cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [7/9] [CXF-5944] Changing packages and the module name based on the feedback from Luigi Lo Iacono
Date Wed, 17 Sep 2014 17:21:33 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
new file mode 100644
index 0000000..7fe91d6
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Map;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+
+
+
+public class JweHeaders extends JwtHeaders {
+    
+    public JweHeaders() {
+    }
+    
+    public JweHeaders(Map<String, Object> values) {
+        super(values);
+    }
+    public JweHeaders(String keyEncAlgo, String ctEncAlgo) {
+        this(keyEncAlgo, ctEncAlgo, false);
+    }
+    public JweHeaders(String ctEncAlgo) {
+        this(null, ctEncAlgo, false);
+    }
+    public JweHeaders(String ctEncAlgo, boolean deflate) {
+        this(null, ctEncAlgo, deflate);
+    }
+    public JweHeaders(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
+        init(keyEncAlgo, ctEncAlgo, deflate);
+    }
+    private void init(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
+        if (keyEncAlgo != null) {
+            setKeyEncryptionAlgorithm(keyEncAlgo);    
+        }
+        setContentEncryptionAlgorithm(ctEncAlgo);
+        if (deflate) {
+            setZipAlgorithm(JwtConstants.DEFLATE_ZIP_ALGORITHM);
+        }
+    }
+    
+    public void setKeyEncryptionAlgorithm(String type) {
+        super.setAlgorithm(type);
+    }
+    
+    public String getKeyEncryptionAlgorithm() {
+        return super.getAlgorithm();
+    }
+    
+    public void setContentEncryptionAlgorithm(String type) {
+        setHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM, type);
+    }
+    
+    public String getContentEncryptionAlgorithm() {
+        return (String)getHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM);
+    }
+    
+    public void setZipAlgorithm(String type) {
+        setHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM, type);
+    }
+    
+    public String getZipAlgorithm() {
+        return (String)getHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM);
+    }
+    
+    @Override
+    public JwtHeaders setHeader(String name, Object value) {
+        return (JwtHeaders)super.setHeader(name, value);
+    }
+    public byte[] toCipherAdditionalAuthData(JwtHeadersWriter writer) { 
+        return toCipherAdditionalAuthData(writer.headersToJson(this));
+    }
+    public static byte[] toCipherAdditionalAuthData(String headersJson) { 
+        try {
+            String base64UrlHeadersInJson = Base64UrlUtility.encode(headersJson.getBytes("UTF-8"));
+            return base64UrlHeadersInJson.getBytes("US-ASCII");
+        } catch (UnsupportedEncodingException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
new file mode 100644
index 0000000..5abe38c
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
@@ -0,0 +1,145 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+
+import javax.crypto.Cipher;
+
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class JweOutputStream extends FilterOutputStream {
+    private Cipher encryptingCipher;
+    private int blockSize;
+    private AuthenticationTagProducer authTagProducer;
+    private byte[] lastRawDataChunk;
+    private byte[] lastEncryptedDataChunk;
+    private boolean flushed;
+    public JweOutputStream(OutputStream out, 
+                           Cipher encryptingCipher, 
+                           AuthenticationTagProducer authTagProducer) {
+        super(out);
+        this.encryptingCipher = encryptingCipher;
+        this.blockSize = encryptingCipher.getBlockSize(); 
+        this.authTagProducer = authTagProducer;
+    }
+
+    @Override
+    public void write(int value) throws IOException {
+        byte[] bytes = ByteBuffer.allocate(Integer.SIZE / 8).putInt(value).array();
+        write(bytes, 0, bytes.length);
+    }
+    
+    @Override
+    public void write(byte b[], int off, int len) throws IOException {
+        if (lastRawDataChunk != null) {
+            int remaining = blockSize - lastRawDataChunk.length;
+            int lenToCopy = remaining < len ? remaining : len;
+            lastRawDataChunk = newArray(lastRawDataChunk, 0, lastRawDataChunk.length, b, off, lenToCopy);
+            off = off + lenToCopy;
+            len -= lenToCopy;
+            if (lastRawDataChunk.length < blockSize) {
+                return;
+            } else {
+                encryptAndWrite(lastRawDataChunk, 0, lastRawDataChunk.length);
+                lastRawDataChunk = null;
+            }
+        } 
+        int offset = 0;
+        int chunkSize = blockSize > len ? blockSize : blockSize * (len / blockSize);
+        for (; offset + chunkSize <= len; offset += chunkSize, off += chunkSize) {
+            encryptAndWrite(b, off, chunkSize);
+        }
+        if (offset < len) {
+            lastRawDataChunk = newArray(b, off, len - offset);
+        }
+        
+    }
+    
+    private void encryptAndWrite(byte[] chunk, int off, int len) throws IOException {
+        byte[] encrypted = encryptingCipher.update(chunk, off, len);
+        if (authTagProducer != null) {
+            authTagProducer.update(encrypted, 0, encrypted.length);
+        }
+        encodeAndWrite(encrypted, 0, encrypted.length, false);
+    }
+    private void encodeAndWrite(byte[] encryptedChunk, int off, int len, boolean finalWrite) throws IOException {
+        byte[] theChunk = lastEncryptedDataChunk;
+        int lenToEncode = len;
+        if (theChunk != null) {
+            theChunk = newArray(theChunk, 0, theChunk.length, encryptedChunk, off, len);
+            lenToEncode = theChunk.length;
+            off = 0;
+        } else {
+            theChunk = encryptedChunk;
+        }
+        int rem = finalWrite ? 0 : lenToEncode % 3; 
+        Base64UrlUtility.encodeAndStream(theChunk, off, lenToEncode - rem, out);
+        
+        if (rem > 0) {
+            lastEncryptedDataChunk = newArray(theChunk, lenToEncode - rem, rem);
+        } else {
+            lastEncryptedDataChunk = null;
+        }
+    }
+    
+    @Override
+    public void flush() throws IOException {
+        if (flushed) {
+            return;
+        }
+        try {
+            byte[] finalBytes = lastRawDataChunk == null 
+                ? encryptingCipher.doFinal()
+                : encryptingCipher.doFinal(lastRawDataChunk, 0, lastRawDataChunk.length);
+            final int authTagLengthBits = 128;
+            if (authTagProducer != null) {
+                authTagProducer.update(finalBytes, 0, finalBytes.length);
+                encodeAndWrite(finalBytes, 0, finalBytes.length, true);
+            } else {
+                encodeAndWrite(finalBytes, 0, finalBytes.length - authTagLengthBits / 8, true);
+            }
+            out.write(new byte[]{'.'});
+            
+            if (authTagProducer == null) {
+                encodeAndWrite(finalBytes, finalBytes.length - authTagLengthBits / 8, authTagLengthBits / 8, true);
+            } else {
+                byte[] authTag = authTagProducer.getTag();
+                encodeAndWrite(authTag, 0, authTagLengthBits / 8, true);
+            }
+        } catch (Exception ex) {
+            throw new SecurityException();
+        }
+        flushed = true;
+    }
+    private byte[] newArray(byte[] src, int srcPos, int srcLen) {
+        byte[] buf = new byte[srcLen];
+        System.arraycopy(src, srcPos, buf, 0, srcLen);
+        return buf;
+    }
+    private byte[] newArray(byte[] src, int srcPos, int srcLen, byte[] src2, int srcPos2, int srcLen2) {
+        byte[] buf = new byte[srcLen + srcLen2];
+        System.arraycopy(src, srcPos, buf, 0, srcLen);
+        System.arraycopy(src2, srcPos2, buf, srcLen, srcLen2);
+        return buf;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..9932ab2
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+
+public interface KeyDecryptionAlgorithm {
+    byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
new file mode 100644
index 0000000..a6a147b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+
+public interface KeyEncryptionAlgorithm {
+    byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..ac66535
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+    private byte[] password;
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) {    
+        this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password));
+    }
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) {    
+        this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password));
+    }
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) {    
+        this.password = password;
+    }
+    @Override
+    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
+        byte[] saltInput = getDecodedBytes(consumer, "p2s");
+        int pbesCount = consumer.getJweHeaders().getIntegerHeader("p2c");
+        String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm();
+        int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
+        byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
+            .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
+        KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey);
+        return aesWrap.getDecryptedContentEncryptionKey(consumer);
+    }    
+    private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+        try {
+            Object headerValue = consumer.getJweHeaders().getHeader(headerName);
+            return Base64UrlUtility.decode(headerValue.toString());
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
new file mode 100644
index 0000000..b67332d
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.Charset;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.digests.SHA384Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
+import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
+import org.bouncycastle.crypto.params.KeyParameter;
+
+public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm {
+    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+        Arrays.asList(Algorithm.PBES2_HS256_A128KW.getJwtName(),
+                      Algorithm.PBES2_HS384_A192KW.getJwtName(),
+                      Algorithm.PBES2_HS512_A256KW.getJwtName()));
+    private static final Map<String, Integer> PBES_HMAC_MAP;
+    private static final Map<String, String> PBES_AES_MAP;
+    private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
+    static {
+        PBES_HMAC_MAP = new HashMap<String, Integer>();
+        PBES_HMAC_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 256);
+        PBES_HMAC_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 384);
+        PBES_HMAC_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 512);
+        
+        PBES_AES_MAP = new HashMap<String, String>();
+        PBES_AES_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), Algorithm.A128KW.getJwtName());
+        PBES_AES_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), Algorithm.A192KW.getJwtName());
+        PBES_AES_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), Algorithm.A256KW.getJwtName());
+        
+        DERIVED_KEY_SIZE_MAP = new HashMap<String, Integer>();
+        DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 16);
+        DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 24);
+        DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 32);
+    }
+    
+    
+    private byte[] password;
+    private int pbesCount;
+    private String keyAlgoJwt;
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, String keyAlgoJwt) {
+        this(stringToBytes(password), keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt) {
+        this(stringToBytes(password), pbesCount, keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, String keyAlgoJwt) {
+        this(password, 4096, keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt) {
+        this(charsToBytes(password), pbesCount, keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, String keyAlgoJwt) {
+        this(password, 4096, keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, String keyAlgoJwt) {
+        this.password = password;
+        this.keyAlgoJwt = validateKeyAlgorithm(keyAlgoJwt);
+        this.pbesCount = validatePbesCount(pbesCount);
+    }
+    
+    @Override
+    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
+        int keySize = getKeySize(keyAlgoJwt);
+        byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
+        byte[] derivedKey = createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
+        
+        headers.setHeader("p2s", Base64UrlUtility.encode(saltInput));
+        headers.setIntegerHeader("p2c", pbesCount);
+        
+        final String aesAlgoJwt = PBES_AES_MAP.get(keyAlgoJwt);
+        KeyEncryptionAlgorithm aesWrap = new AesWrapKeyEncryptionAlgorithm(derivedKey, aesAlgoJwt) {
+            protected void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
+                // complete
+            }
+            protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
+                return Algorithm.AES_WRAP_ALGO_JAVA;
+            }
+        };
+        return aesWrap.getEncryptedContentEncryptionKey(headers, cek);
+        
+        
+    }
+    static int getKeySize(String keyAlgoJwt) {
+        return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
+    }
+    static byte[] createDerivedKey(String keyAlgoJwt, int keySize,
+                                   byte[] password, byte[] saltInput, int pbesCount) {
+        byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput);
+        Digest digest = null;
+        int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt);
+        if (macSigSize == 256) { 
+            digest = new SHA256Digest();
+        } else if (macSigSize == 384) {
+            digest = new SHA384Digest();
+        } else {
+            digest = new SHA512Digest();
+        }
+        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
+        gen.init(password, saltValue, pbesCount);
+        return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey();
+    }
+    
+    
+    private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) {
+        byte[] algoBytes = stringToBytes(keyAlgoJwt);
+        byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length];
+        System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length);
+        saltValue[algoBytes.length] = 0;
+        System.arraycopy(saltInput, 0, saltValue, algoBytes.length + 1, saltInput.length);
+        return saltValue;
+    }
+    static String validateKeyAlgorithm(String algo) {
+        if (!SUPPORTED_ALGORITHMS.contains(algo)) {
+            throw new SecurityException();
+        }
+        return algo;
+    }
+    static int validatePbesCount(int count) {
+        if (count < 1000) {
+            throw new SecurityException();
+        }
+        return count;
+    }    
+    
+    static byte[] stringToBytes(String str) {
+        try {
+            return str.getBytes("UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    static byte[] charsToBytes(char[] chars) {
+        ByteBuffer bb = Charset.forName("UTF-8").encode(CharBuffer.wrap(chars));
+        byte[] b = new byte[bb.remaining()];
+        bb.get(b);
+        return b;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..c0e2f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.interfaces.RSAPrivateKey;
+
+public class RSAOaepKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
+    public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {    
+        this(privateKey, true);
+    }
+    public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, boolean unwrap) {    
+        super(privateKey, unwrap);
+    }
+    protected int getKeyCipherBlockSize() {
+        return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
new file mode 100644
index 0000000..b658e36
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
+public class RSAOaepKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
+    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+        Arrays.asList(Algorithm.RSA_OAEP.getJwtName(),
+                      Algorithm.RSA_OAEP_256.getJwtName()));
+    public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo) {
+        this(publicKey, jweAlgo, true);
+    }
+    public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo, boolean wrap) {
+        super(publicKey, jweAlgo, wrap, SUPPORTED_ALGORITHMS);
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..789e8cd
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
+
+public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+    private Key cekDecryptionKey;
+    private boolean unwrap;
+    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey) {    
+        this(cekDecryptionKey, true);
+    }
+    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, boolean unwrap) {    
+        this.cekDecryptionKey = cekDecryptionKey;
+        this.unwrap = unwrap;
+    }
+    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
+        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer); 
+        if (spec != null) {
+            keyProps.setAlgoSpec(spec);
+        }
+        if (!unwrap) {
+            keyProps.setBlockSize(getKeyCipherBlockSize());
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), 
+                                            getCekDecryptionKey(), keyProps);
+        } else {
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), 
+                                               getContentEncryptionAlgorithm(consumer), 
+                                               getCekDecryptionKey(), 
+                                               keyProps).getEncoded();
+        }
+    }
+    
+    protected Key getCekDecryptionKey() {
+        return cekDecryptionKey;
+    }
+    protected int getKeyCipherBlockSize() {
+        return -1;
+    }
+    protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
+        return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
+    }
+    protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
+        return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+    }
+    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
+        return null;
+    }
+    protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
+        return consumer.getEncryptedContentEncryptionKey();
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
new file mode 100644
index 0000000..b14effc
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweDecryption.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.Key;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader;
+
+public class WrappedKeyJweDecryption extends AbstractJweDecryption {
+    public WrappedKeyJweDecryption(Key cekDecryptionKey) {    
+        this(cekDecryptionKey, true);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap) {    
+        this(cekDecryptionKey, unwrap, null);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, JweCryptoProperties props) {
+        this(cekDecryptionKey, true, props);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
+                                  JweCryptoProperties props) {    
+        this(cekDecryptionKey, unwrap, props, null);
+    }
+    public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
+                                   JweCryptoProperties props, JwtHeadersReader reader) {    
+        this(new WrappedKeyDecryptionAlgorithm(cekDecryptionKey, unwrap),
+             props, reader);
+    }
+    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo) {    
+        this(keyDecryptionAlgo, null, null);
+    }
+    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
+                                   JweCryptoProperties props, JwtHeadersReader reader) {    
+        this(keyDecryptionAlgo, props, reader, new AesGcmContentDecryptionAlgorithm());
+    }
+    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
+                                   JweCryptoProperties props, JwtHeadersReader reader,
+                                   ContentDecryptionAlgorithm cipherProps) {    
+        super(props, reader, keyDecryptionAlgo, cipherProps);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweEncryption.java
new file mode 100644
index 0000000..98bad90
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyJweEncryption.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
+
+public class WrappedKeyJweEncryption extends AbstractJweEncryption {
+    public WrappedKeyJweEncryption(JweHeaders headers, 
+                                   KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
+        this(headers, null, null, keyEncryptionAlgorithm);
+    }
+    public WrappedKeyJweEncryption(JweHeaders headers, byte[] cek, 
+                                   byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
+        this(headers, cek, iv, keyEncryptionAlgorithm, null);
+    }
+    public WrappedKeyJweEncryption(JweHeaders headers, 
+                                   byte[] cek, 
+                                   byte[] iv, 
+                                   KeyEncryptionAlgorithm keyEncryptionAlgorithm,
+                                   JwtHeadersWriter writer) {
+        super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), keyEncryptionAlgorithm, writer);
+    }
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
new file mode 100644
index 0000000..be300f4
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwk;
+
+import org.apache.cxf.rs.security.jose.jwt.AbstractJwtObjectReaderWriter;
+
+
+
+
+public class DefaultJwkReaderWriter extends AbstractJwtObjectReaderWriter
+    implements JwkReaderWriter {
+    @Override
+    public String jwkSetToJson(JsonWebKeys jwks) {
+        return toJson(jwks);
+    }
+    @Override
+    public JsonWebKeys jsonToJwkSet(String jwksJson) {
+        JsonWebKeys jwks = new JsonWebKeys();
+        fromJsonInternal(jwks, jwksJson);
+        return jwks;
+    }
+    @Override
+    public String jwkToJson(JsonWebKey jwk) {
+        return toJson(jwk);
+    }
+    @Override
+    public JsonWebKey jsonToJwk(String jwkJson) {
+        JsonWebKey jwk = new JsonWebKey();
+        fromJsonInternal(jwk, jwkJson);
+        return jwk;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
new file mode 100644
index 0000000..510e7a7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
@@ -0,0 +1,213 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwk;
+
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+import java.util.Map;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJwtObject;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+
+public class JsonWebKey extends AbstractJwtObject {
+    
+    public static final String KEY_TYPE = "kty";
+    public static final String PUBLIC_KEY_USE = "use";
+    public static final String KEY_OPERATIONS = "key_ops";
+    public static final String KEY_ALGO = JwtConstants.HEADER_ALGORITHM;
+    public static final String KEY_ID = JwtConstants.HEADER_KEY_ID;
+    public static final String X509_URL = JwtConstants.HEADER_X509_URL;
+    public static final String X509_CHAIN = JwtConstants.HEADER_X509_CHAIN;
+    public static final String X509_THUMBPRINT = JwtConstants.HEADER_X509_THUMBPRINT;
+    public static final String X509_THUMBPRINT_SHA256 = JwtConstants.HEADER_X509_THUMBPRINT_SHA256;
+    
+    public static final String KEY_TYPE_RSA = "RSA";
+    public static final String RSA_MODULUS = "n";
+    public static final String RSA_PUBLIC_EXP = "e";
+    public static final String RSA_PRIVATE_EXP = "d";
+    public static final String RSA_FIRST_PRIME_FACTOR = "p";
+    public static final String RSA_SECOND_PRIME_FACTOR = "q";
+    public static final String RSA_FIRST_PRIME_CRT = "dp";
+    public static final String RSA_SECOND_PRIME_CRT = "dq";
+    public static final String RSA_FIRST_CRT_COEFFICIENT = "qi";
+        
+    public static final String KEY_TYPE_OCTET = "oct";
+    public static final String OCTET_KEY_VALUE = "k";
+    
+    public static final String KEY_TYPE_ELLIPTIC = "EC";
+    public static final String EC_CURVE = "crv";
+    public static final String EC_CURVE_P256 = "P-256";
+    public static final String EC_CURVE_P384 = "P-384";
+    public static final String EC_CURVE_P512 = "P-512";
+    public static final String EC_X_COORDINATE = "x";
+    public static final String EC_Y_COORDINATE = "y";
+    public static final String EC_PRIVATE_KEY = "d";
+    
+    public static final String PUBLIC_KEY_USE_SIGN = "sig";
+    public static final String PUBLIC_KEY_USE_ENCRYPT = "enc";
+    
+    public static final String KEY_OPER_SIGN = "sign";
+    public static final String KEY_OPER_VERIFY = "verify";
+    public static final String KEY_OPER_ENCRYPT = "encrypt";
+    public static final String KEY_OPER_DECRYPT = "decrypt";
+    
+    public JsonWebKey() {
+        
+    }
+    
+    public JsonWebKey(Map<String, Object> values) {
+        super(values);
+    }
+    
+    public void setKeyType(String keyType) {
+        super.setValue(KEY_TYPE, keyType);
+    }
+
+    public String getKeyType() {
+        return (String)super.getValue(KEY_TYPE);
+    }
+
+    public void setPublicKeyUse(String use) {
+        super.setValue(PUBLIC_KEY_USE, use);
+    }
+    
+    public String getPublicKeyUse() {
+        return (String)super.getValue(PUBLIC_KEY_USE);
+    }
+
+    public void setKeyOperation(List<String> keyOperation) {
+        super.setValue(KEY_OPERATIONS, keyOperation);
+    }
+
+    public List<String> getKeyOperation() {
+        return CastUtils.cast((List<?>)super.getValue(KEY_OPERATIONS));
+    }
+    
+    public void setAlgorithm(String algorithm) {
+        super.setValue(KEY_ALGO, algorithm);
+    }
+
+    public String getAlgorithm() {
+        return (String)super.getValue(KEY_ALGO);
+    }
+    
+    public void setKid(String kid) {
+        super.setValue(KEY_ID, kid);
+    }
+
+    public String getKid() {
+        return (String)super.getValue(KEY_ID);
+    }
+    
+    public void setX509Url(String x509Url) {
+        super.setValue(X509_URL, x509Url);
+    }
+    
+    public String getX509Url() {
+        return (String)super.getValue(X509_URL);
+    }
+
+    public void setX509Chain(String x509Chain) {
+        super.setValue(X509_CHAIN, x509Chain);
+    }
+
+    public String getX509Chain() {
+        return (String)super.getValue(X509_CHAIN);
+    }
+    
+    public void setX509Thumbprint(String x509Thumbprint) {
+        super.setValue(X509_THUMBPRINT, x509Thumbprint);
+    }
+    
+    public String getX509Thumbprint() {
+        return (String)super.getValue(X509_THUMBPRINT);
+    }
+    
+    public void setX509ThumbprintSHA256(String x509Thumbprint) {
+        super.setValue(X509_THUMBPRINT_SHA256, x509Thumbprint);
+    }
+    
+    public String getX509ThumbprintSHA256() {
+        return (String)super.getValue(X509_THUMBPRINT_SHA256);
+    }
+    
+    public JsonWebKey setProperty(String name, Object value) {
+        super.setValue(name, value);
+        return this;
+    }
+    
+    public Object getProperty(String name) {
+        return super.getValue(name);
+    }
+    
+    public RSAPublicKey toRSAPublicKey() {
+        String encodedModulus = (String)super.getValue(RSA_MODULUS);
+        String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
+        return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
+    }
+    public RSAPrivateKey toRSAPrivateKey() {
+        String encodedModulus = (String)super.getValue(RSA_MODULUS);
+        String encodedPrivateExponent = (String)super.getValue(RSA_PRIVATE_EXP);
+        String encodedPrimeP = (String)super.getValue(RSA_FIRST_PRIME_FACTOR);
+        if (encodedPrimeP == null) {
+            return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);
+        } else {
+            String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
+            String encodedPrimeQ = (String)super.getValue(RSA_SECOND_PRIME_FACTOR);
+            String encodedPrimeExpP = (String)super.getValue(RSA_FIRST_PRIME_CRT);
+            String encodedPrimeExpQ = (String)super.getValue(RSA_SECOND_PRIME_CRT);
+            String encodedCrtCoefficient = (String)super.getValue(RSA_FIRST_CRT_COEFFICIENT);
+            return CryptoUtils.getRSAPrivateKey(encodedModulus, 
+                                                encodedPublicExponent,
+                                                encodedPrivateExponent,
+                                                encodedPrimeP,
+                                                encodedPrimeQ,
+                                                encodedPrimeExpP,
+                                                encodedPrimeExpQ,
+                                                encodedCrtCoefficient);
+        }
+    }
+    public ECPublicKey toECPublicKey() {
+        String eCurve = (String)super.getValue(EC_CURVE);
+        String encodedXCoord = (String)super.getValue(EC_X_COORDINATE);
+        String encodedYCoord = (String)super.getValue(EC_Y_COORDINATE);
+        return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord);
+    }
+    public ECPrivateKey toECPrivateKey() {
+        String eCurve = (String)super.getValue(EC_CURVE);
+        String encodedPrivateKey = (String)super.getValue(EC_PRIVATE_KEY);
+        return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey);
+    }
+    
+    public SecretKey toSecretKey() {
+        return CryptoUtils.createSecretKeySpec((String)getProperty(OCTET_KEY_VALUE), 
+                                               Algorithm.toJavaName(getAlgorithm()));
+    }
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
new file mode 100644
index 0000000..3c79454
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
@@ -0,0 +1,131 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwk;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJwtObject;
+
+public class JsonWebKeys extends AbstractJwtObject {
+    public static final String KEYS_PROPERTY = "keys";
+    public List<JsonWebKey> getKeys() {
+        List<?> list = (List<?>)super.getValue(KEYS_PROPERTY);
+        if (list != null && !list.isEmpty()) {
+            Object first = list.get(0);
+            if (first instanceof JsonWebKey) {
+                return CastUtils.cast(list);
+            } else {
+                List<JsonWebKey> keys = new LinkedList<JsonWebKey>();
+                List<Map<String, Object>> listOfMaps = 
+                    CastUtils.cast((List<?>)super.getValue(KEYS_PROPERTY));
+                for (Map<String, Object> map : listOfMaps) {
+                    keys.add(new JsonWebKey(map));
+                }
+                return keys;
+            }
+        } else {
+            return null;
+        }
+    }
+
+    public void setKeys(List<JsonWebKey> keys) {
+        super.setValue(KEYS_PROPERTY, keys);
+    }
+    
+    public Map<String, JsonWebKey> getKeyIdMap() {
+        List<JsonWebKey> keys = getKeys();
+        if (keys == null) {
+            return Collections.emptyMap();
+        }
+        Map<String, JsonWebKey> map = new LinkedHashMap<String, JsonWebKey>();
+        for (JsonWebKey key : keys) {
+            String kid = key.getKid();
+            if (kid != null) {
+                map.put(kid, key);
+            }
+        }
+        return map;
+    }
+    public JsonWebKey getKey(String kid) {
+        return getKeyIdMap().get(kid);
+    }
+    public Map<String, List<JsonWebKey>> getKeyTypeMap() {
+        return getKeyPropertyMap(JsonWebKey.KEY_TYPE);
+    }
+    public Map<String, List<JsonWebKey>> getKeyUseMap() {
+        return getKeyPropertyMap(JsonWebKey.PUBLIC_KEY_USE);
+    }
+    private Map<String, List<JsonWebKey>> getKeyPropertyMap(String propertyName) {
+        List<JsonWebKey> keys = getKeys();
+        if (keys == null) {
+            return Collections.emptyMap();
+        }
+        Map<String, List<JsonWebKey>> map = new LinkedHashMap<String, List<JsonWebKey>>();
+        for (JsonWebKey key : keys) {
+            String propValue = (String)key.getProperty(propertyName);
+            if (propValue != null) {
+                List<JsonWebKey> list = map.get(propValue);
+                if (list == null) {
+                    list = new LinkedList<JsonWebKey>();
+                    map.put(propValue, list);
+                }
+                list.add(key);
+            }
+        }
+        return map;
+    }
+    public Map<String, List<JsonWebKey>> getKeyOperationMap() {
+        List<JsonWebKey> keys = getKeys();
+        if (keys == null) {
+            return Collections.emptyMap();
+        }
+        Map<String, List<JsonWebKey>> map = new LinkedHashMap<String, List<JsonWebKey>>();
+        for (JsonWebKey key : keys) {
+            List<String> ops = key.getKeyOperation();
+            if (ops != null) {
+                for (String op : ops) {
+                    List<JsonWebKey> list = map.get(op);
+                    if (list == null) {
+                        list = new LinkedList<JsonWebKey>();
+                        map.put(op, list);
+                    }
+                    list.add(key);
+                }
+            }
+        }
+        return map;
+    }
+    public List<JsonWebKey> getKeys(String keyType) {
+        return getKeyTypeMap().get(keyType);
+    }
+    public List<JsonWebKey> getRsaKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_RSA);
+    }
+    public List<JsonWebKey> getEllipticKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_ELLIPTIC);
+    }
+    public List<JsonWebKey> getSecretKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_OCTET);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
new file mode 100644
index 0000000..679b7aa
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwk;
+
+
+public interface JwkReaderWriter {
+    String jwkToJson(JsonWebKey jwk);
+    JsonWebKey jsonToJwk(String jwkJson);
+    String jwkSetToJson(JsonWebKeys jwkSet);
+    JsonWebKeys jsonToJwkSet(String jwkSetJson);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
new file mode 100644
index 0000000..9661bdb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -0,0 +1,190 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwk;
+
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.util.Collections;
+import java.util.List;
+import java.util.Properties;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
+import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.PrivateKeyPasswordProvider;
+
+public final class JwkUtils {
+    public static final String JWK_KEY_STORE_TYPE = "jwk";
+    public static final String RSSEC_KEY_STORE_JWKSET = "rs.security.keystore.jwkset";
+    public static final String RSSEC_KEY_STORE_JWKKEY = "rs.security.keystore.jwkkey";
+    private JwkUtils() {
+        
+    }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
+        return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
+    }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter writer) {
+        return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
+    }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) {
+        return jwe.encrypt(stringToBytes(writer.jwkSetToJson(jwkSet)), "jwk-set+json");
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
+        return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter reader) {
+        return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) {
+        return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
+    }
+    public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
+        return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
+    }
+    public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter writer) {
+        return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
+    }
+    public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) {
+        return jwe.encrypt(stringToBytes(writer.jwkToJson(jwkKey)), "jwk+json");
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
+        return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) {
+        return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe, JwkReaderWriter reader) {
+        return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
+    }
+    private static JweEncryptionProvider createDefaultEncryption(char[] password) {
+        KeyEncryptionAlgorithm keyEncryption = 
+            new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
+        return new AesCbcHmacJweEncryption(Algorithm.PBES2_HS256_A128KW.getJwtName(),
+                                           Algorithm.A128CBC_HS256.getJwtName(),
+                                           keyEncryption);
+    }
+    private static JweDecryptionProvider createDefaultDecryption(char[] password) {
+        KeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+        return new AesCbcHmacJweDecryption(keyDecryption);
+    }
+    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) {
+        return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb, 
+                                         JwkReaderWriter reader) {
+        JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(CryptoUtils.RSSEC_KEY_STORE_FILE));
+        if (jwkSet == null) {
+            jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
+            m.getExchange().put((String)props.get(CryptoUtils.RSSEC_KEY_STORE_FILE), jwkSet);
+        }
+        return jwkSet;
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb) {
+        return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb, 
+                                         JwkReaderWriter reader) {
+        JweDecryptionProvider decryption = cb != null
+            ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(cb.getPassword(props))) : null;
+        return loadJwkSet(props, bus, decryption, reader);
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) {
+        String keyContent = null;
+        String keyStoreLoc = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_FILE);
+        if (keyStoreLoc != null) {
+            try {
+                InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
+                keyContent = IOUtils.readStringFromStream(is);
+            } catch (Exception ex) {
+                throw new SecurityException(ex);
+            }
+        } else {
+            keyContent = props.getProperty(RSSEC_KEY_STORE_JWKSET);
+            if (keyContent == null) {
+                keyContent = props.getProperty(RSSEC_KEY_STORE_JWKKEY);
+            }
+        }
+        if (jwe != null) {
+            keyContent = jwe.decrypt(keyContent).getContentText();
+        }
+        if (props.getProperty(RSSEC_KEY_STORE_JWKKEY) == null) {
+            return reader.jsonToJwkSet(keyContent);
+        } else {
+            JsonWebKey key = reader.jsonToJwk(keyContent);
+            JsonWebKeys keys = new JsonWebKeys();
+            keys.setKeys(Collections.singletonList(key));
+            return keys;
+        }
+    }
+    public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper) {
+        return loadJsonWebKey(m, props, keyOper, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper, JwkReaderWriter reader) {
+        PrivateKeyPasswordProvider cb = 
+            (PrivateKeyPasswordProvider)m.getContextualProperty(CryptoUtils.RSSEC_KEY_PSWD_PROVIDER);
+        if (cb == null && keyOper != null) {
+            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
+                : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) ? CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
+            if (propName != null) {
+                cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
+            }
+        }
+        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
+        String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
+        if (kid == null && keyOper != null) {
+            String keyIdProp = null;
+            if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) {
+                keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jwe";
+            } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN)
+                       || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
+                keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jws";
+            }
+            if (keyIdProp != null) {
+                kid = props.getProperty(keyIdProp);
+            }
+        }
+        if (kid != null) {
+            return jwkSet.getKey(kid);
+        } else if (keyOper != null) {
+            List<JsonWebKey> keys = jwkSet.getKeyUseMap().get(keyOper);
+            if (keys != null && keys.size() == 1) {
+                return keys.get(0);
+            }
+        }
+        return null;
+    }
+    private static byte[] stringToBytes(String str) {
+        try {
+            return str.getBytes("UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
new file mode 100644
index 0000000..04516a3
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import java.util.Set;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
+
+public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
+    private Set<String> supportedAlgorithms;
+    private String defaultJwtAlgorithm;
+    
+    protected AbstractJwsSignatureProvider(Set<String> supportedAlgorithms) {
+        this.supportedAlgorithms = supportedAlgorithms;
+    }
+    
+    protected JwtHeaders prepareHeaders(JwtHeaders headers) {
+        if (headers == null) {
+            headers = new JwtHeaders();
+        }
+        String algo = headers.getAlgorithm();
+        if (algo != null) {
+            checkAlgorithm(algo);
+        } else {
+            headers.setAlgorithm(defaultJwtAlgorithm);
+        }
+        return headers;
+    }
+    
+    @Override
+    public JwsSignature createJwsSignature(JwtHeaders headers) {
+        return doCreateJwsSignature(prepareHeaders(headers));
+    }
+    
+    protected abstract JwsSignature doCreateJwsSignature(JwtHeaders headers);
+    
+    public void setDefaultJwtAlgorithm(String algo) {
+        this.defaultJwtAlgorithm = algo;
+    }
+    protected void checkAlgorithm(String algo) {
+        if (algo == null || !supportedAlgorithms.contains(algo)) {
+            throw new SecurityException();
+        }
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
new file mode 100644
index 0000000..f1547b5
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import java.security.SecureRandom;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
+public class EcDsaJwsSignatureProvider extends PrivateKeyJwsSignatureProvider {
+    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+        Arrays.asList(Algorithm.SHA256withECDSA.getJwtName(),
+                      Algorithm.SHA384withECDSA.getJwtName(),
+                      Algorithm.SHA512withECDSA.getJwtName())); 
+    
+    public EcDsaJwsSignatureProvider(ECPrivateKey key) {
+        this(key, null);
+    }
+    public EcDsaJwsSignatureProvider(ECPrivateKey key, AlgorithmParameterSpec spec) {
+        this(key, null, spec);
+    }
+    public EcDsaJwsSignatureProvider(ECPrivateKey key, SecureRandom random, AlgorithmParameterSpec spec) {
+        super(key, random, spec, SUPPORTED_ALGORITHMS);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
new file mode 100644
index 0000000..38ed06a
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.crypto.Mac;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
+
+public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider implements JwsSignatureVerifier {
+    private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+        Arrays.asList(Algorithm.HmacSHA256.getJwtName(),
+                      Algorithm.HmacSHA384.getJwtName(),
+                      Algorithm.HmacSHA512.getJwtName())); 
+    private byte[] key;
+    private AlgorithmParameterSpec hmacSpec;
+    
+    public HmacJwsSignatureProvider(byte[] key) {
+        this(key, null);
+    }
+    public HmacJwsSignatureProvider(byte[] key, AlgorithmParameterSpec spec) {
+        super(SUPPORTED_ALGORITHMS);
+        this.key = key;
+        this.hmacSpec = spec;
+    }
+    public HmacJwsSignatureProvider(String encodedKey) {
+        super(SUPPORTED_ALGORITHMS);
+        try {
+            this.key = Base64UrlUtility.decode(encodedKey);
+        } catch (Base64Exception ex) {
+            throw new SecurityException();
+        }
+    }
+    
+    @Override
+    public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
+        byte[] expected = computeMac(headers, unsignedText);
+        return Arrays.equals(expected, signature);
+    }
+    
+    private byte[] computeMac(JwtHeaders headers, String text) {
+        return HmacUtils.computeHmac(key, 
+                                     Algorithm.toJavaName(headers.getAlgorithm()),
+                                     hmacSpec,
+                                     text);
+    }
+    protected JwsSignature doCreateJwsSignature(JwtHeaders headers) {
+        final Mac mac = HmacUtils.getInitializedMac(key, Algorithm.toJavaName(headers.getAlgorithm()),
+                                                    hmacSpec);
+        return new JwsSignature() {
+
+            @Override
+            public void update(byte[] src, int off, int len) {
+                mac.update(src, off, len);
+            }
+
+            @Override
+            public byte[] sign() {
+                return mac.doFinal();
+            }
+            
+        };
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
new file mode 100644
index 0000000..422473f
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -0,0 +1,122 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import java.io.UnsupportedEncodingException;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader;
+import org.apache.cxf.rs.security.jose.jwt.JwtTokenReader;
+import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class JwsCompactConsumer {
+    private JwtHeadersReader reader = new JwtTokenReaderWriter();
+    private String encodedSequence;
+    private String encodedSignature;
+    private String headersJson;
+    private String jwsPayload;
+    private JwsSignatureProperties props;
+    public JwsCompactConsumer(String encodedJws) {
+        this(encodedJws, null, null);
+    }
+    public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props) {
+        this(encodedJws, props, null);
+    }
+    public JwsCompactConsumer(String encodedJws, JwtTokenReader r) {
+        this(encodedJws, null, r);
+    }
+    public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props, JwtHeadersReader r) {
+        if (r != null) {
+            this.reader = r;
+        }
+        this.props = props;
+        String[] parts = encodedJws.split("\\.");
+        if (parts.length != 3) {
+            if (parts.length == 2 && encodedJws.endsWith(".")) {
+                encodedSignature = "";
+            } else {
+                throw new OAuthServiceException("Invalid JWS Compact sequence");
+            }
+        } else {
+            encodedSignature = parts[2];
+        }
+        headersJson = decodeToString(parts[0]);
+        jwsPayload = decodeToString(parts[1]);
+        encodedSequence = parts[0] + "." + parts[1];
+        
+    }
+    public String getUnsignedEncodedPayload() {
+        return encodedSequence;
+    }
+    public String getEncodedSignature() {
+        return encodedSignature;
+    }
+    public String getDecodedJsonHeaders() {
+        return headersJson;
+    }
+    public String getDecodedJwsPayload() {
+        return jwsPayload;
+    }
+    public byte[] getDecodedJwsPayloadBytes() {
+        try {
+            return jwsPayload.getBytes("UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    public byte[] getDecodedSignature() {
+        return encodedSignature.isEmpty() ? new byte[]{} : decode(encodedSignature);
+    }
+    public JwtHeaders getJwtHeaders() {
+        return getReader().fromJsonHeaders(headersJson);
+    }
+    public boolean verifySignatureWith(JwsSignatureVerifier validator) {
+        enforceJweSignatureProperties();
+        if (!validator.verify(getJwtHeaders(), getUnsignedEncodedPayload(), getDecodedSignature())) {
+            throw new SecurityException();
+        }
+        return true;
+    }
+    private void enforceJweSignatureProperties() {
+        if (props != null) {
+            //TODO:
+        }
+    }
+    private static String decodeToString(String encoded) {
+        try {
+            return new String(decode(encoded), "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+        
+    }
+    protected JwtHeadersReader getReader() {
+        return reader;
+    }
+    private static byte[] decode(String encoded) {
+        try {
+            return Base64UrlUtility.decode(encoded);
+        } catch (Base64Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
new file mode 100644
index 0000000..ef4dd52
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
@@ -0,0 +1,109 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jws;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
+import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class JwsCompactProducer {
+    private JwtHeadersWriter writer = new JwtTokenReaderWriter();
+    private JwtHeaders headers;
+    private String plainJwsPayload;
+    private String signature;
+    private String plainRep;
+    
+    public JwsCompactProducer(String plainJwsPayload) {
+        this(null, null, plainJwsPayload);
+    }
+    public JwsCompactProducer(JwtHeaders headers, String plainJwsPayload) {
+        this(headers, null, plainJwsPayload);
+    }
+    public JwsCompactProducer(JwtHeaders headers, JwtHeadersWriter w, String plainJwsPayload) {
+        this.headers = headers;
+        if (w != null) {
+            this.writer = w;
+        }
+        this.plainJwsPayload = plainJwsPayload;
+    }
+    public JwtHeaders getHeaders() {
+        if (headers == null) {
+            headers = new JwtHeaders();
+        }
+        return headers;
+    }
+    public String getUnsignedEncodedJws() {
+        checkAlgorithm();
+        if (plainRep == null) {
+            plainRep = Base64UrlUtility.encode(writer.headersToJson(getHeaders())) 
+                + "." 
+                + Base64UrlUtility.encode(plainJwsPayload);
+        }
+        return plainRep;
+    }
+    
+    public String getSignedEncodedJws() {
+        checkAlgorithm();
+        boolean noSignature = StringUtils.isEmpty(signature);
+        if (noSignature && !isPlainText()) {
+            throw new IllegalStateException("Signature is not available");
+        }
+        return getUnsignedEncodedJws() + "." + (noSignature ? "" : signature);
+    }
+    
+    public String signWith(JwsSignatureProvider signer) { 
+        JwsSignature worker = signer.createJwsSignature(getHeaders());
+        try {
+            byte[] bytes = getUnsignedEncodedJws().getBytes("UTF-8");
+            worker.update(bytes, 0, bytes.length);
+            signWith(worker.sign());
+            return getSignedEncodedJws();
+        } catch (Exception ex) {
+            throw new SecurityException();
+        }
+    }
+    
+    public String signWith(String signatureText) {
+        setEncodedSignature(Base64UrlUtility.encode(signatureText));
+        return getSignedEncodedJws();
+    }
+    
+    public String signWith(byte[] signatureOctets) {
+        setEncodedSignature(Base64UrlUtility.encode(signatureOctets));
+        return getSignedEncodedJws();
+    }
+    
+    private void setEncodedSignature(String sig) {
+        this.signature = sig;
+    }
+    private boolean isPlainText() {
+        return JwtConstants.PLAIN_TEXT_ALGO.equals(getAlgorithm());
+    }
+    private String getAlgorithm() {
+        return getHeaders().getAlgorithm();
+    }
+    private void checkAlgorithm() {
+        if (getAlgorithm() == null) {
+            throw new IllegalStateException("Algorithm header is not set");
+        }
+    }
+}


Mime
View raw message