Posted to commits@cxf.apache.org by co...@apache.org on 2020/01/03 17:38:33 UTC
[cxf] 03/06: CXF-8185 Generated Ephemeral Public Key missing in JWE
Headers when Json Serialization is used (#617)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 5b8d565e424db6413d2e6ab92d2d59a63ba6bc92
Author: frelibert <fr...@yahoo.com>
AuthorDate: Fri Jan 3 16:50:56 2020 +0100
CXF-8185 Generated Ephemeral Public Key missing in JWE Headers when Json Serialization is used (#617)
(cherry picked from commit c32c69a522ef1c5d5f2845b079a6b754025be846)
---
.../rs/security/jose/jwe/AbstractJweEncryption.java | 4 ++--
.../cxf/rs/security/jose/jwe/JweJsonProducer.java | 20 ++++++++++++++++++--
.../rs/security/jose/jwe/JweJsonProducerTest.java | 5 +++--
3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index a1b226e..0089224 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -198,7 +198,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
JweEncryptionInternal state = new JweEncryptionInternal();
state.jweContentEncryptionKey = getEncryptedContentEncryptionKey(theHeaders, theCek);
-
+ state.theHeaders = theHeaders;
+
if (jweInput.isContentEncryptionRequired()) {
String contentEncryptionAlgoJavaName = getContentEncryptionAlgoJava();
KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
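Review bot: The reason `state.theHeaders = theHeaders;` now sits before the `isContentEncryptionRequired` branch is not recorded in the method, so a later tidy-up could move it back next to the other `state.*` assignments and silently reintroduce CXF-8185. Per the commit title, `getEncryptedContentEncryptionKey` on the preceding line can add recipient-specific headers (the ECDH-ES ephemeral public key, `epk`), and the JSON producer needs those even when it has switched content encryption off. A one-line comment at the new assignment would pin that down, e.g. `// Capture headers right after CEK encryption: key management may have added per-recipient entries (e.g. epk) that callers need even when content encryption is skipped.` The matching removal in the second hunk of this file is the other half of the same move. The enclosing method starts and ends outside the hunk.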
@@ -216,7 +217,6 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
state.keyProps = keyProps;
state.theIv = theIv;
- state.theHeaders = theHeaders;
state.protectedHeadersJson = protectedHeadersJson;
state.aad = jweInput.getAad();
state.secretKey = theCek;
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
index 6bb5fe7..f3dde4e 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
@@ -128,6 +128,22 @@ public class JweJsonProducer {
input.setContentEncryptionRequired(false);
}
JweEncryptionOutput state = encryptor.getEncryptionOutput(input);
+
+ if (state.getHeaders() != null && state.getHeaders().asMap().size() != jsonHeaders.asMap().size()) {
+ // New headers were generated during encryption for recipient
+ Map<String, Object> newHeaders = new LinkedHashMap<String, Object>();
+ state.getHeaders().asMap().forEach((name, value) -> {
+ if (!unionHeaders.containsHeader(name)) {
+ // store recipient header
+ newHeaders.put(name, value);
+ }
+ });
+ Map<String, Object> perRecipientUnprotectedHeaders = (perRecipientUnprotected != null)
+ ? new LinkedHashMap<String, Object>(perRecipientUnprotected.asMap())
+ : new LinkedHashMap<String, Object>();
+ perRecipientUnprotectedHeaders.putAll(newHeaders);
+ perRecipientUnprotected = new JweHeaders(perRecipientUnprotectedHeaders);
+ }
byte[] currentCipherText = state.getEncryptedContent();
byte[] currentAuthTag = state.getAuthTag();
byte[] currentIv = state.getIv();
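Review bot: The guard on the first added line uses a size comparison between `state.getHeaders()` and `jsonHeaders` as a proxy for "new headers were generated", while the loop below filters against `unionHeaders`; if the two sets can differ in content but not in count, or `jsonHeaders` and `unionHeaders` are built differently (both are declared outside the hunk), a generated entry is dropped silently. Since the `containsHeader` filter already decides exactly which entries are new, `if (state.getHeaders() != null) {` is sufficient and removes that blind spot. Separately, `perRecipientUnprotected` is reassigned here; if it is declared outside the per-recipient loop rather than inside it, headers generated for one recipient would carry over into the next recipient's entry — worth confirming against the declaration. The generated headers land in the per-recipient unprotected section, which is not covered by the AAD; that is permitted for recipient headers in JWE JSON serialization, but a comment stating it would help the next reader, as would the diamond operator on the two `new LinkedHashMap<String, Object>()` calls.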
@@ -152,11 +168,11 @@ public class JweJsonProducer {
entries.add(new JweJsonEncryptionEntry(perRecipientUnprotected, encodedCek));
}
- if (protectedHeader != null) {
+ if (protectedHeader != null && !protectedHeader.asMap().isEmpty()) {
jweJsonMap.put("protected",
Base64UrlUtility.encode(writer.toJson(protectedHeader)));
}
- if (unprotectedHeader != null) {
+ if (unprotectedHeader != null && !unprotectedHeader.asMap().isEmpty()) {
jweJsonMap.put("unprotected", unprotectedHeader);
}
if (entries.size() == 1 && canBeFlat) {
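Review bot: Omitting `protected` when the header map is empty changes what a consumer will use as AAD: RFC 7516 §5.1 defines the Encoded Protected Header as the empty string when the member is absent, whereas serializing an empty map yields base64url of `{}`. If the encryptor computed the authentication tag over the latter, the emitted JSON will no longer verify on the receiving side; the AAD construction is outside this hunk, so please confirm it treats an empty protected header as absent, or keep emitting `protected` whenever encryption actually used it. A short comment at the changed condition would make the coupling visible, e.g. `// An omitted "protected" member means the AAD was computed over an empty encoded header (RFC 7516 5.1)`. The enclosing method starts and ends outside the hunk.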
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
index c1a2f35..164dc33 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
@@ -71,7 +71,7 @@ public class JweJsonProducerTest {
+ "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
+ "\"recipients\":"
+ "["
- + "{}"
+ + "{\"header\":{\"alg\":\"dir\"}}"
+ "],"
+ "\"iv\":\"48V1_ALb6US04U3b\","
+ "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
@@ -80,6 +80,7 @@ public class JweJsonProducerTest {
static final String SINGLE_RECIPIENT_DIRECT_FLAT_OUTPUT =
"{"
+ "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
+ + "\"header\":{\"alg\":\"dir\"},"
+ "\"iv\":\"48V1_ALb6US04U3b\","
+ "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
+ "\"tag\":\"Te59ApbK8wNBDY_1_dgYSw\""
@@ -146,7 +147,7 @@ public class JweJsonProducerTest {
+ "\"protected\":\"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0\","
+ "\"recipients\":"
+ "["
- + "{}"
+ + "{\"header\":{\"alg\":\"dir\"}}"
+ "],"
+ "\"iv\":\"AxY8DCtDaGlsbGljb3RoZQ\","
+ "\"ciphertext\":\"KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY\","