Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CB75411CB3 for ; Fri, 19 Sep 2014 14:49:11 +0000 (UTC) Received: (qmail 13908 invoked by uid 500); 19 Sep 2014 14:49:11 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 13843 invoked by uid 500); 19 Sep 2014 14:49:11 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 13826 invoked by uid 99); 19 Sep 2014 14:49:11 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Sep 2014 14:49:11 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 35B9E8A5FE8; Fri, 19 Sep 2014 14:49:11 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: sergeyb@apache.org To: commits@cxf.apache.org Date: Fri, 19 Sep 2014 14:49:14 -0000 Message-Id: In-Reply-To: <36a29c89e3b7410284e3ba7258af541e@git.apache.org> References: <36a29c89e3b7410284e3ba7258af541e@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [05/10] Changing the oauth2-jwt source folder to oauth2-jose http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
deleted file mode 100644
index 9d5fc9c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ /dev/null
@@ -1,187 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Properties;
-import java.util.zip.DeflaterOutputStream;
-
-import javax.annotation.Priority;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweEncryption;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-@Priority(Priorities.JWE_WRITE_PRIORITY)
-public class JweWriterInterceptor implements WriterInterceptor {
- private static final String RSSEC_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
- private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
- private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
- private JweEncryptionProvider encryptionProvider;
- private boolean contentTypeRequired = true;
- private boolean useJweOutputStream;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
-
- //ctx.setMediaType(JAXRSUtils.toMediaType(JwtConstants.MEDIA_TYPE_JOSE_JSON));
-
- OutputStream actualOs = ctx.getOutputStream();
-
- JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
-
- String ctString = null;
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null) {
- if ("application".equals(mt.getType())) {
- ctString = mt.getSubtype();
- } else {
- ctString = JAXRSUtils.mediaTypeToString(mt);
- }
- }
- }
-
-
- if (useJweOutputStream) {
- JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(ctString);
- try {
- JweCompactProducer.startJweContent(actualOs,
- encryption.getHeaders(),
- writer,
- encryption.getContentEncryptionKey(),
- encryption.getIv());
- } catch (IOException ex) {
- throw new SecurityException(ex);
- }
- OutputStream jweStream = new JweOutputStream(actualOs, encryption.getCipher(),
- encryption.getAuthTagProducer());
- if (encryption.isCompressionSupported()) {
- jweStream = new DeflaterOutputStream(jweStream);
- }
-
- ctx.setOutputStream(jweStream);
- ctx.proceed();
- jweStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- String jweContent = theEncryptionProvider.encrypt(cos.getBytes(), ctString);
- IOUtils.copy(new ByteArrayInputStream(jweContent.getBytes("UTF-8")), actualOs);
- actualOs.flush();
- }
- }
-
- protected JweEncryptionProvider getInitializedEncryptionProvider() {
- if (encryptionProvider != null) {
- return encryptionProvider;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- KeyEncryptionAlgorithm keyEncryptionProvider = null;
- String keyEncryptionAlgo = null;
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
- keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
-
- } else {
- keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
- (RSAPublicKey)CryptoUtils.loadPublicKey(m, props),
- getKeyEncryptionAlgo(props, keyEncryptionAlgo));
- }
- if (keyEncryptionProvider == null) {
- throw new SecurityException();
- }
-
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
- JweHeaders headers = new JweHeaders(getKeyEncryptionAlgo(props, keyEncryptionAlgo),
- contentEncryptionAlgo);
- String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP);
- if (compression != null) {
- headers.setZipAlgorithm(compression);
- }
- boolean isAesHmac = Algorithm.isAesCbcHmac(contentEncryptionAlgo);
- if (isAesHmac) {
- return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider);
- } else {
- return new WrappedKeyJweEncryption(headers,
- keyEncryptionProvider,
- new AesGcmContentEncryptionAlgorithm(contentEncryptionAlgo));
- }
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- private String getKeyEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
- }
- public void setUseJweOutputStream(boolean useJweOutputStream) {
- this.useJweOutputStream = useJweOutputStream;
- }
-
- public void setWriter(JwtHeadersWriter writer) {
- this.writer = writer;
- }
-
- public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
- this.encryptionProvider = encryptionProvider;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
deleted file mode 100644
index aeaa742..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientResponseContext;
-import javax.ws.rs.client.ClientResponseFilter;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
-
-@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
-public class JwsClientResponseFilter extends AbstractJwsReaderProvider implements ClientResponseFilter {
- @Override
- public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- byte[] bytes = p.getDecodedJwsPayloadBytes();
- res.setEntityStream(new ByteArrayInputStream(bytes));
- res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- res.getHeaders().putSingle("Content-Type", ct);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
deleted file mode 100644
index d80aa38..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
-
-@PreMatching
-@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
-public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext context) throws IOException {
-
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- byte[] bytes = p.getDecodedJwsPayloadBytes();
- context.setEntityStream(new ByteArrayInputStream(bytes));
- context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
-
- String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- context.getHeaders().putSingle("Content-Type", ct);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
deleted file mode 100644
index 831d114..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyReader;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-
-public class JwsJwtMessageBodyReader extends AbstractJwsReaderProvider
- implements MessageBodyReader {
-
- @Override
- public boolean isReadable(Class cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public JwtToken readFrom(Class cls, Type t, Annotation[] anns, MediaType mt,
- MultivaluedMap headers, InputStream is) throws IOException,
- WebApplicationException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsJwtCompactConsumer p = new JwsJwtCompactConsumer(IOUtils.readStringFromStream(is),
- getSigProperties());
- p.verifySignatureWith(theSigVerifier);
- return p.getJwtToken();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
deleted file mode 100644
index 17b11f5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyWriter;
-
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-
-public class JwsJwtMessageBodyWriter extends AbstractJwsWriterProvider
- implements MessageBodyWriter {
-
- @Override
- public long getSize(JwtToken token, Class cls, Type type, Annotation[] anns, MediaType mt) {
- return -1;
- }
-
- @Override
- public boolean isWriteable(Class cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public void writeTo(JwtToken token, Class cls, Type type, Annotation[] anns, MediaType mt,
- MultivaluedMap headers, OutputStream os) throws IOException,
- WebApplicationException {
- JwsJwtCompactProducer p = new JwsJwtCompactProducer(token);
- JwtHeaders jwtHeaders = new JwtHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(jwtHeaders);
- jwtHeaders.setContentType(JwtConstants.TYPE_JWT);
- writeJws(p, sigProvider, os);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
deleted file mode 100644
index c99ec15..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-import javax.annotation.Priority;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsOutputStream;
-import org.apache.cxf.rs.security.jose.jws.JwsSignature;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlOutputStream;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-@Priority(Priorities.JWS_WRITE_PRIORITY)
-public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor {
- private boolean contentTypeRequired = true;
- private boolean useJwsOutputStream;
- private JwtHeadersWriter writer = new JwtTokenReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
- //ctx.setMediaType(JAXRSUtils.toMediaType(JwtConstants.MEDIA_TYPE_JOSE_JSON));
- JwtHeaders headers = new JwtHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
- setContentTypeIfNeeded(headers, ctx);
-
- OutputStream actualOs = ctx.getOutputStream();
- if (useJwsOutputStream) {
- JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
- JwsOutputStream jwsStream = new JwsOutputStream(actualOs, jwsSignature);
- byte[] headerBytes = writer.headersToJson(headers).getBytes("UTF-8");
- Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
- jwsStream.write(new byte[]{'.'});
-
- Base64UrlOutputStream base64Stream = new Base64UrlOutputStream(jwsStream);
- ctx.setOutputStream(base64Stream);
- ctx.proceed();
- base64Stream.flush();
- jwsStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- JwsCompactProducer p = new JwsCompactProducer(headers, new String(cos.getBytes(), "UTF-8"));
- writeJws(p, sigProvider, actualOs);
- }
- }
-
- public void setContentTypeRequired(boolean contentTypeRequired) {
- this.contentTypeRequired = contentTypeRequired;
- }
-
- public void setUseJwsOutputStream(boolean useJwsOutputStream) {
- this.useJwsOutputStream = useJwsOutputStream;
- }
- public void setWriter(JwtHeadersWriter writer) {
- this.writer = writer;
- }
- private void setContentTypeIfNeeded(JwtHeaders headers, WriterInterceptorContext ctx) {
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null) {
- if ("application".equals(mt.getType())) {
- headers.setContentType(mt.getSubtype());
- } else {
- headers.setContentType(JAXRSUtils.mediaTypeToString(mt));
- }
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
deleted file mode 100644
index fc48ebc..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-public final class Priorities {
- public static final int JWE_SERVER_READ_PRIORITY = 1000;
- public static final int JWE_WRITE_PRIORITY = 1000;
- public static final int JWE_CLIENT_READ_PRIORITY = 1001;
- public static final int JWS_SERVER_READ_PRIORITY = 1001;
- public static final int JWS_WRITE_PRIORITY = 1001;
- public static final int JWS_CLIENT_READ_PRIORITY = 1000;
- private Priorities() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
deleted file mode 100644
index 800bd1a..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
+++ /dev/null
@@ -1,209 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.jose.jwa;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-
-
-
-
-public enum Algorithm {
- // Signature
- HmacSHA256(JwtConstants.HMAC_SHA_256_ALGO, 256),
- HmacSHA384(JwtConstants.HMAC_SHA_384_ALGO, 384),
- HmacSHA512(JwtConstants.HMAC_SHA_512_ALGO, 512),
-
- SHA256withRSA(JwtConstants.RS_SHA_256_ALGO, 256),
- SHA384withRSA(JwtConstants.RS_SHA_384_ALGO, 384),
- SHA512withRSA(JwtConstants.RS_SHA_512_ALGO, 512),
-
- SHA256withECDSA(JwtConstants.ES_SHA_256_ALGO, 256),
- SHA384withECDSA(JwtConstants.ES_SHA_384_ALGO, 384),
- SHA512withECDSA(JwtConstants.ES_SHA_512_ALGO, 512),
-
- // Key Encryption
- RSA_OAEP(JwtConstants.RSA_OAEP_ALGO, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", -1),
- RSA_OAEP_256(JwtConstants.RSA_OAEP_256_ALGO, "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", -1),
- RSA_1_5(JwtConstants.RSA_1_5_ALGO, "RSA/ECB/PKCS1Padding", -1),
- A128KW(JwtConstants.A128KW_ALGO, "AESWrap", 128),
- A192KW(JwtConstants.A192KW_ALGO, "AESWrap", 192),
- A256KW(JwtConstants.A256KW_ALGO, "AESWrap", 256),
- A128GCMKW(JwtConstants.A128GCMKW_ALGO, "AES/GCM/NoPadding", 128),
- A192GCMKW(JwtConstants.A192GCMKW_ALGO, "AES/GCM/NoPadding", 192),
- A256GCMKW(JwtConstants.A256GCMKW_ALGO, "AES/GCM/NoPadding", 256),
- PBES2_HS256_A128KW(JwtConstants.PBES2_HS256_A128KW_ALGO, "AESWrap", 128),
- PBES2_HS384_A192KW(JwtConstants.PBES2_HS384_A192KW_ALGO, "AESWrap", 192),
- PBES2_HS512_A256KW(JwtConstants.PBES2_HS512_A256KW_ALGO, "AESWrap", 256),
-
- // Content Encryption
- A128GCM(JwtConstants.A128GCM_ALGO, "AES/GCM/NoPadding", 128),
- A192GCM(JwtConstants.A192GCM_ALGO, "AES/GCM/NoPadding", 192),
- A256GCM(JwtConstants.A256GCM_ALGO, "AES/GCM/NoPadding", 256),
- A128CBC_HS256(JwtConstants.A128CBC_HS256_ALGO, "AES/CBC/PKCS7Padding", 128),
- A192CBC_HS384(JwtConstants.A192CBC_HS384_ALGO, "AES/CBC/PKCS7Padding", 192),
- A256CBC_HS512(JwtConstants.A256CBC_HS512_ALGO, "AES/CBC/PKCS7Padding", 256);
-
- public static final String HMAC_SHA_256_JAVA = "HmacSHA256";
- public static final String HMAC_SHA_384_JAVA = "HmacSHA384";
- public static final String HMAC_SHA_512_JAVA = "HmacSHA512";
- public static final String RS_SHA_256_JAVA = "SHA256withRSA";
- public static final String RS_SHA_384_JAVA = "SHA384withRSA";
- public static final String RS_SHA_512_JAVA = "SHA512withRSA";
- public static final String ES_SHA_256_JAVA = "SHA256withECDSA";
- public static final String ES_SHA_384_JAVA = "SHA384withECDSA";
- public static final String ES_SHA_512_JAVA = "SHA512withECDSA";
- public static final String RSA_OAEP_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
- public static final String RSA_OAEP_256_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
- public static final String RSA_1_5_ALGO_JAVA = "RSA/ECB/PKCS1Padding";
- public static final String AES_ALGO_JAVA = "AES";
- public static final String AES_WRAP_ALGO_JAVA = "AESWrap";
- public static final String AES_GCM_ALGO_JAVA = "AES/GCM/NoPadding";
- public static final String AES_CBC_ALGO_JAVA = "AES/CBC/PKCS7Padding";
-
- private static final Map JAVA_TO_JWT_NAMES;
- private static final Map JWT_TO_JAVA_NAMES;
- static {
- JAVA_TO_JWT_NAMES = new HashMap();
- JAVA_TO_JWT_NAMES.put(HMAC_SHA_256_JAVA, JwtConstants.HMAC_SHA_256_ALGO);
- JAVA_TO_JWT_NAMES.put(HMAC_SHA_384_JAVA, JwtConstants.HMAC_SHA_384_ALGO);
- JAVA_TO_JWT_NAMES.put(HMAC_SHA_512_JAVA, JwtConstants.HMAC_SHA_512_ALGO);
- JAVA_TO_JWT_NAMES.put(RS_SHA_256_JAVA, JwtConstants.RS_SHA_256_ALGO);
- JAVA_TO_JWT_NAMES.put(RS_SHA_384_JAVA, JwtConstants.RS_SHA_384_ALGO);
- JAVA_TO_JWT_NAMES.put(RS_SHA_512_JAVA, JwtConstants.RS_SHA_512_ALGO);
- JAVA_TO_JWT_NAMES.put(ES_SHA_256_JAVA, JwtConstants.ES_SHA_256_ALGO);
- JAVA_TO_JWT_NAMES.put(ES_SHA_384_JAVA, JwtConstants.ES_SHA_384_ALGO);
- JAVA_TO_JWT_NAMES.put(ES_SHA_512_JAVA, JwtConstants.ES_SHA_512_ALGO);
- JAVA_TO_JWT_NAMES.put(RSA_OAEP_ALGO_JAVA, JwtConstants.RSA_OAEP_ALGO);
- JAVA_TO_JWT_NAMES.put(RSA_OAEP_256_ALGO_JAVA, JwtConstants.RSA_OAEP_256_ALGO);
- JAVA_TO_JWT_NAMES.put(RSA_1_5_ALGO_JAVA, JwtConstants.RSA_1_5_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A256GCM_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A192GCM_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JwtConstants.A128GCM_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JwtConstants.A128KW_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JwtConstants.A192KW_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JwtConstants.A256KW_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A128CBC_HS256_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A192CBC_HS384_ALGO);
- JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JwtConstants.A256CBC_HS512_ALGO);
- JWT_TO_JAVA_NAMES = new HashMap();
- JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_256_ALGO, HMAC_SHA_256_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_384_ALGO, HMAC_SHA_384_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.HMAC_SHA_512_ALGO, HMAC_SHA_512_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_256_ALGO, RS_SHA_256_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_384_ALGO, RS_SHA_384_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RS_SHA_512_ALGO, RS_SHA_512_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.ES_SHA_256_ALGO, ES_SHA_256_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.ES_SHA_384_ALGO, ES_SHA_384_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.ES_SHA_512_ALGO, ES_SHA_512_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RSA_OAEP_ALGO, RSA_OAEP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RSA_OAEP_256_ALGO, RSA_OAEP_256_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.RSA_1_5_ALGO, RSA_1_5_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A128KW_ALGO, AES_WRAP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A192KW_ALGO, AES_WRAP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A256KW_ALGO, AES_WRAP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCM_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A192GCM_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A128GCM_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCMKW_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A192GCMKW_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A128GCMKW_ALGO, AES_GCM_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A128CBC_HS256_ALGO, AES_CBC_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A192CBC_HS384_ALGO, AES_CBC_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.A256CBC_HS512_ALGO, AES_CBC_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.PBES2_HS256_A128KW_ALGO, AES_WRAP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.PBES2_HS384_A192KW_ALGO, AES_WRAP_ALGO_JAVA);
- JWT_TO_JAVA_NAMES.put(JwtConstants.PBES2_HS512_A256KW_ALGO, AES_WRAP_ALGO_JAVA);
- }
- private final String jwtName;
- private final String javaName;
- private final int keySizeBits;
-
- private Algorithm(String jwtName, int keySizeBits) {
- this(jwtName, null, keySizeBits);
- }
- private Algorithm(String jwtName, String javaName, int keySizeBits) {
- this.jwtName = 
jwtName; - this.javaName = javaName; - this.keySizeBits = keySizeBits; - } - - public String getJwtName() { - return jwtName; - } - - public String getJavaName() { - return javaName == null ? name() : javaName; - } - - public String getJavaAlgoName() { - return stripAlgoProperties(getJavaName()); - } - - public int getKeySizeBits() { - return keySizeBits; - } - - public static String toJwtName(String javaName, int keyBitSize) { - //TODO: perhaps a key should be a name+keysize pair - String name = JAVA_TO_JWT_NAMES.get(javaName); - if (name == null && javaName.startsWith(AES_ALGO_JAVA)) { - name = "A" + keyBitSize + "GCM"; - } - return name; - } - public static String toJavaName(String jwtName) { - return JWT_TO_JAVA_NAMES.get(jwtName); - } - public static String toJavaAlgoNameOnly(String jwtName) { - return stripAlgoProperties(toJavaName(jwtName)); - } - public static String stripAlgoProperties(String javaName) { - if (javaName != null) { - int index = javaName.indexOf('/'); - if (index != -1) { - javaName = javaName.substring(0, index); - } - } - return javaName; - } - public static boolean isAesKeyWrap(String algo) { - return JwtConstants.A128KW_ALGO.equals(algo) - || JwtConstants.A192KW_ALGO.equals(algo) - || JwtConstants.A256KW_ALGO.equals(algo); - } - public static boolean isAesGcmKeyWrap(String algo) { - return JwtConstants.A128GCM_ALGO.equals(algo) - || JwtConstants.A192GCMKW_ALGO.equals(algo) - || JwtConstants.A256GCMKW_ALGO.equals(algo); - } - public static boolean isHmacSign(String algo) { - return JwtConstants.HMAC_SHA_256_ALGO.equals(algo) - || JwtConstants.HMAC_SHA_384_ALGO.equals(algo) - || JwtConstants.HMAC_SHA_512_ALGO.equals(algo); - } - public static boolean isAesCbcHmac(String algo) { - return JwtConstants.A128CBC_HS256_ALGO.equals(algo) - || JwtConstants.A192CBC_HS384_ALGO.equals(algo) - || JwtConstants.A256CBC_HS512_ALGO.equals(algo); - } -} \ No newline at end of file 
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
deleted file mode 100644
index adf6d59..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.util.concurrent.atomic.AtomicInteger;
-
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-
-public abstract class AbstractContentEncryptionAlgorithm extends AbstractContentEncryptionCipherProperties
- implements ContentEncryptionAlgorithm {
- private static final int DEFAULT_IV_SIZE = 128;
- private byte[] cek;
- private byte[] iv;
- private AtomicInteger providedIvUsageCount;
- private String algorithm;
-
- protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) {
- this.cek = cek;
- this.iv = iv;
- if (iv != null && iv.length > 0) {
- providedIvUsageCount = new AtomicInteger();
- }
- this.algorithm = algo;
- }
- @Override
- public String getAlgorithm() {
- return algorithm;
- }
- public byte[] getContentEncryptionKey(JweHeaders headers) {
- return cek;
- }
- public byte[] getInitVector() {
- if (iv == null) {
- return CryptoUtils.generateSecureRandomBytes(getIvSize() / 8);
- } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
- throw new SecurityException();
- } else {
- return iv;
- }
- }
- protected int getIvSize() {
- return DEFAULT_IV_SIZE;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
deleted file mode 100644
index 291b8cb..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-
-public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {
- private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
-
- public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
- return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
- }
- public byte[] getAdditionalAuthenticationData(String headersJson) {
- return JweHeaders.toCipherAdditionalAuthData(headersJson);
- }
- protected int getAuthTagLen() {
- return authTagLen;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
deleted file mode 100644
index e2e1ac7..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader;
-import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractJweDecryption implements JweDecryptionProvider {
- private JweCryptoProperties props;
- private KeyDecryptionAlgorithm keyDecryptionAlgo;
- private ContentDecryptionAlgorithm contentDecryptionAlgo;
- private JwtHeadersReader reader = new JwtTokenReaderWriter();
- protected AbstractJweDecryption(JweCryptoProperties props,
- JwtHeadersReader theReader,
- KeyDecryptionAlgorithm keyDecryptionAlgo,
- ContentDecryptionAlgorithm contentDecryptionAlgo) {
- this.props = props;
- if (theReader != null) {
- reader = theReader;
- }
- this.keyDecryptionAlgo = keyDecryptionAlgo;
- this.contentDecryptionAlgo = contentDecryptionAlgo;
- }
-
- protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
- return this.keyDecryptionAlgo.getDecryptedContentEncryptionKey(consumer);
- }
-
- public JweDecryptionOutput decrypt(String content) {
- JweCompactConsumer consumer = new JweCompactConsumer(content, reader);
- return doDecrypt(consumer);
- }
- public byte[] decrypt(JweCompactConsumer consumer) {
- return doDecrypt(consumer).getContent();
- }
-
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
- consumer.enforceJweCryptoProperties(props);
- byte[] cek = getContentEncryptionKey(consumer);
- return doDecrypt(consumer, cek);
- }
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
- KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(consumer));
- keyProperties.setAdditionalData(getContentEncryptionCipherAAD(consumer));
- AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(consumer);
- keyProperties.setAlgoSpec(spec);
- boolean compressionSupported =
- JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(consumer.getJweHeaders().getZipAlgorithm());
- keyProperties.setCompressionSupported(compressionSupported);
- byte[] actualCek = getActualCek(cek, consumer.getJweHeaders().getContentEncryptionAlgorithm());
- Key secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo());
- byte[] bytes =
- CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(consumer), secretKey, keyProperties);
- return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
- }
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- return consumer.getEncryptedContentEncryptionKey();
- }
- protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getAlgorithmParameterSpec(getContentEncryptionCipherInitVector(consumer));
- }
- protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
- }
- protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders());
- }
- protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
- return contentDecryptionAlgo.getEncryptedSequence(consumer.getEncryptedContent(),
- getEncryptionAuthenticationTag(consumer));
- }
- protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) {
- return consumer.getContentDecryptionCipherInitVector();
- }
- protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
- return consumer.getEncryptionAuthenticationTag();
- }
- protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
- return getEncryptionAuthenticationTag(consumer).length * 8;
- }
- protected byte[] getActualCek(byte[] theCek, String algoJwt) {
- return theCek;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
deleted file mode 100644
index 747d996..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ /dev/null
@@ -1,184 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractJweEncryption implements JweEncryptionProvider {
- protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
- private JweHeaders headers;
- private JwtHeadersWriter writer;
- private ContentEncryptionAlgorithm contentEncryptionAlgo;
- private KeyEncryptionAlgorithm keyEncryptionAlgo;
-
- protected AbstractJweEncryption(JweHeaders headers,
- ContentEncryptionAlgorithm contentEncryptionAlgo,
- KeyEncryptionAlgorithm keyEncryptionAlgo) {
- this(headers, contentEncryptionAlgo, keyEncryptionAlgo, null);
- }
- protected AbstractJweEncryption(JweHeaders headers,
- ContentEncryptionAlgorithm contentEncryptionAlgo,
- KeyEncryptionAlgorithm keyEncryptionAlgo,
- JwtHeadersWriter writer) {
- this.headers = headers;
- this.writer = writer;
- if (this.writer == null) {
- this.writer = new JwtTokenReaderWriter();
- }
- this.keyEncryptionAlgo = keyEncryptionAlgo;
- this.contentEncryptionAlgo = contentEncryptionAlgo;
- }
-
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
- return contentEncryptionAlgo.getAlgorithmParameterSpec(theIv);
- }
-
- protected byte[] getContentEncryptionKey() {
- byte[] cek = getProvidedContentEncryptionKey();
- if (cek == null) {
- String algoJava = getContentEncryptionAlgoJava();
- String algoJwt = getContentEncryptionAlgoJwt();
- cek = CryptoUtils.getSecretKey(Algorithm.stripAlgoProperties(algoJava),
- getCekSize(algoJwt)).getEncoded();
- }
- return cek;
- }
-
- protected int getCekSize(String algoJwt) {
- return Algorithm.valueOf(algoJwt.replace('-', '_')).getKeySizeBits();
- }
-
- protected byte[] getProvidedContentEncryptionKey() {
- return contentEncryptionAlgo.getContentEncryptionKey(headers);
- }
-
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- return keyEncryptionAlgo.getEncryptedContentEncryptionKey(headers, theCek);
- }
-
- protected String getContentEncryptionAlgoJwt() {
- return headers.getContentEncryptionAlgorithm();
- }
- protected String getContentEncryptionAlgoJava() {
- return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
- }
- protected byte[] getAAD(JweHeaders theHeaders) {
- return contentEncryptionAlgo.getAdditionalAuthenticationData(writer.headersToJson(theHeaders));
- }
- public String encrypt(byte[] content, String contentType) {
- JweEncryptionInternal state = getInternalState(contentType);
-
- byte[] cipher = CryptoUtils.encryptBytes(content, createCekSecretKey(state), state.keyProps);
-
-
- JweCompactProducer producer = getJweCompactProducer(state, cipher);
- return producer.getJweContent();
- }
-
- protected JweCompactProducer getJweCompactProducer(JweEncryptionInternal state, byte[] cipher) {
- return new JweCompactProducer(state.theHeaders,
- getJwtHeadersWriter(),
- state.jweContentEncryptionKey,
- state.theIv,
- cipher,
- DEFAULT_AUTH_TAG_LENGTH);
- }
-
- protected JwtHeadersWriter getJwtHeadersWriter() {
- return writer;
- }
- protected JweHeaders getJweHeaders() {
- return headers;
- }
- @Override
- public JweEncryptionState createJweEncryptionState(String contentType) {
- JweEncryptionInternal state = getInternalState(contentType);
- Cipher c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps,
- Cipher.ENCRYPT_MODE);
- return new JweEncryptionState(c,
- state.theHeaders,
- state.jweContentEncryptionKey,
- state.theIv,
- getAuthenticationTagProducer(state),
- state.keyProps.isCompressionSupported());
- }
- protected AuthenticationTagProducer getAuthenticationTagProducer(JweEncryptionInternal state) {
- return null;
- }
- protected SecretKey createCekSecretKey(JweEncryptionInternal state) {
- return CryptoUtils.createSecretKeySpec(getActualCek(state.secretKey, this.getContentEncryptionAlgoJwt()),
- state.keyProps.getKeyAlgo());
- }
-
- protected byte[] getActualCek(byte[] theCek, String algoJwt) {
- return theCek;
- }
-
- private JweEncryptionInternal getInternalState(String contentType) {
- byte[] theCek = getContentEncryptionKey();
- String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
- keyProps.setCompressionSupported(compressionRequired(headers));
-
- byte[] theIv = contentEncryptionAlgo.getInitVector();
- AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv);
- keyProps.setAlgoSpec(specParams);
- byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek);
-
- JweHeaders theHeaders = headers;
- if (contentType != null) {
- theHeaders = new JweHeaders(theHeaders.asMap());
- theHeaders.setContentType(contentType);
- }
- byte[] additionalEncryptionParam = getAAD(theHeaders);
- keyProps.setAdditionalData(additionalEncryptionParam);
-
-
- JweEncryptionInternal state = new JweEncryptionInternal();
- state.theHeaders = theHeaders;
- state.jweContentEncryptionKey = jweContentEncryptionKey;
- state.keyProps = keyProps;
- state.secretKey = theCek;
- state.theIv = theIv;
- return state;
- }
- private boolean compressionRequired(JweHeaders theHeaders) {
- return JwtConstants.DEFLATE_ZIP_ALGORITHM.equals(theHeaders.getZipAlgorithm());
- }
- protected KeyEncryptionAlgorithm getKeyEncryptionAlgo() {
- return keyEncryptionAlgo;
- }
- protected static class JweEncryptionInternal {
- JweHeaders theHeaders;
- byte[] jweContentEncryptionKey;
- byte[] theIv;
- KeyProperties keyProps;
- byte[] secretKey;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
deleted file mode 100644
index 6e831a9..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm {
- private Key keyEncryptionKey;
- private boolean wrap;
- private String algorithm;
- private Set supportedAlgorithms;
- protected AbstractWrapKeyEncryptionAlgorithm(Key key, Set supportedAlgorithms) {
- this(key, null, true, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryptionAlgorithm(Key key, boolean wrap, Set supportedAlgorithms) {
- this(key, null, wrap, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryptionAlgorithm(Key key, String jweAlgo, Set supportedAlgorithms) {
- this(key, jweAlgo, true, supportedAlgorithms);
- }
- protected AbstractWrapKeyEncryptionAlgorithm(Key key, String jweAlgo, boolean wrap,
- Set supportedAlgorithms) {
- this.keyEncryptionKey = key;
- this.algorithm = jweAlgo;
- this.wrap = wrap;
- this.supportedAlgorithms = supportedAlgorithms;
- }
- @Override
- public String getAlgorithm() {
- return algorithm;
- }
- @Override
- public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
- checkAlgorithms(headers);
- KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
- AlgorithmParameterSpec spec = getAlgorithmParameterSpec(headers);
- if (spec != null) {
- secretKeyProperties.setAlgoSpec(spec);
- }
- if (!wrap) {
- return CryptoUtils.encryptBytes(cek, keyEncryptionKey, secretKeyProperties);
- } else {
- return CryptoUtils.wrapSecretKey(cek,
- getContentEncryptionAlgoJava(headers),
- keyEncryptionKey,
- secretKeyProperties);
- }
- }
- protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
- return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgoJava(JweHeaders headers) {
- return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
- }
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweHeaders headers) {
- return null;
- }
- protected String checkAlgorithm(String algo) {
- if (algo != null && !supportedAlgorithms.contains(algo)) {
- throw new SecurityException();
- }
- return algo;
- }
- protected void checkAlgorithms(JweHeaders headers) {
- String providedAlgo = headers.getKeyEncryptionAlgorithm();
- if ((providedAlgo == null && algorithm == null)
- || (providedAlgo != null && algorithm != null && !providedAlgo.equals(algorithm))) {
- throw new SecurityException();
- }
- if (providedAlgo != null) {
- checkAlgorithm(providedAlgo);
- } else if (algorithm != null) {
- headers.setKeyEncryptionAlgorithm(algorithm);
- checkAlgorithm(algorithm);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
deleted file mode 100644
index 518b006..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-
-import javax.crypto.spec.IvParameterSpec;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader;
-
-public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
- public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo) {
- this(keyDecryptionAlgo, null, null);
- }
- public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
- JweCryptoProperties props,
- JwtHeadersReader reader) {
- super(props, reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm());
- }
- protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
- validateAuthenticationTag(consumer, cek);
- return super.doDecrypt(consumer, cek);
- }
- @Override
- protected byte[] getActualCek(byte[] theCek, String algoJwt) {
- return AesCbcHmacJweEncryption.doGetActualCek(theCek, algoJwt);
- }
- protected void validateAuthenticationTag(JweCompactConsumer consumer, byte[] theCek) {
- byte[] actualAuthTag = consumer.getEncryptionAuthenticationTag();
-
- final AesCbcHmacJweEncryption.MacState macState =
- AesCbcHmacJweEncryption.getInitializedMacState(theCek,
- consumer.getContentDecryptionCipherInitVector(),
- consumer.getJweHeaders(),
- consumer.getDecodedJsonHeaders());
- macState.mac.update(consumer.getEncryptedContent());
- byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
- if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
- throw new SecurityException();
- }
-
- }
- private static class AesCbcContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties
- implements ContentDecryptionAlgorithm {
- @Override
- public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
- return new IvParameterSpec(theIv);
- }
- @Override
- public byte[] getAdditionalAuthenticationData(String headersJson) {
- return null;
- }
- @Override
- public byte[] getEncryptedSequence(byte[] cipher, byte[] authTag) {
- return cipher;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
deleted file mode 100644
index 5e3eaa5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.nio.ByteBuffer;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import javax.crypto.Mac;
-import javax.crypto.spec.IvParameterSpec;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
-
-public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
- private static final Set SUPPORTED_CEK_ALGORITHMS = new HashSet(
- Arrays.asList(Algorithm.A128CBC_HS256.getJwtName(),
- Algorithm.A192CBC_HS384.getJwtName(),
- Algorithm.A256CBC_HS512.getJwtName()));
- private static final Map AES_HMAC_MAP;
- private static final Map AES_CEK_SIZE_MAP;
- static {
- AES_HMAC_MAP = new HashMap();
- AES_HMAC_MAP.put(Algorithm.A128CBC_HS256.getJwtName(), Algorithm.HMAC_SHA_256_JAVA);
- AES_HMAC_MAP.put(Algorithm.A192CBC_HS384.getJwtName(), Algorithm.HMAC_SHA_384_JAVA);
- AES_HMAC_MAP.put(Algorithm.A256CBC_HS512.getJwtName(), Algorithm.HMAC_SHA_512_JAVA);
-
- AES_CEK_SIZE_MAP = new HashMap();
- AES_CEK_SIZE_MAP.put(Algorithm.A128CBC_HS256.getJwtName(), 32);
- AES_CEK_SIZE_MAP.put(Algorithm.A192CBC_HS384.getJwtName(), 48);
- AES_CEK_SIZE_MAP.put(Algorithm.A256CBC_HS512.getJwtName(), 64);
- }
- public AesCbcHmacJweEncryption(String cekAlgoJwt,
- KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(new JweHeaders(keyEncryptionAlgorithm.getAlgorithm(), cekAlgoJwt), null, null,
- keyEncryptionAlgorithm);
- }
- public AesCbcHmacJweEncryption(JweHeaders headers,
- KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(headers, null, null, keyEncryptionAlgorithm);
- }
- public AesCbcHmacJweEncryption(JweHeaders headers, byte[] cek,
- byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(headers, cek, iv, keyEncryptionAlgorithm, null);
- }
- public AesCbcHmacJweEncryption(JweHeaders headers,
- byte[] cek,
- byte[] iv,
- KeyEncryptionAlgorithm keyEncryptionAlgorithm,
- JwtHeadersWriter writer) {
- super(headers,
- new AesCbcContentEncryptionAlgorithm(cek, iv,
- validateCekAlgorithm(headers.getContentEncryptionAlgorithm())),
- keyEncryptionAlgorithm, writer);
-
- }
- @Override
- protected byte[] getActualCek(byte[] theCek, String algoJwt) {
- return doGetActualCek(theCek, algoJwt);
- }
- @Override
- protected int getCekSize(String algoJwt) {
- return getFullCekKeySize(algoJwt) * 8;
- }
- protected static byte[] doGetActualCek(byte[] theCek, String algoJwt) {
- int size = getFullCekKeySize(algoJwt) / 2;
- byte[] actualCek = new byte[size];
- System.arraycopy(theCek, size, actualCek, 0, size);
- return actualCek;
- }
-
- protected static int getFullCekKeySize(String algoJwt) {
- return AES_CEK_SIZE_MAP.get(algoJwt);
- }
-
- protected JweCompactProducer getJweCompactProducer(JweEncryptionInternal state, byte[] cipher) {
- final MacState macState = getInitializedMacState(state);
- macState.mac.update(cipher);
- byte[] authTag = signAndGetTag(macState);
- return new JweCompactProducer(macState.headersJson,
- state.jweContentEncryptionKey,
- state.theIv,
- cipher,
- authTag);
- }
-
- protected static byte[] signAndGetTag(MacState macState) {
- macState.mac.update(macState.al);
- byte[] sig = macState.mac.doFinal();
-
- int authTagLen = DEFAULT_AUTH_TAG_LENGTH / 8;
- byte[] authTag = new byte[authTagLen];
- System.arraycopy(sig, 0, authTag, 0, authTagLen);
- return authTag;
- }
- private MacState getInitializedMacState(final JweEncryptionInternal state) {
- String headersJson = getJwtHeadersWriter().headersToJson(state.theHeaders);
- return getInitializedMacState(state.secretKey, state.theIv, state.theHeaders, headersJson);
- }
- protected static MacState getInitializedMacState(byte[] secretKey,
- byte[] theIv,
- JweHeaders theHeaders,
- String headersJson) {
- String algoJwt = theHeaders.getContentEncryptionAlgorithm();
- int size = getFullCekKeySize(algoJwt) / 2;
- byte[] macKey = new byte[size];
- System.arraycopy(secretKey, 0, macKey, 0, size);
-
- String hmacAlgoJava = AES_HMAC_MAP.get(algoJwt);
- Mac mac = HmacUtils.getInitializedMac(macKey, hmacAlgoJava, null);
-
-
- byte[] aad = JweHeaders.toCipherAdditionalAuthData(headersJson);
- ByteBuffer buf = ByteBuffer.allocate(8);
- final byte[] al = buf.putInt(0).putInt(aad.length * 8).array();
-
- mac.update(aad);
- mac.update(theIv);
- MacState macState = new MacState();
- macState.mac = mac;
- macState.al = al;
- macState.headersJson = headersJson;
- return macState;
- }
-
- protected AuthenticationTagProducer getAuthenticationTagProducer(final JweEncryptionInternal state) {
- final MacState macState = getInitializedMacState(state);
-
-
- return new AuthenticationTagProducer() {
-
- @Override
- public void update(byte[] cipher, int off, int len) {
- macState.mac.update(cipher, off, len);
- }
-
- @Override
- public byte[] getTag() {
- return signAndGetTag(macState);
- }
-
- };
- }
-
- protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) {
- return getKeyEncryptionAlgo().getEncryptedContentEncryptionKey(getJweHeaders(), theCek);
- }
-
- private static class AesCbcContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
- public AesCbcContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) {
- super(cek, iv, algo);
- }
- @Override
- public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
- return new IvParameterSpec(theIv);
- }
- @Override
- public byte[] getAdditionalAuthenticationData(String headersJson) {
- return null;
- }
- }
-
- protected static class MacState {
- protected Mac mac;
- private byte[] al;
- private String headersJson;
- }
-
- private static String validateCekAlgorithm(String cekAlgo) {
- if (!SUPPORTED_CEK_ALGORITHMS.contains(cekAlgo)) {
- throw new SecurityException();
- }
- return cekAlgo;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
deleted file mode 100644
index 05d77ea..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-
-
-public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties
- implements ContentDecryptionAlgorithm {
-
- @Override
- public byte[] getEncryptedSequence(byte[] cipher, byte[] authTag) {
- return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
deleted file mode 100644
index fd028c1..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-
-public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {
- private static final Set SUPPORTED_ALGORITHMS = new HashSet(
- Arrays.asList(Algorithm.A128GCM.getJwtName(),
- Algorithm.A192GCM.getJwtName(),
- Algorithm.A256GCM.getJwtName()));
- private static final int DEFAULT_IV_SIZE = 96;
- public AesGcmContentEncryptionAlgorithm(String algo) {
- this((byte[])null, null, algo);
- }
- public AesGcmContentEncryptionAlgorithm(String encodedCek, String encodedIv, String algo) {
- this((byte[])CryptoUtils.decodeSequence(encodedCek), CryptoUtils.decodeSequence(encodedIv), algo);
- }
- public AesGcmContentEncryptionAlgorithm(SecretKey key, byte[] iv, String algo) {
- this(key.getEncoded(), iv, algo);
- }
- public AesGcmContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) {
- super(cek, iv, checkAlgorithm(algo));
- }
- protected int getIvSize() {
- return DEFAULT_IV_SIZE;
- }
- private static String checkAlgorithm(String algo) {
- if (SUPPORTED_ALGORITHMS.contains(algo)) {
- return algo;
- }
- throw new SecurityException();
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
deleted file mode 100644
index 0b2c824..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.spec.AlgorithmParameterSpec;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
- public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {
- this(CryptoUtils.decodeSequence(encodedKey));
- }
- public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey) {
- this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_ALGO_JAVA));
- }
- public AesGcmWrapKeyDecryptionAlgorithm(SecretKey secretKey) {
- super(secretKey, true);
- }
- @Override
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(consumer);
- byte[] tag = getDecodedBytes(consumer, "tag");
- return JweCompactConsumer.getCipherWithAuthTag(encryptedCekKey, tag);
- }
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
- byte[] iv = getDecodedBytes(consumer, "iv");
- return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
- }
- private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
- try {
- Object ivHeader = consumer.getJweHeaders().getHeader(headerName);
- return Base64UrlUtility.decode(ivHeader.toString());
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
-}