cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: [CXF-5311] Initial attempt to introduce some 'safety' into the encryption/decryption process, with more refactoring due for abstract classes
Date Thu, 05 Jun 2014 16:32:09 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 567f9862f -> fc8331eae


[CXF-5311] Initial attempt to introduce some 'safety' into the encryption/decryption process,
with more refactoring due for abstract classes


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fc8331ea
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fc8331ea
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fc8331ea

Branch: refs/heads/master
Commit: fc8331eaefef02740849f4cac51bc45c58f22ac4
Parents: 567f986
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Jun 5 17:31:50 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Thu Jun 5 17:31:50 2014 +0100

----------------------------------------------------------------------
 .../oauth2/jwe/AbstractJweDecryptor.java        | 127 +++++++++++++++
 .../oauth2/jwe/AbstractJweEncryptor.java        | 156 +++++++++++++++++++
 .../oauth2/jwe/DirectKeyJweDecryptor.java       |  27 ++++
 .../oauth2/jwe/DirectKeyJweEncryptor.java       |  35 +++++
 .../rs/security/oauth2/jwe/JweDecryptor.java    | 127 ---------------
 .../rs/security/oauth2/jwe/JweEncryptor.java    | 156 -------------------
 .../rs/security/oauth2/jwe/RSAJweDecryptor.java |   2 +-
 .../rs/security/oauth2/jwe/RSAJweEncryptor.java |   2 +-
 .../oauth2/jwe/WrappedKeyJweDecryptor.java      |  30 ++++
 .../oauth2/jwe/WrappedKeyJweEncryptor.java      |  41 +++++
 .../oauth2/jwe/JweCompactReaderWriterTest.java  |   4 +-
 11 files changed, 420 insertions(+), 287 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
new file mode 100644
index 0000000..cff7f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweDecryptor {
+    private JweCompactConsumer jweConsumer;
+    private Key cekDecryptionKey;
+    private byte[] contentDecryptionKey;
+    private boolean unwrap;
+    private CeProvider ceProvider = new CeProvider();
+    protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap)
{    
+        this.jweConsumer = new JweCompactConsumer(jweContent);
+        this.cekDecryptionKey = cekDecryptionKey;
+        this.unwrap = unwrap;
+    }
+    protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) {    
+        this(jweContent, null, false);
+        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+    }
+    protected Key getCekDecryptionKey() {
+        return cekDecryptionKey;
+    }
+    
+    protected byte[] getContentEncryptionKey() {
+        // This can be overridden if needed
+        if (contentDecryptionKey != null) {
+            return contentDecryptionKey;
+        }
+        
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+        if (!unwrap) {
+            keyProps.setBlockSize(getKeyCipherBlockSize());
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(),
keyProps);
+        } else {
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), 
+                                               getContentEncryptionAlgorithm(), 
+                                               getCekDecryptionKey(), 
+                                               keyProps).getEncoded();
+        }
+    }
+    protected int getKeyCipherBlockSize() {
+        return -1;
+    }
+    public byte[] getDecryptedContent() {
+        
+        return jweConsumer.getDecryptedContent(ceProvider);
+        
+    }
+    public String getDecryptedContentText() {
+        return jweConsumer.getDecryptedContentText(ceProvider);
+    }
+    public JweHeaders getJweHeaders() {
+        return getJweConsumer().getJweHeaders();
+    }
+    
+    protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
+        // this can be overridden if needed
+        return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),

+                                                   getContentEncryptionCipherInitVector());
+    }
+    protected String getKeyEncryptionAlgorithm() {
+        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgorithm() {
+        return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
+    }
+    protected byte[] getEncryptedContentEncryptionKey() {
+        return getJweConsumer().getEncryptedContentEncryptionKey();
+    }
+    protected byte[] getContentEncryptionCipherAAD() {
+        return getJweConsumer().getContentEncryptionCipherAAD();
+    }
+    protected byte[] getEncryptedContentWithAuthTag() {
+        return getJweConsumer().getEncryptedContentWithAuthTag();
+    }
+    protected byte[] getContentEncryptionCipherInitVector() { 
+        return getJweConsumer().getContentDecryptionCipherInitVector();
+    }
+    protected byte[] getEncryptionAuthenticationTag() {
+        return getJweConsumer().getEncryptionAuthenticationTag();
+    }
+    protected int getEncryptionAuthenticationTagLenBits() {
+        return getEncryptionAuthenticationTag().length * 8;
+    }
+    protected JweCompactConsumer getJweConsumer() { 
+        return jweConsumer;
+    }
+    
+    private class CeProvider implements ContentEncryptionProvider {
+
+        @Override
+        public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+            return AbstractJweDecryptor.this.getContentEncryptionKey();
+        }
+
+        @Override
+        public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+                                                                     int authTagLength,
+                                                                     byte[] initVector) {
+            return getContentDecryptionCipherSpec();
+        }
+        
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
new file mode 100644
index 0000000..44987f9
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweEncryptor {
+    protected static final int DEFAULT_IV_SIZE = 96;
+    protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+    private Key cekEncryptionKey;
+    private JweHeaders headers;
+    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+    private byte[] cek;
+    private byte[] iv;
+    private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+    private boolean wrap;
+    
+    protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
+        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+    }
+    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+        this.headers = headers;
+        this.cek = cek;
+        this.iv = iv;
+    }
+    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen)
{
+        this(headers, cek, iv);
+        this.authTagLen = authTagLen;
+    }
+    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+        this.headers = headers;
+        this.cekEncryptionKey = cekEncryptionKey;
+    }
+    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv) {
+        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
+        this.cekEncryptionKey = cekEncryptionKey;
+    }
+    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv, 
+                                   int authTagLen, boolean wrap) {
+        this(headers, cek, iv, authTagLen);
+        this.cekEncryptionKey = cekEncryptionKey;
+        this.wrap = wrap;
+    }
+    
+    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv, int authTagLen, 
+                                   boolean wrap, JwtHeadersWriter writer) {
+        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+        if (writer != null) {
+            this.writer = writer;
+        }
+    }
+    
+    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
+        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+    }
+    
+    protected byte[] getContentEncryptionCipherInitVector() {
+        return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
+    }
+    
+    protected byte[] getContentEncryptionKey() {
+        if (cek == null && cekEncryptionKey != null) {
+            String algo = headers.getContentEncryptionAlgorithm();
+            return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
+        } else {
+            return cek;
+        }
+    }
+    
+    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+        if (cekEncryptionKey == null) {
+            return cek;
+        } else {
+            KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+            if (!wrap) {
+                return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+            } else {
+                return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,

+                                                 secretKeyProperties.getKeyAlgo());
+            }
+        }
+    }
+    
+    protected String getContentEncryptionKeyEncryptionAlgo() {
+        return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgo() {
+        return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+    }
+    
+    protected int getAuthTagLen() {
+        return authTagLen;
+    }
+    
+    public String getJweContent(byte[] content) {
+        byte[] theCek = getContentEncryptionKey();
+        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+        
+        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+        KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+        byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
+        keyProps.setAdditionalData(additionalEncryptionParam);
+        
+        byte[] theIv = getContentEncryptionCipherInitVector();
+        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+        keyProps.setAlgoSpec(specParams);
+        
+        byte[] cipherText = CryptoUtils.encryptBytes(
+            content, 
+            CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
+            keyProps);
+        
+        JweCompactProducer producer = new JweCompactProducer(headers, 
+                                             jweContentEncryptionKey,
+                                             theIv,
+                                             cipherText,
+                                             getAuthTagLen());
+        return producer.getJweContent();
+    }
+    
+    public String getJweContent(String text) {
+        try {
+            return getJweContent(text.getBytes("UTF-8"));
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
new file mode 100644
index 0000000..fd98333
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
+    public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) {    
+        super(jweContent, contentDecryptionKey);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
new file mode 100644
index 0000000..e2b0e43
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+
+public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
+    public DirectKeyJweEncryptor(SecretKey cek, byte[] iv) {
+        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+    }
+    public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+        super(headers, cek, iv);
+    }
+    public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen)
{
+        super(headers, cek, iv, authTagLen);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
deleted file mode 100644
index 31c432c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweDecryptor {
-    private JweCompactConsumer jweConsumer;
-    private Key cekDecryptionKey;
-    private byte[] contentDecryptionKey;
-    private boolean unwrap;
-    private CeProvider ceProvider = new CeProvider();
-    public JweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {    
-        this.jweConsumer = new JweCompactConsumer(jweContent);
-        this.cekDecryptionKey = cekDecryptionKey;
-        this.unwrap = unwrap;
-    }
-    public JweDecryptor(String jweContent, Key contentDecryptionKey) {    
-        this(jweContent, null, false);
-        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
-    }
-    protected Key getCekDecryptionKey() {
-        return cekDecryptionKey;
-    }
-    
-    protected byte[] getContentEncryptionKey() {
-        // This can be overridden if needed
-        if (contentDecryptionKey != null) {
-            return contentDecryptionKey;
-        }
-        
-        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
-        if (!unwrap) {
-            keyProps.setBlockSize(getKeyCipherBlockSize());
-            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(),
keyProps);
-        } else {
-            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), 
-                                               getContentEncryptionAlgorithm(), 
-                                               getCekDecryptionKey(), 
-                                               keyProps).getEncoded();
-        }
-    }
-    protected int getKeyCipherBlockSize() {
-        return -1;
-    }
-    public byte[] getDecryptedContent() {
-        
-        return jweConsumer.getDecryptedContent(ceProvider);
-        
-    }
-    public String getDecryptedContentText() {
-        return jweConsumer.getDecryptedContentText(ceProvider);
-    }
-    public JweHeaders getJweHeaders() {
-        return getJweConsumer().getJweHeaders();
-    }
-    
-    protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
-        // this can be overridden if needed
-        return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),

-                                                   getContentEncryptionCipherInitVector());
-    }
-    protected String getKeyEncryptionAlgorithm() {
-        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
-    }
-    protected String getContentEncryptionAlgorithm() {
-        return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
-    }
-    protected byte[] getEncryptedContentEncryptionKey() {
-        return getJweConsumer().getEncryptedContentEncryptionKey();
-    }
-    protected byte[] getContentEncryptionCipherAAD() {
-        return getJweConsumer().getContentEncryptionCipherAAD();
-    }
-    protected byte[] getEncryptedContentWithAuthTag() {
-        return getJweConsumer().getEncryptedContentWithAuthTag();
-    }
-    protected byte[] getContentEncryptionCipherInitVector() { 
-        return getJweConsumer().getContentDecryptionCipherInitVector();
-    }
-    protected byte[] getEncryptionAuthenticationTag() {
-        return getJweConsumer().getEncryptionAuthenticationTag();
-    }
-    protected int getEncryptionAuthenticationTagLenBits() {
-        return getEncryptionAuthenticationTag().length * 8;
-    }
-    protected JweCompactConsumer getJweConsumer() { 
-        return jweConsumer;
-    }
-    
-    private class CeProvider implements ContentEncryptionProvider {
-
-        @Override
-        public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
-            return JweDecryptor.this.getContentEncryptionKey();
-        }
-
-        @Override
-        public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
-                                                                     int authTagLength,
-                                                                     byte[] initVector) {
-            return getContentDecryptionCipherSpec();
-        }
-        
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
deleted file mode 100644
index 600eed3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweEncryptor {
-    protected static final int DEFAULT_IV_SIZE = 96;
-    protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
-    private Key cekEncryptionKey;
-    private JweHeaders headers;
-    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
-    private byte[] cek;
-    private byte[] iv;
-    private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-    private boolean wrap;
-    
-    public JweEncryptor(SecretKey cek, byte[] iv) {
-        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
-    }
-    public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
-        this.headers = headers;
-        this.cek = cek;
-        this.iv = iv;
-    }
-    public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
-        this(headers, cek, iv);
-        this.authTagLen = authTagLen;
-    }
-    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
-        this.headers = headers;
-        this.cekEncryptionKey = cekEncryptionKey;
-    }
-    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv)
{
-        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
-        this.cekEncryptionKey = cekEncryptionKey;
-    }
-    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,

-                                   int authTagLen, boolean wrap) {
-        this(headers, cek, iv, authTagLen);
-        this.cekEncryptionKey = cekEncryptionKey;
-        this.wrap = wrap;
-    }
-    
-    public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
int authTagLen, 
-                                   boolean wrap, JwtHeadersWriter writer) {
-        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
-        if (writer != null) {
-            this.writer = writer;
-        }
-    }
-    
-    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
-        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
-    }
-    
-    protected byte[] getContentEncryptionCipherInitVector() {
-        return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
-    }
-    
-    protected byte[] getContentEncryptionKey() {
-        if (cek == null && cekEncryptionKey != null) {
-            String algo = headers.getContentEncryptionAlgorithm();
-            return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
-        } else {
-            return cek;
-        }
-    }
-    
-    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
-        if (cekEncryptionKey == null) {
-            return cek;
-        } else {
-            KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
-            if (!wrap) {
-                return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
-            } else {
-                return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,

-                                                 secretKeyProperties.getKeyAlgo());
-            }
-        }
-    }
-    
-    protected String getContentEncryptionKeyEncryptionAlgo() {
-        return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
-    }
-    protected String getContentEncryptionAlgo() {
-        return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
-    }
-    
-    protected int getAuthTagLen() {
-        return authTagLen;
-    }
-    
-    public String getJweContent(byte[] content) {
-        byte[] theCek = getContentEncryptionKey();
-        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-        
-        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
-        KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
-        byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
-        keyProps.setAdditionalData(additionalEncryptionParam);
-        
-        byte[] theIv = getContentEncryptionCipherInitVector();
-        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
-        keyProps.setAlgoSpec(specParams);
-        
-        byte[] cipherText = CryptoUtils.encryptBytes(
-            content, 
-            CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
-            keyProps);
-        
-        JweCompactProducer producer = new JweCompactProducer(headers, 
-                                             jweContentEncryptionKey,
-                                             theIv,
-                                             cipherText,
-                                             getAuthTagLen());
-        return producer.getJweContent();
-    }
-    
-    public String getJweContent(String text) {
-        try {
-            return getJweContent(text.getBytes("UTF-8"));
-        } catch (UnsupportedEncodingException ex) {
-            throw new SecurityException(ex);
-        }
-    }
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
index cce3cb5..cb4666f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -22,7 +22,7 @@ import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 
 
-public class RSAJweDecryptor extends JweDecryptor {
+public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
     public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
   
         super(jweContent, privateKey, unwrap);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
index 22c2f7e..7739379 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
@@ -25,7 +25,7 @@ import javax.crypto.SecretKey;
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
 
-public class RSAJweEncryptor extends JweEncryptor {
+public class RSAJweEncryptor extends WrappedKeyJweEncryptor {
     public RSAJweEncryptor(RSAPublicKey publicKey, String contentEncryptionAlgo) {
         super(new JweHeaders(Algorithm.RSA_OAEP_ALGO.getJwtName(),
                              contentEncryptionAlgo), publicKey);

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
new file mode 100644
index 0000000..0145909
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
+    public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap)
{    
+        super(jweContent, cekDecryptionKey, unwrap);
+    }
+    public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) {    
+        this(jweContent, cekDecryptionKey, true);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
new file mode 100644
index 0000000..6486604
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
+    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+        super(headers, cekEncryptionKey);
+    }
+    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv) {
+        super(headers, cekEncryptionKey, cek, iv);
+    }
+    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv, 
+                                   int authTagLen, boolean wrap) {
+        super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+    }
+    
+    public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv, int authTagLen, 
+                                   boolean wrap, JwtHeadersWriter writer) {
+        super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index 9d1b06f..eed51d8 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -104,7 +104,7 @@ public class JweCompactReaderWriterTest extends Assert {
     }
     private String encryptContentDirect(String content) throws Exception {
         SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
-        JweEncryptor encryptor = new JweEncryptor(key, INIT_VECTOR);
+        DirectKeyJweEncryptor encryptor = new DirectKeyJweEncryptor(key, INIT_VECTOR);
         return encryptor.getJweContent(content);
     }
     private void decrypt(String jweContent, String plainContent) throws Exception {
@@ -115,7 +115,7 @@ public class JweCompactReaderWriterTest extends Assert {
     }
     private void decryptDirect(String jweContent, String plainContent) throws Exception {
         SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
-        JweDecryptor decryptor = new JweDecryptor(jweContent, key);
+        DirectKeyJweDecryptor decryptor = new DirectKeyJweDecryptor(jweContent, key);
         String decryptedText = decryptor.getDecryptedContentText();
         assertEquals(decryptedText, plainContent);
     }


Mime
View raw message