.java | 67 +++++++
.../oauth2/jwe/WrappedKeyJweDecryptor.java | 67 -------
.../oauth2/jwe/WrappedKeyJweEncryption.java | 77 ++++++++
.../oauth2/jwe/WrappedKeyJweEncryptor.java | 77 --------
.../jws/AbstractJwsSignatureProvider.java | 26 +--
.../oauth2/jws/HmacJwsSignatureProvider.java | 12 +-
.../security/oauth2/jws/JwsCompactProducer.java | 12 +-
.../rs/security/oauth2/jws/JwsOutputStream.java | 4 +-
.../rs/security/oauth2/jws/JwsSignature.java | 25 +++
.../oauth2/jws/JwsSignatureProvider.java | 6 +-
.../oauth2/jws/JwsSignatureProviderWorker.java | 25 ---
.../jws/PrivateKeyJwsSignatureProvider.java | 19 +-
.../jwt/jaxrs/AbstractJweDecryptingFilter.java | 20 +-
.../oauth2/jwt/jaxrs/JweWriterInterceptor.java | 50 ++++-
.../oauth2/jwt/jaxrs/JwsWriterInterceptor.java | 19 +-
.../oauth2/jwe/JweCompactReaderWriterTest.java | 8 +-
33 files changed, 811 insertions(+), 757 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
new file mode 100644
index 0000000..5837e66
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public abstract class AbstractJweDecryption implements JweDecryption {
+ private JweCryptoProperties props;
+ protected AbstractJweDecryption(JweCryptoProperties props) {
+ this.props = props;
+ }
+
+ protected abstract byte[] getContentEncryptionKey(JweCompactConsumer consumer);
+
+ public JweDecryptionOutput decrypt(String content) {
+ JweCompactConsumer consumer = new JweCompactConsumer(content, props);
+ return doDecrypt(consumer);
+ }
+
+ protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
+ CeProvider ceProvider = new CeProvider(consumer);
+ byte[] bytes = consumer.getDecryptedContent(ceProvider);
+ return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
+ }
+ protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
+ return consumer.getEncryptedContentEncryptionKey();
+ }
+ protected AlgorithmParameterSpec getContentDecryptionCipherSpec(JweCompactConsumer consumer) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(consumer),
+ getContentEncryptionCipherInitVector(consumer));
+ }
+ protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
+ return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+ }
+ protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
+ return consumer.getContentEncryptionCipherAAD();
+ }
+ protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
+ return consumer.getEncryptedContentWithAuthTag();
+ }
+ protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) {
+ return consumer.getContentDecryptionCipherInitVector();
+ }
+ protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
+ return consumer.getEncryptionAuthenticationTag();
+ }
+ protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
+ return getEncryptionAuthenticationTag(consumer).length * 8;
+ }
+
+ protected class CeProvider implements ContentEncryptionProvider {
+
+ private JweCompactConsumer consumer;
+ public CeProvider(JweCompactConsumer consumer) {
+ this.consumer = consumer;
+ }
+ @Override
+ public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+ return AbstractJweDecryption.this.getContentEncryptionKey(consumer);
+ }
+
+ @Override
+ public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+ int authTagLength,
+ byte[] initVector) {
+ return getContentDecryptionCipherSpec(consumer);
+ }
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
deleted file mode 100644
index 1279e7f..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public abstract class AbstractJweDecryptor implements JweDecryptor {
- private JweCryptoProperties props;
- protected AbstractJweDecryptor(JweCryptoProperties props) {
- this.props = props;
- }
-
- protected abstract byte[] getContentEncryptionKey(JweCompactConsumer consumer);
-
- public JweDecryptionOutput decrypt(String content) {
- JweCompactConsumer consumer = new JweCompactConsumer(content, props);
- return doDecrypt(consumer);
- }
-
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
- CeProvider ceProvider = new CeProvider(consumer);
- byte[] bytes = consumer.getDecryptedContent(ceProvider);
- return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
- }
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- return consumer.getEncryptedContentEncryptionKey();
- }
- protected AlgorithmParameterSpec getContentDecryptionCipherSpec(JweCompactConsumer consumer) {
- return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(consumer),
- getContentEncryptionCipherInitVector(consumer));
- }
- protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
- }
- protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
- return consumer.getContentEncryptionCipherAAD();
- }
- protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
- return consumer.getEncryptedContentWithAuthTag();
- }
- protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) {
- return consumer.getContentDecryptionCipherInitVector();
- }
- protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
- return consumer.getEncryptionAuthenticationTag();
- }
- protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
- return getEncryptionAuthenticationTag(consumer).length * 8;
- }
-
- protected class CeProvider implements ContentEncryptionProvider {
-
- private JweCompactConsumer consumer;
- public CeProvider(JweCompactConsumer consumer) {
- this.consumer = consumer;
- }
- @Override
- public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
- return AbstractJweDecryptor.this.getContentEncryptionKey(consumer);
- }
-
- @Override
- public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
- int authTagLength,
- byte[] initVector) {
- return getContentDecryptionCipherSpec(consumer);
- }
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
new file mode 100644
index 0000000..871bfd8
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweEncryption implements JweEncryptionProvider {
+ protected static final int DEFAULT_IV_SIZE = 96;
+ protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private JweHeaders headers;
+ private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+ private byte[] cek;
+ private byte[] iv;
+ private AtomicInteger providedIvUsageCount;
+ private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+
+ protected AbstractJweEncryption(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
+ cek.getEncoded().length * 8)),
+ cek.getEncoded(), iv);
+ }
+ protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
+ this.headers = headers;
+ this.cek = cek;
+ this.iv = iv;
+ if (iv != null && iv.length > 0) {
+ providedIvUsageCount = new AtomicInteger();
+ }
+ }
+ protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ this(headers, cek, iv);
+ this.authTagLen = authTagLen;
+ }
+ protected AbstractJweEncryption(JweHeaders headers) {
+ this.headers = headers;
+ }
+ protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,
+ JwtHeadersWriter writer) {
+ this(headers, cek, iv, authTagLen);
+ if (writer != null) {
+ this.writer = writer;
+ }
+ }
+
+ protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+ }
+
+ protected byte[] getContentEncryptionCipherInitVector() {
+ if (iv == null) {
+ return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
+ } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
+ throw new SecurityException();
+ } else {
+ return iv;
+ }
+ }
+
+ protected byte[] getContentEncryptionKey() {
+ return cek;
+ }
+
+ protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
+
+ protected String getContentEncryptionAlgoJwt() {
+ return headers.getContentEncryptionAlgorithm();
+ }
+ protected String getContentEncryptionAlgoJava() {
+ return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
+ }
+
+ protected int getAuthTagLen() {
+ return authTagLen;
+ }
+ protected JweHeaders getJweHeaders() {
+ return headers;
+ }
+ public String encrypt(byte[] content, String contentType) {
+ JweEncryptionInternal state = getInternalState(contentType);
+
+ byte[] cipherText = CryptoUtils.encryptBytes(
+ content,
+ state.secretKey,
+ state.keyProps);
+
+
+ JweCompactProducer producer = new JweCompactProducer(state.theHeaders,
+ writer,
+ state.jweContentEncryptionKey,
+ state.theIv,
+ cipherText,
+ getAuthTagLen());
+ return producer.getJweContent();
+ }
+
+ @Override
+ public JweEncryption createJweEncryption(String contentType) {
+ JweEncryptionInternal state = getInternalState(contentType);
+ Cipher c = CryptoUtils.initCipher(state.secretKey, state.keyProps,
+ Cipher.ENCRYPT_MODE);
+ return new JweEncryption(c, getAuthTagLen(), state.theHeaders, state.jweContentEncryptionKey,
+ state.theIv, state.keyProps.isCompressionSupported());
+ }
+
+ private JweEncryptionInternal getInternalState(String contentType) {
+ JweHeaders theHeaders = headers;
+ if (contentType != null) {
+ theHeaders = new JweHeaders(theHeaders.asMap());
+ theHeaders.setContentType(contentType);
+ }
+
+ byte[] theCek = getContentEncryptionKey();
+ String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
+ KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+ keyProps.setCompressionSupported(compressionRequired(theHeaders));
+ byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
+ keyProps.setAdditionalData(additionalEncryptionParam);
+
+ byte[] theIv = getContentEncryptionCipherInitVector();
+ AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+ keyProps.setAlgoSpec(specParams);
+ byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+ JweEncryptionInternal state = new JweEncryptionInternal();
+ state.theHeaders = theHeaders;
+ state.jweContentEncryptionKey = jweContentEncryptionKey;
+ state.keyProps = keyProps;
+ state.secretKey = CryptoUtils.createSecretKeySpec(theCek,
+ contentEncryptionAlgoJavaName);
+ state.theIv = theIv;
+ return state;
+ }
+ private boolean compressionRequired(JweHeaders theHeaders) {
+ return JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(theHeaders.getZipAlgorithm());
+ }
+ private static class JweEncryptionInternal {
+ JweHeaders theHeaders;
+ byte[] jweContentEncryptionKey;
+ byte[] theIv;
+ KeyProperties keyProps;
+ SecretKey secretKey;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
deleted file mode 100644
index 3d5231d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
+++ /dev/null
@@ -1,184 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.concurrent.atomic.AtomicInteger;
-import java.util.zip.DeflaterOutputStream;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractJweEncryptor implements JweEncryptor {
- protected static final int DEFAULT_IV_SIZE = 96;
- protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private JweHeaders headers;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- private byte[] cek;
- private byte[] iv;
- private AtomicInteger providedIvUsageCount;
- private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-
- protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
- this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
- cek.getEncoded().length * 8)),
- cek.getEncoded(), iv);
- }
- protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
- this.headers = headers;
- this.cek = cek;
- this.iv = iv;
- if (iv != null && iv.length > 0) {
- providedIvUsageCount = new AtomicInteger();
- }
- }
- protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
- this(headers, cek, iv);
- this.authTagLen = authTagLen;
- }
- protected AbstractJweEncryptor(JweHeaders headers) {
- this.headers = headers;
- }
- protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,
- JwtHeadersWriter writer) {
- this(headers, cek, iv, authTagLen);
- if (writer != null) {
- this.writer = writer;
- }
- }
-
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
- return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
- }
-
- protected byte[] getContentEncryptionCipherInitVector() {
- if (iv == null) {
- return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
- } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
- } else {
- return iv;
- }
- }
-
- protected byte[] getContentEncryptionKey() {
- return cek;
- }
-
- protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
-
- protected String getContentEncryptionAlgoJwt() {
- return headers.getContentEncryptionAlgorithm();
- }
- protected String getContentEncryptionAlgoJava() {
- return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
- }
-
- protected int getAuthTagLen() {
- return authTagLen;
- }
- protected JweHeaders getJweHeaders() {
- return headers;
- }
- public String encrypt(byte[] content, String contentType) {
- JweEncryptorInternalState state = getInternalState(contentType);
-
- byte[] cipherText = CryptoUtils.encryptBytes(
- content,
- state.secretKey,
- state.keyProps);
-
-
- JweCompactProducer producer = new JweCompactProducer(state.theHeaders,
- writer,
- state.jweContentEncryptionKey,
- state.theIv,
- cipherText,
- getAuthTagLen());
- return producer.getJweContent();
- }
-
- @Override
- public OutputStream createJweStream(OutputStream os, String contentType) {
- JweEncryptorInternalState state = getInternalState(contentType);
- Cipher c = CryptoUtils.initCipher(state.secretKey, state.keyProps,
- Cipher.ENCRYPT_MODE);
- try {
- JweCompactProducer.startJweContent(os,
- state.theHeaders,
- writer,
- state.jweContentEncryptionKey,
- state.theIv);
- } catch (IOException ex) {
- throw new SecurityException(ex);
- }
- OutputStream jweStream = new JweOutputStream(os, c, getAuthTagLen());
- if (state.keyProps.isCompressionSupported()) {
- jweStream = new DeflaterOutputStream(jweStream);
- }
- return jweStream;
- }
-
- private JweEncryptorInternalState getInternalState(String contentType) {
- JweHeaders theHeaders = headers;
- if (contentType != null) {
- theHeaders = new JweHeaders(theHeaders.asMap());
- theHeaders.setContentType(contentType);
- }
-
- byte[] theCek = getContentEncryptionKey();
- String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
- KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
- keyProps.setCompressionSupported(compressionRequired(theHeaders));
- byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
- keyProps.setAdditionalData(additionalEncryptionParam);
-
- byte[] theIv = getContentEncryptionCipherInitVector();
- AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
- keyProps.setAlgoSpec(specParams);
- byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
- JweEncryptorInternalState state = new JweEncryptorInternalState();
- state.theHeaders = theHeaders;
- state.jweContentEncryptionKey = jweContentEncryptionKey;
- state.keyProps = keyProps;
- state.secretKey = CryptoUtils.createSecretKeySpec(theCek,
- contentEncryptionAlgoJavaName);
- state.theIv = theIv;
- return state;
- }
- private boolean compressionRequired(JweHeaders theHeaders) {
- return JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(theHeaders.getZipAlgorithm());
- }
- private static class JweEncryptorInternalState {
- JweHeaders theHeaders;
- byte[] jweContentEncryptionKey;
- byte[] theIv;
- KeyProperties keyProps;
- SecretKey secretKey;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
new file mode 100644
index 0000000..d7f3801
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class DirectKeyJweDecryption extends AbstractJweDecryption {
+ private byte[] contentDecryptionKey;
+ public DirectKeyJweDecryption(Key contentDecryptionKey) {
+ this(contentDecryptionKey, null);
+ }
+ public DirectKeyJweDecryption(Key contentDecryptionKey, JweCryptoProperties props) {
+ super(props);
+ this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+ }
+ @Override
+ protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
+ byte[] encryptedCEK = getEncryptedContentEncryptionKey(consumer);
+ if (encryptedCEK != null && encryptedCEK.length > 0) {
+ throw new SecurityException();
+ }
+ return contentDecryptionKey;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
deleted file mode 100644
index b733031..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-
-public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
- private byte[] contentDecryptionKey;
- public DirectKeyJweDecryptor(Key contentDecryptionKey) {
- this(contentDecryptionKey, null);
- }
- public DirectKeyJweDecryptor(Key contentDecryptionKey, JweCryptoProperties props) {
- super(props);
- this.contentDecryptionKey = contentDecryptionKey.getEncoded();
- }
- @Override
- protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
- byte[] encryptedCEK = getEncryptedContentEncryptionKey(consumer);
- if (encryptedCEK != null && encryptedCEK.length > 0) {
- throw new SecurityException();
- }
- return contentDecryptionKey;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
new file mode 100644
index 0000000..88caeec
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+
+public class DirectKeyJweEncryption extends AbstractJweEncryption {
+ public DirectKeyJweEncryption(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
+ cek.getEncoded().length * 8)), cek.getEncoded(), iv);
+ }
+ public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
+ super(headers, cek, iv);
+ }
+ public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ super(headers, cek, iv, authTagLen);
+ }
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ return new byte[0];
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
deleted file mode 100644
index 7f1b59d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-
-public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
- public DirectKeyJweEncryptor(SecretKey cek, byte[] iv) {
- this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
- cek.getEncoded().length * 8)), cek.getEncoded(), iv);
- }
- public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
- super(headers, cek, iv);
- }
- public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
- super(headers, cek, iv, authTagLen);
- }
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- return new byte[0];
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
new file mode 100644
index 0000000..814c0a7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryption.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+public interface JweDecryption {
+ JweDecryptionOutput decrypt(String jweContent);
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
deleted file mode 100644
index e1e2f4d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public interface JweDecryptor {
- JweDecryptionOutput decrypt(String jweContent);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
new file mode 100644
index 0000000..66ce657
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryption.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.Cipher;
+
+public class JweEncryption {
+ private Cipher cipher;
+ private int authTagLen;
+ private JweHeaders headers;
+ private byte[] contentEncryptionKey;
+ private byte[] iv;
+ private boolean compressionSupported;
+
+ public JweEncryption(Cipher cipher, int authTagLen, JweHeaders headers,
+ byte[] contentEncryptionKey,
+ byte[] iv, boolean compressionSupported) {
+ this.cipher = cipher;
+ this.authTagLen = authTagLen;
+ this.headers = headers;
+ this.contentEncryptionKey = contentEncryptionKey;
+ this.iv = iv;
+ this.compressionSupported = compressionSupported;
+ }
+ public Cipher getCipher() {
+ return cipher;
+ }
+ public JweHeaders getHeaders() {
+ return headers;
+ }
+ public byte[] getContentEncryptionKey() {
+ return contentEncryptionKey;
+ }
+ public byte[] getIv() {
+ return iv;
+ }
+ public boolean isCompressionSupported() {
+ return compressionSupported;
+ }
+ public int getAuthTagLen() {
+ return authTagLen;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
new file mode 100644
index 0000000..71bd02e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionProvider.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+
+public interface JweEncryptionProvider {
+ String encrypt(byte[] jweContent, String contentType);
+ JweEncryption createJweEncryption(String contentType);
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
deleted file mode 100644
index c304dbf..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.OutputStream;
-
-
-public interface JweEncryptor {
- String encrypt(byte[] jweContent, String contentType);
- OutputStream createJweStream(OutputStream os, String contentType);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
new file mode 100644
index 0000000..15b46ce
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryption.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPrivateKey;
+
+
+public class RSAJweDecryption extends WrappedKeyJweDecryption {
+
+ public RSAJweDecryption(RSAPrivateKey privateKey) {
+ this(privateKey, true);
+ }
+ public RSAJweDecryption(RSAPrivateKey privateKey, boolean unwrap) {
+ this(privateKey, unwrap, null);
+ }
+ public RSAJweDecryption(RSAPrivateKey privateKey, boolean unwrap,
+ JweCryptoProperties props) {
+ super(privateKey, unwrap, props);
+ }
+
+ protected int getKeyCipherBlockSize() {
+ return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
deleted file mode 100644
index 0bba471..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPrivateKey;
-
-
-public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
-
- public RSAJweDecryptor(RSAPrivateKey privateKey) {
- this(privateKey, true);
- }
- public RSAJweDecryptor(RSAPrivateKey privateKey, boolean unwrap) {
- this(privateKey, unwrap, null);
- }
- public RSAJweDecryptor(RSAPrivateKey privateKey, boolean unwrap,
- JweCryptoProperties props) {
- super(privateKey, unwrap, props);
- }
-
- protected int getKeyCipherBlockSize() {
- return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
new file mode 100644
index 0000000..b45c800
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.interfaces.RSAPublicKey;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class RSAJweEncryption extends WrappedKeyJweEncryption {
+ public RSAJweEncryption(RSAPublicKey publicKey, String contentEncryptionAlgo) {
+ super(new JweHeaders(Algorithm.RSA_OAEP.getJwtName(),
+ contentEncryptionAlgo), publicKey);
+ }
+ public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
+ this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+ }
+ public RSAJweEncryption(RSAPublicKey publicKey, SecretKey secretKey, String secretKeyJwtAlgorithm,
+ byte[] iv) {
+ this(publicKey,
+ new JweHeaders(Algorithm.RSA_OAEP.getJwtName(), secretKeyJwtAlgorithm),
+ secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+ }
+ public RSAJweEncryption(RSAPublicKey publicKey, SecretKey secretKey, byte[] iv) {
+ this(publicKey, secretKey,
+ Algorithm.toJwtName(secretKey.getAlgorithm(),
+ secretKey.getEncoded().length * 8), iv);
+ }
+
+ public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ this(publicKey, headers, cek, iv, authTagLen, wrap, null);
+ }
+
+ public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
+ JwtHeadersWriter writer) {
+ this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
+ }
+ public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap, JwtHeadersWriter writer) {
+ super(headers, publicKey, cek, iv, authTagLen, wrap, writer);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
deleted file mode 100644
index e0974f1..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPublicKey;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-
-public class RSAJweEncryptor extends WrappedKeyJweEncryptor {
- public RSAJweEncryptor(RSAPublicKey publicKey, String contentEncryptionAlgo) {
- super(new JweHeaders(Algorithm.RSA_OAEP.getJwtName(),
- contentEncryptionAlgo), publicKey);
- }
- public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
- this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
- }
- public RSAJweEncryptor(RSAPublicKey publicKey, SecretKey secretKey, String secretKeyJwtAlgorithm,
- byte[] iv) {
- this(publicKey,
- new JweHeaders(Algorithm.RSA_OAEP.getJwtName(), secretKeyJwtAlgorithm),
- secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH, true);
- }
- public RSAJweEncryptor(RSAPublicKey publicKey, SecretKey secretKey, byte[] iv) {
- this(publicKey, secretKey,
- Algorithm.toJwtName(secretKey.getAlgorithm(),
- secretKey.getEncoded().length * 8), iv);
- }
-
- public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap) {
- this(publicKey, headers, cek, iv, authTagLen, wrap, null);
- }
-
- public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
- JwtHeadersWriter writer) {
- this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
- }
- public RSAJweEncryptor(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap, JwtHeadersWriter writer) {
- super(headers, publicKey, cek, iv, authTagLen, wrap, writer);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
new file mode 100644
index 0000000..62a69eb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class WrappedKeyJweDecryption extends AbstractJweDecryption {
+ private Key cekDecryptionKey;
+ private boolean unwrap;
+ public WrappedKeyJweDecryption(Key cekDecryptionKey) {
+ this(cekDecryptionKey, true);
+ }
+ public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap) {
+ this(cekDecryptionKey, unwrap, null);
+ }
+ public WrappedKeyJweDecryption(Key cekDecryptionKey, JweCryptoProperties props) {
+ this(cekDecryptionKey, true, props);
+ }
+ public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
+ JweCryptoProperties props) {
+ super(props);
+ this.cekDecryptionKey = cekDecryptionKey;
+ this.unwrap = unwrap;
+ }
+ protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
+ KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
+ if (!unwrap) {
+ keyProps.setBlockSize(getKeyCipherBlockSize());
+ return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer),
+ getCekDecryptionKey(), keyProps);
+ } else {
+ return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer),
+ getContentEncryptionAlgorithm(consumer),
+ getCekDecryptionKey(),
+ keyProps).getEncoded();
+ }
+ }
+ protected Key getCekDecryptionKey() {
+ return cekDecryptionKey;
+ }
+ protected int getKeyCipherBlockSize() {
+ return -1;
+ }
+ protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
+ return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
deleted file mode 100644
index 6688670..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
- private Key cekDecryptionKey;
- private boolean unwrap;
- public WrappedKeyJweDecryptor(Key cekDecryptionKey) {
- this(cekDecryptionKey, true);
- }
- public WrappedKeyJweDecryptor(Key cekDecryptionKey, boolean unwrap) {
- this(cekDecryptionKey, unwrap, null);
- }
- public WrappedKeyJweDecryptor(Key cekDecryptionKey, JweCryptoProperties props) {
- this(cekDecryptionKey, true, props);
- }
- public WrappedKeyJweDecryptor(Key cekDecryptionKey, boolean unwrap,
- JweCryptoProperties props) {
- super(props);
- this.cekDecryptionKey = cekDecryptionKey;
- this.unwrap = unwrap;
- }
- protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
- if (!unwrap) {
- keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer),
- getCekDecryptionKey(), keyProps);
- } else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer),
- getContentEncryptionAlgorithm(consumer),
- getCekDecryptionKey(),
- keyProps).getEncoded();
- }
- }
- protected Key getCekDecryptionKey() {
- return cekDecryptionKey;
- }
- protected int getKeyCipherBlockSize() {
- return -1;
- }
- protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
new file mode 100644
index 0000000..9b37515
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class WrappedKeyJweEncryption extends AbstractJweEncryption {
+ private Key cekEncryptionKey;
+ private boolean wrap;
+ private AtomicInteger providedCekUsageCount;
+ public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey) {
+ this(headers, cekEncryptionKey, null, null);
+ }
+ public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+ this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
+ }
+ public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
+ }
+
+ public WrappedKeyJweEncryption(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
+ boolean wrap, JwtHeadersWriter writer) {
+ super(headers, cek, iv, authTagLen, writer);
+ this.cekEncryptionKey = cekEncryptionKey;
+ this.wrap = wrap;
+ if (cek != null) {
+ providedCekUsageCount = new AtomicInteger();
+ }
+ }
+ protected byte[] getContentEncryptionKey() {
+ byte[] theCek = super.getContentEncryptionKey();
+ if (theCek == null) {
+ String algoJava = getContentEncryptionAlgoJava();
+ String algoJwt = getContentEncryptionAlgoJwt();
+ theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava),
+ Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
+ } else if (providedCekUsageCount.addAndGet(1) > 1) {
+ throw new SecurityException();
+ }
+ return theCek;
+ }
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+ if (!wrap) {
+ return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+ } else {
+ return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgoJava(), cekEncryptionKey,
+ secretKeyProperties.getKeyAlgo());
+ }
+ }
+ protected String getContentEncryptionKeyEncryptionAlgo() {
+ return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
deleted file mode 100644
index 998be77..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
- private Key cekEncryptionKey;
- private boolean wrap;
- private AtomicInteger providedCekUsageCount;
- public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
- this(headers, cekEncryptionKey, null, null);
- }
- public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
- this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
- }
- public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap) {
- this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
- }
-
- public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
- boolean wrap, JwtHeadersWriter writer) {
- super(headers, cek, iv, authTagLen, writer);
- this.cekEncryptionKey = cekEncryptionKey;
- this.wrap = wrap;
- if (cek != null) {
- providedCekUsageCount = new AtomicInteger();
- }
- }
- protected byte[] getContentEncryptionKey() {
- byte[] theCek = super.getContentEncryptionKey();
- if (theCek == null) {
- String algoJava = getContentEncryptionAlgoJava();
- String algoJwt = getContentEncryptionAlgoJwt();
- theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava),
- Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
- } else if (providedCekUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
- }
- return theCek;
- }
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
- if (!wrap) {
- return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgoJava(), cekEncryptionKey,
- secretKeyProperties.getKeyAlgo());
- }
- }
- protected String getContentEncryptionKeyEncryptionAlgo() {
- return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
index b78c63b..1e0ceee 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
@@ -18,12 +18,9 @@
*/
package org.apache.cxf.rs.security.oauth2.jws;
-import java.io.OutputStream;
import java.util.Set;
import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
private Set<String> supportedAlgorithms;
@@ -32,8 +29,8 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
protected AbstractJwsSignatureProvider(Set<String> supportedAlgorithms) {
this.supportedAlgorithms = supportedAlgorithms;
}
- @Override
- public JwtHeaders prepareHeaders(JwtHeaders headers) {
+
+ protected JwtHeaders prepareHeaders(JwtHeaders headers) {
if (headers == null) {
headers = new JwtHeaders();
}
@@ -47,24 +44,11 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
}
@Override
- public JwsOutputStream createJwsStream(OutputStream os, String contentType) {
- JwtHeaders headers = prepareHeaders(null);
- if (contentType != null) {
- headers.setContentType(contentType);
- }
- JwsSignatureProviderWorker worker = createJwsSignatureWorker(headers);
- JwsOutputStream jwsStream = new JwsOutputStream(os, worker);
- try {
- byte[] headerBytes = new JwtTokenReaderWriter().headersToJson(headers).getBytes("UTF-8");
- Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
- jwsStream.write(new byte[]{'.'});
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- return jwsStream;
+ public JwsSignature createJwsSignature(JwtHeaders headers) {
+ return doCreateJwsSignature(prepareHeaders(headers));
}
- protected abstract JwsSignatureProviderWorker createJwsSignatureWorker(JwtHeaders headers);
+ protected abstract JwsSignature doCreateJwsSignature(JwtHeaders headers);
public void setDefaultJwtAlgorithm(String algo) {
this.defaultJwtAlgorithm = algo;
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
index aa387fb..a71da3b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
@@ -56,13 +56,6 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider imple
}
}
-
- @Override
- public byte[] sign(JwtHeaders headers, String unsignedText) {
- headers = prepareHeaders(headers);
- return computeMac(headers, unsignedText);
- }
-
@Override
public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
byte[] expected = computeMac(headers, unsignedText);
@@ -75,11 +68,10 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider imple
hmacSpec,
text);
}
- @Override
- protected JwsSignatureProviderWorker createJwsSignatureWorker(JwtHeaders headers) {
+ protected JwsSignature doCreateJwsSignature(JwtHeaders headers) {
final Mac mac = HmacUtils.getInitializedMac(key, Algorithm.toJavaName(headers.getAlgorithm()),
hmacSpec);
- return new JwsSignatureProviderWorker() {
+ return new JwsSignature() {
@Override
public void update(byte[] src, int off, int len) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
index 0e0b1f7..55259d9 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java
@@ -71,9 +71,15 @@ public class JwsCompactProducer {
}
public String signWith(JwsSignatureProvider signer) {
- signer.prepareHeaders(getHeaders());
- signWith(signer.sign(getHeaders(), getUnsignedEncodedJws()));
- return getSignedEncodedJws();
+ JwsSignature worker = signer.createJwsSignature(getHeaders());
+ try {
+ byte[] bytes = getUnsignedEncodedJws().getBytes("UTF-8");
+ worker.update(bytes, 0, bytes.length);
+ signWith(worker.sign());
+ return getSignedEncodedJws();
+ } catch (Exception ex) {
+ throw new SecurityException();
+ }
}
public String signWith(String signatureText) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
index 26268d1..00d7c55 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsOutputStream.java
@@ -27,8 +27,8 @@ import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
public class JwsOutputStream extends FilterOutputStream {
private boolean flushed;
- private JwsSignatureProviderWorker signature;
- public JwsOutputStream(OutputStream out, JwsSignatureProviderWorker signature) {
+ private JwsSignature signature;
+ public JwsOutputStream(OutputStream out, JwsSignature signature) {
super(out);
this.signature = signature;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
new file mode 100644
index 0000000..2d1581d
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignature.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+
+public interface JwsSignature {
+ void update(byte[] src, int off, int len);
+ byte[] sign();
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
index 4f97f91..1b25f48 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java
@@ -18,12 +18,8 @@
*/
package org.apache.cxf.rs.security.oauth2.jws;
-import java.io.OutputStream;
-
import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
public interface JwsSignatureProvider {
- JwtHeaders prepareHeaders(JwtHeaders headers);
- byte[] sign(JwtHeaders headers, String unsignedText);
- JwsOutputStream createJwsStream(OutputStream os, String contentType);
+ JwsSignature createJwsSignature(JwtHeaders headers);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/50c57d9b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
deleted file mode 100644
index ca768d5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProviderWorker.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-
-public interface JwsSignatureProviderWorker {
- void update(byte[] src, int off, int len);
- byte[] sign();
-}