From serg...@apache.org
Subject git commit: [CXF-5902] More refactoring to make it easier to provide a utility code for composite algorithms
Date Tue, 12 Aug 2014 20:05:46 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes cf39ffeff -> e455d4f27


[CXF-5902] More refactoring to make it easier to provide a utility code for composite algorithms


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e455d4f2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e455d4f2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e455d4f2

Branch: refs/heads/3.0.x-fixes
Commit: e455d4f2723f67dbb51d1dfa7d709b2582d2c7fa
Parents: cf39ffe
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Jul 31 17:19:36 2014 +0300
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Aug 12 21:04:55 2014 +0100

----------------------------------------------------------------------
 .../jwe/AbstractContentEncryptionAlgorithm.java | 66 ++++++++++++++
 .../oauth2/jwe/AbstractJweEncryption.java       | 64 ++++---------
 .../oauth2/jwe/AbstractWrapKeyAlgorithm.java    | 95 ++++++++++++++++++++
 .../oauth2/jwe/AbstractWrapKeyEncryption.java   | 95 --------------------
 .../jwe/AesGcmContentEncryptionAlgorithm.java   | 31 +++++++
 .../oauth2/jwe/AesWrapKeyAlgorithm.java         | 45 ++++++++++
 .../oauth2/jwe/AesWrapKeyEncryption.java        | 45 ----------
 .../oauth2/jwe/ContentEncryptionAlgorithm.java  | 28 ++++++
 .../security/oauth2/jwe/DirectKeyAlgorithm.java | 29 ++++++
 .../oauth2/jwe/DirectKeyEncryption.java         | 29 ------
 .../oauth2/jwe/DirectKeyJweEncryption.java      |  5 +-
 .../security/oauth2/jwe/RSAJweEncryption.java   | 11 ++-
 .../oauth2/jwe/RSAOaepKeyEncryption.java        |  2 +-
 .../oauth2/jwe/WrappedKeyJweEncryption.java     | 26 +-----
 .../oauth2/jwe/JweCompactReaderWriterTest.java  |  2 +-
 15 files changed, 324 insertions(+), 249 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..7baa98c
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+
+public abstract class AbstractContentEncryptionAlgorithm implements ContentEncryptionAlgorithm
{
+    private static final int DEFAULT_IV_SIZE = 96;
+    private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+    private byte[] cek;
+    private byte[] iv;
+    private AtomicInteger providedIvUsageCount;
+    private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+    protected AbstractContentEncryptionAlgorithm(SecretKey key, byte[] iv) { 
+        this(key.getEncoded(), iv);    
+    }
+    protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv) { 
+        this.cek = cek;
+        this.iv = iv;
+        if (iv != null && iv.length > 0) {
+            providedIvUsageCount = new AtomicInteger();
+        }    
+    }
+    
+    
+    public byte[] getContentEncryptionKey(JweHeaders headers) {
+        return cek;
+    }
+    public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
+        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+    }
+    public byte[] getInitVector() {
+        if (iv == null) {
+            return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
+        } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1)
{
+            throw new SecurityException();
+        } else {
+            return iv;
+        }
+    }
+    protected int getAuthTagLen() {
+        return authTagLen;
+    }
+}
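Review bot: `DEFAULT_IV_SIZE = 96` is passed unchanged to `CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE)` in getInitVector; if that helper takes a byte count, as its name suggests, the generated IV is 96 bytes rather than the 96-bit nonce the constant's value suggests (and that the AES-GCM subclass added in this commit would normally use), so either the call should become `CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE / 8)` or the constant should be named and commented as a byte count. The single-use guard on a caller-supplied IV is the right defence against nonce reuse, but `throw new SecurityException()` gives no diagnostic; `throw new SecurityException("A caller-provided IV may only be used once")` would make the failure explainable. An IV supplied as an empty array bypasses that guard (`iv.length > 0` is false) and is returned as-is, so it would be safer to reject a zero-length IV in the constructor or treat it like null. The three interface methods also lack `@Override`.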

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
index e8728c7..389bb42 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -19,7 +19,6 @@
 package org.apache.cxf.rs.security.oauth2.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.concurrent.atomic.AtomicInteger;
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
@@ -32,67 +31,42 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public abstract class AbstractJweEncryption implements JweEncryptionProvider {
-    protected static final int DEFAULT_IV_SIZE = 96;
-    protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+    private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
     private JweHeaders headers;
     private JwtHeadersWriter writer;
-    private byte[] cek;
-    private byte[] iv;
-    private AtomicInteger providedIvUsageCount;
-    private int authTagLen;
+    private ContentEncryptionAlgorithm contentEncryptionAlgo;
     private KeyEncryptionAlgorithm keyEncryptionAlgo;
     
-    protected AbstractJweEncryption(SecretKey cek, byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgo)
{
-        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
-                                                cek.getEncoded().length * 8)),
-                                                cek.getEncoded(), iv, keyEncryptionAlgo);
-    }
-    protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, 
-                                    KeyEncryptionAlgorithm keyEncryptionAlgo) {
-        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo);
-    }
-    protected AbstractJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen,
+    protected AbstractJweEncryption(JweHeaders headers, 
+                                    ContentEncryptionAlgorithm contentEncryptionAlgo,
                                     KeyEncryptionAlgorithm keyEncryptionAlgo) {
-        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo, null);
-    }
-    protected AbstractJweEncryption(JweHeaders headers, KeyEncryptionAlgorithm keyEncryptionAlgo)
{
-        this(headers, null, null, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgo, null);
+        this(headers, contentEncryptionAlgo, keyEncryptionAlgo, null);
     }
     protected AbstractJweEncryption(JweHeaders headers, 
-                                    byte[] cek, 
-                                    byte[] iv, 
-                                    int authTagLen, 
+                                    ContentEncryptionAlgorithm contentEncryptionAlgo, 
                                     KeyEncryptionAlgorithm keyEncryptionAlgo,
                                     JwtHeadersWriter writer) {
         this.headers = headers;
-        this.cek = cek;
-        this.iv = iv;
-        if (iv != null && iv.length > 0) {
-            providedIvUsageCount = new AtomicInteger();
-        }
-        this.authTagLen = authTagLen;
         this.writer = writer;
         if (this.writer == null) {
             this.writer = new JwtTokenReaderWriter();
         }
         this.keyEncryptionAlgo = keyEncryptionAlgo;
+        this.contentEncryptionAlgo = contentEncryptionAlgo;
     }
     
-    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(byte[] theIv) {
-        return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
-    }
-    
-    protected byte[] getContentEncryptionCipherInitVector() {
-        if (iv == null) {
-            return CryptoUtils.generateSecureRandomBytes(DEFAULT_IV_SIZE);
-        } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1)
{
-            throw new SecurityException();
-        } else {
-            return iv;
-        }
+    protected AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
+        return contentEncryptionAlgo.getAlgorithmParameterSpec(theIv);
     }
     
     protected byte[] getContentEncryptionKey() {
+        byte[] cek = contentEncryptionAlgo.getContentEncryptionKey(headers);
+        if (cek == null) {
+            String algoJava = getContentEncryptionAlgoJava();
+            String algoJwt = getContentEncryptionAlgoJwt();
+            cek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava), 
+                Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
+        }
         return cek;
     }
     
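Review bot: `Algorithm.valueOf(algoJwt)` in the new null-CEK branch of getContentEncryptionKey resolves the JWT algorithm name through the enum constant name, whereas elsewhere in this commit JWT names come from `Algorithm.getJwtName()`, which suggests the two can differ (a JWT name containing '-' cannot be an enum constant); for such a content algorithm this fallback would fail with an IllegalArgumentException from valueOf rather than a deliberate SecurityException. A lookup keyed on the JWT name, if Algorithm provides one, would be the robust choice here. Note also that the branch generates a fresh random key on every call, so the method must be invoked exactly once per encryption; the call site that produces `theCek` is outside this hunk, and a comment such as `// generates a new random CEK on each call when none was supplied; call once per encryption` would protect future callers from silently encrypting the content and wrapping different keys.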
@@ -108,7 +82,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     }
     
     protected int getAuthTagLen() {
-        return authTagLen;
+        return DEFAULT_AUTH_TAG_LENGTH;
     }
     protected JweHeaders getJweHeaders() {
         return headers;
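Review bot: getAuthTagLen now returns the fixed `DEFAULT_AUTH_TAG_LENGTH`, while the cipher parameters come from `contentEncryptionAlgo.getAlgorithmParameterSpec(theIv)`, which in AbstractContentEncryptionAlgorithm uses that class's own authTagLen field; the tag length therefore lives in two places that nothing keeps in sync. Should a ContentEncryptionAlgorithm implementation ever use a different tag length, whatever this class does with getAuthTagLen (its callers are outside this hunk) would disagree with the tag the cipher actually produces. Adding a tag-length accessor to the ContentEncryptionAlgorithm interface and delegating from here would leave a single source of truth.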
@@ -154,8 +128,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
         byte[] additionalEncryptionParam = theHeaders.toCipherAdditionalAuthData(writer);
         keyProps.setAdditionalData(additionalEncryptionParam);
         
-        byte[] theIv = getContentEncryptionCipherInitVector();
-        AlgorithmParameterSpec specParams = getContentEncryptionCipherSpec(theIv);
+        byte[] theIv = contentEncryptionAlgo.getInitVector();
+        AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv);
         keyProps.setAlgoSpec(specParams);
         byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
         JweEncryptionInternal state = new JweEncryptionInternal();

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
new file mode 100644
index 0000000..024ac8f
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyAlgorithm.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Set;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public abstract class AbstractWrapKeyAlgorithm implements KeyEncryptionAlgorithm {
+    private Key keyEncryptionKey;
+    private boolean wrap;
+    private String algorithm;
+    private Set<String> supportedAlgorithms;
+    protected AbstractWrapKeyAlgorithm(Key key, Set<String> supportedAlgorithms) {
+        this(key, null, true, supportedAlgorithms);
+    }
+    protected AbstractWrapKeyAlgorithm(Key key, boolean wrap, Set<String> supportedAlgorithms)
{
+        this(key, null, wrap, supportedAlgorithms);
+    }
+    protected AbstractWrapKeyAlgorithm(Key key, String jweAlgo, Set<String> supportedAlgorithms)
{
+        this(key, jweAlgo, true, supportedAlgorithms);
+    }
+    protected AbstractWrapKeyAlgorithm(Key key, String jweAlgo, boolean wrap, Set<String>
supportedAlgorithms) {
+        this.keyEncryptionKey = key;
+        this.algorithm = jweAlgo;
+        this.wrap = wrap;
+        this.supportedAlgorithms = supportedAlgorithms;
+    }
+    @Override
+    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
+        checkAlgorithms(headers, algorithm);
+        KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
+        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(); 
+        if (spec != null) {
+            secretKeyProperties.setAlgoSpec(spec);
+        }
+        if (!wrap) {
+            return CryptoUtils.encryptBytes(cek, keyEncryptionKey, secretKeyProperties);
+        } else {
+            return CryptoUtils.wrapSecretKey(cek, 
+                                             getContentEncryptionAlgoJava(headers),
+                                             keyEncryptionKey, 
+                                             secretKeyProperties);
+        }
+    }
+    protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
+        return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgoJava(JweHeaders headers) {
+        return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
+    }
+    protected AlgorithmParameterSpec getAlgorithmParameterSpec() {
+        return null;
+    }
+    private static String checkAlgorithm(Set<String> supportedAlgorithms, String algo)
{
+        if (algo != null && !supportedAlgorithms.contains(algo)) {
+            throw new SecurityException();
+        }
+        return algo;
+    }
+    private void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
+        String providedAlgo = headers.getKeyEncryptionAlgorithm();
+        if ((providedAlgo == null && defaultAlgo == null)
+            || (providedAlgo != null && defaultAlgo != null && !providedAlgo.equals(defaultAlgo)))
{
+            throw new SecurityException();
+        }
+        if (providedAlgo != null) {
+            checkAlgorithm(supportedAlgorithms, providedAlgo);
+        } else {
+            checkAlgorithms(headers, defaultAlgo);
+            headers.setKeyEncryptionAlgorithm(defaultAlgo);
+        }
+    }
+    
+}
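Review bot: checkAlgorithms recurses into itself when the headers carry no key-encryption algorithm: in the else branch `checkAlgorithms(headers, defaultAlgo)` runs before `headers.setKeyEncryptionAlgorithm(defaultAlgo)`, so `providedAlgo` is still null on re-entry and the method never terminates, ending in a StackOverflowError instead of a validated default. The intent is evidently the single-algorithm check, i.e. `checkAlgorithm(supportedAlgorithms, defaultAlgo);` followed by the header update. The logic is carried over verbatim from the deleted AbstractWrapKeyEncryption, so the defect predates this commit but is now in the file under review. Separately, `supportedAlgorithms` is stored by reference; wrapping it in `Collections.unmodifiableSet` or copying it in the constructor would stop a caller from widening the allowed algorithms after construction.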

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
deleted file mode 100644
index 8ab04c5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryption.java
+++ /dev/null
@@ -1,95 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractWrapKeyEncryption implements KeyEncryptionAlgorithm {
-    private Key keyEncryptionKey;
-    private boolean wrap;
-    private String algorithm;
-    private Set<String> supportedAlgorithms;
-    protected AbstractWrapKeyEncryption(Key key, Set<String> supportedAlgorithms) {
-        this(key, null, true, supportedAlgorithms);
-    }
-    protected AbstractWrapKeyEncryption(Key key, boolean wrap, Set<String> supportedAlgorithms)
{
-        this(key, null, wrap, supportedAlgorithms);
-    }
-    protected AbstractWrapKeyEncryption(Key key, String jweAlgo, Set<String> supportedAlgorithms)
{
-        this(key, jweAlgo, true, supportedAlgorithms);
-    }
-    protected AbstractWrapKeyEncryption(Key key, String jweAlgo, boolean wrap, Set<String>
supportedAlgorithms) {
-        this.keyEncryptionKey = key;
-        this.algorithm = jweAlgo;
-        this.wrap = wrap;
-        this.supportedAlgorithms = supportedAlgorithms;
-    }
-    @Override
-    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
-        checkAlgorithms(headers, algorithm);
-        KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
-        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(); 
-        if (spec != null) {
-            secretKeyProperties.setAlgoSpec(spec);
-        }
-        if (!wrap) {
-            return CryptoUtils.encryptBytes(cek, keyEncryptionKey, secretKeyProperties);
-        } else {
-            return CryptoUtils.wrapSecretKey(cek, 
-                                             getContentEncryptionAlgoJava(headers),
-                                             keyEncryptionKey, 
-                                             secretKeyProperties);
-        }
-    }
-    protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
-        return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
-    }
-    protected String getContentEncryptionAlgoJava(JweHeaders headers) {
-        return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
-    }
-    protected AlgorithmParameterSpec getAlgorithmParameterSpec() {
-        return null;
-    }
-    private static String checkAlgorithm(Set<String> supportedAlgorithms, String algo)
{
-        if (algo != null && !supportedAlgorithms.contains(algo)) {
-            throw new SecurityException();
-        }
-        return algo;
-    }
-    private void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
-        String providedAlgo = headers.getKeyEncryptionAlgorithm();
-        if ((providedAlgo == null && defaultAlgo == null)
-            || (providedAlgo != null && defaultAlgo != null && !providedAlgo.equals(defaultAlgo)))
{
-            throw new SecurityException();
-        }
-        if (providedAlgo != null) {
-            checkAlgorithm(supportedAlgorithms, providedAlgo);
-        } else {
-            checkAlgorithms(headers, defaultAlgo);
-            headers.setKeyEncryptionAlgorithm(defaultAlgo);
-        }
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..c1f89aa
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import javax.crypto.SecretKey;
+
+
+public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm
{
+    public AesGcmContentEncryptionAlgorithm(SecretKey key, byte[] iv) { 
+        this(key.getEncoded(), iv);    
+    }
+    public AesGcmContentEncryptionAlgorithm(byte[] cek, byte[] iv) { 
+        super(cek, iv);    
+    }
+}
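Review bot: The SecretKey constructor forwards `key.getEncoded()` as the CEK, and `Key.getEncoded()` is specified to return null when the key does not support encoding (for example a key held by a hardware provider); since the new AbstractJweEncryption.getContentEncryptionKey treats a null CEK as "generate a random one", such a key would be silently replaced instead of rejected. A fail-fast check, `this(Objects.requireNonNull(key.getEncoded(), "key is not extractable"), iv);` with `java.util.Objects` imported, makes the misuse visible. The same applies to the SecretKey constructor of AbstractContentEncryptionAlgorithm, which this constructor duplicates rather than reaching through `super(key, iv)`.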

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
new file mode 100644
index 0000000..3f67d31
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyAlgorithm.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class AesWrapKeyAlgorithm extends AbstractWrapKeyAlgorithm {
+    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+        Arrays.asList(Algorithm.A128KW.getJwtName(),
+                      Algorithm.A192KW.getJwtName(),
+                      Algorithm.A256KW.getJwtName()));
+    public AesWrapKeyAlgorithm(byte[] keyBytes, String keyAlgoJwt) {
+        this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.toJavaName(keyAlgoJwt)),
+             keyAlgoJwt);
+    }
+    public AesWrapKeyAlgorithm(SecretKey key, String keyAlgoJwt) {
+        super(key, keyAlgoJwt, SUPPORTED_ALGORITHMS);
+    }
+    
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
deleted file mode 100644
index ec4aa87..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesWrapKeyEncryption.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AesWrapKeyEncryption extends AbstractWrapKeyEncryption {
-    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.A128KW.getJwtName(),
-                      Algorithm.A192KW.getJwtName(),
-                      Algorithm.A256KW.getJwtName()));
-    public AesWrapKeyEncryption(byte[] keyBytes, String keyAlgoJwt) {
-        this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.toJavaName(keyAlgoJwt)),
-             keyAlgoJwt);
-    }
-    public AesWrapKeyEncryption(SecretKey key, String keyAlgoJwt) {
-        super(key, keyAlgoJwt, SUPPORTED_ALGORITHMS);
-    }
-    
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
new file mode 100644
index 0000000..7b93ef8
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+
+interface ContentEncryptionAlgorithm {
+    byte[] getInitVector();
+    byte[] getContentEncryptionKey(JweHeaders headers);
+    AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
+}
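Review bot: The new ContentEncryptionAlgorithm interface has no Javadoc although its contract carries security-relevant obligations the rest of this commit relies on: AbstractJweEncryption treats a null return from `getContentEncryptionKey(headers)` as "generate a random CEK", and AbstractContentEncryptionAlgorithm ensures a caller-supplied value from `getInitVector()` is handed out only once. I would add a Javadoc to each method stating that getInitVector must return a value never reused with the same key (a fresh random IV when none was supplied), that getContentEncryptionKey may return null to delegate key generation to the caller, and that getAlgorithmParameterSpec builds the cipher parameters for the given IV. The interface is package-private while the public AbstractContentEncryptionAlgorithm and AesGcmContentEncryptionAlgorithm implement it, so code outside the package cannot name the type it is handed; say whether that is intended.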

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
new file mode 100644
index 0000000..5e9088e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyAlgorithm.java
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+public class DirectKeyAlgorithm implements KeyEncryptionAlgorithm {
+    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
+        if (headers.getKeyEncryptionAlgorithm() != null) {
+            throw new SecurityException();
+        }
+        return new byte[0];
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
deleted file mode 100644
index b81cbb3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyEncryption.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public class DirectKeyEncryption implements KeyEncryptionAlgorithm {
-    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
-        if (headers.getKeyEncryptionAlgorithm() != null) {
-            throw new SecurityException();
-        }
-        return new byte[0];
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
index 978fd8a..53e54e6 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryption.java
@@ -28,9 +28,6 @@ public class DirectKeyJweEncryption extends AbstractJweEncryption {
                                                 cek.getEncoded().length * 8)), cek.getEncoded(),
iv);
     }
     public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
-        this(headers, cek, iv, AbstractJweEncryption.DEFAULT_AUTH_TAG_LENGTH);
-    }
-    public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen)
{
-        super(headers, cek, iv, authTagLen, new DirectKeyEncryption());
+        super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), new DirectKeyAlgorithm());
     }
 }
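Review bot: Dropping the public `DirectKeyJweEncryption(JweHeaders, byte[], byte[], int authTagLen)` constructor is a source- and binary-incompatible change for any caller that chose a tag length, and the same overload removal happens in the RSAJweEncryption and WrappedKeyJweEncryption hunks below. The replacement passes `new AesGcmContentEncryptionAlgorithm(cek, iv)`, so the tag length is now whatever that class fixes internally, which this diff does not show. Consider keeping a `@Deprecated` overload with the old signature that delegates to the new constructor and rejects any authTagLen other than the default rather than silently ignoring it, or call the break out explicitly. The first constructor of this class starts outside the hunk.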

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
index d00b8ed..1010e3d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweEncryption.java
@@ -33,7 +33,7 @@ public class RSAJweEncryption extends WrappedKeyJweEncryption {
               new RSAOaepKeyEncryption(publicKey, keyEncryptionJwtAlgo));
     }
     public RSAJweEncryption(RSAPublicKey publicKey, JweHeaders headers, byte[] cek, byte[]
iv) {
-        this(publicKey, headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true, null);
+        this(publicKey, headers, cek, iv, true, null);
     }
     public RSAJweEncryption(RSAPublicKey publicKey, 
                             String keyEncryptionJwtAlgo,
@@ -42,21 +42,20 @@ public class RSAJweEncryption extends WrappedKeyJweEncryption {
                             byte[] iv) {
         this(publicKey, 
              new JweHeaders(keyEncryptionJwtAlgo, secretKeyJwtAlgo),
-             secretKey != null ? secretKey.getEncoded() : null, iv, DEFAULT_AUTH_TAG_LENGTH,
true, null);
+             secretKey != null ? secretKey.getEncoded() : null, iv, true, null);
     }
     
     public RSAJweEncryption(RSAPublicKey publicKey, 
                             JweHeaders headers, 
                             byte[] cek, 
                             byte[] iv, 
-                            int authTagLen,
                             boolean wrap,
                             JwtHeadersWriter writer) {
-        this(new RSAOaepKeyEncryption(publicKey, wrap), headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH,
writer);
+        this(new RSAOaepKeyEncryption(publicKey, wrap), headers, cek, iv, writer);
     }
     public RSAJweEncryption(RSAOaepKeyEncryption keyEncryptionAlgorithm, JweHeaders headers,
byte[] cek, 
-                            byte[] iv, int authTagLen, JwtHeadersWriter writer) {
-        super(headers, cek, iv, authTagLen, keyEncryptionAlgorithm, writer);
+                            byte[] iv, JwtHeadersWriter writer) {
+        super(headers, cek, iv, keyEncryptionAlgorithm, writer);
     }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
index bdd9dd6..eea1851 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryption.java
@@ -25,7 +25,7 @@ import java.util.Set;
 
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 
-public class RSAOaepKeyEncryption extends AbstractWrapKeyEncryption {
+public class RSAOaepKeyEncryption extends AbstractWrapKeyAlgorithm {
     private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
         Arrays.asList(Algorithm.RSA_OAEP.getJwtName(),
                       Algorithm.RSA_OAEP_256.getJwtName()));

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
index e7c09bc..d57f490 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
@@ -18,44 +18,24 @@
  */
 package org.apache.cxf.rs.security.oauth2.jwe;
 
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class WrappedKeyJweEncryption extends AbstractJweEncryption {
-    private AtomicInteger providedCekUsageCount;
     public WrappedKeyJweEncryption(JweHeaders headers, 
                                    KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
         this(headers, null, null, keyEncryptionAlgorithm);
     }
     public WrappedKeyJweEncryption(JweHeaders headers, byte[] cek, 
                                    byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgorithm)
{
-        this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH, keyEncryptionAlgorithm, null);
+        this(headers, cek, iv, keyEncryptionAlgorithm, null);
     }
     public WrappedKeyJweEncryption(JweHeaders headers, 
                                    byte[] cek, 
                                    byte[] iv, 
-                                   int authTagLen, 
                                    KeyEncryptionAlgorithm keyEncryptionAlgorithm,
                                    JwtHeadersWriter writer) {
-        super(headers, cek, iv, authTagLen, keyEncryptionAlgorithm, writer);
-        if (cek != null) {
-            providedCekUsageCount = new AtomicInteger();
-        }
-    }
-    protected byte[] getContentEncryptionKey() {
-        byte[] theCek = super.getContentEncryptionKey();
-        if (theCek == null) {
-            String algoJava = getContentEncryptionAlgoJava();
-            String algoJwt = getContentEncryptionAlgoJwt();
-            theCek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava), 
-                Algorithm.valueOf(algoJwt).getKeySizeBits()).getEncoded();
-        } else if (providedCekUsageCount.addAndGet(1) > 1) {
-            throw new SecurityException();
-        }
-        return theCek;
+        super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), keyEncryptionAlgorithm,
writer);
     }
     
+    
 }
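Review bot: The single-use guard on a caller-provided CEK is gone from this class — the removed getContentEncryptionKey() override threw once providedCekUsageCount exceeded one — and nothing in this hunk shows where that check now lives. With AES-GCM, encrypting twice under the same key and IV pair loses both confidentiality and integrity, so an instance built from a fixed cek/iv must still refuse a second use; if AesGcmContentEncryptionAlgorithm (not in this diff) does not carry the counter, it should be reinstated there. The same question applies to the fresh-CEK generation that ran when cek was null: the first constructor in the hunk still passes `null, null` through, so that class is presumably responsible for it now, which is worth stating on the constructor once confirmed, e.g. `// null cek/iv: handled by AesGcmContentEncryptionAlgorithm`. Separately, the added line before the closing brace carries only trailing whitespace and should be dropped.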

http://git-wip-us.apache.org/repos/asf/cxf/blob/e455d4f2/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index b432d9c..091ea1a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -112,7 +112,7 @@ public class JweCompactReaderWriterTest extends Assert {
         headers.setAlgorithm(Algorithm.A128KW.getJwtName());
         headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
         
-        AesWrapKeyEncryption keyEncryption = new AesWrapKeyEncryption(Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3),

+        AesWrapKeyAlgorithm keyEncryption = new AesWrapKeyAlgorithm(Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3),

                                                                       Algorithm.A128KW.getJwtName());
         byte[] encryptedCek = keyEncryption.getEncryptedContentEncryptionKey(headers, CONTENT_ENCRYPTION_KEY_A3);
         

