cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: [CXF-5954] Completing the initial PbesHmacAesWrap code
Date Mon, 15 Sep 2014 16:33:40 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes e1885f1a2 -> 103a6aef9


[CXF-5954] Completing the initial PbesHmacAesWrap code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/103a6aef
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/103a6aef
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/103a6aef

Branch: refs/heads/3.0.x-fixes
Commit: 103a6aef91a0760a4bf78e53c94f5624a0af30f4
Parents: e1885f1
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Mon Sep 15 17:30:58 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Mon Sep 15 17:33:13 2014 +0100

----------------------------------------------------------------------
 .../oauth2/jwe/AbstractJweEncryption.java       |  7 +++-
 .../PbesHmacAesWrapKeyEncryptionAlgorithm.java  | 43 +++++++++++---------
 .../oauth2/jwe/WrappedKeyJweDecryption.java     |  4 +-
 .../jwt/AbstractJwtObjectReaderWriter.java      |  2 +-
 .../oauth2/jwe/JweCompactReaderWriterTest.java  | 17 --------
 .../oauth2/jwe/JwePbeHmacAesWrapTest.java       | 26 +++++++++++-
 6 files changed, 55 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
index 885e29d..cd21354 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java
@@ -151,13 +151,16 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
         String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm());
         KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
         keyProps.setCompressionSupported(compressionRequired(theHeaders));
-        byte[] additionalEncryptionParam = getAAD(theHeaders);
-        keyProps.setAdditionalData(additionalEncryptionParam);
         
         byte[] theIv = contentEncryptionAlgo.getInitVector();
         AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv);
         keyProps.setAlgoSpec(specParams);
         byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
+        
+        byte[] additionalEncryptionParam = getAAD(theHeaders);
+        keyProps.setAdditionalData(additionalEncryptionParam);
+        
+        
         JweEncryptionInternal state = new JweEncryptionInternal();
         state.theHeaders = theHeaders;
         state.jweContentEncryptionKey = jweContentEncryptionKey;

http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index 892086e..b5ffa53 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -81,11 +81,9 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor
     
     @Override
     public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
-        int keySize = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
-        byte[] saltInput = createSaltInputValue(keySize);
-        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(createShaDigest());
-        gen.init(password, saltInput, pbesCount);
-        byte[] derivedKey = ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey();
+        int keySize = getKeySize(keyAlgoJwt);
+        byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
+        byte[] derivedKey = createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
         
         headers.setHeader("p2s", Base64UrlUtility.encode(saltInput));
         headers.setHeader("p2c", Integer.valueOf(pbesCount));
@@ -101,46 +99,51 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor
         };
         return aesWrap.getEncryptedContentEncryptionKey(headers, cek);
         
+        
     }
-    
-    private Digest createShaDigest() {
+    static int getKeySize(String keyAlgoJwt) {
+        return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
+    }
+    static byte[] createDerivedKey(String keyAlgoJwt, int keySize,
+                                   byte[] password, byte[] saltInput, int pbesCount) {
+        byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput);
+        Digest digest = null;
         int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt);
         if (macSigSize == 256) { 
-            return new SHA256Digest();
+            digest = new SHA256Digest();
         } else if (macSigSize == 384) {
-            return new SHA384Digest();
+            digest = new SHA384Digest();
         } else {
-            return new SHA512Digest();
+            digest = new SHA512Digest();
         }
-            
-        
+        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
+        gen.init(password, saltValue, pbesCount);
+        return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey();
     }
     
-    private byte[] createSaltInputValue(int keySize) {
+    
+    private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) {
         byte[] algoBytes = stringToBytes(keyAlgoJwt);
-        
-        
-        byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
-        byte[] saltValue = new byte[algoBytes.length + 1 + keySize];
+        byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length];
         System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length);
         saltValue[algoBytes.length] = 0;
         System.arraycopy(saltInput, 0, saltValue, algoBytes.length + 1, saltInput.length);
         return saltValue;
     }
-    private static String validateKeyAlgorithm(String algo) {
+    static String validateKeyAlgorithm(String algo) {
         if (!SUPPORTED_ALGORITHMS.contains(algo)) {
             throw new SecurityException();
         }
         return algo;
     }
-    private static int validatePbesCount(int count) {
+    static int validatePbesCount(int count) {
         if (count < 1000) {
             throw new SecurityException();
         }
         return count;
     }    
     
-    private static byte[] stringToBytes(String str) {
+    static byte[] stringToBytes(String str) {
         try {
             return str.getBytes("UTF-8");
         } catch (UnsupportedEncodingException ex) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
index 45164bf..b36585a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
@@ -41,11 +41,11 @@ public class WrappedKeyJweDecryption extends AbstractJweDecryption {
         this(new WrappedKeyDecryptionAlgorithm(cekDecryptionKey, unwrap),
              props, reader);
     }
-    public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo,
+    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
                                    JweCryptoProperties props, JwtHeadersReader reader) {
   
         this(keyDecryptionAlgo, props, reader, new AesGcmContentDecryptionAlgorithm());
     }
-    public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo,
+    public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
                                    JweCryptoProperties props, JwtHeadersReader reader,
                                    ContentDecryptionAlgorithm cipherProps) {    
         super(props, reader, keyDecryptionAlgo, cipherProps);

http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java
index b525bc2..9d48765 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java
@@ -178,7 +178,7 @@ public class AbstractJwtObjectReaderWriter {
             value = valueStr.substring(1, valueStr.length() - 1);
         } else if ("true".equals(value) || "false".equals(value)) {
             value = Boolean.valueOf(valueStr);
-        }
+        } 
         return value;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index beed021..f59e602 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -205,22 +205,5 @@ public class JweCompactReaderWriterTest extends Assert {
         }
         return key;
     }
-    
-    @Test
-    public void testEncryptDecryptPbesHmacAesWrapA128CBCHS256() throws Exception {
-        final String specPlainText = "Live long and prosper.";
-        JweHeaders headers = new JweHeaders();
-        headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO);
-        headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
-        final String password = "Thus from my lips, by yours, my sin is purged."; 
-        KeyEncryptionAlgorithm keyEncryption = 
-            new PbesHmacAesWrapKeyEncryptionAlgorithm(password,
-                                                      4096,
-                                                      JwtConstants.PBES2_HS256_A128KW_ALGO);
-        JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers, keyEncryption);
-        String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
-        
-        System.out.println(jweContent);
-    }
 }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java
index 9dbd2cf..704f37b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java
@@ -49,8 +49,30 @@ public class JwePbeHmacAesWrapTest extends Assert {
             new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO);
         JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers, keyEncryption);
         String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
-        assertNotNull(jweContent);
-
+        
+        PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+        JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+        String decryptedText = decryption.decrypt(jweContent).getContentText();
+        assertEquals(specPlainText, decryptedText);
+        
+    }
+    @Test
+    public void testEncryptDecryptPbesHmacAesWrapAesGcm() throws Exception {
+        final String specPlainText = "Live long and prosper.";
+        JweHeaders headers = new JweHeaders();
+        headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO);
+        headers.setContentEncryptionAlgorithm(Algorithm.A128GCM.getJwtName());
+        final String password = "Thus from my lips, by yours, my sin is purged."; 
+        KeyEncryptionAlgorithm keyEncryption = 
+            new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO);
+        JweEncryptionProvider encryption = 
+            new WrappedKeyJweEncryption(headers, keyEncryption);
+        String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+        PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+        JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption, null,
null);
+        String decryptedText = decryption.decrypt(jweContent).getContentText();
+        assertEquals(specPlainText, decryptedText);
+        
     }
 }
 


Mime
View raw message