From serg...@apache.org
Subject git commit: [CXF-5944] Making it simpler to create algo implementations from JWK
Date Thu, 18 Sep 2014 20:46:24 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 22e5d261a -> 6ce2f6a37


[CXF-5944] Making it simpler to create algo implementations from JWK


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6ce2f6a3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6ce2f6a3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6ce2f6a3

Branch: refs/heads/master
Commit: 6ce2f6a373781e4f2dbc1cb66bf1243072b039ef
Parents: 22e5d26
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Sep 18 21:46:04 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Thu Sep 18 21:46:04 2014 +0100

----------------------------------------------------------------------
 .../jose/jaxrs/AbstractJweDecryptingFilter.java | 23 ++-----
 .../jose/jaxrs/AbstractJwsReaderProvider.java   | 21 +++---
 .../jose/jaxrs/AbstractJwsWriterProvider.java   | 26 +++-----
 .../jose/jaxrs/JweWriterInterceptor.java        | 21 +-----
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 68 ++++++++++++++++++++
 .../cxf/rs/security/jose/jwk/JsonWebKey.java    | 53 ---------------
 .../cxf/rs/security/jose/jwk/JwkUtils.java      | 61 ++++++++++++++++++
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 61 ++++++++++++++++++
 .../rs/security/jose/jwk/JsonWebKeyTest.java    |  6 +-
 9 files changed, 216 insertions(+), 124 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
index fbd91d4..1906622 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -23,8 +23,6 @@ import java.io.InputStream;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Properties;
 
-import javax.crypto.SecretKey;
-
 import org.apache.cxf.Bus;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -33,14 +31,13 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmWrapKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweCryptoProperties;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.WrappedKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweDecryption;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
@@ -78,23 +75,11 @@ public class AbstractJweDecryptingFilter {
         }
         Bus bus = m.getExchange().getBus();
         try {
-            WrappedKeyDecryptionAlgorithm keyDecryptionProvider = null;
+            KeyDecryptionAlgorithm keyDecryptionProvider = null;
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
-                //TODO: Private JWK sets can be JWE encrypted
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
-                if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-                    keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(jwk.toRSAPrivateKey());
-                } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
-                    SecretKey key = jwk.toSecretKey();
-                    if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) {
-                        keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
-                    } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) {
-                        keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
-                    } 
-                } else {
-                    // TODO: support elliptic curve keys
-                }
+                keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk);
             } else {
                 keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
                     (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
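Review bot: The new `keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk);` line can leave the provider null — `JweUtils` returns null for an EC JWK and for an octet JWK whose `alg` is neither AES-KW nor AES-GCM-KW — and nothing in this hunk rejects that, whereas the JWS writer in the same commit throws on a null provider. The method continues past the hunk, so unless a check already follows, add `if (keyDecryptionProvider == null) { throw new SecurityException(); }` before the provider is handed to the decryption object. A smaller point: this is a decrypting filter but the JWK is still selected with `JsonWebKey.KEY_OPER_ENCRYPT`; if `loadJsonWebKey` matches on `key_ops`, a key advertised only for unwrapping/decryption would be skipped, which is worth confirming rather than changing blindly here.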

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
index 0a39c6b..ac9366a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
@@ -26,18 +26,19 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProperties;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AbstractJwsReaderProvider {
     private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
     private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
+    private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
+    
     
     private JwsSignatureVerifier sigVerifier;
     private JwsSignatureProperties sigProperties;
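Review bot: The `JSON_WEB_SIGNATURE_ALGO_PROP` constant introduced here spells out `"rs.security.jws.content.signature.algorithm"` a second time, since `AbstractJwsWriterProvider` already resolves the same property name in its own hunk; two private copies of a security-relevant configuration key can drift silently when one is renamed. Prefer a single shared constant, e.g. `public static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";` on `JwsUtils`, referenced from both the reader and the writer.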
@@ -70,17 +71,11 @@ public class AbstractJwsReaderProvider {
         try {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             JwsSignatureVerifier theVerifier = null;
+            String rsaSignatureAlgo = null;
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
-                if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-                    theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toRSAPublicKey());
-                } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) 
-                    && Algorithm.isHmacSign(jwk.getAlgorithm())) {
-                    theVerifier = 
-                        new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
-                } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
-                    theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toECPublicKey());
-                }
+                rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+                theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
                 
             } else {
                 theVerifier = new PublicKeyJwsSignatureVerifier(
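Review bot: The algorithm resolved on the new `rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());` line is consulted by `JwsUtils.getSignatureVerifier` only for octet (HMAC) keys; for RSA and EC JWKs the verifier is built from the key alone, so the expected `alg` from `rs.security.jws.content.signature.algorithm` is not pinned on the verifier here and must be enforced by `PublicKeyJwsSignatureVerifier` against the incoming JWS header, which this diff does not show — worth confirming, because a verifier that takes `alg` from the token rather than from configuration is the classic JWS substitution weakness. When neither the JWK `alg` nor the property is set, an octet key yields a null verifier; the method continues past the hunk, so unless a check follows, add `if (theVerifier == null) { throw new SecurityException(); }`. Stylistically, the local is declared at method scope but assigned only inside the JWK branch, and the "rsa" in its name no longer fits HMAC or EC keys; `String signatureAlgo` declared inside the branch would read better.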
@@ -102,5 +97,7 @@ public class AbstractJwsReaderProvider {
         this.defaultMediaType = defaultMediaType;
     }
     
-    
+    private String getSignatureAlgo(Properties props, String algo) {
+        return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
+    }
 }
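Review bot: `getSignatureAlgo` is the same private helper that `AbstractJwsWriterProvider` adds in this commit, and `JwsUtils` already applies the identical `jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm()` rule internally, so the fallback now lives in three places. One way to collapse it is to pass the property through as the default, `JwsUtils.getSignatureVerifier(jwk, props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP))`, and drop the helper. If it stays, a one-line Javadoc such as `/** Returns the JWK's own alg, falling back to rs.security.jws.content.signature.algorithm only when the key omits it. */` should state the precedence, since it decides which signature algorithm is trusted.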

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
index 6fc81f0..701e058 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
@@ -29,13 +29,11 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jws.EcDsaJwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
@@ -66,30 +64,19 @@ public class AbstractJwsWriterProvider {
             JwsSignatureProvider theSigProvider = null; 
             String rsaSignatureAlgo = null;
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
-                //TODO: Private JWK sets can be JWE encrypted
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
-                rsaSignatureAlgo = jwk.getAlgorithm();
-                if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-                    theSigProvider = new PrivateKeyJwsSignatureProvider(jwk.toRSAPrivateKey());
-                } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) 
-                    && Algorithm.isHmacSign(rsaSignatureAlgo)) {
-                    theSigProvider = 
-                        new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
-                } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
-                    theSigProvider = new EcDsaJwsSignatureProvider(jwk.toECPrivateKey());
-                }
+                rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+                theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
             } else {
+                rsaSignatureAlgo = getSignatureAlgo(props, null);
                 RSAPrivateKey pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, 
                                                               CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
                 theSigProvider = new PrivateKeyJwsSignatureProvider(pk);
             }
-            if (rsaSignatureAlgo == null) {
-                rsaSignatureAlgo = props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP);
-            }
-            headers.setAlgorithm(rsaSignatureAlgo);
             if (theSigProvider == null) {
                 throw new SecurityException();
             }
+            headers.setAlgorithm(rsaSignatureAlgo);
             return theSigProvider;
         } catch (SecurityException ex) {
             throw ex;
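Review bot: `headers.setAlgorithm(rsaSignatureAlgo)` can now be reached with a null algorithm — on the JWK branch when the key has no `alg` and `rs.security.jws.content.signature.algorithm` is unset, and on the keystore branch whenever the property is unset — and nothing in the hunk rejects that, although `alg` is a mandatory JWS header. Fold it into the guard that already exists: `if (theSigProvider == null || rsaSignatureAlgo == null) { throw new SecurityException(); }`. Note also that for RSA and EC JWKs `JwsUtils.getSignatureProvider` ignores the resolved algorithm, so the header value and the algorithm the provider actually signs with are reconciled somewhere outside this hunk (presumably when `signWith` reads the headers); a short comment on the `setAlgorithm` line saying so would save the next reader a search. The enclosing method continues past the hunk.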
@@ -102,4 +89,7 @@ public class AbstractJwsWriterProvider {
         p.signWith(theSigProvider);
         IOUtils.copy(new ByteArrayInputStream(p.getSignedEncodedJws().getBytes("UTF-8")),
os);
     }
+    private String getSignatureAlgo(Properties props, String algo) {
+        return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 1daf285..9d5fc9c 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -26,7 +26,6 @@ import java.util.Properties;
 import java.util.zip.DeflaterOutputStream;
 
 import javax.annotation.Priority;
-import javax.crypto.SecretKey;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.ext.WriterInterceptor;
@@ -42,13 +41,12 @@ import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweEncryption;
@@ -138,21 +136,8 @@ public class JweWriterInterceptor implements WriterInterceptor {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
-                keyEncryptionAlgo = jwk.getAlgorithm();
-                // TODO: Put it into some factory code
-                if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-                    keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(jwk.toRSAPublicKey(),
-                                                getKeyEncryptionAlgo(props, keyEncryptionAlgo));
-                } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
-                    SecretKey key = jwk.toSecretKey();
-                    if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) {
-                        keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
-                    } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) {
-                        keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key,
keyEncryptionAlgo);
-                    }
-                } else {
-                    // TODO: support elliptic curve keys
-                }
+                keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+                keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
                 
             } else {
                 keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
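Review bot: The new lines resolve `keyEncryptionAlgo` with the property fallback and then pass it to `JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo)`, which applies the same "JWK `alg` wins, else default" rule again; that is harmless, but it masks the fact that the fallback is only complete for RSA keys — for an octet JWK without `alg`, `JweUtils` selects the wrapper by the defaulted value yet builds the `SecretKey` via `JwkUtils.toSecretKey(jwk)`, which uses `jwk.getAlgorithm()`, i.e. null. Either pass the resolved algorithm down consistently or document the precedence on this line, e.g. `// JWK 'alg' wins; the rs.security property is only a fallback for keys that omit it`. An EC JWK still produces a null provider; the method continues past the hunk, so a null check is needed downstream if none exists.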

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
new file mode 100644
index 0000000..c3aa6d4
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
+
+public final class JweUtils {
+    private JweUtils() {
+        
+    }
+    public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk) {
+        return getKeyEncryptionAlgorithm(jwk, null);
+    }
+    public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk, String
defaultAlgorithm) {
+        String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
+        KeyEncryptionAlgorithm keyEncryptionProvider = null;
+        if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
+            keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(JwkUtils.toRSAPublicKey(jwk),

+                                                                      keyEncryptionAlgo);
+        } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
+            SecretKey key = JwkUtils.toSecretKey(jwk);
+            if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) {
+                keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
+            } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) {
+                keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
+            }
+        } else {
+            // TODO: support elliptic curve keys
+        }
+        return keyEncryptionProvider;
+    }
+    public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) {
+        KeyDecryptionAlgorithm keyDecryptionProvider = null;
+        if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
+            keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk));
+        } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
+            SecretKey key = JwkUtils.toSecretKey(jwk);
+            if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) {
+                keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
+            } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) {
+                keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
+            } 
+        } else {
+            // TODO: support elliptic curve keys
+        }
+        return keyDecryptionProvider;
+    }
+}
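Review bot: In `getKeyEncryptionAlgorithm` the octet branch selects the wrapper by the resolved `keyEncryptionAlgo` but builds the key with `JwkUtils.toSecretKey(jwk)`, which derives the JCE algorithm name from `jwk.getAlgorithm()` — so the `defaultAlgorithm` parameter is only honoured for RSA keys, and an octet JWK that omits `alg` ends up in `Algorithm.toJavaName(null)`. `getKeyDecryptionAlgorithm` has no default-algorithm overload at all and dispatches on the raw `jwk.getAlgorithm()`, so the same key cannot be used for unwrapping unless the JWK carries `alg`, an asymmetry that will surface as a confusing config error. I would give `JwkUtils.toSecretKey` an algorithm parameter and use the resolved value on both sides, as sketched below. Both methods also return null for EC keys and unrecognised `alg` values, which every caller must remember to check; throwing `SecurityException` here, or at least a Javadoc `@return the provider, or null when the key type or alg is unsupported`, would make that contract explicit.
```java
// … unchanged: getKeyEncryptionAlgorithm up to the octet branch …
} else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
    // derive the JCE key from the resolved algorithm, not from the (possibly absent) JWK 'alg'
    SecretKey key = JwkUtils.toSecretKey(jwk, keyEncryptionAlgo);
    // … unchanged: AES-KW / AES-GCM-KW selection …

public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) {
    return getKeyDecryptionAlgorithm(jwk, null);
}
public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk, String defaultAlgorithm) {
    String keyDecryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
    KeyDecryptionAlgorithm keyDecryptionProvider = null;
    if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
        // … unchanged: RSA-OAEP …
    } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
        SecretKey key = JwkUtils.toSecretKey(jwk, keyDecryptionAlgo);
        if (Algorithm.isAesKeyWrap(keyDecryptionAlgo)) {
            keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
        } else if (Algorithm.isAesGcmKeyWrap(keyDecryptionAlgo)) {
            keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
        }
    }
    // … unchanged: EC TODO and return …
}
```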

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
index 510e7a7..63c1008 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
@@ -18,20 +18,12 @@
  */
 package org.apache.cxf.rs.security.jose.jwk;
 
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
 import java.util.List;
 import java.util.Map;
 
-import javax.crypto.SecretKey;
-
 import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJwtObject;
 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 
 public class JsonWebKey extends AbstractJwtObject {
@@ -165,49 +157,4 @@ public class JsonWebKey extends AbstractJwtObject {
         return super.getValue(name);
     }
     
-    public RSAPublicKey toRSAPublicKey() {
-        String encodedModulus = (String)super.getValue(RSA_MODULUS);
-        String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
-        return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
-    }
-    public RSAPrivateKey toRSAPrivateKey() {
-        String encodedModulus = (String)super.getValue(RSA_MODULUS);
-        String encodedPrivateExponent = (String)super.getValue(RSA_PRIVATE_EXP);
-        String encodedPrimeP = (String)super.getValue(RSA_FIRST_PRIME_FACTOR);
-        if (encodedPrimeP == null) {
-            return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);
-        } else {
-            String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
-            String encodedPrimeQ = (String)super.getValue(RSA_SECOND_PRIME_FACTOR);
-            String encodedPrimeExpP = (String)super.getValue(RSA_FIRST_PRIME_CRT);
-            String encodedPrimeExpQ = (String)super.getValue(RSA_SECOND_PRIME_CRT);
-            String encodedCrtCoefficient = (String)super.getValue(RSA_FIRST_CRT_COEFFICIENT);
-            return CryptoUtils.getRSAPrivateKey(encodedModulus, 
-                                                encodedPublicExponent,
-                                                encodedPrivateExponent,
-                                                encodedPrimeP,
-                                                encodedPrimeQ,
-                                                encodedPrimeExpP,
-                                                encodedPrimeExpQ,
-                                                encodedCrtCoefficient);
-        }
-    }
-    public ECPublicKey toECPublicKey() {
-        String eCurve = (String)super.getValue(EC_CURVE);
-        String encodedXCoord = (String)super.getValue(EC_X_COORDINATE);
-        String encodedYCoord = (String)super.getValue(EC_Y_COORDINATE);
-        return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord);
-    }
-    public ECPrivateKey toECPrivateKey() {
-        String eCurve = (String)super.getValue(EC_CURVE);
-        String encodedPrivateKey = (String)super.getValue(EC_PRIVATE_KEY);
-        return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey);
-    }
-    
-    public SecretKey toSecretKey() {
-        return CryptoUtils.createSecretKeySpec((String)getProperty(OCTET_KEY_VALUE), 
-                                               Algorithm.toJavaName(getAlgorithm()));
-    }
-    
-    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 8b5b0e9..3e61fd4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -20,10 +20,16 @@ package org.apache.cxf.rs.security.jose.jwk;
 
 import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
 import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
 
+import javax.crypto.SecretKey;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
@@ -47,6 +53,18 @@ public final class JwkUtils {
     private JwkUtils() {
         
     }
+    public static JsonWebKey readJwkKey(String jwkJson) {
+        return new DefaultJwkReaderWriter().jsonToJwk(jwkJson);
+    }
+    public static JsonWebKeys readJwkSet(String jwksJson) {
+        return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson);
+    }
+    public static String jwkKeyToJson(JsonWebKey jwkKey) {
+        return new DefaultJwkReaderWriter().jwkToJson(jwkKey);
+    }
+    public static String jwkSetToJson(JsonWebKeys jwkSet) {
+        return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
+    }
     public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
         return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
     }
@@ -178,6 +196,49 @@ public final class JwkUtils {
         }
         return null;
     }
+    public static RSAPublicKey toRSAPublicKey(JsonWebKey jwk) {
+        String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS);
+        String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP);
+        return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
+    }
+    public static RSAPrivateKey toRSAPrivateKey(JsonWebKey jwk) {
+        String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS);
+        String encodedPrivateExponent = (String)jwk.getProperty(JsonWebKey.RSA_PRIVATE_EXP);
+        String encodedPrimeP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR);
+        if (encodedPrimeP == null) {
+            return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);
+        } else {
+            String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP);
+            String encodedPrimeQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR);
+            String encodedPrimeExpP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_CRT);
+            String encodedPrimeExpQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_CRT);
+            String encodedCrtCoefficient = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT);
+            return CryptoUtils.getRSAPrivateKey(encodedModulus, 
+                                                encodedPublicExponent,
+                                                encodedPrivateExponent,
+                                                encodedPrimeP,
+                                                encodedPrimeQ,
+                                                encodedPrimeExpP,
+                                                encodedPrimeExpQ,
+                                                encodedCrtCoefficient);
+        }
+    }
+    public static ECPublicKey toECPublicKey(JsonWebKey jwk) {
+        String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE);
+        String encodedXCoord = (String)jwk.getProperty(JsonWebKey.EC_X_COORDINATE);
+        String encodedYCoord = (String)jwk.getProperty(JsonWebKey.EC_Y_COORDINATE);
+        return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord);
+    }
+    public static ECPrivateKey toECPrivateKey(JsonWebKey jwk) {
+        String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE);
+        String encodedPrivateKey = (String)jwk.getProperty(JsonWebKey.EC_PRIVATE_KEY);
+        return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey);
+    }
+    
+    public static SecretKey toSecretKey(JsonWebKey jwk) {
+        return CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE),

+                                               Algorithm.toJavaName(jwk.getAlgorithm()));
+    }
     private static byte[] stringToBytes(String str) {
         try {
             return str.getBytes("UTF-8");
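Review bot: `toSecretKey` passes `jwk.getAlgorithm()` straight into `Algorithm.toJavaName`, with no guard for an octet JWK that omits `alg` — a legal JWK, and exactly the case for which `JweUtils` and `JwsUtils` in this commit accept a default algorithm that never reaches this method. Adding an overload that takes the already-resolved algorithm, and routing the one-argument form through it, lets callers apply the fallback consistently; the change is sketched below. `toRSAPrivateKey` likewise builds a key from whatever `d` holds, so a public-only JWK selected for a signing or decrypting operation produces a key with null components rather than a clear error; a guard such as `if (encodedPrivateExponent == null) { throw new SecurityException(); }` before the `CryptoUtils.getRSAPrivateKey` calls would fail fast. Whether `CryptoUtils.createSecretKeySpec` rejects a null name is not visible here.
```java
public static SecretKey toSecretKey(JsonWebKey jwk) {
    return toSecretKey(jwk, jwk.getAlgorithm());
}
// algo is the resolved JOSE algorithm (the JWK's own 'alg', or the caller's configured default)
public static SecretKey toSecretKey(JsonWebKey jwk, String algo) {
    return CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE),
                                           Algorithm.toJavaName(algo));
}
```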

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
new file mode 100644
index 0000000..a8b81c0
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
+
+public final class JwsUtils {
+    private JwsUtils() {
+        
+    }
+    public static JwsSignatureProvider getSignatureProvider(JsonWebKey jwk) {
+        return getSignatureProvider(jwk, null);
+    }
+    public static JwsSignatureProvider getSignatureProvider(JsonWebKey jwk, String defaultAlgorithm)
{
+        String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
+        JwsSignatureProvider theSigProvider = null;
+        if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
+            theSigProvider = new PrivateKeyJwsSignatureProvider(JwkUtils.toRSAPrivateKey(jwk));
+        } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) 
+            && Algorithm.isHmacSign(rsaSignatureAlgo)) {
+            theSigProvider = 
+                new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
+        } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
+            theSigProvider = new EcDsaJwsSignatureProvider(JwkUtils.toECPrivateKey(jwk));
+        }
+        return theSigProvider;
+    }
+    public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jwk, String defaultAlgorithm)
{
+        String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
+        JwsSignatureVerifier theVerifier = null;
+        if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
+            theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toRSAPublicKey(jwk));
+        } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) 
+            && Algorithm.isHmacSign(rsaSignatureAlgo)) {
+            theVerifier = 
+                new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
+        } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
+            theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toECPublicKey(jwk));
+        }
+        return theVerifier;
+    }
+    
+}
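Review bot: In both `getSignatureProvider` and `getSignatureVerifier` the resolved `rsaSignatureAlgo` is used only to decide whether an octet key is an HMAC key; for RSA and EC keys it is discarded, so the hash variant (RS256 vs RS512, ES256 vs ES512) that the caller configured is never handed to `PrivateKeyJwsSignatureProvider` or `PublicKeyJwsSignatureVerifier`. On the verify side that means the expected algorithm is not pinned here and must be checked by the verifier against the token's `alg` header, which this diff does not show; if those classes have a constructor taking the algorithm, pass `rsaSignatureAlgo` to it, otherwise document the assumption, e.g. `// alg is enforced by the verifier against the configured key; only HMAC needs it here`. When the key is octet and no algorithm is resolved, `Algorithm.isHmacSign(null)` is evaluated and the method returns null, so callers must null-check; a `@return … or null when the key type or alg is unsupported` Javadoc would make that explicit. The local name `rsaSignatureAlgo` is misleading in a method that also handles HMAC and EC keys — `signatureAlgo` fits.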

http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
index d4e460b..d0fadf3 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java
@@ -214,11 +214,9 @@ public class JsonWebKeyTest extends Assert {
     public JsonWebKeys readKeySet(String fileName) throws Exception {
         InputStream is = JsonWebKeyTest.class.getResourceAsStream(fileName);
         String s = IOUtils.readStringFromStream(is);
-        JwkReaderWriter reader = new DefaultJwkReaderWriter();
-        return reader.jsonToJwkSet(s);
+        return JwkUtils.readJwkSet(s);
     }
     public JsonWebKey readKey(String key) throws Exception {
-        JwkReaderWriter reader = new DefaultJwkReaderWriter();
-        return reader.jsonToJwk(key);
+        return JwkUtils.readJwkKey(key);
     }
 }

