cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: [CXF-5311] Fixing compact serialization if OOB ceks are used, refactoring abstract JWE helpers, adding empty encryption and signature properties which can be used to enforce that only specific encryption/sign algo props were used
Date Fri, 06 Jun 2014 12:31:27 GMT
Repository: cxf
Updated Branches:
  refs/heads/master ac556b7cf -> 117061fed


[CXF-5311] Fixing compact serialization if OOB ceks are used, refactoring abstract JWE helpers,
adding empty encryption and signature properties which can be used to enforce that only specific
encryption/sign algo props were used


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/117061fe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/117061fe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/117061fe

Branch: refs/heads/master
Commit: 117061fed2242b6a927467e2b6488c9fb111565a
Parents: ac556b7
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Jun 6 13:30:21 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Jun 6 13:30:21 2014 +0100

----------------------------------------------------------------------
 .../oauth2/jwe/AbstractJweDecryptor.java        | 52 +++-----------------
 .../oauth2/jwe/AbstractJweEncryptor.java        | 52 ++++----------------
 .../oauth2/jwe/DirectKeyJweDecryptor.java       | 15 +++++-
 .../oauth2/jwe/DirectKeyJweEncryptor.java       |  3 ++
 .../security/oauth2/jwe/JweCompactConsumer.java | 16 +++++-
 .../security/oauth2/jwe/JweCompactProducer.java |  4 +-
 .../rs/security/oauth2/jwe/RSAJweDecryptor.java | 12 +++--
 .../oauth2/jwe/WrappedKeyJweDecryptor.java      | 39 +++++++++++++--
 .../oauth2/jwe/WrappedKeyJweEncryptor.java      | 35 +++++++++++--
 .../security/oauth2/jws/JwsCompactConsumer.java | 19 +++++--
 .../rs/security/oauth2/jwt/JwtTokenReader.java  |  1 -
 .../oauth2/jwt/JwtTokenReaderWriter.java        |  3 +-
 .../security/oauth2/utils/Base64UrlUtility.java |  9 +++-
 13 files changed, 151 insertions(+), 109 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
index cff7f28..4b9614f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -18,52 +18,20 @@
  */
 package org.apache.cxf.rs.security.oauth2.jwe;
 
-import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public abstract class AbstractJweDecryptor {
     private JweCompactConsumer jweConsumer;
-    private Key cekDecryptionKey;
-    private byte[] contentDecryptionKey;
-    private boolean unwrap;
     private CeProvider ceProvider = new CeProvider();
-    protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap)
{    
-        this.jweConsumer = new JweCompactConsumer(jweContent);
-        this.cekDecryptionKey = cekDecryptionKey;
-        this.unwrap = unwrap;
-    }
-    protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) {    
-        this(jweContent, null, false);
-        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
-    }
-    protected Key getCekDecryptionKey() {
-        return cekDecryptionKey;
+    protected AbstractJweDecryptor(String jweContent, JweCryptoProperties props) {    
+        this.jweConsumer = new JweCompactConsumer(jweContent, props);
     }
     
-    protected byte[] getContentEncryptionKey() {
-        // This can be overridden if needed
-        if (contentDecryptionKey != null) {
-            return contentDecryptionKey;
-        }
-        
-        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
-        if (!unwrap) {
-            keyProps.setBlockSize(getKeyCipherBlockSize());
-            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(),
keyProps);
-        } else {
-            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), 
-                                               getContentEncryptionAlgorithm(), 
-                                               getCekDecryptionKey(), 
-                                               keyProps).getEncoded();
-        }
-    }
-    protected int getKeyCipherBlockSize() {
-        return -1;
-    }
+    protected abstract byte[] getContentEncryptionKey();
+    
     public byte[] getDecryptedContent() {
         
         return jweConsumer.getDecryptedContent(ceProvider);
@@ -72,24 +40,20 @@ public abstract class AbstractJweDecryptor {
     public String getDecryptedContentText() {
         return jweConsumer.getDecryptedContentText(ceProvider);
     }
-    public JweHeaders getJweHeaders() {
+    public JweHeaders getHeaders() {
         return getJweConsumer().getJweHeaders();
     }
     
     protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
-        // this can be overridden if needed
         return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),

                                                    getContentEncryptionCipherInitVector());
     }
-    protected String getKeyEncryptionAlgorithm() {
-        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
-    }
-    protected String getContentEncryptionAlgorithm() {
-        return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
-    }
     protected byte[] getEncryptedContentEncryptionKey() {
         return getJweConsumer().getEncryptedContentEncryptionKey();
     }
+    protected String getContentEncryptionAlgorithm() {
+        return Algorithm.toJavaName(getHeaders().getContentEncryptionAlgorithm());
+    }
     protected byte[] getContentEncryptionCipherAAD() {
         return getJweConsumer().getContentEncryptionCipherAAD();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
index 44987f9..2427cc1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
@@ -19,7 +19,6 @@
 package org.apache.cxf.rs.security.oauth2.jwe;
 
 import java.io.UnsupportedEncodingException;
-import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 
 import javax.crypto.SecretKey;
@@ -33,13 +32,11 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 public abstract class AbstractJweEncryptor {
     protected static final int DEFAULT_IV_SIZE = 96;
     protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
-    private Key cekEncryptionKey;
     private JweHeaders headers;
     private JwtHeadersWriter writer = new JwtTokenReaderWriter();
     private byte[] cek;
     private byte[] iv;
     private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-    private boolean wrap;
     
     protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
         this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
@@ -53,24 +50,12 @@ public abstract class AbstractJweEncryptor {
         this(headers, cek, iv);
         this.authTagLen = authTagLen;
     }
-    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+    protected AbstractJweEncryptor(JweHeaders headers) {
         this.headers = headers;
-        this.cekEncryptionKey = cekEncryptionKey;
     }
-    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv) {
-        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
-        this.cekEncryptionKey = cekEncryptionKey;
-    }
-    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv, 
-                                   int authTagLen, boolean wrap) {
+    protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,

+                                   JwtHeadersWriter writer) {
         this(headers, cek, iv, authTagLen);
-        this.cekEncryptionKey = cekEncryptionKey;
-        this.wrap = wrap;
-    }
-    
-    protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek,
byte[] iv, int authTagLen, 
-                                   boolean wrap, JwtHeadersWriter writer) {
-        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
         if (writer != null) {
             this.writer = writer;
         }
@@ -85,31 +70,11 @@ public abstract class AbstractJweEncryptor {
     }
     
     protected byte[] getContentEncryptionKey() {
-        if (cek == null && cekEncryptionKey != null) {
-            String algo = headers.getContentEncryptionAlgorithm();
-            return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
-        } else {
-            return cek;
-        }
+        return cek;
     }
     
-    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
-        if (cekEncryptionKey == null) {
-            return cek;
-        } else {
-            KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
-            if (!wrap) {
-                return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
-            } else {
-                return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,

-                                                 secretKeyProperties.getKeyAlgo());
-            }
-        }
-    }
+    protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek);
     
-    protected String getContentEncryptionKeyEncryptionAlgo() {
-        return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
-    }
     protected String getContentEncryptionAlgo() {
         return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
     }
@@ -117,11 +82,11 @@ public abstract class AbstractJweEncryptor {
     protected int getAuthTagLen() {
         return authTagLen;
     }
-    
+    protected JweHeaders getJweHeaders() {
+        return headers;
+    }
     public String getJweContent(byte[] content) {
         byte[] theCek = getContentEncryptionKey();
-        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-        
         String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
         KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
         byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
@@ -136,6 +101,7 @@ public abstract class AbstractJweEncryptor {
             CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
             keyProps);
         
+        byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
         JweCompactProducer producer = new JweCompactProducer(headers, 
                                              jweContentEncryptionKey,
                                              theIv,

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
index fd98333..be9378f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
@@ -21,7 +21,20 @@ package org.apache.cxf.rs.security.oauth2.jwe;
 import java.security.Key;
 
 public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
+    private byte[] contentDecryptionKey;
     public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) {    
-        super(jweContent, contentDecryptionKey);
+        this(jweContent, contentDecryptionKey, null);
+    }
+    public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey, JweCryptoProperties
props) {    
+        super(jweContent, props);
+        this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+    }
+    @Override
+    protected byte[] getContentEncryptionKey() {
+        byte[] encryptedCEK = getEncryptedContentEncryptionKey();
+        if (encryptedCEK != null && encryptedCEK.length > 0) {
+            throw new SecurityException();
+        }
+        return contentDecryptionKey;
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
index e2b0e43..8872d81 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
@@ -32,4 +32,7 @@ public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
     public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen)
{
         super(headers, cek, iv, authTagLen);
     }
+    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+        return new byte[0];
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
index 9c11dcf..042ceda 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
@@ -26,6 +26,7 @@ import java.security.spec.AlgorithmParameterSpec;
 import org.apache.cxf.common.util.Base64Exception;
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersReader;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
 import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
@@ -40,6 +41,12 @@ public class JweCompactConsumer {
     private byte[] authTag;
     private JweHeaders jweHeaders;
     public JweCompactConsumer(String jweContent) {
+        this(jweContent, null);
+    }
+    public JweCompactConsumer(String jweContent, JweCryptoProperties props) {
+        this(jweContent, props, new JwtTokenReaderWriter());
+    }
+    public JweCompactConsumer(String jweContent, JweCryptoProperties props, JwtHeadersReader
reader) {
         String[] parts = jweContent.split("\\.");
         if (parts.length != 5) {
             throw new SecurityException("5 JWE parts are expected");
@@ -54,12 +61,19 @@ public class JweCompactConsumer {
             encryptedContentWithTag = new byte[cipherText.length + authTag.length];
             System.arraycopy(cipherText, 0, encryptedContentWithTag, 0, cipherText.length);
             System.arraycopy(authTag, 0, encryptedContentWithTag, cipherText.length, authTag.length);
-            jweHeaders = new JweHeaders(new JwtTokenReaderWriter().fromJsonHeaders(headersJson).asMap());
+            jweHeaders = new JweHeaders(reader.fromJsonHeaders(headersJson).asMap());
+            enforceJweCryptoProperties(props);
         } catch (Base64Exception ex) {
             throw new SecurityException(ex);
         }
     }
     
+    private void enforceJweCryptoProperties(JweCryptoProperties props) {
+        if (props != null) {
+            //TODO: Validate
+        }
+    }
+    
     public String getDecodedJsonHeaders() {
         return headersJson;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
index cb61690..82945b7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java
@@ -89,9 +89,9 @@ public class JweCompactProducer {
         StringBuilder sb = new StringBuilder();
         return sb.append(encodedHeaders)
                  .append('.')
-                 .append(encodedContentEncryptionKey)
+                 .append(encodedContentEncryptionKey == null ? "" : encodedContentEncryptionKey)
                  .append('.')
-                 .append(encodedInitVector)
+                 .append(encodedInitVector == null ? "" : encodedInitVector)
                  .append('.')
                  .append(encodedEncryptedContent)
                  .append('.')

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
index cb4666f..17a53d1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -23,12 +23,18 @@ import java.security.interfaces.RSAPublicKey;
 
 
 public class RSAJweDecryptor extends WrappedKeyJweDecryptor {
-    public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
   
-        super(jweContent, privateKey, unwrap);
-    }
+    
     public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey) {    
         this(jweContent, privateKey, true);
     }
+    public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) {
   
+        this(jweContent, privateKey, unwrap, null);
+    }
+    public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap,
+                           JweCryptoProperties props) {    
+        super(jweContent, privateKey, unwrap, props);
+    }
+    
     protected int getKeyCipherBlockSize() {
         return ((RSAPublicKey)getCekDecryptionKey()).getModulus().toByteArray().length;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
index 0145909..1798c55 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java
@@ -20,11 +20,44 @@ package org.apache.cxf.rs.security.oauth2.jwe;
 
 import java.security.Key;
 
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
 public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
-    public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap)
{    
-        super(jweContent, cekDecryptionKey, unwrap);
-    }
+    private Key cekDecryptionKey;
+    private boolean unwrap;
     public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) {    
         this(jweContent, cekDecryptionKey, true);
     }
+    public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap)
{    
+        this(jweContent, cekDecryptionKey, unwrap, null);
+    }
+    public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap,
+                                  JweCryptoProperties props) {    
+        super(jweContent, props);
+        this.cekDecryptionKey = cekDecryptionKey;
+        this.unwrap = unwrap;
+    }
+    protected byte[] getContentEncryptionKey() {
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+        if (!unwrap) {
+            keyProps.setBlockSize(getKeyCipherBlockSize());
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(),
keyProps);
+        } else {
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), 
+                                               getContentEncryptionAlgorithm(), 
+                                               getCekDecryptionKey(), 
+                                               keyProps).getEncoded();
+        }
+    }
+    protected Key getCekDecryptionKey() {
+        return cekDecryptionKey;
+    }
+    protected int getKeyCipherBlockSize() {
+        return -1;
+    }
+    protected String getKeyEncryptionAlgorithm() {
+        return Algorithm.toJavaName(getHeaders().getKeyEncryptionAlgorithm());
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
index 6486604..ad6b905 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
@@ -20,22 +20,49 @@ package org.apache.cxf.rs.security.oauth2.jwe;
 
 import java.security.Key;
 
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
+    private Key cekEncryptionKey;
+    private boolean wrap;
     public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
-        super(headers, cekEncryptionKey);
+        this(headers, cekEncryptionKey, null, null);
     }
     public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv) {
-        super(headers, cekEncryptionKey, cek, iv);
+        this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true);
     }
     public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv, 
                                    int authTagLen, boolean wrap) {
-        super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+        this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null);
     }
     
     public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[]
iv, int authTagLen, 
                                    boolean wrap, JwtHeadersWriter writer) {
-        super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer);
+        super(headers, cek, iv, authTagLen, writer);
+        this.cekEncryptionKey = cekEncryptionKey;
+        this.wrap = wrap;
+    }
+    protected byte[] getContentEncryptionKey() {
+        byte[] theCek = super.getContentEncryptionKey();
+        if (theCek == null) {
+            String algo = getContentEncryptionAlgo();
+            theCek = CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
+        }
+        return theCek;
+    }
+    protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+        KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+        if (!wrap) {
+            return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+        } else {
+            return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,

+                                             secretKeyProperties.getKeyAlgo());
+        }
+    }
+    protected String getContentEncryptionKeyEncryptionAlgo() {
+        return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
index abec1a6..d149587 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
@@ -37,14 +37,21 @@ public class JwsCompactConsumer {
     private String headersJson;
     private String claimsJson;
     private JwtToken token;
+    private JwsSignatureProperties props;
     public JwsCompactConsumer(String encodedJws) {
-        this(encodedJws, null);
+        this(encodedJws, null, null);
+    }
+    public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props) {
+        this(encodedJws, props, null);
     }
     public JwsCompactConsumer(String encodedJws, JwtTokenReader r) {
+        this(encodedJws, null, r);
+    }
+    public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props, JwtTokenReader
r) {
         if (r != null) {
             this.reader = r;
         }
-        
+        this.props = props;
         String[] parts = encodedJws.split("\\.");
         if (parts.length != 3) {
             if (parts.length == 2 && encodedJws.endsWith(".")) {
@@ -87,16 +94,22 @@ public class JwsCompactConsumer {
     }
     public JwtToken getJwtToken() {
         if (token == null) {
-            token = reader.fromJson(headersJson, claimsJson);
+            token = reader.fromJson(new JwtTokenJson(headersJson, claimsJson));
         }
         return token;
     }
     public boolean verifySignatureWith(JwsSignatureVerifier validator) {
+        enforceJweSignatureProperties();
         if (!validator.verify(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature()))
{
             throw new SecurityException();
         }
         return true;
     }
+    private void enforceJweSignatureProperties() {
+        if (props != null) {
+            //TODO:
+        }
+    }
     private static String decodeToString(String encoded) {
         try {
             return new String(decode(encoded), "UTF-8");

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
index 9be3a0a..f916df7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java
@@ -21,6 +21,5 @@ package org.apache.cxf.rs.security.oauth2.jwt;
 
 public interface JwtTokenReader extends JwtHeadersReader {
     JwtClaims fromJsonClaims(String jsonClaims);
-    JwtToken fromJson(String jsonHeaders, String jsonClaims);
     JwtToken fromJson(JwtTokenJson jsonPair);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
index 9d95771..d8d6dd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java
@@ -68,8 +68,7 @@ public class JwtTokenReaderWriter implements JwtTokenReader, JwtTokenWriter
{
         
     }
     
-    @Override
-    public JwtToken fromJson(String headersJson, String claimsJson) {
+    private JwtToken fromJson(String headersJson, String claimsJson) {
         JwtHeaders headers = fromJsonHeaders(headersJson);
         JwtClaims claims = fromJsonClaims(claimsJson);
         return new JwtToken(headers, claims);

http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
index 9b5db48..d8d795c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
@@ -73,8 +73,13 @@ public final class Base64UrlUtility {
     }
 
     public static String encodeChunk(byte[] id, int offset, int length) {
-        String encoded = new String(Base64Utility.encodeChunk(id, offset, length));
-        return encoded.replace("+", "-").replace('/', '_').replace("=", "");
+        char[] chunk = Base64Utility.encodeChunk(id, offset, length);
+        if (chunk != null) {
+            String encoded = new String(chunk);
+            return encoded.replace("+", "-").replace('/', '_').replace("=", "");
+        } else {
+            return null;
+        }
     }
      
 


Mime
View raw message