Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6148611A79 for ; Thu, 31 Jul 2014 14:19:57 +0000 (UTC) Received: (qmail 80919 invoked by uid 500); 31 Jul 2014 14:19:57 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 80859 invoked by uid 500); 31 Jul 2014 14:19:57 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 80848 invoked by uid 99); 31 Jul 2014 14:19:57 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 31 Jul 2014 14:19:57 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id A22929BBAC8; Thu, 31 Jul 2014 14:19:56 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <1cc73a8eedcc403096b0f82191f9f08c@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5902] More refactoring to make it easier to provide a utility code for composite algorithms Date: Thu, 31 Jul 2014 14:19:56 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 131c3fdba -> 646b27ac7 [CXF-5902] More refactoring to make it easier to provide a utility code for composite algorithms Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/646b27ac Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/646b27ac Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/646b27ac Branch: refs/heads/master Commit: 646b27ac7b8fdbcaa79859ce361e1321b8d9ef28 Parents: 131c3fd Author: Sergey Beryozkin Authored: Thu Jul 31 17:19:36 2014 +0300 Committer: Sergey Beryozkin Committed: Thu Jul 31 17:19:36 2014 +0300 ---------------------------------------------------------------------- .../jwe/AbstractContentEncryptionAlgorithm.java | 66 ++++++++++++++ .../oauth2/jwe/AbstractJweEncryption.java | 64 ++++--------- .../oauth2/jwe/AbstractWrapKeyAlgorithm.java | 95 ++++++++++++++++++++ .../oauth2/jwe/AbstractWrapKeyEncryption.java | 95 -------------------- .../jwe/AesGcmContentEncryptionAlgorithm.java | 31 +++++++ .../oauth2/jwe/AesWrapKeyAlgorithm.java | 45 ++++++++++ .../oauth2/jwe/AesWrapKeyEncryption.java | 45 ---------- .../oauth2/jwe/ContentEncryptionAlgorithm.java | 28 ++++++ .../security/oauth2/jwe/DirectKeyAlgorithm.java | 29 ++++++ .../oauth2/jwe/DirectKeyEncryption.java | 29 ------ .../oauth2/jwe/DirectKeyJweEncryption.java | 5 +- .../security/oauth2/jwe/RSAJweEncryption.java | 11 ++- .../oauth2/jwe/RSAOaepKeyEncryption.java | 2 +- .../oauth2/jwe/WrappedKeyJweEncryption.java | 26 +----- .../oauth2/jwe/JweCompactReaderWriterTest.java | 2 +- 15 files changed, 324 insertions(+), 249 deletions(-) 
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..7baa98c
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+
+public abstract class AbstractContentEncryptionAlgorithm implements ContentEncryptionAlgorithm {
+ private static final int DEFAULT_IV_SIZE = 96;
+ private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private byte[] cek;
+ private byte[] iv;
+ private AtomicInteger providedIvUsageCount;
+ private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+ protected AbstractContentEncryptionAlgorithm(SecretKey key, byte[] iv) {
+ this(key.getEncoded(), iv);
+ }
+ protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv) {
+ this.cek = cek;
+ this.iv = iv;
+ if (iv != null && iv.length > 0) {
+ providedIvUsageCount = new AtomicInteger();
+ }
+ }
+
+
+ public byte[] getContentEncryptionKey(JweHeaders headers) {
+ return cek;
+ }
+ public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+ }
+ public byte[] getInitVector() {
+ if (iv == null) {
+ return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
+ } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
+ throw new SecurityException();
+ } else {
+ return iv;
+ }
+ }
+ protected int getAuthTagLen() {
+ return authTagLen;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
index e8728c7..389bb42 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -19,7 +19,6 @@ package org.apache.cxf.rs.security.oauth2.jwe;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.concurrent.atomic.AtomicInteger;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
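Review bot: `getInitVector()` treats a zero-length `iv` as a caller-supplied IV and returns it unchanged, because the constructor only creates `providedIvUsageCount` when `iv.length > 0` and the `else if` short-circuits on the same test; an empty array should take the random-generation branch, `if (iv == null || iv.length == 0) {`. In the same method `DEFAULT_IV_SIZE = 96` is handed to `CryptoUtils.generateSecureRandomBytes`; if that helper takes a byte count this yields a 96-byte IV rather than the 96-bit (12-byte) IV AES-GCM uses in JWA, so the unit deserves a comment once confirmed, e.g. `// IV length for AES-GCM content encryption (confirm: bits vs bytes)`. Both `throw new SecurityException()` sites are message-less; `throw new SecurityException("Initialization vector can not be reused")` makes the rejection diagnosable in logs. Note also that `cek` and `iv` are stored and returned without copying, so a caller mutating the array after construction changes what gets encrypted.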
@@ -32,67 +31,42 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 public abstract class AbstractJweEncryption implements JweEncryptionProvider {
- protected static final int DEFAULT_IV_SIZE = 96;
- protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
 private JweHeaders headers;
 private JwtHeadersWriter writer;
- private byte[] cek;
- private byte[] iv;
- private AtomicInteger providedIvUsageCount;
- private int authTagLen;
+ private ContentEncryptionAlgorithm contentEncryptionAlgo;
 private KeyEncryptionAlgorithm keyEncryptionAlgo;
- protected AbstractJweEncryption(SecretKey cek, byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgo) {
- this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
- cek.getEncoded().length * 8)),
- cek.getEncoded(), iv, keyEncryptionAlgo);
- }
- protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv,
- KeyEncryptionAlgorithm keyEncryptionAlgo) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo);
- }
- protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,
+ protected AbstractJweEncryption(JweHeaders headers,
+ ContentEncryptionAlgorithm contentEncryptionAlgo,
 KeyEncryptionAlgorithm keyEncryptionAlgo) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo, null);
- }
- protected AbstractJweEncryption(JweHeaders headers, KeyEncryptionAlgorithm keyEncryptionAlgo) {
- this(headers, null, null, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo, null);
+ this(headers, contentEncryptionAlgo, keyEncryptionAlgo, null);
 }
 protected AbstractJweEncryption(JweHeaders headers,
- byte[] cek,
- byte[] iv,
- int authTagLen,
+ ContentEncryptionAlgorithm contentEncryptionAlgo,
 KeyEncryptionAlgorithm keyEncryptionAlgo,
 JwtHeadersWriter writer) {
 this.headers = headers;
- this.cek = cek;
- this.iv = iv;
- if (iv != null && iv.length > 0) {
- providedIvUsageCount = new AtomicInteger();
- }
- this.authTagLen = authTagLen;
 this.writer = writer;
 if (this.writer == null) {
 this.writer = new JwtTokenReaderWriter();
 }
 this.keyEncryptionAlgo = keyEncryptionAlgo;
+ this.contentEncryptionAlgo = contentEncryptionAlgo;
 }
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
- return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
- }
-
- protected byte[] getContentEncryptionCipherInitVector() {
- if (iv == null) {
- return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
- } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
- } else {
- return iv;
- }
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
+ return contentEncryptionAlgo.getAlgorithmParameterSpec(theIv);
 }
 protected byte[] getContentEncryptionKey() {
+ byte[] cek = contentEncryptionAlgo.getContentEncryptionKey(headers);
+ if (cek == null) {
+ String algoJava = getContentEncryptionAlgoJava();
+ String algoJwt = getContentEncryptionAlgoJwt();
+ cek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava),
+ Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
+ }
 return cek;
 }
@@ -108,7 +82,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
 }
 protected int getAuthTagLen() {
- return authTagLen;
+ return DEFAULT_AUTH_TAG_LENGTH;
 }
 protected JweHeaders getJweHeaders() {
 return headers;
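Review bot: In `getContentEncryptionKey()`, `Algorithm.valueOf(algoJwt)` is the enum's built-in lookup by constant name, while `getContentEncryptionAlgoJwt()` presumably yields the JWT algorithm name; the two happen to coincide for the GCM constants but diverge wherever the JWT name differs from the constant (this commit itself uses `Algorithm.RSA_OAEP.getJwtName()` separately from the constant), so an unexpected `enc` value would surface as an `IllegalArgumentException` from `valueOf` rather than a clear rejection — prefer a lookup by JWT name if `Algorithm` offers one, or add `// valueOf expects the enum constant name; only valid while JWT and constant names match` until it does. Separately, when `contentEncryptionAlgo.getContentEncryptionKey(headers)` returns null a fresh random key is generated on every call; if this method is reached more than once per encryption (the encrypt path continues outside the hunk), the key that gets wrapped and the key that encrypts the content would differ, so consider computing it once per `encrypt` call and passing the result down. The class body continues outside the hunk.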
@@ -154,8 +128,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
 byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
 keyProps.setAdditionalData(additionalEncryptionParam);
- byte[] theIv = getContentEncryptionCipherInitVector();
- AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+ byte[] theIv = contentEncryptionAlgo.getInitVector();
+ AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv);
 keyProps.setAlgoSpec(specParams);
 byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
 JweEncryptionInternal state = new JweEncryptionInternal();
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
new file mode 100644
index 0000000..024ac8f
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Set;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractWrapKeyAlgorithm implements KeyEncryptionAlgorithm {
+ private Key keyEncryptionKey;
+ private boolean wrap;
+ private String algorithm;
+ private Set supportedAlgorithms;
+ protected AbstractWrapKeyAlgorithm(Key key, Set supportedAlgorithms) {
+ this(key, null, true, supportedAlgorithms);
+ }
+ protected AbstractWrapKeyAlgorithm(Key key, boolean wrap, Set supportedAlgorithms) {
+ this(key, null, wrap, supportedAlgorithms);
+ }
+ protected AbstractWrapKeyAlgorithm(Key key, String jweAlgo, Set supportedAlgorithms) {
+ this(key, jweAlgo, true, supportedAlgorithms);
+ }
+ protected AbstractWrapKeyAlgorithm(Key key, String jweAlgo, boolean wrap, Set supportedAlgorithms) {
+ this.keyEncryptionKey = key;
+ this.algorithm = jweAlgo;
+ this.wrap = wrap;
+ this.supportedAlgorithms = supportedAlgorithms;
+ }
+ @Override
+ public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
+ checkAlgorithms(headers, algorithm);
+ KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
+ AlgorithmParameterSpec spec = getAlgorithmParameterSpec();
+ if (spec != null) {
+ secretKeyProperties.setAlgoSpec(spec);
+ }
+ if (!wrap) {
+ return CryptoUtils.encryptBytes(cek, keyEncryptionKey, secretKeyProperties);
+ } else {
+ return CryptoUtils.wrapSecretKey(cek,
+ getContentEncryptionAlgoJava(headers),
+ keyEncryptionKey,
+ secretKeyProperties);
+ }
+ }
+ protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
+ return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
+ }
+ protected String getContentEncryptionAlgoJava(JweHeaders headers) {
+ return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+ }
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec() {
+ return null;
+ }
+ private static String checkAlgorithm(Set supportedAlgorithms, String algo) {
+ if (algo != null && !supportedAlgorithms.contains(algo)) {
+ throw new SecurityException();
+ }
+ return algo;
+ }
+ private void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
+ String providedAlgo = headers.getKeyEncryptionAlgorithm();
+ if ((providedAlgo == null && defaultAlgo == null)
+ || (providedAlgo != null && defaultAlgo != null && !providedAlgo.equals(defaultAlgo))) {
+ throw new SecurityException();
+ }
+ if (providedAlgo != null) {
+ checkAlgorithm(supportedAlgorithms, providedAlgo);
+ } else {
+ checkAlgorithms(headers, defaultAlgo);
+ headers.setKeyEncryptionAlgorithm(defaultAlgo);
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
----------------------------------------------------------------------
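Review bot: `checkAlgorithms` calls itself in its `else` branch (`checkAlgorithms(headers, defaultAlgo);`), and because `providedAlgo` is still null and `defaultAlgo` still non-null on the recursive call the same branch is taken again until a `StackOverflowError`; the evident intent is the static single-algorithm check, `checkAlgorithm(supportedAlgorithms, defaultAlgo);`. As written, any wrapper constructed with a `jweAlgo` and used with headers that do not yet carry `alg` fails before `headers.setKeyEncryptionAlgorithm(defaultAlgo)` is reached. The file is otherwise a move of `AbstractWrapKeyEncryption`, so the defect predates this commit, but this is the copy that survives. The two `throw new SecurityException()` sites would also benefit from a message naming the rejected algorithm, and `Set` should be `Set<String>` throughout.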
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
deleted file mode 100644
index 8ab04c5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractWrapKeyEncryption implements KeyEncryptionAlgorithm {
- private Key keyEncryptionKey;
- private boolean wrap;
- private String algorithm;
- private Set supportedAlgorithms;
- protected AbstractWrapKeyEncryption(Key key, Set supportedAlgorithms) {
- this(key, null, true, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryption(Key key, boolean wrap, Set supportedAlgorithms) {
- this(key, null, wrap, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryption(Key key, String jweAlgo, Set supportedAlgorithms) {
- this(key, jweAlgo, true, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryption(Key key, String jweAlgo, boolean wrap, Set supportedAlgorithms) {
- this.keyEncryptionKey = key;
- this.algorithm = jweAlgo;
- this.wrap = wrap;
- this.supportedAlgorithms = supportedAlgorithms;
- }
- @Override
- public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
- checkAlgorithms(headers, algorithm);
- KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
- AlgorithmParameterSpec spec = getAlgorithmParameterSpec();
- if (spec != null) {
- secretKeyProperties.setAlgoSpec(spec);
- }
- if (!wrap) {
- return CryptoUtils.encryptBytes(cek, keyEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(cek,
- getContentEncryptionAlgoJava(headers),
- keyEncryptionKey,
- secretKeyProperties);
- }
- }
- protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
- return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgoJava(JweHeaders headers) {
- return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- }
- protected AlgorithmParameterSpec getAlgorithmParameterSpec() {
- return null;
- }
- private static String checkAlgorithm(Set supportedAlgorithms, String algo) {
- if (algo != null && !supportedAlgorithms.contains(algo)) {
- throw new SecurityException();
- }
- return algo;
- }
- private void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
- String providedAlgo = headers.getKeyEncryptionAlgorithm();
- if ((providedAlgo == null && defaultAlgo == null)
- || (providedAlgo != null && defaultAlgo != null && !providedAlgo.equals(defaultAlgo))) {
- throw new SecurityException();
- }
- if (providedAlgo != null) {
- checkAlgorithm(supportedAlgorithms, providedAlgo);
- } else {
- checkAlgorithms(headers, defaultAlgo);
- headers.setKeyEncryptionAlgorithm(defaultAlgo);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..c1f89aa
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+
+public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
+ public AesGcmContentEncryptionAlgorithm(SecretKey key, byte[] iv) {
+ this(key.getEncoded(), iv);
+ }
+ public AesGcmContentEncryptionAlgorithm(byte[] cek, byte[] iv) {
+ super(cek, iv);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
----------------------------------------------------------------------
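Review bot: The `byte[] cek` constructor accepts any key length, so a mis-sized key is only rejected later inside cipher initialisation, far from where it was supplied; validating here, `if (cek != null && cek.length != 16 && cek.length != 24 && cek.length != 32) { throw new IllegalArgumentException("AES-GCM key must be 128, 192 or 256 bits"); }`, fails fast while keeping null allowed (the superclass caller in `AbstractJweEncryption` appears to treat a null key as "generate one"). The class also has no Javadoc although its name is the only thing tying it to AES-GCM — the parameter spec and tag length come from the superclass — so a class comment along the lines of `Content encryption with AES in GCM mode; a null cek means the provider generates a random key, a null iv means a fresh random IV is produced per message` would tell a reader what the two null cases mean.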
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
new file mode 100644
index 0000000..3f67d31
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class AesWrapKeyAlgorithm extends AbstractWrapKeyAlgorithm {
+ private static final Set SUPPORTED_ALGORITHMS = new HashSet(
+ Arrays.asList(Algorithm.A128KW.getJwtName(),
+ Algorithm.A192KW.getJwtName(),
+ Algorithm.A256KW.getJwtName()));
+ public AesWrapKeyAlgorithm(byte[] keyBytes, String keyAlgoJwt) {
+ this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.toJavaName(keyAlgoJwt)),
+ keyAlgoJwt);
+ }
+ public AesWrapKeyAlgorithm(SecretKey key, String keyAlgoJwt) {
+ super(key, keyAlgoJwt, SUPPORTED_ALGORITHMS);
+ }
+
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
deleted file mode 100644
index ec4aa87..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AesWrapKeyEncryption extends AbstractWrapKeyEncryption {
- private static final Set SUPPORTED_ALGORITHMS = new HashSet(
- Arrays.asList(Algorithm.A128KW.getJwtName(),
- Algorithm.A192KW.getJwtName(),
- Algorithm.A256KW.getJwtName()));
- public AesWrapKeyEncryption(byte[] keyBytes, String keyAlgoJwt) {
- this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.toJavaName(keyAlgoJwt)),
- keyAlgoJwt);
- }
- public AesWrapKeyEncryption(SecretKey key, String keyAlgoJwt) {
- super(key, keyAlgoJwt, SUPPORTED_ALGORITHMS);
- }
-
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..7b93ef8
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+
+interface ContentEncryptionAlgorithm {
+ byte[] getInitVector();
+ byte[] getContentEncryptionKey(JweHeaders headers);
+ AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
----------------------------------------------------------------------
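Review bot: `ContentEncryptionAlgorithm` carries no Javadoc, and its contract is not obvious from the signatures: `getContentEncryptionKey` may return null (the caller in `AbstractJweEncryption` treats null as "generate a random key"), and the one implementation of `getInitVector` in this commit hands out a caller-supplied IV at most once and throws `SecurityException` on a second call. Both deserve to be stated on the interface so other implementations honour them, e.g. `/** Returns the IV for the next encryption; an implementation must never return the same IV twice for the same key. */` above `getInitVector()` and `/** Returns the content encryption key, or null if the provider should generate one for the given headers. */` above `getContentEncryptionKey`. The interface is package-private while `AbstractJweEncryption`'s protected constructors take it as a parameter, so subclasses outside this package cannot supply their own implementation — confirm that is intended.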
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
new file mode 100644
index 0000000..5e9088e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+public class DirectKeyAlgorithm implements KeyEncryptionAlgorithm {
+ public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
+ if (headers.getKeyEncryptionAlgorithm() != null) {
+ throw new SecurityException();
+ }
+ return new byte[0];
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
deleted file mode 100644
index b81cbb3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public class DirectKeyEncryption implements KeyEncryptionAlgorithm {
- public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
- if (headers.getKeyEncryptionAlgorithm() != null) {
- throw new SecurityException();
- }
- return new byte[0];
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
index 978fd8a..53e54e6 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
@@ -28,9 +28,6 @@ public class DirectKeyJweEncryption extends AbstractJweEncryption {
 cek.getEncoded().length * 8)), cek.getEncoded(), iv);
 }
 public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
- this(headers, cek, iv, AbstractJweEncryption.DEFAULT_AUTH_TAG_LENGTH);
- }
- public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) {
- super(headers, cek, iv, authTagLen, new DirectKeyEncryption());
+ super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), new DirectKeyAlgorithm());
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
index d00b8ed..1010e3d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
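Review bot: The public `DirectKeyJweEncryption(JweHeaders, byte[], byte[], int authTagLen)` constructor is removed outright rather than deprecated, and `RSAJweEncryption` drops its `int authTagLen` parameters the same way in the next file, so any caller compiled against the previous signatures breaks at link time; if the tag length is no longer configurable, a `@Deprecated` overload that validates the argument (`if (authTagLen != 128) { throw new IllegalArgumentException("Only a 128-bit auth tag is supported"); }`) and delegates would keep the API stable. The surviving constructor also hard-codes `new AesGcmContentEncryptionAlgorithm(cek, iv)` regardless of the `enc` value carried in `headers`, so a header naming another content algorithm would presumably be encrypted with GCM while advertising something else — worth checking `headers.getContentEncryptionAlgorithm()` against the GCM names here or documenting that only AES-GCM is supported. The constructor above the hunk starts outside it.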
@@ -33,7 +33,7 @@ public class RSAJweEncryption extends WrappedKeyJweEncryption {
 new RSAOaepKeyEncryption(publicKey, keyEncryptionJwtAlgo));
 }
 public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv) {
- this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
+ this(publicKey, headers, cek, iv, true, null);
 }
 public RSAJweEncryption(RSAPublicKey publicKey, String keyEncryptionJwtAlgo,
@@ -42,21 +42,20 @@ public class RSAJweEncryption extends WrappedKeyJweEncryption {
 byte[] iv) {
 this(publicKey, new JweHeaders(keyEncryptionJwtAlgo, secretKeyJwtAlgo),
- secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
+ secretKey != null ? secretKey.getEncoded() : null, iv, true, null);
 }
 public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[] iv,
- int authTagLen, boolean wrap, JwtHeadersWriter writer) {
- this(new RSAOaepKeyEncryption(publicKey, wrap), headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, writer);
+ this(new RSAOaepKeyEncryption(publicKey, wrap), headers, cek, iv, writer);
 }
 public RSAJweEncryption(RSAOaepKeyEncryption keyEncryptionAlgorithm, JweHeaders headers, byte[] cek,
- byte[] iv, int authTagLen, JwtHeadersWriter writer) {
- super(headers, cek, iv, authTagLen, keyEncryptionAlgorithm, writer);
+ byte[] iv, JwtHeadersWriter writer) {
+ super(headers, cek, iv, keyEncryptionAlgorithm, writer);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
index bdd9dd6..eea1851 100644
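Review bot: None of the public constructors in these hunks carries Javadoc, and two of their parameters are not self-explanatory: `boolean wrap` (hard-coded `true` by the convenience constructors and forwarded to `new RSAOaepKeyEncryption(publicKey, wrap)`) and a `null` `cek`/`iv` (the `String keyEncryptionJwtAlgo` constructor passes `secretKey != null ? secretKey.getEncoded() : null`). Please add a class-level or per-constructor Javadoc stating what `wrap` selects and what happens when `cek` or `iv` is `null`; with the CEK-generation code removed from WrappedKeyJweEncryption in this same commit, the second answer now depends on AesGcmContentEncryptionAlgorithm, which is not visible here. Separately, in the second hunk the `boolean wrap, JwtHeadersWriter writer) {` continuation appears only on the removed `- int authTagLen, ...` line with no `+` counterpart, which likely means it is a context line collapsed by the mail rendering rather than a dropped signature — worth a glance at the real diff to confirm. The constructor the first hunk opens on (`new RSAOaepKeyEncryption(publicKey, keyEncryptionJwtAlgo));`) starts outside the hunk.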
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
@@ -25,7 +25,7 @@ import java.util.Set;
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-public class RSAOaepKeyEncryption extends AbstractWrapKeyEncryption {
+public class RSAOaepKeyEncryption extends AbstractWrapKeyAlgorithm {
 private static final Set SUPPORTED_ALGORITHMS = new HashSet( Arrays.asList(Algorithm.RSA_OAEP.getJwtName(), Algorithm.RSA_OAEP_256.getJwtName()));
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
index e7c09bc..d57f490 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
@@ -18,44 +18,24 @@
 */
 package org.apache.cxf.rs.security.oauth2.jwe;
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 public class WrappedKeyJweEncryption extends AbstractJweEncryption {
- private AtomicInteger providedCekUsageCount;
 public WrappedKeyJweEncryption(JweHeaders headers, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
 this(headers, null, null, keyEncryptionAlgorithm);
 }
 public WrappedKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgorithm, null);
+ this(headers, cek, iv, keyEncryptionAlgorithm, null);
 }
 public WrappedKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv,
- int authTagLen, KeyEncryptionAlgorithm keyEncryptionAlgorithm, JwtHeadersWriter writer) {
- super(headers, cek, iv, authTagLen, keyEncryptionAlgorithm, writer);
- if (cek != null) {
- providedCekUsageCount = new AtomicInteger();
- }
- }
- protected byte[] getContentEncryptionKey() {
- byte[] theCek = super.getContentEncryptionKey();
- if (theCek == null) {
- String algoJava = getContentEncryptionAlgoJava();
- String algoJwt = getContentEncryptionAlgoJwt();
- theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava),
- Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
- } else if (providedCekUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
- }
- return theCek;
+ super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), keyEncryptionAlgorithm, writer);
 }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/646b27ac/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
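Review bot: The removed `getContentEncryptionKey()` override carried two safeguards that the new constructor does not visibly replace: it generated a fresh CEK via `CryptoUtils.getSecretKey(...)` sized from the `enc` algorithm when none was supplied, and it threw SecurityException the second time a caller-supplied CEK was used (`providedCekUsageCount.addAndGet(1) > 1`). The new code passes `cek` and `iv` straight to `new AesGcmContentEncryptionAlgorithm(cek, iv)`, a class added by this commit but not shown here; unless it reimplements both, an instance built with a fixed key and IV can encrypt twice under the same AES-GCM nonce, which breaks confidentiality of both messages and lets the authentication tag be forged. Please confirm the single-use guard survived the move, or restore it on the content-encryption side, which is also where random CEK/IV generation most naturally lives now. A second, smaller point: this class is generic over KeyEncryptionAlgorithm but now hard-codes AES-GCM content encryption, so a JweHeaders `enc` of A128CBC-HS256 (the value the test in this commit sets) would be silently mismatched unless AesGcmContentEncryptionAlgorithm rejects it; a check there or a Javadoc note here, `/** Wrapped-key JWE using AES-GCM content encryption; the enc header must name an A*GCM algorithm. */`, would make that explicit.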
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index b432d9c..091ea1a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -112,7 +112,7 @@ public class JweCompactReaderWriterTest extends Assert {
 headers.setAlgorithm(Algorithm.A128KW.getJwtName());
 headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
- AesWrapKeyEncryption keyEncryption = new AesWrapKeyEncryption(Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3),
+ AesWrapKeyAlgorithm keyEncryption = new AesWrapKeyAlgorithm(Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3), Algorithm.A128KW.getJwtName());
 byte[] encryptedCek = keyEncryption.getEncryptedContentEncryptionKey(headers, CONTENT_ENCRYPTION_KEY_A3);