You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by se...@apache.org on 2015/04/03 15:39:25 UTC
cxf git commit: [CXF-6133] Finalizing for now with replacing
SecurityException with JweException in the jwe code, to be continued later on
Repository: cxf
Updated Branches:
refs/heads/master 32899b7ce -> 2e79c7e1f
[CXF-6133] Finalizing for now with replacing SecurityException with JweException in the jwe code, to be continued later on
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e79c7e1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e79c7e1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e79c7e1
Branch: refs/heads/master
Commit: 2e79c7e1fae7bd3d5e7a219bfb07b2be3816f657
Parents: 32899b7
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Apr 3 14:39:09 2015 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Apr 3 14:39:09 2015 +0100
----------------------------------------------------------------------
.../jose/jaxrs/JweWriterInterceptor.java | 7 +++-
.../security/jose/jaxrs/KeyManagementUtils.java | 36 ++++++++++++++------
.../jwe/AbstractContentEncryptionAlgorithm.java | 3 +-
...stractContentEncryptionCipherProperties.java | 4 +++
.../jose/jwe/AbstractJweDecryption.java | 5 +++
.../jose/jwe/AbstractJweEncryption.java | 15 +++++---
.../jwe/AbstractWrapKeyEncryptionAlgorithm.java | 16 +++++----
.../jose/jwe/AesCbcHmacJweDecryption.java | 6 ++--
.../jose/jwe/AesCbcHmacJweEncryption.java | 3 +-
.../jwe/AesGcmContentDecryptionAlgorithm.java | 3 +-
.../jwe/AesGcmContentEncryptionAlgorithm.java | 3 +-
.../jwe/AesGcmWrapKeyDecryptionAlgorithm.java | 11 ++++--
.../jose/jwe/AesWrapKeyDecryptionAlgorithm.java | 6 ++--
.../jose/jwe/DirectKeyDecryptionAlgorithm.java | 6 +++-
.../jose/jwe/DirectKeyEncryptionAlgorithm.java | 11 +++---
.../security/jose/jwe/JweCompactConsumer.java | 15 +++++---
.../security/jose/jwe/JweDecryptionOutput.java | 4 ++-
.../cxf/rs/security/jose/jwe/JweException.java | 2 +-
.../rs/security/jose/jwe/JweJsonConsumer.java | 23 +++++++++----
.../rs/security/jose/jwe/JweJsonProducer.java | 19 +++++++----
.../rs/security/jose/jwe/JweOutputStream.java | 6 +++-
.../cxf/rs/security/jose/jwe/JweUtils.java | 18 +++++++---
.../PbesHmacAesWrapKeyDecryptionAlgorithm.java | 5 +--
.../PbesHmacAesWrapKeyEncryptionAlgorithm.java | 15 +++++---
.../jose/jwe/RSAKeyDecryptionAlgorithm.java | 4 +--
.../jose/jwe/WrappedKeyDecryptionAlgorithm.java | 12 +++++--
26 files changed, 184 insertions(+), 74 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 58cab8e..108a15f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -21,6 +21,7 @@ package org.apache.cxf.rs.security.jose.jaxrs;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
+import java.util.logging.Logger;
import java.util.zip.DeflaterOutputStream;
import javax.annotation.Priority;
@@ -29,6 +30,7 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.ext.WriterInterceptor;
import javax.ws.rs.ext.WriterInterceptorContext;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.io.CachedOutputStream;
@@ -38,12 +40,14 @@ import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionInput;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionOutput;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweException;
import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
@Priority(Priorities.JWE_WRITE_PRIORITY)
public class JweWriterInterceptor implements WriterInterceptor {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JweWriterInterceptor.class);
private JweEncryptionProvider encryptionProvider;
private boolean contentTypeRequired = true;
private boolean useJweOutputStream;
@@ -79,7 +83,8 @@ public class JweWriterInterceptor implements WriterInterceptor {
encryption.getContentEncryptionKey(),
encryption.getIv());
} catch (IOException ex) {
- throw new SecurityException(ex);
+ LOG.warning("JWE encryption error");
+ throw new JweException(JweException.Error.CONTENT_ENCRYPTION_FAILURE, ex);
}
OutputStream wrappedStream = null;
JweOutputStream jweOutputStream = new JweOutputStream(actualOs, encryption.getCipher(),
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index cad54f8..5a1fe60 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -40,14 +40,17 @@ import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
+import java.util.logging.Logger;
import org.apache.cxf.Bus;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.security.SecurityContext;
@@ -68,6 +71,7 @@ public final class KeyManagementUtils {
public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
public static final String RSSEC_DEFAULT_ALGORITHMS = "rs.security.default.algorithms";
public static final String RSSEC_REPORT_KEY_PROP = "rs.security.report.public.key";
+ private static final Logger LOG = LogUtils.getL7dLogger(KeyManagementUtils.class);
private KeyManagementUtils() {
}
@@ -89,7 +93,8 @@ public final class KeyManagementUtils {
return new X509Certificate[]{(X509Certificate)CryptoUtils.loadCertificate(keyStore, alias)};
}
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("X509 Certificates can not be created");
+ throw new JoseException(ex);
}
}
@@ -107,7 +112,8 @@ public final class KeyManagementUtils {
Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
return KeyManagementUtils.loadPublicKey(m, props);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Public key can not be loaded");
+ throw new JoseException(ex);
}
}
private static String getMessageProperty(Message m, String keyStoreLocPropPreferred,
@@ -115,7 +121,8 @@ public final class KeyManagementUtils {
String propLoc =
(String)MessageUtils.getContextualProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
if (propLoc == null) {
- throw new SecurityException();
+ LOG.warning("Properties resource is not identified");
+ throw new JoseException();
}
return propLoc;
}
@@ -219,7 +226,8 @@ public final class KeyManagementUtils {
InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
return CryptoUtils.loadKeyStore(is, keyStorePswd.toCharArray(), keyStoreType);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Key store can not be loaded");
+ throw new JoseException(ex);
}
}
public static List<String> encodeX509CertificateChain(X509Certificate[] chain) {
@@ -231,7 +239,8 @@ public final class KeyManagementUtils {
try {
encodedChain.add(CryptoUtils.encodeCertificate(cert));
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("X509 Certificate can not be encoded");
+ throw new JoseException(ex);
}
}
return encodedChain;
@@ -243,7 +252,8 @@ public final class KeyManagementUtils {
try {
certs.add((X509Certificate)CryptoUtils.decodeCertificate(encodedCert));
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("X509 Certificate can not be decoded");
+ throw new JoseException(ex);
}
}
return certs;
@@ -269,7 +279,8 @@ public final class KeyManagementUtils {
CertPath certPath = buildResult.getCertPath();
CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Certificate path validation error");
+ throw new JoseException(ex);
}
}
public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {
@@ -288,7 +299,7 @@ public final class KeyManagementUtils {
String storeProp1, String storeProp2) {
if (m == null) {
if (required) {
- throw new SecurityException();
+ throw new JoseException();
}
return null;
}
@@ -299,7 +310,8 @@ public final class KeyManagementUtils {
try {
props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Properties resource is not identified");
+ throw new JoseException(ex);
}
} else {
String keyFile = (String)m.getContextualProperty(RSSEC_KEY_STORE_FILE);
@@ -314,7 +326,8 @@ public final class KeyManagementUtils {
}
}
if (props == null && required) {
- throw new SecurityException();
+ LOG.warning("Properties resource is not identified");
+ throw new JoseException();
}
return props;
}
@@ -337,7 +350,8 @@ public final class KeyManagementUtils {
return loadPrivateKey(ks, m, props, keyOper, alias);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Private key can not be loaded");
+ throw new JoseException(ex);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 7627b94..bf7a68c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -48,7 +48,8 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
if (iv == null) {
return CryptoUtils.generateSecureRandomBytes(getIvSize() / 8);
} else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
+ LOG.warning("Custom IV is recommeded to be used once");
+ throw new JweException(JweException.Error.CUSTOM_IV_REUSED);
} else {
return iv;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index f7eb38c..4f9eecd 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -19,12 +19,16 @@
package org.apache.cxf.rs.security.jose.jwe;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AbstractContentEncryptionCipherProperties.class);
+
private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
private ContentAlgorithm algo;
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index d49359c..88cde87 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -20,15 +20,20 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.common.util.crypto.KeyProperties;
import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
public abstract class AbstractJweDecryption implements JweDecryptionProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwsUtils.class);
+
private KeyDecryptionAlgorithm keyDecryptionAlgo;
private ContentDecryptionAlgorithm contentDecryptionAlgo;
protected AbstractJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index 613dd2c..171ecc6 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -20,10 +20,12 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
+import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.common.util.crypto.KeyProperties;
import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -33,6 +35,7 @@ import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public abstract class AbstractJweEncryption implements JweEncryptionProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJweEncryption.class);
protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
private ContentEncryptionProvider contentEncryptionAlgo;
private KeyEncryptionProvider keyEncryptionAlgo;
@@ -165,10 +168,14 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
if (jweInHeaders != null) {
if (jweInHeaders.getKeyEncryptionAlgorithm() != null
&& (getKeyAlgorithm() == null
- || !getKeyAlgorithm().getJwaName().equals(jweInHeaders.getKeyEncryptionAlgorithm()))
- || jweInHeaders.getContentEncryptionAlgorithm() != null
- && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm())) {
- throw new SecurityException();
+ || !getKeyAlgorithm().getJwaName().equals(jweInHeaders.getKeyEncryptionAlgorithm()))) {
+ LOG.warning("Invalid key encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
+ }
+ if (jweInHeaders.getContentEncryptionAlgorithm() != null
+ && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm())) {
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
theHeaders.asMap().putAll(jweInHeaders.asMap());
protectedHeaders = jweInHeaders.getProtectedHeaders() != null
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
index 3797b64..642fcf6 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
@@ -21,13 +21,16 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Set;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.common.util.crypto.KeyProperties;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AbstractWrapKeyEncryptionAlgorithm.class);
private Key keyEncryptionKey;
private boolean wrap;
private KeyAlgorithm algorithm;
@@ -80,21 +83,22 @@ public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptio
}
protected String checkAlgorithm(String algo) {
if (algo != null && !supportedAlgorithms.contains(algo)) {
- throw new SecurityException();
+ LOG.warning("Invalid key encryption algorithm: " + algo);
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
return algo;
}
protected void checkAlgorithms(JweHeaders headers) {
String providedAlgo = headers.getKeyEncryptionAlgorithm();
- if ((providedAlgo == null && algorithm == null)
- || (providedAlgo != null && algorithm != null && !providedAlgo.equals(algorithm.getJwaName()))) {
- throw new SecurityException();
+ if (providedAlgo != null && !providedAlgo.equals(algorithm.getJwaName())) {
+ LOG.warning("Invalid key encryption algorithm: " + providedAlgo);
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
if (providedAlgo != null) {
checkAlgorithm(providedAlgo);
- } else if (algorithm != null) {
- headers.setKeyEncryptionAlgorithm(algorithm.getJwaName());
+ } else {
checkAlgorithm(algorithm.getJwaName());
+ headers.setKeyEncryptionAlgorithm(algorithm.getJwaName());
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index b39b787..c89ffd1 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -57,7 +57,8 @@ public class AesCbcHmacJweDecryption extends JweDecryption {
macState.mac.update(jweDecryptionInput.getEncryptedContent());
byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
- throw new SecurityException();
+ LOG.warning("Invalid authentication tag");
+ throw new JweException(JweException.Error.CONTENT_DECRYPTION_FAILURE);
}
}
@@ -82,7 +83,8 @@ public class AesCbcHmacJweDecryption extends JweDecryption {
private String validateCekAlgorithm(String cekAlgo) {
if (!AlgorithmUtils.isAesCbcHmac(cekAlgo)
|| supportedAlgo != null && !supportedAlgo.equals(cekAlgo)) {
- throw new SecurityException();
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
return cekAlgo;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index d3de1c7..8ac33e4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -167,7 +167,8 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
private static ContentAlgorithm validateCekAlgorithm(ContentAlgorithm cekAlgo) {
if (!AlgorithmUtils.isAesCbcHmac(cekAlgo.getJwaName())) {
- throw new SecurityException();
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
return cekAlgo;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
index f1a75ea..c588c5e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
@@ -33,7 +33,8 @@ public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionC
public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) {
String algo = headers.getContentEncryptionAlgorithm();
if (!AlgorithmUtils.isAesGcm(algo) || !getAlgorithm().getJwaName().equals(algo)) {
- throw new SecurityException();
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index f5788d9..0b4dd1e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -46,6 +46,7 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
if (AlgorithmUtils.isAesGcm(algo.getJwaName())) {
return algo;
}
- throw new SecurityException();
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index 8d8ec23..f0529f2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -19,15 +19,19 @@
package org.apache.cxf.rs.security.jose.jwe;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
import javax.crypto.SecretKey;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AesGcmWrapKeyDecryptionAlgorithm.class);
public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {
this(encodedKey, null);
}
@@ -35,7 +39,7 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
}
public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey) {
- this(secretKey, null);
+ this(secretKey, KeyAlgorithm.A128GCMKW);
}
public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey, KeyAlgorithm supportedAlgo) {
this(CryptoUtils.createSecretKeySpec(secretKey, AlgorithmUtils.AES), supportedAlgo);
@@ -61,13 +65,14 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
Object ivHeader = jweDecryptionInput.getJweHeaders().getHeader(headerName);
return Base64UrlUtility.decode(ivHeader.toString());
} catch (Exception ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
super.validateKeyEncryptionAlgorithm(keyAlgo);
if (!AlgorithmUtils.isAesGcmKeyWrap(keyAlgo)) {
- throw new SecurityException();
+ LOG.warning("Invalid key encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
index 7cfe880..2ef461f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
@@ -26,13 +26,13 @@ import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
public AesWrapKeyDecryptionAlgorithm(String encodedKey) {
- this(encodedKey, null);
+ this(encodedKey, KeyAlgorithm.A128KW);
}
public AesWrapKeyDecryptionAlgorithm(String encodedKey, KeyAlgorithm supportedAlgo) {
this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
}
public AesWrapKeyDecryptionAlgorithm(byte[] secretKey) {
- this(secretKey, null);
+ this(secretKey, KeyAlgorithm.A128KW);
}
public AesWrapKeyDecryptionAlgorithm(byte[] secretKey, KeyAlgorithm supportedAlgo) {
this(CryptoUtils.createSecretKeySpec(secretKey, AlgorithmUtils.AES_WRAP_ALGO_JAVA),
@@ -48,7 +48,7 @@ public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm
protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
super.validateKeyEncryptionAlgorithm(keyAlgo);
if (!isValidAlgorithmFamily(keyAlgo)) {
- throw new SecurityException();
+ reportInvalidKeyAlgorithm(keyAlgo);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
index 0d08f2d..6bf953d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
@@ -19,10 +19,13 @@
package org.apache.cxf.rs.security.jose.jwe;
import java.security.Key;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class DirectKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+ private static final Logger LOG = LogUtils.getL7dLogger(DirectKeyDecryptionAlgorithm.class);
private byte[] contentDecryptionKey;
public DirectKeyDecryptionAlgorithm(Key contentDecryptionKey) {
this(contentDecryptionKey.getEncoded());
@@ -42,7 +45,8 @@ public class DirectKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
protected void validateKeyEncryptionKey(JweDecryptionInput jweDecryptionInput) {
byte[] encryptedCEK = jweDecryptionInput.getEncryptedCEK();
if (encryptedCEK != null && encryptedCEK.length > 0) {
- throw new SecurityException();
+ LOG.warning("Unexpected content encryption key");
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
}
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
index e878beb..2f038a9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
@@ -18,18 +18,21 @@
*/
package org.apache.cxf.rs.security.jose.jwe;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class DirectKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+ private static final Logger LOG = LogUtils.getL7dLogger(DirectKeyEncryptionAlgorithm.class);
public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
- if (headers.getKeyEncryptionAlgorithm() != null) {
- throw new SecurityException();
- }
+ checkKeyEncryptionAlgorithm(headers);
return new byte[0];
}
protected void checkKeyEncryptionAlgorithm(JweHeaders headers) {
if (headers.getKeyEncryptionAlgorithm() != null) {
- throw new SecurityException();
+ LOG.warning("Key encryption algorithm header is set");
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
}
@Override
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index 229ab78..4fb17b4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
@@ -20,14 +20,18 @@
package org.apache.cxf.rs.security.jose.jwe;
import java.io.UnsupportedEncodingException;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
public class JweCompactConsumer {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JweCompactConsumer.class);
private JweDecryptionInput jweDecryptionInput;
public JweCompactConsumer(String jweContent) {
if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
@@ -35,7 +39,8 @@ public class JweCompactConsumer {
}
String[] parts = jweContent.split("\\.");
if (parts.length != 5) {
- throw new SecurityException("5 JWE parts are expected");
+ LOG.warning("5 JWE parts are expected");
+ throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
}
try {
String headersJson = new String(Base64UrlUtility.decode(parts[0]));
@@ -46,7 +51,8 @@ public class JweCompactConsumer {
JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
if (joseHeaders.getUpdateCount() != null) {
- throw new SecurityException("Duplicate headers have been detected");
+ LOG.warning("Duplicate headers have been detected");
+ throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
}
JweHeaders jweHeaders = new JweHeaders(joseHeaders);
jweDecryptionInput = new JweDecryptionInput(encryptedCEK,
@@ -58,7 +64,8 @@ public class JweCompactConsumer {
jweHeaders);
} catch (Base64Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Incorrect Base64 URL encoding");
+ throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
}
}
@@ -111,7 +118,7 @@ public class JweCompactConsumer {
try {
return new String(getDecryptedContent(decryption), "UTF-8");
} catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
public boolean validateCriticalHeaders() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
index f3cf255..7e2b290 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
@@ -20,6 +20,8 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.io.UnsupportedEncodingException;
+import org.apache.cxf.rs.security.jose.JoseException;
+
public class JweDecryptionOutput {
private JweHeaders headers;
private byte[] content;
@@ -37,7 +39,7 @@ public class JweDecryptionOutput {
try {
return new String(getContent(), "UTF-8");
} catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
index fdfd4ca..5b3dae5 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
@@ -39,7 +39,7 @@ public class JweException extends JoseException {
NO_DECRYPTOR,
NO_INIT_PROPERTIES,
KEY_ALGORITHM_NOT_SET,
- CONTENT_ALGORITHM_NOT_SET,
+ CUSTOM_IV_REUSED,
INVALID_KEY_ALGORITHM,
INVALID_CONTENT_ALGORITHM,
INVALID_CONTENT_KEY,
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
index 24ab37a..b13d367 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
@@ -24,12 +24,16 @@ import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.JoseUtils;
public class JweJsonConsumer {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JweJsonConsumer.class);
private String protectedHeaderJson;
private JweHeaders protectedHeaderJwe;
private JweHeaders sharedUnprotectedHeader;
@@ -58,12 +62,14 @@ public class JweJsonConsumer {
}
private JweDecryptionInput getJweDecryptionInput(JweDecryptionProvider jwe, JweJsonEncryptionEntry entry) {
- if (jwe == null || entry == null) {
- throw new SecurityException();
+ if (entry == null) {
+ LOG.warning("JWE JSON Entry is not available");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
JweHeaders unionHeaders = recipientsMap.get(entry);
if (unionHeaders == null) {
- throw new SecurityException();
+ LOG.warning("JWE JSON Entry union headers are not available");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
JweDecryptionInput input = new JweDecryptionInput(entry.getEncryptedKey(),
iv,
@@ -99,7 +105,8 @@ public class JweJsonConsumer {
List<Map<String, Object>> encryptionArray = CastUtils.cast((List<?>)jsonObjectMap.get("recipients"));
if (encryptionArray != null) {
if (jsonObjectMap.containsKey("encryption_key")) {
- throw new SecurityException("Invalid JWE JSON sequence");
+ LOG.warning("JWE JSON encryption_key is missing");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
for (Map<String, Object> encryptionEntry : encryptionArray) {
this.recipients.add(getEncryptionObject(encryptionEntry));
@@ -126,14 +133,16 @@ public class JweJsonConsumer {
if (sharedUnprotectedHeader != null) {
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
sharedUnprotectedHeader.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("Protected and unprotected headers have duplicate values");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
unionHeaders.asMap().putAll(sharedUnprotectedHeader.asMap());
}
if (recipientUnprotected != null) {
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
recipientUnprotected.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("Union and recipient unprotected headers have duplicate values");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
unionHeaders.asMap().putAll(recipientUnprotected.asMap());
}
@@ -168,7 +177,7 @@ public class JweJsonConsumer {
try {
return new String(aad, "UTF-8");
} catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
public List<JweJsonEncryptionEntry> getRecipients() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
index b722d08..4fbf737 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
@@ -25,12 +25,15 @@ import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
public class JweJsonProducer {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JweJsonProducer.class);
private JoseHeadersReaderWriter writer = new JoseHeadersReaderWriter();
private JweHeaders protectedHeader;
private JweHeaders unprotectedHeader;
@@ -81,7 +84,8 @@ public class JweJsonProducer {
if (unprotectedHeader != null) {
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
unprotectedHeader.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("Protected and unprotected headers have duplicate values");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
checkCriticalHeaders(unprotectedHeader);
unionHeaders.asMap().putAll(unprotectedHeader.asMap());
@@ -101,7 +105,8 @@ public class JweJsonProducer {
checkCriticalHeaders(perRecipientUnprotected);
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
perRecipientUnprotected.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("union and recipient unprotected headers have duplicate values");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
jsonHeaders = new JweHeaders(unionHeaders.asMap());
jsonHeaders.asMap().putAll(perRecipientUnprotected.asMap());
@@ -130,8 +135,8 @@ public class JweJsonProducer {
byte[] encryptedCek = state.getContentEncryptionKey();
if (encryptedCek.length == 0 && encryptor.getKeyAlgorithm() != null) {
- // can be null only if it is the direct key encryption
- throw new SecurityException();
+ LOG.warning("Unexpected key encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
String encodedCek = encryptedCek.length == 0 ? null : Base64UrlUtility.encode(encryptedCek);
entries.add(new JweJsonEncryptionEntry(perRecipientUnprotected, encodedCek));
@@ -173,13 +178,15 @@ public class JweJsonProducer {
set.add(encryptor.getContentAlgorithm().getJwaName());
}
if (set.size() != 1) {
- throw new SecurityException("Invalid content encryption algorithm");
+ LOG.warning("Invalid content encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
return set.iterator().next();
}
private static void checkCriticalHeaders(JweHeaders unprotected) {
if (unprotected.asMap().containsKey(JoseConstants.HEADER_CRITICAL)) {
- throw new SecurityException();
+ LOG.warning("Unprotected headers contain critical headers");
+ throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
index e8faa37..1a0447d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
@@ -22,12 +22,15 @@ import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
+import java.util.logging.Logger;
import javax.crypto.Cipher;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
public class JweOutputStream extends FilterOutputStream {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JweOutputStream.class);
private Cipher encryptingCipher;
private int blockSize;
private AuthenticationTagProducer authTagProducer;
@@ -126,7 +129,8 @@ public class JweOutputStream extends FilterOutputStream {
encodeAndWrite(authTag, 0, authTagLengthBits / 8, true);
}
} catch (Exception ex) {
- throw new SecurityException();
+ LOG.warning("Content encryption failure");
+ throw new JweException(JweException.Error.CONTENT_ENCRYPTION_FAILURE, ex);
}
flushed = true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 95aa785..2980137 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -28,10 +28,12 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
+import java.util.logging.Logger;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.common.util.crypto.MessageDigestUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -48,6 +50,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
public final class JweUtils {
+ private static final Logger LOG = LogUtils.getL7dLogger(JweUtils.class);
private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
@@ -462,7 +465,8 @@ public final class JweUtils {
final byte[] emptyPartyInfo = new byte[4];
if (apuBytes != null && apvBytes != null && Arrays.equals(apuBytes, apvBytes)) {
- throw new SecurityException();
+ LOG.warning("Derived key calculation problem: apu equals to apv");
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
byte[] algorithmId = concatenateDatalenAndData(StringUtils.toBytesASCII(algoName));
byte[] partyUInfo = apuBytes == null ? emptyPartyInfo : concatenateDatalenAndData(apuBytes);
@@ -488,7 +492,8 @@ public final class JweUtils {
byte[] round1Hash = MessageDigestUtils.createDigest(concatKDF, MessageDigestUtils.ALGO_SHA_256);
return Arrays.copyOf(round1Hash, algoKeyBitLen / 8);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Derived key calculation problem: round hash1 error");
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
}
private static byte[] generateKeyZ(ECPrivateKey privateKey, ECPublicKey publicKey) {
@@ -498,7 +503,8 @@ public final class JweUtils {
ka.doPhase(publicKey, true);
return ka.generateSecret();
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Derived key calculation problem");
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
}
private static byte[] concatenateDatalenAndData(byte[] bytesASCII) {
@@ -530,7 +536,8 @@ public final class JweUtils {
String contentEncryptionAlgo,
String compression) {
if (keyEncryptionProvider == null && ctEncryptionProvider == null) {
- throw new SecurityException();
+ LOG.warning("Key or content encryptor is not available");
+ throw new JweException(JweException.Error.NO_ENCRYPTOR);
}
JweHeaders headers =
prepareJweHeaders(keyEncryptionProvider != null ? keyEncryptionProvider.getAlgorithm().getJwaName() : null,
@@ -545,7 +552,8 @@ public final class JweUtils {
SecretKey ctDecryptionKey,
String contentDecryptionAlgo) {
if (keyDecryptionProvider == null && ctDecryptionKey == null) {
- throw new SecurityException();
+ LOG.warning("Key or content encryptor is not available");
+ throw new JweException(JweException.Error.NO_ENCRYPTOR);
}
if (keyDecryptionProvider != null) {
return createJweDecryptionProvider(keyDecryptionProvider, contentDecryptionAlgo);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
index 020d9b01..80fd2db 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.jose.jwe;
import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
@@ -54,7 +55,7 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
.createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
- KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey) {
+ KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey, algo) {
protected boolean isValidAlgorithmFamily(String wrapAlgo) {
return AlgorithmUtils.isPbesHsWrap(wrapAlgo);
}
@@ -65,7 +66,7 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
try {
return Base64UrlUtility.decode(p2sHeader.toString());
} catch (Exception ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
@Override
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index 6e678c7..d2d4ff4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -23,7 +23,9 @@ import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
@@ -38,6 +40,7 @@ import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.params.KeyParameter;
public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(PbesHmacAesWrapKeyEncryptionAlgorithm.class);
private static final Map<String, Integer> PBES_HMAC_MAP;
private static final Map<String, String> PBES_AES_MAP;
private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
@@ -92,13 +95,15 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvi
static byte[] validatePassword(byte[] p, String keyAlgoJwt, boolean hashLargePasswords) {
int minLen = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
if (p.length < minLen || p.length > 128) {
- throw new SecurityException();
+ LOG.warning("Invalid password length: " + p.length);
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
if (p.length > minLen && hashLargePasswords) {
try {
return MessageDigestUtils.createDigest(p, MessageDigestUtils.ALGO_SHA_256);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Password hash calculation error");
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE, ex);
}
} else {
return p;
@@ -157,13 +162,15 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvi
}
static KeyAlgorithm validateKeyAlgorithm(KeyAlgorithm algo) {
if (!AlgorithmUtils.isPbesHsWrap(algo.getJwaName())) {
- throw new SecurityException();
+ LOG.warning("Invalid key encryption algorithm");
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
return algo;
}
static int validatePbesCount(int count) {
if (count < 1000) {
- throw new SecurityException();
+ LOG.warning("Iteration count is too low");
+ throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
return count;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
index b1809c8..d29b442 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
@@ -25,7 +25,7 @@ import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
- this(privateKey, null);
+ this(privateKey, KeyAlgorithm.RSA_OAEP);
}
public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {
this(privateKey, supportedAlgo, true);
@@ -40,7 +40,7 @@ public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
super.validateKeyEncryptionAlgorithm(keyAlgo);
if (!AlgorithmUtils.isRsaKeyWrap(keyAlgo)) {
- throw new SecurityException();
+ reportInvalidKeyAlgorithm(keyAlgo);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e79c7e1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 4e5f74e..6414461 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -20,13 +20,16 @@ package org.apache.cxf.rs.security.jose.jwe;
import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.common.util.crypto.KeyProperties;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+ protected static final Logger LOG = LogUtils.getL7dLogger(WrappedKeyDecryptionAlgorithm.class);
private Key cekDecryptionKey;
private boolean unwrap;
private KeyAlgorithm supportedAlgo;
@@ -68,10 +71,15 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
return AlgorithmUtils.toJavaName(keyAlgo);
}
protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
- if (keyAlgo == null || supportedAlgo != null && !supportedAlgo.getJwaName().equals(keyAlgo)) {
- throw new SecurityException();
+ if (keyAlgo == null
+ || !supportedAlgo.getJwaName().equals(keyAlgo)) {
+ reportInvalidKeyAlgorithm(keyAlgo);
}
}
+ protected void reportInvalidKeyAlgorithm(String keyAlgo) {
+ LOG.warning("Invalid key encryption algorithm: " + keyAlgo);
+ throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
+ }
protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
return AlgorithmUtils.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
}