Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BE85011EBA for ; Wed, 17 Sep 2014 17:20:05 +0000 (UTC) Received: (qmail 42084 invoked by uid 500); 17 Sep 2014 17:20:05 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 42020 invoked by uid 500); 17 Sep 2014 17:20:05 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 42010 invoked by uid 99); 17 Sep 2014 17:20:05 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 17 Sep 2014 17:20:05 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 3D767A18DD6; Wed, 17 Sep 2014 17:20:05 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: sergeyb@apache.org To: commits@cxf.apache.org Date: Wed, 17 Sep 2014 17:20:05 -0000 Message-Id: <7a8206d087824673b865bdb1db06725c@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [2/9] [CXF-5944] Changing packages and the module name based on the feedback from Luigi Lo Iacono
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/Constants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/Constants.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/Constants.java
deleted file mode 100644
index c7630b2..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/Constants.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.grant;
-
-public final class Constants {
- public static final String JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
- public static final String CLIENT_GRANT_ASSERTION_PARAM = "assertion";
-
- public static final String CLIENT_AUTH_ASSERTION_PARAM = "client_assertion";
- public static final String CLIENT_AUTH_ASSERTION_TYPE = "client_assertion_type";
- public static final String CLIENT_AUTH_JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
-
-
- private Constants() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerClientCredentialsGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerClientCredentialsGrant.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerClientCredentialsGrant.java
deleted file mode 100644
index de6b0a4..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerClientCredentialsGrant.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.grant;
-
-import javax.ws.rs.core.MultivaluedMap;
-
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-
-public class JwtBearerClientCredentialsGrant extends AbstractJwtBearerGrant {
-
- private static final long serialVersionUID = 4801583498206813025L;
-
- public JwtBearerClientCredentialsGrant(String assertion, boolean encoded, String scope) {
- super(OAuthConstants.CLIENT_CREDENTIALS_GRANT, assertion, encoded, scope);
- }
-
- public MultivaluedMap toMap() {
- MultivaluedMap map = initMap();
- map.putSingle(Constants.CLIENT_AUTH_ASSERTION_TYPE, Constants.CLIENT_AUTH_JWT_BEARER);
- map.putSingle(Constants.CLIENT_AUTH_ASSERTION_PARAM, encodeAssertion());
- addScope(map);
- return map;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrant.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrant.java
deleted file mode 100644
index 798e247..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrant.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.grant;
-
-import javax.ws.rs.core.MultivaluedMap;
-
-public class JwtBearerGrant extends AbstractJwtBearerGrant {
- private static final long serialVersionUID = -7296527609343431294L;
-
- public JwtBearerGrant(String assertion) {
- this(assertion, false);
- }
-
- public JwtBearerGrant(String assertion, boolean encoded) {
- this(assertion, false, null);
- }
-
- public JwtBearerGrant(String assertion, String scope) {
- this(assertion, false, scope);
- }
-
- public JwtBearerGrant(String assertion, boolean encoded, String scope) {
- super(Constants.JWT_BEARER_GRANT, assertion, encoded, scope);
- }
-
- public MultivaluedMap toMap() {
- MultivaluedMap map = initMap();
- map.putSingle(Constants.CLIENT_GRANT_ASSERTION_PARAM, encodeAssertion());
- addScope(map);
- return map;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrantHandler.java
deleted file mode 100644
index 69c9848..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtBearerGrantHandler.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.grant;
-
-import java.util.Arrays;
-
-import javax.ws.rs.core.MultivaluedMap;
-
-import org.apache.cxf.jaxrs.utils.HttpUtils;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReader;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
-
-/**
- * The "JWT Bearer" grant handler
- */
-public class JwtBearerGrantHandler extends AbstractJwtHandler {
- private static final String ENCODED_JWT_BEARER_GRANT;
- static {
- // AccessTokenService may be configured with the form provider
- // which will not decode by default - so listing both the actual
- // and encoded grant type value will help
- ENCODED_JWT_BEARER_GRANT = HttpUtils.urlEncode(Constants.JWT_BEARER_GRANT, "UTF-8");
- }
- private JwtTokenReader jwtReader;
- public JwtBearerGrantHandler() {
- super(Arrays.asList(Constants.JWT_BEARER_GRANT, ENCODED_JWT_BEARER_GRANT));
- }
-
- @Override
- public ServerAccessToken createAccessToken(Client client, MultivaluedMap params)
- throws OAuthServiceException {
- String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
- if (assertion == null) {
- throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
- }
- try {
- JwsJwtCompactConsumer jwsReader = getJwsReader(assertion);
- JwtToken jwtToken = jwsReader.getJwtToken();
- super.validateSignature(jwtToken.getHeaders(),
- jwsReader.getUnsignedEncodedPayload(),
- jwsReader.getDecodedSignature());
-
-
- super.validateClaims(client, jwtToken.getClaims());
- UserSubject grantSubject = new UserSubject(jwtToken.getClaims().getSubject());
-
- return doCreateAccessToken(client,
- grantSubject,
- Constants.JWT_BEARER_GRANT,
- OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
- } catch (OAuthServiceException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
- }
-
- }
-
- protected JwsJwtCompactConsumer getJwsReader(String assertion) {
- return new JwsJwtCompactConsumer(assertion, jwtReader);
- }
-
- public void setJwtReader(JwtTokenReader tokenReader) {
- this.jwtReader = tokenReader;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtUserSubject.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtUserSubject.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtUserSubject.java
deleted file mode 100644
index fae1140..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/grant/JwtUserSubject.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.grant;
-
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
-
-public class JwtUserSubject extends UserSubject {
- private static final long serialVersionUID = -1135272749329239037L;
- private JwtToken token;
- public JwtUserSubject(String user, JwtToken token) {
- super(user);
- this.token = token;
- }
- public JwtToken getToken() {
- return token;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
deleted file mode 100644
index e3356a7..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.interfaces.RSAPrivateKey;
-import java.util.Properties;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweDecryption;
-import org.apache.cxf.rs.security.oauth2.jwe.AesGcmWrapKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.AesWrapKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.JweCryptoProperties;
-import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput;
-import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.oauth2.jwe.JweHeaders;
-import org.apache.cxf.rs.security.oauth2.jwe.RSAOaepKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.WrappedKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.WrappedKeyJweDecryption;
-import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AbstractJweDecryptingFilter {
- private static final String RSSEC_ENCRYPTION_IN_PROPS = "rs.security.encryption.in.properties";
- private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
- private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
- private JweDecryptionProvider decryption;
- private JweCryptoProperties cryptoProperties;
- private String defaultMediaType;
- protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
- JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider();
- JweDecryptionOutput out = theDecryptor.decrypt(new String(IOUtils.readBytesFromStream(is), "UTF-8"));
- validateHeaders(out.getHeaders());
- return out;
- }
-
- protected void validateHeaders(JweHeaders headers) {
- // complete
- }
- public void setDecryptionProvider(JweDecryptionProvider decryptor) {
- this.decryption = decryptor;
- }
- protected JweDecryptionProvider getInitializedDecryptionProvider() {
- if (decryption != null) {
- return decryption;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- WrappedKeyDecryptionAlgorithm keyDecryptionProvider = null;
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- //TODO: Private JWK sets can be JWE encrypted
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(jwk.toRSAPrivateKey());
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
- SecretKey key = jwk.toSecretKey();
- if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) {
- keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
- } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) {
- keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
- }
- } else {
- // TODO: support elliptic curve keys
- }
- } else {
- keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
- (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
- }
- if (keyDecryptionProvider == null) {
- throw new SecurityException();
- }
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
- boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
- if (isAesHmac) {
- return new AesCbcHmacJweDecryption(keyDecryptionProvider);
- } else {
- return new WrappedKeyJweDecryption(keyDecryptionProvider, cryptoProperties, null);
- }
-
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
-
- }
-
- public void setCryptoProperties(JweCryptoProperties cryptoProperties) {
- this.cryptoProperties = cryptoProperties;
- }
-
- public String getDefaultMediaType() {
- return defaultMediaType;
- }
-
- public void setDefaultMediaType(String defaultMediaType) {
- this.defaultMediaType = defaultMediaType;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
deleted file mode 100644
index 27f0f4e..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.security.interfaces.RSAPublicKey;
-import java.util.Properties;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.jws.HmacJwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProperties;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.jws.PublicKeyJwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AbstractJwsReaderProvider {
- private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
- private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
-
- private JwsSignatureVerifier sigVerifier;
- private JwsSignatureProperties sigProperties;
- private String defaultMediaType;
-
- public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
- this.sigVerifier = signatureVerifier;
- }
-
- public void setSignatureProperties(JwsSignatureProperties signatureProperties) {
- this.sigProperties = signatureProperties;
- }
-
- public JwsSignatureProperties getSigProperties() {
- return sigProperties;
- }
-
- protected JwsSignatureVerifier getInitializedSigVerifier() {
- if (sigVerifier != null) {
- return sigVerifier;
- }
-
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- JwsSignatureVerifier theVerifier = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toRSAPublicKey());
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())
- && Algorithm.isHmacSign(jwk.getAlgorithm())) {
- theVerifier =
- new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
- } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
- theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toECPublicKey());
- }
-
- } else {
- theVerifier = new PublicKeyJwsSignatureVerifier(
- (RSAPublicKey)CryptoUtils.loadPublicKey(m, props));
- }
- return theVerifier;
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
-
- public String getDefaultMediaType() {
- return defaultMediaType;
- }
-
- public void setDefaultMediaType(String defaultMediaType) {
- this.defaultMediaType = defaultMediaType;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
deleted file mode 100644
index 2c89957..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.interfaces.RSAPrivateKey;
-import java.util.Properties;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.jws.EcDsaJwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jws.HmacJwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jws.JwsCompactProducer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jws.PrivateKeyJwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AbstractJwsWriterProvider {
- private static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
- private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
- private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
-
- private JwsSignatureProvider sigProvider;
-
- public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
- this.sigProvider = signatureProvider;
- }
-
- protected JwsSignatureProvider getInitializedSigProvider(JwtHeaders headers) {
- if (sigProvider != null) {
- return sigProvider;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- try {
- Properties props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
- JwsSignatureProvider theSigProvider = null;
- String rsaSignatureAlgo = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- //TODO: Private JWK sets can be JWE encrypted
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
- rsaSignatureAlgo = jwk.getAlgorithm();
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- theSigProvider = new PrivateKeyJwsSignatureProvider(jwk.toRSAPrivateKey());
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())
- && Algorithm.isHmacSign(rsaSignatureAlgo)) {
- theSigProvider =
- new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
- } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
- theSigProvider = new EcDsaJwsSignatureProvider(jwk.toECPrivateKey());
- }
- } else {
- RSAPrivateKey pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props,
- CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
- theSigProvider = new PrivateKeyJwsSignatureProvider(pk);
- }
- if (rsaSignatureAlgo == null) {
- rsaSignatureAlgo = props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP);
- }
- headers.setAlgorithm(rsaSignatureAlgo);
- if (theSigProvider == null) {
- throw new SecurityException();
- }
- return theSigProvider;
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- protected void writeJws(JwsCompactProducer p, JwsSignatureProvider theSigProvider, OutputStream os)
- throws IOException {
- p.signWith(theSigProvider);
- IOUtils.copy(new ByteArrayInputStream(p.getSignedEncodedJws().getBytes("UTF-8")), os);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java
deleted file mode 100644
index 53b9890..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientResponseContext;
-import javax.ws.rs.client.ClientResponseFilter;
-
-import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils;
-
-@Priority(Priorities.JWE_CLIENT_READ_PRIORITY)
-public class JweClientResponseFilter extends AbstractJweDecryptingFilter implements ClientResponseFilter {
- @Override
- public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
- JweDecryptionOutput out = decrypt(res.getEntityStream());
- byte[] bytes = out.getContent();
- res.setEntityStream(new ByteArrayInputStream(bytes));
- res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JwtUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- res.getHeaders().putSingle("Content-Type", ct);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java
deleted file mode 100644
index e12a251..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
-
-import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils;
-
-@PreMatching
-@Priority(Priorities.JWE_SERVER_READ_PRIORITY)
-public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext context) throws IOException {
- JweDecryptionOutput out = decrypt(context.getEntityStream());
- byte[] bytes = out.getContent();
- context.setEntityStream(new ByteArrayInputStream(bytes));
- context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JwtUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- context.getHeaders().putSingle("Content-Type", ct);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
deleted file mode 100644
index e37f68c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Properties;
-import java.util.zip.DeflaterOutputStream;
-
-import javax.annotation.Priority;
-import javax.crypto.SecretKey;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweEncryption;
-import org.apache.cxf.rs.security.oauth2.jwe.AesGcmWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.AesWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.JweCompactProducer;
-import
org.apache.cxf.rs.security.oauth2.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.oauth2.jwe.JweEncryptionState;
-import org.apache.cxf.rs.security.oauth2.jwe.JweHeaders;
-import org.apache.cxf.rs.security.oauth2.jwe.JweOutputStream;
-import org.apache.cxf.rs.security.oauth2.jwe.KeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.RSAOaepKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.WrappedKeyJweEncryption;
-import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-@Priority(Priorities.JWE_WRITE_PRIORITY)
-public class JweWriterInterceptor implements WriterInterceptor {
- private static final String RSSEC_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
- private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
- private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
- private JweEncryptionProvider encryptionProvider;
- private boolean contentTypeRequired = true;
- private boolean useJweOutputStream;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
-
- //ctx.setMediaType(JAXRSUtils.toMediaType(JwtConstants.MEDIA_TYPE_JOSE_JSON));
-
- OutputStream actualOs = ctx.getOutputStream();
-
- JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
-
- String ctString = null;
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null) {
- if ("application".equals(mt.getType())) {
- ctString = mt.getSubtype();
- } else {
- ctString = JAXRSUtils.mediaTypeToString(mt);
- }
- }
- }
-
-
- if (useJweOutputStream) {
- JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(ctString);
- try {
- JweCompactProducer.startJweContent(actualOs,
- encryption.getHeaders(),
- writer,
- encryption.getContentEncryptionKey(),
- encryption.getIv());
- } catch (IOException ex) {
- throw new SecurityException(ex);
- }
- OutputStream jweStream = new JweOutputStream(actualOs, encryption.getCipher(),
- encryption.getAuthTagProducer());
- if (encryption.isCompressionSupported()) {
- jweStream = new DeflaterOutputStream(jweStream);
- }
-
- ctx.setOutputStream(jweStream);
- ctx.proceed();
- jweStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- String jweContent = theEncryptionProvider.encrypt(cos.getBytes(), ctString);
- IOUtils.copy(new ByteArrayInputStream(jweContent.getBytes("UTF-8")), actualOs);
- actualOs.flush();
- }
- }
-
- protected JweEncryptionProvider getInitializedEncryptionProvider() {
- if (encryptionProvider != null) {
- return encryptionProvider;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- KeyEncryptionAlgorithm keyEncryptionProvider = null;
- String keyEncryptionAlgo = null;
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- keyEncryptionAlgo = jwk.getAlgorithm();
- // TODO: Put it into
some factory code
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(jwk.toRSAPublicKey(),
- getKeyEncryptionAlgo(props, keyEncryptionAlgo));
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
- SecretKey key = jwk.toSecretKey();
- if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) {
- keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
- } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) {
- keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
- }
- } else {
- // TODO: support elliptic curve keys
- }
-
- } else {
- keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
- (RSAPublicKey)CryptoUtils.loadPublicKey(m, props),
- getKeyEncryptionAlgo(props, keyEncryptionAlgo));
- }
- if (keyEncryptionProvider == null) {
- throw new SecurityException();
- }
-
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
- JweHeaders headers = new JweHeaders(getKeyEncryptionAlgo(props, keyEncryptionAlgo),
- contentEncryptionAlgo);
- String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP);
- if (compression != null) {
- headers.setZipAlgorithm(compression);
- }
- boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
- if (isAesHmac) {
- return new AesCbcHmacJweEncryption(
- keyEncryptionAlgo, contentEncryptionAlgo, keyEncryptionProvider);
- } else {
- return new WrappedKeyJweEncryption(headers, keyEncryptionProvider);
- }
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- private String getKeyEncryptionAlgo(Properties props, String algo) {
- return algo == null ?
props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
- }
- public void setUseJweOutputStream(boolean useJweOutputStream) {
- this.useJweOutputStream = useJweOutputStream;
- }
-
- public void setWriter(JwtHeadersWriter writer) {
- this.writer = writer;
- }
-
- public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
- this.encryptionProvider = encryptionProvider;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java
deleted file mode 100644
index e5a872e..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientResponseContext;
-import javax.ws.rs.client.ClientResponseFilter;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.oauth2.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils;
-
-@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
-public class JwsClientResponseFilter extends AbstractJwsReaderProvider implements ClientResponseFilter {
- @Override
- public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- byte[] bytes = p.getDecodedJwsPayloadBytes();
- res.setEntityStream(new ByteArrayInputStream(bytes));
-
res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- res.getHeaders().putSingle("Content-Type", ct);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java
deleted file mode 100644
index d431cc1..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.oauth2.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils;
-
-@PreMatching
-@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
-public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext context) throws IOException {
-
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- byte[] bytes = p.getDecodedJwsPayloadBytes();
- context.setEntityStream(new ByteArrayInputStream(bytes));
-
context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
-
- String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- context.getHeaders().putSingle("Content-Type", ct);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyReader.java
deleted file mode 100644
index 2d3a144..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyReader.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyReader;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.oauth2.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
-
-public class JwsJwtMessageBodyReader extends AbstractJwsReaderProvider
- implements MessageBodyReader {
-
- @Override
- public boolean isReadable(Class cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public JwtToken readFrom(Class cls, Type t, Annotation[] anns, MediaType mt,
- MultivaluedMap headers, InputStream is) throws IOException,
- WebApplicationException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsJwtCompactConsumer p = new
JwsJwtCompactConsumer(IOUtils.readStringFromStream(is),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- return p.getJwtToken();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyWriter.java
deleted file mode 100644
index 595b83c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsJwtMessageBodyWriter.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyWriter;
-
-import org.apache.cxf.rs.security.oauth2.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtToken;
-
-public class JwsJwtMessageBodyWriter extends AbstractJwsWriterProvider
- implements MessageBodyWriter {
-
- @Override
- public long getSize(JwtToken token, Class cls, Type type, Annotation[] anns, MediaType mt) {
- return -1;
- }
-
- @Override
- public boolean isWriteable(Class cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public void writeTo(JwtToken token, Class cls, Type type, Annotation[] anns, MediaType mt,
- MultivaluedMap
headers, OutputStream os) throws IOException,
- WebApplicationException {
- JwsJwtCompactProducer p = new JwsJwtCompactProducer(token);
- JwtHeaders jwtHeaders = new JwtHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(jwtHeaders);
- jwtHeaders.setContentType(JwtConstants.TYPE_JWT);
- writeJws(p, sigProvider, os);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java
deleted file mode 100644
index fdbf56b..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-import javax.annotation.Priority;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.rs.security.oauth2.jws.JwsCompactProducer;
-import org.apache.cxf.rs.security.oauth2.jws.JwsOutputStream;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignature;
-import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlOutputStream;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-@Priority(Priorities.JWS_WRITE_PRIORITY)
-public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor {
- private
boolean contentTypeRequired = true;
- private boolean useJwsOutputStream;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
- //ctx.setMediaType(JAXRSUtils.toMediaType(JwtConstants.MEDIA_TYPE_JOSE_JSON));
- JwtHeaders headers = new JwtHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
- setContentTypeIfNeeded(headers, ctx);
-
- OutputStream actualOs = ctx.getOutputStream();
- if (useJwsOutputStream) {
- JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
- JwsOutputStream jwsStream = new JwsOutputStream(actualOs, jwsSignature);
- byte[] headerBytes = writer.headersToJson(headers).getBytes("UTF-8");
- Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
- jwsStream.write(new byte[]{'.'});
-
- Base64UrlOutputStream base64Stream = new Base64UrlOutputStream(jwsStream);
- ctx.setOutputStream(base64Stream);
- ctx.proceed();
- base64Stream.flush();
- jwsStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- JwsCompactProducer p = new JwsCompactProducer(headers, new String(cos.getBytes(), "UTF-8"));
- writeJws(p, sigProvider, actualOs);
- }
- }
-
- public void setContentTypeRequired(boolean contentTypeRequired) {
- this.contentTypeRequired = contentTypeRequired;
- }
-
- public void setUseJwsOutputStream(boolean useJwsOutputStream) {
- this.useJwsOutputStream = useJwsOutputStream;
- }
- public void setWriter(JwtHeadersWriter writer) {
- this.writer = writer;
- }
- private void setContentTypeIfNeeded(JwtHeaders headers, WriterInterceptorContext ctx) {
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null) {
- if ("application".equals(mt.getType())) {
- headers.setContentType(mt.getSubtype());
- } else {
- headers.setContentType(JAXRSUtils.mediaTypeToString(mt));
- }
- }
-
}
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/Priorities.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/Priorities.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/Priorities.java
deleted file mode 100644
index 42b2523..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/Priorities.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
-
-public final class Priorities {
- public static final int JWE_SERVER_READ_PRIORITY = 1000;
- public static final int JWE_WRITE_PRIORITY = 1000;
- public static final int JWE_CLIENT_READ_PRIORITY = 1001;
- public static final int JWS_SERVER_READ_PRIORITY = 1001;
- public static final int JWS_WRITE_PRIORITY = 1001;
- public static final int JWS_CLIENT_READ_PRIORITY = 1000;
- private Priorities() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
new file mode 100644
index 0000000..554e5db
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java
@@ -0,0 +1,210 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.Security;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactReaderWriterTest;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class JweCompactReaderWriterTest extends Assert {
+ // A1 example
+ private static final byte[] CONTENT_ENCRYPTION_KEY_A1 = {
+ (byte)177, (byte)161, (byte)244, (byte)128, 84, (byte)143, (byte)225,
+ 115, 63, (byte)180, 3, (byte)255, 107, (byte)154, (byte)212, (byte)246,
+ (byte)138, 7, 110, 91, 112, 46, 34, 105, 47,
+ (byte)130, (byte)203, 46, 122, (byte)234, 64, (byte)252};
+ private static final String RSA_MODULUS_ENCODED_A1 = "oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW" +
+ "cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S" +
+ "psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a" +
+ "sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS" +
+ "tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj" +
+ "YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw";
+ private static final String RSA_PUBLIC_EXPONENT_ENCODED_A1 = "AQAB";
+ private static final String RSA_PRIVATE_EXPONENT_ENCODED_A1 =
+ "kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N" +
+ "WV5KntaEeXS1j82E375xxhWMHXyvjYecPT9fpwR_M9gV8n9Hrh2anTpTD9" +
+ "3Dt62ypW3yDsJzBnTnrYu1iwWRgBKrEYY46qAZIrA2xAwnm2X7uGR1hghk" +
+ "qDp0Vqj3kbSCz1XyfCs6_LehBwtxHIyh8Ripy40p24moOAbgxVw3rxT_vl" +
+ "t3UVe4WO3JkJOzlpUf-KTVI2Ptgm-dARxTEtE-id-4OJr0h-K-VFs3VSnd" +
+ "VTIznSxfyrj8ILL6MG_Uv8YAu7VILSB3lOW085-4qE3DzgrTjgyQ";
+
+ private static final byte[] INIT_VECTOR_A1 = {(byte)227, (byte)197, 117, (byte)252, 2, (byte)219,
+ (byte)233, 68, (byte)180, (byte)225, 77, (byte)219};
+
+ // A3 example
+ private static final byte[] CONTENT_ENCRYPTION_KEY_A3 = {
+ 4, (byte)211, 31, (byte)197, 84, (byte)157, (byte)252, (byte)254, 11, 100,
+ (byte)157, (byte)250, 63, (byte)170, 106, (byte)206, 107, 124, (byte)212,
+ 45, 111, 107, 9, (byte)219, (byte)200, (byte)177, 0, (byte)240, (byte)143,
+ (byte)156, 44, (byte)207};
+ private static final byte[] INIT_VECTOR_A3 = {
+ 3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101};
+ private static final String KEY_ENCRYPTION_KEY_A3 = "GawgguFyGrWKav7AX4VKUg";
+ private static final String JWE_OUTPUT_A3 =
+ "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0" +
+ ".6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ" +
+ ".AxY8DCtDaGlsbGljb3RoZQ" +
+ ".KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY" +
+ ".U0m_YmjN04DJvceFICbCVQ";
+
+ @BeforeClass
+ public static void registerBouncyCastleIfNeeded() throws Exception {
+ try {
+ // Java 8 apparently has it
+ Cipher.getInstance(Algorithm.AES_GCM_ALGO_JAVA);
+ } catch (Throwable t) {
+ // Oracle Java 7
+ Security.addProvider(new BouncyCastleProvider());
+ }
+ }
+ @AfterClass
+ public static void unregisterBouncyCastleIfNeeded() throws Exception {
+ Security.removeProvider(BouncyCastleProvider.class.getName());
+ }
+
+ @Test
+ public void testEncryptDecryptAesWrapA128CBCHS256() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(Algorithm.A128KW.getJwtName());
+ headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
+
+ byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+
+ AesWrapKeyEncryptionAlgorithm keyEncryption =
+ new AesWrapKeyEncryptionAlgorithm(cekEncryptionKey, Algorithm.A128KW.getJwtName());
+ JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers,
+ CONTENT_ENCRYPTION_KEY_A3,
+ INIT_VECTOR_A3,
+ keyEncryption);
+ String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+ assertEquals(JWE_OUTPUT_A3, jweContent);
+
+ AesWrapKeyDecryptionAlgorithm keyDecryption = new AesWrapKeyDecryptionAlgorithm(cekEncryptionKey);
+ JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+ String decryptedText = decryption.decrypt(jweContent).getContentText();
+ assertEquals(specPlainText, decryptedText);
+ }
+ @Test
+ public void testEncryptDecryptAesGcmWrapA128CBCHS256() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(JwtConstants.A128GCMKW_ALGO);
+ headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
+
+ byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+
+ AesGcmWrapKeyEncryptionAlgorithm keyEncryption =
+ new AesGcmWrapKeyEncryptionAlgorithm(cekEncryptionKey, JwtConstants.A128GCMKW_ALGO);
+ JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers,
+ CONTENT_ENCRYPTION_KEY_A3,
+ INIT_VECTOR_A3,
+ keyEncryption);
+ String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+
+ AesGcmWrapKeyDecryptionAlgorithm keyDecryption = new AesGcmWrapKeyDecryptionAlgorithm(cekEncryptionKey);
+ JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+ String decryptedText = decryption.decrypt(jweContent).getContentText();
+ assertEquals(specPlainText, decryptedText);
+ }
+
+ @Test
+ public void testEncryptDecryptSpecExample() throws Exception {
+ final String specPlainText = "The true sign of intelligence is not knowledge but imagination.";
+ String jweContent = encryptContent(specPlainText, true);
+
+ decrypt(jweContent, specPlainText, true);
+ }
+
+ @Test
+ public void testDirectKeyEncryptDecrypt() throws Exception {
+ final String specPlainText = "The true sign of intelligence is not knowledge but imagination.";
+ SecretKey key = createSecretKey(true);
+ String jweContent = encryptContentDirect(key, specPlainText);
+
+ decryptDirect(key, jweContent, specPlainText);
+ }
+
+ @Test
+ public void testEncryptDecryptJwsToken() throws Exception {
+ String jweContent = encryptContent(JwsCompactReaderWriterTest.ENCODED_TOKEN_SIGNED_BY_MAC, false);
+ decrypt(jweContent, JwsCompactReaderWriterTest.ENCODED_TOKEN_SIGNED_BY_MAC, false);
+ }
+
+ private String encryptContent(String content, boolean createIfException) throws Exception {
+ RSAPublicKey publicKey = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED_A1,
+ RSA_PUBLIC_EXPONENT_ENCODED_A1);
+ SecretKey key = createSecretKey(createIfException);
+ String jwtKeyName = null;
+ if (key == null) {
+ // the encryptor will generate it
+ jwtKeyName = Algorithm.A128GCM.getJwtName();
+ } else {
+ jwtKeyName = Algorithm.toJwtName(key.getAlgorithm(), key.getEncoded().length * 8);
+ }
+ JweEncryptionProvider encryptor = new WrappedKeyJweEncryption(
+ new JweHeaders(Algorithm.RSA_OAEP.getJwtName(), jwtKeyName),
+ key == null ? null : key.getEncoded(),
+ INIT_VECTOR_A1,
+ new RSAOaepKeyEncryptionAlgorithm(publicKey,
+ Algorithm.RSA_OAEP.getJwtName()));
+ return encryptor.encrypt(content.getBytes("UTF-8"), null);
+ }
+ private String encryptContentDirect(SecretKey key, String content) throws Exception {
+ DirectKeyJweEncryption encryptor = new DirectKeyJweEncryption(key, INIT_VECTOR_A1);
+ return encryptor.encrypt(content.getBytes("UTF-8"), null);
+ }
+ private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception {
+ RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1,
+ RSA_PRIVATE_EXPONENT_ENCODED_A1);
+ JweDecryptionProvider decryptor = new WrappedKeyJweDecryption(new RSAOaepKeyDecryptionAlgorithm(privateKey));
+ String decryptedText = decryptor.decrypt(jweContent).getContentText();
+ assertEquals(decryptedText, plainContent);
+ }
+ private void decryptDirect(SecretKey key, String jweContent, String plainContent) throws Exception {
+ DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key);
+ String decryptedText = decryptor.decrypt(jweContent).getContentText();
+ assertEquals(decryptedText, plainContent);
+ }
+ private SecretKey createSecretKey(boolean createIfException) throws Exception {
+ SecretKey key = null;
+ if (Cipher.getMaxAllowedKeyLength("AES") > 128) {
+ key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY_A1, "AES");
+ } else if (createIfException) {
+ key = CryptoUtils.createSecretKeySpec(CryptoUtils.generateSecureRandomBytes(128 / 8), "AES");
+ }
+ return key;
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/30dec871/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
----------------------------------------------------------------------
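Review bot: `Security.removeProvider(BouncyCastleProvider.class.getName())` in unregisterBouncyCastleIfNeeded passes the fully-qualified class name, but removeProvider() expects the provider's registered name, so the call is a no-op and the BouncyCastle provider added in the catch branch stays installed for every test class that runs later in the same JVM, making their provider selection order-dependent. Use the provider's own name: `Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);`. The same call appears in the @After method of JwePbeHmacAesWrapTest in the next hunk, where @Before registers the provider unconditionally before each test, so the leak applies there too. Separately, `catch (Throwable t)` around Cipher.getInstance also masks failures unrelated to a missing algorithm; catching `GeneralSecurityException` keeps the Java 7 fallback while letting unexpected errors surface.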
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
new file mode 100644
index 0000000..e914b9b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java
@@ -0,0 +1,78 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.Security;
+
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class JwePbeHmacAesWrapTest extends Assert {
+ @Before
+ public void registerBouncyCastleIfNeeded() throws Exception {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+ @After
+ public void unregisterBouncyCastleIfNeeded() throws Exception {
+ Security.removeProvider(BouncyCastleProvider.class.getName());
+ }
+ @Test
+ public void testEncryptDecryptPbesHmacAesWrapA128CBCHS256() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO);
+ headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
+ final String password = "Thus from my lips, by yours, my sin is purged.";
+ KeyEncryptionAlgorithm keyEncryption =
+ new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO);
+ JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers, keyEncryption);
+ String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+
+ PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+ JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+ String decryptedText = decryption.decrypt(jweContent).getContentText();
+ assertEquals(specPlainText, decryptedText);
+
+ }
+ @Test
+ public void testEncryptDecryptPbesHmacAesWrapAesGcm() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO);
+ headers.setContentEncryptionAlgorithm(Algorithm.A128GCM.getJwtName());
+ final String password = "Thus from my lips, by yours, my sin is purged.";
+ KeyEncryptionAlgorithm keyEncryption =
+ new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO);
+ JweEncryptionProvider encryption =
+ new WrappedKeyJweEncryption(headers, keyEncryption);
+ String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+ PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
+ JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption, null, null);
+ String decryptedText = decryption.decrypt(jweContent).getContentText();
+ assertEquals(specPlainText, decryptedText);
+
+ }
+}
+
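Review bot: `new WrappedKeyJweDecryption(keyDecryption, null, null)` in testEncryptDecryptPbesHmacAesWrapAesGcm passes two untyped nulls whose meaning is not visible in this file, while the sibling JweCompactReaderWriterTest uses the single-argument `new WrappedKeyJweDecryption(...)` form; if the two are equivalent for a GCM content encryption, the one-argument form reads better, otherwise a short comment naming what the two nulls stand in for would help. The @Before/@After pair also registers BouncyCastle unconditionally before every test, whereas the sibling test registers it once per class and only when the JDK lacks AES/GCM; aligning the two would keep the PBES2 tests exercising the same provider path as the rest of the suite.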