cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [2/2] git commit: [CXF-5944] Moving some of security utils to the core where they might stay and working toward preparing creating a JOSE module without the deps on the OAuth2 module, the idea from Luigio
Date Mon, 06 Oct 2014 15:30:51 GMT
[CXF-5944] Moving some of security utils to the core where they might stay and working toward preparing creating a JOSE module without the deps on the OAuth2 module, the idea from Luigio


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6129ec5f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6129ec5f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6129ec5f

Branch: refs/heads/master
Commit: 6129ec5f6735a986660a2d05c6b3b0c9230610d9
Parents: 8644ac4
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Mon Oct 6 16:30:17 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Mon Oct 6 16:30:17 2014 +0100

----------------------------------------------------------------------
 .../cxf/common/util/crypto/CryptoUtils.java     | 667 ++++++++++++++++
 .../cxf/common/util/crypto/HmacUtils.java       | 145 ++++
 .../cxf/common/util/crypto/KeyProperties.java   |  88 +++
 .../common/util/crypto/MessageDigestUtils.java  |  74 ++
 .../jose/jaxrs/AbstractJweDecryptingFilter.java |   6 +-
 .../jose/jaxrs/AbstractJwsReaderProvider.java   |   5 +-
 .../jose/jaxrs/AbstractJwsWriterProvider.java   |   7 +-
 .../jose/jaxrs/JweWriterInterceptor.java        |   5 +-
 .../security/jose/jaxrs/KeyManagementUtils.java | 145 ++++
 .../jose/jaxrs/PrivateKeyPasswordProvider.java  |  25 +
 .../jwe/AbstractContentEncryptionAlgorithm.java |   2 +-
 ...stractContentEncryptionCipherProperties.java |   2 +-
 .../jose/jwe/AbstractJweDecryption.java         |   4 +-
 .../jose/jwe/AbstractJweEncryption.java         |   4 +-
 .../jwe/AbstractWrapKeyEncryptionAlgorithm.java |   4 +-
 .../jose/jwe/AesCbcHmacJweEncryption.java       |   2 +-
 .../jwe/AesGcmContentEncryptionAlgorithm.java   |   2 +-
 .../jwe/AesGcmWrapKeyDecryptionAlgorithm.java   |   2 +-
 .../jwe/AesGcmWrapKeyEncryptionAlgorithm.java   |   2 +-
 .../jose/jwe/AesWrapKeyDecryptionAlgorithm.java |   2 +-
 .../jose/jwe/AesWrapKeyEncryptionAlgorithm.java |   2 +-
 .../PbesHmacAesWrapKeyEncryptionAlgorithm.java  |   2 +-
 .../jose/jwe/WrappedKeyDecryptionAlgorithm.java |   4 +-
 .../cxf/rs/security/jose/jwk/JwkUtils.java      |  24 +-
 .../jose/jws/HmacJwsSignatureProvider.java      |   2 +-
 .../jose/jws/HmacJwsSignatureVerifier.java      |   2 +-
 .../jws/PrivateKeyJwsSignatureProvider.java     |   2 +-
 .../jose/jws/PublicKeyJwsSignatureVerifier.java |   2 +-
 .../jose/jwe/JweCompactReaderWriterTest.java    |   2 +-
 .../jose/jws/JwsCompactReaderWriterTest.java    |   2 +-
 .../code/DefaultEncryptingCodeDataProvider.java |   2 +-
 .../oauth2/grants/code/DigestCodeVerifier.java  |   2 +-
 .../DefaultEncryptingOAuthDataProvider.java     |   4 +-
 .../oauth2/tokens/hawk/HawkAccessToken.java     |   2 +-
 .../tokens/hawk/HawkAccessTokenValidator.java   |   2 +-
 .../tokens/hawk/HawkAuthorizationScheme.java    |   2 +-
 .../oauth2/utils/MessageDigestUtils.java        |  80 --
 .../rs/security/oauth2/utils/OAuthUtils.java    |   1 +
 .../oauth2/utils/crypto/CryptoUtils.java        | 774 -------------------
 .../security/oauth2/utils/crypto/HmacUtils.java | 146 ----
 .../oauth2/utils/crypto/KeyProperties.java      |  88 ---
 .../utils/crypto/ModelEncryptionSupport.java    |   2 +
 .../crypto/PrivateKeyPasswordProvider.java      |  25 -
 .../oauth2/utils/crypto/CryptoUtilsTest.java    |   2 +
 .../utils/crypto/EncryptingDataProvider.java    |   1 +
 .../jaxrs/security/jwt/JAXRSJweJwsTest.java     |   2 +-
 .../jwt/PrivateKeyPasswordProviderImpl.java     |   2 +-
 .../security/oauth2/OAuthDataProviderImpl.java  |   4 +-
 48 files changed, 1206 insertions(+), 1172 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/core/src/main/java/org/apache/cxf/common/util/crypto/CryptoUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/CryptoUtils.java b/core/src/main/java/org/apache/cxf/common/util/crypto/CryptoUtils.java
new file mode 100644
index 0000000..184f69f
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/CryptoUtils.java
@@ -0,0 +1,667 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.common.util.crypto;
+
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Signature;
+import java.security.cert.Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPrivateKeySpec;
+import java.security.spec.ECPublicKeySpec;
+import java.security.spec.RSAPrivateCrtKeySpec;
+import java.security.spec.RSAPrivateKeySpec;
+import java.security.spec.RSAPublicKeySpec;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.CompressionUtils;
+import org.apache.cxf.helpers.IOUtils;
+
+
+/**
+ * Encryption helpers
+ */
+public final class CryptoUtils {
+    
+    private CryptoUtils() {
+    }
+    
+    public static String encodeSecretKey(SecretKey key) throws SecurityException {
+        return encodeBytes(key.getEncoded());
+    }
+    
+    public static String encryptSecretKey(SecretKey secretKey, PublicKey publicKey) 
+        throws SecurityException {
+        KeyProperties props = new KeyProperties(publicKey.getAlgorithm());
+        return encryptSecretKey(secretKey, publicKey, props);
+    }
+    
+    public static String encryptSecretKey(SecretKey secretKey, PublicKey publicKey,
+        KeyProperties props) throws SecurityException {
+        byte[] encryptedBytes = encryptBytes(secretKey.getEncoded(), 
+                                             publicKey,
+                                             props);
+        return encodeBytes(encryptedBytes);
+    }
+    
+    public static byte[] generateSecureRandomBytes(int size) {
+        SecureRandom sr = new SecureRandom();
+        byte[] bytes = new byte[size];
+        sr.nextBytes(bytes);
+        return bytes;
+    }
+    
+    public static RSAPublicKey getRSAPublicKey(String encodedModulus,
+                                               String encodedPublicExponent) {
+        try {
+            return getRSAPublicKey(CryptoUtils.decodeSequence(encodedModulus),
+                                   CryptoUtils.decodeSequence(encodedPublicExponent));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static RSAPublicKey getRSAPublicKey(byte[] modulusBytes,
+                                               byte[] publicExponentBytes) {
+        try {
+            return getRSAPublicKey(KeyFactory.getInstance("RSA"), 
+                                   modulusBytes,
+                                   publicExponentBytes);
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }         
+    }
+    
+    public static RSAPublicKey getRSAPublicKey(KeyFactory factory,
+                                               byte[] modulusBytes,
+                                               byte[] publicExponentBytes) {
+        BigInteger modulus =  new BigInteger(1, modulusBytes);
+        BigInteger publicExponent =  new BigInteger(1, publicExponentBytes);
+        try {
+            return (RSAPublicKey)factory.generatePublic(
+                new RSAPublicKeySpec(modulus, publicExponent));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }    
+    }
+    
+    public static RSAPrivateKey getRSAPrivateKey(String encodedModulus,
+                                                 String encodedPrivateExponent) {
+        try {
+            return getRSAPrivateKey(CryptoUtils.decodeSequence(encodedModulus),
+                                    CryptoUtils.decodeSequence(encodedPrivateExponent));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static RSAPrivateKey getRSAPrivateKey(byte[] modulusBytes,
+                                                 byte[] privateExponentBytes) {
+        BigInteger modulus =  new BigInteger(1, modulusBytes);
+        BigInteger privateExponent =  new BigInteger(1, privateExponentBytes);
+        try {
+            KeyFactory factory = KeyFactory.getInstance("RSA");
+            return (RSAPrivateKey)factory.generatePrivate(
+                new RSAPrivateKeySpec(modulus, privateExponent));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }    
+    }
+    //CHECKSTYLE:OFF
+    public static RSAPrivateKey getRSAPrivateKey(String encodedModulus,
+                                                 String encodedPublicExponent,
+                                                 String encodedPrivateExponent,
+                                                 String encodedPrimeP,
+                                                 String encodedPrimeQ,
+                                                 String encodedPrimeExpP,
+                                                 String encodedPrimeExpQ,
+                                                 String encodedCrtCoefficient) {
+    //CHECKSTYLE:ON
+        try {
+            return getRSAPrivateKey(CryptoUtils.decodeSequence(encodedModulus),
+                                    CryptoUtils.decodeSequence(encodedPublicExponent),
+                                    CryptoUtils.decodeSequence(encodedPrivateExponent),
+                                    CryptoUtils.decodeSequence(encodedPrimeP),
+                                    CryptoUtils.decodeSequence(encodedPrimeQ),
+                                    CryptoUtils.decodeSequence(encodedPrimeExpP),
+                                    CryptoUtils.decodeSequence(encodedPrimeExpQ),
+                                    CryptoUtils.decodeSequence(encodedCrtCoefficient));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    //CHECKSTYLE:OFF
+    public static RSAPrivateKey getRSAPrivateKey(byte[] modulusBytes,
+                                                 byte[] publicExponentBytes,
+                                                 byte[] privateExponentBytes,
+                                                 byte[] primePBytes,
+                                                 byte[] primeQBytes,
+                                                 byte[] primeExpPBytes,
+                                                 byte[] primeExpQBytes,
+                                                 byte[] crtCoefficientBytes) {
+    //CHECKSTYLE:ON
+        BigInteger modulus =  new BigInteger(1, modulusBytes);
+        BigInteger publicExponent =  new BigInteger(1, publicExponentBytes);
+        BigInteger privateExponent =  new BigInteger(1, privateExponentBytes);
+        BigInteger primeP =  new BigInteger(1, primePBytes);
+        BigInteger primeQ =  new BigInteger(1, primeQBytes);
+        BigInteger primeExpP =  new BigInteger(1, primeExpPBytes);
+        BigInteger primeExpQ =  new BigInteger(1, primeExpQBytes);
+        BigInteger crtCoefficient =  new BigInteger(1, crtCoefficientBytes);
+        try {
+            KeyFactory factory = KeyFactory.getInstance("RSA");
+            return (RSAPrivateKey)factory.generatePrivate(
+                new RSAPrivateCrtKeySpec(modulus, 
+                                         publicExponent,
+                                         privateExponent,
+                                         primeP,
+                                         primeQ,
+                                         primeExpP,
+                                         primeExpQ,
+                                         crtCoefficient));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }    
+    }
+    
+    public static ECPrivateKey getECPrivateKey(String curve, String encodedPrivateKey) {
+        try {
+            return getECPrivateKey(curve, CryptoUtils.decodeSequence(encodedPrivateKey));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    public static ECPrivateKey getECPrivateKey(String curve, byte[] privateKey) {
+        try {
+            ECParameterSpec params = getECParameterSpec(curve, true);
+            ECPrivateKeySpec keySpec = new ECPrivateKeySpec(
+                                           new BigInteger(1, privateKey), params);
+            KeyFactory kf = KeyFactory.getInstance("EC");
+            return (ECPrivateKey) kf.generatePrivate(keySpec);
+
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }    
+    }
+    private static ECParameterSpec getECParameterSpec(String curve, boolean isPrivate) 
+        throws Exception {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
+        ECGenParameterSpec kpgparams = new ECGenParameterSpec("sec"
+                                                              + curve.toLowerCase().replace("-", "")
+                                                              + "r1");
+        kpg.initialize(kpgparams);
+        KeyPair pair = kpg.generateKeyPair();
+        return isPrivate ? ((ECPublicKey) pair.getPublic()).getParams()
+            : ((ECPrivateKey) pair.getPrivate()).getParams();
+    }
+    
+    public static ECPublicKey getECPublicKey(String curve, String encodedXPoint, String encodedYPoint) {
+        try {
+            return getECPublicKey(curve,
+                                  CryptoUtils.decodeSequence(encodedXPoint),
+                                  CryptoUtils.decodeSequence(encodedYPoint));
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    public static ECPublicKey getECPublicKey(String curve, byte[] xPoint, byte[] yPoint) {
+        try {
+            ECParameterSpec params = getECParameterSpec(curve, false);
+
+            ECPoint ecPoint = new ECPoint(new BigInteger(1, xPoint),
+                                          new BigInteger(1, yPoint));
+            ECPublicKeySpec keySpec = new ECPublicKeySpec(ecPoint, params);
+            KeyFactory kf = KeyFactory.getInstance("EC");
+            return (ECPublicKey) kf.generatePublic(keySpec);
+
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }    
+    }
+    
+    public static AlgorithmParameterSpec getContentEncryptionCipherSpec(int authTagLength, byte[] iv) {
+        if (authTagLength > 0) {
+            return CryptoUtils.getGCMParameterSpec(authTagLength, iv);
+        } else if (iv.length > 0) {
+            return new IvParameterSpec(iv);
+        } else {
+            return null;
+        }
+    }
+    
+    public static AlgorithmParameterSpec getGCMParameterSpec(int authTagLength, byte[] iv) {
+        return new GCMParameterSpec(authTagLength, iv);
+    }
+    
+    public static byte[] signData(byte[] data, PrivateKey key, String signAlgo) {
+        return signData(data, key, signAlgo, null, null);
+    }
+    
+    public static byte[] signData(byte[] data, PrivateKey key, String signAlgo, SecureRandom random,
+                           AlgorithmParameterSpec params) {
+        try {
+            Signature s = getSignature(key, signAlgo, random, params);
+            s.update(data);
+            return s.sign();
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static Signature getSignature(PrivateKey key, String signAlgo, SecureRandom random,
+                                  AlgorithmParameterSpec params) {
+        try {
+            Signature s = Signature.getInstance(signAlgo);
+            if (random == null) {
+                s.initSign(key);
+            } else {
+                s.initSign(key, random);
+            }
+            if (params != null) {
+                s.setParameter(params);
+            }
+            return s;
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static boolean verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo) {
+        return verifySignature(data, signature, key, signAlgo, null);
+    }
+    
+    public static boolean verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo, 
+                                AlgorithmParameterSpec params) {
+        try {
+            Signature s = Signature.getInstance(signAlgo);
+            s.initVerify(key);
+            if (params != null) {
+                s.setParameter(params);
+            }
+            s.update(data);
+            return s.verify(signature);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static SecretKey getSecretKey(String symEncAlgo) throws SecurityException {
+        return getSecretKey(new KeyProperties(symEncAlgo));
+    }
+    
+    public static SecretKey getSecretKey(String symEncAlgo, int keySize) throws SecurityException {
+        return getSecretKey(new KeyProperties(symEncAlgo, keySize));
+    }
+    
+    public static SecretKey getSecretKey(KeyProperties props) throws SecurityException {
+        try {
+            KeyGenerator keyGen = KeyGenerator.getInstance(props.getKeyAlgo());
+            AlgorithmParameterSpec algoSpec = props.getAlgoSpec();
+            SecureRandom random = props.getSecureRandom();
+            if (algoSpec != null) {
+                if (random != null) {
+                    keyGen.init(algoSpec, random);
+                } else {
+                    keyGen.init(algoSpec);
+                }
+            } else {
+                int keySize = props.getKeySize();
+                if (keySize == -1) {
+                    keySize = 128;
+                }
+                if (random != null) {
+                    keyGen.init(keySize, random);
+                } else {
+                    keyGen.init(keySize);
+                }
+            }
+            
+            return keyGen.generateKey();
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static String decryptSequence(String encodedToken, String encodedSecretKey)
+        throws SecurityException {
+        return decryptSequence(encodedToken, encodedSecretKey, new KeyProperties("AES"));
+    }
+    
+    public static String decryptSequence(String encodedData, String encodedSecretKey, 
+        KeyProperties props) throws SecurityException {
+        SecretKey key = decodeSecretKey(encodedSecretKey, props.getKeyAlgo());
+        return decryptSequence(encodedData, key, props);
+    }
+    
+    public static String decryptSequence(String encodedData, Key secretKey) throws SecurityException {
+        return decryptSequence(encodedData, secretKey, null);
+    }
+    
+    public static String decryptSequence(String encodedData, Key secretKey,
+        KeyProperties props) throws SecurityException {
+        byte[] encryptedBytes = decodeSequence(encodedData);
+        byte[] bytes = decryptBytes(encryptedBytes, secretKey, props);
+        try {
+            return new String(bytes, "UTF-8");
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static String encryptSequence(String sequence, Key secretKey) throws SecurityException {
+        return encryptSequence(sequence, secretKey, null);
+    }
+    
+    public static String encryptSequence(String sequence, Key secretKey,
+        KeyProperties keyProps) throws SecurityException {
+        try {
+            byte[] bytes = encryptBytes(sequence.getBytes("UTF-8"), secretKey, keyProps);
+            return encodeBytes(bytes);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static String encodeBytes(byte[] bytes) throws SecurityException {
+        try {
+            return Base64UrlUtility.encode(bytes);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static byte[] encryptBytes(byte[] bytes, Key secretKey) throws SecurityException {
+        return encryptBytes(bytes, secretKey, null);
+    }
+    
+    public static byte[] encryptBytes(byte[] bytes, Key secretKey,
+        KeyProperties keyProps) throws SecurityException {
+        return processBytes(bytes, secretKey, keyProps, Cipher.ENCRYPT_MODE);
+    }
+    
+    public static byte[] decryptBytes(byte[] bytes, Key secretKey) throws SecurityException {
+        return decryptBytes(bytes, secretKey, null);
+    }
+    
+    public static byte[] decryptBytes(byte[] bytes, Key secretKey, 
+        KeyProperties keyProps) throws SecurityException {
+        return processBytes(bytes, secretKey, keyProps, Cipher.DECRYPT_MODE);
+    }
+    
+    public static byte[] wrapSecretKey(byte[] keyBytes, 
+                                       String keyAlgo,
+                                       Key wrapperKey,
+                                       KeyProperties wrapperKeyProps)  throws SecurityException {
+        return wrapSecretKey(new SecretKeySpec(keyBytes, convertJCECipherToSecretKeyName(keyAlgo)), 
+                             wrapperKey, 
+                             wrapperKeyProps);
+    }
+    
+    public static byte[] wrapSecretKey(Key secretKey,
+                                       Key wrapperKey,
+                                       KeyProperties keyProps)  throws SecurityException {
+        try {
+            Cipher c = initCipher(wrapperKey, keyProps, Cipher.WRAP_MODE);
+            return c.wrap(secretKey);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }    
+    }
+    
+    public static SecretKey unwrapSecretKey(byte[] wrappedBytes,
+                                            String wrappedKeyAlgo,
+                                            Key unwrapperKey,
+                                            String unwrapperKeyAlgo)  throws SecurityException {
+        return unwrapSecretKey(wrappedBytes, wrappedKeyAlgo, unwrapperKey, 
+                               new KeyProperties(unwrapperKeyAlgo));
+    }
+    
+    public static SecretKey unwrapSecretKey(byte[] wrappedBytes,
+                                            String wrappedKeyAlgo,
+                                            Key unwrapperKey,
+                                            KeyProperties keyProps)  throws SecurityException {
+        return (SecretKey)unwrapKey(wrappedBytes, wrappedKeyAlgo, unwrapperKey, keyProps, Cipher.SECRET_KEY);    
+    }
+    
+    public static Key unwrapKey(byte[] wrappedBytes,
+                                            String wrappedKeyAlgo,
+                                            Key unwrapperKey,
+                                            KeyProperties keyProps,
+                                            int wrappedKeyType)  throws SecurityException {
+        try {
+            Cipher c = initCipher(unwrapperKey, keyProps, Cipher.UNWRAP_MODE);
+            return c.unwrap(wrappedBytes, wrappedKeyAlgo, wrappedKeyType);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }    
+    }
+    
+    private static byte[] processBytes(byte[] bytes, 
+                                      Key secretKey, 
+                                      KeyProperties keyProps, 
+                                      int mode)  throws SecurityException {
+        boolean compressionSupported = keyProps != null && keyProps.isCompressionSupported();
+        if (compressionSupported && mode == Cipher.ENCRYPT_MODE) {
+            bytes = CompressionUtils.deflate(bytes, false);
+        }
+        try {
+            Cipher c = initCipher(secretKey, keyProps, mode);
+            byte[] result = new byte[0];
+            int blockSize = keyProps != null ? keyProps.getBlockSize() : -1;
+            if (secretKey instanceof SecretKey && blockSize == -1) {
+                result = c.doFinal(bytes);
+            } else {
+                if (blockSize == -1) {
+                    blockSize = secretKey instanceof PublicKey ? 117 : 128;
+                }
+                boolean updateRequired = keyProps != null && keyProps.getAdditionalData() != null;
+                int offset = 0;
+                for (; offset + blockSize < bytes.length; offset += blockSize) {
+                    byte[] next = !updateRequired ? c.doFinal(bytes, offset, blockSize) 
+                        : c.update(bytes, offset, blockSize);
+                    result = addToResult(result, next);
+                }
+                if (offset < bytes.length) {
+                    result = addToResult(result, c.doFinal(bytes, offset, bytes.length - offset));
+                } else {
+                    result = addToResult(result, c.doFinal());
+                }
+            }
+            if (compressionSupported && mode == Cipher.DECRYPT_MODE) {
+                result = IOUtils.readBytesFromStream(CompressionUtils.inflate(result, false));
+            }
+            return result;
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    public static Cipher initCipher(Key secretKey, KeyProperties keyProps, int mode)  throws SecurityException {
+        try {
+            String algorithm = keyProps != null && keyProps.getKeyAlgo() != null 
+                ? keyProps.getKeyAlgo() : secretKey.getAlgorithm();
+            Cipher c = Cipher.getInstance(algorithm);
+            if (keyProps == null || keyProps.getAlgoSpec() == null && keyProps.getSecureRandom() == null) {
+                c.init(mode, secretKey);
+            } else {
+                AlgorithmParameterSpec algoSpec = keyProps.getAlgoSpec();
+                SecureRandom random = keyProps.getSecureRandom();
+                if (algoSpec == null) {
+                    c.init(mode, secretKey, random);
+                } else if (random == null) {
+                    c.init(mode, secretKey, algoSpec);
+                } else {
+                    c.init(mode, secretKey, algoSpec, random);
+                }
+            }
+            if (keyProps != null && keyProps.getAdditionalData() != null) {
+                c.updateAAD(keyProps.getAdditionalData());
+            }
+            return c;
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    private static byte[] addToResult(byte[] prefix, byte[] suffix) {
+        if (suffix == null || suffix.length == 0) {
+            return prefix;    
+        } else if (prefix.length == 0) {
+            return suffix;
+        } else {
+            byte[] result = new byte[prefix.length + suffix.length];
+            System.arraycopy(prefix, 0, result, 0, prefix.length);
+            System.arraycopy(suffix, 0, result, prefix.length, suffix.length);
+            return result;
+        }
+    }
+    
+    public static SecretKey decodeSecretKey(String encodedSecretKey) throws SecurityException {
+        return decodeSecretKey(encodedSecretKey, "AES");
+    }
+    
+    public static SecretKey decodeSecretKey(String encodedSecretKey, String secretKeyAlgo) 
+        throws SecurityException {
+        byte[] secretKeyBytes = decodeSequence(encodedSecretKey);
+        return createSecretKeySpec(secretKeyBytes, secretKeyAlgo);
+    }
+    
+    public static SecretKey decryptSecretKey(String encodedEncryptedSecretKey,
+                                             PrivateKey privateKey) {
+        return decryptSecretKey(encodedEncryptedSecretKey, "AES", privateKey);
+    }
+    
+    
+    public static SecretKey decryptSecretKey(String encodedEncryptedSecretKey,
+                                             String secretKeyAlgo,
+                                             PrivateKey privateKey)
+        throws SecurityException {
+        KeyProperties props = new KeyProperties(privateKey.getAlgorithm());
+        return decryptSecretKey(encodedEncryptedSecretKey, secretKeyAlgo, props, privateKey);
+    }
+    
+    public static SecretKey decryptSecretKey(String encodedEncryptedSecretKey,
+                                             String secretKeyAlgo,
+                                             KeyProperties props,
+                                             PrivateKey privateKey) throws SecurityException {
+        byte[] encryptedBytes = decodeSequence(encodedEncryptedSecretKey);
+        byte[] descryptedBytes = decryptBytes(encryptedBytes, privateKey, props);
+        return createSecretKeySpec(descryptedBytes, secretKeyAlgo);
+    }
+    
+    public static SecretKey createSecretKeySpec(String encodedBytes, String algo) {
+        return new SecretKeySpec(decodeSequence(encodedBytes), algo);
+    }
+    public static SecretKey createSecretKeySpec(byte[] bytes, String algo) {
+        return new SecretKeySpec(bytes, convertJCECipherToSecretKeyName(algo));
+    }
+    public static byte[] decodeSequence(String encodedSequence) throws SecurityException {
+        try {
+            return Base64UrlUtility.decode(encodedSequence);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+    private static String convertJCECipherToSecretKeyName(String jceCipherName) {
+        if (jceCipherName != null) {
+            if (jceCipherName.startsWith("AES")) {
+                return "AES";
+            } else if (jceCipherName.startsWith("DESede")) {
+                return "DESede";
+            } else if (jceCipherName.startsWith("SEED")) {
+                return "SEED";
+            } else if (jceCipherName.startsWith("Camellia")) {
+                return "Camellia";
+            }
+        }
+        return null;
+    }
+    public static Certificate loadCertificate(InputStream storeLocation, char[] storePassword, String alias,
+                                              String storeType) {
+        KeyStore keyStore = loadKeyStore(storeLocation, storePassword, storeType);
+        return loadCertificate(keyStore, alias);
+    }
+    public static Certificate loadCertificate(KeyStore keyStore, String alias) {
+        try {
+            return keyStore.getCertificate(alias);
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+    public static PublicKey loadPublicKey(InputStream storeLocation, char[] storePassword, String alias,
+                                          String storeType) {
+        return loadCertificate(storeLocation, storePassword, alias, storeType).getPublicKey();
+    }
+    public static PublicKey loadPublicKey(KeyStore keyStore, String alias) {
+        return loadCertificate(keyStore, alias).getPublicKey();
+    }
+    public static KeyStore loadKeyStore(InputStream storeLocation, char[] storePassword, String type) {
+        try {
+            KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
+            ks.load(storeLocation, storePassword);
+            return ks;
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    public static PrivateKey loadPrivateKey(InputStream storeLocation, 
+                                            char[] storePassword, 
+                                            char[] keyPassword, 
+                                            String alias,
+                                            String storeType) {
+        KeyStore keyStore = loadKeyStore(storeLocation, storePassword, storeType);
+        return loadPrivateKey(keyStore, keyPassword, alias);
+    }
+    
+    public static PrivateKey loadPrivateKey(KeyStore keyStore,
+                                            char[] keyPassword, 
+                                            String alias) {
+        try {
+            KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
+                keyStore.getEntry(alias, new KeyStore.PasswordProtection(keyPassword));
+            return pkEntry.getPrivateKey();
+        } catch (Exception ex) { 
+            throw new SecurityException(ex);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/core/src/main/java/org/apache/cxf/common/util/crypto/HmacUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/HmacUtils.java b/core/src/main/java/org/apache/cxf/common/util/crypto/HmacUtils.java
new file mode 100644
index 0000000..4a07edc
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/HmacUtils.java
@@ -0,0 +1,145 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.common.util.crypto;
+
+import java.io.UnsupportedEncodingException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.spec.AlgorithmParameterSpec;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.Base64Utility;
+
+public final class HmacUtils {
+    
+    private HmacUtils() {
+        
+    }
+    
+    public static String encodeHmacString(String macSecret, String macAlgoJavaName, String data) {
+        return Base64Utility.encode(computeHmac(macSecret, macAlgoJavaName, data));
+    }
+    
+    public static String encodeHmacString(String macSecret, String macAlgoJavaName, String data, boolean urlSafe) {
+        byte[] bytes = computeHmac(macSecret, macAlgoJavaName, data);
+        return urlSafe ? Base64UrlUtility.encode(bytes) : Base64Utility.encode(bytes);
+    }
+    
+    public static Mac getMac(String macAlgoJavaName) {
+        return getMac(macAlgoJavaName, (String)null);
+    }
+    
+    public static Mac getMac(String macAlgoJavaName, String provider) {
+        try {
+            return provider == null ? Mac.getInstance(macAlgoJavaName) : Mac.getInstance(macAlgoJavaName, provider);
+        } catch (NoSuchAlgorithmException e) {
+            throw new SecurityException(e);
+        } catch (NoSuchProviderException e) {
+            throw new SecurityException(e);
+        }
+    }
+    
+    public static Mac getMac(String macAlgoJavaName, Provider provider) {
+        try {
+            return Mac.getInstance(macAlgoJavaName, provider);
+        } catch (NoSuchAlgorithmException e) {
+            throw new SecurityException(e);
+        }
+    }
+    
+    public static byte[] computeHmac(String key, String macAlgoJavaName, String data) {
+        Mac mac = getMac(macAlgoJavaName);
+        return computeHmac(key, mac, data);
+    }
+    
+    public static byte[] computeHmac(byte[] key, String macAlgoJavaName, String data) {
+        return computeHmac(key, macAlgoJavaName, null, data);
+    }
+    public static byte[] computeHmac(byte[] key, String macAlgoJavaName, AlgorithmParameterSpec spec, 
+                                     String data) {
+        Mac mac = getMac(macAlgoJavaName);
+        return computeHmac(new SecretKeySpec(key, mac.getAlgorithm()), mac, spec, data);
+    }
+    
+    public static byte[] computeHmac(String key, Mac hmac, String data) {
+        try {
+            return computeHmac(key.getBytes("UTF-8"), hmac, data);
+        } catch (UnsupportedEncodingException e) {
+            throw new SecurityException(e);
+        }
+    }
+    
+    public static byte[] computeHmac(byte[] key, Mac hmac, String data) {
+        SecretKeySpec secretKey = new SecretKeySpec(key, hmac.getAlgorithm());
+        return computeHmac(secretKey, hmac, data);
+    }
+    
+    public static byte[] computeHmac(Key secretKey, Mac hmac, String data) {
+        return computeHmac(secretKey, hmac, null, data);
+    }
+    
+    public static byte[] computeHmac(Key secretKey, Mac hmac, AlgorithmParameterSpec spec, String data) {
+        initMac(hmac, secretKey, spec);
+        return hmac.doFinal(data.getBytes());
+    }
+    
+    public static Mac getInitializedMac(byte[] key, String algo, AlgorithmParameterSpec spec) {
+        Mac hmac = getMac(algo);
+        initMac(hmac, key, spec);
+        return hmac;
+    }
+    
+    private static void initMac(Mac hmac, byte[] key, AlgorithmParameterSpec spec) {
+        initMac(hmac, new SecretKeySpec(key, hmac.getAlgorithm()), spec);
+        
+    }
+    private static void initMac(Mac hmac, Key secretKey, AlgorithmParameterSpec spec) {
+        try {
+            if (spec == null) {
+                hmac.init(secretKey);
+            } else {
+                hmac.init(secretKey, spec);
+            }
+        } catch (InvalidKeyException e) {
+            throw new SecurityException(e);
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new SecurityException(e);
+        }
+    }
+    
+    public static String generateKey(String algo) {
+        try {
+            KeyGenerator keyGen = KeyGenerator.getInstance(algo);
+            return Base64Utility.encode(keyGen.generateKey().getEncoded());
+        } catch (NoSuchAlgorithmException e) {
+            throw new SecurityException(e);
+        }
+    }
+    
+       
+       
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/core/src/main/java/org/apache/cxf/common/util/crypto/KeyProperties.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/KeyProperties.java b/core/src/main/java/org/apache/cxf/common/util/crypto/KeyProperties.java
new file mode 100644
index 0000000..1d4f75c
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/KeyProperties.java
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.common.util.crypto;
+
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+public class KeyProperties {
+    private String keyAlgo;
+    private int keySize;
+    private int blockSize = -1;
+    private byte[] additionalData;
+    private SecureRandom secureRandom;
+    private AlgorithmParameterSpec algoSpec;
+    private boolean compressionSupported;
+    
+    public KeyProperties() {
+    }
+    
+    public KeyProperties(String keyAlgo) {
+        this(keyAlgo, -1);
+    }
+    public KeyProperties(String keyAlgo, int keySize) {
+        this.keyAlgo = keyAlgo;
+        this.keySize = keySize;
+    }
+    public String getKeyAlgo() {
+        return keyAlgo;
+    }
+    public void setKeyAlgo(String keyAlgo) {
+        this.keyAlgo = keyAlgo;
+    }
+    public int getKeySize() {
+        return keySize;
+    }
+    public void setKeySize(int keySize) {
+        this.keySize = keySize;
+    }
+    public SecureRandom getSecureRandom() {
+        return secureRandom;
+    }
+    public void setSecureRandom(SecureRandom secureRandom) {
+        this.secureRandom = secureRandom;
+    }
+    public AlgorithmParameterSpec getAlgoSpec() {
+        return algoSpec;
+    }
+    public void setAlgoSpec(AlgorithmParameterSpec algoSpec) {
+        this.algoSpec = algoSpec;
+    }
+    public int getBlockSize() {
+        return blockSize;
+    }
+    public void setBlockSize(int blockSize) {
+        this.blockSize = blockSize;
+    }
+    public boolean isCompressionSupported() {
+        return compressionSupported;
+    }
+    public void setCompressionSupported(boolean compressionSupported) {
+        this.compressionSupported = compressionSupported;
+    }
+    public byte[] getAdditionalData() {
+        return additionalData;
+    }
+    public void setAdditionalData(byte[] additionalData) {
+        this.additionalData = additionalData;
+    }
+    
+    
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
new file mode 100644
index 0000000..314f791
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.common.util.crypto;
+
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+/**
+ * The utility Message Digest generator which can be used for generating
+ * random values
+ */
+public final class MessageDigestUtils {
+    
+    public static final String ALGO_SHA_1 = "SHA-1";
+    public static final String ALGO_SHA_256 = "SHA-256";
+    public static final String ALGO_MD5 = "MD5";
+    
+    private MessageDigestUtils() {
+        
+    }
+        
+    public static String generate(byte[] input) {
+        return generate(input, ALGO_MD5);
+    }   
+    
+    public static String generate(byte[] input, String algo) {    
+        try {
+            byte[] messageDigest = createDigest(input, algo);
+            StringBuffer hexString = new StringBuffer();
+            for (int i = 0; i < messageDigest.length; i++) {
+                hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
+            }
+
+            return hexString.toString();
+        } catch (NoSuchAlgorithmException e) {
+            throw new SecurityException(e);
+        }
+    }
+
+    public static byte[] createDigest(String input, String algo) {
+        try {
+            return createDigest(input.getBytes("UTF-8"), algo);
+        } catch (UnsupportedEncodingException e) {
+            throw new SecurityException(e);
+        } catch (NoSuchAlgorithmException e) {
+            throw new SecurityException(e);
+        }   
+    }
+    
+    public static byte[] createDigest(byte[] input, String algo) throws NoSuchAlgorithmException { 
+        MessageDigest md = MessageDigest.getInstance(algo);
+        md.reset();
+        md.update(input);
+        return md.digest();
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
index 65deb0b..a1bd5cf 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
@@ -44,7 +44,6 @@ import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweDecryption;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AbstractJweDecryptingFilter {
     private static final String RSSEC_ENCRYPTION_IN_PROPS = "rs.security.encryption.in.properties";
@@ -82,7 +81,7 @@ public class AbstractJweDecryptingFilter {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
             SecretKey ctDecryptionKey = null;
-            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
                 String keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
                 if ("direct".equals(keyEncryptionAlgo)) {
@@ -93,7 +92,8 @@ public class AbstractJweDecryptingFilter {
                 }
             } else {
                 keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
-                    (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
+                    (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(
+                        m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
             }
             if (keyDecryptionProvider == null && ctDecryptionKey == null) {
                 throw new SecurityException();

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
index 1eb9dee..6902e97 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
@@ -31,7 +31,6 @@ import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AbstractJwsReaderProvider {
     private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
@@ -62,14 +61,14 @@ public class AbstractJwsReaderProvider {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             JwsSignatureVerifier theVerifier = null;
             String rsaSignatureAlgo = null;
-            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
                 rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
                 theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
                 
             } else {
                 theVerifier = new PublicKeyJwsSignatureVerifier(
-                                  (RSAPublicKey)CryptoUtils.loadPublicKey(m, props));
+                                  (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props));
             }
             return theVerifier;
         } catch (SecurityException ex) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
index d2fc2ae..480f83d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
@@ -36,7 +36,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AbstractJwsWriterProvider {
     private static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
@@ -63,14 +62,14 @@ public class AbstractJwsWriterProvider {
             Properties props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
             JwsSignatureProvider theSigProvider = null; 
             String rsaSignatureAlgo = null;
-            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
                 rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
                 theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
             } else {
                 rsaSignatureAlgo = getSignatureAlgo(props, null);
-                RSAPrivateKey pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, 
-                                                              CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
+                RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props, 
+                    KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
                 theSigProvider = new PrivateKeyJwsSignatureProvider(pk, rsaSignatureAlgo);
             }
             if (theSigProvider == null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index c9fd343..d35c519 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -57,7 +57,6 @@ import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweEncryption;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 @Priority(Priorities.JWE_WRITE_PRIORITY)
 public class JweWriterInterceptor implements WriterInterceptor {
@@ -137,7 +136,7 @@ public class JweWriterInterceptor implements WriterInterceptor {
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
             String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
             ContentEncryptionAlgorithm ctEncryptionProvider = null;
-            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
                 keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
                 if ("direct".equals(keyEncryptionAlgo)) {
@@ -149,7 +148,7 @@ public class JweWriterInterceptor implements WriterInterceptor {
                 
             } else {
                 keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
-                    (RSAPublicKey)CryptoUtils.loadPublicKey(m, props), 
+                    (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), 
                     getKeyEncryptionAlgo(props, keyEncryptionAlgo));
             }
             if (keyEncryptionProvider == null && ctEncryptionProvider == null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
new file mode 100644
index 0000000..369e072
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -0,0 +1,145 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Properties;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.security.SecurityContext;
+
+
+/**
+ * Encryption helpers
+ */
+public final class KeyManagementUtils {
+    public static final String RSSEC_KEY_STORE_TYPE = "rs.security.keystore.type";
+    public static final String RSSEC_KEY_STORE_PSWD = "rs.security.keystore.password";
+    public static final String RSSEC_KEY_PSWD = "rs.security.key.password";
+    public static final String RSSEC_KEY_STORE_ALIAS = "rs.security.keystore.alias";
+    public static final String RSSEC_KEY_STORE_FILE = "rs.security.keystore.file";
+    public static final String RSSEC_PRINCIPAL_NAME = "rs.security.principal.name";
+    public static final String RSSEC_KEY_PSWD_PROVIDER = "rs.security.key.password.provider";
+    public static final String RSSEC_SIG_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
+    public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
+    
+    private KeyManagementUtils() {
+    }
+    
+    public static PublicKey loadPublicKey(Message m, Properties props) {
+        KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
+        return CryptoUtils.loadPublicKey(keyStore, props.getProperty(RSSEC_KEY_STORE_ALIAS));
+    }
+    public static PublicKey loadPublicKey(Message m, String keyStoreLocProp) {
+        return loadPublicKey(m, keyStoreLocProp, null);
+    }
+    public static PublicKey loadPublicKey(Message m, String keyStoreLocPropPreferred, String keyStoreLocPropDefault) {
+        String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
+        Bus bus = m.getExchange().getBus();
+        try {
+            Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
+            return KeyManagementUtils.loadPublicKey(m, props);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    private static String getMessageProperty(Message m, String keyStoreLocPropPreferred, 
+                                             String keyStoreLocPropDefault) {
+        String propLoc = 
+            (String)MessageUtils.getContextualProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
+        if (propLoc == null) {
+            throw new SecurityException();
+        }
+        return propLoc;
+    }
+    public static PrivateKey loadPrivateKey(Properties props, Bus bus, PrivateKeyPasswordProvider provider) {
+        KeyStore keyStore = loadKeyStore(props, bus);
+        return loadPrivateKey(keyStore, props, bus, provider);
+    }
+    public static PrivateKey loadPrivateKey(KeyStore keyStore, 
+                                            Properties props, 
+                                            Bus bus, 
+                                            PrivateKeyPasswordProvider provider) {
+        
+        String keyPswd = props.getProperty(RSSEC_KEY_PSWD);
+        String alias = props.getProperty(RSSEC_KEY_STORE_ALIAS);
+        char[] keyPswdChars = provider != null ? provider.getPassword(props) 
+            : keyPswd != null ? keyPswd.toCharArray() : null;    
+        return CryptoUtils.loadPrivateKey(keyStore, keyPswdChars, alias);
+    }
+    
+    public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String passwordProviderProp) {
+        return loadPrivateKey(m, keyStoreLocProp, null, passwordProviderProp);
+    }
+    public static PrivateKey loadPrivateKey(Message m, String keyStoreLocPropPreferred,
+                                            String keyStoreLocPropDefault, String passwordProviderProp) {
+        String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
+        Bus bus = m.getExchange().getBus();
+        try {
+            Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
+            return KeyManagementUtils.loadPrivateKey(m, props, passwordProviderProp);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    public static PrivateKey loadPrivateKey(Message m, Properties props, String passwordProviderProp) {
+        Bus bus = m.getExchange().getBus();
+        KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
+        PrivateKeyPasswordProvider cb = 
+            (PrivateKeyPasswordProvider)m.getContextualProperty(passwordProviderProp);
+        if (cb != null && m.getExchange().getInMessage() != null) {
+            SecurityContext sc = m.getExchange().getInMessage().get(SecurityContext.class);
+            if (sc != null) {
+                Principal p = sc.getUserPrincipal();
+                if (p != null) {
+                    props.setProperty(RSSEC_PRINCIPAL_NAME, p.getName());
+                }
+            }
+        }
+        return KeyManagementUtils.loadPrivateKey(keyStore, props, bus, cb);
+    }
+    public static KeyStore loadPersistKeyStore(Message m, Properties props) {
+        KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE));
+        if (keyStore == null) {
+            keyStore = KeyManagementUtils.loadKeyStore(props, m.getExchange().getBus());
+            m.getExchange().put((String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE), keyStore);
+        }
+        return keyStore;
+    }
+    public static KeyStore loadKeyStore(Properties props, Bus bus) {
+        String keyStoreType = props.getProperty(RSSEC_KEY_STORE_TYPE);
+        String keyStoreLoc = props.getProperty(RSSEC_KEY_STORE_FILE);
+        String keyStorePswd = props.getProperty(RSSEC_KEY_STORE_PSWD);
+        try {
+            InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
+            return CryptoUtils.loadKeyStore(is, keyStorePswd.toCharArray(), keyStoreType);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
new file mode 100644
index 0000000..bfcde49
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.util.Properties;
+
+public interface PrivateKeyPasswordProvider {
+    char[] getPassword(Properties storeProperties); 
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index adf6d59..770ee56 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -20,7 +20,7 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.util.concurrent.atomic.AtomicInteger;
 
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 
 
 public abstract class AbstractContentEncryptionAlgorithm extends AbstractContentEncryptionCipherProperties

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index 291b8cb..bc30979 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -20,7 +20,7 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
 
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 
 
 public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index 987ebb7..45d3ee7 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -21,12 +21,12 @@ package org.apache.cxf.rs.security.jose.jwe;
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeadersReader;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public abstract class AbstractJweDecryption implements JweDecryptionProvider {
     private KeyDecryptionAlgorithm keyDecryptionAlgo;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index 86ff16e..4354bf3 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -23,12 +23,12 @@ import java.security.spec.AlgorithmParameterSpec;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 import org.apache.cxf.rs.security.jose.JoseHeadersWriter;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public abstract class AbstractJweEncryption implements JweEncryptionProvider {
     protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
index 6e831a9..ed35eab 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
@@ -22,9 +22,9 @@ import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Set;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm {
     private Key keyEncryptionKey;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 111641e..ab0220c 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -26,9 +26,9 @@ import java.util.Map;
 import javax.crypto.Mac;
 import javax.crypto.spec.IvParameterSpec;
 
+import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.jose.JoseHeadersWriter;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
 
 public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
     private static final Map<String, String> AES_HMAC_MAP;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index 65575ac..bcd0fb3 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -20,8 +20,8 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 
 public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index c05bafa..0043ec2 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -23,8 +23,8 @@ import java.security.spec.AlgorithmParameterSpec;
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {    

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
index ff34b93..e230470 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
@@ -26,8 +26,8 @@ import java.util.Set;
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesGcmWrapKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
     private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
index 0ee79b4..3ba6919 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
@@ -20,8 +20,8 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public AesWrapKeyDecryptionAlgorithm(String encodedKey) {    

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
index a0b01b9..a8b5899 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
@@ -24,8 +24,8 @@ import java.util.Set;
 
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AesWrapKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
     private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index 3728444..4697cad 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -29,8 +29,8 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.crypto.digests.SHA384Digest;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 4566f61..8af2c63 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -21,9 +21,9 @@ package org.apache.cxf.rs.security.jose.jwe;
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
 
 public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
     private Key cekDecryptionKey;

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index bf255b9..c994b1e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -32,9 +32,12 @@ import java.util.Properties;
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.Bus;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
+import org.apache.cxf.rs.security.jose.jaxrs.PrivateKeyPasswordProvider;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
@@ -44,8 +47,6 @@ import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.PrivateKeyPasswordProvider;
 
 public final class JwkUtils {
     public static final String JWK_KEY_STORE_TYPE = "jwk";
@@ -144,10 +145,10 @@ public final class JwkUtils {
     }
     public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb, 
                                          JwkReaderWriter reader) {
-        JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(CryptoUtils.RSSEC_KEY_STORE_FILE));
+        JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE));
         if (jwkSet == null) {
             jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
-            m.getExchange().put((String)props.get(CryptoUtils.RSSEC_KEY_STORE_FILE), jwkSet);
+            m.getExchange().put((String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE), jwkSet);
         }
         return jwkSet;
     }
@@ -162,7 +163,7 @@ public final class JwkUtils {
     }
     public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) {
         String keyContent = null;
-        String keyStoreLoc = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_FILE);
+        String keyStoreLoc = props.getProperty(KeyManagementUtils.RSSEC_KEY_STORE_FILE);
         if (keyStoreLoc != null) {
             try {
                 InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
@@ -193,23 +194,24 @@ public final class JwkUtils {
     }
     public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper, JwkReaderWriter reader) {
         PrivateKeyPasswordProvider cb = 
-            (PrivateKeyPasswordProvider)m.getContextualProperty(CryptoUtils.RSSEC_KEY_PSWD_PROVIDER);
+            (PrivateKeyPasswordProvider)m.getContextualProperty(KeyManagementUtils.RSSEC_KEY_PSWD_PROVIDER);
         if (cb == null && keyOper != null) {
-            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
-                : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) ? CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
+            String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
+                : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) 
+                ? KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
             if (propName != null) {
                 cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
             }
         }
         JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
-        String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
+        String kid = props.getProperty(KeyManagementUtils.RSSEC_KEY_STORE_ALIAS);
         if (kid == null && keyOper != null) {
             String keyIdProp = null;
             if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) {
-                keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jwe";
+                keyIdProp = KeyManagementUtils.RSSEC_KEY_STORE_ALIAS + ".jwe";
             } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN)
                        || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
-                keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jws";
+                keyIdProp = KeyManagementUtils.RSSEC_KEY_STORE_ALIAS + ".jws";
             }
             if (keyIdProp != null) {
                 kid = props.getProperty(keyIdProp);

http://git-wip-us.apache.org/repos/asf/cxf/blob/6129ec5f/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
index 2d09bb1..3808d4e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
@@ -24,8 +24,8 @@ import javax.crypto.Mac;
 
 import org.apache.cxf.common.util.Base64Exception;
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
 
 public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
     private byte[] key;


Mime
View raw message