From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <187fad30205c4bb0aafc2ccea3e242d1@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5311] Initial attempt to introduce some 'safety' into the encryption/decryption process, with more refactoring due for abstract classes Date: Thu, 5 Jun 2014 16:32:09 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 567f9862f -> fc8331eae [CXF-5311] Initial attempt to introduce some 'safety' into the encryption/decryption process, with more refactoring due for abstract classes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fc8331ea Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fc8331ea Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fc8331ea Branch: refs/heads/master Commit: fc8331eaefef02740849f4cac51bc45c58f22ac4 Parents: 567f986 Author: Sergey Beryozkin Authored: Thu Jun 5 17:31:50 2014 +0100 Committer: Sergey Beryozkin Committed: Thu Jun 5 17:31:50 2014 +0100 ---------------------------------------------------------------------- .../oauth2/jwe/AbstractJweDecryptor.java | 127 +++++++++++++++ .../oauth2/jwe/AbstractJweEncryptor.java | 156 +++++++++++++++++++ .../oauth2/jwe/DirectKeyJweDecryptor.java | 27 ++++ .../oauth2/jwe/DirectKeyJweEncryptor.java | 35 +++++ .../rs/security/oauth2/jwe/JweDecryptor.java | 127 --------------- .../rs/security/oauth2/jwe/JweEncryptor.java | 156 ------------------- .../rs/security/oauth2/jwe/RSAJweDecryptor.java | 2 +- .../rs/security/oauth2/jwe/RSAJweEncryptor.java | 2 +- .../oauth2/jwe/WrappedKeyJweDecryptor.java | 30 ++++ .../oauth2/jwe/WrappedKeyJweEncryptor.java | 41 +++++ .../oauth2/jwe/JweCompactReaderWriterTest.java | 4 +- 11 files changed, 420 insertions(+), 287 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
new file mode 100644
index 0000000..cff7f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweDecryptor {
+ private JweCompactConsumer jweConsumer;
+ private Key cekDecryptionKey;
+ private byte[] contentDecryptionKey;
+ private boolean unwrap;
+ private CeProvider ceProvider = new CeProvider();
+ protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
+ this.jweConsumer = new JweCompactConsumer(jweContent);
+ this.cekDecryptionKey = cekDecryptionKey;
+ this.unwrap = unwrap;
+ }
+ protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) {
+ this(jweContent, null, false);
+ this.contentDecryptionKey = contentDecryptionKey.getEncoded();
+ }
+ protected Key getCekDecryptionKey() {
+ return cekDecryptionKey;
+ }
+
+ protected byte[] getContentEncryptionKey() {
+ // This can be overridden if needed
+ if (contentDecryptionKey != null) {
+ return contentDecryptionKey;
+ }
+
+ KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
+ if (!unwrap) {
+ keyProps.setBlockSize(getKeyCipherBlockSize());
+ return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
+ } else {
+ return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
+ getContentEncryptionAlgorithm(),
+ getCekDecryptionKey(),
+ keyProps).getEncoded();
+ }
+ }
+ protected int getKeyCipherBlockSize() {
+ return -1;
+ }
+ public byte[] getDecryptedContent() {
+
+ return jweConsumer.getDecryptedContent(ceProvider);
+
+ }
+ public String getDecryptedContentText() {
+ return jweConsumer.getDecryptedContentText(ceProvider);
+ }
+ public JweHeaders getJweHeaders() {
+ return getJweConsumer().getJweHeaders();
+ }
+
+ protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
+ // this can be overridden if needed
+ return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),
+ getContentEncryptionCipherInitVector());
+ }
+ protected String getKeyEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
+ }
+ protected String getContentEncryptionAlgorithm() {
+ return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
+ }
+ protected byte[] getEncryptedContentEncryptionKey() {
+ return getJweConsumer().getEncryptedContentEncryptionKey();
+ }
+ protected byte[] getContentEncryptionCipherAAD() {
+ return getJweConsumer().getContentEncryptionCipherAAD();
+ }
+ protected byte[] getEncryptedContentWithAuthTag() {
+ return getJweConsumer().getEncryptedContentWithAuthTag();
+ }
+ protected byte[] getContentEncryptionCipherInitVector() {
+ return getJweConsumer().getContentDecryptionCipherInitVector();
+ }
+ protected byte[] getEncryptionAuthenticationTag() {
+ return getJweConsumer().getEncryptionAuthenticationTag();
+ }
+ protected int getEncryptionAuthenticationTagLenBits() {
+ return getEncryptionAuthenticationTag().length * 8;
+ }
+ protected JweCompactConsumer getJweConsumer() {
+ return jweConsumer;
+ }
+
+ private class CeProvider implements ContentEncryptionProvider {
+
+ @Override
+ public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
+ return AbstractJweDecryptor.this.getContentEncryptionKey();
+ }
+
+ @Override
+ public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
+ int authTagLength,
+ byte[] initVector) {
+ return getContentDecryptionCipherSpec();
+ }
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
new file mode 100644
index 0000000..44987f9
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java
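Review bot: The cipher names and the authentication-tag length that feed `getContentDecryptionCipherSpec()` are all derived from the token being decrypted rather than from recipient policy — `getKeyEncryptionAlgorithm()` and `getContentEncryptionAlgorithm()` map whatever `alg`/`enc` the header carries, and `getEncryptionAuthenticationTagLenBits()` returns `getEncryptionAuthenticationTag().length * 8` — so the sender decides which key-decryption and content ciphers the recipient's key is used with and how long a tag is verified. The decryptor should be told the algorithms it expects and reject a header naming anything else, and the tag length should be compared against the configured value (the encryptor side fixes it at `DEFAULT_AUTH_TAG_LENGTH`) rather than read back from the input. In the `(String, Key)` constructor, `Key.getEncoded()` returns null for keys that do not support encoding, after which `getContentEncryptionKey()` silently takes the `CryptoUtils.decryptBytes` path with a null `cekDecryptionKey`; `this.contentDecryptionKey = Objects.requireNonNull(contentDecryptionKey.getEncoded(), "contentDecryptionKey");` (with `java.util.Objects` imported) fails early instead. `getDecryptedContent()` and `getJweHeaders()` also alternate between the `jweConsumer` field and `getJweConsumer()`; using the accessor throughout keeps overriding consistent.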
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractJweEncryptor {
+ protected static final int DEFAULT_IV_SIZE = 96;
+ protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private Key cekEncryptionKey;
+ private JweHeaders headers;
+ private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+ private byte[] cek;
+ private byte[] iv;
+ private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+ private boolean wrap;
+
+ protected AbstractJweEncryptor(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+ this.headers = headers;
+ this.cek = cek;
+ this.iv = iv;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ this(headers, cek, iv);
+ this.authTagLen = authTagLen;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+ this.headers = headers;
+ this.cekEncryptionKey = cekEncryptionKey;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+ this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
+ this.cekEncryptionKey = cekEncryptionKey;
+ }
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ this(headers, cek, iv, authTagLen);
+ this.cekEncryptionKey = cekEncryptionKey;
+ this.wrap = wrap;
+ }
+
+ protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
+ boolean wrap, JwtHeadersWriter writer) {
+ this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+ if (writer != null) {
+ this.writer = writer;
+ }
+ }
+
+ protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+ }
+
+ protected byte[] getContentEncryptionCipherInitVector() {
+ return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
+ }
+
+ protected byte[] getContentEncryptionKey() {
+ if (cek == null && cekEncryptionKey != null) {
+ String algo = headers.getContentEncryptionAlgorithm();
+ return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
+ } else {
+ return cek;
+ }
+ }
+
+ protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
+ if (cekEncryptionKey == null) {
+ return cek;
+ } else {
+ KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
+ if (!wrap) {
+ return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
+ } else {
+ return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
+ secretKeyProperties.getKeyAlgo());
+ }
+ }
+ }
+
+ protected String getContentEncryptionKeyEncryptionAlgo() {
+ return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
+ }
+ protected String getContentEncryptionAlgo() {
+ return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+ }
+
+ protected int getAuthTagLen() {
+ return authTagLen;
+ }
+
+ public String getJweContent(byte[] content) {
+ byte[] theCek = getContentEncryptionKey();
+ byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+
+ String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+ KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
+ byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
+ keyProps.setAdditionalData(additionalEncryptionParam);
+
+ byte[] theIv = getContentEncryptionCipherInitVector();
+ AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+ keyProps.setAlgoSpec(specParams);
+
+ byte[] cipherText = CryptoUtils.encryptBytes(
+ content,
+ CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
+ keyProps);
+
+ JweCompactProducer producer = new JweCompactProducer(headers,
+ jweContentEncryptionKey,
+ theIv,
+ cipherText,
+ getAuthTagLen());
+ return producer.getJweContent();
+ }
+
+ public String getJweContent(String text) {
+ try {
+ return getJweContent(text.getBytes("UTF-8"));
+ } catch (UnsupportedEncodingException ex) {
+ throw new SecurityException(ex);
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
new file mode 100644
index 0000000..fd98333
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java
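Review bot: In `getEncryptedContentEncryptionKey(byte[] theCek)` the `cekEncryptionKey == null` branch returns the raw `cek` bytes, and `getJweContent(byte[])` hands that value to `JweCompactProducer` as the encrypted-key segment; unless `JweCompactProducer` discards the segment for direct encryption (not visible in this commit), a token built by `DirectKeyJweEncryptor` would carry its content-encryption key base64url-encoded next to the ciphertext. For the direct-key case that branch should yield an empty array (or whatever the producer treats as "no encrypted key") rather than the key, and it should use the `theCek` parameter rather than the field so the method agrees with the path that generates a fresh CEK. Two related points in the same hunk: `getContentEncryptionCipherInitVector()` passes `DEFAULT_IV_SIZE` (96) to `generateSecureRandomBytes`, which, if that helper takes a byte count as its name suggests, produces a 768-bit IV where the JWE AES-GCM algorithms specify a 96-bit one — confirm the unit and name the constant accordingly; and an instance constructed with an explicit `iv` and `cek` reuses both on every `getJweContent` call, which for a GCM content cipher is a nonce-reuse hazard, so either document that such an instance encrypts a single message or generate the IV per call regardless of the field. `text.getBytes("UTF-8")` can also become `text.getBytes(StandardCharsets.UTF_8)`, which removes the `UnsupportedEncodingException` catch entirely.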
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class DirectKeyJweDecryptor extends AbstractJweDecryptor {
+ public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) {
+ super(jweContent, contentDecryptionKey);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
new file mode 100644
index 0000000..e2b0e43
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+
+public class DirectKeyJweEncryptor extends AbstractJweEncryptor {
+ public DirectKeyJweEncryptor(SecretKey cek, byte[] iv) {
+ this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
+ }
+ public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
+ super(headers, cek, iv);
+ }
+ public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
+ super(headers, cek, iv, authTagLen);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
deleted file mode 100644
index 31c432c..0000000
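Review bot: The `(SecretKey cek, byte[] iv)` constructor re-implements the header construction that `AbstractJweEncryptor(SecretKey cek, byte[] iv)` already performs, so the two copies can drift apart; `super(cek, iv);` expresses the same thing in one line. If the base-class constructor is not meant to be used by subclasses at all, remove it from `AbstractJweEncryptor` rather than duplicating its body here.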
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweDecryptor {
- private JweCompactConsumer jweConsumer;
- private Key cekDecryptionKey;
- private byte[] contentDecryptionKey;
- private boolean unwrap;
- private CeProvider ceProvider = new CeProvider();
- public JweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
- this.jweConsumer = new JweCompactConsumer(jweContent);
- this.cekDecryptionKey = cekDecryptionKey;
- this.unwrap = unwrap;
- }
- public JweDecryptor(String jweContent, Key contentDecryptionKey) {
- this(jweContent, null, false);
- this.contentDecryptionKey = contentDecryptionKey.getEncoded();
- }
- protected Key getCekDecryptionKey() {
- return cekDecryptionKey;
- }
-
- protected byte[] getContentEncryptionKey() {
- // This can be overridden if needed
- if (contentDecryptionKey != null) {
- return contentDecryptionKey;
- }
-
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm());
- if (!unwrap) {
- keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps);
- } else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(),
- getContentEncryptionAlgorithm(),
- getCekDecryptionKey(),
- keyProps).getEncoded();
- }
- }
- protected int getKeyCipherBlockSize() {
- return -1;
- }
- public byte[] getDecryptedContent() {
-
- return jweConsumer.getDecryptedContent(ceProvider);
-
- }
- public String getDecryptedContentText() {
- return jweConsumer.getDecryptedContentText(ceProvider);
- }
- public JweHeaders getJweHeaders() {
- return getJweConsumer().getJweHeaders();
- }
-
- protected AlgorithmParameterSpec getContentDecryptionCipherSpec() {
- // this can be overridden if needed
- return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(),
- getContentEncryptionCipherInitVector());
- }
- protected String getKeyEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgorithm() {
- return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm());
- }
- protected byte[] getEncryptedContentEncryptionKey() {
- return getJweConsumer().getEncryptedContentEncryptionKey();
- }
- protected byte[] getContentEncryptionCipherAAD() {
- return getJweConsumer().getContentEncryptionCipherAAD();
- }
- protected byte[] getEncryptedContentWithAuthTag() {
- return getJweConsumer().getEncryptedContentWithAuthTag();
- }
- protected byte[] getContentEncryptionCipherInitVector() {
- return getJweConsumer().getContentDecryptionCipherInitVector();
- }
- protected byte[] getEncryptionAuthenticationTag() {
- return getJweConsumer().getEncryptionAuthenticationTag();
- }
- protected int getEncryptionAuthenticationTagLenBits() {
- return getEncryptionAuthenticationTag().length * 8;
- }
- protected JweCompactConsumer getJweConsumer() {
- return jweConsumer;
- }
-
- private class CeProvider implements ContentEncryptionProvider {
-
- @Override
- public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) {
- return JweDecryptor.this.getContentEncryptionKey();
- }
-
- @Override
- public AlgorithmParameterSpec getContentEncryptionCipherSpec(JweHeaders headers,
- int authTagLength,
- byte[] initVector) {
- return getContentDecryptionCipherSpec();
- }
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
deleted file mode 100644
index 600eed3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class JweEncryptor {
- protected static final int DEFAULT_IV_SIZE = 96;
- protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private Key cekEncryptionKey;
- private JweHeaders headers;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- private byte[] cek;
- private byte[] iv;
- private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
- private boolean wrap;
-
- public JweEncryptor(SecretKey cek, byte[] iv) {
- this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv);
- }
- public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) {
- this.headers = headers;
- this.cek = cek;
- this.iv = iv;
- }
- public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
- this(headers, cek, iv);
- this.authTagLen = authTagLen;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
- this.headers = headers;
- this.cekEncryptionKey = cekEncryptionKey;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH);
- this.cekEncryptionKey = cekEncryptionKey;
- }
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap) {
- this(headers, cek, iv, authTagLen);
- this.cekEncryptionKey = cekEncryptionKey;
- this.wrap = wrap;
- }
-
- public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
- boolean wrap, JwtHeadersWriter writer) {
- this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
- if (writer != null) {
- this.writer = writer;
- }
- }
-
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
- return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
- }
-
- protected byte[] getContentEncryptionCipherInitVector() {
- return iv == null ? CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE) : iv;
- }
-
- protected byte[] getContentEncryptionKey() {
- if (cek == null && cekEncryptionKey != null) {
- String algo = headers.getContentEncryptionAlgorithm();
- return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded();
- } else {
- return cek;
- }
- }
-
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- if (cekEncryptionKey == null) {
- return cek;
- } else {
- KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo());
- if (!wrap) {
- return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey,
- secretKeyProperties.getKeyAlgo());
- }
- }
- }
-
- protected String getContentEncryptionKeyEncryptionAlgo() {
- return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgo() {
- return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- }
-
- protected int getAuthTagLen() {
- return authTagLen;
- }
-
- public String getJweContent(byte[] content) {
- byte[] theCek = getContentEncryptionKey();
- byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-
- String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
- byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer);
- keyProps.setAdditionalData(additionalEncryptionParam);
-
- byte[] theIv = getContentEncryptionCipherInitVector();
- AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
- keyProps.setAlgoSpec(specParams);
-
- byte[] cipherText = CryptoUtils.encryptBytes(
- content,
- CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName),
- keyProps);
-
- JweCompactProducer producer = new JweCompactProducer(headers,
- jweContentEncryptionKey,
- theIv,
- cipherText,
- getAuthTagLen());
- return producer.getJweContent();
- }
-
- public String getJweContent(String text) {
- try {
- return getJweContent(text.getBytes("UTF-8"));
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
index cce3cb5..cb4666f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java
@@ -22,7 +22,7 @@ import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; -public class RSAJweDecryptor extends JweDecryptor { +public class RSAJweDecryptor extends WrappedKeyJweDecryptor { public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) { super(jweContent, privateKey, unwrap); }
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java
index 22c2f7e..7739379 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryptor.java @@ -25,7 +25,7 @@ import javax.crypto.SecretKey; import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter; -public class RSAJweEncryptor extends JweEncryptor { +public class RSAJweEncryptor extends WrappedKeyJweEncryptor { public RSAJweEncryptor(RSAPublicKey publicKey, String contentEncryptionAlgo) { super(new JweHeaders(Algorithm.RSA_OAEP_ALGO.getJwtName(), contentEncryptionAlgo), publicKey); http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java new file mode 100644 index 0000000..0145909 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java 
@@ -0,0 +1,30 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+public class WrappedKeyJweDecryptor extends AbstractJweDecryptor {
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) {
+ super(jweContent, cekDecryptionKey, unwrap);
+ }
+ public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) {
+ this(jweContent, cekDecryptionKey, true);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
new file mode 100644
index 0000000..6486604
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
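Review bot: Neither `WrappedKeyJweDecryptor` constructor documents what `cekDecryptionKey` must be or what `unwrap` selects, and the two-argument form silently picks `unwrap = true`, so the parameter type alone (`java.security.Key`) no longer tells a caller whether this class or `DirectKeyJweDecryptor` is the right one for the key in hand — the very confusion the split into Direct/Wrapped classes is meant to remove. Add a class Javadoc along the lines of `/** Decrypts JWE content whose content-encryption key (CEK) is itself encrypted in the token; {@code cekDecryptionKey} is the key-management key (e.g. an RSA private key) used to recover the CEK, never the CEK itself. */` plus a `@param unwrap` line stating which code path it selects. Whether `AbstractJweDecryptor` rejects a null or unsuitable key is not visible in this hunk; if it does not, the constructors here are the place for `Objects.requireNonNull(cekDecryptionKey, "cekDecryptionKey")`.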
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
+
+public class WrappedKeyJweEncryptor extends AbstractJweEncryptor {
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) {
+ super(headers, cekEncryptionKey);
+ }
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) {
+ super(headers, cekEncryptionKey, cek, iv);
+ }
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv,
+ int authTagLen, boolean wrap) {
+ super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap);
+ }
+
+ public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen,
+ boolean wrap, JwtHeadersWriter writer) {
+ super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fc8331ea/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
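Review bot: The constructors that take `cek` and `iv` let a caller fix both the content-encryption key and the IV, but nothing in the new class says this is meant for reproducible test vectors rather than production use; with the authenticated content encryption implied by `authTagLen`, an IV reused under the same key undermines both confidentiality and the integrity guarantee the tag is supposed to give. Add Javadoc to those constructors, e.g. `@param cek the content-encryption key to use; supply it (and {@code iv}) only for reproducible test vectors` and `@param iv the initialisation vector; must be unique for every message encrypted under the same {@code cek}`, and point production callers at the two-argument form. Whether `AbstractJweEncryptor` generates a fresh random CEK and IV when they are not supplied, and whether it copies the arrays rather than keeping the caller's references, is not visible here — if it does, say so in the same Javadoc. Four telescoping constructors are also hard to extend safely; a builder or a small options object would document the parameters in one place.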
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index 9d1b06f..eed51d8 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -104,7 +104,7 @@ public class JweCompactReaderWriterTest extends Assert {
 }
 private String encryptContentDirect(String content) throws Exception {
 SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
- JweEncryptor encryptor = new JweEncryptor(key, INIT_VECTOR);
+ DirectKeyJweEncryptor encryptor = new DirectKeyJweEncryptor(key, INIT_VECTOR);
 return encryptor.getJweContent(content);
 }
 private void decrypt(String jweContent, String plainContent) throws Exception {
@@ -115,7 +115,7 @@ public class JweCompactReaderWriterTest extends Assert {
 }
 private void decryptDirect(String jweContent, String plainContent) throws Exception {
 SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES");
- JweDecryptor decryptor = new JweDecryptor(jweContent, key);
+ DirectKeyJweDecryptor decryptor = new DirectKeyJweDecryptor(jweContent, key);
 String decryptedText = decryptor.getDecryptedContentText();
 assertEquals(decryptedText, plainContent);
 }