From serg...@apache.org
Subject git commit: [CXF-5944] Updating JAXRS filters to support the direct key encryption
Date Fri, 26 Sep 2014 14:49:34 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes d88bdb585 -> 3a343848f


[CXF-5944] Updating JAXRS filters to support the direct key encryption


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3a343848
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3a343848
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3a343848

Branch: refs/heads/3.0.x-fixes
Commit: 3a343848f555e55efbae517d469f6123a27a1559
Parents: d88bdb5
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Sep 26 15:48:23 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Sep 26 15:49:13 2014 +0100

----------------------------------------------------------------------
 .../jose/jaxrs/AbstractJweDecryptingFilter.java | 37 +++++++++++++-------
 .../jose/jaxrs/JweWriterInterceptor.java        | 33 ++++++++++++-----
 .../jose/jwe/ContentDecryptionAlgorithm.java    |  2 +-
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 10 ++++++
 4 files changed, 60 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/3a343848/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
index 635919e..65deb0b 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -23,6 +23,8 @@ import java.io.InputStream;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Properties;
 
+import javax.crypto.SecretKey;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -32,6 +34,7 @@ import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
 import org.apache.cxf.rs.security.jose.jwe.AesGcmContentDecryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweDecryption;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
@@ -77,27 +80,35 @@ public class AbstractJweDecryptingFilter {
         try {
             KeyDecryptionAlgorithm keyDecryptionProvider = null;
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
+            String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+            SecretKey ctDecryptionKey = null;
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
-                keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk,
-                                                                           getKeyEncryptionAlgo(props,

-                                                                                        
       jwk.getAlgorithm()));
+                String keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+                if ("direct".equals(keyEncryptionAlgo)) {
+                    contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo);
+                    ctDecryptionKey = JweUtils.getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
+                } else {
+                    keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo);
+                }
             } else {
                 keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
                     (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
             }
-            if (keyDecryptionProvider == null) {
+            if (keyDecryptionProvider == null && ctDecryptionKey == null) {
                 throw new SecurityException();
             }
-            String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
-            boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
-            if (isAesHmac) { 
-                return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentEncryptionAlgo);
+            if (keyDecryptionProvider != null) {
+                if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) { 
+                    return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentEncryptionAlgo);
+                } else {
+                    return new WrappedKeyJweDecryption(keyDecryptionProvider, 
+                                                       new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
+                }
             } else {
-                return new WrappedKeyJweDecryption(keyDecryptionProvider, 
-                                                   new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
+                return new DirectKeyJweDecryption(ctDecryptionKey, 
+                                                  new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
             }
-            
         } catch (SecurityException ex) {
             throw ex;
         } catch (Exception ex) {
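Review bot: On the direct branch, `contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo);` is a no-op: the argument is already the value of JSON_WEB_ENCRYPTION_CEK_ALGO_PROP read a few lines above, and the helper only falls back to that same property when handed null. The key's own `alg` is therefore never consulted here, whereas JweUtils.getContentDecryptionSecretKey prefers `jwk.getAlgorithm()` over the default when deciding whether to accept the key, so the AesGcmContentDecryptionAlgorithm built at the end can be constructed for a different algorithm than the one the key was validated against. The JweWriterInterceptor hunk passes the key's algorithm instead; mirroring that with `contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm());` keeps both sides consistent. The enclosing method starts before this hunk and its catch block continues past it.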
@@ -109,7 +120,9 @@ public class AbstractJweDecryptingFilter {
     private String getKeyEncryptionAlgo(Properties props, String algo) {
         return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
     }
-
+    private String getContentEncryptionAlgo(Properties props, String algo) {
+        return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
+    }
     public String getDefaultMediaType() {
         return defaultMediaType;
     }
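Review bot: The removed blank line leaves `getKeyEncryptionAlgo` and the new `getContentEncryptionAlgo` with no separation, and the identical helper is added in JweWriterInterceptor in the same way; neither copy is documented. Restore the blank line and give each a one-line Javadoc such as `/** Returns {@code algo}, or the JSON_WEB_ENCRYPTION_CEK_ALGO_PROP property when {@code algo} is null. */`. If the two filters already share the property constants (both use the same unqualified names), the helper could live beside them instead of being duplicated, though that shared location is outside this diff.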

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a343848/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 496ede0..c9fd343 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -44,6 +44,8 @@ import org.apache.cxf.rs.security.jose.JoseHeadersWriter;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.ContentEncryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState;
@@ -133,34 +135,44 @@ public class JweWriterInterceptor implements WriterInterceptor {
             KeyEncryptionAlgorithm keyEncryptionProvider = null;
             String keyEncryptionAlgo = null;
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
+            String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+            ContentEncryptionAlgorithm ctEncryptionProvider = null;
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
                 keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
-                keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
+                if ("direct".equals(keyEncryptionAlgo)) {
+                    contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm());
+                    ctEncryptionProvider = JweUtils.getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo);
+                } else {
+                    keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
+                }
                 
             } else {
                 keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
                     (RSAPublicKey)CryptoUtils.loadPublicKey(m, props), 
                     getKeyEncryptionAlgo(props, keyEncryptionAlgo));
             }
-            if (keyEncryptionProvider == null) {
+            if (keyEncryptionProvider == null && ctEncryptionProvider == null) {
                 throw new SecurityException();
             }
             
-            String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+            
             JweHeaders headers = new JweHeaders(getKeyEncryptionAlgo(props, keyEncryptionAlgo),

                                                 contentEncryptionAlgo);
             String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP);
             if (compression != null) {
                 headers.setZipAlgorithm(compression);
             }
-            boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
-            if (isAesHmac) { 
-                return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider);
+            if (keyEncryptionProvider != null) {
+                if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) { 
+                    return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider);
+                } else {
+                    return new WrappedKeyJweEncryption(headers, 
+                                                       keyEncryptionProvider,
+                                                       new AesGcmContentEncryptionAlgorithm(contentEncryptionAlgo));
+                }
             } else {
-                return new WrappedKeyJweEncryption(headers, 
-                                                   keyEncryptionProvider,
-                                                   new AesGcmContentEncryptionAlgorithm(contentEncryptionAlgo));
+                return new DirectKeyJweEncryption(ctEncryptionProvider);
             }
         } catch (SecurityException ex) {
             throw ex;
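Review bot: The `headers` built from the key and content algorithms, including the zip algorithm set from JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP, reach only WrappedKeyJweEncryption; the new `return new DirectKeyJweEncryption(ctEncryptionProvider);` drops them, so unless DirectKeyJweEncryption rebuilds its headers internally (not visible here) a configured compression setting is silently ignored on the direct path, as it already is on the AesCbcHmacJweEncryption path. If the provider can take headers, pass them; otherwise either reject `compression != null` on this path or note the limitation in a comment next to the return. The `"direct"` literal is also compared in AbstractJweDecryptingFilter; a shared constant would keep the two checks from drifting apart. The enclosing method starts before this hunk.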
@@ -171,6 +183,9 @@ public class JweWriterInterceptor implements WriterInterceptor {
     private String getKeyEncryptionAlgo(Properties props, String algo) {
         return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
     }
+    private String getContentEncryptionAlgo(Properties props, String algo) {
+        return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
+    }
     public void setUseJweOutputStream(boolean useJweOutputStream) {
         this.useJweOutputStream = useJweOutputStream;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a343848/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
index ccba40b..ccf7ce7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java
@@ -19,6 +19,6 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 
-interface ContentDecryptionAlgorithm extends ContentEncryptionCipherProperties {
+public interface ContentDecryptionAlgorithm extends ContentEncryptionCipherProperties {
     byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag);
 }
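Review bot: Making `ContentDecryptionAlgorithm` public turns it into API that other packages can implement and that the JAX-RS filters now depend on, yet the interface still carries no Javadoc. Add a type comment and document `getEncryptedSequence`, stating what `cipher` and `authTag` are expected to hold and how the returned bytes relate to them; with `byte[]` in and `byte[]` out, the signature alone does not tell an implementer what the contract is.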

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a343848/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index e7e1289..483ff52 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -84,4 +84,14 @@ public final class JweUtils {
         }
         return contentEncryptionProvider;
     }
+    public static SecretKey getContentDecryptionSecretKey(JsonWebKey jwk) {
+        return getContentDecryptionSecretKey(jwk, null);
+    }
+    public static SecretKey getContentDecryptionSecretKey(JsonWebKey jwk, String defaultAlgorithm)
{
+        String ctEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
+        if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) && Algorithm.isAesGcm(ctEncryptionAlgo))
{
+            return JwkUtils.toSecretKey(jwk);
+        }
+        return null;
+    }
 }

