From serg...@apache.org
Subject git commit: [CXF-5954] Supporting encrypted sets and keys
Date Tue, 16 Sep 2014 12:58:33 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 0f3d4a6f0 -> f97f694a7


[CXF-5954] Supporting encrypted sets and keys


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f97f694a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f97f694a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f97f694a

Branch: refs/heads/3.0.x-fixes
Commit: f97f694a7bcd722e130f8b2ee803d1bd997eed28
Parents: 0f3d4a6
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Sep 16 13:57:01 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Sep 16 13:58:14 2014 +0100

----------------------------------------------------------------------
 .../oauth2/jwe/AbstractJweEncryption.java       |  15 +-
 .../oauth2/jwe/AesCbcHmacJweEncryption.java     |   4 +-
 .../oauth2/jwe/KeyDecryptionAlgorithm.java      |   2 +-
 .../PbesHmacAesWrapKeyDecryptionAlgorithm.java  |  54 ++++++++
 .../PbesHmacAesWrapKeyEncryptionAlgorithm.java  |  15 ++
 .../cxf/rs/security/oauth2/jwk/JwkUtils.java    | 137 ++++++++++++++++---
 .../rs/security/oauth2/jwk/JsonWebKeyTest.java  |  53 +++++++
 .../oauth2/utils/crypto/CryptoUtils.java        |   1 +
 .../jaxrs/security/jwt/JAXRSJweJwsTest.java     |  14 +-
 .../cxf/systest/jaxrs/security/jwt/server.xml   |   1 +
 .../security/certs/encryptedJwkPrivateSet.txt   |   1 +
 .../secret.aescbchmac.inlinejwk.properties      |  23 ++++
 .../secret.aescbchmac.inlineset.properties      |  33 +++++
 .../jaxrs/security/secret.aescbchmac.properties |   2 +-
 14 files changed, 322 insertions(+), 33 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
index cd21354..bfab97f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -141,22 +141,21 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     }
     
     private JweEncryptionInternal getInternalState(String contentType) {
-        JweHeaders theHeaders = headers;
-        if (contentType != null) {
-            theHeaders = new JweHeaders(theHeaders.asMap());
-            theHeaders.setContentType(contentType);
-        }
-        
         byte[] theCek = getContentEncryptionKey();
-        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
+        String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
         KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
-        keyProps.setCompressionSupported(compressionRequired(theHeaders));
+        keyProps.setCompressionSupported(compressionRequired(headers));
         
         byte[] theIv = contentEncryptionAlgo.getInitVector();
         AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv);
         keyProps.setAlgoSpec(specParams);
         byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
         
+        JweHeaders theHeaders = headers;
+        if (contentType != null) {
+            theHeaders = new JweHeaders(theHeaders.asMap());
+            theHeaders.setContentType(contentType);
+        }
         byte[] additionalEncryptionParam = getAAD(theHeaders);
         keyProps.setAdditionalData(additionalEncryptionParam);
         
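Review bot: The relocated `theHeaders` copy in getInternalState now has to run after `getEncryptedContentEncryptionKey(theCek)`, and nothing in the code says so. Presumably the key-encryption algorithm adds its own parameters to the shared `headers` during that call (the new decryption class reads `p2s` and `p2c` back from the header), so the copy handed to `getAAD` must be taken afterwards for the authenticated header to cover them. A comment above the copy, such as `// copy only after the CEK has been encrypted: the key algorithm may add header parameters that the AAD must cover`, would stop a later cleanup from moving it back. The method body continues past the end of the hunk.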

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java
index 492e0a6..c3fba4e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java
@@ -52,9 +52,9 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
         AES_CEK_SIZE_MAP.put(Algorithm.A256CBC_HS512.getJwtName(), 64);
     }
     public AesCbcHmacJweEncryption(String keyAlgo, 
-                                   String celAlgoJwt, 
+                                   String cekAlgoJwt, 
                                    KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
-        this(new JweHeaders(keyAlgo, validateCekAlgorithm(celAlgoJwt)), 
+        this(new JweHeaders(keyAlgo, validateCekAlgorithm(cekAlgoJwt)), 
              null, null, keyEncryptionAlgorithm);
     }
     public AesCbcHmacJweEncryption(JweHeaders headers, 

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
index ae0fa9e..d58e295 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
@@ -19,6 +19,6 @@
 package org.apache.cxf.rs.security.oauth2.jwe;
 
 
-interface KeyDecryptionAlgorithm {
+public interface KeyDecryptionAlgorithm {
     byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..192b3f0
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+
+public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+    private byte[] password;
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) {    
+        this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password));
+    }
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) {    
+        this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password));
+    }
+    public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) {    
+        this.password = password;
+    }
+    @Override
+    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
+        byte[] saltInput = getDecodedBytes(consumer, "p2s");
+        int pbesCount = Integer.parseInt((String)consumer.getJweHeaders().getHeader("p2c"));
+        String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm();
+        int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
+        byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
+            .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
+        KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey);
+        return aesWrap.getDecryptedContentEncryptionKey(consumer);
+    }    
+    private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+        try {
+            Object headerValue = consumer.getJweHeaders().getHeader(headerName);
+            return Base64UrlUtility.decode(headerValue.toString());
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+}
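Review bot: `p2c` comes from the JWE header of the token being decrypted and is passed to `createDerivedKey` with no bounds, so in getDecryptedContentEncryptionKey whoever supplies the token decides how much key-derivation work the receiver performs. The count needs an upper limit, and zero or negative values need rejecting, before the key is derived. The `(String)` cast is also fragile: the header of the encrypted test key set added in this commit decodes to `"p2c":4096`, a JSON number, so the cast may throw ClassCastException depending on how the header parser represents numbers. A malformed value also escapes as a bare NumberFormatException instead of the SecurityException that `getDecodedBytes` uses. The limit in the sketch below is a placeholder for a policy value.

```java
    // placeholder limit: pick the value from deployment policy
    private static final int MAX_PBES_COUNT = 1000000;

    @Override
    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
        byte[] saltInput = getDecodedBytes(consumer, "p2s");
        int pbesCount = getIterationCount(consumer);
        // … unchanged: key size lookup, key derivation, AES key unwrap …
    }
    private static int getIterationCount(JweCompactConsumer consumer) {
        Object value = consumer.getJweHeaders().getHeader("p2c");
        if (value == null) {
            throw new SecurityException("p2c header is missing");
        }
        int count;
        try {
            count = value instanceof Number
                ? ((Number)value).intValue() : Integer.parseInt(value.toString());
        } catch (NumberFormatException ex) {
            throw new SecurityException(ex);
        }
        if (count < 1 || count > MAX_PBES_COUNT) {
            throw new SecurityException("p2c header is out of range");
        }
        return count;
    }
```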

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index b5ffa53..9015760 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -19,6 +19,9 @@
 package org.apache.cxf.rs.security.oauth2.jwe;
 
 import java.io.UnsupportedEncodingException;
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.Charset;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -70,6 +73,12 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor
     public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt)
{
         this(stringToBytes(password), pbesCount, keyAlgoJwt);
     }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, String keyAlgoJwt) {
+        this(password, 4096, keyAlgoJwt);
+    }
+    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt)
{
+        this(charsToBytes(password), pbesCount, keyAlgoJwt);
+    }
     public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, String keyAlgoJwt) {
         this(password, 4096, keyAlgoJwt);
     }
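Review bot: The new `char[]` convenience constructor repeats the literal `4096` that the `byte[]` constructor just below it already uses as the default PBES2 iteration count. A single named constant used by both, e.g. `private static final int DEFAULT_PBES_COUNT = 4096;`, would keep the defaults in step and give one place to raise the count later. The class body continues outside the hunk.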
@@ -150,5 +159,11 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor
             throw new SecurityException(ex);
         }
     }
+    static byte[] charsToBytes(char[] chars) {
+        ByteBuffer bb = Charset.forName("UTF-8").encode(CharBuffer.wrap(chars));
+        byte[] b = new byte[bb.remaining()];
+        bb.get(b);
+        return b;
+    }
     
 }
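Review bot: charsToBytes leaves an extra copy of the password behind, because the buffer returned by `Charset.encode` is copied into `b` and never cleared. A `char[]` overload is normally offered so that callers can wipe the secret, so the encoded intermediate should be wiped as well. For instance, add `if (bb.hasArray()) { Arrays.fill(bb.array(), (byte)0); }` after `bb.get(b)`; `Arrays` is already imported in this file. A short Javadoc stating that the caller remains responsible for clearing both the `char[]` and the returned array would make the contract explicit.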

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
index da7c70e..fba082a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
@@ -19,6 +19,8 @@
 package org.apache.cxf.rs.security.oauth2.jwk;
 
 import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
 
@@ -26,42 +28,135 @@ import org.apache.cxf.Bus;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweDecryption;
+import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweEncryption;
+import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.oauth2.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.oauth2.jwe.KeyDecryptionAlgorithm;
+import org.apache.cxf.rs.security.oauth2.jwe.KeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.oauth2.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
+import org.apache.cxf.rs.security.oauth2.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.PrivateKeyPasswordProvider;
 
 public final class JwkUtils {
     public static final String JWK_KEY_STORE_TYPE = "jwk";
+    public static final String RSSEC_KEY_STORE_JWKSET = "rs.security.keystore.jwkset";
+    public static final String RSSEC_KEY_STORE_JWKKEY = "rs.security.keystore.jwkkey";
     private JwkUtils() {
         
     }
-    public static JsonWebKeys loadPersistJwkSet(Message m, Properties props) {
-        return loadPersistJwkSet(m, props, new DefaultJwkReaderWriter());
+    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
+        return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
     }
-    public static JsonWebKeys loadPersistJwkSet(Message m, Properties props, JwkReaderWriter
reader) {
+    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter
writer) {
+        return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
+    }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
+        return jwe.encrypt(stringToBytes(writer.jwkSetToJson(jwkSet)), "jwk-set+json");
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
+        return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter
reader) {
+        return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
+    }
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
+        return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
+    }
+    public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
+        return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
+    }
+    public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter
writer) {
+        return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
+    }
+    public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
+        return jwe.encrypt(stringToBytes(writer.jwkToJson(jwkKey)), "jwk+json");
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
+        return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter
reader) {
+        return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
+    }
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
+        return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
+    }
+    private static JweEncryptionProvider createDefaultEncryption(char[] password) {
+        KeyEncryptionAlgorithm keyEncryption = 
+            new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
+        return new AesCbcHmacJweEncryption(Algorithm.PBES2_HS256_A128KW.getJwtName(),
+                                           Algorithm.A128CBC_HS256.getJwtName(),
+                                           keyEncryption);
+    }
+    private static JweDecryptionProvider createDefaultDecryption(char[] password) {
+        KeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+        return new AesCbcHmacJweDecryption(keyDecryption);
+    }
+    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider
cb) {
+        return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
+    }
+    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider
cb, 
+                                         JwkReaderWriter reader) {
         JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(CryptoUtils.RSSEC_KEY_STORE_FILE));
         if (jwkSet == null) {
-            jwkSet = loadJwkSet(props, m.getExchange().getBus(), reader);
+            jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
             m.getExchange().put((String)props.get(CryptoUtils.RSSEC_KEY_STORE_FILE), jwkSet);
         }
         return jwkSet;
     }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus) {
-        return loadJwkSet(props, bus, new DefaultJwkReaderWriter());
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider
cb) {
+        return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
     }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JwkReaderWriter reader)
{
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider
cb, 
+                                         JwkReaderWriter reader) {
+        JweDecryptionProvider decryption = cb != null
+            ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(cb.getPassword(props)))
: null;
+        return loadJwkSet(props, bus, decryption, reader);
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider
jwe, JwkReaderWriter reader) {
+        String keyContent = null;
         String keyStoreLoc = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_FILE);
-        try {
-            InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
-            return reader.jsonToJwkSet(IOUtils.readStringFromStream(is));
-        } catch (Exception ex) {
-            throw new SecurityException(ex);
+        if (keyStoreLoc != null) {
+            try {
+                InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
+                keyContent = IOUtils.readStringFromStream(is);
+            } catch (Exception ex) {
+                throw new SecurityException(ex);
+            }
+        } else {
+            keyContent = props.getProperty(RSSEC_KEY_STORE_JWKSET);
+            if (keyContent == null) {
+                keyContent = props.getProperty(RSSEC_KEY_STORE_JWKKEY);
+            }
+        }
+        if (jwe != null) {
+            keyContent = jwe.decrypt(keyContent).getContentText();
+        }
+        if (props.getProperty(RSSEC_KEY_STORE_JWKKEY) == null) {
+            return reader.jsonToJwkSet(keyContent);
+        } else {
+            JsonWebKey key = reader.jsonToJwk(keyContent);
+            JsonWebKeys keys = new JsonWebKeys();
+            keys.setKeys(Collections.singletonList(key));
+            return keys;
         }
     }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props) {
-        return loadJsonWebKey(m, props, null);
+    public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper)
{
+        return loadJsonWebKey(m, props, keyOper, new DefaultJwkReaderWriter());
     }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props,
-                                            String keyOper) {
-        JsonWebKeys jwkSet = loadPersistJwkSet(m, props);
+    public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper,
JwkReaderWriter reader) {
+        PrivateKeyPasswordProvider cb = 
+            (PrivateKeyPasswordProvider)m.getContextualProperty(CryptoUtils.RSSEC_KEY_PSWD_PROVIDER);
+        if (cb == null && keyOper != null) {
+            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
+                : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) ? CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER
: null;
+            if (propName != null) {
+                cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
+            }
+        }
+        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
         String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
         if (kid == null && keyOper != null) {
             String keyIdProp = null;
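Review bot: The inline `rs.security.keystore.jwkset` / `rs.security.keystore.jwkkey` path is only reached when `rs.security.keystore.file` is unset, yet loadJwkSet(Message, ...) still uses `props.get(CryptoUtils.RSSEC_KEY_STORE_FILE)` as the exchange cache key. Every inline key set is therefore looked up and stored under a null key, and depending on how the exchange map treats null, two different inline configurations may end up sharing one cached entry. In the loader that takes a `JweDecryptionProvider`, `keyContent` is also null when none of the three properties is set, and it is passed straight to `jwe.decrypt` or the reader. A guard before the decrypt step, such as `if (keyContent == null) { throw new SecurityException("No JWK store is configured"); }`, would fail with a clear message. The stream obtained from `ResourceUtils.getResourceStream` is not closed either, and loadJsonWebKey continues past the end of the hunk.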
@@ -85,5 +180,11 @@ public final class JwkUtils {
         }
         return null;
     }
-    
+    private static byte[] stringToBytes(String str) {
+        try {
+            return str.getBytes("UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
index 4085666..a2b5237 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
@@ -19,11 +19,15 @@
 package org.apache.cxf.rs.security.oauth2.jwk;
 
 import java.io.InputStream;
+import java.security.Security;
 import java.util.List;
 import java.util.Map;
 
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.rs.security.oauth2.jwe.JweCompactConsumer;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 import org.junit.Assert;
 import org.junit.Test;
@@ -96,6 +100,9 @@ public class JsonWebKeyTest extends Assert {
     @Test
     public void testPrivateSetAsList() throws Exception {
         JsonWebKeys jwks = readKeySet("jwkPrivateSet.txt");
+        validatePrivateSet(jwks);
+    }
+    private void validatePrivateSet(JsonWebKeys jwks) throws Exception {
         List<JsonWebKey> keys = jwks.getKeys();
         assertEquals(2, keys.size());
         
@@ -106,6 +113,48 @@ public class JsonWebKeyTest extends Assert {
         assertEquals(11, rsaKey.asMap().size());
         validatePrivateRsaKey(rsaKey);
     }
+    @Test
+    public void testEncryptDecryptPrivateSet() throws Exception {
+        Security.addProvider(new BouncyCastleProvider());    
+        try {
+            JsonWebKeys jwks = readKeySet("jwkPrivateSet.txt");
+            validatePrivateSet(jwks);
+            String encryptedKeySet = JwkUtils.encryptJwkSet(jwks, "password".toCharArray());
+            JweCompactConsumer c = new JweCompactConsumer(encryptedKeySet);
+            assertEquals("jwk-set+json", c.getJweHeaders().getContentType());
+            assertEquals(Algorithm.PBES2_HS256_A128KW.getJwtName(), c.getJweHeaders().getKeyEncryptionAlgorithm());
+            assertEquals(Algorithm.A128CBC_HS256.getJwtName(), c.getJweHeaders().getContentEncryptionAlgorithm());
+            assertNotNull(c.getJweHeaders().getHeader("p2s"));
+            assertNotNull(c.getJweHeaders().getHeader("p2c"));
+            jwks = JwkUtils.decryptJwkSet(encryptedKeySet, "password".toCharArray());
+            validatePrivateSet(jwks);
+        } finally {
+            Security.removeProvider(BouncyCastleProvider.class.getName());
+        }
+    }
+    @Test
+    public void testEncryptDecryptPrivateKey() throws Exception {
+        final String key = "{\"kty\":\"oct\","
+            + "\"alg\":\"A128KW\","
+            + "\"k\":\"GawgguFyGrWKav7AX4VKUg\","
+            + "\"kid\":\"AesWrapKey\"}";
+        Security.addProvider(new BouncyCastleProvider());    
+        try {
+            JsonWebKey jwk = readKey(key);
+            validateSecretAesKey(jwk);
+            String encryptedKey = JwkUtils.encryptJwkKey(jwk, "password".toCharArray());
+            JweCompactConsumer c = new JweCompactConsumer(encryptedKey);
+            assertEquals("jwk+json", c.getJweHeaders().getContentType());
+            assertEquals(Algorithm.PBES2_HS256_A128KW.getJwtName(), c.getJweHeaders().getKeyEncryptionAlgorithm());
+            assertEquals(Algorithm.A128CBC_HS256.getJwtName(), c.getJweHeaders().getContentEncryptionAlgorithm());
+            assertNotNull(c.getJweHeaders().getHeader("p2s"));
+            assertNotNull(c.getJweHeaders().getHeader("p2c"));
+            jwk = JwkUtils.decryptJwkKey(encryptedKey, "password".toCharArray());
+            validateSecretAesKey(jwk);
+        } finally {
+            Security.removeProvider(BouncyCastleProvider.class.getName());
+        }
+    }
     
     @Test
     public void testSecretSetAsList() throws Exception {
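Review bot: Both new tests call `Security.removeProvider(BouncyCastleProvider.class.getName())`, but removeProvider looks a provider up by its provider name, not its class name. The `finally` blocks therefore remove nothing, and BouncyCastle stays registered for whatever runs next in the same JVM. `Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);` does what the cleanup intends. The tests also cover only the round trip with the correct password; a case asserting that decryption with a different password fails would pin down the property the feature exists for.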
@@ -168,4 +217,8 @@ public class JsonWebKeyTest extends Assert {
         JwkReaderWriter reader = new DefaultJwkReaderWriter();
         return reader.jsonToJwkSet(s);
     }
+    public JsonWebKey readKey(String key) throws Exception {
+        JwkReaderWriter reader = new DefaultJwkReaderWriter();
+        return reader.jsonToJwk(key);
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java
index cb1e81e..3001b4b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java
@@ -78,6 +78,7 @@ public final class CryptoUtils {
     public static final String RSSEC_KEY_STORE_ALIAS = "rs.security.keystore.alias";
     public static final String RSSEC_KEY_STORE_FILE = "rs.security.keystore.file";
     public static final String RSSEC_PRINCIPAL_NAME = "rs.security.principal.name";
+    public static final String RSSEC_KEY_PSWD_PROVIDER = "rs.security.key.password.provider";
     public static final String RSSEC_SIG_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
     public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index b1252fd..db5f04f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -124,7 +124,14 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase
{
         assertEquals("book", text);
     }
     @Test
-    public void testJweJwkAesWrapAndAesCbcHMac() throws Exception {
+    public void testJweJwkAesCbcHMacInlineSet() throws Exception {
+        doTestJweJwkAesCbcHMac("org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties");
+    }
+    @Test
+    public void testJweJwkAesCbcHMacInlineSingleKey() throws Exception {
+        doTestJweJwkAesCbcHMac("org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties");
+    }
+    private void doTestJweJwkAesCbcHMac(String propFile) throws Exception {
         String address = "https://localhost:" + PORT + "/jwejwkaescbchmac";
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         SpringBusFactory bf = new SpringBusFactory();
@@ -139,8 +146,9 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
         providers.add(jweWriter);
         providers.add(new JweClientResponseFilter());
         bean.setProviders(providers);
-        bean.getProperties(true).put("rs.security.encryption.properties",
-                                     "org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties");
+        bean.getProperties(true).put("rs.security.encryption.properties", propFile);
+        PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl();
+        bean.getProperties(true).put("rs.security.key.password.provider", provider);
         BookStore bs = bean.create(BookStore.class);
         String text = bs.echoText("book");
         assertEquals("book", text);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index ca3a0db..0da9b3f 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -136,6 +136,7 @@ under the License.
         </jaxrs:providers>
         <jaxrs:properties>
             <entry key="rs.security.encryption.properties" value="org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties"/>
+            <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
         </jaxrs:properties>
     </jaxrs:server>
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwejwshmac">

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
new file mode 100644
index 0000000..0865b39
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
@@ -0,0 +1 @@
+eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiSmZmRmp6YzhGUHhRVlFPSlVYbXZuZyIsInAyYyI6NDA5NiwiY3R5IjoiandrLXNldCtqc29uIn0.osOgt-dpiYVRkJO_jYkrC7wIzAUi_HMRzW-XjvwHJbXECJGlmzFeMw.lYcyfoR4xxkHscyZ8--p9g.x0QTLYtwBtMmfRjH_wxUTsUiR2DIHFbY4SwZGKXW9E5hIfz0YJn2syO5c7ozIJrL3Al4OeCVRTg--aif0WXtLW728KdU1qDrQ3Pj8GW0J8eCUonLDJZEMssWFdroyhBvHIu-Jlpx0lnsjTStdMwwx9pL8OM4jtsOziDMjpuUqKCqfii8UfG1dKaH6FPRKsRe4K08D02XXKDopyZ1XUXNCj3ov4kgo2o_sUWcVcy8Oo56_77IvIL5CY-Itclv0EUWfI_Sd0Q9_n6m14ZyVbcU1r9NMwcruGTj-6ef5-dST58rPg_D-0ngp9zJg5cfzsI9_UWAw1xQtTKQQ07vQhvIHjRDc-M58_dZ3xp__hTjrZtqAufnGrYLK-ZaQO5-5VYZglbtDtPbNA6WAUxxBBsI6FMo0y5nM0ZFo2JV1vnwoQKLERn91IwVUJbtOr1_y2osWWvwxF7iRuClKaV1XJ3Zg_F8bawstSe-gzdKMmv9AYMMrAh2TSbTvOxi5s4bvWX_vjbFN5vINzVLj-o40BT36o-V6LXylxXFOToBBuRNUrHg8bhLGxZR3zVE_0panv1ruebnpWNGCwgpBK0NYornbV-i1RfreFhzWcOyHbE8hmFqMQhsuGvyrbszuxJ9rpryJsKjAxrsPb_SuhzVb-2WFsNynpTciAcGp6xjb_pm2-25u4iBjOfL9PlQcaEcrIxzihb9PGzJFOfBIvteAqCOJx4iiNfutcGxBEcnV1VOLGSp8uJPoWE3n6dROYu5pqO
 -ztLH-mfU9IjC6K7J5ulRtbZU2_qxVpcNTClRjT5BPWMgVElfvUIkHry-X6CjUUm3dh6B-zH5hTT3NTPOL7EwtebAtkiK509GOvO6pDOuqtn8-Dn92RDlh2fecDJOycjRInyt71SkrI6WhiVylhRNiZvt720Nesg41OqMweWxpgu4TGZflX9fB8sG-RBO0I1hP00Zk_c4t7t4k0-qKtV56zt3LJVE6K-hGBCB_0HtPDRbWUdkKbqkJ51JUda6RnXYBe7tLlVIzcLubd1YrikKeg0JnrFNafXqMoOWmUm2Q11EHuAZUiIJkBejgSEnbgfCjUc9gckQ0vOBP7ERhQJ4scpDCrG4fE5SPKo484qLxZuLhZBAntPdLCfKIav6WUg_Vbd0M7pP1vb53LdsZAsPidk_AB7_3TQdCct4xvK5C6MdHNQArlKzE9oMahQdyDWcYe7YbAu2ROwoz6xU3jKsrzJv-XI-Svw10eaE-KTlQwi8GaWw168-0Jnv23nSk5jGHh681iK8R0zbCIO2TNGZLe_jnJjiOlM-F3N-li73YEl8p30y2i0BUYTrPZYkwLUhFedlSX0hwR1jQpIoV0njzGeyf-pfySAUHXOhHRA00O3BzPZAXNBDTYCi54d6ng8QtlvG_IrhLbGkVTKJt8S6bfbsdvZvK8VW8_D0zf8uMoWBTAAoOkEz2a3x-UJ120LYq8LwzksuEFPRJ56m-YRLMO39vfMnQZbOxHsjzGsIZPgcaMhsYQugCMfU_TIJLc4zQx0DCC5VVnOwumXBz8lV0LHUOx79TXFzYMF0-VhzO0I.P-GdQKruCwb8-iDagtZIqQ
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
new file mode 100644
index 0000000..1c172a1
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties
@@ -0,0 +1,23 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.jwkkey=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoi\
+dk5QZzk4emFVT2RxZEJRbzhfZU5OUSIsInAyYyI6NDA5NiwiY3R5IjoiandrK2pzb24ifQ.8RodwuWBWWZp9fj5FB93D5Qf9y27eyQiqR\
+Hq0sbezF8m8ZIWjFqdgA.E5r-EbVtVttblREyU2mMVg.xI7gboooFhAcbnhBfsJD8-lbmf0sp0ZABNGLOf7ETs1TbHtRJ1qZlxczfwP2WG0\
+YggD9PsYMTllG7JeVU6xG2mF4t8kpquMiC3e4JlGJlvM.-XoyywZ0D2D9hk5w4RjnmA
+rs.security.keystore.alias.jwe=AesWrapKey
+rs.security.jwe.content.encryption.algorithm=A128CBC-HS256
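Review bot: The `rs.security.keystore.jwkkey` value is an opaque blob with no comment saying what it is or how to regenerate it, and the same holds for `rs.security.keystore.jwkset` in secret.aescbchmac.inlineset.properties. Its protected header decodes to PBES2-HS256+A128KW with A128CBC-HS256 and `cty` jwk+json, so a comment such as `# PBES2-encrypted JWK (compact JWE); test-only key, password supplied by the configured PrivateKeyPasswordProvider` above the property would tell the next maintainer what they are looking at. The inlineset value appears to be the same JWE as certs/encryptedJwkPrivateSet.txt (same header and same final segment), which is worth stating in that file's comment so the two are regenerated together.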

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
new file mode 100644
index 0000000..3968284
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties
@@ -0,0 +1,33 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.jwkset=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiSmZmRmp6YzhGUHhRVlFPSlVYbXZuZ\
+yIsInAyYyI6NDA5NiwiY3R5IjoiandrLXNldCtqc29uIn0.osOgt-dpiYVRkJO_jYkrC7wIzAUi_HMRzW-XjvwHJbXECJGlmzFeMw.lYcyfoR4xxkHscyZ8--p9g.x0QTLYtwB\
+tMmfRjH_wxUTsUiR2DIHFbY4SwZGKXW9E5hIfz0YJn2syO5c7ozIJrL3Al4OeCVRTg--aif0WXtLW728KdU1qDrQ3Pj8GW0J8eCUonLDJZEMssWFdroyhBvHIu-Jlpx0lnsjTSt\
+dMwwx9pL8OM4jtsOziDMjpuUqKCqfii8UfG1dKaH6FPRKsRe4K08D02XXKDopyZ1XUXNCj3ov4kgo2o_sUWcVcy8Oo56_77IvIL5CY-Itclv0EUWfI_Sd0Q9_n6m14ZyVbcU1r9\
+NMwcruGTj-6ef5-dST58rPg_D-0ngp9zJg5cfzsI9_UWAw1xQtTKQQ07vQhvIHjRDc-M58_dZ3xp__hTjrZtqAufnGrYLK-ZaQO5-5VYZglbtDtPbNA6WAUxxBBsI6FMo0y5nM0Z\
+Fo2JV1vnwoQKLERn91IwVUJbtOr1_y2osWWvwxF7iRuClKaV1XJ3Zg_F8bawstSe-gzdKMmv9AYMMrAh2TSbTvOxi5s4bvWX_vjbFN5vINzVLj-o40BT36o-V6LXylxXFOToBBuRN\
+UrHg8bhLGxZR3zVE_0panv1ruebnpWNGCwgpBK0NYornbV-i1RfreFhzWcOyHbE8hmFqMQhsuGvyrbszuxJ9rpryJsKjAxrsPb_SuhzVb-2WFsNynpTciAcGp6xjb_pm2-25u4iB\
+jOfL9PlQcaEcrIxzihb9PGzJFOfBIvteAqCOJx4iiNfutcGxBEcnV1VOLGSp8uJPoWE3n6dROYu5pqO-ztLH-mfU9IjC6K7J5ulRtbZU2_qxVpcNTClRjT5BPWMgVElfvUIkHry-X\
+6CjUUm3dh6B-zH5hTT3NTPOL7EwtebAtkiK509GOvO6pDOuqtn8-Dn92RDlh2fecDJOycjRInyt71SkrI6WhiVylhRNiZvt720Nesg41OqMweWxpgu4TGZflX9fB8sG-RBO0I1hP00\
+Zk_c4t7t4k0-qKtV56zt3LJVE6K-hGBCB_0HtPDRbWUdkKbqkJ51JUda6RnXYBe7tLlVIzcLubd1YrikKeg0JnrFNafXqMoOWmUm2Q11EHuAZUiIJkBejgSEnbgfCjUc9gckQ0vOBP\
+7ERhQJ4scpDCrG4fE5SPKo484qLxZuLhZBAntPdLCfKIav6WUg_Vbd0M7pP1vb53LdsZAsPidk_AB7_3TQdCct4xvK5C6MdHNQArlKzE9oMahQdyDWcYe7YbAu2ROwoz6xU3jKsrzJ\
+v-XI-Svw10eaE-KTlQwi8GaWw168-0Jnv23nSk5jGHh681iK8R0zbCIO2TNGZLe_jnJjiOlM-F3N-li73YEl8p30y2i0BUYTrPZYkwLUhFedlSX0hwR1jQpIoV0njzGeyf-pfySAUH\
+XOhHRA00O3BzPZAXNBDTYCi54d6ng8QtlvG_IrhLbGkVTKJt8S6bfbsdvZvK8VW8_D0zf8uMoWBTAAoOkEz2a3x-UJ120LYq8LwzksuEFPRJ56m-YRLMO39vfMnQZbOxHsjzGsIZPg\
+caMhsYQugCMfU_TIJLc4zQx0DCC5VVnOwumXBz8lV0LHUOx79TXFzYMF0-VhzO0I.P-GdQKruCwb8-iDagtZIqQ
+rs.security.keystore.alias.jwe=AesWrapKey
+rs.security.jwe.content.encryption.algorithm=A128CBC-HS256

http://git-wip-us.apache.org/repos/asf/cxf/blob/f97f694a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties
index eaddbf0..56faf68 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties
@@ -16,5 +16,5 @@
 #    under the License.
 rs.security.keystore.type=jwk
 rs.security.keystore.alias.jwe=AesWrapKey
-rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt
 rs.security.jwe.content.encryption.algorithm=A128CBC-HS256
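Review bot: Repointing `rs.security.keystore.file` at encryptedJwkPrivateSet.txt changes the contract of this shared properties file: every endpoint or client that loads it now needs a password provider, and the file gives no hint of that. Add a comment above the property, e.g. `# PBES2-encrypted JWK set; requires a key password provider on the endpoint`. If nothing else still references certs/jwkPrivateSet.txt, the unencrypted JWK-set path also loses its system-test coverage with this change; keeping the original file and adding a separate properties file for the encrypted set would preserve both. I cannot tell from this hunk whether another configuration still uses the plaintext set.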

