cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: [CXF-5944] Optionally restricting validators/decryptors to supporting single algorithms only
Date Fri, 26 Sep 2014 13:09:24 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 4e7539b28 -> 8b495fae9


[CXF-5944] Optionally restricting validators/decryptors to supporting single algorithms only


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8b495fae
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8b495fae
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8b495fae

Branch: refs/heads/master
Commit: 8b495fae96b7e6731ea4fb1b1da93972f8ac46b7
Parents: 4e7539b
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Sep 26 14:09:08 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Sep 26 14:09:08 2014 +0100

----------------------------------------------------------------------
 .../jose/jaxrs/AbstractJweDecryptingFilter.java | 15 ++++++++---
 .../cxf/rs/security/jose/jwa/Algorithm.java     | 22 ++++++++++++++---
 .../jose/jwe/AbstractJweDecryption.java         |  3 ++-
 .../jose/jwe/AesCbcHmacJweDecryption.java       | 18 ++++++++++++--
 .../jose/jwe/AesCbcHmacJweEncryption.java       | 10 +-------
 .../jwe/AesGcmContentDecryptionAlgorithm.java   | 16 +++++++++++-
 .../jwe/AesGcmContentEncryptionAlgorithm.java   | 10 +-------
 .../jwe/AesGcmWrapKeyDecryptionAlgorithm.java   | 21 +++++++++++++---
 .../jose/jwe/AesWrapKeyDecryptionAlgorithm.java | 25 +++++++++++++++----
 .../jose/jwe/ContentDecryptionAlgorithm.java    |  2 +-
 .../jose/jwe/DirectKeyJweDecryption.java        |  8 +++---
 .../jose/jwe/DirectKeyJweEncryption.java        | 12 +++------
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 11 ++++++---
 .../jose/jwe/RSAOaepKeyDecryptionAlgorithm.java | 18 +++++++++++---
 .../jose/jwe/WrappedKeyDecryptionAlgorithm.java | 17 ++++++++++---
 .../jose/jwe/WrappedKeyJweDecryption.java       | 21 +++-------------
 .../jose/jws/AbstractJwsSignatureProvider.java  | 10 +++-----
 .../jose/jws/EcDsaJwsSignatureProvider.java     | 14 ++++-------
 .../jose/jws/EcDsaJwsSignatureVerifier.java     | 13 ++++++++--
 .../jose/jws/HmacJwsSignatureProvider.java      | 19 +++++++-------
 .../jose/jws/HmacJwsSignatureVerifier.java      | 19 +++++++++++++-
 .../cxf/rs/security/jose/jws/JwsUtils.java      |  6 ++---
 .../jws/PrivateKeyJwsSignatureProvider.java     | 26 +++++++++-----------
 .../jose/jws/PublicKeyJwsSignatureVerifier.java | 22 ++++++++++++++---
 .../jose/jwe/JweCompactReaderWriterTest.java    |  8 +++---
 .../jose/jwe/JwePbeHmacAesWrapTest.java         |  3 ++-
 26 files changed, 236 insertions(+), 133 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
index 31fc28b..635919e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -31,6 +31,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
+import org.apache.cxf.rs.security.jose.jwe.AesGcmContentDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
@@ -45,6 +46,7 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 public class AbstractJweDecryptingFilter {
     private static final String RSSEC_ENCRYPTION_IN_PROPS = "rs.security.encryption.in.properties";
     private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
+    private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
     private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";    
     private JweDecryptionProvider decryption;
     private String defaultMediaType;
@@ -77,7 +79,9 @@ public class AbstractJweDecryptingFilter {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
-                keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk);
+                keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk,
+                                                                           getKeyEncryptionAlgo(props, 
+                                                                                                jwk.getAlgorithm()));
             } else {
                 keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
                     (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
@@ -88,9 +92,10 @@ public class AbstractJweDecryptingFilter {
             String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
             boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
             if (isAesHmac) { 
-                return new AesCbcHmacJweDecryption(keyDecryptionProvider);
+                return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentEncryptionAlgo);
             } else {
-                return new WrappedKeyJweDecryption(keyDecryptionProvider);
+                return new WrappedKeyJweDecryption(keyDecryptionProvider, 
+                                                   new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
             }
             
         } catch (SecurityException ex) {
@@ -100,6 +105,10 @@ public class AbstractJweDecryptingFilter {
         }
         
     }
+    
+    private String getKeyEncryptionAlgo(Properties props, String algo) {
+        return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
+    }
 
     public String getDefaultMediaType() {
         return defaultMediaType;

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
index b17918a..89ac29d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
@@ -185,6 +185,10 @@ public enum Algorithm {
         }
         return javaName;
     }
+    public static boolean isRsaOaep(String algo) {
+        return JoseConstants.RSA_OAEP_ALGO.equals(algo)
+               || JoseConstants.RSA_OAEP_256_ALGO.equals(algo);
+    }
     public static boolean isAesKeyWrap(String algo) {
         return JoseConstants.A128KW_ALGO.equals(algo)
                || JoseConstants.A192KW_ALGO.equals(algo)
@@ -200,14 +204,24 @@ public enum Algorithm {
                || JoseConstants.A192GCM_ALGO.equals(algo)
                || JoseConstants.A256GCM_ALGO.equals(algo);
     }
+    public static boolean isAesCbcHmac(String algo) {
+        return JoseConstants.A128CBC_HS256_ALGO.equals(algo)
+            || JoseConstants.A192CBC_HS384_ALGO.equals(algo)
+            || JoseConstants.A256CBC_HS512_ALGO.equals(algo); 
+    }
     public static boolean isHmacSign(String algo) {
         return JoseConstants.HMAC_SHA_256_ALGO.equals(algo)
             || JoseConstants.HMAC_SHA_384_ALGO.equals(algo)
             || JoseConstants.HMAC_SHA_512_ALGO.equals(algo); 
     }
-    public static boolean isAesCbcHmac(String algo) {
-        return JoseConstants.A128CBC_HS256_ALGO.equals(algo)
-            || JoseConstants.A192CBC_HS384_ALGO.equals(algo)
-            || JoseConstants.A256CBC_HS512_ALGO.equals(algo); 
+    public static boolean isRsaShaSign(String algo) {
+        return JoseConstants.RS_SHA_256_ALGO.equals(algo)
+            || JoseConstants.RS_SHA_384_ALGO.equals(algo)
+            || JoseConstants.RS_SHA_512_ALGO.equals(algo); 
+    }
+    public static boolean isEcDsaSign(String algo) {
+        return JoseConstants.ES_SHA_256_ALGO.equals(algo)
+            || JoseConstants.ES_SHA_384_ALGO.equals(algo)
+            || JoseConstants.ES_SHA_512_ALGO.equals(algo); 
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index 292422e..987ebb7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -85,7 +85,8 @@ public abstract class AbstractJweDecryption implements JweDecryptionProvider {
         return contentDecryptionAlgo.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders());
     }
     protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
-        return contentDecryptionAlgo.getEncryptedSequence(consumer.getEncryptedContent(), 
+        return contentDecryptionAlgo.getEncryptedSequence(consumer.getJweHeaders(),
+                                                          consumer.getEncryptedContent(), 
                                                           getEncryptionAuthenticationTag(consumer));
     }
     protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) { 

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index 2db84f5..bf110f3 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -24,14 +24,21 @@ import java.util.Arrays;
 import javax.crypto.spec.IvParameterSpec;
 
 import org.apache.cxf.rs.security.jose.JoseHeadersReader;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 
 public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
+    private String supportedAlgo;
     public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo) {
         this(keyDecryptionAlgo, null);
     }
+    public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo, String supportedAlgo) {
+        this(keyDecryptionAlgo, supportedAlgo, null);
+    }
     public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
+                                   String supportedAlgo,
                                    JoseHeadersReader reader) {
         super(reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm());
+        this.supportedAlgo = null;
     }
     protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
         validateAuthenticationTag(consumer, cek);
@@ -39,6 +46,7 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
     }
     @Override
     protected byte[] getActualCek(byte[] theCek, String algoJwt) {
+        validateCekAlgorithm(algoJwt);
         return AesCbcHmacJweEncryption.doGetActualCek(theCek, algoJwt);
     }
     protected void validateAuthenticationTag(JweCompactConsumer consumer, byte[] theCek) {
@@ -67,9 +75,15 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
             return null;
         }
         @Override
-        public byte[] getEncryptedSequence(byte[] cipher, byte[] authTag) {
+        public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) {
             return cipher;
         }
     }
-    
+    private String validateCekAlgorithm(String cekAlgo) {
+        if (!Algorithm.isAesCbcHmac(cekAlgo) 
+            || supportedAlgo != null && !supportedAlgo.equals(cekAlgo)) {
+            throw new SecurityException();
+        }
+        return cekAlgo;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index b58f93d..111641e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -20,11 +20,8 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.nio.ByteBuffer;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Map;
-import java.util.Set;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.IvParameterSpec;
@@ -34,10 +31,6 @@ import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
 
 public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
-    private static final Set<String> SUPPORTED_CEK_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.A128CBC_HS256.getJwtName(),
-                      Algorithm.A192CBC_HS384.getJwtName(),
-                      Algorithm.A256CBC_HS512.getJwtName()));
     private static final Map<String, String> AES_HMAC_MAP;
     private static final Map<String, Integer> AES_CEK_SIZE_MAP;
     static {
@@ -159,7 +152,6 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
             public byte[] getTag() {
                 return signAndGetTag(macState);
             }
-            
         };
     }
     
@@ -188,7 +180,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
     }
     
     private static String validateCekAlgorithm(String cekAlgo) {
-        if (!SUPPORTED_CEK_ALGORITHMS.contains(cekAlgo)) {
+        if (!Algorithm.isAesCbcHmac(cekAlgo)) {
             throw new SecurityException();
         }
         return cekAlgo;

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
index 05d77ea..70b3a00 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
@@ -18,13 +18,27 @@
  */
 package org.apache.cxf.rs.security.jose.jwe;
 
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
 
 
 public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties
     implements ContentDecryptionAlgorithm {
+    private String supportedAlgo; 
+    public AesGcmContentDecryptionAlgorithm() {
+        this(null);
+    }
+    public AesGcmContentDecryptionAlgorithm(String supportedAlgo) {
+        this.supportedAlgo = supportedAlgo;
+    }
 
     @Override
-    public byte[] getEncryptedSequence(byte[] cipher, byte[] authTag) {
+    public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) {
+        String algo = headers.getContentEncryptionAlgorithm();
+        if (!Algorithm.isAesGcm(algo)
+            || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+            throw new SecurityException();
+        }
         return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index fd028c1..65575ac 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -18,10 +18,6 @@
  */
 package org.apache.cxf.rs.security.jose.jwe;
 
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
@@ -29,10 +25,6 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 
 public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
-    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.A128GCM.getJwtName(),
-                      Algorithm.A192GCM.getJwtName(),
-                      Algorithm.A256GCM.getJwtName()));
     private static final int DEFAULT_IV_SIZE = 96;
     public AesGcmContentEncryptionAlgorithm(String algo) {
         this((byte[])null, null, algo);
@@ -50,7 +42,7 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
         return DEFAULT_IV_SIZE;
     }
     private static String checkAlgorithm(String algo) {
-        if (SUPPORTED_ALGORITHMS.contains(algo)) {       
+        if (Algorithm.isAesGcm(algo)) {       
             return algo;
         }
         throw new SecurityException();

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index 6137e56..c05bafa 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -28,13 +28,22 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {    
-        this(CryptoUtils.decodeSequence(encodedKey));
+        this(encodedKey, null);
+    }
+    public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey, String supportedAlgo) {    
+        this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
     }
     public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey) {    
-        this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_ALGO_JAVA));
+        this(secretKey, null);
+    }
+    public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey, String supportedAlgo) {    
+        this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_ALGO_JAVA), supportedAlgo);
     }
     public AesGcmWrapKeyDecryptionAlgorithm(SecretKey secretKey) {    
-        super(secretKey, true);
+        this(secretKey, null);
+    }
+    public AesGcmWrapKeyDecryptionAlgorithm(SecretKey secretKey, String supportedAlgo) {    
+        super(secretKey, supportedAlgo);
     }
     @Override
     protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
@@ -54,4 +63,10 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
             throw new SecurityException(ex);
         }
     }
+    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
+        super.validateKeyEncryptionAlgorithm(keyAlgo);
+        if (!Algorithm.isAesGcmKeyWrap(keyAlgo)) {
+            throw new SecurityException();
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
index 14c273f..0ee79b4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
@@ -25,14 +25,29 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public AesWrapKeyDecryptionAlgorithm(String encodedKey) {    
-        this(CryptoUtils.decodeSequence(encodedKey));
+        this(encodedKey, null);
+    }
+    public AesWrapKeyDecryptionAlgorithm(String encodedKey, String supportedAlgo) {    
+        this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
     }
     public AesWrapKeyDecryptionAlgorithm(byte[] secretKey) {    
-        this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_WRAP_ALGO_JAVA));
+        this(secretKey, null);
     }
-    public AesWrapKeyDecryptionAlgorithm(SecretKey secretKey) {    
-        super(secretKey, true);
+    public AesWrapKeyDecryptionAlgorithm(byte[] secretKey, String supportedAlgo) {    
+        this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_WRAP_ALGO_JAVA), supportedAlgo);
+    }
+    public AesWrapKeyDecryptionAlgorithm(SecretKey secretKey) {
+        this(secretKey, null);
+    }
+    public AesWrapKeyDecryptionAlgorithm(SecretKey secretKey, String supportedAlgo) {    
+        super(secretKey, supportedAlgo);
+    }
+    @Override
+    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
+        super.validateKeyEncryptionAlgorithm(keyAlgo);
+        if (!Algorithm.isAesKeyWrap(keyAlgo)) {
+            throw new SecurityException();
+        }
     }
-    
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
index eaf6f61..ccba40b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
@@ -20,5 +20,5 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 
 interface ContentDecryptionAlgorithm extends ContentEncryptionCipherProperties {
-    byte[] getEncryptedSequence(byte[] cipher, byte[] authTag);
+    byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
index 1ab9e9f..6c822ea 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
@@ -23,11 +23,9 @@ import java.security.Key;
 import org.apache.cxf.rs.security.jose.JoseHeadersReader;
 
 public class DirectKeyJweDecryption extends AbstractJweDecryption {
-    public DirectKeyJweDecryption(Key contentDecryptionKey) {    
-        this(contentDecryptionKey, null);
-    }
-    public DirectKeyJweDecryption(Key contentDecryptionKey, JoseHeadersReader reader) {    
-        this(contentDecryptionKey, reader, new AesGcmContentDecryptionAlgorithm());
+    public DirectKeyJweDecryption(Key contentDecryptionKey, 
+                                  ContentDecryptionAlgorithm cipherProps) {
+        this(contentDecryptionKey, null, cipherProps);
     }
     public DirectKeyJweDecryption(Key contentDecryptionKey, 
                                   JoseHeadersReader reader,

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
index fdd8658..b343cf4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
@@ -18,17 +18,11 @@
  */
 package org.apache.cxf.rs.security.jose.jwe;
 
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 
 public class DirectKeyJweEncryption extends AbstractJweEncryption {
-    public DirectKeyJweEncryption(SecretKey cek, byte[] iv) {
-        this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(),
-                                                cek.getEncoded().length * 8)), cek.getEncoded(), iv);
-    }
-    public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) {
-        this(headers, new AesGcmContentEncryptionAlgorithm(cek, iv, headers.getContentEncryptionAlgorithm()));
+    
+    public DirectKeyJweEncryption(ContentEncryptionAlgorithm ceAlgo) {
+        this(new JweHeaders(ceAlgo.getAlgorithm()), ceAlgo);
     }
     public DirectKeyJweEncryption(JweHeaders headers, ContentEncryptionAlgorithm ceAlgo) {
         super(headers, ceAlgo, new DirectKeyEncryptionAlgorithm());

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 4cf96e7..e7e1289 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -50,15 +50,20 @@ public final class JweUtils {
         return keyEncryptionProvider;
     }
     public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) {
+        return getKeyDecryptionAlgorithm(jwk, null);
+    }
+    public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk, String defaultAlgorithm) {
+        String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
         KeyDecryptionAlgorithm keyDecryptionProvider = null;
         if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-            keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk));
+            keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk), 
+                                                                      keyEncryptionAlgo);
         } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
             SecretKey key = JwkUtils.toSecretKey(jwk);
             if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) {
-                keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
+                keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key, keyEncryptionAlgo);
             } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) {
-                keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
+                keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key, keyEncryptionAlgo);
             } 
         } else {
             // TODO: support elliptic curve keys

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
index c0e2f28..a0ea63d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
@@ -20,14 +20,26 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.interfaces.RSAPrivateKey;
 
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
 public class RSAOaepKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {    
-        this(privateKey, true);
+        this(privateKey, null);
+    }
+    public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, String supportedAlgo) {    
+        this(privateKey, supportedAlgo, true);
     }
-    public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, boolean unwrap) {    
-        super(privateKey, unwrap);
+    public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, String supportedAlgo, boolean unwrap) {    
+        super(privateKey, supportedAlgo, unwrap);
     }
     protected int getKeyCipherBlockSize() {
         return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
     }
+    @Override
+    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
+        super.validateKeyEncryptionAlgorithm(keyAlgo);
+        if (!Algorithm.isRsaOaep(keyAlgo)) {
+            throw new SecurityException();
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 789e8cd..4566f61 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -28,11 +28,16 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
     private Key cekDecryptionKey;
     private boolean unwrap;
+    private String supportedAlgo;
     public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey) {    
-        this(cekDecryptionKey, true);
+        this(cekDecryptionKey, null);
     }
-    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, boolean unwrap) {    
+    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, String supportedAlgo) {    
+        this(cekDecryptionKey, supportedAlgo, true);
+    }
+    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, String supportedAlgo, boolean unwrap) {    
         this.cekDecryptionKey = cekDecryptionKey;
+        this.supportedAlgo = supportedAlgo;
         this.unwrap = unwrap;
     }
     public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
@@ -60,7 +65,13 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
         return -1;
     }
     protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
-        return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
+        String keyAlgo = consumer.getJweHeaders().getKeyEncryptionAlgorithm();
+        return Algorithm.toJavaName(keyAlgo);
+    }
+    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
+        if (keyAlgo == null || supportedAlgo != null && supportedAlgo.equals(keyAlgo)) {
+            throw new SecurityException();
+        }
     }
     protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
         return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
index c2c730b..c74e880 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
@@ -18,28 +18,13 @@
  */
 package org.apache.cxf.rs.security.jose.jwe;
 
-import java.security.Key;
-
 import org.apache.cxf.rs.security.jose.JoseHeadersReader;
 
 public class WrappedKeyJweDecryption extends AbstractJweDecryption {
-    public WrappedKeyJweDecryption(Key cekDecryptionKey) {    
-        this(cekDecryptionKey, true);
-    }
-    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap) {    
-        this(cekDecryptionKey, unwrap, null);
-    }
-    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
-                                   JoseHeadersReader reader) {    
-        this(new WrappedKeyDecryptionAlgorithm(cekDecryptionKey, unwrap),
-             reader);
-    }
-    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo) {    
-        this(keyDecryptionAlgo, null);
-    }
+    
     public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
-                                   JoseHeadersReader reader) {    
-        this(keyDecryptionAlgo, reader, new AesGcmContentDecryptionAlgorithm());
+                                   ContentDecryptionAlgorithm contentDecryptionAlgo) {    
+        this(keyDecryptionAlgo, null, contentDecryptionAlgo);
     }
     public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
                                    JoseHeadersReader reader,

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
index e6a7139..fd1a390 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
@@ -18,14 +18,11 @@
  */
 package org.apache.cxf.rs.security.jose.jws;
 
-import java.util.Set;
 
 public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
-    private Set<String> supportedAlgorithms;
     private String algorithm;
     
-    protected AbstractJwsSignatureProvider(Set<String> supportedAlgorithms, String algo) {
-        this.supportedAlgorithms = supportedAlgorithms;
+    protected AbstractJwsSignatureProvider(String algo) {
         this.algorithm = algo;
     }
     
@@ -53,11 +50,10 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
     
     protected abstract JwsSignature doCreateJwsSignature(JwsHeaders headers);
     
-    protected String checkAlgorithm(String algo) {
-        if (algo == null || !supportedAlgorithms.contains(algo)) {
+    protected void checkAlgorithm(String algo) {
+        if (algo == null) {
             throw new SecurityException();
         }
-        return algo;
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
index e52edec..b6da904 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
@@ -21,18 +21,10 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.SecureRandom;
 import java.security.interfaces.ECPrivateKey;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
 
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 
 public class EcDsaJwsSignatureProvider extends PrivateKeyJwsSignatureProvider {
-    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.SHA256withECDSA.getJwtName(),
-                      Algorithm.SHA384withECDSA.getJwtName(),
-                      Algorithm.SHA512withECDSA.getJwtName())); 
-    
     public EcDsaJwsSignatureProvider(ECPrivateKey key, String algo) {
         this(key, null, algo);
     }
@@ -41,6 +33,10 @@ public class EcDsaJwsSignatureProvider extends PrivateKeyJwsSignatureProvider {
     }
     public EcDsaJwsSignatureProvider(ECPrivateKey key, SecureRandom random, AlgorithmParameterSpec spec, 
                                      String algo) {
-        super(key, random, spec, SUPPORTED_ALGORITHMS, algo);
+        super(key, random, spec, algo);
+    }
+    @Override
+    protected boolean isValidAlgorithmFamily(String algo) {
+        return Algorithm.isEcDsaSign(algo);
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 98c72b6..97a8991 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -21,11 +21,20 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.PublicKey;
 import java.security.spec.AlgorithmParameterSpec;
 
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
 public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
     public EcDsaJwsSignatureVerifier(PublicKey key) {
         this(key, null);
     }
-    public EcDsaJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec) {
-        super(key, spec);
+    public EcDsaJwsSignatureVerifier(PublicKey key, String supportedAlgo) {
+        this(key, null, supportedAlgo);
+    }
+    public EcDsaJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec, String supportedAlgo) {
+        super(key, spec, supportedAlgo);
+    }
+    @Override
+    protected boolean isValidAlgorithmFamily(String algo) {
+        return Algorithm.isEcDsaSign(algo);
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
index 19fa062..2d09bb1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
@@ -19,9 +19,6 @@
 package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
 
 import javax.crypto.Mac;
 
@@ -31,10 +28,6 @@ import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
 
 public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
-    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.HmacSHA256.getJwtName(),
-                      Algorithm.HmacSHA384.getJwtName(),
-                      Algorithm.HmacSHA512.getJwtName())); 
     private byte[] key;
     private AlgorithmParameterSpec hmacSpec;
     
@@ -42,12 +35,12 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
         this(key, null, algo);
     }
     public HmacJwsSignatureProvider(byte[] key, AlgorithmParameterSpec spec, String algo) {
-        super(SUPPORTED_ALGORITHMS, algo);
+        super(algo);
         this.key = key;
         this.hmacSpec = spec;
     }
     public HmacJwsSignatureProvider(String encodedKey, String algo) {
-        super(SUPPORTED_ALGORITHMS, algo);
+        super(algo);
         try {
             this.key = Base64UrlUtility.decode(encodedKey);
         } catch (Base64Exception ex) {
@@ -72,5 +65,11 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
             
         };
     }
-
+    @Override
+    protected void checkAlgorithm(String algo) {
+        super.checkAlgorithm(algo);
+        if (!Algorithm.isHmacSign(algo)) {
+            throw new SecurityException();
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index d3274da..a58f161 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -30,20 +30,29 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
 public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
     private byte[] key;
     private AlgorithmParameterSpec hmacSpec;
+    private String supportedAlgo;
     
     public HmacJwsSignatureVerifier(byte[] key) {
         this(key, null);
     }
     public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec) {
+        this(key, spec, null);
+    }
+    public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec, String supportedAlgo) {
         this.key = key;
         this.hmacSpec = spec;
+        this.supportedAlgo = supportedAlgo;
     }
     public HmacJwsSignatureVerifier(String encodedKey) {
+        this(encodedKey, null);
+    }
+    public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
         try {
             this.key = Base64UrlUtility.decode(encodedKey);
         } catch (Base64Exception ex) {
             throw new SecurityException();
         }
+        this.supportedAlgo = supportedAlgo;
     }
     
     @Override
@@ -54,9 +63,17 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
     
     private byte[] computeMac(JwtHeaders headers, String text) {
         return HmacUtils.computeHmac(key, 
-                                     Algorithm.toJavaName(headers.getAlgorithm()),
+                                     Algorithm.toJavaName(checkAlgorithm(headers.getAlgorithm())),
                                      hmacSpec,
                                      text);
     }
     
+    protected String checkAlgorithm(String algo) {
+        if (algo == null 
+            || !Algorithm.isHmacSign(algo)
+            || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+            throw new SecurityException();
+        }
+        return algo;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 1076134..08c59c1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -53,13 +53,13 @@ public final class JwsUtils {
         String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
         JwsSignatureVerifier theVerifier = null;
         if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-            theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toRSAPublicKey(jwk));
+            theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toRSAPublicKey(jwk), rsaSignatureAlgo);
         } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) 
             && Algorithm.isHmacSign(rsaSignatureAlgo)) {
             theVerifier = 
-                new HmacJwsSignatureVerifier((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
+                new HmacJwsSignatureVerifier((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), rsaSignatureAlgo);
         } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
-            theVerifier = new EcDsaJwsSignatureVerifier(JwkUtils.toECPublicKey(jwk));
+            theVerifier = new EcDsaJwsSignatureVerifier(JwkUtils.toECPublicKey(jwk), rsaSignatureAlgo);
         }
         return theVerifier;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
index 57389eb..f5693c4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
@@ -23,18 +23,11 @@ import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
 
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider {
-    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
-        Arrays.asList(Algorithm.SHA256withRSA.getJwtName(),
-                      Algorithm.SHA384withRSA.getJwtName(),
-                      Algorithm.SHA512withRSA.getJwtName())); 
     private PrivateKey key;
     private SecureRandom random; 
     private AlgorithmParameterSpec signatureSpec;
@@ -47,14 +40,7 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
     }
     public PrivateKeyJwsSignatureProvider(PrivateKey key, SecureRandom random, 
                                           AlgorithmParameterSpec spec, String algo) {
-        this(key, random, spec, SUPPORTED_ALGORITHMS, algo);
-    }
-    protected PrivateKeyJwsSignatureProvider(PrivateKey key, 
-                                             SecureRandom random, 
-                                             AlgorithmParameterSpec spec,
-                                             Set<String> supportedAlgorithms,
-                                             String algo) {
-        super(supportedAlgorithms, algo);
+        super(algo);
         this.key = key;
         this.random = random;
         this.signatureSpec = spec;
@@ -86,6 +72,16 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
             
         };
     }
+    @Override
+    protected void checkAlgorithm(String algo) {
+        super.checkAlgorithm(algo);
+        if (!isValidAlgorithmFamily(algo)) {
+            throw new SecurityException();
+        }
+    }
     
+    protected boolean isValidAlgorithmFamily(String algo) {
+        return Algorithm.isRsaShaSign(algo);
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index c4748e0..546ce1b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -28,12 +28,18 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
     private PublicKey key;
     private AlgorithmParameterSpec signatureSpec;
+    private String supportedAlgo;
+    
     public PublicKeyJwsSignatureVerifier(PublicKey key) {
         this(key, null);
     }
-    public PublicKeyJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec) {
+    public PublicKeyJwsSignatureVerifier(PublicKey key, String supportedAlgorithm) {
+        this(key, null, supportedAlgorithm);
+    }
+    public PublicKeyJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec, String supportedAlgo) {
         this.key = key;
         this.signatureSpec = spec;
+        this.supportedAlgo = supportedAlgo;
     }
     @Override
     public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
@@ -41,12 +47,22 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
             return CryptoUtils.verifySignature(unsignedText.getBytes("UTF-8"), 
                                                signature, 
                                                key, 
-                                               Algorithm.toJavaName(headers.getAlgorithm()),
+                                               Algorithm.toJavaName(checkAlgorithm(headers.getAlgorithm())),
                                                signatureSpec);
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }
     }
-    
+    protected String checkAlgorithm(String algo) {
+        if (algo == null 
+            || !isValidAlgorithmFamily(algo)
+            || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+            throw new SecurityException();
+        }
+        return algo;
+    }
+    protected boolean isValidAlgorithmFamily(String algo) {
+        return Algorithm.isRsaShaSign(algo);
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
index 28cd22c..c1f30f6 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
@@ -181,18 +181,20 @@ public class JweCompactReaderWriterTest extends Assert {
         return encryptor.encrypt(content.getBytes("UTF-8"), null);
     }
     private String encryptContentDirect(SecretKey key, String content) throws Exception {
-        DirectKeyJweEncryption encryptor = new DirectKeyJweEncryption(key, INIT_VECTOR_A1);
+        DirectKeyJweEncryption encryptor = new DirectKeyJweEncryption(
+            new AesGcmContentEncryptionAlgorithm(key, INIT_VECTOR_A1, JoseConstants.A128GCM_ALGO));
         return encryptor.encrypt(content.getBytes("UTF-8"), null);
     }
     private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception {
         RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1, 
                                                                 RSA_PRIVATE_EXPONENT_ENCODED_A1);
-        JweDecryptionProvider decryptor = new WrappedKeyJweDecryption(new RSAOaepKeyDecryptionAlgorithm(privateKey));
+        JweDecryptionProvider decryptor = new WrappedKeyJweDecryption(new RSAOaepKeyDecryptionAlgorithm(privateKey),
+                                                                      new AesGcmContentDecryptionAlgorithm());
         String decryptedText = decryptor.decrypt(jweContent).getContentText();
         assertEquals(decryptedText, plainContent);
     }
     private void decryptDirect(SecretKey key, String jweContent, String plainContent) throws Exception {
-        DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key);
+        DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key, new AesGcmContentDecryptionAlgorithm());
         String decryptedText = decryptor.decrypt(jweContent).getContentText();
         assertEquals(decryptedText, plainContent);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b495fae/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java b/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
index 4b059c4..05d53c2 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
@@ -70,7 +70,8 @@ public class JwePbeHmacAesWrapTest extends Assert {
             new AesGcmContentEncryptionAlgorithm(Algorithm.A128GCM.getJwtName()));
         String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
         PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
-        JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption);
+        JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption, 
+                                                                       new AesGcmContentDecryptionAlgorithm());
         String decryptedText = decryption.decrypt(jweContent).getContentText();
         assertEquals(specPlainText, decryptedText);
         


Mime
View raw message